iOS WeChat automatically grabs red envelopes (non-jailbroken)
WeChat red envelopes are very popular now, especially in WeChat groups. If we don't grab a red envelope in time, we won't get one at all. So we wonder whether we can write a plug-in or something similar to grab red envelopes automatically. The result looks like this:
[Screenshot: WeChat red envelope]
Foreword: The author has recently been studying iOS reverse engineering and used WeChat as a practice target, implementing automatic red-envelope grabbing in WeChat on a non-jailbroken phone.
Off-topic: This tutorial is a serious technical discussion intended only for learning and research. Please do not use it for commercial or other illegal purposes; the author takes no responsibility ~~
Well, let's get to the topic!
Tools / files required for this tutorial
yololib
class-dump
dumpdecrypted
iOSOpenDev
Tools
OpenSSH (Cydia)
iFile (Cydia)
Cycript (Cydia)
Command Line Tools
Xcode
Apple Developer Certificate or Enterprise Certificate for a jailbroken iPhone
Yes, if you want to grab red envelopes automatically on a non-jailbroken iPhone, a few more tools are needed (a worker who wants to do a good job must first sharpen his tools ^_^). That doesn't matter; just follow the tutorial step by step, and repeat any step you are unsure about. After all, nothing falls from the sky.
Decrypt WeChat executable file (Mach-O)
Because applications downloaded from the App Store are encrypted, we need some tools to decrypt the downloaded app, commonly known as "smashing the shell". Only then can we analyze the code structure of the app.
First of all, we need a jailbroken iPhone (jailbreaking is very mature by now; the specific method is not covered here). Then open Cydia and install OpenSSH, Cycript and iFile (iFile makes it easy to view log files when debugging).
PS: The author's phone is an iPhone 6 Plus running iOS 9.1.
Use iTunes on the computer to download the latest WeChat. The version I downloaded at the time was 6.3.13. After the download, the app is displayed in iTunes.
[Screenshot: iTunes]
Connect to your iPhone and use iTunes to install the WeChat app you just downloaded.
Open a terminal on the Mac and ssh into the connected iPhone (make sure the iPhone and the Mac are on the same network segment; the author's iPhone IP address is 192.168.8.54). The default root password of OpenSSH is alpine.
[Screenshot: ssh]
The next step is to find WeChat's bundle path. Here is a little trick: close all apps on the iPhone except WeChat, then enter the command ps -e
[Screenshot: WeChat bundle path]
This gives us the full path of the WeChat executable. Next we use Cycript to find the path of WeChat's Documents directory; enter the command cycript -p WeChat
[Screenshot: cycript]
Compile dumpdecrypted
First write down the two paths we just obtained (Bundle and Documents). Now we use dumpdecrypted to smash the shell of the WeChat binary (WeChat).
Download the latest dumpdecrypted source code from GitHub, enter the dumpdecrypted source directory and compile dumpdecrypted.dylib; the command is as follows:
[Screenshot: compiling dumpdecrypted.dylib]
A dumpdecrypted.dylib file is now generated in the dumpdecrypted directory.
scp
Copy dumpdecrypted.dylib to the iPhone; here we use the scp command.
The form is scp <source file path> <target file path>. Details as follows:
[Screenshot: scp]
Start to smash the shell
The usage of dumpdecrypted.dylib is: DYLD_INSERT_LIBRARIES=/PathFrom/dumpdecrypted.dylib /PathTo, where /PathFrom is the directory holding the dylib and /PathTo is the path of the WeChat executable found above.
[Screenshot: dumpdecrypted]
This output means the shell was smashed successfully, and the decrypted file, WeChat.decrypted, is generated in the current directory. Use scp again to copy WeChat.decrypted to the computer; then we can officially dump the WeChat executable.
dump WeChat executable file
Download the latest class-dump source code from GitHub and compile it with Xcode to get the class-dump binary (this part is straightforward and not explained in detail).
Export WeChat header files
Use class-dump to export the header files of the freshly decrypted WeChat.decrypted:
./class-dump -s -S -H ./WeChat.decrypted -o ./header6.3-arm64
[Screenshot: exported header files]
We can now create a new Xcode project and add the exported header files to it, which makes it easy to search the relevant WeChat code.
[Screenshot: WeChat header files]
In the two files CMessageMgr.h and WCRedEnvelopesLogicMgr.h we notice these two methods: -(void)AsyncOnAddMsg:(id)arg1 MsgWrap:(id)arg2; and -(void)OpenRedEnvelopesRequest:(id)arg1;. That's right: these are the two methods we will use to grab red envelopes automatically. The principle is to hook WeChat's new-message method, check whether the message is a red envelope, and if so call WeChat's own open-red-envelope method. Isn't it simple? Let's look at how it is implemented.
Create a new dylib project. Xcode does not support generating a dylib by default, so we need to download iOSOpenDev. After the installation completes (in an Xcode 7 environment it will report that the iOSOpenDev installation failed; refer to the iOSOpenDev installation problem), reopen Xcode and the iOSOpenDev option appears among the new-project templates.
[Screenshot: iOSOpenDev]
[Screenshot: dylib code]
Select Cocoa Touch Library; this creates a new dylib project, which we name autoGetRedEnv.
Delete the autoGetRedEnv.h file, rename autoGetRedEnv.m to autoGetRedEnv.mm, and then add CaptainHook.h to the project.
Because WeChat will not actively load our hook code, we need to write the hook logic into the constructor.
Hook WeChat's AsyncOnAddMsg:MsgWrap: method; the implementation is as follows:
#import <Foundation/Foundation.h>
#import <objc/message.h>
#import "CaptainHook.h"

// Declare the CMessageMgr class
CHDeclareClass(CMessageMgr);

// Replacement for -[CMessageMgr AsyncOnAddMsg:MsgWrap:], which WeChat calls for every new message
CHMethod(2, void, CMessageMgr, AsyncOnAddMsg, id, arg1, MsgWrap, id, arg2)
{
    // Call the original AsyncOnAddMsg:MsgWrap: method first so WeChat still processes the message
    CHSuper(2, CMessageMgr, AsyncOnAddMsg, arg1, MsgWrap, arg2);
    // Red-envelope detection logic (elided in the original article): it decides whether the
    // message is a red envelope and fills in the WCRedEnvelopesLogicMgr instance and parameters
    id logicMgr = nil;
    NSMutableDictionary *params = nil;
    // ...
    if (logicMgr == nil || params == nil) {
        return;
    }
    // Call the native method to open the red envelope.
    // The third parameter of objc_msgSend must be typed as NSMutableDictionary *, otherwise
    // the open-red-envelope method is not triggered when objc_msgSend is called
    ((void (*)(id, SEL, NSMutableDictionary *))objc_msgSend)(logicMgr, @selector(OpenRedEnvelopesRequest:), params);
}

// dyld runs constructor functions when the dylib is loaded, which is where the hook is installed
__attribute__((constructor)) static void entry()
{
    // Load the CMessageMgr class (it lives in the WeChat binary, so it is resolved at run time)
    CHLoadLateClass(CMessageMgr);
    // Hook the AsyncOnAddMsg:MsgWrap: method
    CHClassHook(2, CMessageMgr, AsyncOnAddMsg, MsgWrap);
}
The entire code of the project, (source download address).
After completing the specific implementation logic, the dylib can be built successfully.
Repackage WeChat App
Inject dylib for WeChat executable
For our code to run once WeChat is running, we first need to make WeChat load our dylib. Here we use a dylib-injection tool: yololib. Download the source code from the Internet and compile it to get yololib.
With yololib, a single command completes the injection. Before injecting, rename the previously saved WeChat.decrypted to WeChat; this is the executable whose shell has been smashed.
./yololib <target executable> <dylib to inject>
After the injection succeeds, you can see the following output:
[Screenshot: dylib injection]
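The load-command table that yololib edits is also what a defender inspects to tell a store-signed binary from a repackaged one. The following is an added example, not code from the article or from yololib: a small Python parser for a thin 64-bit Mach-O that reads the LC_ENCRYPTION_INFO_64 cryptid (1 means still App Store encrypted, 0 means a decrypted dump like the one produced above) and lists every LC_LOAD_DYLIB path, flagging any that is neither a system library nor one the app is known to embed. The two sample binaries are constructed inside the code (a header plus load commands, no code pages); the injected name libautoGetRedEnv.dylib is taken from the article, and the remaining values (versions, offsets, sizes) are assumptions.

```python
import struct

# Mach-O constants (from <mach-o/loader.h>)
MH_MAGIC_64 = 0xFEEDFACF
MH_EXECUTE = 2
CPU_TYPE_ARM64 = 0x0100000C
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x80000018
LC_ENCRYPTION_INFO_64 = 0x2C
DYLIB_CMDS = {LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB}
HEADER_SIZE = 32  # sizeof(struct mach_header_64)


def inspect_macho(data: bytes) -> dict:
    """Walk the load commands of a thin little-endian 64-bit Mach-O and return the
    cryptid (None if there is no LC_ENCRYPTION_INFO_64) plus the dylib load paths."""
    magic, _cpu, _sub, _ftype, ncmds, sizeofcmds, _flags, _res = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a thin 64-bit Mach-O; split fat binaries into slices first")
    if HEADER_SIZE + sizeofcmds > len(data):
        raise ValueError("sizeofcmds exceeds file length")
    info = {"cryptid": None, "dylibs": []}
    off = HEADER_SIZE
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        # Every load command must be at least 8 bytes and stay inside the command area
        if cmdsize < 8 or off + cmdsize > HEADER_SIZE + sizeofcmds:
            raise ValueError("malformed load command at offset %d" % off)
        if cmd == LC_ENCRYPTION_INFO_64:
            _cryptoff, _cryptsize, cryptid = struct.unpack_from("<III", data, off + 8)
            info["cryptid"] = cryptid
        elif cmd in DYLIB_CMDS:
            name_off = struct.unpack_from("<I", data, off + 8)[0]
            if name_off >= cmdsize:
                raise ValueError("dylib name offset outside its command")
            raw = data[off + name_off:off + cmdsize]
            info["dylibs"].append(raw.split(b"\0", 1)[0].decode("utf-8", "replace"))
        off += cmdsize
    return info


def unexpected_dylibs(info: dict, expected_embedded=()) -> list:
    """Load paths that are neither system libraries nor dylibs the app is known to ship."""
    return [p for p in info["dylibs"]
            if not p.startswith(("/System/", "/usr/lib/")) and p not in expected_embedded]


# --- constructed sample binaries (header and load commands only, no code) ---
def _dylib_cmd(path: bytes) -> bytes:
    name = path + b"\0"
    name += b"\0" * (-len(name) % 8)  # load commands are padded to 8-byte alignment
    # struct dylib_command: cmd, cmdsize, name offset (24), timestamp, current/compat version
    return struct.pack("<IIIIII", LC_LOAD_DYLIB, 24 + len(name), 24, 0, 0x10000, 0x10000) + name


def _encryption_cmd(cryptid: int) -> bytes:
    # struct encryption_info_command_64: cmd, cmdsize, cryptoff, cryptsize, cryptid, pad
    return struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x100000, cryptid, 0)


def build_sample(cryptid: int, dylib_paths) -> bytes:
    cmds = _encryption_cmd(cryptid) + b"".join(_dylib_cmd(p) for p in dylib_paths)
    header = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE,
                         1 + len(dylib_paths), len(cmds), 0, 0)
    return header + cmds


SYSTEM_LIBS = [b"/usr/lib/libobjc.A.dylib",
               b"/System/Library/Frameworks/Foundation.framework/Foundation"]
# As downloaded from the store: still encrypted, only system libraries linked
STORE_SAMPLE = build_sample(1, SYSTEM_LIBS)
# After dumpdecrypted + yololib: cryptid cleared and an extra dylib load command appended
TAMPERED_SAMPLE = build_sample(0, SYSTEM_LIBS + [b"@executable_path/libautoGetRedEnv.dylib"])


if __name__ == "__main__":
    for label, blob in (("store", STORE_SAMPLE), ("tampered", TAMPERED_SAMPLE)):
        info = inspect_macho(blob)
        print(label, "cryptid=%s" % info["cryptid"], "unexpected=%s" % unexpected_dylibs(info))
```

On a real app you would run inspect_macho over each architecture slice (fat binaries need their fat header parsed first, which this example deliberately leaves out), pass the dylibs the app legitimately embeds as expected_embedded, and cross-check by hand with otool -l, which prints the same load commands.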
Create a new Entitlements.plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>123456.com.autogetredenv.demo</string>
    <key>com.apple.developer.team-identifier</key>
    <string>123456</string>
    <key>get-task-allow</key>
    <true/>
    <key>keychain-access-groups</key>
    <array>
        <string>123456.com.autogetredenv.demo</string>
    </array>
</dict>
</plist>
Some of you may not know your certificate's Team ID and related information. That doesn't matter; here is a little trick: take an app packaged with your developer or enterprise certificate (call it Demo) and run the following command in the terminal to print the relevant information:
./ldid -e ./Demo.app/demo
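Before signing, the entitlements file is worth checking mechanically: a team prefix that does not match the signing certificate makes codesign reject the bundle, and get-task-allow set to true (as in the file above, which is normal for a development-signed build) lets a debugger attach to the app on the device, something a distribution build must not carry. The following is an added example, not code from the article: a Python check over entitlements plists using the standard plistlib module. The two sample plists are constructed inline; the first copies the values shown above, the second uses a deliberately mismatched team ID (ABCDEF, an assumed value) with debugging turned off.

```python
import plistlib


def check_entitlements(plist_bytes: bytes, distribution: bool = False) -> list:
    """Return a list of findings (an empty list means the entitlements are consistent).
    distribution=True applies the stricter wording for an App Store or enterprise build."""
    ent = plistlib.loads(plist_bytes)
    findings = []
    team = ent.get("com.apple.developer.team-identifier")
    app_id = ent.get("application-identifier", "")
    if not team:
        findings.append("missing com.apple.developer.team-identifier")
    if not app_id:
        findings.append("missing application-identifier")
    elif team and not app_id.startswith(team + "."):
        # codesign refuses a bundle whose app ID prefix differs from the certificate's team
        findings.append("application-identifier %r is not prefixed by team %r" % (app_id, team))
    for group in ent.get("keychain-access-groups", []):
        if team and not group.startswith(team + "."):
            findings.append("keychain-access-group %r lies outside team %r" % (group, team))
    if ent.get("get-task-allow") is True:
        msg = "get-task-allow is true: a debugger can attach to the app on the device"
        if distribution:
            msg += " (must be false for a distribution build)"
        findings.append(msg)
    return findings


# Constructed sample 1: the values from the Entitlements.plist shown above
DEV_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>123456.com.autogetredenv.demo</string>
    <key>com.apple.developer.team-identifier</key>
    <string>123456</string>
    <key>get-task-allow</key>
    <true/>
    <key>keychain-access-groups</key>
    <array>
        <string>123456.com.autogetredenv.demo</string>
    </array>
</dict>
</plist>
"""

# Constructed sample 2: team ID copied from a different certificate (assumed value ABCDEF), debugging off
MISMATCHED_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>123456.com.autogetredenv.demo</string>
    <key>com.apple.developer.team-identifier</key>
    <string>ABCDEF</string>
    <key>get-task-allow</key>
    <false/>
    <key>keychain-access-groups</key>
    <array>
        <string>123456.com.autogetredenv.demo</string>
    </array>
</dict>
</plist>
"""


if __name__ == "__main__":
    for label, blob in (("dev", DEV_ENTITLEMENTS), ("mismatched", MISMATCHED_ENTITLEMENTS)):
        print(label, check_entitlements(blob, distribution=True))
```

To check the entitlements actually sealed into a signed binary rather than the file you wrote, feed the output of codesign -d --entitlements :- <path> to the same function; the leading colon makes codesign emit the plain XML plist.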
Resign to WeChat
Next, copy the generated dylib (libautoGetRedEnv.dylib), the WeChat executable we just injected the dylib into, and the embedded.mobileprovision file (found in the previously packaged app) into WeChat.app.
Command format: codesign -f -s <certificate name> <target file>
PS: The certificate name can be found in Keychain Access.
Use codesign to sign the relevant files in WeChat.app; the specific commands are as follows:
[Screenshot: re-signing]
Packaged into ipa
After re-signing WeChat, we can use xcrun to generate the ipa:
xcrun -sdk iphoneos PackageApplication -v WeChat.app -o ~/WeChat.ipa
Install WeChat with red envelope grabbing function
If all the steps above succeeded, then everything is ready and only the final step remains ~~~
We can use the iTools tool to install the modified WeChat on the iPhone (this iPhone's device ID must be registered with the certificate).
[Screenshot: iTools]
The job is done!
Well, we can see the effect of hooked WeChat grabbing red envelopes ~
[Screenshot: automatically grabbing red envelopes]
Haha, isn't it cool? "Mom no longer has to worry about me grabbing red envelopes." If you are interested, you can go on to hook other WeChat functions, which both deepens your learning and meets your own special needs.
Thanks for reading, I hope to help everyone, thank you for your support of this site!