iOS Reverse Engineering Notes (6): WeChat Red Envelope Grabbing, Part 2

Author: Flonger | Source: published 2017-09-15 14:03, read 155 times

    14.2 Analysing the red-envelope grabbing method

    From analysing WeChat messages we know that the message type value for a red envelope is 49. So to implement automatic grabbing we only need to hook the message-handling method, check whether the message type is 49, and call the grabbing method. How do we locate the grabbing method, then? We can analyse and locate it the same way as above.

    14.2.1 Analysing the red-envelope screen with cycript or Reveal

    //View hierarchy added when the red-envelope grabbing screen pops up

    |   WCRedEnvelopesReceiveHomeView:0x16212eba0
    |   |   UIButton:0x162587cb0
    |   |   UIImageView:0x162872820
    |   |   |   UIView:0x1629021e0
    |   |   |   UIView:0x162906590
    |   |   |   UIImageView:0x1625dcd80
    |   |   |   UIView:0x1628b3c10
    |   |   |   |   UIView:0x162887f60
    |   |   |   |   UIView:0x16288a260
    |   |   |   |   UIImageView:0x1625ee650
    |   |   |   |   UIImageView:0x1625f5cc0
    |   |   |   |   UIButton:0x162517760
    |   |   |   UIView:0x1628798c0
    |   |   |   |   MMHeadImageView:0x16217ab70
    |   |   |   |   |   MMUILongPressImageView:0x16286ab80
    |   |   |   |   |   UIImageView:0x1628014b0
    |   |   |   MMUILabel:0x162905dd0'^_^'
    |   |   |   MMUILabel:0x162901fe0'\u7ed9\u4f60\u53d1\u4e86\u4e00\u4e2a\u7ea2\u5305'
    |   |   |   MMUILabel:0x1628796c0'\u606d\u559c\u53d1\u8d22\uff0c\u5927\u5409\u5927\u5229'
    |   |   |   UIButton:0x16284b960
    |   |   |   UIButton:0x162581d90
    |   |   |   |   UIImageView:0x16255b1a0
    |   |   |   UIImageView:0x1621ca190
    |   |   |   UIImageView:0x16256cad0
    

    Note: among the exported headers there is a header of the same name as WCRedEnvelopesReceiveHomeView, WCRedEnvelopesReceiveHomeView.h.
    Use a Tweak to hook the methods declared in WCRedEnvelopesReceiveHomeView.h.
    //This locates OnOpenRedEnvelopes as the function that handles the grab

    Sep  9 19:18:19 Flongers-iphone WeChat[17143]: [WeChatReProject] Tweak.xm:5 DEBUG: -[< WCRedEnvelopesReceiveHomeView: 0x13191a020> OnOpenRedEnvelopes]
    Sep  9 19:18:19 Flongers-iphone WeChat[17143]: [WeChatReProject] Tweak.xm:19 DEBUG: -[<WCRedEnvelopesReceiveHomeView: 0x13191a020> startReceiveAnimation]
    Sep  9 19:18:20 Flongers-iphone WeChat[17143]: [WeChatReProject] Tweak.xm:18 DEBUG: -[<WCRedEnvelopesReceiveHomeView: 0x13191a020> showSuccessOpenAnimation]
    Sep  9 19:18:21 Flongers-iphone WeChat[17143]: [WeChatReProject] Tweak.xm:14 DEBUG: -[<WCRedEnvelopesReceiveHomeView: 0x13191a020> removeView]
    

    //This is the function invoked when "抢" (grab) is tapped

     - (void)OnOpenRedEnvelopes { %log; %orig; }
    

    //Verify it with cycript

     Flongers-iphone:~ root# cycript -p WeChat
     cy# [#0x130e9a960 OnOpenRedEnvelopes]
    

    14.2.2 Static disassembly analysis

    Testing shows that a new WCRedEnvelopesReceiveHomeView instance is created every time the red-envelope screen is opened. If we rely on OnOpenRedEnvelopes to implement "grab", the call only succeeds while that screen is open. That is quite restrictive, so we need to analyse the deeper logic and find more general red-envelope handling code.

    Analyse the disassembly of OnOpenRedEnvelopes in Hopper or IDA.
    Combined with the exported headers, the analysis shows that OnOpenRedEnvelopes involves:

    NSDictionary *m_dicBaseInfo;
    id  m_delegate;
    WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes
    

    //Interpreting the assembly instructions

    [receiver message];
    is compiled to: objc_msgSend(receiver, selector);
    [receiver messageArg1:xx Arg2:xx ...];
    is compiled to: objc_msgSend(receiver, selector, arg1, arg2, ...);
    

    //ADRP is an address-generation instruction; X8 is the register used for indirect addressing; X0~X7 are generally used to pass arguments and the return value
    //i.e. when objc_msgSend is called, X0 holds the first argument (receiver), X1 holds the second argument (selector), and the remaining arguments follow in order
    ADRP X8, #selRef_WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes@PAGE
    //Load instruction: load the value at X8 plus the page offset into X1
    LDR X1, [X8,#selRef_WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes@PAGEOFF]
    //Call the subroutine
    BL _objc_msgSend
    

    Note: focus on X0 and X1; from them we can get the object, method name and return value involved in the OC method call.
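    As an added worked example (not code from the original post), the C program below reproduces what the ADRP/LDR pair above computes: ADRP yields the 4 KiB page that holds the selector reference, as a signed page delta from the PC; LDR adds the @PAGEOFF low 12 bits and loads the 8-byte SEL pointer, which is what ends up in X1. The PC value, the selector-reference address, the instruction word and the SEL value are constructed for the demonstration; the decoding itself follows the standard ARM64 ADRP encoding.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not the post's code. Models:
 *   ADRP Xd, #sym@PAGE         -> Xd = (PC & ~0xFFF) + (imm21 << 12)
 *   LDR  Xn, [Xd, #sym@PAGEOFF] -> Xn = *(uint64_t *)(Xd + (sym & 0xFFF))
 * All addresses and values are constructed for the demonstration. */

/* Decode the signed 21-bit immediate (immhi:immlo) of an ADRP instruction word. */
int32_t adrp_decode_imm(uint32_t insn) {
    uint32_t immlo = (insn >> 29) & 0x3;
    uint32_t immhi = (insn >> 5) & 0x7FFFF;
    uint32_t imm21 = (immhi << 2) | immlo;
    if (imm21 & (1u << 20))            /* bit 20 set: target page lies below PC */
        return (int32_t)imm21 - (1 << 21);
    return (int32_t)imm21;
}

/* Encode an ADRP instruction for register Rd with a signed page delta. */
uint32_t adrp_encode(uint32_t rd, int32_t imm21) {
    uint32_t u = (uint32_t)imm21 & 0x1FFFFF;
    uint32_t immlo = u & 0x3;
    uint32_t immhi = u >> 2;
    return (1u << 31) | (immlo << 29) | (0x10u << 24) | (immhi << 5) | (rd & 0x1F);
}

/* ADRP result: the page containing PC plus the delta scaled by 4 KiB. */
uint64_t adrp_target(uint64_t pc, int32_t imm21) {
    return (pc & ~0xFFFULL) + (uint64_t)((int64_t)imm21 * 4096);
}

/* What the linker emits as sym@PAGE (page delta) and sym@PAGEOFF (low 12 bits). */
int32_t page_delta(uint64_t pc, uint64_t sym) {
    return (int32_t)(((int64_t)(sym & ~0xFFFULL) - (int64_t)(pc & ~0xFFFULL)) >> 12);
}
uint32_t page_off(uint64_t sym) { return (uint32_t)(sym & 0xFFF); }

/* A constructed stand-in for the __objc_selrefs section: 8-byte slots from `base`. */
typedef struct {
    uint64_t base;
    uint64_t slots[4];
} selrefs_t;

/* LDR Xn, [addr]: returns 0 for an address outside the modelled section. */
uint64_t ldr64(const selrefs_t *m, uint64_t addr) {
    if (addr < m->base || (addr % 8) != 0) return 0;
    uint64_t idx = (addr - m->base) / 8;
    return idx < 4 ? m->slots[idx] : 0;
}

/* Execute the ADRP+LDR pair and return the value that lands in X1 (the SEL). */
uint64_t resolve_selref(uint64_t pc, uint32_t adrp_insn, uint32_t pageoff,
                        const selrefs_t *m) {
    uint64_t x8 = adrp_target(pc, adrp_decode_imm(adrp_insn));
    return ldr64(m, x8 + pageoff);
}

int main(void) {
    /* Constructed layout: the ADRP sits at 0x10000401c, the selRef slot for the
     * selector at 0x10003a8b0, and that slot holds a constructed SEL pointer. */
    const uint64_t pc = 0x10000401cULL;
    const uint64_t selref_addr = 0x10003a8b0ULL;
    selrefs_t selrefs = { .base = 0x10003a8a0ULL,
                          .slots = { 0, 0, 0x1000f1234ULL, 0 } };

    int32_t delta = page_delta(pc, selref_addr);    /* 54 pages above PC's page */
    uint32_t insn = adrp_encode(8, delta);           /* ADRP X8, #selRef_...@PAGE */
    uint32_t off = page_off(selref_addr);            /* #selRef_...@PAGEOFF */
    uint64_t x8 = adrp_target(pc, adrp_decode_imm(insn));
    uint64_t x1 = resolve_selref(pc, insn, off, &selrefs);

    printf("ADRP word 0x%08" PRIx32 " imm=%d -> X8 = 0x%" PRIx64 "\n", insn, delta, x8);
    printf("LDR X1, [X8,#0x%" PRIx32 "] -> X1 (SEL) = 0x%" PRIx64 "\n", off, x1);
    return 0;
}
```

    The same two-step arithmetic applies to the `_OBJC_IVAR_$_...@PAGE` / `@PAGEOFF` pairs seen later in the post, except that LDRSW there loads a 32-bit ivar offset rather than an 8-byte pointer.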

    • Use a tweak to hook OnOpenRedEnvelopes and observe its data
    @interface WCRedEnvelopesReceiveHomeView {
        NSDictionary *m_dicBaseInfo;
        id m_delegate;
    }
    @end

    %hook WCRedEnvelopesReceiveHomeView

    - (void)OnOpenRedEnvelopes {
        // Read the instance variables; MSHookIvar works through the runtime function class_getInstanceVariable
        NSDictionary *dic = MSHookIvar<NSDictionary *>(self, "m_dicBaseInfo");
        NSArray *arr = [dic allKeys];
        for (NSInteger i = 0; i < arr.count; i++) {
            NSLog(@"%@ : %@", arr[i], [dic objectForKey:arr[i]]);
        }

        id de = MSHookIvar<id>(self, "m_delegate");
        NSLog(@"m_delegate class: %@", [de class]);
        //%orig;
    }

    %end
    
    • Analysing the code that calls WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes
      ADRP            X8, #_OBJC_IVAR_$_WCRedEnvelopesReceiveHomeView.m_delegate@PAGE
      LDRSW           X8, [X8,#_OBJC_IVAR_$_WCRedEnvelopesReceiveHomeView.m_delegate@PAGEOFF]
      ADD             X0, X19, X8
      BL              _objc_loadWeakRetained

     Pseudocode:
     WCRedEnvelopesReceiveControlLogic* controlLogic = self.m_delegate;

      MOV             X19, X0
      ADRP            X8, #selRef_WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes@PAGE
      LDR             X1, [X8,#selRef_WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes@PAGEOFF]
      BL              _objc_msgSend

      Analysis:
        X0 is controlLogic
        X1 is WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes

      Pseudocode:
      [controlLogic WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes];

      Verification:
      The header of the same name as WCRedEnvelopesReceiveControlLogic contains this method:
        - (void)WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes;
    
    • Continue with the WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes method of the WCRedEnvelopesReceiveControlLogic class
    Assembly:
    ADRP X8, #OBJC_IVAR$_WCRedEnvelopesControlLogic.m_data@PAGE
    LDRSW X24, [X8,#OBJC_IVAR$_WCRedEnvelopesControlLogic.m_data@PAGEOFF]
    LDR X0, [X27,X24] //equivalent to [self m_data]
    

    Cross-checking with the headers: WCRedEnvelopesReceiveControlLogic defines the instance variable WCRedEnvelopesControlData *m_data;

    ADRP X8, #selRef_m_oSelectedMessageWrap@PAGE
    LDR X19, [X8,#selRef_m_oSelectedMessageWrap@PAGEOFF]
    MOV X1, X19
    BL _objc_msgSend
    MOV X29, X29
    BL _objc_retainAutoreleasedReturnValue
    MOV X22, X0 //this is the return value; X22 now holds msgWrap

    Analysis: X0 is the value of m_data; X1 is the value passed through X19, i.e. m_oSelectedMessageWrap

    WCRedEnvelopesControlData defines the instance variable: CMessageWrap *m_oSelectedMessageWrap;
    Pseudocode:
    //self is the WCRedEnvelopesReceiveControlLogic instance
    WCRedEnvelopesControlData *data = [self m_data];
    CMessageWrap *msgWrap = [data m_oSelectedMessageWrap];
    
    
    Assembly:
    ADRP X8, #selRef_m_oWCPayInfoItem@PAGE
    LDR X1, [X8,#selRef_m_oWCPayInfoItem@PAGEOFF]
    STR X1, [SP,#0x120+var_100]
    BL _objc_msgSend
    MOV X29, X29
    BL _objc_retainAutoreleasedReturnValue
    MOV X23, X0 //this is the return value

    Analysis: X0 is the msgWrap from above; X1 is m_oWCPayInfoItem

    CMessageWrap has the property @property(retain, nonatomic) WCPayInfoItem *m_oWCPayInfoItem;

    Pseudocode: WCPayInfoItem* payInfoItem = [msgWrap m_oWCPayInfoItem];

    Assembly:
    ADRP X8, #selRef_m_c2cNativeUrl@PAGE
    LDR X1, [X8,#selRef_m_c2cNativeUrl@PAGEOFF]
    STR X1, [SP,#0x120+var_108]
    BL _objc_msgSend
    MOV X29, X29
    BL _objc_retainAutoreleasedReturnValue
    MOV X25, X0 //this is the return value

    Analysis: X0 is the payInfoItem from above; X1 is m_c2cNativeUrl

    WCPayInfoItem has the property @property(retain, nonatomic) NSString *m_c2cNativeUrl;

    Pseudocode: NSString *c2cNativeUrl = [payInfoItem m_c2cNativeUrl];
    
    • A Tweak can be used to view the value of m_c2cNativeUrl
    @interface WCPayInfoItem
    @property(retain, nonatomic) NSString *m_c2cNativeUrl;
    @end

    @interface CMessageWrap
    @property(retain, nonatomic) WCPayInfoItem *m_oWCPayInfoItem;
    @end

    @interface WCRedEnvelopesControlData {
        CMessageWrap *m_oSelectedMessageWrap;
    }
    @end

    @interface WCRedEnvelopesReceiveControlLogic {
        WCRedEnvelopesControlData *m_data;
    }
    @end

    %hook WCRedEnvelopesReceiveControlLogic

    - (void)WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes {
        id data = MSHookIvar<WCRedEnvelopesControlData *>(self, "m_data");
        NSLog(@"data class:%@", [data class]);

        id msgWrap = MSHookIvar<CMessageWrap *>(data, "m_oSelectedMessageWrap");
        NSLog(@"msgWrap class:%@", [msgWrap class]);

        // Declared properties do not need MSHookIvar; declare the interface and call them directly
        id payinfoitem = [msgWrap m_oWCPayInfoItem];
        NSLog(@"payinfoitem class:%@", [payinfoitem class]);

        NSString *nativeUrl = [payinfoitem m_c2cNativeUrl];
        NSLog(@"nativeUrl class:%@, nativeUrl = %@", [nativeUrl class], nativeUrl);

        //%orig;
    }

    %end
    

    The value of m_c2cNativeUrl from one red-envelope grab:

    Sep 13 19:16:59 Flongers-iphone WeChat[2438]: data class:WCRedEnvelopesControlData 
    Sep 13 19:16:59 Flongers-iphone WeChat[2438]: msgWrap class:CMessageWrap 
    Sep 13 19:16:59 Flongers-iphone WeChat[2438]: payinfoitem class:WCPayInfoItem 
    Sep 13 19:16:59 Flongers-iphone WeChat[2438]: nativeUrl class:__NSCFString, nativeUrl = wxpay://c2cbizmessagehandler/hongbao/receivehongbao?msgtype=1&channelid=1&sendid=1000039501201709137016141291061&sendusername=&ver=6&sign=
    


Original link: https://www.haomeiwen.com/subject/gdxssxtx.html