
iOS逆向1016-微信抢红包案例(四)

作者: lukyy | 来源:发表于2018-06-17 16:48 被阅读27次

    1016-微信抢红包案例(四)

    @interface CMessageMgr  //消息的中转站
    hook:CMessageMgr--> onNewSyncAddMessage
    消息类型 type:  (CMessageWrap 类中) unsigned int m_uiMessageType;
    1、文字
    2、图片
    34、语音
    49、红包
    
    来到红包界面
    UITextEffectsWindow、WCPayMainWindow
    @interface CMessageWrap
    
    image.png

    //--------------------逻辑分析 --------
    // 微信应该有一个专门管理消息的对象!
    // 这个方法到底 是谁调用来的!! 看函数调用栈!!

    正常抢红包的逻辑
    1、收到消息,判断是否红包消息
    2、打开红包
    3、去抢红包
    4、拆红包

    Hook 抢红包://分析拆红包 的参数,略过抢红包,直接拆红包

    1、收到消息,判断是否红包消息
    4、拆红包

    Hook:WCRedEnvelopesLogicMgr
    //步骤5
    @interface WCRedEnvelopesLogicMgr
    // 开红包的请求
    - (void)OpenRedEnvelopesRequest:(id)arg1;
    //1、接收到红包请求
    - (void)ReceiverQueryRedEnvelopesRequest:(id)arg1;
    //2、得到红包
    - (void)GetHongbaoBusinessRequest:(id)arg1 CMDID:(unsigned int)arg2 OutputType:(unsigned int)arg3;
    //3、拆红包后的响应
    - (void)OnWCToHongbaoCommonResponse:(id)arg1 Request:(id)arg2;
    
    

    //步骤5图,方法调用的顺序

    image.png
    /*
     * ------------------- hook 收到红包 准备打开红包:拼接参数去打开红包 -----------------
     */ 
    /*
     * Logos hook on the red-envelope receive screen's "open" action. The replacement
     * assembles the open-request dictionary itself from the currently selected message
     * and hands it to WCRedEnvelopesLogicMgr. The author marks the body as pseudo-code;
     * every class named here is WeChat-internal and resolved at runtime via %c().
     * Note: %orig is never invoked, so the original tap handler does not run.
     */
    %hook WCRedEnvelopesReceiveControlLogic
    -(void)WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes {
        // pseudo-code
        // Read the controller's private m_data ivar, then walk selected message -> pay-info item -> native URL.
        WCRedEnvelopesControlData * m_data = MSHookIvar<WCRedEnvelopesControlData *>(self,"m_data");
        CMessageWrap  * msgWrap         = [m_data  m_oSelectedMessageWrap];
        WCPayInfoItem * payInfoItem     = [msgWrap m_oWCPayInfoItem];
        NSString * c2cNativeUrl         = [payInfoItem m_c2cNativeUrl];
        // Drop the fixed scheme/path prefix so only the query string remains, then decode it into a dictionary.
        NSUInteger len = [@"wxpay://c2cbizmessagehandler/hongbao/receivehongbao?" length];
        NSString * c2cNativeUrl2 = [c2cNativeUrl substringFromIndex:len];
        NSDictionary * url_dic   = [%c(WCBizUtil) dictionaryWithDecodedComponets:c2cNativeUrl2 separator:@"&"];
       
        // Request parameters: a fixed msgType plus sendid/channelid copied from the decoded query.
        // NOTE(review): -setObject:forKey: raises on a nil value, so a URL lacking either key would throw here.
        NSMutableDictionary * mutalbe_dic = [%c(NSMutableDictionary) dictionary];
        [mutalbe_dic setObject:@"1" forKey:@"msgType"];
        [mutalbe_dic setObject:url_dic[@"sendid"] forKey:@"sendId"];
        [mutalbe_dic setObject:url_dic[@"channelid"] forKey:@"channelId"];
       
        // Resolve the contact manager through the service center to read the local user's profile.
        MMServiceCenter * mmserCent = [%c(MMServiceCenter) defaultCenter];
        Class ccmgr = [%c(CContactMgr) class];
        CContactMgr * contactMgr = [mmserCent getService:ccmgr];
        CContact * selfContact = [contactMgr getSelfContact];
        // displayName --> NSTaggedPointerString (author's observation of the runtime class, logged below)
        id displayName = [selfContact getContactDisplayName];
        NSLog(@"---displayName= %@",[displayName class]);
        [mutalbe_dic setObject:displayName forKey:@"nickName"];
        [mutalbe_dic setObject:[selfContact m_nsHeadImgUrl] forKey:@"headImg"];
        // nativeUrl carries the full, undecoded URL; only set when a message wrap was found.
        if (msgWrap)
        {
            NSString * nativeUrl =  c2cNativeUrl;
            [mutalbe_dic setObject:nativeUrl forKey:@"nativeUrl"];
        }
        // sessionUserName is taken from the contact of the chat currently on screen, if any.
        MMMsgLogicManager * redEvenlopsLogicMgr = [[%c(MMServiceCenter) defaultCenter] getService:[%c(MMMsgLogicManager) class]];
        WeixinContentLogicController * currentLogicContoller  = [redEvenlopsLogicMgr GetCurrentLogicController];
        if ( currentLogicContoller )
        {
            CBaseContact * m_contact = [currentLogicContoller m_contact]; 
            if ( m_contact ){
                CBaseContact * contact = [currentLogicContoller m_contact];
                NSString * nsUsrName = [contact m_nsUsrName];
                if ( nsUsrName ){
                        NSLog(@"---nsUsrName= %@", nsUsrName); //nsUsrName
                    [mutalbe_dic setObject:nsUsrName forKey:@"sessionUserName"];
                }
            }
        }
        
        // timingIdentifier is forwarded only when the base-info dictionary holds a non-empty value.
        NSDictionary * m_dicBaseInfo = [m_data m_structDicRedEnvelopesBaseInfo];
        NSString * timingIdentifier = m_dicBaseInfo[@"timingIdentifier"];
        if ([timingIdentifier length]){
            [mutalbe_dic setObject:timingIdentifier forKey:@"timingIdentifier"];
        }
    
        // Scene code 1003 is passed as-is; its meaning is not documented on this page.
        WCPayLogicMgr * payLogic = [[%c(MMServiceCenter) defaultCenter] getService:[%c(WCPayLogicMgr) class]];
        [payLogic setRealnameReportScene:(unsigned int)1003];
        id subScript = [m_dicBaseInfo objectForKeyedSubscript:@"agree_duty"];
    
        // The license check decides asynchronously; only the accept path sends the open request.
        // The deny callback is intentionally empty.
        [payLogic checkHongbaoOpenLicense:subScript acceptCallback:^(){
            WCRedEnvelopesLogicMgr * redEvenlopsLogicMgr  = [[%c(MMServiceCenter) defaultCenter] getService:[%c(WCRedEnvelopesLogicMgr) class]];
    
            [redEvenlopsLogicMgr OpenRedEnvelopesRequest:mutalbe_dic];
            
        } denyCallback:^(){
           
        }];
        
    }
    %end
    
    
    
    /*
     * ------------------------- hook 收到消息:直接去判断,去抢红包 ------------------------
     */ 
    /*
     * Logos hook on the message manager's sync-add entry point. Every incoming message passes
     * through here; the replacement inspects the private m_uiMessageType ivar and, for type 49,
     * runs the same request-building sequence as the receive-screen hook before forwarding
     * to the original implementation via %orig. The author marks the body as pseudo-code:
     * some names used below (arg1, m_data) are not declared in this method.
     */
    %hook CMessageMgr
    - (void)onNewSyncAddMessage:(CMessageWrap *)msgWrap{
        // (arg1 is not a parameter of this method; author's pseudo-code)
        NSLog(@"%@\n%@",arg1,[arg1 class]);
        // Analysis showed the red-envelope message type is 49.
        // if type == 49 { start grabbing }
    
        // m_uiMessageType
        if(MSHookIvar<unsigned int>(msgWrap,"m_uiMessageType") == 49){// red-envelope message
    
            // All the calls from WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes are executed here instead.
            // This works because the same CMessageWrap type is available here as msgWrap.
            //  ......
            // pseudo-code
            // 1. Decode the query string of the native URL into a dictionary.
            WCPayInfoItem * payInfoItem  = [msgWrap m_oWCPayInfoItem];
            NSString * c2cNativeUrl = [payInfoItem m_c2cNativeUrl];
            NSUInteger len = [@"wxpay://c2cbizmessagehandler/hongbao/receivehongbao?" length];
            NSString * c2cNativeUrl2 = [c2cNativeUrl substringFromIndex:len];
            NSDictionary * url_dic = [%c(WCBizUtil) dictionaryWithDecodedComponets:c2cNativeUrl2       separator:@"&"];
            // NOTE(review): -setObject:forKey: raises on a nil value, so a URL lacking sendid/channelid would throw here.
            NSMutableDictionary * mutalbe_dic = [%c(NSMutableDictionary) dictionary];
            [mutalbe_dic setObject:@"1" forKey:@"msgType"];
            [mutalbe_dic setObject:url_dic[@"sendid"] forKey:@"sendId"];
            [mutalbe_dic setObject:url_dic[@"channelid"] forKey:@"channelId"];
            
            // 2. Next: local user's profile via the contact manager.
            MMServiceCenter * mmserCent = [%c(MMServiceCenter) defaultCenter];
            Class ccmgr = [%c(CContactMgr) class];
            CContactMgr * contactMgr = [mmserCent getService:ccmgr];
            CContact * selfContact = [contactMgr getSelfContact];
            id displayName = [selfContact getContactDisplayName];
            [mutalbe_dic setObject:displayName forKey:@"nickName"];
            [mutalbe_dic setObject:[selfContact m_nsHeadImgUrl] forKey:@"headImg"];
            if (msgWrap)
            {
                NSString * nativeUrl =  c2cNativeUrl;
                [mutalbe_dic setObject:nativeUrl forKey:@"nativeUrl"];
            }
    
            // 3. (original version, kept commented out by the author)
    /************************
            MMMsgLogicManager * redEvenlopsLogicMgr = [[%c(MMServiceCenter) defaultCenter] getService:  [%c(MMMsgLogicManager) class]];
                WeixinContentLogicController * currentLogicContoller  = [redEvenlopsLogicMgr GetCurrentLogicController];
                if ( currentLogicContoller )
                {
                    CBaseContact * m_contact = [currentLogicContoller m_contact];
                    if ( m_contact ){
                        CBaseContact * contact = [currentLogicContoller m_contact];
                        NSString * nsUsrName = [contact m_nsUsrName];
                if ( nsUsrName ){
                        NSLog(@"---nsUsrName= %@", nsUsrName); //nsUsrName
                    [mutalbe_dic setObject:nsUsrName forKey:@"sessionUserName"];
                }
            }
        }
    *************************/
    
            // 3. Step three, simplified: nsUsrName can be read straight from msgWrap's m_nsFromUsr ivar.
            NSString * nsUsrName = MSHookIvar<NSString *>(msgWrap,"m_nsFromUsr");
            NSLog(@"---nsUsrName= %@", nsUsrName);
            if(nsUsrName){
                [mutalbe_dic setObject:nsUsrName forKey:@"sessionUserName"];
            }
    
            // 4. Base info and license check. (m_data is not declared in this method; author's pseudo-code.)
            NSDictionary * m_dicBaseInfo = [m_data m_structDicRedEnvelopesBaseInfo];
                NSString * timingIdentifier = m_dicBaseInfo[@"timingIdentifier"];
                if ([timingIdentifier length]){
                    [mutalbe_dic setObject:timingIdentifier forKey:@"timingIdentifier"];
                }
                // Scene code 1003 is passed as-is; its meaning is not documented on this page.
                WCPayLogicMgr * payLogic = [[%c(MMServiceCenter) defaultCenter] getService:[%c(WCPayLogicMgr) class]];
                [payLogic setRealnameReportScene:(unsigned int)1003];
                id subScript = [m_dicBaseInfo objectForKeyedSubscript:@"agree_duty"];
    
                // Only the accept path sends the open request; the deny callback is empty.
                [payLogic checkHongbaoOpenLicense:subScript acceptCallback:^(){
            WCRedEnvelopesLogicMgr * redEvenlopsLogicMgr  = [[%c(MMServiceCenter) defaultCenter] getService:[%c(WCRedEnvelopesLogicMgr) class]];
                // open the red envelope
                    [redEvenlopsLogicMgr OpenRedEnvelopesRequest:mutalbe_dic];
             
                } denyCallback:^(){
           
                }];
    
            // Step 5. Unwrap: assemble the parameters.
            // Note this dictionary uses the stripped query string (c2cNativeUrl2) as nativeUrl,
            // whereas mutalbe_dic above used the full URL.
            NSMutableDictionary * params = [%c(NSMutableDictionary) dictionary];
            [params setObject:@"0" forKey:@"agreeDuty"];
            [params setObject:@"1" forKey:@"inWay"];
            [params setObject:@"1" forKey:@"msgType"];
            [params setObject:c2cNativeUrl2 forKey:@"nativeUrl"];
            [params setObject:url_dic[@"channelid"] forKey:@"channelId"];
            [params setObject:url_dic[@"sendid"] forKey:@"sendId"];
            // Manually invoke the unwrap request, independent of the license-check callback above.
            WCRedEnvelopesLogicMgr * redEvenlopsLogicMgr = [[%c(MMServiceCenter) defaultCenter] getService:[%c(WCRedEnvelopesLogicMgr) class]];
            // The method that actually issues the open request: unwrap (ReceiverQueryRedEnvelopesRequest).
            [redEvenlopsLogicMgr ReceiverQueryRedEnvelopesRequest:params];
    
    
        }else{
            NSLog(@"---msgWrap = %@", msgWrap); 
        }
    
        // Always forward to the original implementation so normal message handling continues.
        %orig; 
    }
    %end
    
    image.png image.png
