14.2 Analyzing the red-envelope grabbing method
From our analysis of WeChat messages we know that the message type value for a red envelope is 49, so to implement automatic red-envelope grabbing we only need to hook the message response method and, when the message type is 49, call the method that grabs the red envelope. So how do we locate that method? We can analyze and locate it the same way as above.
14.2.1 Using cycript or Reveal to analyze the red-envelope grabbing UI
// View hierarchy added when the red-envelope grabbing UI pops up
| WCRedEnvelopesReceiveHomeView:0x16212eba0
| | UIButton:0x162587cb0
| | UIImageView:0x162872820
| | | UIView:0x1629021e0
| | | UIView:0x162906590
| | | UIImageView:0x1625dcd80
| | | UIView:0x1628b3c10
| | | | UIView:0x162887f60
| | | | UIView:0x16288a260
| | | | UIImageView:0x1625ee650
| | | | UIImageView:0x1625f5cc0
| | | | UIButton:0x162517760
| | | UIView:0x1628798c0
| | | | MMHeadImageView:0x16217ab70
| | | | | MMUILongPressImageView:0x16286ab80
| | | | | UIImageView:0x1628014b0
| | | MMUILabel:0x162905dd0'^_^'
| | | MMUILabel:0x162901fe0'\u7ed9\u4f60\u53d1\u4e86\u4e00\u4e2a\u7ea2\u5305'
| | | MMUILabel:0x1628796c0'\u606d\u559c\u53d1\u8d22\uff0c\u5927\u5409\u5927\u5229'
| | | UIButton:0x16284b960
| | | UIButton:0x162581d90
| | | | UIImageView:0x16255b1a0
| | | UIImageView:0x1621ca190
| | | UIImageView:0x16256cad0
Note: the dumped headers include a header file with the same name as this view, WCRedEnvelopesReceiveHomeView.h
Use a Tweak to hook the class declared in WCRedEnvelopesReceiveHomeView.h
// OnOpenRedEnvelopes is identified as the method that responds to grabbing the red envelope
Sep 9 19:18:19 Flongers-iphone WeChat[17143]: [WeChatReProject] Tweak.xm:5 DEBUG: -[< WCRedEnvelopesReceiveHomeView: 0x13191a020> OnOpenRedEnvelopes]
Sep 9 19:18:19 Flongers-iphone WeChat[17143]: [WeChatReProject] Tweak.xm:19 DEBUG: -[ startReceiveAnimation]
Sep 9 19:18:20 Flongers-iphone WeChat[17143]: [WeChatReProject] Tweak.xm:18 DEBUG: -[ showSuccessOpenAnimation]
Sep 9 19:18:21 Flongers-iphone WeChat[17143]: [WeChatReProject] Tweak.xm:14 DEBUG: -[ removeView]
// This is the method that responds when the "抢" (grab) button is tapped
%hook WCRedEnvelopesReceiveHomeView
- (void)OnOpenRedEnvelopes { %log; %orig; }
%end
// Verify it with cycript
Flongers-iphone:~ root# cycript -p WeChat
cy# [#0x130e9a960 OnOpenRedEnvelopes]
14.2.2 Static disassembly analysis
Testing shows that every time the red-envelope grabbing UI is opened, a new WCRedEnvelopesReceiveHomeView instance is created. If we rely on the OnOpenRedEnvelopes method to implement "grabbing", it can only be called successfully while the grabbing UI is open. That is a significant limitation, so we need to analyze the deeper processing logic and find the more general red-envelope handling code.
Analyze the disassembly of OnOpenRedEnvelopes in Hopper or IDA
Combined with the dumped headers, the analysis shows that the items related to OnOpenRedEnvelopes are:
NSDictionary *m_dicBaseInfo;
id m_delegate;
WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes
// Interpreting the assembly instructions
[receiver message];
is compiled into: objc_msgSend(receiver, selector);
[receiver messageArg1:xx Arg2:xx ...];
is compiled into: objc_msgSend(receiver, selector, arg1, arg2, ...);
// ADRP is the address-generation instruction (it computes a page address); X8 is the register used here for indirect addressing; X0~X7 are generally used to pass arguments and return values.
// That is, when objc_msgSend is called, X0 holds the first argument (receiver), X1 holds the second argument (selector), and any further arguments follow in order.
ADRP X8, #selRef_WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes@PAGE
// Load instruction: loads the value at X8 plus the given offset into the X1 register
LDR X1, [X8,#selRef_WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes@PAGEOFF]
// Call the subroutine
BL _objc_msgSend
Note: focus on X0 and X1; from them we can determine the object, the method name and the return value of an Objective-C method call.
- Use a tweak to hook OnOpenRedEnvelopes and observe its data
@interface WCRedEnvelopesReceiveHomeView {
    NSDictionary *m_dicBaseInfo;
    id m_delegate;
}
@end
%hook WCRedEnvelopesReceiveHomeView
- (void)OnOpenRedEnvelopes {
    // Read the instance variables; MSHookIvar works by calling the runtime function class_getInstanceVariable
    NSDictionary *dic = MSHookIvar<NSDictionary *>(self, "m_dicBaseInfo");
    NSArray *arr = [dic allKeys];
    for (NSInteger i = 0; i < arr.count; i++) {
        NSLog(@"%@ : %@", arr[i], [dic objectForKey:arr[i]]);
    }
    id de = MSHookIvar<id>(self, "m_delegate");
    NSLog(@"m_delegate class: %@", [de class]);
    //%orig;
}
%end
- Analyze the code that calls WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes
ADRP X8, #_OBJC_IVAR_$_WCRedEnvelopesReceiveHomeView.m_delegate@PAGE ;
LDRSW X8, [X8,#_OBJC_IVAR_$_WCRedEnvelopesReceiveHomeView.m_delegate@PAGEOFF] ;
ADD X0, X19, X8
BL _objc_loadWeakRetained
Pseudocode:
WCRedEnvelopesReceiveControlLogic* controlLogic = self.m_delegate;
MOV X19, X0
ADRP X8, #selRef_WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes@PAGE
LDR X1, [X8,#selRef_WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes@PAGEOFF]
BL _objc_msgSend
Analysis:
X0 is controlLogic
X1 is WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes
Pseudocode:
[controlLogic WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes];
Verification:
The header file with the same name as WCRedEnvelopesReceiveControlLogic contains this method:
- (void)WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes;
- Continue analyzing the WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes method of the WCRedEnvelopesReceiveControlLogic class
Analyze the assembly:
ADRP X8, #OBJC_IVAR$_WCRedEnvelopesControlLogic.m_data@PAGE
LDRSW X24, [X8,#OBJC_IVAR$_WCRedEnvelopesControlLogic.m_data@PAGEOFF]
LDR X0, [X27,X24] // equivalent to [self m_data]
Combined with the headers: WCRedEnvelopesReceiveControlLogic defines the member variable WCRedEnvelopesControlData *m_data;
ADRP X8, #selRef_m_oSelectedMessageWrap@PAGE
LDR X19, [X8,#selRef_m_oSelectedMessageWrap@PAGEOFF]
MOV X1, X19
BL _objc_msgSend
MOV X29, X29
BL _objc_retainAutoreleasedReturnValue
MOV X22, X0 // this is the return value; X22 now holds msgWrap
Analysis: X0 is the value of m_data; X1 is the value passed in X19, i.e. m_oSelectedMessageWrap
WCRedEnvelopesControlData defines the member variable: CMessageWrap *m_oSelectedMessageWrap;
Pseudocode:
// self here is the WCRedEnvelopesReceiveControlLogic instance
WCRedEnvelopesControlData *data = [self m_data];
CMessageWrap *msgWrap = [data m_oSelectedMessageWrap];
Assembly:
ADRP X8, #selRef_m_oWCPayInfoItem@PAGE
LDR X1, [X8,#selRef_m_oWCPayInfoItem@PAGEOFF]
STR X1, [SP,#0x120+var_100]
BL _objc_msgSend
MOV X29, X29
BL _objc_retainAutoreleasedReturnValue
MOV X23, X0 // this is the return value
Analysis: X0 is the msgWrap from above; X1 is m_oWCPayInfoItem
CMessageWrap has the property @property(retain, nonatomic) WCPayInfoItem *m_oWCPayInfoItem;
Pseudocode:
WCPayInfoItem *payInfoItem = [msgWrap m_oWCPayInfoItem];
Assembly:
ADRP X8, #selRef_m_c2cNativeUrl@PAGE
LDR X1, [X8,#selRef_m_c2cNativeUrl@PAGEOFF]
STR X1, [SP,#0x120+var_108]
BL _objc_msgSend
MOV X29, X29
BL _objc_retainAutoreleasedReturnValue
MOV X25, X0 // this is the return value
Analysis: X0 is the payInfoItem from above; X1 is m_c2cNativeUrl
WCPayInfoItem has the property @property(retain, nonatomic) NSString *m_c2cNativeUrl;
Pseudocode:
NSString *c2cNativeUrl = [payInfoItem m_c2cNativeUrl];
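The register tracking carried out by hand above (ADRP/LDR loads a selector reference into X1, the receiver sits in X0, and each objc_msgSend's return value becomes the next receiver) can be mechanized. The following script is an added example, not code from the book, from WeChat or from any tweak project: it walks an ARM64 listing once with a symbolic value per register and emits one pseudocode statement per objc_msgSend, covering both the call into the delegate analyzed earlier and the m_data / m_oSelectedMessageWrap / m_oWCPayInfoItem / m_c2cNativeUrl chain just derived. The two listings are embedded as constructed sample input; that X19 holds self in the first sequence and X27 in the second is an assumption taken from the surrounding analysis.

```python
import re
from typing import Dict, List, Optional, Tuple

Sym = Tuple[str, ...]   # tagged symbolic register content, e.g. ("sel", "m_data")
SEL_RE = re.compile(r"#selRef_(\w+)@PAGE(?:OFF)?$")
IVAR_RE = re.compile(r"#_?OBJC_IVAR_?\$_(\w+)\.(\w+)@PAGE(?:OFF)?$")
MEM_RE = re.compile(r"^\[(\w+)\s*,\s*([^\]]+)\]$")
OPERAND_RE = re.compile(r"\[[^\]]*\]|[^,\s]+")

# Constructed sample input: the two instruction sequences analyzed in this section.
# X19 (first) and X27 (second) holding self is an assumption taken from the analysis.
SAMPLE_OPEN = """
ADRP X8, #_OBJC_IVAR_$_WCRedEnvelopesReceiveHomeView.m_delegate@PAGE ;
LDRSW X8, [X8,#_OBJC_IVAR_$_WCRedEnvelopesReceiveHomeView.m_delegate@PAGEOFF] ;
ADD X0, X19, X8
BL _objc_loadWeakRetained
MOV X19, X0
ADRP X8, #selRef_WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes@PAGE
LDR X1, [X8,#selRef_WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes@PAGEOFF]
BL _objc_msgSend
"""
SAMPLE_LOGIC = """
ADRP X8, #OBJC_IVAR$_WCRedEnvelopesControlLogic.m_data@PAGE
LDRSW X24, [X8,#OBJC_IVAR$_WCRedEnvelopesControlLogic.m_data@PAGEOFF]
LDR X0, [X27,X24]   // equivalent to [self m_data]
ADRP X8, #selRef_m_oSelectedMessageWrap@PAGE
LDR X19, [X8,#selRef_m_oSelectedMessageWrap@PAGEOFF]
MOV X1, X19
BL _objc_msgSend
MOV X29, X29
BL _objc_retainAutoreleasedReturnValue
MOV X22, X0
ADRP X8, #selRef_m_oWCPayInfoItem@PAGE
LDR X1, [X8,#selRef_m_oWCPayInfoItem@PAGEOFF]
STR X1, [SP,#0x120+var_100]
BL _objc_msgSend
ADRP X8, #selRef_m_c2cNativeUrl@PAGE
LDR X1, [X8,#selRef_m_c2cNativeUrl@PAGEOFF]
BL _objc_msgSend
MOV X25, X0
"""


def decode(listing: str, initial: Optional[Dict[str, str]] = None) -> List[str]:
    """Walk the listing once, keeping a symbolic value per register, and emit one
    pseudocode statement per objc_msgSend call, as the manual analysis above does."""
    regs: Dict[str, Sym] = {r: ("val", e) for r, e in (initial or {}).items()}
    stmts: List[str] = []

    def val(reg: str) -> str:                      # printable object held in a register
        v = regs.get(reg)
        return v[1] if v and v[0] == "val" else f"<{reg}?>"

    def field(base: str, off: str) -> Optional[str]:   # object + ivar offset -> obj->ivar
        b, o = regs.get(base), regs.get(off)
        return f"{b[1]}->{o[1]}" if b and b[0] == "val" and o and o[0] == "ivar" else None

    for raw in listing.splitlines():
        line = raw.split("//", 1)[0].split(";", 1)[0].strip()   # drop comments
        if not line:
            continue
        op, *rest = line.split(None, 1)
        args = OPERAND_RE.findall(rest[0]) if rest else []
        if op == "ADRP":                                # page address of a symbol
            regs[args[0]] = ("page", args[1])
        elif op in ("LDR", "LDRSW"):
            m = MEM_RE.match(args[1])
            if m and m.group(2).startswith("#"):        # [Xn,#sym@PAGEOFF]: load the symbol
                s, i = SEL_RE.match(m.group(2)), IVAR_RE.match(m.group(2))
                regs[args[0]] = ("sel", s.group(1)) if s else ("ivar", i.group(2)) if i else ("unknown", line)
            else:                                       # [Xa,Xb]: load a field of an object
                f = field(m.group(1), m.group(2)) if m else None
                regs[args[0]] = ("val", f) if f else ("unknown", line)
        elif op == "ADD":                               # address of obj->ivar
            f = field(args[1], args[2])
            regs[args[0]] = ("addr", f) if f else ("unknown", line)
        elif op == "MOV" and args[0] != args[1]:
            regs[args[0]] = regs.get(args[1], ("unknown", args[1]))
        elif op == "BL":
            target = args[0]
            if target == "_objc_msgSend":               # X0 = receiver, X1 = selector
                sel = regs.get("X1")
                name = sel[1] if sel and sel[0] == "sel" else "<X1?>"
                result = f"v{len(stmts) + 1}"
                stmts.append(f"{result} = [{val('X0')} {name}];")
                regs["X0"] = ("val", result)
                for n in range(1, 18):                  # caller-saved X1..X17 are clobbered
                    regs.pop(f"X{n}", None)
            elif target == "_objc_loadWeakRetained":    # reads the weak ivar at the address in X0
                a = regs.get("X0")
                regs["X0"] = ("val", a[1]) if a and a[0] == "addr" else ("unknown", line)
            elif target != "_objc_retainAutoreleasedReturnValue":   # that one leaves X0 unchanged
                regs["X0"] = ("val", f"{target.lstrip('_')}()")
        # STR and any other instruction does not change the values tracked here
    return stmts


if __name__ == "__main__":
    print("\n".join(decode(SAMPLE_OPEN, {"X19": "self"}) + decode(SAMPLE_LOGIC, {"X27": "self"})))
```

Run stand-alone, it prints `v1 = [self->m_delegate WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes];` for the first listing and the three-step chain `[self->m_data m_oSelectedMessageWrap]`, `[v1 m_oWCPayInfoItem]`, `[v2 m_c2cNativeUrl]` for the second, which is exactly the pseudocode derived by hand above. Only X0 and X1 are interpreted, matching the note in the text; extending the same bookkeeping to X2~X7 would recover message arguments as well.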
- You can use a Tweak to view the value of m_c2cNativeUrl
@interface WCPayInfoItem @property(retain, nonatomic) NSString *m_c2cNativeUrl; @end
@interface CMessageWrap @property(retain, nonatomic) WCPayInfoItem *m_oWCPayInfoItem; @end
@interface WCRedEnvelopesControlData{ CMessageWrap* m_oSelectedMessageWrap; } @end
@interface WCRedEnvelopesReceiveControlLogic{ WCRedEnvelopesControlData *m_data; } @end
%hook WCRedEnvelopesReceiveControlLogic
- (void)WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes {
    id data = MSHookIvar<id>(self, "m_data");
    NSLog(@"data class:%@", [data class]);
    id msgWrap = MSHookIvar<id>(data, "m_oSelectedMessageWrap");
    NSLog(@"msgWrap class:%@", [msgWrap class]);
    // Declared properties don't need MSHookIvar: declare the interface and call the getter directly
    id payinfoitem = [msgWrap m_oWCPayInfoItem];
    NSLog(@"payinfoitem class:%@", [payinfoitem class]);
    NSString *nativeUrl = [payinfoitem m_c2cNativeUrl];
    NSLog(@"nativeUrl class:%@, nativeUrl = %@", [nativeUrl class], nativeUrl);
    //%orig;
}
%end
The value of m_c2cNativeUrl from one red-envelope grab:
Sep 13 19:16:59 Flongers-iphone WeChat[2438]: data class:WCRedEnvelopesControlData
Sep 13 19:16:59 Flongers-iphone WeChat[2438]: msgWrap class:CMessageWrap
Sep 13 19:16:59 Flongers-iphone WeChat[2438]: payinfoitem class:WCPayInfoItem
Sep 13 19:16:59 Flongers-iphone WeChat[2438]: nativeUrl class:__NSCFString, nativeUrl = wxpay://c2cbizmessagehandler/hongbao/receivehongbao?msgtype=1&channelid=1&sendid=1000039501201709137016141291061&sendusername=&ver=6&sign=