
iOS Reverse Engineering: Modifying the WeChat Step Count

2017-07-02  Read by 464 people  程序员进阶

After a long time fiddling with reverse engineering I have finally taken a small step, haha!

I will not write too much here, because there is a lot to unpack and it cannot all be covered at once. If anything is unclear, read the previous two articles, or message me privately and we can study it together.

Project code: http://git.oschina.net/lishangkai/reverseproject

Decrypting the binary (砸壳):

localhost:~ shangkai$ ssh root@192.168.1.47

root@192.168.1.47's password:

lishangkaide-iPhone4:~ root# ps -e

Note the WeChat entry at the end (the ?? in the TTY column only means the process has no controlling terminal):

535 ?? 0:00.03 /System/Library/PrivateFrameworks/CoreSymbolication.framework/coresymbolicationd
672 ?? 0:00.18 /System/Library/PrivateFrameworks/CommunicationsFilter.framework/CMFSyncAgent.app/CMFSyncAgent
867 ?? 0:00.23 /System/Library/PrivateFrameworks/CloudServices.framework/Support/EscrowSecurityAlert.app/EscrowS
941 ?? 0:00.25 /usr/libexec/adid
943 ?? 0:06.89 com.apple.StreamingUnzipService
1026 ?? 0:33.04 /System/Library/CoreServices/SpringBoard.app/SpringBoard
398 ?? 0:13.86 /System/Library/TextInput/kbd
1041 ?? 0:31.91 /var/mobile/Applications/11960679-AB53-4C45-9563-3602C2995700/WeChat.app/WeChat

lishangkaide-iPhone4:~ root# cd /var/mobile/Applications/11960679-AB53-4C45-9563-3602C2995700/Document

-sh: cd: /var/mobile/Applications/11960679-AB53-4C45-9563-3602C2995700/Document: No such file or directory

Changing into the path like that fails (the directory is actually Documents, with an s). The sandbox path can be confirmed from inside the running process with cycript:

lishangkaide-iPhone4:~ root# cycript -p WeChat

cy# NSHomeDirectory()

@"/var/mobile/Applications/11960679-AB53-4C45-9563-3602C2995700"

lishangkaide-iPhone4:~ root# cd /var/mobile/Applications/11960679-AB53-4C45-9563-3602C2995700/Documents/

lishangkaide-iPhone4:~ root# ls

localhost:~ shangkai$ scp /Users/shangkai/Desktop/123/dumpdecrypted.dylib root@192.168.1.47:/var/mobile/Applications/11960679-AB53-4C45-9563-3602C2995700/Documents/dumpdecrypted.dylib

dumpdecrypted.dylib    100%   81KB  13.5KB/s   00:06

localhost:~ shangkai$

Now the key step, producing the decrypted WeChat binary, i.e. the dump (砸壳). Switch to the mobile user and launch WeChat's executable with dumpdecrypted.dylib inserted; the dump is written as WeChat.decrypted into the current directory (the app's Documents folder):

lishangkaide-iPhone4:/var/mobile/Applications/11960679-AB53-4C45-9563-3602C2995700/Documents root# su mobile

lishangkaide-iPhone4:~/Applications/11960679-AB53-4C45-9563-3602C2995700/Documents mobile$ DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib "/var/mobile/Applications/11960679-AB53-4C45-9563-3602C2995700/WeChat.app/WeChat"

mach-o decryption dumper

DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.

[+] detected 32bit ARM binary in memory.

[+] offset to cryptid found: @0x3ea4c(from 0x3e000) = a4c

[+] Found encrypted data at address 00004000 of length 52756480 bytes - type 1.

[+] Opening /private/var/mobile/Applications/11960679-AB53-4C45-9563-3602C2995700/WeChat.app/WeChat for reading.

[+] Reading header

[+] Detecting header type

[+] Executable is a FAT image - searching for right architecture

[+] Correct arch is at offset 16384 in the file

[+] Opening WeChat.decrypted for writing.

[+] Copying the not encrypted start of the file

[+] Dumping the decrypted data into the file

[+] Copying the not encrypted remainder of the file

[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 4a4c

[+] Closing original file

[+] Closing dump file

lishangkaide-iPhone4:~/Applications/11960679-AB53-4C45-9563-3602C2995700/Documents mobile$

Back on the Mac, pull the dump over (this runs on the Mac, not on the device):

scp root@192.168.1.47:"/var/mobile/Applications/11960679-AB53-4C45-9563-3602C2995700/Documents/WeChat.decrypted" /Users/shangkai/Desktop/123/WeChat

The Desktop/123 folder now contains a WeChat file and the ssh connection can be closed. Note that dumpdecrypted only decrypts the architecture that was actually executing (here the armv7 slice of a FAT binary, as its log shows) and copies the rest of the file through unchanged, which is why class-dump below is told --arch armv7.

localhost:bin shangkai$ class-dump --arch armv7 -H /Users/shangkai/Desktop/123/WeChat -o /Users/shangkai/Desktop/123/WeChatHeader

localhost:bin shangkai$

At this point 2000+ WeChat header files appear: decrypting the binary and class-dumping its headers succeeded!

In the class WCDeviceStepObject we find a few conspicuous properties, m7StepCount, hkStepCount and so on.


Run this command in the terminal to create a Tweak project:

/opt/theos/bin/nic.pl

Pick the iphone/tweak template and answer the prompts; the MobileSubstrate bundle filter should be WeChat's bundle identifier, com.tencent.xin, so the tweak is only loaded into WeChat.


Write the Tweak.xm and Makefile files.

After running make and installing the tweak, check the result on the test device:

Here is a cheeky screenshot of the result.

Installation commands:
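The Tweak.xm itself only appears as a screenshot in the original, so here is an added example of what such a hook looks like; it is not the author's tweak from the repository. It hooks the two getters found above on WCDeviceStepObject. Assumptions: both getters return unsigned int (confirm this against the dumped WCDeviceStepObject.h and change the signatures if the header disagrees), the preferences plist path is hypothetical, and 23333 is an arbitrary default.

```logos
// Tweak.xm -- added example, not the article's original tweak.
// Hooks the step-count getters that class-dump exposed on WCDeviceStepObject.
//
// Assumptions (check them against WeChatHeader/WCDeviceStepObject.h):
//   * m7StepCount and hkStepCount are `unsigned int` properties; if the header
//     shows another type, change the method signatures to match.
//   * kPrefsPath is a hypothetical preferences file; if it is missing or
//     malformed the tweak falls back to kDefaultSteps.

#import <Foundation/Foundation.h>

static NSString *const kPrefsPath =
    @"/var/mobile/Library/Preferences/com.example.wechatsteps.plist";  // hypothetical
static const unsigned int kDefaultSteps = 23333;

// A flat sanity cap so the rewritten value still looks like pedometer data.
// This is our own choice, not a limit taken from WeChat.
static const unsigned int kMaxPlausibleSteps = 99999;

// Decide what to report given what the device really counted.
static unsigned int fakeStepCount(unsigned int realCount) {
    NSDictionary *prefs = [NSDictionary dictionaryWithContentsOfFile:kPrefsPath];
    NSNumber *configured = prefs[@"steps"];
    unsigned int target = configured
        ? (unsigned int)[configured unsignedIntegerValue]
        : kDefaultSteps;

    // Never report fewer steps than were actually counted, and never exceed
    // the cap; both keep the displayed number believable.
    if (target < realCount) {
        target = realCount;
    }
    return MIN(target, kMaxPlausibleSteps);
}

%hook WCDeviceStepObject

// Steps from the M7 motion coprocessor (CoreMotion path).
- (unsigned int)m7StepCount {
    unsigned int real = %orig;
    unsigned int fake = fakeStepCount(real);
    NSLog(@"[WeChatSteps] m7StepCount %u -> %u", real, fake);
    return fake;
}

// Steps read from HealthKit.
- (unsigned int)hkStepCount {
    unsigned int real = %orig;
    unsigned int fake = fakeStepCount(real);
    NSLog(@"[WeChatSteps] hkStepCount %u -> %u", real, fake);
    return fake;
}

%end

// Runs when the dylib is loaded; confirms in the device syslog that
// MobileSubstrate injected us into the right process.
%ctor {
    NSLog(@"[WeChatSteps] loaded into %@",
          [[NSBundle mainBundle] bundleIdentifier]);
}
```

For the Makefile, a Theos tweak needs `include $(THEOS)/makefiles/common.mk`, then `TWEAK_NAME = WeChatSteps`, `WeChatSteps_FILES = Tweak.xm`, `WeChatSteps_FRAMEWORKS = Foundation`, and finally `include $(THEOS_MAKE_PATH)/tweak.mk` (replace WeChatSteps with whatever name nic.pl was given). The filter plist that nic.pl generates must list com.tencent.xin under Bundles. With THEOS_DEVICE_IP set to the device's address (192.168.1.47 above), `make package install` builds the .deb and installs it over ssh; kill WeChat afterwards so the dylib is loaded on the next launch, and watch the device syslog for the [WeChatSteps] lines to confirm the hooks fire. The hook only changes what these getters return inside the process, so whether the altered number reaches the ranking depends on which code path WeChat reads the count from when it uploads it; the NSLog output is the quickest way to check that.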

PS: I later tried hooking QQ to change its step count, without success. The source has been uploaded for anyone who is interested.
