逆向壁纸类APP,去除广告下载Vip壁纸

写在前面

最近没啥事,自己就像逆向一下别人的app,下载了一块壁纸类app,开始干活。

1.准备越狱手机下载app

最好选择完美越狱的系统，下载app,使用usb连接进入root,用Clutch 脱壳。

iPhone:~ root# Clutch -i
Installed apps:
1:   爱奇艺-延禧攻略独播 <com.qiyi.iphone>
2:   こつこつ家計簿-無料のカレンダー家計簿 <com.doubibi74.money76>
3:   网易云音乐-音乐的力量 <com.netease.cloudmusic>
4:   微信 <com.tencent.xin>
5:   优酷视频-天坑鹰猎全网独播 <com.youku.YouKu>
6:   喜马拉雅FM「听书社区」电台有声小说相声评书 <com.gemd.iting>
7:   保镖报警器 <com.baobiao.baobiao>
8:   壁纸 ： 高清手机主题桌面动态墙纸 <com.tandy.wallpaper.pid39ch5>
9:   腾讯视频-如懿传独播 <com.tencent.live4iphone>

执行Clutch -d 8 开始脱壳

iPhone:~ root# Clutch -d 8
Zipping Wallpaper.app
ASLR slide: 0x1000d0000
Dumping <NotificationServiceExtension> (arm64)
Patched cryptid (64bit segment)
Writing new checksum
ASLR slide: 0x100034000
Dumping <Wallpaper> (arm64)
Patched cryptid (64bit segment)
Writing new checksum
Zipping NotificationServiceExtension.appex
DONE: /private/var/mobile/Documents/Dumped/com.tandy.wallpaper.pid39ch5-iOS8.0-(Clutch-2.0.4).ipa
Finished dumping com.tandy.wallpaper.pid39ch5 in 19.5 seconds
iPhone:~ root#

脱壳成功,将可执行文件拿出来留着备用，使用reveal 查看app 的UI 结构

正常图片

找到下载按钮所在的View是WPDetailBottomView

D848B4B1EF0D30BABEE26104702620CB.jpg

免费的长上面这样，但是有些比较好看的壁纸不出钱就要看视频广告，特别长，没完没了。

3A447C610A562470C77DCF6364A70998.jpg

所以来逆向一把，现在将脱壳脱壳后的可执行文件也就是mach-o 文件提取出头文件。

pp文件夹就是提取出来的头文件

将pp文件夹拖入sublime,搜索WPDetailBottomView，经过一番测试发现点击下载的调用的方法是

- (void)detailWithAction:(long long)arg1;

确定好方法了，那就开始编写tweek 代码。

思路

首先移除立即下载的这个lockView 然后让下载所在的View出现并显示在合适的位置，我顺便将启动页的广告也给它移除了(这个简单)。tweek 代码如下

#import <substrate.h> // necessary



@interface cyMethodSet
- (void)cleanUpSplashWhenStop;
- (void)td_hideActivityIndicatorView;
- (void)showBottomView;
- (id)bottomView;
- (void)hiddenPayView;

@end

// 去除启动页广告
%hook ADKPhotoFrameSplashAdView

- (id)initWithFrame:(struct CGRect)arg1{
    return nil;
}

%end

// %hook WPWallSetListView
// - (void)didTapWPBasePhotoView:(id)arg1{
//     UIAlertView *alert = [[UIAlertView alloc]initWithTitle:@"提示" message:@"点击了目标" delegate:nil cancelButtonTitle:nil otherButtonTitles:@"知道了", nil];
//     [alert show];
//     %orig;
// }

// %end
UIView *bottomViewHooked;


// - (void)loadCunstomAlertView:(long long)arg1{
//  NSString *str = [[NSString alloc]initWithFormat:@"点击了目标%lld",arg1];
//  UIAlertView *alert = [[UIAlertView alloc]initWithTitle:@"提示" message:str delegate:nil cancelButtonTitle:nil otherButtonTitles:@"知道了", nil];
//     [alert show];
// }


%hook WPDetailView
- (id)initWithFrame:(struct CGRect)arg1 actionTypes:(long long)arg2{
    NSLog(@"------这是测试消息-------");
    %log;
    dispatch_after(dispatch_time(DISPATCH_TIME_NOW, (int64_t)(0.5 * NSEC_PER_SEC)), dispatch_get_main_queue(), ^{
        [self hiddenPayView];
    });


    dispatch_after(dispatch_time(DISPATCH_TIME_NOW, (int64_t)(1 * NSEC_PER_SEC)), dispatch_get_main_queue(), ^{
        bottomViewHooked = MSHookIvar<UIView *>(self, "_bottomView");
        [bottomViewHooked setHidden:NO];
        [bottomViewHooked setFrame:CGRectMake(0, 500, 320, 44)];
    });


    return %orig;
}

- (void)detailBottomViewWithAction:(long long)arg1{
    NSString *str = [[NSString alloc]initWithFormat:@"点击了目标%lld",arg1];
    UIAlertView *alert = [[UIAlertView alloc]initWithTitle:@"提示" message:str delegate:nil cancelButtonTitle:nil otherButtonTitles:@"知道了", nil];
    [alert show];
    %orig;

}



- (void)detailBottomLockWithIndex:(long long)arg1{
            NSString *str = [[NSString alloc]initWithFormat:@"点击3了目标%lld",arg1];
    UIAlertView *alert = [[UIAlertView alloc]initWithTitle:@"提示" message:str delegate:nil cancelButtonTitle:nil otherButtonTitles:@"知道了", nil];
    [alert show];
    %orig;

}

- (void)detailBottomClicked{
    //      NSString *str = [[NSString alloc]initWithFormat:@"点击4了目标"];
    // UIAlertView *alert = [[UIAlertView alloc]initWithTitle:@"提示" message:str delegate:nil cancelButtonTitle:nil otherButtonTitles:@"知道了", nil];
 //    [alert show];
    %orig;


}

- (void)detailBottomCollectSuccess{
        NSString *str = [[NSString alloc]initWithFormat:@"点击3了目标"];
    UIAlertView *alert = [[UIAlertView alloc]initWithTitle:@"提示" message:str delegate:nil cancelButtonTitle:nil otherButtonTitles:@"知道了", nil];
    [alert show];
    %orig;

}


%end

%hook WPDetailBottomView
- (void)detailWithAction:(long long)arg1{
    NSString *str = [[NSString alloc]initWithFormat:@"点击了目2标%lld",arg1];
    UIAlertView *alert = [[UIAlertView alloc]initWithTitle:@"提示" message:str delegate:nil cancelButtonTitle:nil otherButtonTitles:@"知道了", nil];
    [alert show];
    %orig;
}
%end

然后在Tweak.xm 所在文件夹执行

make clean && make && make package && make install

重新进入该app的壁纸vip界面，立即下载的View已经消失，下载的所在的View 出现了，点击下载如图

DE78D8197E1829AB1F9F2DAE20991E68.jpg

里面的还有下载逻辑这部分比较难，我的实现方式是擦除汇编代码。有好方法的可以交流一下，这就是大概的过程。

5A9A3F520CEEBB4CB165D06B1ABD1085.jpg