iOS逆向 非群主@所有人

iOS 逆向开发交流群

微信中只有群主才有@所有人的权限，下面用iOS逆向实现一下非群主@所有人的功能。

1、Makefile文件代码如下：

THEOS_DEVICE_IP = 192.123.10.123
TARGET = iphone:latest:8.0
ARCHS = armv7 arm64

include theos/makefiles/common.mk

TWEAK_NAME = weichatselectall
weichatselectall_FILES = Tweak.xm
weichatselectall_FRAMEWORKS = UIKit CoreFoundation Foundation CoreGraphics QuartzCore Security


include $(THEOS_MAKE_PATH)/tweak.mk

after-install::
    install.exec "killall -9 WeChat"

2、Tweak.xm 代码如下：

#import 
#import "WeChatRedEnvelop.h"
#import 

%hook NewMainFrameViewController

- (void)viewDidLoad
{
    %orig;

    UIButton *transparentButton = [UIButton buttonWithType:UIButtonTypeCustom];
    transparentButton.frame = CGRectMake(0, 64, 44, 44);
    transparentButton.layer.cornerRadius = 8;
    transparentButton.clipsToBounds = YES;
    transparentButton.backgroundColor = [UIColor blueColor];
    [transparentButton addTarget:self action:@selector(clickImage) forControlEvents:UIControlEventTouchUpInside];
    [((UIViewController *)self).view addSubview:transparentButton];
}

%new
- (void)clickImage
{
    UIAlertView *alert = [[UIAlertView alloc] initWithTitle:@"请输入文本" message:@"" delegate:self cancelButtonTitle:@"取消" otherButtonTitles:@"确定",nil];
    [alert setAlertViewStyle:UIAlertViewStylePlainTextInput];
    [alert show];
}

%new
- (void)alertView:(UIAlertView *)alertView clickedButtonAtIndex:(NSInteger)buttonIndex
{
    if(buttonIndex == 1) {
        UITextField *field = [alertView textFieldAtIndex:0];
        NSLog(@"txt ====  %@",field.text);

        NSString *path = NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES).lastObject;
        NSString *plistPath =  [path stringByAppendingPathComponent:@"data.plist"];

        NSMutableArray *roomArray = [NSMutableArray arrayWithContentsOfFile:plistPath];
        NSLog(@"roomArray ===== %@",roomArray);


        CMessageMgr *messager = [[objc_getClass("MMServiceCenter") defaultCenter] getService:[objc_getClass("CMessageMgr") class]];
        CMessageWrap *wrap = [[%c(CMessageWrap) alloc] initWithMsgType:1];

        for(NSString *roomID in roomArray) {
            NSLog(@"顺序测试-----%@",roomID);
            NSTimeInterval time = [[NSDate date] timeIntervalSince1970];
            long long int date = (long long int)time;

            NSString *name =[%c(SettingUtil) getLocalUsrName:0];
            wrap.m_nsFromUsr = name;
            wrap.m_nsContent = [NSString stringWithFormat:@"#所有人 %@",field.text];
            wrap.m_nsToUsr = roomID;
            wrap.m_uiCreateTime = date;
            wrap.m_uiStatus = 1;
            wrap.m_nsMsgSource = nil;
            [messager AddMsg:roomID MsgWrap:wrap];
        }
    }
}

%end

%hook CMessageMgr

- (void)AsyncOnAddMsg:(id)arg1 MsgWrap:(CMessageWrap *)wrap{

    NSLog(@"接收到消息%@",wrap);
    NSString *fromUser = wrap.m_nsFromUsr ;

    if ([fromUser  hasSuffix:@"@chatroom"]) {

        NSLog(@"chatroom found");

        NSString *path = NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES).lastObject;
        NSString *plistPath =  [path stringByAppendingPathComponent:@"data.plist"];
        NSMutableArray *arrayM = [NSMutableArray array];
        NSArray *storArray = [NSArray arrayWithContentsOfFile:plistPath];
        [arrayM addObjectsFromArray:storArray];

        if (![arrayM containsObject:fromUser]){
            [arrayM addObject:fromUser];
            NSLog(@"存储数据");
            NSLog(@"arrayM ==== %@",arrayM);
            [arrayM writeToFile:plistPath atomically:YES];
        }
    }
    %orig;
}

- (void)AddMsg:(id)arg1 MsgWrap:(CMessageWrap *)wrap
{

    NSLog(@"time ===%ld",(unsigned long)wrap.m_uiCreateTime);

    int type = wrap.m_uiMessageType;
    NSString *knFromUser = wrap.m_nsFromUsr;
    NSString *knToUsr = wrap.m_nsToUsr;
    NSString *knContent = wrap.m_nsContent;
    NSString *knSource = wrap.m_nsMsgSource;
    NSString *message = [NSString stringWithFormat:@"type=%d--knFromUser=%@--knToUsr=%@--knContent=%@--knSource=%@",type,knFromUser,knToUsr,knContent,knSource];

    CContactMgr *contactManager = [[objc_getClass("MMServiceCenter") defaultCenter] getService:[objc_getClass("CContactMgr") class]];
    CContact *selfContact = [contactManager getSelfContact];

    NSLog(@"message =======  %@",message);

    if (type == 1) {
        if ([knFromUser isEqualToString:selfContact.m_nsUsrName]) {
            if ([knToUsr hasSuffix:@"@chatroom"]) {
                NSLog(@"selfContact ==== %@",selfContact);
                    if( knSource == nil){
                        NSString *aaa = [selfContact.m_nsUsrName stringByAddingPercentEscapesUsingEncoding:NSUTF8StringEncoding];
                        NSLog(@"length=%lu,%@",(unsigned long)aaa.length,aaa);
                        NSArray *result = (NSArray *)[objc_getClass("CContact") getChatRoomMemberWithoutMyself:knToUsr];

                            if ([knContent hasPrefix:@"#所有人"]){ // 前缀要求
                                NSString *subStr = [knContent substringFromIndex:4];
                                NSMutableString *string = [NSMutableString string];
                                [result enumerateObjectsUsingBlock:^(CContact *obj, NSUInteger idx, BOOL * _Nonnull stop) {
                                    [string appendFormat:@",%@",obj.m_nsUsrName];
                                }];

                                NSString *sourceString = [string substringFromIndex:1];
                                wrap.m_uiStatus = 3;
                                wrap.m_nsContent = subStr;
                                wrap.m_nsMsgSource = [NSString stringWithFormat:@"%@",sourceString];

                                int type2 = wrap.m_uiMessageType;
                                NSString *knFromUser2 = wrap.m_nsFromUsr;
                                NSString *knToUsr2 = wrap.m_nsToUsr;
                                NSString *knContent2 = wrap.m_nsContent;
                                NSString *knSource2 = wrap.m_nsMsgSource;
                                NSString *message2 = [NSString stringWithFormat:@"type=%d--knFromUser=%@--knToUsr=%@--knContent=%@--knSource=%@",type2,knFromUser2,knToUsr2,knContent2,knSource2];

                                NSLog(@"message2 =======  %@",message2);
                            }
                    }
            }
        }
    }

    NSLog(@"wrap =====  %@,=====%@",wrap.m_nsContent,wrap);
    %orig;
    //    NSString *userName = wrap.m_nsUsrName;

}

%end

3、WeChatRedEnvelop.h 代码如下：

#pragma mark - Util

@interface WCBizUtil : NSObject

+ (id)dictionaryWithDecodedComponets:(id)arg1 separator:(id)arg2;

@end

@interface SKBuiltinBuffer_t : NSObject

@property(retain, nonatomic) NSData *buffer; // @dynamic buffer;

@end

#pragma mark - Message

@interface WCPayInfoItem: NSObject

@property(retain, nonatomic) NSString *m_c2cNativeUrl;

@end

@interface CMessageWrap : NSObject

@property (retain, nonatomic) WCPayInfoItem *m_oWCPayInfoItem;
@property (assign, nonatomic) NSUInteger m_uiMesLocalID;
@property (retain, nonatomic) NSString* m_nsFromUsr;            ///< 发信人，可能是群或个人
@property (retain, nonatomic) NSString* m_nsToUsr;              ///< 收信人
@property (assign, nonatomic) NSUInteger m_uiStatus;
@property (retain, nonatomic) NSString* m_nsContent;            ///< 消息内容
@property (retain, nonatomic) NSString* m_nsRealChatUsr;        ///< 群消息的发信人，具体是群里的哪个人
@property (assign, nonatomic) NSUInteger m_uiMessageType;
@property (assign, nonatomic) long long m_n64MesSvrID;
@property (assign, nonatomic) NSUInteger m_uiCreateTime;
@property (retain, nonatomic) NSString *m_nsDesc;
@property (retain, nonatomic) NSString *m_nsAppExtInfo;
@property (assign, nonatomic) NSUInteger m_uiAppDataSize;
@property (assign, nonatomic) NSUInteger m_uiAppMsgInnerType;
@property (retain, nonatomic) NSString *m_nsShareOpenUrl;
@property (retain, nonatomic) NSString *m_nsShareOriginUrl;
@property (retain, nonatomic) NSString *m_nsJsAppId;
@property (retain, nonatomic) NSString *m_nsPrePublishId;
@property (retain, nonatomic) NSString *m_nsAppID;
@property (retain, nonatomic) NSString *m_nsAppName;
@property (retain, nonatomic) NSString *m_nsThumbUrl;
@property (retain, nonatomic) NSString *m_nsAppMediaUrl;
@property (retain, nonatomic) NSData *m_dtThumbnail;
@property (retain, nonatomic) NSString *m_nsTitle;
@property (retain, nonatomic) NSString *m_nsMsgSource;

- (id)initWithMsgType:(long long)arg1;
+ (_Bool)isSenderFromMsgWrap:(id)arg1;

//- (void)AddMsg:(id)arg1 MsgWrap:(CMessageWrap *)wrap;
//- (void)AsyncOnAddMsg:(id)arg1 MsgWrap:(CMessageWrap *)wrap;

@end

@interface CMessageMgr : NSObject

- (void)AddMsg:(id)arg1 MsgWrap:(CMessageWrap *)wrap;

- (void)AddLocalMsg:(id)arg1 MsgWrap:(id)arg2 fixTime:(_Bool)arg3 NewMsgArriveNotify:(_Bool)arg4;

    @end

@interface MMServiceCenter : NSObject

+ (instancetype)defaultCenter;
- (id)getService:(Class)service;

@end

@interface MMLanguageMgr: NSObject

- (id)getStringForCurLanguage:(id)arg1 defaultTo:(id)arg2;


@end

#pragma mark - RedEnvelop

@interface WCRedEnvelopesControlData : NSObject

@property(retain, nonatomic) CMessageWrap *m_oSelectedMessageWrap;

@end

@interface WCRedEnvelopesLogicMgr: NSObject

- (void)OpenRedEnvelopesRequest:(id)params;
- (void)ReceiverQueryRedEnvelopesRequest:(id)arg1;
- (void)GetHongbaoBusinessRequest:(id)arg1 CMDID:(unsigned int)arg2 OutputType:(unsigned int)arg3;

/** Added Methods */
- (unsigned int)calculateDelaySeconds;

@end

@interface HongBaoRes : NSObject

@property(retain, nonatomic) SKBuiltinBuffer_t *retText; // @dynamic retText;
@property(nonatomic) int cgiCmdid; // @dynamic cgiCmdid;

@end

@interface HongBaoReq : NSObject

@property(retain, nonatomic) SKBuiltinBuffer_t *reqText; // @dynamic reqText;

@end

#pragma mark - Contact

@interface CContact: NSObject <NSCoding>

@property(retain, nonatomic) NSString *m_nsUsrName;
@property(retain, nonatomic) NSString *m_nsHeadImgUrl;
@property(retain, nonatomic) NSString *m_nsNickName;

- (id)getContactDisplayName;

+ (id)getChatRoomMemberWithoutMyself:(id)arg1;

@end

@interface CContactMgr : NSObject

- (id)getSelfContact;
- (id)getContactByName:(id)arg1;
- (id)getContactForSearchByName:(id)arg1;
- (_Bool)getContactsFromServer:(id)arg1;
- (_Bool)isInContactList:(id)arg1;
- (_Bool)addLocalContact:(id)arg1 listType:(unsigned int)arg2;

@end


#pragma mark - QRCode

@interface ScanQRCodeLogicController: NSObject

@property(nonatomic) unsigned int fromScene;
- (id)initWithViewController:(id)arg1 CodeType:(int)arg2;
- (void)tryScanOnePicture:(id)arg1;
- (void)doScanQRCode:(id)arg1;
- (void)showScanResult;

@end

@interface NewQRCodeScanner: NSObject

- (id)initWithDelegate:(id)arg1 CodeType:(int)arg2;
- (void)notifyResult:(id)arg1 type:(id)arg2 version:(int)arg3;

@end

#pragma mark - MMTableView

@interface MMTableViewInfo

- (id)getTableView;
- (void)clearAllSection;
- (void)addSection:(id)arg1;
- (void)insertSection:(id)arg1 At:(unsigned int)arg2;

@end

@interface MMTableViewSectionInfo

+ (id)sectionInfoDefaut;
+ (id)sectionInfoHeader:(id)arg1;
+ (id)sectionInfoHeader:(id)arg1 Footer:(id)arg2;
- (void)addCell:(id)arg1;

@end

@interface MMTableViewCellInfo

+ (id)normalCellForSel:(SEL)arg1 target:(id)arg2 title:(id)arg3 accessoryType:(long long)arg4;
+ (id)switchCellForSel:(SEL)arg1 target:(id)arg2 title:(id)arg3 on:(_Bool)arg4;
+ (id)normalCellForSel:(SEL)arg1 target:(id)arg2 title:(id)arg3 rightValue:(id)arg4 accessoryType:(long long)arg5;
+ (id)normalCellForTitle:(id)arg1 rightValue:(id)arg2;
+ (id)urlCellForTitle:(id)arg1 url:(id)arg2;

@end

@interface MMTableView: UITableView

@end

#pragma mark - UI
@interface MMUICommonUtil : NSObject

+ (id)getBarButtonWithTitle:(id)arg1 target:(id)arg2 action:(SEL)arg3 style:(int)arg4;

@end

@interface MMLoadingView : UIView

@property(retain, nonatomic) UILabel *m_label; // @synthesize m_label;
@property (assign, nonatomic) BOOL m_bIgnoringInteractionEventsWhenLoading; // @synthesize m_bIgnoringInteractionEventsWhenLoading;

- (void)setFitFrame:(long long)arg1;
- (void)startLoading;
- (void)stopLoading;
- (void)stopLoadingAndShowError:(id)arg1;
- (void)stopLoadingAndShowOK:(id)arg1;


@end

@interface MMWebViewController: NSObject

- (id)initWithURL:(id)arg1 presentModal:(_Bool)arg2 extraInfo:(id)arg3;

@end


@protocol ContactSelectViewDelegate <NSObject>

- (void)onSelectContact:(CContact *)arg1;

@end

@interface ContactSelectView : UIView

@property(nonatomic) unsigned int m_uiGroupScene; // @synthesize m_uiGroupScene;
@property(nonatomic) _Bool m_bMultiSelect; // @synthesize m_bMultiSelect;
@property(retain, nonatomic) NSMutableDictionary *m_dicMultiSelect; // @synthesize m_dicMultiSelect;

- (id)initWithFrame:(struct CGRect)arg1 delegate:(id)arg2;
- (void)initData:(unsigned int)arg1;
- (void)initView;
- (void)addSelect:(id)arg1;

@end

@interface ContactsDataLogic : NSObject

@property(nonatomic) unsigned int m_uiScene; // @synthesize m_uiScene;

@end

@interface MMUINavigationController : UINavigationController

@end

#pragma mark - UtilCategory

@interface NSMutableDictionary (SafeInsert)

- (void)safeSetObject:(id)arg1 forKey:(id)arg2;

@end

@interface NSDictionary (NSDictionary_SafeJSON)

- (id)arrayForKey:(id)arg1;
- (id)dictionaryForKey:(id)arg1;
- (double)doubleForKey:(id)arg1;
- (float)floatForKey:(id)arg1;
- (long long)int64ForKey:(id)arg1;
- (long long)integerForKey:(id)arg1;
- (id)stringForKey:(id)arg1;

@end

@interface NSString (NSString_SBJSON)

- (id)JSONArray;
- (id)JSONDictionary;
- (id)JSONValue;

@end

#pragma mark - UICategory

@interface UINavigationController (LogicController)

- (void)PushViewController:(id)arg1 animated:(_Bool)arg2;

@end

@interface MMUIViewController : UIViewController

- (void)startLoadingBlocked;
- (void)startLoadingNonBlock;
- (void)startLoadingWithText:(NSString *)text;
- (void)stopLoading;
- (void)stopLoadingWithFailText:(NSString *)text;
- (void)stopLoadingWithOKText:(NSString *)text;

@end

@interface NewSettingViewController: MMUIViewController

- (void)reloadTableData;

@end

@interface ContactInfoViewController : MMUIViewController

@property(retain, nonatomic) CContact *m_contact; // @synthesize m_contact;

@end

@protocol MultiSelectContactsViewControllerDelegate <NSObject>
- (void)onMultiSelectContactReturn:(NSArray *)arg1;

@optional
- (int)getFTSCommonScene;
- (void)onMultiSelectContactCancelForSns;
- (void)onMultiSelectContactReturnForSns:(NSArray *)arg1;
@end

@interface MultiSelectContactsViewController : UIViewController

@property(nonatomic) _Bool m_bKeepCurViewAfterSelect; // @synthesize m_bKeepCurViewAfterSelect=_m_bKeepCurViewAfterSelect;
@property(nonatomic) unsigned int m_uiGroupScene; // @synthesize m_uiGroupScene;

@property(nonatomic, weak) id  m_delegate; // @synthesize m_delegate;

@end

@interface SettingUtil : NSObject

+ (NSString *)getLocalUsrName:(NSInteger)arg1;

@end

//@interface NewMainFrameViewController : UIViewController
//    
//- (void)AddMsg:(id)arg1 MsgWrap:(CMessageWrap *)wrap;
//    
//@end

Demo下载