通过Tweak工程逆向微信改变定位信息
- 使用 ssh 连接手机
➜ ~ ssh root@ip -p 22
# 手机要和Mac 在同一个网段
# OpenSSH 的 root 默认密码是 alpine
- 使用 ps -e 搜索微信进程
➜ ~ ps -e | grep WeChat
# ps -e 查看进程
# grep 过滤
- 使用 Cycript 动态注入代码
-
Cycript的使用
- 使用recursiveDescription打印UIView对象
[[UIApp keyWindow] recursiveDescription].toString() 或者 UIApp.keyWindow.recursiveDescription().toString() // 还可以借助View的nextResponder进行Controller的定位 cy# [#0x14eb4ff30 nextResponder]- _printHierarchy - 直接打印所有UIViewController
[[[UIWindow keyWindow] rootViewController] _printHierarchy].toString()- _autolayoutTrace - recursiveDescription的简化版,去掉了UIView的一些描述
[[UIApp keyWindow] _autolayoutTrace].toString()- 获取bundle info
[[NSBundle mainBundle] infoDictionary].toString()
# 确保 WeChat 进程在运行
➜ ~ cycript -p WeChat
# 通过 NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES) 获取微信的 documents 目录
cy# NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES)
@["/var/mobile/Containers/Data/Application/777CE6C7-4909-48BD-8488-437B96945AD6/Documents"]
# 使用Cycript打印当前的Controller信息
cy# [[[UIWindow keyWindow] rootViewController] _printHierarchy].toString()
`, state: appeared, view:
| , state: disappeared, view: not in the window
| | , state: disappeared, view: (view not loaded)
| , state: disappeared, view: not in the window
| | , state: disappeared, view: (view not loaded)
| , state: appeared, view:
| | , state: disappeared, view: not in the window
| | , state: appeared, view:
| , state: disappeared, view: not in the window
| | , state: disappeared, view: (view not loaded)`
# SeePeopleNearbyViewController 是和定位最像的,也是我们之后写tweak工程的hook的对象
- 使用 dumpdecrypted.dylib 砸壳
# 在 GitHub 上下载dumpdecrypted 然后进入该目录下,执行 make 命令编译出 dylib
➜ git clone https://github.com/stefanesser/dumpdecrypted.git
➜ ~ cd dumpdecrypted-master
➜ ~ make
# 将 dumpdecrypted.dylib 拷贝到手机微信的 documents 目录下进行砸壳
➜ ~ dumpdecrypted-master scp ./dumpdecrypted.dylib [email protected]:/var/mobile/Containers/Data/Application/777CE6C7-4909-48BD-8488-437B96945AD6/Documents
# dumpdecrypted.dylib 具体用法是DYLD_INSERT_LIBRARIES=/PathFrom/dumpdecrypted.dylib /PathTo
iPhone:~ root# DYLD_INSERT_LIBRARIES=/var/mobile/Containers/Data/Application/777CE6C7-4909-48BD-8488-437B96945AD6/Documents/dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/9A71740B-6F65-4827-815F-063B8BE2833C/WeChat.app/WeChat
# 当前目录下会生成砸壳后的文件,即WeChat.decrypted, 同时把该文件拷贝到电脑上,接下来我们要正式 dump 微信的可执行文件了
➜ WeChat scp [email protected]:/var/mobile/Containers/Data/Application/777CE6C7-4909-48BD-8488-437B96945AD6/Documents/WeChat.decrypted /Users/chenzhou/Desktop/WeChat
- 使用 class-dump 将 oc 运行时的信息导出
# 将 WeChat.decrypted 导出 oc 运行时信息
➜ header class-dump -s -S -H WeChat.decrypted ./header
Tweak练习
1. 定位目标文件
- ps方法
```
ps -e | grep WeChat
```
- find方法
```
find -name sshd
```
-
固定目录下查找
AppStore App全部位于"/var/mobile/Containers/Bundle/Application/"下, 系统App全部位于"/Application/"下 daemon的配置文件位于 "/System/Library/LaunchDaemons/" "/Library/LaunchDaemons" "/Library/LaunchAgents/" iPhone:/Library/LaunchDaemons root# cat com.openssh.sshd.plistLabel com.openssh.sshd Program /usr/libexec/sshd-keygen-wrapper ProgramArguments /usr/sbin/sshd -i SessionCreate Sockets Listeners SockServiceName ssh StandardErrorPath /dev/null inetdCompatibility Wait
2. 获取头文件信息和bundleID
砸壳
通过Class-dump获取头文件
-
获取bundleID (com.tencent.xin)
# 获取签名信息 codesign -dvvv WeChat ➜ WeChat codesign -dvvv WeChat Executable=/Users/chenzhou/Desktop/WeChat/WeChat Identifier=com.tencent.xin Format=Mach-O thin (arm64) CodeDirectory v=20200 size=573071 flags=0x0(none) hashes=17901+5 location=embedded Hash type=sha256 size=32 CandidateCDHash sha1=8d143bece3fe1119f3c20b16a176c46c9aeeb408 CandidateCDHash sha256=536a548754f895c8bfc71f568bf915be1e7470d3 Hash choices=sha1,sha256 CDHash=536a548754f895c8bfc71f568bf915be1e7470d3 Signature size=4297 Authority=Apple iPhone OS Application Signing Authority=Apple iPhone Certification Authority Authority=Apple Root CA Info.plist=not bound TeamIdentifier=88L2Q4487U Sealed Resources=none Internal requirements count=1 size=96
3. 分析头文件编写tweak代码
-
创建tweak工程
➜ tweak /opt/theos/bin/nic.pl NIC 2.0 - New Instance Creator ------------------------------ [1.] iphone/activator_event [2.] iphone/application_modern [3.] iphone/cydget [4.] iphone/flipswitch_switch [5.] iphone/framework [6.] iphone/ios7_notification_center_widget [7.] iphone/library [8.] iphone/notification_center_widget [9.] iphone/preference_bundle_modern [10.] iphone/tool [11.] iphone/tweak [12.] iphone/xpc_service Choose a Template (required): 11 Project Name (required): WeChatReProject Package Name [com.yourcompany.wechatreproject]: com.iosre.wechatreproject Author/Maintainer Name [chenzhou]: chuck [iphone/tweak] MobileSubstrate Bundle filter [com.apple.springboard]: com.tencent.xin [iphone/tweak] List of applications to terminate upon installation (space-separated, '-' for none) [SpringBoard]: WeChat Instantiating iphone/tweak in wechatreproject/... Done. -
编写Makefile文件
THEOS_DEVICE_IP = 192.168.6.107 DEBUG = 1 ARCHS = armv7 arm64 TARGET = iphone:latest:8.0 include $(THEOS)/makefiles/common.mk TWEAK_NAME = WeChatReProject WeChatReProject_FILES = Tweak.xm WeChatReProject_FRAMEWORKS = UIKit include $(THEOS_MAKE_PATH)/tweak.mk after-install:: install.exec "killall -9 WeChat" clean:: rm -rf ./packages/* -
编写Tweak.xm
// 通过Cycript来定位附近的人界面,一步步确定定位函数,来进行hook,修改Location信息 #import#import #import @interface SeePeopleNearByLogicController - (void)onRetrieveLocationOK:(id)arg1; @end %hook SeePeopleNearByLogicController - (void)onRetrieveLocationOK:(id)arg1 { CLLocation *location = [[CLLocation alloc] initWithLatitude:32.0104049582 longitude:112.1436524391]; %orig(location); UIAlertView *alertView = [[UIAlertView alloc] initWithTitle:[@"onRetrieveLocationOK" stringByAppendingString:[[NSString alloc] initWithFormat:@"location is %@", location]] message:nil delegate:self cancelButtonTitle:@"ok" otherButtonTitles:nil]; [alertView show]; } %end
4. 打包工程并安装
```
make clean
make
make package install
```
- 最后在附近的人里看到的信息就是CLLocation的位置的附近的人的信息