解压 "微信共存防封版_v6.3.22.ipa", 发现 addone.dylib.
用 Hopper 打开 addone.dylib, 发现它加载了以下 6 个类, 并 hook 了其中的方法.
// Class-loading calls recovered from the dylib, as rendered by the decompiler.
// Each call resolves a class by name with objc_getClass and passes it to CHLoadClass_
// together with a fixed address (presumably the slot where the hooking framework keeps
// the class reference; confirm in the disassembly).
// Three are system classes (NSBundle, UIDevice, NSDictionary), one is the AdSupport
// identifier manager, and two (MMCrashReportExtLogMgr, JailBreakHelper) are looked up by
// names that suggest the host app's own crash-reporting and integrity-check classes.
CHLoadClass_(0xe0f8, objc_getClass("NSBundle"));
CHLoadClass_(0xe104, objc_getClass("UIDevice"));
CHLoadClass_(0xe110, objc_getClass("NSDictionary"));
CHLoadClass_(0xe11c, objc_getClass("MMCrashReportExtLogMgr"));
CHLoadClass_(0xe128, objc_getClass("JailBreakHelper"));
CHLoadClass_(0xe134, objc_getClass("ASIdentifierManager"));
NSBundle
// Replacement for -[NSBundle bundleIdentifier] (decompiler pseudo-code, not compilable).
// Returns the fixed string @"com.tencent.xin" when isDirectCalledByModule("WeChat") is
// non-zero; every other caller is forwarded to the function pointer stored at 0xe140.
// isDirectCalledByModule is not shown on this page; by its name it presumably checks
// whether the immediate caller lives in the WeChat image (to be confirmed).
// Consequence for a defender: code inside the repackaged app that reads its own bundle
// identifier through this API sees the constant, not the identifier the package actually
// carries, so that in-process value cannot be used to recognise a re-signed copy.
int __ZL33$NSBundle_bundleIdentifier_methodP8NSBundleP13objc_selector(void * arg0, void * arg1) {
sp = sp - 0x1c;
// arg0 is the receiver (self); it is kept for the forwarding call below.
stack[2044] = arg0;
if (sign_extend_32(isDirectCalledByModule("WeChat")) != 0x0) {
stack[2045] = @"com.tencent.xin";
}
else {
// 0xe140 presumably holds the saved original implementation (the usual hook pattern).
r1 = *0xe140;
stack[2045] = (r1)(stack[2044], @selector(bundleIdentifier), @selector(bundleIdentifier), r1, r1, @selector(bundleIdentifier));
}
r0 = stack[2045];
return r0;
}
NSDictionary
// Replacement for -[NSDictionary valueForKey:] (decompiler pseudo-code, not compilable).
// When the key compares equal to @"CFBundleIdentifier" and isDirectCalledByModule("WeChat")
// is non-zero, the fixed string @"com.tencent.xin" is returned; otherwise the call is
// forwarded to the function pointer stored at 0xe148.
// Unlike the objectForKeyedSubscript:/objectForKey: replacements on this page, this one
// shows no isKindOfClass: test on the key before isEqualToString: is sent to it.
int __ZL33$NSDictionary_valueForKey$_methodP12NSDictionaryP13objc_selectorP8NSString(void * arg0, void * arg1, void * arg2) {
sp = sp - 0x20;
// arg0 is the receiving dictionary, arg2 the key being looked up.
stack[2044] = arg0;
stack[2042] = arg2;
// The "(*arg0)(...)" callee looks like a decompiler rendering of a message send; the
// message isEqualToString: is addressed to the key in stack[2042].
if ((sign_extend_32((*arg0)(stack[2042], @selector(isEqualToString:), @"CFBundleIdentifier", @"CFBundleIdentifier", stack[2040], stack[2041], stack[2042])) != 0x0) && (sign_extend_32(isDirectCalledByModule("WeChat")) != 0x0)) {
stack[2045] = @"com.tencent.xin";
}
else {
// 0xe148 presumably holds the saved original implementation.
r1 = *0xe148;
stack[2045] = (r1)(stack[2044], @selector(valueForKey:), stack[2042], r1, r1, @selector(valueForKey:));
}
r0 = stack[2045];
return r0;
}
// Replacement for -[NSDictionary objectForKeyedSubscript:] (decompiler pseudo-code).
// Three conditions must all hold for the spoofed value to be returned: the key is an
// NSString, it equals @"CFBundleIdentifier", and isDirectCalledByModule("WeChat") is
// non-zero. In that case the result is the fixed string @"com.tencent.xin"; in every
// other case the call goes to the function pointer stored at 0xe14c.
// The test is on the key only, so any dictionary queried with that key from a matching
// caller is affected, not just the bundle's info dictionary.
int __ZL45$NSDictionary_objectForKeyedSubscript$_methodP12NSDictionaryP13objc_selectorPU19objcproto9NSCopying11objc_object(void * arg0, void * arg1, void * arg2) {
sp = sp - 0x34;
// arg0 is the receiving dictionary, arg2 the subscript key.
stack[2044] = arg0;
stack[2042] = arg2;
r2 = *stack[2042];
if ((([stack[2042] isKindOfClass:_objc_msgSend(@class(NSString), r2, r2, r3, stack[2035], stack[2036], stack[2037], stack[2038]), stack[2042], stack[2035], stack[2036]] != 0x0) && ([stack[2042] isEqualToString:@"CFBundleIdentifier", r1, stack[2035], stack[2036]] != 0x0)) && (sign_extend_32(isDirectCalledByModule("WeChat")) != 0x0)) {
stack[2045] = @"com.tencent.xin";
}
else {
// 0xe14c presumably holds the saved original implementation.
r1 = *0xe14c;
stack[2045] = (r1)(stack[2044], @selector(objectForKeyedSubscript:), stack[2042], r1, r1, @selector(objectForKeyedSubscript:));
}
r0 = stack[2045];
return r0;
}
// Replacement for -[NSDictionary objectForKey:] (decompiler pseudo-code).
// Same shape as the objectForKeyedSubscript: replacement: if the key is an NSString equal
// to @"CFBundleIdentifier" and isDirectCalledByModule("WeChat") is non-zero, the fixed
// string @"com.tencent.xin" is returned; otherwise the call is forwarded to the function
// pointer stored at 0xe150.
int __ZL34$NSDictionary_objectForKey$_methodP12NSDictionaryP13objc_selectorPU19objcproto9NSCopying11objc_object(void * arg0, void * arg1, void * arg2) {
sp = sp - 0x34;
// arg0 is the receiving dictionary, arg2 the lookup key.
stack[2044] = arg0;
stack[2042] = arg2;
r2 = *stack[2042];
if ((([stack[2042] isKindOfClass:_objc_msgSend(@class(NSString), r2, r2, r3, stack[2035], stack[2036], stack[2037], stack[2038]), stack[2042], stack[2035], stack[2036]] != 0x0) && ([stack[2042] isEqualToString:@"CFBundleIdentifier", r1, stack[2035], stack[2036]] != 0x0)) && (sign_extend_32(isDirectCalledByModule("WeChat")) != 0x0)) {
stack[2045] = @"com.tencent.xin";
}
else {
// 0xe150 presumably holds the saved original implementation.
r1 = *0xe150;
stack[2045] = (r1)(stack[2044], @selector(objectForKey:), stack[2042], r1, r1, @selector(objectForKey:));
}
r0 = stack[2045];
return r0;
}
JailBreakHelper
越狱检测
// Replacement for JailBreakHelper's HasInstallJailbreakPlugin: (decompiler pseudo-code).
// Ignores its arguments and returns 0 unconditionally; no original implementation is
// called, so whatever the app's own check would have found is never reported.
int __ZL50$JailBreakHelper_HasInstallJailbreakPlugin$_methodP11objc_objectP13objc_selectorS0_(void * arg0, void * arg1, void * arg2) {
r0 = sign_extend_32(0x0);
return r0;
}
// Replacement for JailBreakHelper's HasInstallJailbreakPluginInvalidIAPPurchase
// (decompiler pseudo-code). Returns 0 unconditionally without calling the original.
int __ZL67$JailBreakHelper_HasInstallJailbreakPluginInvalidIAPPurchase_methodP11objc_objectP13objc_selector(void * arg0, void * arg1) {
r0 = sign_extend_32(0x0);
return r0;
}
// Replacement for JailBreakHelper's IsJailBreak (decompiler pseudo-code).
// Returns 0 unconditionally without calling the original. Together with the two sibling
// replacements this makes every JailBreakHelper query shown on this page answer "no",
// which is why a boolean computed inside the client process is a weak integrity signal.
int __ZL35$JailBreakHelper_IsJailBreak_methodP11objc_objectP13objc_selector(void * arg0, void * arg1) {
r0 = sign_extend_32(0x0);
return r0;
}
MMCrashReportExtLogMgr
崩溃记录
// Replacement for MMCrashReportExtLogMgr's addLogInfo:withMessage: (decompiler pseudo-code).
// The body performs no work: neither argument is used and no original implementation is
// called, so the log entry is dropped. "r0 = arg0" is probably just the decompiler's
// rendering of a void return (the source listing later on the page declares it void).
// For a defender this means the client stops contributing records through this path;
// missing crash/extension logs from a client are themselves a signal worth noting.
int __ZL54$MMCrashReportExtLogMgr_addLogInfo$withMessage$_methodP11objc_objectP13objc_selectorS0_S0_(void * arg0, void * arg1, void * arg2, void * arg3) {
r0 = arg0;
return r0;
}
ASIdentifierManager
修改广告标识
// Replacement for -[ASIdentifierManager advertisingIdentifier] (decompiler pseudo-code).
// Opens a UICKeyChainStore for a service named after the bundle identifier, and looks up
// the entry @"idfa". If the entry is absent, the function pointer at 0xe164 (presumably
// the saved original implementation) is called once and its result is stored under
// @"idfa". The value returned to the caller is always whatever the store holds.
// Net effect as shown: the first identifier obtained is pinned in the keychain and
// replayed on later calls instead of asking the system again.
// Note that the source listing further down the page behaves differently (random UUID
// kept in NSUserDefaults), so that listing is not a line-for-line match of this binary.
int __ZL49$ASIdentifierManager_advertisingIdentifier_methodP11objc_objectP13objc_selector(void * arg0, void * arg1) {
sp = sp - 0x4c;
// arg0 is the receiver (self); kept for the forwarding call.
stack[2045] = arg0;
// The class reference printed here as UICKeyChainStore receives mainBundle, which looks
// like a mis-resolved symbol in the decompiler output (NSBundle would be expected).
r0 = [*@class(UICKeyChainStore) mainBundle];
r0 = [r0 bundleIdentifier];
// Garbled address computation from the decompiler; the result is used as the callee for
// keyChainStoreWithService: on the next line.
r1 = *((")" | 0x0) + 0x1bca);
stack[2043] = (r1)(@class(UICKeyChainStore), @selector(keyChainStoreWithService:), r0, r1, stack[2029], stack[2030]);
if ([stack[2043] objectForKeyedSubscript:@"idfa", @"idfa", stack[2029], stack[2030]] == 0x0) {
// No stored value yet: obtain one through the pointer at 0xe164 and persist it.
r0 = (*0xe164)(stack[2045], @selector(advertisingIdentifier), stack[2043], @selector(advertisingIdentifier), stack[2029], stack[2030], stack[2031]);
[stack[2043] setObject:r0 forKeyedSubscript:@"idfa", stack[2029], stack[2030], r2];
}
r0 = [stack[2043] objectForKeyedSubscript:@"idfa", r1, r1, @"idfa"];
return r0;
}
其他方法
修改设备名称
// Replacement for -[UIDevice name] (decompiler pseudo-code).
// Returns the constant @"iPhone" for every caller; the receiver is not consulted and no
// original implementation is called, so the user-assigned device name never reaches the app.
int __ZL21$UIDevice_name_methodP8UIDeviceP13objc_selector(void * arg0, void * arg1) {
r0 = @"iPhone";
return r0;
}
防封补丁源码
#import
#import "CaptainHook/CaptainHook.h"
#import
CHDeclareClass(ASIdentifierManager)
// Advertising identifier spoofing.
// Hook body for -[ASIdentifierManager advertisingIdentifier]. It never calls the original
// implementation: the identifier comes from the string stored under "idfa" in the standard
// user defaults, or, when nothing is stored, from a freshly generated random UUID that is
// then saved under the same key. The app therefore sees a value unrelated to the
// identifier the system would have returned.
CHMethod0(NSUUID *, ASIdentifierManager, advertisingIdentifier)
{
NSUUID *advertisingIdentifier;
NSString *key = @"idfa";
NSString *idfa = [[NSUserDefaults standardUserDefaults] stringForKey:key];
if (idfa && idfa.length)
{
// A value was saved by an earlier call: rebuild the NSUUID from its string form.
advertisingIdentifier = [[NSUUID alloc] initWithUUIDString:idfa];
}
else
{
// First call: create a random UUID and persist it so later calls return the same value.
advertisingIdentifier = [NSUUID UUID];
[[NSUserDefaults standardUserDefaults] setObject:advertisingIdentifier.UUIDString forKey:key];
}
return advertisingIdentifier;
}
@class BaseAuthReqInfo, BaseRequest, ManualAuthAesReqData;
CHDeclareClass(ManualAuthAesReqData);
// bundleId spoofing (marked by the author as still to be completed).
// Hook body for ManualAuthAesReqData's setBundleId:. When the value being set equals the
// running bundle's own identifier, it is replaced with @"com.tencent.xin" before the
// original setter is invoked through CHSuper1; any other value passes through unchanged.
// ManualAuthAesReqData is not defined on this page; by its name it looks like the payload
// of an authentication request (to be confirmed). If so, the identifier the server reads
// from this field is client-controlled and cannot by itself attest which package sent it.
CHMethod1(void, ManualAuthAesReqData, setBundleId, NSString *, bundleId)
{
if ([bundleId isEqualToString:[NSBundle mainBundle].bundleIdentifier])
{
bundleId = @"com.tencent.xin";
}
CHSuper1(ManualAuthAesReqData, setBundleId, bundleId);
}
// clientSeqId spoofing.
// Hook body for ManualAuthAesReqData's setClientSeqId:. The leading part of the incoming
// value is swapped for a locally generated one: a random UUID string with the dashes
// removed, created once and kept under "clientSeqId" in the standard user defaults.
// If the incoming value contains "-", everything from the first "-" onward is kept and
// appended to the stored prefix; if it contains none, the stored prefix is used alone.
// The rewritten value is then handed to the original setter through CHSuper1.
CHMethod1(void, ManualAuthAesReqData, setClientSeqId, NSString *, clientSeqId)
{
NSString *key = @"clientSeqId";
NSString *clientSeqId_fist = [[NSUserDefaults standardUserDefaults] stringForKey:key];
if (!clientSeqId_fist || clientSeqId_fist.length == 0)
{
// Nothing stored yet: generate the replacement prefix and persist it for reuse.
clientSeqId_fist = [[NSUUID UUID].UUIDString stringByReplacingOccurrencesOfString:@"-" withString:@""];
[[NSUserDefaults standardUserDefaults] setObject:clientSeqId_fist forKey:key];
}
NSString *newClientSeqId;
if ([clientSeqId containsString:@"-"])
{
// substringFromIndex: starts at the dash itself, so the suffix keeps its leading "-".
NSRange range = [clientSeqId rangeOfString:@"-"];
NSString *clientSeqId_last = [clientSeqId substringFromIndex:range.location];
newClientSeqId = [NSString stringWithFormat:@"%@%@", clientSeqId_fist, clientSeqId_last];
}
else
{
newClientSeqId = clientSeqId_fist;
}
CHSuper1(ManualAuthAesReqData, setClientSeqId, newClientSeqId);
}
// deviceName spoofing.
// Hook body for ManualAuthAesReqData's setDeviceName:. The caller's value is discarded and
// the constant @"iPhone" is passed to the original setter through CHSuper1 instead.
CHMethod1(void, ManualAuthAesReqData, setDeviceName, NSString *, deviceName)
{
// Set to the default name.
deviceName = @"iPhone";
CHSuper1(ManualAuthAesReqData, setDeviceName, deviceName);
}
// Bypass log recording.
// Hook body for MMCrashReportExtLogMgr's addLogInfo:withMessage:. It returns immediately
// and never calls the original implementation, so records submitted through this method
// are dropped. The parameter types (int *, const char *) are the author's declaration;
// the class itself is not defined on this page.
@class MMCrashReportExtLogMgr;
CHDeclareClass(MMCrashReportExtLogMgr);
CHMethod2(void, MMCrashReportExtLogMgr, addLogInfo, int *, arg1, withMessage, const char *, arg2)
{
return;
}
// Bypass jailbreak detection.
// Hook body for JailBreakHelper's HasInstallJailbreakPluginInvalidIAPPurchase: always
// answers NO and never consults the original implementation.
// Because the replacement runs inside the app's own process, the answer of an in-process
// check like this one reflects the injected code, not the device state.
@class JailBreakHelper;
CHDeclareClass(JailBreakHelper);
CHMethod0(BOOL, JailBreakHelper, HasInstallJailbreakPluginInvalidIAPPurchase)
{
return NO;
}
// Hook body for JailBreakHelper's HasInstallJailbreakPlugin:. The argument is ignored and
// NO is returned unconditionally; the original implementation is not called.
CHMethod1(BOOL, JailBreakHelper, HasInstallJailbreakPlugin, id, arg1)
{
return NO;
}
// Hook body for JailBreakHelper's IsJailBreak. Returns NO unconditionally; the original
// implementation is not called.
CHMethod0(BOOL, JailBreakHelper, IsJailBreak)
{
return NO;
}
// All hooked classes and functions are registered in this constructor.
// CHConstructor runs when the dylib image is loaded, so the replacements below are in
// place for any later call to these selectors. For each class, CHLoadLateClass resolves
// the class at run time and the CHHookN lines install the hook bodies defined above.
// The set registered here (ASIdentifierManager, ManualAuthAesReqData,
// MMCrashReportExtLogMgr, JailBreakHelper) differs from the six classes loaded in the
// decompiled dylib at the top of the page, which hooks NSBundle, UIDevice and NSDictionary
// and shows no ManualAuthAesReqData hook.
CHConstructor
{
@autoreleasepool
{
// Advertising identifier replacement.
CHLoadLateClass(ASIdentifierManager);
CHHook0(ASIdentifierManager, advertisingIdentifier);
// Rewrites of three fields on the ManualAuthAesReqData object.
CHLoadLateClass(ManualAuthAesReqData);
CHHook1(ManualAuthAesReqData, setBundleId);
CHHook1(ManualAuthAesReqData, setClientSeqId);
CHHook1(ManualAuthAesReqData, setDeviceName);
// Log suppression.
CHLoadLateClass(MMCrashReportExtLogMgr);
CHHook2(MMCrashReportExtLogMgr, addLogInfo, withMessage);
// Constant-NO answers for the three JailBreakHelper queries.
CHLoadLateClass(JailBreakHelper);
CHHook0(JailBreakHelper, HasInstallJailbreakPluginInvalidIAPPurchase);
CHHook1(JailBreakHelper, HasInstallJailbreakPlugin);
CHHook0(JailBreakHelper, IsJailBreak);
}
}