逆向工程二:微信抢红包
微信版本: WeChat 6.5.20 (计算ASLR偏移,是之前版本;不同版本的偏移地址不一样)
一.砸壳获取头文件
-
找到bundle路径:
登录到iPhone,查看微信的进程信息ssh root@192.168.2.24 ps -e | grep WeChat从进程信息里获取微信bundle的路径
3079 ?? 0:41.37 /var/containers/Bundle/Application/26F5C9BE-61AB-468F-B2E8-9AC2DBD49F40/WeChat.app/WeChat -
获取沙盒路径:
通过cyscript获取微信的沙盒路径,如果没有cy#那么点击进入微信:cycript -p WeChat注入微信进程之后,NSHomeDirectory()输出沙盒路径
cy# NSHomeDirectory() @"/var/mobile/Containers/Data/Application/0A361401-3880-4C73-862A-8E06F4B7328D" cy# -
下载dumpdecrypted砸壳工具,编译成dylib包
克隆源码,并且编译生成一个
dumpdecrypted.dylibgit clone https://github.com/stefanesser/dumpdecrypted.git make -
注入微信获取解密的包
scp将
dumpdecrypted.dylib拷贝到iPhonescp dumpdecrypted.dylib root@192.168.2.24:/tmpiPhone里进入微信沙盒的Documents目录,拷贝
dumpdecrypted.dylib到Documents目录cd /var/mobile/Containers/Data/Application/0A361401-3880-4C73-862A-8E06F4B7328D/Documents cp /tmp/dumpdecrypted.dylib .通过上面得到的bundle中WeChat包文件,注入微信。注意如果输出
Killed: 9那么切换到mobile用户
```
su mobile
DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/containers/Bundle/Application/26F5C9BE-61AB-468F-B2E8-9AC2DBD49F40/WeChat.app/WeChat
```
输出信息:
```
mach-o decryption dumper
DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.
[+] detected 64bit ARM binary in memory.
[+] offset to cryptid found: @0x10006cca8(from 0x10006c000) = ca8
[+] Found encrypted data at address 00004000 of length 52396032 bytes - type 1.
[+] Opening /private/var/containers/Bundle/Application/26F5C9BE-61AB-468F-B2E8-9AC2DBD49F40/WeChat.app/WeChat for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a plain MACH-O image
[+] Opening WeChat.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset ca8
[+] Closing original file
[+] Closing dump file
```
上面信息结束之后,在Documents目录下有个`WeChat.decrypted`文件
-
获取头文件信息
在mac上拷贝iPhone的解密的微信包文件scp root@192.168.2.24:/var/mobile/Containers/Data/Application/0A361401-3880-4C73-862A-8E06F4B7328D/Documents/WeChat.decrypted . root@192.168.2.24's password: WeChat.decrypted 100% 63MB 2.1MB/s 00:30class-dump 获取所有的微信头文件到WXHeaders目录
class-dump -s -S -H WeChat.decrypted -o WXHeaders/ -
获取微信bundle id : com.tencent.xin
查看签名信息:codesign -dvvv WeChat.decryptedExecutable=/Users/leaf/yy/project/redpocket/WeChat.decrypted Identifier=com.tencent.xin Format=Mach-O thin (arm64) CodeDirectory v=20200 size=511951 flags=0x0(none) hashes=15991+5 location=embedded Hash type=sha256 size=32 CandidateCDHash sha1=5640d0abb3945378afd4a6b90dfc5aab4010e268 CandidateCDHash sha256=f664c1dd6fc1d17f04fd4f268fa2872f04316a7b Hash choices=sha1,sha256 CDHash=f664c1dd6fc1d17f04fd4f268fa2872f04316a7b Signature size=4297 Authority=Apple iPhone OS Application Signing Authority=Apple iPhone Certification Authority Authority=Apple Root CA Info.plist=not bound TeamIdentifier=88L2Q4487U Sealed Resources=none Internal requirements count=1 size=96
二.创建Tweak工程
-
调用theod:
/opt/theos/bin/nic.pl -
选择tweak,然后输入相关信息:
//项目名称 Project Name (required): redpocket //项目的包名,即bundle id Package Name [com.yourcompany.demo]: cc.onezen.redpocket //开发者名称 Author/Maintainer Name [wz]: wz //需要注入的进程的 bundle id [iphone/tweak] MobileSubstrate Bundle filter [com.apple.springboard]: com.tencent.xin //deb包安装完成后需要重启的进程名字 [iphone/tweak] List of applications to terminate upon installation (space-separated, '-' for none) [SpringBoard]: WeChat Instantiating iphone/tweak in demo/... Done. -
自动安装配置
Makefile#debug=0是release包 DEBUG = 0 #iphone的ip地址 THEOS_DEVICE_IP = 192.168.2.24 #当前包支持的cpu架构 ARCHS = armv7 arm64 #支持的ios版本 TARGET = iphone:latest:8.0 include $(THEOS)/makefiles/common.mk TWEAK_NAME = redpocket redpocket_FILES = Tweak.xm #需要导入的库 redpocket_FRAMEWORKS = UIKit include $(THEOS_MAKE_PATH)/Tweak.mk after-install:: install.exec "killall -9 WeChat" clean:: rm -rf ./packages/* rm -rf ./.theos/*
三.定位视图
- 安装Reveal:安装mac客户端,iPhone通过Cydia安装Reveal Loader
- 通过cycript
注入:cycript -p WeChat
通过recursiveDescription输出View层级信息
[[UIApp keyWindow] recursiveDescription].toString()
点语法:
UIApp.keyWindow.recursiveDescription().toString()
简化信息:
[[UIApp keyWindow] _autolayoutTrace].toString()
输出信息
`
\u2022iConsoleWindow:0x136d68680
| UILayoutContainerView:0x1384c2870
| | UITransitionView:0x1384c3960
| | | UIViewControllerWrapperView:0x1383e9400
| | | | \u2022UILayoutContainerView:0x1383a2610
| | | | | +UINavigationTransitionView:0x1383a8460
| | | | | | +UIViewControllerWrapperView:0x136d93020
| | | | | | | UIView:0x136db5350
| | | | | | | | MMMultiSelectToolView:0x1386207f0
| | | | | | | | | UIImageView:0x138670cf0
| | | | | | | | | UIButton:0x1386c9d50
| | | | | | | | | | UIImageView:0x138590f00
| | | | | | | | | UIButton:0x1386ca100
| | | | | | | | | | UIImageView:0x138591140
| | | | | | | | | UIButton:0x1386ca3a0
| | | | | | | | | | UIImageView:0x13858f590
| | | | | | | | | UIButton:0x1386ca640
| | | | | | | | | | UIImageView:0x13858f910
| | | | | | | | YYTableView:0x137206a00
| | | | | | | | | UITableViewWrapperView:0x1370ff000
| | | | | | | | | | ChatTableViewCell:0x137a3b000'TextMessageCellView'
| | | | | | | | | | | UITableViewCellContentView:0x138351120
| | | | | | | | | | | | TextMessageCellView:0x138366fa0
| | | | | | | | | | | | | MMHeadImageView:0x1383622a0
| | | | | | | | | | | | | | MMUILongPressImageView:0x138362900
| | | | | | | | | | | | | | UIImageView:0x138362ae0
| | | | | | | | | | | | | UIView:0x138544160
| | | | | | | | | | | | | | YYAsyncImageView:0x138365dc0
| | | | | | | | | | | | | | RichTextView:0x138364300
| | | | | | | | | | ChatTableViewCell:0x1371d5a00'ChatTimeCellView'
| | | | | | | | | | | UITableViewCellContentView:0x136df9740
| | | | | | | | | | | | ChatTimeCellView:0x138558f20
| | | | | | | | | | | | | UIImageView:0x138571830
| | | | | | | | | | | | | MMUILabel:0x138563610'\u4e0b\u53484:53'
| | | | | | | | | | ChatTableViewCell:0x137182200'TextMessageCellView'
| | | | | | | | | | | UITableViewCellContentView:0x13858efc0
| | | | | | | | | | | | TextMessageCellView:0x138459100
| | | | | | | | | | | | | MMHeadImageView:0x138589e00
| | | | | | | | | | | | | | MMUILongPressImageView:0x1385bbae0
| | | | | | | | | | | | | | UIImageView:0x1385abb60
| | | | | | | | | | | | | UIView:0x13855b3e0
| | | | | | | | | | | | | | YYAsyncImageView:0x13807cd10
| | | | | | | | | | | | | | RichTextView:0x13807d120
| | | | | | | | | | ChatTableViewCell:0x1378e0800'TextMessageCellView'
| | | | | | | | | | | UITableViewCellContentView:0x1388150f0
| | | | | | | | | | | | TextMessageCellView:0x138693c70
| | | | | | | | | | | | | MMHeadImageView:0x138582150
| | | | | | | | | | | | | | MMUILongPressImageView:0x138582370
| | | | | | | | | | | | | | UIImageView:0x138581e10
| | | | | | | | | | | | | UIView:0x138362780
| | | | | | | | | | | | | | YYAsyncImageView:0x138850240
| | | | | | | | | | | | | | RichTextView:0x1386d2140
| | | | | | | | | | ChatTableViewCell:0x137879e00'ChatTimeCellView'
| | | | | | | | | | | UITableViewCellContentView:0x13883fad0
| | | | | | | | | | | | ChatTimeCellView:0x138580320
| | | | | | | | | | | | | UIImageView:0x1385b87d0
| | | | | | | | | | | | | MMUILabel:0x13856c110'\u4e0b\u53484:47'
| | | | | | | | | | ChatTableViewCell:0x1371df800'TextMessageCellView'
| | | | | | | | | | | UITableViewCellContentView:0x138456700
| | | | | | | | | | | | TextMessageCellView:0x1385bd010
| | | | | | | | | | | | | MMHeadImageView:0x13859b5b0
| | | | | | | | | | | | | | MMUILongPressImageView:0x13859b7d0
| | | | | | | | | | | | | | UIImageView:0x1385a05e0
| | | | | | | | | | | | | UIView:0x13856e080
| | | | | | | | | | | | | | YYAsyncImageView:0x13856e320
| | | | | | | | | | | | | | RichTextView:0x1385390b0
| | | | | | | | | | ChatTableViewCell:0x1370a1200'TextMessageCellView'
| | | | | | | | | | | UITableViewCellContentView:0x13853d4f0
| | | | | | | | | | | | TextMessageCellView:0x1385429c0
| | | | | | | | | | | | | MMHeadImageView:0x138570e30
| | | | | | | | | | | | | | MMUILongPressImageView:0x138535160
| | | | | | | | | | | | | | UIImageView:0x138534e20
| | | | | | | | | | | | | UIView:0x138571290
| | | | | | | | | | | | | | YYAsyncImageView:0x138571500
| | | | | | | | | | | | | | RichTextView:0x13856b5e0
| | | | | | | | | | ChatTableViewCell:0x137048400'ChatTimeCellView'
| | | | | | | | | | | UITableViewCellContentView:0x138548900
| | | | | | | | | | | | ChatTimeCellView:0x138548ee0
| | | | | | | | | | | | | UIImageView:0x13856af50
| | | | | | | | | | | | | MMUILabel:0x13859ef80'\u4e0b\u53483:45'
| | | | | | | | | | ChatTableViewCell:0x1370b2e00'TextMessageCellView'
| | | | | | | | | | | UITableViewCellContentView:0x13854b950
| | | | | | | | | | | | TextMessageCellView:0x13856beb0
| | | | | | | | | | | | | MMHeadImageView:0x138537450
| | | | | | | | | | | | | | MMUILongPressImageView:0x138537670
| | | | | | | | | | | | | | UIImageView:0x138537110
| | | | | | | | | | | | | UIView:0x138537850
| | | | | | | | | | | | | | YYAsyncImageView:0x1385379c0
| | | | | | | | | | | | | | RichTextView:0x138537b90
| | | | | | | | | | ChatTableViewCell:0x13709ec00'TextMessageCellView'
| | | | | | | | | | | UITableViewCellContentView:0x1385af910
| | | | | | | | | | | | TextMessageCellView:0x1385bf520
| | | | | | | | | | | | | MMHeadImageView:0x1385639c0
| | | | | | | | | | | | | | MMUILongPressImageView:0x138563be0
| | | | | | | | | | | | | | UIImageView:0x1385bf9a0
| | | | | | | | | | | | | UIView:0x138563dc0
| | | | | | | | | | | | | | YYAsyncImageView:0x138563f30
| | | | | | | | | | | | | | RichTextView:0x138458230
| | | | | | | | | | ChatTableViewCell:0x137209800'TextMessageCellView'
| | | | | | | | | | | UITableViewCellContentView:0x138539820
| | | | | | | | | | | | TextMessageCellView:0x13854b100
| | | | | | | | | | | | | MMHeadImageView:0x1385c5110
| | | | | | | | | | | | | | MMUILongPressImageView:0x138554240
| | | | | | | | | | | | | | UIImageView:0x13858a040
| | | | | | | | | | | | | UIView:0x1385b3df0
| | | | | | | | | | | | | | YYAsyncImageView:0x13858ce20
| | | | | | | | | | | | | | RichTextView:0x138586a10
| | | | | | | | | | ChatTableViewCell:0x1371cc000'TextMessageCellView'
| | | | | | | | | | | UITableViewCellContentView:0x138540a90
| | | | | | | | | | | | TextMessageCellView:0x13854c320
| | | | | | | | | | | | | MMHeadImageView:0x1385a6e80
| | | | | | | | | | | | | | MMUILongPressImageView:0x1385ba500
| | | | | | | | | | | | | | UIImageView:0x138586e10
| | | | | | | | | | | | | UIView:0x1385b4680
| | | | | | | | | | | | | | YYAsyncImageView:0x138457ed0
| | | | | | | | | | | | | | RichTextView:0x138564b70
| | | | | | | | | | ChatTableViewCell:0x13790ac00'ChatTimeCellView'
| | | | | | | | | | | UITableViewCellContentView:0x1388411a0
| | | | | | | | | | | | ChatTimeCellView:0x138811160
| | | | | | | | | | | | | UIImageView:0x1385505d0
| | | | | | | | | | | | | MMUILabel:0x138455ca0'\u4e0b\u534812:12'
| | | | | | | | | UIImageView:0x1383efa50
| | | | | | | | | UIImageView:0x138613090
| | | | | | | | MMInputToolView:0x1386c1840
| | | | | | | | | MMQuickSendEmoticonView:0x1385568a0
| | | | | | | | | | UIImageView:0x138556f00
| | | | | | | | | InputToolViewBar:0x1386c20f0
| | | | | | | | | | UIVisualEffectView:0x1385c4f10
| | | | | | | | | | | _UIVisualEffectBackdropView:0x1385459a0
| | | | | | | | | | | _UIVisualEffectFilterView:0x138545d50
| | | | | | | | | | | _UIVisualEffectContentView:0x138546160
| | | | | | | | | | MMGrowTextView:0x138554440
| | | | | | | | | | | UIImageView:0x13855eb70
| | | | | | | | | | | MMTextView:0x1371df200
| | | | | | | | | | | | _UITextContainerView:0x136d7a920
| | | | | | | | | | | | UIImageView:0x13882ff20
| | | | | | | | | | UIView:0x13854e900
| | | | | | | | | | MMTransparentButton:0x138553f70'\u6309\u4f4f \u8bf4\u8bdd'
| | | | | | | | | | | UIImageView:0x138593d50
| | | | | | | | | | | UIButtonLabel:0x1385547b0'\u6309\u4f4f \u8bf4\u8bdd'
| | | | | | | | | | UIButton:0x13854ea70
| | | | | | | | | | | UIImageView:0x138591890
| | | | | | | | | | UIButton:0x138554f50
| | | | | | | | | | | UIImageView:0x138591c90
| | | | | | | | | | UIButton:0x1385549d0
| | | | | | | | | | | UIImageView:0x138592090
| | | | | | | | | MMUIView:0x1386c1bb0
| | | | | | | | | | UIVisualEffectView:0x138681a80
| | | | | | | | | | | _UIVisualEffectBackdropView:0x1380ddac0
| | | | | | | | | | | _UIVisualEffectFilterView:0x138043700
| | | | | | | | | | | _UIVisualEffectContentView:0x138340cb0
| | | | | | | | | RecordView:0x13803a360
| | | | | | | | | | UIImageView:0x13801d840
| | | | | | | | | | | UIView:0x136eceb30
| | | | | | | | | | | | UIImageView:0x136f3d5f0
| | | | | | | | | | | | UIImageView:0x136ef5520
| | | | | | | | | | | | UIActivityIndicatorView:0x1386c9b40
| | | | | | | | | | | | | UIImageView:0x136ec5f70
| | | | | | | | | | | MMTransparentButton:0x1386c9870'\u624b\u6307\u4e0a\u6ed1\uff0c\u53d6\u6d88\u53d1\u9001'
| | | | | | | | | | | | UIButtonLabel:0x1380726a0'\u624b\u6307\u4e0a\u6ed1\uff0c\u53d6\u6d88\u53d1\u9001'
| | | | | | | | | | | UIImageView:0x1383baf80
| | | | | | | | | | | MMUILabel:0x1383788e0
| | | | | | | | | | | MMUILabel:0x13868e110
| | | | | | | | | UIView:0x1383eb3d0
| | | | | | | | | WASendSessionMsgView:0x138558d80
| | | | | | | | | | UIImageView:0x138559120
| | | | | | | | | | UILabel:0x138559440'\u53ef\u80fd\u8981\u53d1\u9001\u7684\ufffc\u5c0f\u7a0b\u5e8f\uff1a'
| | | | | | | | | | MMWebImageView:0x136ecf560
| | | | | | | | | | UIActivityIndicatorView:0x13833b540
| | | | | | | | | | | UIImageView:0x136e748d0
| | | | | | | | | | UIButton:0x1386c95d0
| | | | | | | | | | | UIImageView:0x1385933c0
| | | | | | | | | UIButton:0x138555360
| | | | | | | | | | UIImageView:0x138592a10
| | | | | | | | | | MMUILabel:0x138555ae0'\u4f60\u53ef\u80fd\u8981\u53d1\u9001\u7684\u7167\u7247:'
| | | | | UIButton:0x138202b80
| | | | | UIButton:0x138289d00
| | | | | VoiceRecogView:0x1380bda70
| | | | | | UIImageView:0x138093f40
| | | | | | UIImageView:0x13809e220
| | | | | | UIImageView:0x1380a6ef0
| | | | | | UIImageView:0x13809b890
| | | | | MMUINavigationBar:0x1383a2bb0
| | | | | | UIView:0x1384a5ef0
| | | | | | _UINavigationBarBackground:0x1383a3320
| | | | | | | _UIBackdropView:0x13865cf10
| | | | | | | | _UIBackdropEffectView:0x13862d540
| | | | | | | | UIView:0x13862b140
| | | | | | | UIImageView:0x13863c750
| | | | | | MMTitleView:0x138606f20
| | | | | | | UIView:0x1383a0f70
| | | | | | | | MMUILabel:0x13834a3e0'\u591c\u8fb0'
| | | | | | | | MMUILabel:0x1386da320
| | | | | | | | UIImageView:0x138353fc0
| | | | | | UIView:0x1380a79f0
| | | | | | | MMBarButton:0x138690f10'\u5fae\u4fe1'
| | | | | | | | UIImageView:0x1380bb6a0
| | | | | | | | UIButtonLabel:0x1386edae0'\u5fae\u4fe1'
| | | | | | UIView:0x13866ca60
| | | | | | | MMBarButton:0x1388260b0
| | | | | | | | UIImageView:0x1386b6540
| | | | | | _UINavigationBarBackIndicatorView:0x1384a96e0
| | UITabBar:0x1384c2ba0
| | | _UITabBarBackgroundView:0x136d8ad90
| | | UITabBarButton:0x1383c0bb0
| | | | UITabBarSwappableImageView:0x1384d4820
| | | | UITabBarButtonLabel:0x1383c0f50'\u5fae\u4fe1'
| | | UITabBarButton:0x136d6a1a0
| | | | UITabBarSwappableImageView:0x1383c1410
| | | | UITabBarButtonLabel:0x138509980'\u901a\u8baf\u5f55'
| | | UITabBarButton:0x1383e5260
| | | | UITabBarSwappableImageView:0x138507e40
| | | | UITabBarButtonLabel:0x1383c1180'\u53d1\u73b0'
| | | UITabBarButton:0x1383e4d00
| | | | UITabBarSwappableImageView:0x1383e9200
| | | | UITabBarButtonLabel:0x1383e3560'\u6211'
| | | MMBadgeView:0x1383eb1f0
| | | | MMUILabel:0x1383ec5d0
| | | MMBadgeView:0x1383ed280
| | | | MMUILabel:0x1383ed660
| | | MMBadgeView:0x1383edea0
| | | | MMUILabel:0x1383ee260
| | | MMBadgeView:0x1383eeab0
| | | | MMUILabel:0x1383eee70
| | | UIImageView:0x136d94250
找到一个ViewController上面的UIView:<UIView: 0x12f09d930; frame = (0 0; 320 568); autoresize = W+H; layer = <CALayer: 0x12f2567e0>>,查看响应者
cy# [#0x12f09d930 nextResponder]
#"<BaseMsgContentViewController: 0x12e2f1600>"
四. 定位 BaseMsgContentViewController 消息响应方法
-
BaseMsgContentViewController头文件所有的方法被触发打印信息
/opt/theos/bin/logify.pl ./WXHeaders/BaseMsgContentViewController.h > Tweak.xm -
编译安装
注释掉//- (void).cxx_destruct { %log; %orig; }方法,并且在编译中,注释掉所有报错的方法,报错的最主要的原因是找不到头文件。 -
安装成功后查看log信息
发送消息,定位和消息相关的方法
-[<BaseMsgContentViewController: 0x137904600> addMessageNode:{m_uiMesLocalID=15, m_ui64MesSvrID=4691907035794540423, m_nsFromUsr=wxi*m21~19, m_nsToUsr=wxi*712~19, m_uiStatus=4, type=1, msgSource="<msgsource><sequence_id>690750074</sequence_id></msgsource>"} layout:1 addMoreMsg:0] -[<BaseMsgContentViewController: 0x137904600> addTimeNode:{m_uiMesLocalID=15, m_ui64MesSvrID=4691907035794540423, m_nsFromUsr=wxi*m21~19, m_nsToUsr=wxi*712~19, m_uiStatus=4, type=1, msgSource="<msgsource><sequence_id>690750074</sequence_id></msgsource>"} layout:1 addMoreMsg:0] -[<BaseMsgContentViewController: 0x137904600> isShowHeadImage:{m_uiMesLocalID=15, m_ui64MesSvrID=4691907035794540423, m_nsFromUsr=wxi*m21~19, m_nsToUsr=wxi*712~19, m_uiStatus=4, type=1, msgSource="<msgsource><sequence_id>690750074</sequence_id></msgsource>"} ] -[<BaseMsgContentViewController: 0x137904600> getMessageChatContactByMessageWrap:{m_uiMesLocalID=15, m_ui64MesSvrID=4691907035794540423, m_nsFromUsr=wxi*m21~19, m_nsToUsr=wxi*712~19, m_uiStatus=4, type=1, msgSource="<msgsource><sequence_id>690750074</sequence_id></msgsource>"}根据log信息,可以很容易得出
addMessageNode是我们要找的
五. 通过lldb动态调试
-
iPhone连接xcode,iOS上会自动在/Developer/usr/bin/目录下面生成调试工具debugserver
-
debugserver瘦身和重新签名,并放入iPhone /usr/bin /目录下
#mac上拷贝debugserver scp root@192.168.2.24:/Developer/usr/bin/debugserver . #查看支持的架构 lipo -info debugserver Architectures in the fat file: debugserver are: armv7 armv7s arm64 #瘦身 lipo -thin arm64 debugserver -output debugserver.arm64 #使用ldid添加task_for_pid权限 vi ent.xml #添加下面信息 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.springboard.debugapplications</key> <true/> <key>get-task-allow</key> <true/> <key>task_for_pid-allow</key> <true/> <key>run-unsigned-code</key> <true/> </dict> </plist> #开始修改 ldid -S ent.xml debugserver.arm64 #查看修改后的信息 ldid -e debugserver.arm64 #使用codesign添加task_for_pid权限 vim ent.plist codesign -s - --entitlements ent.plist -f debugserver.arm64 #配合debugserver命令 cp debugserver.arm64 /usr/local/Cellar ln -s /usr/local/Cellar/debugserver.arm64 /usr/local/bin/debugserver scp debugserver.arm64 root@192.168.2.24:/usr/bin/ #在iphone改debugserver名字 mv /usr/bin/debugserver.arm64 /usr/bin/debugserver -
启动调试(目的: 找出接受消息的类,不受页面的限制,单例)
在iPhone启动服务debugserver *:6666 -a "WeChat"mac lldb连接debugserver
lldb (lldb) process connect connect://192.168.2.24:6666 //注意ip和端口要和配的相同调试相关命令
#查看所有断点 br list #添加 -a后的地址是:偏移后符号基地址 br s -a '0x00000000000a4000+0x0000000101c8bf4c' #删除:根据br list标号 br delete 1 #设置 b function br s –a address br s –a 'ASLROffset+address' #继续运行 c #等待断点触发 bt -
计算地址
地址相关计算逻辑
偏移后模块基地址 = 偏移前模块基地址 + 模块的ASLR偏移 偏移后指令基地址 = 偏移前指令基地址 + 指令所在模块的ASLR偏移 偏移后符号基地址 = 偏移前符号基地址 + 符号所在模块的ASLR偏移查看ASLR偏移
(lldb) image list -o -f | grep WeChat [ 0] 0x00000000000a4000 /var/containers/Bundle/Application/26F5C9BE-61AB-468F-B2E8-9AC2DBD49F40/WeChat.app/WeChat(0x00000001000a4000)通过Hopper查看addMessageNode的函数基地址
-[BaseMsgContentViewController addMessageNode:layout:addMoreMsg:]: 0000000101c8bf4c db 0xff ; '.' ; Objective C Implementation defined at 0x103863320 (instance) 0000000101c8bf4d db 0xc3 ; '.' 0000000101c8bf4e db 0x05 ; '.'偏移后符号基地址 = 0x00000000000a4000 + 0x0000000101c8bf4c
-
调试微信发送消息
lldb 添加第一个断点:br s -a '0x00000000000a4000+0x0000000101c8bf4c'
注意:在进入好友聊天界面的时候,会多次调用断点,所以进入是删除断点,然后再添加。发送消息之后,断点停留。然后bt查看堆栈信息,最后c继续
(lldb) bt * thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 2.1 * frame #0: 0x0000000101d2ff4c WeChat`ClearDataItem::compareTime(std::__1::shared_ptr<ClearDataItem> const&, std::__1::shared_ptr<ClearDataItem> const&) + 4127552 frame #1: 0x0000000101f999ec WeChat`ClearDataItem::compareTime(std::__1::shared_ptr<ClearDataItem> const&, std::__1::shared_ptr<ClearDataItem> const&) + 6657504 frame #2: 0x0000000101f83310 WeChat`ClearDataItem::compareTime(std::__1::shared_ptr<ClearDataItem> const&, std::__1::shared_ptr<ClearDataItem> const&) + 6565636 frame #3: 0x0000000104464ce8 MMCommon`_callExtension + 480 frame #4: 0x00000001027e35fc WeChat`ClearDataItem::compareTime(std::__1::shared_ptr<ClearDataItem> const&, std::__1::shared_ptr<ClearDataItem> const&) + 15348208 frame #5: 0x0000000182f1002c Foundation`__NSThreadPerformPerform + 340 frame #6: 0x00000001824f109c CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 24 frame #7: 0x00000001824f0b30 CoreFoundation`__CFRunLoopDoSources0 + 540 frame #8: 0x00000001824ee830 CoreFoundation`__CFRunLoopRun + 724 frame #9: 0x0000000182418c50 CoreFoundation`CFRunLoopRunSpecific + 384 frame #10: 0x0000000183d00088 GraphicsServices`GSEventRunModal + 180 frame #11: 0x0000000187702088 UIKit`UIApplicationMain + 204 frame #12: 0x0000000100180488 WeChat`_mh_execute_header + 902280 frame #13: 0x0000000181fb68b8 libdyld.dylib`start + 4 (lldb) c Process 2013 resuming (lldb)查看堆栈信息可以的得出:与WeChat相关的有四条信息
计算四条信息的地址:偏移后符号基地址 = 符号所在模块的ASLR偏移 + 偏移前符号基地址 frame #0: 0x0000000101d2ff4c => 0x00000000000a4000 + 0x0000000101c8bf4c frame #1: 0x0000000101f999ec => 0x00000000000a4000 + ? 偏移前符号基地址 = 偏移后符号基地址 - 符号所在模块的ASLR偏移 frame #1: 0x0000000101f999ec => 0x00000000000a4000 + (0x101EF59EC) frame #2: 0x0000000101f83310 => 0x00000000000a4000 + (0x101EDF310) frame #4: 0x00000001027e35fc => 0x00000000000a4000 + (0x10273F5FC)通过Hopper和计算出的(偏移前符号基地址)查看相关的方法,Hopper中使用快捷键G,跳转到某一地址。查看地址不是对应地址,而是地址相关的地址。
0x101EF59EC:(内部方法) 0000000101ef5964 adrpx24, #0x102f0f000; XREF=-[BaseMsgContentLogicController DidAddMsg:]+328 0x101EDF310: 0000000101edf310 adrp x8, #0x103b7c000; XREF=-[BaseMsgContentLogicController OnAddMsg:MsgWrap:]+336 0x10273F5FC: (相关) -[CMessageMgr MainThreadNotifyToExt:]:lldb继续添加断点调试,这次在好友列表页打断点。
0x0000000101d2ff4c: 好友聊天页面有效,淘汰! 0x0000000101f999ec: 好友聊天页面有效,淘汰! 0x0000000101f83310: 好友聊天页面有效,淘汰! 0x00000001027e35fc: 任意页面有效, 找到了!通过上面分析的出,是[CMessageMgr MainThreadNotifyToExt:]方法。然后我们hook CMessageMgr类中的所有方法,来找出接受消息的方法。
➜ WXHeaders ls -ll *CMessageMgr* -rw-r--r-- 1 wz staff 17573 9 28 10:08 CMessageMgr.h /opt/theos/bin/logify.pl CMessageMgr.h > ../Tweak.xm查看日志找出的相关方法:
[<CMessageMgr: 0x127ab9570> CheckMessageStatus:] [<CMessageMgr: 0x127ab9570> AsyncOnPreAddMsg:] [<CMessageMgr: 0x127ab9570> AsyncOnAddMsg:] [<CMessageMgr: 0x127ab9570> AsyncOnPushMsg:] [<CMessageMgr: 0x127ab9570> AsyncOnAddMsgListForSession:]选择方法:[<CMessageMgr: 0x127ab9570> AsyncOnAddMsg:],并且输出参数类型,移除不用的方法,留下部分有用的方法。
```
- (void)AsyncOnAddMsg:(id)arg1 MsgWrap:(id)arg2 {
//%log;
%orig;
NSLog(@"arg1: %@, %@", [arg1 class], arg1);
NSLog(@"arg2: %@, %@", [arg2 class], arg2);
}
```
输出内容
```
Sep 29 15:02:44 iPhone WeChat[2394] <Warning>: arg1: __NSCFString, wxid_y9bs6i3qil6m21
Sep 29 15:02:44 iPhone WeChat[2394] <Warning>: arg2: CMessageWrap, {m_uiMesLocalID=28, m_ui64MesSvrID=3324982937891416074, m_nsFromUsr=wxi*m21~19, m_nsToUsr=wxi*712~19, m_uiStatus=3, type=1, msgSource="<msgsource><sequence_id>690750088</sequence_id></msgsource>"}
```
分析消息 CMessageWrap头文件,根据测试得出结论:
```
@interface CMessageWrap
@property(nonatomic) _Bool m_bCdnForward; // @synthesize m_bCdnForward;
@property(nonatomic) _Bool m_bForward; // @synthesize m_bForward;
@property(nonatomic) _Bool m_bIsBrandSendMass; // @synthesize m_bIsBrandSendMass;
@property(nonatomic) _Bool m_bIsFromBrandSession; // @synthesize m_bIsFromBrandSession;
@property(nonatomic) _Bool m_bIsSplit; // @synthesize m_bIsSplit;
@property(nonatomic) _Bool m_bNew; // @synthesize m_bNew;
@property(nonatomic) unsigned int m_bReceiveMessageSwitchStatus; // @synthesize m_bReceiveMessageSwitchStatus;
@property(retain, nonatomic) NSString *m_bizMsgMenuID; // @synthesize m_bizMsgMenuID;
@property(retain, nonatomic) NSMutableDictionary *m_dicForwardParas; // @synthesize m_dicForwardParas=_m_dicForwardParas;
@property(retain, nonatomic) NSData *m_dtThumbnail; // @synthesize m_dtThumbnail;
@property(nonatomic) unsigned int m_forwardType; // @synthesize m_forwardType=_m_forwardType;
@property(nonatomic) _Bool m_isEnterpriseMsg; // @synthesize m_isEnterpriseMsg;
@property(nonatomic) _Bool m_isTempSessionMsg; // @synthesize m_isTempSessionMsg;
@property(nonatomic) long long m_n64MesSvrID; // @synthesize m_n64MesSvrID;
@property(retain, nonatomic) NSString *m_nsAtUserList; // @synthesize m_nsAtUserList;
@property(retain, nonatomic) NSString *m_nsBizChatId; // @synthesize m_nsBizChatId;
@property(retain, nonatomic) NSString *m_nsBizClientMsgID; // @synthesize m_nsBizClientMsgID;
@property(retain, nonatomic) NSString *m_nsContent; // @synthesize m_nsContent;
@property(retain, nonatomic) NSString *m_nsDisplayName; // @synthesize m_nsDisplayName;
@property(retain, nonatomic) NSString *m_nsFromUsr; // @synthesize m_nsFromUsr;
@property(retain, nonatomic) NSString *m_nsKFWorkerOpenID; // @synthesize m_nsKFWorkerOpenID;
@property(retain, nonatomic) NSString *m_nsMsgSource; // @synthesize m_nsMsgSource;
@property(retain, nonatomic) NSString *m_nsPattern; // @synthesize m_nsPattern;
@property(retain, nonatomic) NSString *m_nsPushBody; // @synthesize m_nsPushBody;
@property(retain, nonatomic) NSString *m_nsPushContent; // @synthesize m_nsPushContent;
@property(retain, nonatomic) NSString *m_nsPushPrefix; // @synthesize m_nsPushPrefix;
@property(retain, nonatomic) NSString *m_nsPushTitle; // @synthesize m_nsPushTitle;
@property(retain, nonatomic) NSString *m_nsRealChatUsr; // @synthesize m_nsRealChatUsr;
@property(retain, nonatomic) NSString *m_nsToUsr; // @synthesize m_nsToUsr;
@property(nonatomic) unsigned int m_sequenceId; // @synthesize m_sequenceId;
@property(nonatomic) unsigned int m_uiBizChatVer; // @synthesize m_uiBizChatVer;
@property(nonatomic) unsigned int m_uiCreateTime; // @synthesize m_uiCreateTime;
@property(nonatomic) unsigned int m_uiDownloadStatus; // @synthesize m_uiDownloadStatus;
@property(nonatomic) unsigned int m_uiEmojiStatFlag; // @synthesize m_uiEmojiStatFlag;
@property(nonatomic) unsigned int m_uiImgStatus; // @synthesize m_uiImgStatus;
@property(nonatomic) unsigned int m_uiMesLocalID; // @synthesize m_uiMesLocalID;
@property(nonatomic) int m_uiMessageType; // @synthesize m_uiMessageType;
@property(nonatomic) unsigned int m_uiMsgFlag; // @synthesize m_uiMsgFlag;
@property(nonatomic) unsigned int m_uiPercent; // @synthesize m_uiPercent;
@property(nonatomic) unsigned int m_uiSendTime; // @synthesize m_uiSendTime;
@property(nonatomic) unsigned int m_uiStatus; // @synthesize m_uiStatus;
@end
%hook CMessageMgr
- (void)AsyncOnAddMsg:(NSString *)wxid MsgWrap:(CMessageWrap *)msg {
NSString *content = [msg m_nsContent];
NSString *fromUsr = [msg m_nsFromUsr];
NSString *toUsr = [msg m_nsToUsr];
int messageType = [msg m_uiMessageType];
NSLog(@"content: %@", content);
NSLog(@"fromUsr: %@", fromUsr);
NSLog(@"toUsr: %@", toUsr);
NSLog(@"messageType: %d", messageType);
if (messageType == 1)
{
NSLog(@"文本消息");
}else if (messageType == 3)
{
NSLog(@"图片消息");
}else if (messageType == 48)
{
NSLog(@"位置消息");
}else if (messageType == 49)
{
NSLog(@"红包消息、转账消息");
}else{
NSLog(@"未知");
}
%orig;
}
```
六. 红包相关的方法
点开红包,显示抢红包页面,然后通过cycript查看页面层级:
iPhone:~ root# cycript -p WeChat
cy# [[UIApp keyWindow] _autolayoutTrace].toString()
红包相关的页面层级:
| WCRedEnvelopesReceiveHomeView:0x1301296d0
| | UIButton:0x1301298c0
| | UIImageView:0x12fd566c0
| | | UIView:0x130237de0
| | | UIView:0x130240a70
| | | UIImageView:0x13021d600
| | | UIView:0x13021bad0
| | | | UIView:0x13023d320
| | | | UIView:0x13021d1c0
| | | | UIImageView:0x1302418d0
| | | | UIImageView:0x13021ed80
| | | | UIButton:0x13022fe50
| | | UIView:0x1302251f0
| | | | MMHeadImageView:0x1302328c0
| | | | | MMUILongPressImageView:0x1302249a0
| | | | | UIImageView:0x1302309c0
| | | MMUILabel:0x1302412f0'\u591c\u8fb0'
| | | MMUILabel:0x13021f740'\u7ed9\u4f60\u53d1\u4e86\u4e00\u4e2a\u7ea2\u5305'
| | | MMUILabel:0x1302436e0'\u8be5\u7ea2\u5305\u5df2\u8d85\u8fc724\u5c0f\u65f6\u3002\u5982\u5df2\u9886\u53d6\uff0c\u53ef\u5728\u201c\u6211\u7684\u7ea2\u5305\u201d\u4e2d...'
| | | UIButton:0x13012d3f0
| | | UIButton:0x13012d690
| | | | UIImageView:0x13012ddb0
| | | UIImageView:0x13012adf0
| | | UIImageView:0x13012b0b0
调试WCRedEnvelopesReceiveHomeView页面
/opt/theos/bin/logify.pl WXHeaders/WCRedEnvelopesReceiveHomeView.h > Tweak.xm
日志:
Oct 20 10:50:22 iPhone WeChat[3235] <Notice>: [redpocket] Tweak.xm:8 DEBUG: -[<WCRedEnvelopesReceiveHomeView: 0x13720c6d0> initWithFrame:-- andData:<WCRedEnvelopesControlData: 0x13742e5b0> delegate:<WCRedEnvelopesReceiveControlLogic: 0x13719a0c0>]
Oct 20 10:50:22 iPhone WeChat[3235] <Notice>: [redpocket] Tweak.xm:13 DEBUG: -[<WCRedEnvelopesReceiveHomeView: 0x13720c6d0> refreshViewWithData:<WCRedEnvelopesControlData: 0x13742e5b0>]
Oct 20 10:50:22 iPhone WeChat[3235] <Notice>: [redpocket] Tweak.xm:16 DEBUG: -[<WCRedEnvelopesReceiveHomeView: 0x13720c6d0> shouldShowDetailButtonWithIsSender:0 Type:0 ReceiveStutus:0 envelopeStutus:2 data:<WCRedEnvelopesControlData: 0x13742e5b0>]
Oct 20 10:50:22 iPhone WeChat[3235] <Notice>: [redpocket] Tweak.xm:16 DEBUG: = 0
Oct 20 10:50:22 iPhone WeChat[3235] <Notice>: [redpocket] Tweak.xm:15 DEBUG: -[<WCRedEnvelopesReceiveHomeView: 0x13720c6d0> shouldShowBottomDescriptionWithType:0 envelopeStutus:2]
Oct 20 10:50:22 iPhone WeChat[3235] <Notice>: [redpocket] Tweak.xm:15 DEBUG: = 0
Oct 20 10:50:22 iPhone WeChat[3235] <Notice>: [redpocket] Tweak.xm:8 DEBUG: = <WCRedEnvelopesReceiveHomeView: 0x13720c6d0; frame = (0 0; 320 568); clipsToBounds = YES; layer = <CALayer: 0x1370e6d30>>
Oct 20 10:50:22 iPhone WeChat[3235] <Notice>: [redpocket] Tweak.xm:17 DEBUG: -[<WCRedEnvelopesReceiveHomeView: 0x13720c6d0> showAnimation]
点开红包后调用:
Oct 20 10:50:25 iPhone WeChat[3235] <Notice>: [redpocket] Tweak.xm:5 DEBUG: -[<WCRedEnvelopesReceiveHomeView: 0x13720c6d0> OnOpenRedEnvelopes]
Oct 20 10:50:25 iPhone WeChat[3235] <Notice>: [redpocket] Tweak.xm:19 DEBUG: -[<WCRedEnvelopesReceiveHomeView: 0x13720c6d0> startReceiveAnimation]
Oct 20 10:50:26 iPhone WeChat[3235] <Notice>: [redpocket] Tweak.xm:18 DEBUG: -[<WCRedEnvelopesReceiveHomeView: 0x13720c6d0> showSuccessOpenAnimation]
Oct 20 10:50:26 iPhone WeChat[3235] <Notice>: [redpocket] Tweak.xm:14 DEBUG: -[<WCRedEnvelopesReceiveHomeView: 0x13720c6d0> removeView]
仔细分析可以得出几个和数据相关的方法,其它基本是UI相关
//WCRedEnvelopesControlData & WCRedEnvelopesReceiveControlLogic 初始化一个红包视图
-[<WCRedEnvelopesReceiveHomeView: 0x1370974c0> initWithFrame:-- andData:<WCRedEnvelopesControlData: 0x136cddbf0> delegate:<WCRedEnvelopesReceiveControlLogic: 0x136f4c9b0>]
//根据WCRedEnvelopesControlData刷新界面
-[<WCRedEnvelopesReceiveHomeView: 0x1370974c0> refreshViewWithData:<WCRedEnvelopesControlData: 0x136cddbf0>]
//打开红包操作
-[<WCRedEnvelopesReceiveHomeView: 0x13720c6d0> OnOpenRedEnvelopes]
打开红包的操作才是我们需要的,那么我们走起,通过Hopper反编译OnOpenRedEnvelopes
头文件
@interface WCRedEnvelopesReceiveHomeView{
id m_delegate;
NSDictionary *m_dicBaseInfo;
}
@end
%hook WCRedEnvelopesReceiveHomeView
- (void)OnOpenRedEnvelopes {
%log;
//%orig;
NSDictionary *dict = MSHookIvar<NSDictionary *>(self, "m_dicBaseInfo");
NSArray *arr = [dict allKeys];
for(NSInteger i=0; i<arr.count; i++){
NSString *key = arr[i];
id value = [dict valueForKey:key];
NSLog(@"key : %@ value : %@", key, value);
}
id delegate = MSHookIvar<id>(self, "m_delegate");
NSLog(@"m_delegate class is %@ ", [delegate class]);
}
%end
日志输出:
Oct 20 15:21:19 iPhone WeChat[3282] <Notice>: [redpocket] Tweak.xm:25 DEBUG: -[<WCRedEnvelopesReceiveHomeView: 0x15e8b0510> OnOpenRedEnvelopes]
Oct 20 15:21:19 iPhone WeChat[3282] <Warning>:Oct 20 15:21:19 iPhone WeChat[3282] <Warning>: key : watermark value :
Oct 20 15:21:19 iPhone WeChat[3282] <Warning>: key : sendUserName value : wxid_y9bs6i3qil6m21
Oct 20 15:21:19 iPhone WeChat[3282] <Warning>: key : timingIdentifier value : C2E51DAD13A971F9E5C3EC016C9CA2E7
Oct 20 15:21:19 iPhone WeChat[3282] <Warning>: key : hbStatus value : 2
Oct 20 15:21:19 iPhone WeChat[3282] <Warning>: key : receiveStatus value : 0
Oct 20 15:21:19 iPhone WeChat[3282] <Warning>: key : sendId value : 1000039501201710207015233607354
Oct 20 15:21:19 iPhone WeChat[3282] <Warning>: key : isSender value : 0
Oct 20 15:21:19 iPhone WeChat[3282] <Warning>:Oct 20 15:21:19 iPhone WeChat[3282] <Warning>: key : hbType value : 0
Oct 20 15:21:19 iPhone WeChat[3282] <Warning>: m_delegate class is WCRedEnvelopesReceiveControlLogic
WeChat 6.5.20 分割线,上面是之前版本,偏移地址不一样,逻辑啥的都一样。App Store自动升级真是郁闷啊!
Hopper反汇编打开红包方法(和IDA做对比):
-[WCRedEnvelopesReceiveHomeView OnOpenRedEnvelopes]:
0000000100e586e8 sub sp, sp, #0x70 ; Objective C Implementation defined at 0x1036f8b50 (instance)
0000000100e586ec stp x24, x23, [sp, #0x30] ;x23+(sp+0x30) = x24
0000000100e586f0 stp x22, x21, [sp, #0x40] ;x21+(sp+0x40) = x22
0000000100e586f4 stp x20, x19, [sp, #0x50] ;x19+(sp+0x50) = x20
0000000100e586f8 stp x29, x30, [sp, #0x60] ;x30+(sp+0x60) = x29
0000000100e586fc add x29, sp, #0x60 ;x29 = sp + 0x60
0000000100e58700 mov x19, x0 ;x19 = x0
0000000100e58704 adrp x8, #0x103c2a000 ;地址生成self
0000000100e58708 ldrsw x24, [x8, #0xfbc] ; x24 = (x8+0xfbc) objc_ivar_offset_WCRedEnvelopesReceiveHomeView_m_dicBaseInfo self.m_dicBaseInfo
0000000100e5870c ldr x0, [x19, x24] ;x0 = (x19+x24)
0000000100e58710 adrp x8, #0x103b7d000
0000000100e58714 ldr x20, [x8, #0xee0] ; "objectForKey:",@selector(objectForKey:) ;方法地址
0000000100e58718 adrp x2, #0x1033a6000
0000000100e5871c add x2, x2, #0xfb8 ; @"isSender"
0000000100e58720 mov x1, x20
0000000100e58724 bl imp___stubs__objc_msgSend ;调用 [self.m_dicBaseInfo objectForKey:@"isSender"]
0000000100e58728 mov x29, x29
0000000100e5872c bl imp___stubs__objc_retainAutoreleasedReturnValue 返回值在x0
0000000100e58730 mov x21, x0
0000000100e58734 adrp x8, #0x103b7f000 ; @selector(WAAppCacheSandboxDirWithAppID:)
0000000100e58738 ldr x22, [x8, #0x858] ; "intValue",@selector(intValue)
0000000100e5873c mov x1, x22
0000000100e58740 bl imp___stubs__objc_msgSend ; 实现appid变为intValue
0000000100e58744 mov x23, x0
0000000100e58748 mov x0, x21 ;返回值isSender
0000000100e5874c bl imp___stubs__objc_release
0000000100e58750 ldr x0, [x19, x24] ;x0 = (x19+x24)
0000000100e58754 adrp x2, #0x1033a6000
0000000100e58758 add x2, x2, #0xb18 ;@"hbType"
0000000100e5875c mov x1, x20
0000000100e58760 bl imp___stubs__objc_msgSend ;[self.m_dicBaseInfo valueForKey:@"hbType"]
0000000100e58764 mov x29, x29
0000000100e58768 bl imp___stubs__objc_retainAutoreleasedReturnValue ;返回值
0000000100e5876c mov x20, x0
0000000100e58770 mov x1, x22
0000000100e58774 bl imp___stubs__objc_msgSend
0000000100e58778 mov x21, x0
0000000100e5877c mov x0, x20
0000000100e58780 bl imp___stubs__objc_release
0000000100e58784 adrp x8, #0x103c07000
0000000100e58788 ldr x0, [x8, #0x7b8] ; x0 = (x8+0x7b8) objc_cls_ref_NSString,_OBJC_CLASS_$_NSString
0000000100e5878c add w8, w21, #0x1
0000000100e58790 cmp w23, #0x0
0000000100e58794 orr w9, wzr, #0x1
0000000100e58798 cinc w9, w9, le
0000000100e5879c adrp x10, #0x103b7d000
0000000100e587a0 ldr x1, [x10, #0xf68] ; "stringWithFormat:",@selector(stringWithFormat:)
0000000100e587a4 adrp x10, #0x10330d000
0000000100e587a8 add x10, x10, #0x18 ; @""
0000000100e587ac orr w11, wzr, #0x2
0000000100e587b0 stp x11, x10, [sp, #0x20]
0000000100e587b4 stp x9, xzr, [sp, #0x10]
0000000100e587b8 movz w9, #0x5
0000000100e587bc stp x9, x8, [sp]
0000000100e587c0 adrp x2, #0x1033a7000
0000000100e587c4 add x2, x2, #0x2b8 ; @"%u,%u,%u,%u,%u,%@"
0000000100e587c8 bl imp___stubs__objc_msgSend ; [NSString stringWithFormat:@"%u,%u,%u,%u,%u,%@"];
0000000100e587cc mov x29, x29
0000000100e587d0 bl imp___stubs__objc_retainAutoreleasedReturnValue
0000000100e587d4 mov x20, x0
0000000100e587d8 movz w0, #0x2db5
0000000100e587dc mov x1, x20
0000000100e587e0 movz w2, #0x0
0000000100e587e4 movz w3, #0x0 ; argument "self"
0000000100e587e8 bl 0x102923a8c
0000000100e587ec adrp x8, #0x103c2a000
0000000100e587f0 ldrsw x8, [x8, #0xfd8] ; objc_ivar_offset_WCRedEnvelopesReceiveHomeView_m_delegate
0000000100e587f4 add x0, x19, x8
0000000100e587f8 bl imp___stubs__objc_loadWeakRetained
0000000100e587fc mov x19, x0
0000000100e58800 adrp x8, #0x103bb1000 ; @selector(setModifyDefaultAmt:)
0000000100e58804 ldr x1, [x8, #0xf40] ; "WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes",@selector(WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes)
0000000100e58808 bl imp___stubs__objc_msgSend
0000000100e5880c mov x0, x19
0000000100e58810 bl imp___stubs__objc_release
0000000100e58814 mov x0, x20
0000000100e58818 ldp x29, x30, [sp, #0x60]
0000000100e5881c ldp x20, x19, [sp, #0x50]
0000000100e58820 ldp x22, x21, [sp, #0x40]
0000000100e58824 ldp x24, x23, [sp, #0x30]
0000000100e58828 add sp, sp, #0x70
0000000100e5882c b imp___stubs__objc_release
; endp
IDA反汇编打开红包的方法(IDA 调用方法时比Hopper注释更加详细,所以下面使用IDA):
- IDA 在调用方法时,将方法的地址,转换为函数名;看反汇编代码更加清晰
- 调用objc_msgSend方法时: X0存放第一个参数receiver,X1存放第二个参数selector,后面的参数依此类推
- x0~x7常用做参数,x0常用做返回值
- adrp地址生成指令,常用做取方法的地址
- x8常用做间接寻址
- mac终端命令 只在当前目录根据内容(MMServiceCenter)查找相关文件:
mdfind -onlyin . MMServiceCenter
text:0000000100E586E8 ; void __cdecl -[WCRedEnvelopesReceiveHomeView OnOpenRedEnvelopes](WCRedEnvelopesReceiveHomeView *self, SEL)
__text:0000000100E586E8 __WCRedEnvelopesReceiveHomeView_OnOpenRedEnvelopes_
__text:0000000100E586E8 SUB SP, SP, #0x70
__text:0000000100E586EC STP X24, X23, [SP,#0x30]
__text:0000000100E586F0 STP X22, X21, [SP,#0x40]
__text:0000000100E586F4 STP X20, X19, [SP,#0x50]
__text:0000000100E586F8 STP X29, X30, [SP,#0x60]
__text:0000000100E586FC ADD X29, SP, #0x60
__text:0000000100E58700 MOV X19, X0
__text:0000000100E58704 ADRP X8, #_OBJC_IVAR_$_WCRedEnvelopesReceiveHomeView.m_dicBaseInfo@PAGE
__text:0000000100E58708 LDRSW X24, [X8,#_OBJC_IVAR_$_WCRedEnvelopesReceiveHomeView.m_dicBaseInfo@PAGEOFF] ; NSDictionary *m_dicBaseInfo;
__text:0000000100E5870C LDR X0, [X19,X24]
__text:0000000100E58710 ADRP X8, #selRef_objectForKey_@PAGE
__text:0000000100E58714 LDR X20, [X8,#selRef_objectForKey_@PAGEOFF]
__text:0000000100E58718 ADRP X2, #cfstr_Issender_1@PAGE
__text:0000000100E5871C ADD X2, X2, #cfstr_Issender_1@PAGEOFF ; "isSender"
__text:0000000100E58720 MOV X1, X20
__text:0000000100E58724 BL _objc_msgSend
__text:0000000100E58728 MOV X29, X29
__text:0000000100E5872C BL _objc_retainAutoreleasedReturnValue
;上面是返回值: [self.m_dicBaseInfo objectForKey:@"isSender"]
__text:0000000100E58730 MOV X21, X0
__text:0000000100E58734 ADRP X8, #selRef_intValue@PAGE
__text:0000000100E58738 LDR X22, [X8,#selRef_intValue@PAGEOFF]
__text:0000000100E5873C MOV X1, X22
__text:0000000100E58740 BL _objc_msgSend
__text:0000000100E58744 MOV X23, X0
__text:0000000100E58748 MOV X0, X21
__text:0000000100E5874C BL _objc_release
__text:0000000100E58750 LDR X0, [X19,X24]
__text:0000000100E58754 ADRP X2, #cfstr_Hbtype_1@PAGE
__text:0000000100E58758 ADD X2, X2, #cfstr_Hbtype_1@PAGEOFF ; "hbType"
__text:0000000100E5875C MOV X1, X20
__text:0000000100E58760 BL _objc_msgSend
__text:0000000100E58764 MOV X29, X29
__text:0000000100E58768 BL _objc_retainAutoreleasedReturnValue
;上面是返回值: [self.m_dicBaseInfo objectForKey:@"hbType"]
__text:0000000100E5876C MOV X20, X0
__text:0000000100E58770 MOV X1, X22
__text:0000000100E58774 BL _objc_msgSend
__text:0000000100E58778 MOV X21, X0
__text:0000000100E5877C MOV X0, X20
__text:0000000100E58780 BL _objc_release
__text:0000000100E58784 ADRP X8, #classRef_NSString@PAGE
__text:0000000100E58788 LDR X0, [X8,#classRef_NSString@PAGEOFF]
__text:0000000100E5878C ADD W8, W21, #1
__text:0000000100E58790 CMP W23, #0
__text:0000000100E58794 MOV W9, #1
__text:0000000100E58798 CINC W9, W9, LE
__text:0000000100E5879C ADRP X10, #selRef_stringWithFormat_@PAGE
__text:0000000100E587A0 LDR X1, [X10,#selRef_stringWithFormat_@PAGEOFF]
__text:0000000100E587A4 ADRP X10, #stru_10330D018@PAGE
__text:0000000100E587A8 ADD X10, X10, #stru_10330D018@PAGEOFF
__text:0000000100E587AC MOV W11, #2
__text:0000000100E587B0 STP X11, X10, [SP,#0x20]
__text:0000000100E587B4 STP X9, XZR, [SP,#0x10]
__text:0000000100E587B8 MOV W9, #5
__text:0000000100E587BC STP X9, X8, [SP]
__text:0000000100E587C0 ADRP X2, #cfstr_UUUUU_1@PAGE ;
__text:0000000100E587C4 ADD X2, X2, #cfstr_UUUUU_1@PAGEOFF ; "%u,%u,%u,%u,%u,%@"
__text:0000000100E587C8 BL _objc_msgSend
__text:0000000100E587CC MOV X29, X29
__text:0000000100E587D0 BL _objc_retainAutoreleasedReturnValue
;上面是返回值: [NSString stringWithFormat:@"%u,%u,%u,%u,%u,%@"]
__text:0000000100E587D4 MOV X20, X0
__text:0000000100E587D8 MOV W0, #0x2DB5
__text:0000000100E587DC MOV X1, X20
__text:0000000100E587E0 MOV W2, #0
__text:0000000100E587E4 MOV W3, #0
__text:0000000100E587E8 BL sub_102923A8C
__text:0000000100E587EC ADRP X8, #_OBJC_IVAR_$_WCRedEnvelopesReceiveHomeView.m_delegate@PAGE
__text:0000000100E587F0 LDRSW X8, [X8,#_OBJC_IVAR_$_WCRedEnvelopesReceiveHomeView.m_delegate@PAGEOFF] ; WCRedEnvelopesReceiveHomeViewDelegate *m_delegate;
__text:0000000100E587F4 ADD X0, X19, X8
__text:0000000100E587F8 BL _objc_loadWeakRetained
__text:0000000100E587FC MOV X19, X0
__text:0000000100E58800 ADRP X8, #selRef_WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes@PAGE
__text:0000000100E58804 LDR X1, [X8,#selRef_WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes@PAGEOFF]
__text:0000000100E58808 BL _objc_msgSend
; 上面调用: [self.m_delegate WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes]
;通过日志可以看出self.m_delegate类的类型为:WCRedEnvelopesReceiveControlLogic
__text:0000000100E5880C MOV X0, X19
__text:0000000100E58810 BL _objc_release
__text:0000000100E58814 MOV X0, X20
__text:0000000100E58818 LDP X29, X30, [SP,#0x60]
__text:0000000100E5881C LDP X20, X19, [SP,#0x50]
__text:0000000100E58820 LDP X22, X21, [SP,#0x40]
__text:0000000100E58824 LDP X24, X23, [SP,#0x30]
__text:0000000100E58828 ADD SP, SP, #0x70
__text:0000000100E5882C B _objc_release
__text:0000000100E5882C ; End of function -[WCRedEnvelopesReceiveHomeView OnOpenRedEnvelopes]
得出的大概伪代码:
//是否是消息发送者
int isSender = [[self.m_dicBaseInfo objectForKey:@"isSender"] intValue];
//红包类型
NSNumber *hbType = [self.m_dicBaseInfo objectForKey:@"hbType"];
//后面参数未知
NSString *unknownStr = [NSString stringWithFormat:@"%u,%u,%u,%u,%u,%@"];
//调用打开红包 WCRedEnvelopesReceiveControlLogic
[self.m_delegate WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes]
接着我们通过上面调用方法的信息,反汇编 WCRedEnvelopesReceiveControlLogic的WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes方法:
text:00000001011FF35C ; void __cdecl -[WCRedEnvelopesReceiveControlLogic WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes](WCRedEnvelopesReceiveControlLogic *self, SEL)
__text:00000001011FF35C __WCRedEnvelopesReceiveControlLogic_WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes_
... ;省略部分代码
__text:00000001011FF35C SUB SP, SP, #0x130
__text:00000001011FF360 STP D9, D8, [SP,#0x120+var_60]
__text:00000001011FF364 STP X28, X27, [SP,#0x120+var_50]
__text:00000001011FF368 STP X26, X25, [SP,#0x120+var_40]
__text:00000001011FF36C STP X24, X23, [SP,#0x120+var_30]
__text:00000001011FF370 STP X22, X21, [SP,#0x120+var_20]
__text:00000001011FF374 STP X20, X19, [SP,#0x120+var_10]
__text:00000001011FF378 STP X29, X30, [SP,#0x120+var_s0]
__text:00000001011FF37C ADD X29, SP, #0x120
__text:00000001011FF380 MOV X27, X0
__text:00000001011FF384 ADRP X8, #_OBJC_IVAR_$_WCRedEnvelopesControlLogic.m_data@PAGE ; WCRedEnvelopesControlData *m_data;
__text:00000001011FF388 NOP
__text:00000001011FF38C LDRSW X21, [X8,#_OBJC_IVAR_$_WCRedEnvelopesControlLogic.m_data@PAGEOFF] ; WCRedEnvelopesControlData *m_data;
__text:00000001011FF390 LDR X0, [X27,X21]
__text:00000001011FF394 ADRP X8, #selRef_m_oSelectedMessageWrap@PAGE
__text:00000001011FF398 LDR X19, [X8,#selRef_m_oSelectedMessageWrap@PAGEOFF]
__text:00000001011FF39C MOV X1, X19
__text:00000001011FF3A0 BL _objc_msgSend
__text:00000001011FF3A4 MOV X29, X29
__text:00000001011FF3A8 BL _objc_retainAutoreleasedReturnValue
;上面返回值 CMessageWrap *messageWrap = [self.m_data m_oSelectedMessageWrap];
__text:00000001011FF3AC MOV X22, X0 ;x0返回值,是messageWrap的地址
__text:00000001011FF3B0 ADRP X8, #selRef_m_oWCPayInfoItem@PAGE
__text:00000001011FF3B4 LDR X1, [X8,#selRef_m_oWCPayInfoItem@PAGEOFF]
__text:00000001011FF3B8 STR X1, [SP,#0x120+var_100] ;x1是m_oWCPayInfoItem方法地址
__text:00000001011FF3BC BL _objc_msgSend
__text:00000001011FF3C0 MOV X29, X29
__text:00000001011FF3C4 BL _objc_retainAutoreleasedReturnValue
;上面返回值 WCPayInfoItem *payInfoItem = [messageWrap m_oWCPayInfoItem];
__text:00000001011FF3C8 MOV X23, X0
__text:00000001011FF3CC ADRP X8, #selRef_m_c2cNativeUrl@PAGE
__text:00000001011FF3D0 LDR X24, [X8,#selRef_m_c2cNativeUrl@PAGEOFF]
__text:00000001011FF3D4 MOV X1, X24
__text:00000001011FF3D8 BL _objc_msgSend
__text:00000001011FF3DC MOV X29, X29
__text:00000001011FF3E0 BL _objc_retainAutoreleasedReturnValue
;上面返回值 NSString *m_c2cNativeUrl = [payInfoItem m_c2cNativeUrl];
__text:00000001011FF3E4 MOV X25, X0
__text:00000001011FF3E8 ADRP X8, #selRef_length@PAGE
__text:00000001011FF3EC LDR X1, [X8,#selRef_length@PAGEOFF]
__text:00000001011FF3F0 ADRP X0, #cfstr_WxpayC2cbizmes_0@PAGE ; "wxpay://c2cbizmessagehandler/hongbao/receivehongbao?"
__text:00000001011FF3F4 ADD X0, X0, #cfstr_WxpayC2cbizmes_0@PAGEOFF ; "wxpay://c2cbizmessagehandler/hongbao/receivehongbao?"
__text:00000001011FF3F8 STR X1, [SP,#0x120+var_F8] ;[SP,#0x120+var_F8] = 字符串length方法
__text:00000001011FF3FC BL _objc_msgSend
__text:00000001011FF400 MOV X2, X0
__text:00000001011FF404 ADRP X8, #selRef_substringFromIndex_@PAGE
__text:00000001011FF408 LDR X1, [X8,#selRef_substringFromIndex_@PAGEOFF]
__text:00000001011FF40C MOV X0, X25
__text:00000001011FF410 BL _objc_msgSend
__text:00000001011FF414 MOV X29, X29
__text:00000001011FF418 BL _objc_retainAutoreleasedReturnValue
;上面有两个方法:1. [@"wxpay://c2cbizmessagehandler/hongbao/receivehongbao?" length] 2. [m_c2cNativeUrl substringFromIndex]
;NSInterger index = [@"wxpay://c2cbizmessagehandler/hongbao/receivehongbao?" length];
;上面的返回值 : NSString *nativeUrlData = [m_c2cNativeUrl substringFromIndex:index];
__text:00000001011FF41C MOV X20, X0 ;x20是nativeUrlData
__text:00000001011FF420 MOV X0, X25 ;此时的x25是m_c2cNativeUrl的地址
__text:00000001011FF424 BL _objc_release
__text:00000001011FF428 MOV X0, X23
__text:00000001011FF42C BL _objc_release
__text:00000001011FF430 MOV X0, X22 ; x22 是messageWrap的地址
__text:00000001011FF434 BL _objc_release
__text:00000001011FF438 ADRP X8, #classRef_WCBizUtil@PAGE
__text:00000001011FF43C LDR X0, [X8,#classRef_WCBizUtil@PAGEOFF] ;x0是WCBizUtil
__text:00000001011FF440 ADRP X8, #selRef_dictionaryWithDecodedComponets_separator_@PAGE
__text:00000001011FF444 LDR X1, [X8,#selRef_dictionaryWithDecodedComponets_separator_@PAGEOFF] ;x1是dictionaryWithDecodedComponets_separator
__text:00000001011FF448 ADRP X3, #stru_10330F0F8@PAGE ; "&" x3是字符串 "&"
__text:00000001011FF44C ADD X3, X3, #stru_10330F0F8@PAGEOFF ; "&"
__text:00000001011FF450 STR X20, [SP,#0x120+var_E0]
__text:00000001011FF454 MOV X2, X20 ;x2 是nativeUrlData
__text:00000001011FF458 BL _objc_msgSend
__text:00000001011FF45C MOV X29, X29
__text:00000001011FF460 BL _objc_retainAutoreleasedReturnValue
;上面返回值:
;NSDictionary *nativeUrlDict = [WCBizUtil dictionaryWithDecodedComponets:nativeUrlData separator:@"&"]
__text:00000001011FF464 MOV X20, X0 ;x20 是 nativeUrlDict
__text:00000001011FF468 ADRP X8, #classRef_NSMutableDictionary@PAGE
__text:00000001011FF46C LDR X0, [X8,#classRef_NSMutableDictionary@PAGEOFF] ;x0是NSMutableDictionary
__text:00000001011FF470 ADRP X8, #selRef_dictionary@PAGE
__text:00000001011FF474 LDR X1, [X8,#selRef_dictionary@PAGEOFF] ;x1是dictionary
__text:00000001011FF478 BL _objc_msgSend
__text:00000001011FF47C MOV X29, X29
__text:00000001011FF480 BL _objc_retainAutoreleasedReturnValue
;上面返回值: NSMutableDictionary *dictM = [NSMutableDictionary dictionary];
__text:00000001011FF484 MOV X22, X0 ;x22是dictM
__text:00000001011FF488 ADRP X8, #selRef_safeSetObject_forKey_@PAGE
__text:00000001011FF48C LDR X25, [X8,#selRef_safeSetObject_forKey_@PAGEOFF]
__text:00000001011FF490 ADRP X2, #cfstr_1@PAGE ; "1"
__text:00000001011FF494 ADD X2, X2, #cfstr_1@PAGEOFF ; "1"
__text:00000001011FF498 ADRP X3, #cfstr_Msgtype_1@PAGE ; "msgType"
__text:00000001011FF49C ADD X3, X3, #cfstr_Msgtype_1@PAGEOFF ; "msgType"
__text:00000001011FF4A0 MOV X1, X25
__text:00000001011FF4A4 BL _objc_msgSend
;上面代码: [dictM setObject:@1 forKey:@"msgType"];
__text:00000001011FF4A8 ADRP X8, #selRef_objectForKey_@PAGE
__text:00000001011FF4AC LDR X23, [X8,#selRef_objectForKey_@PAGEOFF]
__text:00000001011FF4B0 ADRP X2, #cfstr_Sendid_2@PAGE ; "sendid"
__text:00000001011FF4B4 ADD X2, X2, #cfstr_Sendid_2@PAGEOFF ; "sendid"
__text:00000001011FF4B8 MOV X0, X20 ;x20是nativeUrlData
__text:00000001011FF4BC MOV X1, X23
__text:00000001011FF4C0 BL _objc_msgSend
__text:00000001011FF4C4 MOV X29, X29
__text:00000001011FF4C8 BL _objc_retainAutoreleasedReturnValue
;上面返回值:id sendId = [nativeUrlData objectForKey:@"sendid"];
__text:00000001011FF4CC MOV X26, X0 ;X26是 sendId
__text:00000001011FF4D0 ADRP X3, #cfstr_Sendid_1@PAGE ; "sendId"
__text:00000001011FF4D4 ADD X3, X3, #cfstr_Sendid_1@PAGEOFF ; "sendId"
__text:00000001011FF4D8 MOV X0, X22 ;x22是dictM
__text:00000001011FF4DC MOV X1, X25 ;x25是方法setObject: forKey:
__text:00000001011FF4E0 MOV X2, X26 ;X26是sendId
__text:00000001011FF4E4 BL _objc_msgSend
;上面代码:[dictM setObject:sendId forKey: @"sendId"]
__text:00000001011FF4E8 MOV X0, X26
__text:00000001011FF4EC MOV X26, X21
__text:00000001011FF4F0 BL _objc_release
__text:00000001011FF4F4 ADRP X2, #cfstr_Channelid_0@PAGE ; "channelid"
__text:00000001011FF4F8 ADD X2, X2, #cfstr_Channelid_0@PAGEOFF ; "channelid"
__text:00000001011FF4FC STR X20, [SP,#0x120+var_E8]
__text:00000001011FF500 MOV X0, X20 ;x20是nativeUrlData
__text:00000001011FF504 MOV X1, X23 ;X23是 objectForKey
__text:00000001011FF508 BL _objc_msgSend
__text:00000001011FF50C MOV X29, X29
__text:00000001011FF510 BL _objc_retainAutoreleasedReturnValue
;上面返回值:id channelId = [nativeUrlData objectForKey:@"channelid"]
__text:00000001011FF514 MOV X23, X0
__text:00000001011FF518 ADRP X3, #cfstr_Channelid@PAGE ; "channelId"
__text:00000001011FF51C ADD X3, X3, #cfstr_Channelid@PAGEOFF ; "channelId"
__text:00000001011FF520 MOV X0, X22
__text:00000001011FF524 MOV X1, X25
__text:00000001011FF528 MOV X2, X23
__text:00000001011FF52C BL _objc_msgSend
;上面代码:[dictM setObject:channelId forKey:@"channelId"]
__text:00000001011FF530 MOV X0, X23
__text:00000001011FF534 BL _objc_release
__text:00000001011FF538 ADRP X8, #classRef_MMServiceCenter@PAGE
__text:00000001011FF53C LDR X0, [X8,#classRef_MMServiceCenter@PAGEOFF] ;x0是MMServiceCenter
__text:00000001011FF540 ADRP X8, #selRef_defaultCenter@PAGE
__text:00000001011FF544 LDR X28, [X8,#selRef_defaultCenter@PAGEOFF]
__text:00000001011FF548 MOV X1, X28 ;x8是defaultCenter
__text:00000001011FF54C BL _objc_msgSend
__text:00000001011FF550 MOV X29, X29
__text:00000001011FF554 BL _objc_retainAutoreleasedReturnValue
;上面返回值:MMServiceCenter *serviceCenter = [MMServiceCenter defaultCenter];
;MMServiceCenter 比较神奇,从classdump里找不到相关的头文件信息
__text:00000001011FF558 MOV X23, X0
__text:00000001011FF55C ADRP X8, #classRef_CContactMgr@PAGE
__text:00000001011FF560 LDR X0, [X8,#classRef_CContactMgr@PAGEOFF]
__text:00000001011FF564 ADRP X8, #selRef_class@PAGE
__text:00000001011FF568 LDR X1, [X8,#selRef_class@PAGEOFF]
__text:00000001011FF56C STR X1, [SP,#0x120+var_D0]
__text:00000001011FF570 BL _objc_msgSend
;上面代码:Class contactMgrCls = [CContactMgr class];
__text:00000001011FF574 MOV X2, X0
__text:00000001011FF578 ADRP X8, #selRef_getService_@PAGE
__text:00000001011FF57C LDR X1, [X8,#selRef_getService_@PAGEOFF]
__text:00000001011FF580 MOV X0, X23 ;X23是serviceCenter
__text:00000001011FF584 STR X1, [SP,#0x120+var_D8]
__text:00000001011FF588 BL _objc_msgSend
__text:00000001011FF58C MOV X29, X29
__text:00000001011FF590 BL _objc_retainAutoreleasedReturnValue
;上面返回值:id contactMgrSer = [serviceCenter getService: contactMrgCls]
__text:00000001011FF594 MOV X21, X0
__text:00000001011FF598 ADRP X8, #selRef_getSelfContact@PAGE
__text:00000001011FF59C LDR X1, [X8,#selRef_getSelfContact@PAGEOFF]
__text:00000001011FF5A0 BL _objc_msgSend
__text:00000001011FF5A4 MOV X29, X29
__text:00000001011FF5A8 BL _objc_retainAutoreleasedReturnValue
;上面返回值:id contactMgrSelfContact = [contactMgrSer getSelfContact];
__text:00000001011FF5AC MOV X20, X0
__text:00000001011FF5B0 MOV X0, X21
__text:00000001011FF5B4 BL _objc_release
__text:00000001011FF5B8 MOV X0, X23
__text:00000001011FF5BC BL _objc_release
__text:00000001011FF5C0 ADRP X8, #selRef_getContactDisplayName@PAGE
__text:00000001011FF5C4 LDR X1, [X8,#selRef_getContactDisplayName@PAGEOFF]
__text:00000001011FF5C8 MOV X0, X20
__text:00000001011FF5CC BL _objc_msgSend
__text:00000001011FF5D0 MOV X29, X29
__text:00000001011FF5D4 BL _objc_retainAutoreleasedReturnValue
;上面返回值: NSString *displayName = [contactMgrSelfContact getContactDisplayName];
__text:00000001011FF5D8 MOV X21, X0
__text:00000001011FF5DC ADRP X3, #cfstr_Nickname_4@PAGE ; "nickName"
__text:00000001011FF5E0 ADD X3, X3, #cfstr_Nickname_4@PAGEOFF ; "nickName"
__text:00000001011FF5E4 MOV X0, X22 ;x22是dictM
__text:00000001011FF5E8 MOV X1, X25 ;x25是方法setObject: forKey:
__text:00000001011FF5EC MOV X2, X21
__text:00000001011FF5F0 BL _objc_msgSend
;上面代码: [dictM setObject:displayName forKey: @"nickName"];
__text:00000001011FF5F4 MOV X0, X21
__text:00000001011FF5F8 BL _objc_release
__text:00000001011FF5FC ADRP X8, #selRef_m_nsHeadImgUrl@PAGE
__text:00000001011FF600 LDR X1, [X8,#selRef_m_nsHeadImgUrl@PAGEOFF]
__text:00000001011FF604 STR X20, [SP,#0x120+var_F0]
__text:00000001011FF608 MOV X0, X20
__text:00000001011FF60C BL _objc_msgSend
__text:00000001011FF610 MOV X29, X29
__text:00000001011FF614 BL _objc_retainAutoreleasedReturnValue
;上面返回值:NSString *headImgUrl = [contactMgrSelfContact m_nsHeadImgUrl];
__text:00000001011FF618 MOV X21, X0
__text:00000001011FF61C ADRP X3, #cfstr_Headimg_2@PAGE ; "headImg"
__text:00000001011FF620 ADD X3, X3, #cfstr_Headimg_2@PAGEOFF ; "headImg"
__text:00000001011FF624 MOV X0, X22
__text:00000001011FF628 MOV X1, X25
__text:00000001011FF62C MOV X2, X21
__text:00000001011FF630 BL _objc_msgSend
;上面代码:[dictM setObject: headImgUrl forKey:@"headImg"]
__text:00000001011FF634 MOV X0, X21
__text:00000001011FF638 BL _objc_release
__text:00000001011FF63C LDR X0, [X27,X26] ;x26=X21 即[X27, x26] = [x27,x21] self.m_data
__text:00000001011FF640 MOV X1, X19 ;X19是m_oSelectedMessageWrap方法
__text:00000001011FF644 BL _objc_msgSend
__text:00000001011FF648 MOV X29, X29
__text:00000001011FF64C BL _objc_retainAutoreleasedReturnValue
;上面返回值:CMessageWrap *messageWrap = [self.m_data m_oSelectedMessageWrap];
__text:00000001011FF650 MOV X21, X0
__text:00000001011FF654 BL _objc_release
__text:00000001011FF658 CBZ X21, loc_1011FF6CC ;如果messageWrap为空跳转loc_1011FF6CC
__text:00000001011FF65C LDR X0, [X27,X26]
__text:00000001011FF660 MOV X1, X19
__text:00000001011FF664 BL _objc_msgSend
__text:00000001011FF668 MOV X29, X29
__text:00000001011FF66C BL _objc_retainAutoreleasedReturnValue
;上面返回值:CMessageWrap *messageWrap = [self.m_data m_oSelectedMessageWrap];
__text:00000001011FF670 MOV X19, X0 ;x19是messageWrap
__text:00000001011FF674 LDR X1, [SP,#0x120+var_100] ; [SP,#0x120+var_100] 是m_oWCPayInfoItem方法地址
__text:00000001011FF678 BL _objc_msgSend
__text:00000001011FF67C MOV X29, X29
__text:00000001011FF680 BL _objc_retainAutoreleasedReturnValue
;上面返回值 WCPayInfoItem *payInfoItem = [messageWrap m_oWCPayInfoItem];
__text:00000001011FF684 MOV X21, X0
__text:00000001011FF688 MOV X1, X24
__text:00000001011FF68C BL _objc_msgSend
__text:00000001011FF690 MOV X29, X29
__text:00000001011FF694 BL _objc_retainAutoreleasedReturnValue
;上面返回值 NSString *m_c2cNativeUrl = [payInfoItem m_c2cNativeUrl];
__text:00000001011FF698 MOV X23, X0
__text:00000001011FF69C ADRP X3, #cfstr_Nativeurl_4@PAGE ; "nativeUrl"
__text:00000001011FF6A0 ADD X3, X3, #cfstr_Nativeurl_4@PAGEOFF ; "nativeUrl"
__text:00000001011FF6A4 MOV X0, X22 ;x22是dictM
__text:00000001011FF6A8 MOV X1, X25 ;x25是方法setObject: forKey:
__text:00000001011FF6AC MOV X2, X23 ;
__text:00000001011FF6B0 BL _objc_msgSend
;上面代码:[dictM setObject:m_c2cNativeUrl forKey: @"nativeUrl"];
__text:00000001011FF6B4 MOV X0, X23
__text:00000001011FF6B8 BL _objc_release
__text:00000001011FF6BC MOV X0, X21
__text:00000001011FF6C0 BL _objc_release
__text:00000001011FF6C4 MOV X0, X19
__text:00000001011FF6C8 BL _objc_release
__text:00000001011FF6CC
__text:00000001011FF6CC loc_1011FF6CC ; CODE XREF: -[WCRedEnvelopesReceiveControlLogic WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes]+2FC↑j
__text:00000001011FF6CC ADRP X8, #classRef_MMServiceCenter@PAGE
__text:00000001011FF6D0 LDR X0, [X8,#classRef_MMServiceCenter@PAGEOFF] ;MMServiceCenter
__text:00000001011FF6D4 STR X28, [SP,#0x120+var_100]
__text:00000001011FF6D8 MOV X1, X28 ;x28是defaultCenter
__text:00000001011FF6DC BL _objc_msgSend
__text:00000001011FF6E0 MOV X29, X29
__text:00000001011FF6E4 BL _objc_retainAutoreleasedReturnValue
;上面返回值 MMServiceCenter *serviceCenter = [MMServiceCenter defaultCenter];
__text:00000001011FF6E8 MOV X21, X0
__text:00000001011FF6EC ADRP X8, #classRef_MMMsgLogicManager@PAGE
__text:00000001011FF6F0 LDR X0, [X8,#classRef_MMMsgLogicManager@PAGEOFF] ; MMMsgLogicManager
__text:00000001011FF6F4 LDR X1, [SP,#0x120+var_D0] ;class方法
__text:00000001011FF6F8 BL _objc_msgSend
;上面代码: Class logicMgrCls = [MMMsgLogicManager class];
__text:00000001011FF6FC MOV X2, X0
__text:00000001011FF700 MOV X0, X21
__text:00000001011FF704 LDR X1, [SP,#0x120+var_D8] ;getService方法
__text:00000001011FF708 BL _objc_msgSend
__text:00000001011FF70C MOV X29, X29
__text:00000001011FF710 BL _objc_retainAutoreleasedReturnValue
;上面返回值:id logicMgrSer = [serviceCenter getService:logicMgrCls];
__text:00000001011FF714 MOV X23, X0
__text:00000001011FF718 ADRP X8, #selRef_GetCurrentLogicController@PAGE
__text:00000001011FF71C LDR X1, [X8,#selRef_GetCurrentLogicController@PAGEOFF]
__text:00000001011FF720 BL _objc_msgSend
__text:00000001011FF724 MOV X29, X29
__text:00000001011FF728 BL _objc_retainAutoreleasedReturnValue
;上面返回值:id currentVC = [logicMgrSer GetCurrentLogicController];
__text:00000001011FF72C MOV X28, X0
__text:00000001011FF730 MOV X0, X23
__text:00000001011FF734 BL _objc_release
__text:00000001011FF738 MOV X0, X21
__text:00000001011FF73C BL _objc_release
__text:00000001011FF740 CBZ X28, loc_1011FF810 ;如果currentVC为nil,跳转到loc_1011FF810
__text:00000001011FF744 ADRP X8, #selRef_m_contact@PAGE
__text:00000001011FF748 LDR X21, [X8,#selRef_m_contact@PAGEOFF]
__text:00000001011FF74C MOV X0, X28
__text:00000001011FF750 MOV X1, X21
__text:00000001011FF754 BL _objc_msgSend
__text:00000001011FF758 MOV X29, X29
__text:00000001011FF75C BL _objc_retainAutoreleasedReturnValue
;上面返回值:id contact = [currentVC m_contact];
__text:00000001011FF760 MOV X23, X0
__text:00000001011FF764 CBZ X23, loc_1011FF810 ;如果contact为nil,跳转loc_1011FF810
__text:00000001011FF768 MOV X0, X28
__text:00000001011FF76C MOV X1, X21
__text:00000001011FF770 BL _objc_msgSend
__text:00000001011FF774 MOV X29, X29
__text:00000001011FF778 BL _objc_retainAutoreleasedReturnValue
;上面返回值:id contact = [currentVC m_contact];
__text:00000001011FF77C MOV X19, X26
__text:00000001011FF780 MOV X26, X0
__text:00000001011FF784 ADRP X8, #selRef_m_nsUsrName@PAGE
__text:00000001011FF788 LDR X24, [X8,#selRef_m_nsUsrName@PAGEOFF]
__text:00000001011FF78C MOV X1, X24
__text:00000001011FF790 BL _objc_msgSend
__text:00000001011FF794 MOV X29, X29
__text:00000001011FF798 BL _objc_retainAutoreleasedReturnValue
;上面返回值:NSString *userName = [contact m_nsUsrName];
__text:00000001011FF79C MOV X20, X0
__text:00000001011FF7A0 BL _objc_release
__text:00000001011FF7A4 MOV X0, X26
__text:00000001011FF7A8 MOV X26, X19
__text:00000001011FF7AC BL _objc_release
__text:00000001011FF7B0 MOV X0, X23
__text:00000001011FF7B4 BL _objc_release
__text:00000001011FF7B8 CBZ X20, loc_1011FF810 ;如果userName为空跳转到loc_1011FF810
__text:00000001011FF7BC MOV X0, X28
__text:00000001011FF7C0 MOV X1, X21
__text:00000001011FF7C4 BL _objc_msgSend
__text:00000001011FF7C8 MOV X29, X29
__text:00000001011FF7CC BL _objc_retainAutoreleasedReturnValue
;上面返回值:id contact = [currentVC m_contact];
__text:00000001011FF7D0 MOV X20, X0
__text:00000001011FF7D4 MOV X1, X24
__text:00000001011FF7D8 BL _objc_msgSend
__text:00000001011FF7DC MOV X29, X29
__text:00000001011FF7E0 BL _objc_retainAutoreleasedReturnValue
;上面返回值:NSString *userName = [contact m_nsUsrName];
__text:00000001011FF7E4 MOV X21, X0
__text:00000001011FF7E8 ADRP X3, #cfstr_Sessionusernam@PAGE ; "sessionUserName"
__text:00000001011FF7EC ADD X3, X3, #cfstr_Sessionusernam@PAGEOFF ; "sessionUserName"
__text:00000001011FF7F0 MOV X0, X22 ;x22是dictM
__text:00000001011FF7F4 MOV X1, X25 ;x25是方法setObject
__text:00000001011FF7F8 MOV X2, X21 ;x21是username
__text:00000001011FF7FC BL _objc_msgSend
;上面代码: [dictM setObject:userName forKey:@"sessionUserName"]
__text:00000001011FF800 MOV X0, X21
__text:00000001011FF804 BL _objc_release
__text:00000001011FF808 MOV X0, X20
__text:00000001011FF80C BL _objc_release
;判断语句结束
__text:00000001011FF810
__text:00000001011FF810 loc_1011FF810 ; CODE XREF: -[WCRedEnvelopesReceiveControlLogic WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes]+3E4↑j
__text:00000001011FF810 ; -[WCRedEnvelopesReceiveControlLogic WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes]+408↑j ...
__text:00000001011FF810 STP X28, X26, [SP,#0x120+var_110]
__text:00000001011FF814 LDR X0, [X27,X26] ;x0是 self.m_data
__text:00000001011FF818 ADRP X8, #selRef_m_structDicRedEnvelopesBaseInfo@PAGE ;m_structDicRedEnvelopesBaseInfo
__text:00000001011FF81C LDR X24, [X8,#selRef_m_structDicRedEnvelopesBaseInfo@PAGEOFF]
__text:00000001011FF820 MOV X1, X24
__text:00000001011FF824 BL _objc_msgSend
__text:00000001011FF828 MOV X29, X29
__text:00000001011FF82C BL _objc_retainAutoreleasedReturnValue
;返回值:NSDictionary* baseInfoDict = [self.m_data m_structDicRedEnvelopesBaseInfo];
__text:00000001011FF830 MOV X20, X0
__text:00000001011FF834 ADRP X8, #selRef_stringForKey_@PAGE
__text:00000001011FF838 LDR X1, [X8,#selRef_stringForKey_@PAGEOFF]
__text:00000001011FF83C ADRP X2, #cfstr_Timingidentifi@PAGE ; "timingIdentifier"
__text:00000001011FF840 ADD X2, X2, #cfstr_Timingidentifi@PAGEOFF ; "timingIdentifier"
__text:00000001011FF844 BL _objc_msgSend
__text:00000001011FF848 MOV X29, X29
__text:00000001011FF84C BL _objc_retainAutoreleasedReturnValue
; NSString *timingIdentifier = [baseInfoDict stringForKey:@"timingIdentifier"];
__text:00000001011FF850 MOV X19, X0
__text:00000001011FF854 MOV X0, X20
__text:00000001011FF858 BL _objc_release
__text:00000001011FF85C MOV X0, X19
__text:00000001011FF860 LDR X1, [SP,#0x120+var_F8] ;字符串length方法
__text:00000001011FF864 BL _objc_msgSend
; [timingIdentifier length]
__text:00000001011FF868 CBZ X0, loc_1011FF884 ;如果[timingIdentifier length] = 0 跳转 loc_1011FF884
__text:00000001011FF86C ADRP X3, #cfstr_Timingidentifi@PAGE ; "timingIdentifier"
__text:00000001011FF870 ADD X3, X3, #cfstr_Timingidentifi@PAGEOFF ; "timingIdentifier"
__text:00000001011FF874 MOV X0, X22
__text:00000001011FF878 MOV X1, X25
__text:00000001011FF87C MOV X2, X19
__text:00000001011FF880 BL _objc_msgSend
; [dictM setObject:timingIdentifier forKey:@"timingIdentifier"];
__text:00000001011FF884
__text:00000001011FF884 loc_1011FF884 ; CODE XREF: -[WCRedEnvelopesReceiveControlLogic WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes]+50C↑j
__text:00000001011FF884 SUB X0, X29, #-var_68 ;x0 = (x29-var_68)
__text:00000001011FF888 MOV X1, X27
__text:00000001011FF88C BL _objc_initWeak
__text:00000001011FF890 ADRP X28, #classRef_MMServiceCenter@PAGE
__text:00000001011FF894 LDR X0, [X28,#classRef_MMServiceCenter@PAGEOFF]
__text:00000001011FF898 LDR X26, [SP,#0x120+var_100]
__text:00000001011FF89C MOV X1, X26
__text:00000001011FF8A0 BL _objc_msgSend
__text:00000001011FF8A4 MOV X29, X29
__text:00000001011FF8A8 BL _objc_retainAutoreleasedReturnValue
;上面返回值 MMServiceCenter *serviceCenter = [MMServiceCenter defaultCenter];
__text:00000001011FF8AC MOV X20, X0
__text:00000001011FF8B0 STR X19, [SP,#0x120+var_F8]
__text:00000001011FF8B4 MOV X19, X27
__text:00000001011FF8B8 ADRP X27, #classRef_WCPayLogicMgr@PAGE
__text:00000001011FF8BC LDR X0, [X27,#classRef_WCPayLogicMgr@PAGEOFF]
__text:00000001011FF8C0 LDR X21, [SP,#0x120+var_D0]
__text:00000001011FF8C4 MOV X1, X21 ;x21是class
__text:00000001011FF8C8 BL _objc_msgSend
;Class payLogicMgrCls = [WCPayLogicMgr class];
__text:00000001011FF8CC MOV X2, X0
__text:00000001011FF8D0 MOV X0, X20 ;serviceCenter
__text:00000001011FF8D4 MOV X25, X22
__text:00000001011FF8D8 LDR X22, [SP,#0x120+var_D8] ;getService方法
__text:00000001011FF8DC MOV X1, X22
__text:00000001011FF8E0 BL _objc_msgSend
__text:00000001011FF8E4 MOV X29, X29
__text:00000001011FF8E8 BL _objc_retainAutoreleasedReturnValue
;id payLogicMgrSer = [serviceCenter getService: payLogicMgrCls];
__text:00000001011FF8EC MOV X23, X0
__text:00000001011FF8F0 ADRP X8, #selRef_setRealnameReportScene_@PAGE
__text:00000001011FF8F4 LDR X1, [X8,#selRef_setRealnameReportScene_@PAGEOFF]
__text:00000001011FF8F8 MOV W2, #0x3EB
__text:00000001011FF8FC BL _objc_msgSend
;[payLogicMgrSer setRealnameReportScene:@"0x3EB"]
__text:00000001011FF900 MOV X0, X23
__text:00000001011FF904 BL _objc_release
__text:00000001011FF908 MOV X0, X20
__text:00000001011FF90C BL _objc_release
__text:00000001011FF910 ADD X8, SP, #0x120+var_C8
__text:00000001011FF914 ADD X8, X8, #0x28
__text:00000001011FF918 STR X8, [SP,#0x120+var_118]
__text:00000001011FF91C LDR X0, [X28,#classRef_MMServiceCenter@PAGEOFF]
__text:00000001011FF920 MOV X1, X26
__text:00000001011FF924 BL _objc_msgSend
__text:00000001011FF928 MOV X29, X29
__text:00000001011FF92C BL _objc_retainAutoreleasedReturnValue
;上面返回值 MMServiceCenter *serviceCenter = [MMServiceCenter defaultCenter];
__text:00000001011FF930 MOV X26, X0
__text:00000001011FF934 LDR X0, [X27,#classRef_WCPayLogicMgr@PAGEOFF]
__text:00000001011FF938 MOV X1, X21
__text:00000001011FF93C BL _objc_msgSend
__text:00000001011FF940 MOV X2, X0
__text:00000001011FF944 MOV X0, X26
__text:00000001011FF948 MOV X1, X22
__text:00000001011FF94C BL _objc_msgSend
__text:00000001011FF950 MOV X29, X29
__text:00000001011FF954 BL _objc_retainAutoreleasedReturnValue
;Class payLogicMgrCls = [WCPayLogicMgr class];
__text:00000001011FF958 MOV X27, X0
__text:00000001011FF95C LDR X8, [SP,#0x120+var_108]
__text:00000001011FF960 LDR X0, [X19,X8]
__text:00000001011FF964 MOV X1, X24
__text:00000001011FF968 BL _objc_msgSend
__text:00000001011FF96C MOV X29, X29
__text:00000001011FF970 BL _objc_retainAutoreleasedReturnValue
;返回值:NSDictionary* baseInfoDict = [self.m_data m_structDicRedEnvelopesBaseInfo];
__text:00000001011FF974 MOV X24, X0
__text:00000001011FF978 ADRP X8, #selRef_objectForKeyedSubscript_@PAGE
__text:00000001011FF97C LDR X1, [X8,#selRef_objectForKeyedSubscript_@PAGEOFF]
__text:00000001011FF980 ADRP X2, #cfstr_AgreeDuty@PAGE ; "agree_duty"
__text:00000001011FF984 ADD X2, X2, #cfstr_AgreeDuty@PAGEOFF ; "agree_duty"
__text:00000001011FF988 BL _objc_msgSend
__text:00000001011FF98C MOV X29, X29
__text:00000001011FF990 BL _objc_retainAutoreleasedReturnValue
; id agreeDuty = [baseInfoDict objectForKeyedSubscript:@"agree_duty"]
__text:00000001011FF994 MOV X20, X0
__text:00000001011FF998 ADRP X28, #__NSConcreteStackBlock_ptr@PAGE
__text:00000001011FF99C LDR X28, [X28,#__NSConcreteStackBlock_ptr@PAGEOFF] ; x28是NSConcreteStackBlock_ptr
__text:00000001011FF9A0 STR X28, [SP,#0x120+var_98] ;(sp+0x120+var_98) = x28
__text:00000001011FF9A4 ADRP X8, #qword_103101B78@PAGE
__text:00000001011FF9A8 LDR D8, [X8,#qword_103101B78@PAGEOFF]
__text:00000001011FF9AC ADR X8, sub_1011FFAD8
__text:00000001011FF9B0 NOP
;sub_1011FFAD8 子程序,分析里面的代码
__text:00000001011FF9B4 STR D8, [SP,#0x120+var_90]
__text:00000001011FF9B8 STR X8, [SP,#0x120+var_88]
__text:00000001011FF9BC ADRP X8, #unk_1032B3238@PAGE
__text:00000001011FF9C0 ADD X8, X8, #unk_1032B3238@PAGEOFF
__text:00000001011FF9C4 STP X8, X25, [SP,#0x120+var_80]
__text:00000001011FF9C8 MOV X0, X25 ;x25是dictM
__text:00000001011FF9CC BL _objc_retain
__text:00000001011FF9D0 MOV X22, X0
__text:00000001011FF9D4 MOV X0, X19
__text:00000001011FF9D8 BL _objc_retain
;第一个block参数 #0x120+var_98
__text:00000001011FF9DC MOV X23, X0
__text:00000001011FF9E0 STR X23, [SP,#0x120+var_70]
__text:00000001011FF9E4 STR X28, [SP,#0x120+var_C8]
__text:00000001011FF9E8 STR D8, [SP,#0x120+var_C0]
__text:00000001011FF9EC ADR X8, sub_1011FFBF0
__text:00000001011FF9F0 NOP
;sub_1011FFBF0 子程序,分析里面的代码
__text:00000001011FF9F4 STR X8, [SP,#0x120+var_B8]
__text:00000001011FF9F8 ADRP X8, #unk_1032B3268@PAGE
__text:00000001011FF9FC ADD X8, X8, #unk_1032B3268@PAGEOFF
__text:00000001011FFA00 STR X8, [SP,#0x120+var_B0]
__text:00000001011FFA04 SUB X1, X29, #-var_68
__text:00000001011FFA08 LDR X19, [SP,#0x120+var_118]
__text:00000001011FFA0C MOV X0, X19
__text:00000001011FFA10 BL _objc_copyWeak
__text:00000001011FFA14 MOV X0, X23
__text:00000001011FFA18 BL _objc_retain
;第二个block参数 #0x120+var_C8
__text:00000001011FFA1C STR X0, [SP,#0x120+var_A8]
__text:00000001011FFA20 ADRP X8, #selRef_checkHongbaoOpenLicense_acceptCallback_denyCallback_@PAGE
__text:00000001011FFA24 LDR X1, [X8,#selRef_checkHongbaoOpenLicense_acceptCallback_denyCallback_@PAGEOFF]
__text:00000001011FFA28 ADD X3, SP, #0x120+var_98
__text:00000001011FFA2C ADD X4, SP, #0x120+var_C8
__text:00000001011FFA30 MOV X0, X27
__text:00000001011FFA34 MOV X2, X20
__text:00000001011FFA38 BL _objc_msgSend
;- (void)checkHongbaoOpenLicense:(id)arg1 acceptCallback:(CDUnknownBlockType)arg2 denyCallback:(CDUnknownBlockType)arg3;
; [payLogicMgrCls checkHongbaoOpenLicense:agreeDuty acceptCallback: denyCallback: ]
__text:00000001011FFA3C MOV X0, X20
__text:00000001011FFA40 BL _objc_release
__text:00000001011FFA44 MOV X0, X24
__text:00000001011FFA48 BL _objc_release
__text:00000001011FFA4C MOV X0, X27
__text:00000001011FFA50 BL _objc_release
__text:00000001011FFA54 MOV X0, X26
__text:00000001011FFA58 BL _objc_release
__text:00000001011FFA5C LDR X0, [SP,#0x120+var_A8]
__text:00000001011FFA60 BL _objc_release
__text:00000001011FFA64 MOV X0, X19
__text:00000001011FFA68 BL _objc_destroyWeak
__text:00000001011FFA6C LDR X0, [SP,#0x120+var_70]
__text:00000001011FFA70 BL _objc_release
__text:00000001011FFA74 LDR X0, [SP,#0x120+var_78]
__text:00000001011FFA78 BL _objc_release
__text:00000001011FFA7C MOV X0, X22
__text:00000001011FFA80 BL _objc_release
__text:00000001011FFA84 SUB X0, X29, #-var_68
__text:00000001011FFA88 BL _objc_destroyWeak
__text:00000001011FFA8C LDR X0, [SP,#0x120+var_F8]
__text:00000001011FFA90 BL _objc_release
__text:00000001011FFA94 LDR X0, [SP,#0x120+var_110]
__text:00000001011FFA98 BL _objc_release
__text:00000001011FFA9C LDR X0, [SP,#0x120+var_F0]
__text:00000001011FFAA0 BL _objc_release
__text:00000001011FFAA4 LDR X0, [SP,#0x120+var_E8]
__text:00000001011FFAA8 BL _objc_release
__text:00000001011FFAAC LDR X0, [SP,#0x120+var_E0]
__text:00000001011FFAB0 BL _objc_release
__text:00000001011FFAB4 LDP X29, X30, [SP,#0x120+var_s0]
__text:00000001011FFAB8 LDP X20, X19, [SP,#0x120+var_10]
__text:00000001011FFABC LDP X22, X21, [SP,#0x120+var_20]
__text:00000001011FFAC0 LDP X24, X23, [SP,#0x120+var_30]
__text:00000001011FFAC4 LDP X26, X25, [SP,#0x120+var_40]
__text:00000001011FFAC8 LDP X28, X27, [SP,#0x120+var_50]
__text:00000001011FFACC LDP D9, D8, [SP,#0x120+var_60]
__text:00000001011FFAD0 ADD SP, SP, #0x130
__text:00000001011FFAD4 RET
__text:00000001011FFAD4 ; End of function -[WCRedEnvelopesReceiveControlLogic WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes]
__text:00000001011FFAD4
__text:00000001011FFAD8
__text:00000001011FFAD8 ; =============== S U B R O U T I N E =======================================
__text:00000001011FFAD8
__text:00000001011FFAD8 ; Attributes: bp-based frame
__text:00000001011FFAD8 ; 第一个block参数里面的代码
__text:00000001011FFAD8 sub_1011FFAD8 ; DATA XREF: -[WCRedEnvelopesReceiveControlLogic WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes]+650↑o
__text:00000001011FFAD8
__text:00000001011FFAD8 var_20 = -0x20
__text:00000001011FFAD8 var_10 = -0x10
__text:00000001011FFAD8 var_s0 = 0
__text:00000001011FFAD8
__text:00000001011FFAD8 STP X22, X21, [SP,#-0x10+var_20]!
__text:00000001011FFADC STP X20, X19, [SP,#0x20+var_10]
__text:00000001011FFAE0 STP X29, X30, [SP,#0x20+var_s0]
__text:00000001011FFAE4 ADD X29, SP, #0x20
__text:00000001011FFAE8 MOV X19, X0
__text:00000001011FFAEC ADRP X8, #classRef_MMServiceCenter@PAGE
__text:00000001011FFAF0 LDR X0, [X8,#classRef_MMServiceCenter@PAGEOFF] ; void *
__text:00000001011FFAF4 ADRP X8, #selRef_defaultCenter@PAGE
__text:00000001011FFAF8 LDR X1, [X8,#selRef_defaultCenter@PAGEOFF] ; char *
__text:00000001011FFAFC BL _objc_msgSend
__text:00000001011FFB00 MOV X29, X29
__text:00000001011FFB04 BL _objc_retainAutoreleasedReturnValue
; [MMServiceCenter defaultCenter]
__text:00000001011FFB08 MOV X20, X0
__text:00000001011FFB0C ADRP X8, #classRef_WCRedEnvelopesLogicMgr@PAGE
__text:00000001011FFB10 LDR X0, [X8,#classRef_WCRedEnvelopesLogicMgr@PAGEOFF] ; void *
__text:00000001011FFB14 ADRP X8, #selRef_class@PAGE
__text:00000001011FFB18 LDR X1, [X8,#selRef_class@PAGEOFF] ; char *
__text:00000001011FFB1C BL _objc_msgSend
; [WCRedEnvelopesLogicMgr class]
__text:00000001011FFB20 MOV X2, X0
__text:00000001011FFB24 ADRP X8, #selRef_getService_@PAGE
__text:00000001011FFB28 LDR X1, [X8,#selRef_getService_@PAGEOFF] ; char *
__text:00000001011FFB2C MOV X0, X20 ; void *
__text:00000001011FFB30 BL _objc_msgSend
__text:00000001011FFB34 MOV X29, X29
__text:00000001011FFB38 BL _objc_retainAutoreleasedReturnValue
; WCRedEnvelopesLogicMgr *redEnvelopesLogicMgr = [[MMServiceCenter defaultCenter] getService: [WCRedEnvelopesLogicMgr class]];
__text:00000001011FFB3C MOV X21, X0
__text:00000001011FFB40 LDR X2, [X19,#0x20] ;[X19,#0x20] 是
__text:00000001011FFB44 ADRP X8, #selRef_OpenRedEnvelopesRequest_@PAGE
__text:00000001011FFB48 LDR X1, [X8,#selRef_OpenRedEnvelopesRequest_@PAGEOFF] ; char *
__text:00000001011FFB4C BL _objc_msgSend
; [redEnvelopesLogicMgr OpenRedEnvelopesRequest: ]
;下面是打开红包的后的UI操作
__text:00000001011FFB50 MOV X0, X21
__text:00000001011FFB54 BL _objc_release
__text:00000001011FFB58 MOV X0, X20
__text:00000001011FFB5C BL _objc_release
__text:00000001011FFB60 LDR X8, [X19,#0x28]
__text:00000001011FFB64 ADRP X9, #_OBJC_IVAR_$_WCBaseControlLogic.m_uiLogicStatus@PAGE ; unsigned int m_uiLogicStatus;
__text:00000001011FFB68 NOP
__text:00000001011FFB6C LDRSW X9, [X9,#_OBJC_IVAR_$_WCBaseControlLogic.m_uiLogicStatus@PAGEOFF] ; unsigned int m_uiLogicStatus;
__text:00000001011FFB70 MOV W10, #4
__text:00000001011FFB74 STR W10, [X8,X9]
__text:00000001011FFB78 LDR X8, [X19,#0x28]
__text:00000001011FFB7C ADRP X9, #_OBJC_IVAR_$_WCRedEnvelopesReceiveControlLogic.introView@PAGE ; WCRedEnvelopesReceiveHomeView *introView;
__text:00000001011FFB80 LDRSW X9, [X9,#_OBJC_IVAR_$_WCRedEnvelopesReceiveControlLogic.introView@PAGEOFF] ; WCRedEnvelopesReceiveHomeView *introView;
__text:00000001011FFB84 LDR X0, [X8,X9]
__text:00000001011FFB88 ADRP X8, #selRef_startReceiveAnimation@PAGE
__text:00000001011FFB8C LDR X1, [X8,#selRef_startReceiveAnimation@PAGEOFF]
__text:00000001011FFB90 LDP X29, X30, [SP,#0x20+var_s0]
__text:00000001011FFB94 LDP X20, X19, [SP,#0x20+var_10]
__text:00000001011FFB98 LDP X22, X21, [SP+0x20+var_20],#0x30
__text:00000001011FFB9C B _objc_msgSend
;显示打开红包的UI
__text:00000001011FFB9C ; End of function sub_1011FFAD8
__text:00000001011FFB9C
_
__text:00000001011FFBF0 sub_1011FFBF0 ; DATA XREF: -[WCRedEnvelopesReceiveControlLogic WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes]+690↑o
__text:00000001011FFBF0
__text:00000001011FFBF0 var_10 = -0x10
__text:00000001011FFBF0 var_s0 = 0
__text:00000001011FFBF0
__text:00000001011FFBF0 STP X20, X19, [SP,#-0x10+var_10]!
__text:00000001011FFBF4 STP X29, X30, [SP,#0x10+var_s0]
__text:00000001011FFBF8 ADD X29, SP, #0x10
__text:00000001011FFBFC MOV X19, X0
__text:00000001011FFC00 ADD X0, X19, #0x28
__text:00000001011FFC04 BL _objc_loadWeakRetained
__text:00000001011FFC08 MOV X20, X0
__text:00000001011FFC0C ADRP X8, #selRef_WCRedEnvelopesReceiveHomeViewBack@PAGE
__text:00000001011FFC10 LDR X1, [X8,#selRef_WCRedEnvelopesReceiveHomeViewBack@PAGEOFF] ; char *
__text:00000001011FFC14 BL _objc_msgSend
__text:00000001011FFC18 MOV X0, X20
__text:00000001011FFC1C BL _objc_release
__text:00000001011FFC20 LDR X8, [X19,#0x20]
__text:00000001011FFC24 ADRP X9, #_OBJC_IVAR_$_WCRedEnvelopesReceiveControlLogic.introView@PAGE ; WCRedEnvelopesReceiveHomeView *introView;
__text:00000001011FFC28 LDRSW X9, [X9,#_OBJC_IVAR_$_WCRedEnvelopesReceiveControlLogic.introView@PAGEOFF] ; WCRedEnvelopesReceiveHomeView *introView;
__text:00000001011FFC2C LDR X0, [X8,X9]
__text:00000001011FFC30 ADRP X8, #selRef_endAnimation@PAGE
__text:00000001011FFC34 LDR X1, [X8,#selRef_endAnimation@PAGEOFF]
__text:00000001011FFC38 LDP X29, X30, [SP,#0x10+var_s0]
__text:00000001011FFC3C LDP X20, X19, [SP+0x10+var_10],#0x20
__text:00000001011FFC40 B _objc_msgSend ;结束动画
__text:00000001011FFC40 ; End of function sub_1011FFBF0
通过反汇编分析出的OC代码:
CMessageWrap *messageWrap = [self.m_data m_oSelectedMessageWrap];
WCPayInfoItem *payInfoItem = [messageWrap m_oWCPayInfoItem];
NSString *m_c2cNativeUrl = [payInfoItem m_c2cNativeUrl];
NSInterger index = [@"wxpay://c2cbizmessagehandler/hongbao/receivehongbao?" length];
NSString *nativeUrlData = [m_c2cNativeUrl substringFromIndex:index];
NSDictionary *nativeUrlDict = [WCBizUtil dictionaryWithDecodedComponets:nativeUrlData separator:@"&"]
NSMutableDictionary *dictM = [NSMutableDictionary dictionary];
[dictM setObject:@1 forKey:@"msgType"];
id sendId = [nativeUrlData objectForKey:@"sendid"];
[dictM setObject:sendId forKey: @"sendId"]
id channelId = [nativeUrlData objectForKey:@"channelid"]
[dictM setObject:channelId forKey:@"channelId"]
MMServiceCenter *serviceCenter = [MMServiceCenter defaultCenter];
Class contactMgrCls = [CContactMgr class];
CContactMgr *contactMgrSer = [serviceCenter getService: contactMrgCls]
CBaseContact *contactMgrSelfContact = [contactMgrSer getSelfContact];
NSString *displayName = [contactMgrSelfContact getContactDisplayName];
[dictM setObject:displayName forKey: @"nickName"];
NSString *headImgUrl = [contactMgrSelfContact m_nsHeadImgUrl];
[dictM setObject: headImgUrl forKey:@"headImg"]
if([self.m_data m_oSelectedMessageWrap]){
CMessageWrap *messageWrap = [self.m_data m_oSelectedMessageWrap];
WCPayInfoItem *payInfoItem = [messageWrap m_oWCPayInfoItem];
NSString *m_c2cNativeUrl = [payInfoItem m_c2cNativeUrl];
[dictM setObject:m_c2cNativeUrl forKey: @"nativeUrl"];
}
MMServiceCenter *serviceCenter = [MMServiceCenter defaultCenter];
Class logicMgrCls = [MMMsgLogicManager class];
MMMsgLogicManager *logicMgrSer = [serviceCenter getService:logicMgrCls];
BaseMsgContentLogicController *currentVC = [logicMgrSer GetCurrentLogicController];
if([currentVC m_contact];){
id contact = [currentVC m_contact];
NSString *userName = [contact m_nsUsrName];
id contact = [currentVC m_contact];
NSString *userName = [contact m_nsUsrName];
[dictM setObject:userName forKey:@"sessionUserName"]
}
NSDictionary* baseInfoDict = [self.m_data m_structDicRedEnvelopesBaseInfo];
NSString *timingIdentifier = [baseInfoDict stringForKey:@"timingIdentifier"];
if([timingIdentifier length] > 0){
[dictM setObject:timingIdentifier forKey:@"timingIdentifier"];
}
MMServiceCenter *serviceCenter = [MMServiceCenter defaultCenter];
Class payLogicMgrCls = [WCPayLogicMgr class];
WCPayLogicMgr *payLogicMgrSer = [serviceCenter getService: payLogicMgrCls];
[payLogicMgrSer setRealnameReportScene:@"0x3EB"]
MMServiceCenter *serviceCenter = [MMServiceCenter defaultCenter];
NSDictionary* baseInfoDict = [self.m_data m_structDicRedEnvelopesBaseInfo];
id agreeDuty = [baseInfoDict objectForKeyedSubscript:@"agree_duty"];
//点击打开红包后的操作
[payLogicMgrSer checkHongbaoOpenLicense:agreeDuty acceptCallback: denyCallback: ];
acceptCallback block里面的相关的代码:
WCRedEnvelopesLogicMgr *redEnvelopesLogicMgr = [[MMServiceCenter defaultCenter] getService: [WCRedEnvelopesLogicMgr class]];
[redEnvelopesLogicMgr OpenRedEnvelopesRequest: dictM]
编写Tweak工程相关的代码,其中点击打开红包后的操作只使用 acceptCallback block里面的操作,其它的涉及到UI操作的省略:
@interface WCBizUtil
+ (id)dictionaryWithDecodedComponets:(id)arg1 separator:(id)arg2;
@end
@interface MMServiceCenter
+ (id)defaultCenter;
- (id)getService:(id)cls;
@end
@interface WCRedEnvelopesReceiveHomeView{
id m_delegate;
NSDictionary *m_dicBaseInfo;
}
@end
@interface WCPayInfoItem
@property(retain, nonatomic) NSString *m_c2cNativeUrl; // @synthesize m_oSelectedMessageWrap;
@end
@interface CMessageWrap
@property(retain, nonatomic) WCPayInfoItem *m_oWCPayInfoItem;
@end
@interface WCRedEnvelopesControlData
@property(retain, nonatomic) CMessageWrap *m_oSelectedMessageWrap;
@property(retain, nonatomic) NSDictionary *m_structDicRedEnvelopesBaseInfo;
@end
@interface WCRedEnvelopesReceiveControlLogic
{
WCRedEnvelopesControlData *m_data;
}
- (void)WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes;
@end
@interface CContactMgr
- (id)getSelfContact;
@end
@interface CBaseContact
@property(retain, nonatomic) NSString *m_nsHeadImgUrl;
@property(retain, nonatomic) NSString *m_nsUsrName;
- (id)getContactDisplayName;
@end
@interface MMMsgLogicManager
- (id)GetCurrentLogicController;
@end
@interface BaseMsgContentLogicController
@property(retain, nonatomic) CBaseContact *m_contact;
@end
@interface WCPayLogicMgr
-(void)setRealnameReportScene:(int)sence;
@end
@interface WCRedEnvelopesLogicMgr
- (void)OpenRedEnvelopesRequest:(id)arg1;
@end
%hook WCRedEnvelopesReceiveControlLogic
- (void)WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes {
// %orig;
WCRedEnvelopesControlData *mData = MSHookIvar<WCRedEnvelopesControlData *>(self, "m_data");
CMessageWrap *messageWrap = [mData m_oSelectedMessageWrap];
WCPayInfoItem *payInfoItem = [messageWrap m_oWCPayInfoItem];
NSString *m_c2cNativeUrl = [payInfoItem m_c2cNativeUrl];
NSInteger index = [@"wxpay://c2cbizmessagehandler/hongbao/receivehongbao?" length];
NSString *nativeUrlData = [m_c2cNativeUrl substringFromIndex:index];
NSDictionary *nativeUrlDict = [%c(WCBizUtil) dictionaryWithDecodedComponets:nativeUrlData separator:@"&"];
NSMutableDictionary *dictM = [NSMutableDictionary dictionary];
[dictM setObject:@"1" forKey:@"msgType"];
id sendId = [nativeUrlDict objectForKey:@"sendid"];
[dictM setObject:sendId forKey: @"sendId"];
id channelId = [nativeUrlDict objectForKey:@"channelid"];
[dictM setObject:channelId forKey:@"channelId"];
MMServiceCenter *serviceCenter = [%c(MMServiceCenter) defaultCenter];
Class contactMgrCls = [%c(CContactMgr) class];
CContactMgr *contactMgrSer = [serviceCenter getService: contactMgrCls];
CBaseContact *contactMgrSelfContact = [contactMgrSer getSelfContact];
NSString *displayName = [contactMgrSelfContact getContactDisplayName];
[dictM setObject:displayName forKey: @"nickName"];
NSString *headImgUrl = [contactMgrSelfContact m_nsHeadImgUrl];
[dictM setObject: headImgUrl forKey:@"headImg"];
if([mData m_oSelectedMessageWrap]){
CMessageWrap *messageWrap = [mData m_oSelectedMessageWrap];
WCPayInfoItem *payInfoItem = [messageWrap m_oWCPayInfoItem];
NSString *m_c2cNativeUrl = [payInfoItem m_c2cNativeUrl];
[dictM setObject:m_c2cNativeUrl forKey: @"nativeUrl"];
}
Class logicMgrCls = [%c(MMMsgLogicManager) class];
MMMsgLogicManager *logicMgrSer = [serviceCenter getService:logicMgrCls];
BaseMsgContentLogicController *currentVC = [logicMgrSer GetCurrentLogicController];
if([currentVC m_contact]){
CBaseContact *contact = [currentVC m_contact];
NSString *userName = [contact m_nsUsrName];
[dictM setObject:userName forKey:@"sessionUserName"];
}
NSDictionary* baseInfoDict = [mData m_structDicRedEnvelopesBaseInfo];
NSString *timingIdentifier = [baseInfoDict objectForKey:@"timingIdentifier"];
if([timingIdentifier length] > 0){
[dictM setObject:timingIdentifier forKey:@"timingIdentifier"];
}
Class payLogicMgrCls = [%c(WCPayLogicMgr) class];
WCPayLogicMgr *payLogicMgrSer = [serviceCenter getService: payLogicMgrCls];
[payLogicMgrSer setRealnameReportScene:0x3EB];
NSLog(@"\nDictM\n\n %@", dictM);
//block 调用
WCRedEnvelopesLogicMgr *redEnvelopesLogicMgr = [serviceCenter getService: [%c(WCRedEnvelopesLogicMgr) class]];
[redEnvelopesLogicMgr OpenRedEnvelopesRequest: dictM];
}
%end
到这里我们会感觉越来越接近了,然后将编写的Tweak.xm运行起来,发送红包已抢成功!
到这我们进行分析WCRedEnvelopesLogicMgr类
/opt/theos/bin/logify.pl ./WXHeaders/WCRedEnvelopesLogicMgr.h > Tweak.xm
%hook WCRedEnvelopesLogicMgr
// - (void).cxx_destruct { %log; %orig; }
- (void)AsyncBizSubcribeRequest:(id)arg1 { %log; %orig; }
- (void)CheckAuthBizEnterpriseRedEnvelopesRequest:(id)arg1 { %log; %orig; }
- (void)ClearserSendOrReceiveRedEnveloperListRequest:(id)arg1 { %log; %orig; }
- (void)DeleteRedEnvelopesRecord:(id)arg1 { %log; %orig; }
- (void)GenH5RedEnvelopesPayRequest:(id)arg1 { %log; %orig; }
- (void)GenRedEnvelopesPayRequest:(id)arg1 { %log; %orig; }
- (void)GenYearRedEnvelopesPayRequest:(id)arg1 { %log; %orig; }
- (void)GetEnterpriseHongbaoBizRequest:(id)arg1 CMDID:(unsigned int)arg2 SendKey:(id)arg3 OutputType:(unsigned int)arg4 { %log; %orig; }
- (void)GetEnterpriseHongbaoBusinessRequest:(id)arg1 CMDID:(unsigned int)arg2 SendKey:(id)arg3 OutputType:(unsigned int)arg4 ShouldSubscribe:(_Bool)arg5 { %log; %orig; }
- (void)GetHongbaoBusinessRequest:(id)arg1 CMDID:(unsigned int)arg2 OutputType:(unsigned int)arg3 { %log; %orig; }
- (void)GetYearHongbaoRequest:(id)arg1 CMDID:(unsigned int)arg2 OutputType:(unsigned int)arg3 { %log; %orig; }
- (void)OnWCToAsyncBizSubscribeResponse:(id)arg1 Request:(id)arg2 { %log; %orig; }
- (void)OnWCToBizHBCommonErrorResponse:(id)arg1 Request:(id)arg2 { %log; %orig; }
- (void)OnWCToBizHBCommonResponse:(id)arg1 Request:(id)arg2 { %log; %orig; }
- (void)OnWCToBizHBCommonSystemErrorResponse:(id)arg1 Request:(id)arg2 { %log; %orig; }
- (void)OnWCToEnterpriseHBCommonErrorResponse:(id)arg1 Request:(id)arg2 { %log; %orig; }
- (void)OnWCToEnterpriseHBCommonResponse:(id)arg1 Request:(id)arg2 { %log; %orig; }
- (void)OnWCToEnterpriseHBCommonSystemErrorResponse:(id)arg1 Request:(id)arg2 { %log; %orig; }
- (void)OnWCToHongbaoCommonErrorResponse:(id)arg1 Request:(id)arg2 { %log; %orig; }
- (void)OnWCToHongbaoCommonResponse:(id)arg1 Request:(id)arg2 { %log; %orig; }
- (void)OnWCToHongbaoCommonSystemErrorResponse:(id)arg1 Request:(id)arg2 { %log; %orig; }
- (void)OpenBizEnterpriseRedEnvelopesRequest:(id)arg1 { %log; %orig; }
- (void)OpenEnterpriseRedEnvelopesRequest:(id)arg1 SendKey:(id)arg2 ShouldSubscribe:(_Bool)arg3 { %log; %orig; }
- (void)OpenRedEnvelopesRequest:(id)arg1 { %log; %orig; }
- (void)QueryRedEnvelopesDetailRequest:(id)arg1 { %log; %orig; }
- (void)QueryRedEnvelopesUserInfo:(id)arg1 { %log; %orig; }
- (void)QueryRedEnvelopesUserInfoNoCache:(id)arg1 { %log; %orig; }
- (void)QueryUserSendOrReceiveRedEnveloperListRequest:(id)arg1 { %log; %orig; }
- (void)ReceiveBizEnterpriseRedEnvelopesRequest:(id)arg1 { %log; %orig; }
- (void)ReceiverQueryRedEnvelopesRequest:(id)arg1 { %log; %orig; }
- (void)SendShareRedEnvelopesoRequest:(id)arg1 { %log; %orig; }
- (void)ThanksForRedEnvelopesRequest:(id)arg1 { %log; %orig; }
- (void)addReceiveSystemMsgWithDic:(id)arg1 { %log; %orig; }
- (id)init { %log; id r = %orig; HBLogDebug(@" = %@", r); return r; }
// - (void)setM_senderNickNameHelper:(ContactUpdateHelper *)m_senderNickNameHelper { %log; %orig; }
// - (ContactUpdateHelper *)m_senderNickNameHelper { %log; ContactUpdateHelper * r = %orig; HBLogDebug(@" = %@", r); return r; }
- (NSString *)debugDescription { %log; NSString * r = %orig; HBLogDebug(@" = %@", r); return r; }
- (NSString *)description { %log; NSString * r = %orig; HBLogDebug(@" = %@", r); return r; }
- (unsigned long long )hash { %log; unsigned long long r = %orig; HBLogDebug(@" = %llu", r); return r; }
- (Class )superclass { %log; Class r = %orig; HBLogDebug(@" = %@", r); return r; }
%end
运行查看日志:
打开红包View的日志:
Nov 15 19:02:36 iPhone WeChat[8954] <Notice>: [redpocket] Tweak.xm:31 DEBUG: -[<WCRedEnvelopesLogicMgr: 0x1600e9e30> ReceiverQueryRedEnvelopesRequest:{
agreeDuty = 0;
channelId = 1;
inWay = 1;
msgType = 1;
nativeUrl = "wxpay://c2cbizmessagehandler/hongbao/receivehongbao?msgtype=1&channelid=1&sendid=1000039401201711157020140209144&sendusername=wxid_y9bs6i3qil6m21&ver=6&sign=cb7ee087ec43110c0bc02a9120e5f2cca5194d7249f2384ec67a8a6d140a2664cc91bd9f3a6df2a1413e740620ddc015796f7d21d18da3c60ac48f0fe06044f5ac0b87b4724ca218adb6345e25f573e5";
sendId = 1000039401201711157020140209144;
}]
Nov 15 19:02:36 iPhone WeChat[8954] <Notice>: [redpocket] Tweak.xm:11 DEBUG: -[<WCRedEnvelopesLogicMgr: 0x1600e9e30> GetHongbaoBusinessRequest:{
agreeDuty = 0;
channelId = 1;
inWay = 1;
msgType = 1;
nativeUrl = "wxpay://c2cbizmessagehandler/hongbao/receivehongbao?msgtype=1&channelid=1&sendid=1000039401201711157020140209144&sendusername=wxid_y9bs6i3qil6m21&ver=6&sign=cb7ee087ec43110c0bc02a9120e5f2cca5194d7249f2384ec67a8a6d140a2664cc91bd9f3a6df2a1413e740620ddc015796f7d21d18da3c60ac48f0fe06044f5ac0b87b4724ca218adb6345e25f573e5";
sendId = 1000039401201711157020140209144;
} CMDID:3 OutputType:1]
Nov 15 19:02:36 iPhone WeChat[8954] <Notice>: [redpocket] Tweak.xm:21 DEBUG: -[<WCRedEnvelopesLogicMgr: 0x1600e9e30> OnWCToHongbaoCommonResponse:<HongBaoRes: 0x1609aa360> Request:<HongBaoReq: 0x160901060>]
点击红包view上面的开后的日志:
Nov 15 19:06:03 iPhone WeChat[8954] <Notice>: [redpocket] Tweak.xm:25 DEBUG: -[<WCRedEnvelopesLogicMgr: 0x1600e9e30> OpenRedEnvelopesRequest:{
channelId = 1;
headImg = "http://wx.qlogo.cn/mmhead/ver_1/dE3om8P2WCFmIe3beWMRicvRPveuUVF7X8xqpOle86QY9iaoqiazgaujFibEu9MhjLFtV4SoY8xZ2ExbrFYH4oxVRA/132";
msgType = 1;
nativeUrl = "wxpay://c2cbizmessagehandler/hongbao/receivehongbao?msgtype=1&channelid=1&sendid=1000039401201711157020140209144&sendusername=wxid_y9bs6i3qil6m21&ver=6&sign=cb7ee087ec43110c0bc02a9120e5f2cca5194d7249f2384ec67a8a6d140a2664cc91bd9f3a6df2a1413e740620ddc015796f7d21d18da3c60ac48f0fe06044f5ac0b87b4724ca218adb6345e25f573e5";
nickName = "\U6e05\U53f6\U6a80";
sendId = 1000039401201711157020140209144;
sessionUserName = "wxid_y9bs6i3qil6m21";
timingIdentifier = DEF5E3380DD95D53177182E094AB8619;
}]
Nov 15 19:06:03 iPhone WeChat[8954] <Notice>: [redpocket] Tweak.xm:11 DEBUG: -[<WCRedEnvelopesLogicMgr: 0x1600e9e30> GetHongbaoBusinessRequest:{
channelId = 1;
headImg = "http://wx.qlogo.cn/mmhead/ver_1/dE3om8P2WCFmIe3beWMRicvRPveuUVF7X8xqpOle86QY9iaoqiazgaujFibEu9MhjLFtV4SoY8xZ2ExbrFYH4oxVRA/132";
msgType = 1;
nativeUrl = "wxpay://c2cbizmessagehandler/hongbao/receivehongbao?msgtype=1&channelid=1&sendid=1000039401201711157020140209144&sendusername=wxid_y9bs6i3qil6m21&ver=6&sign=cb7ee087ec43110c0bc02a9120e5f2cca5194d7249f2384ec67a8a6d140a2664cc91bd9f3a6df2a1413e740620ddc015796f7d21d18da3c60ac48f0fe06044f5ac0b87b4724ca218adb6345e25f573e5";
nickName = "\U6e05\U53f6\U6a80";
sendId = 1000039401201711157020140209144;
sessionUserName = "wxid_y9bs6i3qil6m21";
timingIdentifier = DEF5E3380DD95D53177182E094AB8619;
} CMDID:4 OutputType:1]
Nov 15 19:06:04 iPhone WeChat[8954] <Notice>: [redpocket] Tweak.xm:21 DEBUG: -[<WCRedEnvelopesLogicMgr: 0x1600e9e30> OnWCToHongbaoCommonResponse:<HongBaoRes: 0x16094c730> Request:<HongBaoReq: 0x160883210>]
Nov 15 19:06:04 iPhone WeChat[8954] <Notice>: [redpocket] Tweak.xm:34 DEBUG: -[<WCRedEnvelopesLogicMgr: 0x1600e9e30> addReceiveSystemMsgWithDic:{
SystemMsgContext = "<img src=\"SystemMessages_HongbaoIcon.png\"/> \U4f60\U9886\U53d6\U4e86$wxid_y9bs6i3qil6m21$\U7684<_wc_custom_link_ color=\"#FD9931\" href=\"weixin://weixinhongbao/opendetail?sendid=1000039401201711157020140209144&sign=cb7ee087ec43110c0bc02a9120e5f2cca5194d7249f2384ec67a8a6d140a2664cc91bd9f3a6df2a1413e740620ddc015796f7d21d18da3c60ac48f0fe06044f5ac0b87b4724ca218adb6345e25f573e5&ver=6\">\U7ea2\U5305</_wc_custom_link_>";
amount = 10;
canShare = 0;
changeWording = "\U5df2\U5b58\U5165\U96f6\U94b1\Uff0c\U53ef\U76f4\U63a5\U8f6c\U8d26";
hasWriteAnswer = 0;
hbStatus = 4;
hbType = 0;
headTitle = "";
isContinue = 0;
isSender = 0;
jumpChange = 1;
operationHeader = (
);
"real_name_info" = {
"guide_flag" = 0;
};
recAmount = 10;
recNum = 1;
receiveId = 1000039401000711157020140209144;
receiveStatus = 2;
record = (
{
answer = "";
receiveAmount = 10;
receiveId = 1000039401000711157020140209144;
receiveOpenId = 1000039401000711157020140209144;
receiveTime = 1510743964;
state = 1;
userName = "wxid_3ylu53d9rpy712";
}
);
sendId = 1000039401201711157020140209144;
sendUserName = "wxid_y9bs6i3qil6m21";
sessionUserName = "wxid_y9bs6i3qil6m21";
statusMess = "";
totalAmount = 10;
totalNum = 1;
watermark = "";
wishing = "\U606d\U559c\U53d1\U8d22\Uff0c\U5927\U5409\U5927\U5229";
}]
通过日志分析可知:
-
-[WCRedEnvelopesLogicMgr ReceiverQueryRedEnvelopesRequest:{}]类似获取红包信息的操作,拆开红包前调用 -
-[<WCRedEnvelopesLogicMgr: 0x1600e9e30> OnWCToHongbaoCommonResponse:<HongBaoRes: 0x1609aa360> Request:<HongBaoReq: 0x160901060>]拆开红包前后都调用 -
-[WCRedEnvelopesLogicMgr OpenRedEnvelopesRequest:{}]拆开红包后调用,是真正决定抢红包的方法
重点分析这三个方法:
%hook WCRedEnvelopesLogicMgr
- (void)OnWCToHongbaoCommonResponse:(HongBaoRes *)arg1 Request:(HongBaoReq *)arg2 {
// %log;
%orig;
NSLog(@"HongBaoRes ---> cgiCmdid: %d platRet: %d retText: %@ platMsg : %@ ",arg1.cgiCmdid, arg1.platRet, arg1.retText, arg1.platMsg);
NSLog(@"HongBaoReq ---> cgiCmdid: %d outPutType : %d reqText: %@ ",arg2.cgiCmd, arg2.outPutType, arg2.reqText);
NSLog(@"HongBaoRes buffer: %@", [[NSString alloc] initWithData:arg1.retText.buffer encoding:NSUTF8StringEncoding]);
NSLog(@"HongBaoReq buffer: %@", [[NSString alloc] initWithData:arg2.reqText.buffer encoding:NSUTF8StringEncoding]);
if (arg1.retText.buffer.length>0)
{
// NSLog(@"arg1.retText.buffer:\n");
NSDictionary *retTextObj = [NSJSONSerialization JSONObjectWithData:arg1.retText.buffer options:0 error:nil];
NSLog(@"%@", retTextObj);
// NSString *retTextStr = [[NSString alloc] initWithData:arg1.retText.buffer encoding:NSUTF8StringEncoding];
// NSDictionary *retTextDict = [%c(WCBizUtil) dictionaryWithDecodedComponets:retTextStr separator:@"&"];
// NSLog(@"retTextDict: %@",retTextDict);
}
if (arg2.reqText.buffer.length>0)
{
// NSLog(@"arg2.reqText.buffer :\n");
NSString *reqTextStr = [[NSString alloc] initWithData:arg2.reqText.buffer encoding:NSUTF8StringEncoding];
NSDictionary *reqTextDict = [%c(WCBizUtil) dictionaryWithDecodedComponets:reqTextStr separator:@"&"];
NSLog(@"reqTextDict: %@",reqTextDict);
}
}
%end
%hook WCRedEnvelopesLogicMgr
- (void)OpenRedEnvelopesRequest:(id)arg1 {
%orig;
%log;
NSLog(@"OpenRedEnvelopesRequest param: %@", [arg1 class]);
}
- (void)ReceiverQueryRedEnvelopesRequest:(id)arg1 { %log; %orig; }
%end
拼接参数,编写自动抢红包代码:
#import "YCHongBaoMgr.h"
@interface WCBizUtil
+ (id)dictionaryWithDecodedComponets:(id)arg1 separator:(id)arg2;
+ (void)showAlert:(NSString *)msg;
+ (void)enableAutoOpenWithNativeUrl:(NSString *)nativeUrl;
+ (BOOL)isEnableAutoOpenWithNativeUrl:(NSString *)nativeUrl;
+ (void)autoOpenWithNativeUrl:(NSString *)nativeUrl;
@end
@interface SKBuiltinBuffer_t
+ (id)skBufferWithData:(id)arg1;
// Remaining properties
@property(retain, nonatomic) NSData *buffer; // @dynamic buffer;
@property(nonatomic) unsigned int iLen; // @dynamic iLen;
@end
@interface HongBaoReq
@property(retain, nonatomic) SKBuiltinBuffer_t *reqText; // @dynamic reqText;
@property(nonatomic) unsigned int cgiCmd; // @dynamic cgiCmd;
@property(nonatomic) unsigned int outPutType; // @dynamic outPutType;
@end
@interface HongBaoRes
@property(retain, nonatomic) SKBuiltinBuffer_t *retText; // @dynamic reqText;
@property(nonatomic) unsigned int cgiCmdid; // @dynamic cgiCmd;
@property(retain, nonatomic) NSString *platMsg; // @dynamic platMsg;
@property(nonatomic) int platRet; // @dynamic platRet;
@end
@interface MMServiceCenter
+ (id)defaultCenter;
- (id)getService:(id)cls;
@end
@interface CContactMgr
- (id)getSelfContact;
@end
@interface CBaseContact
@property(retain, nonatomic) NSString *m_nsHeadImgUrl;
@property(retain, nonatomic) NSString *m_nsUsrName;
- (id)getContactDisplayName;
@end
@interface WCPayInfoItem
@property(retain, nonatomic) NSString *m_c2cNativeUrl; // @synthesize m_oSelectedMessageWrap;
@end
@interface CMessageWrap
@property(retain, nonatomic) NSString *m_nsContent; // @synthesize m_nsContent;
@property(retain, nonatomic) NSString *m_nsDisplayName; // @synthesize m_nsDisplayName;
@property(retain, nonatomic) NSString *m_nsFromUsr; // @synthesize m_nsFromUsr;
@property(retain, nonatomic) NSString *m_nsToUsr; // @synthesize m_nsToUsr;
@property(nonatomic) int m_uiMessageType; // @synthesize m_uiMessageType;
@property(retain, nonatomic) WCPayInfoItem *m_oWCPayInfoItem;
@end
@interface WCRedEnvelopesLogicMgr
- (void)OpenRedEnvelopesRequest:(id)arg1;
- (void)ReceiverQueryRedEnvelopesRequest:(id)arg1;
@end
%hook CMessageMgr
- (void)AsyncOnAddMsg:(NSString *)wxid MsgWrap:(CMessageWrap *)msg {
%orig;
int messageType = [msg m_uiMessageType];
NSString *fromUsr = [msg m_nsFromUsr];
if (messageType == 49)
{
NSLog(@"红包消息、转账消息");
WCPayInfoItem *payInfoItem = [msg m_oWCPayInfoItem];
NSString *m_c2cNativeUrl = [payInfoItem m_c2cNativeUrl];
NSInteger index = [@"wxpay://c2cbizmessagehandler/hongbao/receivehongbao?" length];
NSString *nativeUrlData = [m_c2cNativeUrl substringFromIndex:index];
NSDictionary *nativeUrlDict = [%c(WCBizUtil) dictionaryWithDecodedComponets:nativeUrlData separator:@"&"];
BOOL isGroupHB = [fromUsr containsString:@"chatroom"];
//if msgtype == 1 is enable auto open red envelopes
id msgType = [nativeUrlDict valueForKey:@"msgtype"];
if([msgType isEqual: @"1"]){
[%c(WCBizUtil) enableAutoOpenWithNativeUrl:m_c2cNativeUrl];
//************ auto get red envelopes info ****************//
NSMutableDictionary *dictM = [NSMutableDictionary dictionary];
//msgType: group and friend are same , value is 1
[dictM setObject:@"1" forKey:@"msgType"];
// agreeDuty is 0
[dictM setValue:@"0" forKey:@"agreeDuty"];
[dictM setValue:m_c2cNativeUrl forKey:@"nativeUrl"];
id sendId = [nativeUrlDict objectForKey:@"sendid"];
[dictM setObject:sendId forKey: @"sendId"];
id channelId = [nativeUrlDict objectForKey:@"channelid"];
[dictM setObject:channelId forKey:@"channelId"];
//group hb is 0 ,friend hb is 1
if(isGroupHB){
[dictM setObject:@"0" forKey:@"inWay"];
}else{
[dictM setObject:@"1" forKey:@"inWay"];
}
NSLog(@"dictM: %@", dictM);
// auto get red envelope info
WCRedEnvelopesLogicMgr *redEnvelopesLogicMgr = [[%c(MMServiceCenter) defaultCenter] getService: [%c(WCRedEnvelopesLogicMgr) class]];
[redEnvelopesLogicMgr ReceiverQueryRedEnvelopesRequest:dictM];
}else{
NSLog(@"msgtype : %@ mgtype class: %@", msgType, [msgType class]);
}
}
}
%end
%hook WCRedEnvelopesLogicMgr
- (void)OnWCToHongbaoCommonResponse:(HongBaoRes *)arg1 Request:(HongBaoReq *)arg2 {
%orig;
//HongBaoRes.cgiCmdid = 3 is get hongbao info, .cgiCmdid = 4 is open hongbao
if(arg1.retText.buffer.length>0 && arg2.reqText.buffer.length>0 && arg1.cgiCmdid == 3 ){
//********** auto open red envelopes **********//
//HonBaoRes
NSDictionary *retTextObj = [NSJSONSerialization JSONObjectWithData:arg1.retText.buffer options:0 error:nil];
//HonBaoReq
NSString *reqTextStr = [[NSString alloc] initWithData:arg2.reqText.buffer encoding:NSUTF8StringEncoding];
NSDictionary *reqTextDict = [%c(WCBizUtil) dictionaryWithDecodedComponets:reqTextStr separator:@"&"];
NSMutableDictionary *dictM = [NSMutableDictionary dictionary];
[dictM setValue:@"1" forKey:@"msgType"];
//m_c2cNativeUrl is url encode
NSString *m_c2cNativeUrl = [reqTextDict valueForKey:@"nativeUrl"];
//decode url
m_c2cNativeUrl = (NSString *)CFBridgingRelease(CFURLCreateStringByReplacingPercentEscapesUsingEncoding(kCFAllocatorDefault,(CFStringRef)m_c2cNativeUrl, CFSTR(""),kCFStringEncodingUTF8));
if(![%c(WCBizUtil) isEnableAutoOpenWithNativeUrl:m_c2cNativeUrl]){
return;
}else{
[%c(WCBizUtil) autoOpenWithNativeUrl:m_c2cNativeUrl];
}
NSInteger index = [@"wxpay://c2cbizmessagehandler/hongbao/receivehongbao?" length];
NSString *nativeUrlData = [m_c2cNativeUrl substringFromIndex:index];
NSDictionary *nativeUrlDict = [%c(WCBizUtil) dictionaryWithDecodedComponets:nativeUrlData separator:@"&"];
id sendId = [nativeUrlDict valueForKey:@"sendid"];
[dictM setValue:sendId forKey: @"sendId"];
id channelId = [nativeUrlDict valueForKey:@"channelid"];
[dictM setValue:channelId forKey:@"channelId"];
MMServiceCenter *serviceCenter = [%c(MMServiceCenter) defaultCenter];
Class contactMgrCls = [%c(CContactMgr) class];
CContactMgr *contactMgrSer = [serviceCenter getService: contactMgrCls];
CBaseContact *contactMgrSelfContact = [contactMgrSer getSelfContact];
NSString *displayName = [contactMgrSelfContact getContactDisplayName];
[dictM setValue:displayName forKey: @"nickName"];
NSString *headImgUrl = [contactMgrSelfContact m_nsHeadImgUrl];
[dictM setValue: headImgUrl forKey:@"headImg"];
[dictM setValue:m_c2cNativeUrl forKey: @"nativeUrl"];
NSString *userName = [nativeUrlDict valueForKey:@"sendusername"];
if(userName.length > 0){
[dictM setValue:[nativeUrlDict valueForKey:@"sendusername"] forKey:@"sessionUserName"];
}
NSString *timingIdentifier = [retTextObj valueForKey:@"timingIdentifier"];
if([timingIdentifier length] > 0){
[dictM setValue:timingIdentifier forKey:@"timingIdentifier"];
}
NSLog(@"dictM Count:%lu data: %@",[dictM count], dictM);
//等待0.5s
dispatch_after(dispatch_time(DISPATCH_TIME_NOW, (int64_t)(0.5 * NSEC_PER_SEC)), dispatch_get_main_queue(), ^{
//auto open red envelopes
WCRedEnvelopesLogicMgr *redEnvelopesLogicMgr = [serviceCenter getService: [%c(WCRedEnvelopesLogicMgr) class]];
[redEnvelopesLogicMgr OpenRedEnvelopesRequest: dictM];
});
}
}
%end
%hook WCRedEnvelopesLogicMgr
- (void)OpenRedEnvelopesRequest:(id)arg1 {
%orig;
%log;
}
- (void)ReceiverQueryRedEnvelopesRequest:(id)arg1 { %log; %orig; }
%end
%hook MicroMessengerAppDelegate
- (_Bool)application:(id)arg1 didFinishLaunchingWithOptions:(id)arg2 {
%log;
[%c(YCHongBaoMgr) showAlert:@"start...."];
return %orig;
}
%end
%hook WCBizUtil
%new
+ (void)enableAutoOpenWithNativeUrl:(NSString *)nativeUrl{
NSMutableDictionary *dictM = [[NSUserDefaults standardUserDefaults] valueForKey:@"AutoOpenWithNativeUrl"];
if (!dictM) {
dictM = [NSMutableDictionary dictionary];
}else{
dictM = [NSMutableDictionary dictionaryWithDictionary:dictM];
}
[dictM setValue:@1 forKey:nativeUrl];
[[NSUserDefaults standardUserDefaults] setObject:dictM forKey:@"AutoOpenWithNativeUrl"];
}
%new
+ (BOOL)isEnableAutoOpenWithNativeUrl:(NSString *)nativeUrl{
NSMutableDictionary *dictM = [[NSUserDefaults standardUserDefaults] valueForKey:@"AutoOpenWithNativeUrl"];
if (dictM) {
NSNumber *val = [dictM valueForKey:nativeUrl];
if (val.intValue == 1) {
return true;
}
}
return false;
}
%new
+ (void)autoOpenWithNativeUrl:(NSString *)nativeUrl {
NSMutableDictionary *dictM = [[NSUserDefaults standardUserDefaults] valueForKey:@"AutoOpenWithNativeUrl"];
if (dictM) {
dictM = [NSMutableDictionary dictionaryWithDictionary:dictM];
[dictM setValue:@0 forKey:nativeUrl];
[[NSUserDefaults standardUserDefaults] setObject:dictM forKey:@"AutoOpenWithNativeUrl"];
}
}
%new
+ (void)showAlert:(NSString *)msg {
[[[UIAlertView alloc] initWithTitle:msg message:nil delegate:nil cancelButtonTitle:@"confirm" otherButtonTitles:nil, nil] show];
}
%end
网友评论