iOS WeChat automatically grabs red envelopes (non-jailbroken iPhone)

WeChat red envelopes are very popular now, especially in WeChat groups. If we don't grab a red envelope in time, we won't get one at all. So we wondered whether we could write a plug-in or something similar to grab red envelopes automatically. The result looks like this:


[Figure: WeChat red envelope]

Foreword: Recently the author has been studying iOS reverse engineering and, along the way, used WeChat as practice, implementing automatic red-envelope grabbing on a non-jailbroken phone.

Off-topic: This tutorial is a serious academic discussion article, intended only for learning and research. Please do not use it for commercial or other illegal purposes. The author accepts no responsibility ~~

Well then, let's get to the topic!

Tools / files required for this tutorial

yololib
class-dump
dumpdecrypted
iOSOpenDev
Tools
OpenSSH (Cydia)
iFile (Cydia)
Cycript (Cydia)
Command Line Tools
Xcode
Apple developer certificate or enterprise certificate
A jailbroken iPhone

Yes, automatically grabbing red envelopes on a non-jailbroken iPhone takes a few more tools than usual (a worker who wants to do a good job must first sharpen his tools ^_^). That doesn't matter: follow the tutorial step by step, and repeat any step you are unsure of. After all, nothing falls from the sky for free.

Decrypt WeChat executable file (Mach-O)

Because applications downloaded from the App Store are encrypted (FairPlay), we need some tools to decrypt the downloaded app, commonly known as "smashing the shell" (dumping the decrypted binary). Only then can we analyze the code structure of the app.

First of all, we need an iPhone that has already been jailbroken (jailbreaking is very mature these days, and the specific method is not covered here). Then open Cydia and install OpenSSH, Cycript, and iFile (iFile makes it easy to view log files while debugging).

PS: The author's phone is an iPhone 6 Plus running iOS 9.1.

Use iTunes to download the latest WeChat on the computer. The version of WeChat I downloaded at the time was 6.3.13. After downloading, the downloaded app will be displayed on iTunes.


[Figure: iTunes]

Connect to your iPhone and use iTunes to install the WeChat app you just downloaded.

Open a terminal on the Mac and use ssh to log in to the connected iPhone (make sure the iPhone and the Mac are on the same network segment; the author's iPhone IP address is 192.168.8.54). The root password of OpenSSH is alpine by default.


[Figure: ssh]

The next step is to find the bundle path of WeChat. Here I have a little trick: close all apps on the iPhone except WeChat, then enter the command ps -e; the WeChat process line shows the executable's path.


[Figure: WeChat bundle id]

In this way we have found the exact path of the WeChat executable. Next we use Cycript to find the path of WeChat's Documents directory; enter the command cycript -p WeChat


[Figure: cycript]

Compile dumpdecrypted
First write down the two paths we just obtained (Bundle and Documents). Now we start using dumpdecrypted to smash the shell of the WeChat binary (WeChat).
Download the latest dumpdecrypted source code from GitHub, enter the dumpdecrypted source directory, and compile dumpdecrypted.dylib; the command is as follows:


[Figure: dumpdecrypted.dylib]

In this way, we can see a dumpdecrypted.dylib file is generated in the dumpdecrypted directory.

scp
Copy dumpdecrypted.dylib to the iPhone; here we use the scp command.

Usage: scp <source file path> <target file path>. The details are as follows:


[Figure: scp]

Start smashing the shell
The usage of dumpdecrypted.dylib (run over ssh on the iPhone, from the Documents directory found above) is: DYLD_INSERT_LIBRARIES=/PathFrom/dumpdecrypted.dylib /PathTo, where /PathFrom is the directory dumpdecrypted.dylib was copied to and /PathTo is the WeChat executable path found with ps -e.


[Figure: dumpdecrypted]

This output means the shell was smashed successfully, and the decrypted file, WeChat.decrypted, is generated in the current directory. Use the scp command again to copy WeChat.decrypted to the computer; then we can officially dump the WeChat executable.

dump WeChat executable file

Download the latest class-dump source code from Github, and then compile it with Xcode to generate a class-dump (here is relatively simple, I will not explain it in detail).

Export WeChat header files
Use the class-dump command to export the header files of the freshly decrypted WeChat.decrypted:
./class-dump -s -S -H ./WeChat.decrypted -o ./header6.3-arm64


[Figure: Exported header file]

Here we can create a new Xcode project and add the exported header files to it, so that the relevant WeChat code is easy to search.


[Figure: WeChat header file]

Find the two files CMessageMgr.h and WCRedEnvelopesLogicMgr.h; in them we notice these two methods: - (void)AsyncOnAddMsg:(id)arg1 MsgWrap:(id)arg2; and - (void)OpenRedEnvelopesRequest:(id)arg1;. That's right, these are the two methods we will use to grab red envelopes automatically. The principle is: hook WeChat's new-message method, check whether the incoming message is a red envelope, and if it is, call WeChat's own open-red-envelope method. Haha, isn't it simple? Let's see how it is implemented.

Create a new dylib project. Because Xcode does not support generating a dylib by default, we need to download iOSOpenDev. After installation (under Xcode 7 the installer reports that iOSOpenDev failed to install; refer to the iOSOpenDev installation problem), reopen Xcode and you will see the iOSOpenDev option in the new project dialog.


[Figure: iOSOpenDev]

dylib code
Select Cocoa Touch Library; this creates a new dylib project, which we name autoGetRedEnv.

Delete the autoGetRedEnv.h file, rename autoGetRedEnv.m to autoGetRedEnv.mm, and add CaptainHook.h to the project.

Because WeChat will not actively load our hook code, we need to write the hook logic into the constructor.

__attribute__((constructor)) static void entry() { /* specific hook methods go here */ }

Hook WeChat's AsyncOnAddMsg:MsgWrap: method; the implementation is as follows:

#import <Foundation/Foundation.h>
#import <objc/message.h>
#import "CaptainHook.h"

// Declare the CMessageMgr class
CHDeclareClass(CMessageMgr);
CHMethod(2, void, CMessageMgr, AsyncOnAddMsg, id, arg1, MsgWrap, id, arg2)
{
    // Call the original AsyncOnAddMsg:MsgWrap: method first
    CHSuper(2, CMessageMgr, AsyncOnAddMsg, arg1, MsgWrap, arg2);
    // Red-envelope detection logic (omitted here; it produces logicMgr and params)
    // ...
    // Call the native method to open the red envelope
    // Note: the third parameter of objc_msgSend must be typed as NSMutableDictionary *,
    // otherwise the open-red-envelope method is not triggered when objc_msgSend is called
    ((void (*)(id, SEL, NSMutableDictionary *))objc_msgSend)(logicMgr, @selector(OpenRedEnvelopesRequest:), params);
}
__attribute__((constructor)) static void entry()
{
    // Load the CMessageMgr class late (it lives in the WeChat binary, not in a framework)
    CHLoadLateClass(CMessageMgr);
    // Hook the AsyncOnAddMsg:MsgWrap: method
    CHClassHook(2, CMessageMgr, AsyncOnAddMsg, MsgWrap);
}
The entire code of the project, (source download address).

After completing the specific implementation logic, you can successfully generate dylib.

Repackage WeChat App

Inject the dylib into the WeChat executable
For our code to run once WeChat starts, we first need to make WeChat load our dylib. Here we use a dylib injection artifact: yololib. Download the source code from the Internet and compile it to get yololib.

With yololib, a single command completes the injection. Before injecting, rename the previously saved WeChat.decrypted back to WeChat, since it is the decrypted executable.
./yololib <target executable> <dylib to inject>
After a successful injection you will see the following output:


[Figure: dylib injection]
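As a defender's counterpart to the two binary modifications this tutorial walks through, the following C program (an added example, not code from the post, dumpdecrypted or yololib) checks a 64-bit Mach-O image for exactly the traces they leave: a cryptid of 0 in LC_ENCRYPTION_INFO_64 (a decrypted dump) and LC_LOAD_DYLIB entries pointing outside /System and /usr/lib (an injected library such as @executable_path/libautoGetRedEnv.dylib). It assumes only the standard C library and builds its own constructed sample image rather than reading a real binary.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define MH_MAGIC_64 0xfeedfacfu          /* 64-bit Mach-O header magic */
#define LC_LOAD_DYLIB 0xcu               /* load command yololib appends */
#define LC_ENCRYPTION_INFO_64 0x2cu      /* carries the App Store cryptid */
struct scan_result { uint32_t ndylibs, nforeign; int cryptid; };

/* Walk the load commands of an in-memory 64-bit Mach-O image: record the cryptid
   (1 = App Store encrypted, 0 = decrypted dump, -1 = none) and count LC_LOAD_DYLIB
   names outside /System and /usr/lib. Returns 0, or -1 if malformed/truncated. */
int scan_macho64(const uint8_t *buf, size_t len, struct scan_result *r) {
    uint32_t magic, ncmds, sizeofcmds, cmd, cmdsize, nameoff, id;
    memset(r, 0, sizeof *r); r->cryptid = -1; if (len < 32) return -1;
    memcpy(&magic, buf, 4); memcpy(&ncmds, buf + 16, 4); memcpy(&sizeofcmds, buf + 20, 4);
    if (magic != MH_MAGIC_64 || (size_t)sizeofcmds > len - 32) return -1;
    size_t off = 32, end = 32 + sizeofcmds;
    for (uint32_t i = 0; i < ncmds; i++) {
        if (end - off < 8) return -1;
        memcpy(&cmd, buf + off, 4); memcpy(&cmdsize, buf + off + 4, 4);
        if (cmdsize < 8 || cmdsize > end - off) return -1;  /* bounds-check every command */
        if (cmd == LC_LOAD_DYLIB && cmdsize >= 24) {
            memcpy(&nameoff, buf + off + 8, 4);              /* dylib.name is an offset into the command */
            if (nameoff >= cmdsize) return -1;
            const char *name = (const char *)buf + off + nameoff;
            if (!memchr(name, 0, cmdsize - nameoff)) return -1; /* must be NUL-terminated inside it */
            r->ndylibs++;
            if (strncmp(name, "/System/", 8) && strncmp(name, "/usr/lib/", 9)) r->nforeign++;
        } else if (cmd == LC_ENCRYPTION_INFO_64 && cmdsize >= 24) {
            memcpy(&id, buf + off + 16, 4); r->cryptid = (int)id; /* cryptid field */
        }
        off += cmdsize;
    }
    return 0;
}

/* Build a constructed (not real) minimal Mach-O 64 image for offline testing: one
   LC_ENCRYPTION_INFO_64 with the given cryptid, then one LC_LOAD_DYLIB per name. */
size_t build_sample(uint8_t *out, uint32_t cryptid, const char **dylibs, int n) {
    uint32_t enc[6] = { LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x10000, cryptid, 0 };
    size_t off = 32; memcpy(out + off, enc, 24); off += 24;
    for (int i = 0; i < n; i++) {
        size_t nlen = strlen(dylibs[i]) + 1, cmdsize = (24 + nlen + 7) & ~(size_t)7;
        uint32_t dl[6] = { LC_LOAD_DYLIB, (uint32_t)cmdsize, 24, 2, 0x10000, 0x10000 };
        memset(out + off, 0, cmdsize); memcpy(out + off, dl, 24);
        memcpy(out + off + 24, dylibs[i], nlen); off += cmdsize;
    }
    uint32_t hdr[8] = { MH_MAGIC_64, 0x0100000c, 0, 2, (uint32_t)n + 1, (uint32_t)(off - 32), 0, 0 };
    memcpy(out, hdr, 32);  /* header written last, once ncmds and sizeofcmds are known */
    return off;
}
```

An untouched App Store binary reports cryptid 1 and no foreign dylibs; a WeChat binary processed as above reports cryptid 0 and one foreign entry, which is the signal an app-integrity check can alert on.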

Create a new Entitlements.plist (the values below are placeholders; use your own team ID and bundle identifier):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>123456.com.autogetredenv.demo</string>
    <key>com.apple.developer.team-identifier</key>
    <string>123456</string>
    <key>get-task-allow</key>
    <true/>
    <key>keychain-access-groups</key>
    <array>
        <string>123456.com.autogetredenv.demo</string>
    </array>
</dict>
</plist>
You may not know your certificate's Team ID and related values. That doesn't matter; here is a little trick: take an app packaged with your developer or enterprise certificate (say, Demo) and run the following command in the terminal to print its entitlements, which contain the relevant information:
./ldid -e ./Demo.app/demo

Re-sign WeChat
Next, copy the generated dylib (libautoGetRedEnv.dylib), the WeChat executable that now has the dylib injected, and the embedded.mobileprovision file (found in the previously packaged app) into WeChat.app.

Command format: codesign -f -s <certificate name> <target file>

PS: The certificate name can be found in Keychain Access.

Use codesign to sign the relevant files in WeChat.app; the specific commands are as follows:


[Figure: Re-sign]

Package into an ipa
After re-signing WeChat, we can use xcrun to generate the ipa; the specific command is as follows:
xcrun -sdk iphoneos PackageApplication -v WeChat.app -o ~/WeChat.ipa

Install WeChat with red envelope grabbing function

If all the above steps succeeded, then everything is ready and only the east wind is missing (the final install) ~~~

We can use the iTools tool to install the modified WeChat on the iPhone (this iPhone's device ID needs to be added to the certificate).


[Figure: iTools]

The job is done!

Now we can see the effect of the hooked WeChat grabbing red envelopes ~


[Figure: Automatically grab red envelopes]


Haha, isn't it cool? "Mom no longer has to worry about me grabbing red envelopes." If you are interested, you can go on to hook other WeChat functions, which both deepens your learning and meets your own special needs.
