
How I implemented automatic WeChat red-envelope grabbing, step by step

2017-09-06  Reached 2178 readers  一只代码狗

In reverse engineering we can use static analysis and dynamic debugging to locate the function we are after. In this article I share my hands-on experience reversing WeChat to implement automatic red-envelope grabbing; it works on both jailbroken and non-jailbroken devices. Project GitHub repository: RHWeChat

The project was tested in the following environment:

Setting up the environment, briefly:
sudo git clone --recursive https://github.com/theos/theos.git /opt/theos
// either build ldid yourself and move it into theos
sudo mv ldidpath /opt/theos/bin
sudo chmod 777 /opt/theos/bin/ldid
// or install ldid with brew
brew install ldid
git clone https://github.com/AloneMonkey/MonkeyDev.git
cd MonkeyDev/bin
sudo ./md-install

For details on MonkeyDev, see the MonkeyDev documentation.
Please give 猴神 (AloneMonkey) a star!
MonkeyDev ships with Reveal.framework, Cycript.framework and class-dump integrated by default. With MonkeyDev you no longer have to go through the whole manual chain of extracting the binary from the ipa, editing the binary's Load Commands list to add the dylib you want to hook with, having hook.dylib perform the hooks of the target functions in its constructor, re-signing the modified ipa, and packaging and installing it. Command+R does all of it in one step; to produce an ipa file, after running with Command+R simply double-click createIPA.command in the LatestBuild directory of the source tree.

Reversing approach:

To implement automatic grabbing, we first need to understand the flow of grabbing a red envelope by hand.
So we begin by analyzing how manual grabbing is implemented:

- (NSSet *)allTargets;                                                                     // set may include NSNull to indicate at least one nil target
- (UIControlEvents)allControlEvents;                                                       
- (nullable NSArray<NSString *> *)actionsForTarget:(nullable id)target forControlEvent:(UIControlEvents)controlEvent;    // single event. returns NSArray of NSString selector names. returns nil if none
CHDeclareClass(WCRedEnvelopesLogicMgr)
CHOptimizedMethod1(self, void, WCRedEnvelopesLogicMgr, ReceiverQueryRedEnvelopesRequest, id, arg1) {
    NSLog(@"%@", arg1);
    CHSuper1(WCRedEnvelopesLogicMgr, ReceiverQueryRedEnvelopesRequest, arg1);
}
{
    channelId = 1;
    headImg = "http://wx.qlogo.cn/mmhead/ver_1/tUsGXv3VM2C4f6Nj1vibaWy2jJUFPMnUfobCtP1iajd5QLCn8B7YM6L6E1UTwSzxkiaichIJuVibBx2BRiaAIu1UkYfjMnJiatYxpvlWdHdfBD8xKU/132";
    msgType = 1;
    nativeUrl = "wxpay://c2cbizmessagehandler/hongbao/receivehongbao?msgtype=1&channelid=1&sendid=1000039501201709137014370817311&sendusername=wxid_mryox0wndn8122&ver=6&sign=8f446c219788bb6db911ff7de1eefd3ac9a66298b8d8d9be3f0018f14524bbb16ca78e0b22357967ebeb36860b892b0d5300d8ae5ae70ac29759a3c673cea9f6205adb65ae01d71d29a7b7a2b757333c0f264b07f893dfb88c28ece6e9869236";
    nickName = "xxxx";
    sendId = xxx;
    sessionUserName = "xxxxx";
    timingIdentifier = 88BF75742FFAB59D7F88C494670C3FE3;
}
%hook WCBizUtil

+ (id)dictionaryWithDecodedComponets:(id)arg1 separator:(id)arg2 {
    %log;
    return %orig;
}

%end
+[<WCBizUtil: 0x103b28eb8> dictionaryWithDecodedComponets:msgtype=1&channelid=1&sendid=xxxxxxxxxxxxx&sendusername= xxx-com&ver=6&sign=f4455577adc87b21387127f45e6c3803649800302ac90134018c10c4a87b3a0a5df85d4360028ad28b997bbdb4e52e6b8b62804fc04444185bb4f6617359a8c41565d1592d5d251c1a8b0aaef1fdb3de576d88890323720ae701bb3e56b3e900 separator:&]
CHDeclareClass(WCRedEnvelopesLogicMgr);

CHOptimizedMethod1(self, void, WCRedEnvelopesLogicMgr, ReceiverQueryRedEnvelopesRequest, id, arg1) {
    NSLog(@"%@", arg1);
    /*
     agreeDuty = 0;
     channelId = 1;
     inWay = 1;
     msgType = 1;
     nativeUrl = "wxpay://c2cbizmessagehandler/hongbao/receivehongbao?msgtype=1&channelid=1&sendid=1000039501201709137007742337288&sendusername=jirenbang-com&ver=6&sign=f4455577adc87b21387127f45e6c3803649800302ac90134018c10c4a87b3a0a5df85d4360028ad28b997bbdb4e52e6b8b62804fc04444185bb4f6617359a8c41565d1592d5d251c1a8b0aaef1fdb3de576d88890323720ae701bb3e56b3e900";
     sendId = 1000039501201709137007742337288;
     */
    CHSuper1(WCRedEnvelopesLogicMgr, ReceiverQueryRedEnvelopesRequest, arg1);
}
CHOptimizedMethod2(self, void, WCRedEnvelopesLogicMgr, OnWCToHongbaoCommonResponse, id, arg1, Request, id, arg2) {
    
    NSLog(@"%@", arg1);
    NSLog(@"%@", arg2);
    /*
     <HongBaoRes: 0x1123400f0>
     <HongBaoReq: 0x1123805f0> 
    */
    CHSuper2(WCRedEnvelopesLogicMgr, OnWCToHongbaoCommonResponse, arg1, Request, arg2);
}
@property(retain, nonatomic) SKBuiltinBuffer_t *retText; // 
@property(retain, nonatomic) NSData *buffer; // @dynamic buffer;
// Inside the OnWCToHongbaoCommonResponse:Request: hook: the HongBaoRes reply
// carries a JSON body in retText.buffer, which we decode to inspect the result.
if ([NSStringFromClass([arg1 class]) isEqualToString:@"HongBaoRes"]) {
    NSData *data = [[arg1 retText] buffer];

    if (nil != data && 0 < [data length]) {
        NSError *error = nil;
        id jsonObj = [NSJSONSerialization JSONObjectWithData:data
                                                     options:NSJSONReadingAllowFragments
                                                       error:&error];
        NSLog(@"%@ %@", jsonObj, error);
    }
}
Next we can start implementing the auto-grab logic. Every incoming message passes through CMessageMgr, so that is where the red-envelope message is observed:
- (void)AsyncOnAddMsg:(id)arg1 MsgWrap:(id)arg2;
CHDeclareClass(CMessageMgr);
CHMethod(2, void, CMessageMgr, AsyncOnAddMsg, id, arg1, MsgWrap, id, arg2) {
    NSLog(@"%@", arg1);
    NSLog(@"%@", arg2);
    CHSuper(2, CMessageMgr, AsyncOnAddMsg, arg1, MsgWrap, arg2);
}
<msg>
    <appmsg appid="" sdkver="">
        <des><![CDATA[我给你发了一个红包,赶紧去拆!]]></des>
        <url><![CDATA[https://wxapp.tenpay.com/mmpayhb/wxhb_personalreceive?showwxpaytitle=1&msgtype=1&channelid=1&sendid=1000039501201709137014370817311&ver=6&sign=8f446c219788bb6db911ff7de1eefd3ac9a66298b8d8d9be3f0018f14524bbb16ca78e0b22357967ebeb36860b892b0d5300d8ae5ae70ac29759a3c673cea9f6205adb65ae01d71d29a7b7a2b757333c0f264b07f893dfb88c28ece6e9869236]]></url>
        <type><![CDATA[2001]]></type>
        <title><![CDATA[微信红包]]></title>
        <thumburl><![CDATA[http://wx.gtimg.com/hongbao/1701/hb.png]]></thumburl>
        <wcpayinfo>
            <templateid><![CDATA[7a2a165d31da7fce6dd77e05c300028a]]></templateid>
            <url><![CDATA[https://wxapp.tenpay.com/mmpayhb/wxhb_personalreceive?showwxpaytitle=1&msgtype=1&channelid=1&sendid=1000039501201709137014370817311&ver=6&sign=8f446c219788bb6db911ff7de1eefd3ac9a66298b8d8d9be3f0018f14524bbb16ca78e0b22357967ebeb36860b892b0d5300d8ae5ae70ac29759a3c673cea9f6205adb65ae01d71d29a7b7a2b757333c0f264b07f893dfb88c28ece6e9869236]]></url>
            <iconurl><![CDATA[http://wx.gtimg.com/hongbao/1701/hb.png]]></iconurl>
            <receivertitle><![CDATA[Best wishes]]></receivertitle>
            <sendertitle><![CDATA[Best wishes]]></sendertitle>
            <scenetext><![CDATA[微信红包]]></scenetext>
            <senderdes><![CDATA[查看红包]]></senderdes>
            <receiverdes><![CDATA[领取红包]]></receiverdes>
            <nativeurl><![CDATA[wxpay://c2cbizmessagehandler/hongbao/receivehongbao?msgtype=1&channelid=1&sendid=1000039501201709137014370817311&sendusername=wxid_mryox0wndn8122&ver=6&sign=8f446c219788bb6db911ff7de1eefd3ac9a66298b8d8d9be3f0018f14524bbb16ca78e0b22357967ebeb36860b892b0d5300d8ae5ae70ac29759a3c673cea9f6205adb65ae01d71d29a7b7a2b757333c0f264b07f893dfb88c28ece6e9869236]]></nativeurl>
            <sceneid><![CDATA[1002]]></sceneid>
            <innertype><![CDATA[0]]></innertype>
            <paymsgid><![CDATA[1000039501201709137014370817311]]></paymsgid>
            <scenetext>微信红包</scenetext>
            <locallogoicon><![CDATA[c2c_hongbao_icon_cn]]></locallogoicon>
            <invalidtime><![CDATA[1505373603]]></invalidtime>
        </wcpayinfo>
    </appmsg>
    <fromusername><![CDATA[wxid_mryox0wndn8122]]></fromusername>
</msg>
     agreeDuty = 0;
     channelId = 1;
     inWay = 1;
     msgType = 1;
     nativeUrl = "wxpay://c2cbizmessagehandler/hongbao/receivehongbao?msgtype=1&channelid=1&sendid=1000039501201709137007742337288&sendusername=jirenbang-com&ver=6&sign=f4455577adc87b21387127f45e6c3803649800302ac90134018c10c4a87b3a0a5df85d4360028ad28b997bbdb4e52e6b8b62804fc04444185bb4f6617359a8c41565d1592d5d251c1a8b0aaef1fdb3de576d88890323720ae701bb3e56b3e900";
     sendId = 1000039501201709137007742337288;
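To see how the request dictionary above is derived from the `<msg>` XML without attaching a debugger, here is an added example (not code from the original post or from the RHWeChat project). It does in Python what the post observes +[WCBizUtil dictionaryWithDecodedComponets:separator:] doing to the nativeurl query string: it selects red-envelope app messages by their `<type>` 2001, pulls out `<wcpayinfo><nativeurl>`, and splits the `wxpay://` query into the fields (msgtype, channelid, sendid, sendusername, ver, sign) that end up in the ReceiverQueryRedEnvelopesRequest: dictionary. The sample message is constructed; its sendid, sign and user names are placeholders. The sign value is opaque to the client: the captured data shows it being passed back unchanged, so the parser treats it as a string.

```python
"""Parse a WeChat red-envelope app message and its wxpay:// nativeurl.

Added example; not part of the original post or the RHWeChat project.
The sample <msg> is constructed and uses placeholder ids.
"""
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlsplit

RED_ENVELOPE_APPMSG_TYPE = "2001"  # <type> seen in the captured red-envelope <msg>

# Constructed sample, shaped like the <msg> dumped from AsyncOnAddMsg:MsgWrap:
SAMPLE_MSG = """<msg>
    <appmsg appid="" sdkver="">
        <type><![CDATA[2001]]></type>
        <title><![CDATA[WeChat red envelope]]></title>
        <wcpayinfo>
            <nativeurl><![CDATA[wxpay://c2cbizmessagehandler/hongbao/receivehongbao?msgtype=1&channelid=1&sendid=PLACEHOLDER_SENDID&sendusername=wxid_placeholder&ver=6&sign=PLACEHOLDER_SIGN]]></nativeurl>
            <paymsgid><![CDATA[PLACEHOLDER_SENDID]]></paymsgid>
            <invalidtime><![CDATA[1505373603]]></invalidtime>
        </wcpayinfo>
    </appmsg>
    <fromusername><![CDATA[wxid_placeholder]]></fromusername>
</msg>"""


def decode_components(query, separator="&"):
    """Python stand-in for +[WCBizUtil dictionaryWithDecodedComponets:separator:].

    Splits the string on `separator`, then splits each item at the first '='
    and percent-decodes both key and value. Items without '=' get an empty value.
    """
    result = {}
    for item in query.split(separator):
        if not item:
            continue
        key, _, value = item.partition("=")
        result[unquote(key)] = unquote(value)
    return result


def parse_red_envelope(msg_xml):
    """Return the red-envelope fields of a <msg>, or None if it is not one.

    Only <appmsg><type>2001</type> messages carry <wcpayinfo><nativeurl>;
    plain text, links and other app messages return None.
    """
    root = ET.fromstring(msg_xml)
    appmsg = root.find("appmsg")
    if appmsg is None:
        return None
    if (appmsg.findtext("type") or "").strip() != RED_ENVELOPE_APPMSG_TYPE:
        return None
    native_url = appmsg.findtext("wcpayinfo/nativeurl")
    if not native_url:
        return None
    parts = urlsplit(native_url)
    if parts.scheme != "wxpay" or not parts.path.endswith("/hongbao/receivehongbao"):
        return None
    return {
        "from_user": root.findtext("fromusername"),
        "native_url": native_url,
        "invalid_time": int(appmsg.findtext("wcpayinfo/invalidtime") or 0),
        # Same key/value pairs the app passes on in ReceiverQueryRedEnvelopesRequest:
        "params": decode_components(parts.query),
    }


def is_expired(envelope, now):
    """True when the <invalidtime> epoch timestamp has already passed."""
    return envelope["invalid_time"] != 0 and now >= envelope["invalid_time"]


if __name__ == "__main__":
    info = parse_red_envelope(SAMPLE_MSG)
    print(info["from_user"], info["params"]["sendid"], info["params"]["msgtype"])
```

The parser stops at the same point the post's hook chain does: it yields the decoded fields and nothing more. Messages whose `<type>` is not 2001, or whose nativeurl does not point at the receivehongbao handler, are rejected before any field is read, which is the check to keep in front of any automation so that unrelated app messages are never treated as envelopes.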
Summary:

During the red-envelope reversing I mainly relied on static analysis and dynamic debugging:

Finally, a few of my reversing tips:
I am new to reversing; if anything here is wrong, please point it out.
References:

iOS App Reverse Engineering (introductory book)
iOS: A Song of Ice and Fire – UAF and Kernel Pwn, by 蒸米
MonkeyDev documentation

Please give the project a star!