
hook wechat共存fang封

作者: JoeTong | 来源:发表于2019-11-14 10:19 被阅读0次

// Decompiler pseudo-code of the library's load-time setup. Each line looks up
// an Objective-C class by name with objc_getClass and passes it to
// CHLoadClass_ together with a fixed address (presumably the CaptainHook
// class-declaration slot for that class; confirm against the binary).
// The six names are the classes whose methods are replaced in the functions
// listed further down this page.
// NOTE(review): for anyone auditing a repackaged build, this list is the set
// of API results that can no longer be trusted from inside the process.
CHLoadClass_(0xe0f8, objc_getClass("NSBundle"));

CHLoadClass_(0xe104, objc_getClass("UIDevice"));

CHLoadClass_(0xe110, objc_getClass("NSDictionary"));

CHLoadClass_(0xe11c, objc_getClass("MMCrashReportExtLogMgr"));

CHLoadClass_(0xe128, objc_getClass("JailBreakHelper"));

CHLoadClass_(0xe134, objc_getClass("ASIdentifierManager"));

NSBundle

// Replacement body for -[NSBundle bundleIdentifier], as decompiler pseudo-code.
// The `int` return type, the sp arithmetic and the stack[] slots are
// decompiler artifacts. arg0 is passed on as the receiver, arg1 is unused.
//
// Behaviour visible here: when isDirectCalledByModule("WeChat") is non-zero
// the constant @"com.tencent.xin" is returned; otherwise the call is forwarded
// through the function pointer stored at 0xe140 (presumably the saved original
// implementation; confirm against the binary).
//
// NOTE(review): the answer depends on which module is asking, so an in-process
// read of the bundle identifier says nothing about whether the app was
// re-signed under a different identifier. That has to be established outside
// the process (code-signature or server-side attestation).
int __ZL33$NSBundle_bundleIdentifier_methodP8NSBundleP13objc_selector(void * arg0, void * arg1) {

    sp = sp - 0x1c;

    stack[2044] = arg0;

    // isDirectCalledByModule is an opaque helper; by its name it checks whether
    // the immediate caller lives in the "WeChat" image. TODO confirm.
    if (sign_extend_32(isDirectCalledByModule("WeChat")) != 0x0) {

            stack[2045] = @"com.tencent.xin";

    }

    else {

            // Pass-through path: same receiver, same selector.
            r1 = *0xe140;

            stack[2045] = (r1)(stack[2044], @selector(bundleIdentifier), @selector(bundleIdentifier), r1, r1, @selector(bundleIdentifier));

    }

    r0 = stack[2045];

    return r0;

}

NSDictionary

// Replacement body for -[NSDictionary valueForKey:], as decompiler pseudo-code.
// arg0 is the receiver dictionary, arg2 the key.
//
// Behaviour visible here: if the key compares equal to @"CFBundleIdentifier"
// AND isDirectCalledByModule("WeChat") is non-zero, the constant
// @"com.tencent.xin" is returned instead of the stored value. Every other
// lookup is forwarded through the pointer stored at 0xe148 (presumably the
// saved original implementation).
//
// NOTE(review): the substitution applies to any dictionary, not only the
// bundle's info dictionary, because the receiver is never inspected. Unlike
// the objectForKey: variants on this page, no isKindOfClass: test on the key
// appears before isEqualToString: in this listing.
int __ZL33$NSDictionary_valueForKey$_methodP12NSDictionaryP13objc_selectorP8NSString(void * arg0, void * arg1, void * arg2) {

    sp = sp - 0x20;

    stack[2044] = arg0;

    stack[2042] = arg2;

    // Key match first, caller check second (short-circuit &&).
    if ((sign_extend_32((*arg0)(stack[2042], @selector(isEqualToString:), @"CFBundleIdentifier", @"CFBundleIdentifier", stack[2040], stack[2041], stack[2042])) != 0x0) && (sign_extend_32(isDirectCalledByModule("WeChat")) != 0x0)) {

            stack[2045] = @"com.tencent.xin";

    }

    else {

            r1 = *0xe148;

            stack[2045] = (r1)(stack[2044], @selector(valueForKey:), stack[2042], r1, r1, @selector(valueForKey:));

    }

    r0 = stack[2045];

    return r0;

}

// Replacement body for -[NSDictionary objectForKeyedSubscript:], as decompiler
// pseudo-code. arg0 is the receiver dictionary, arg2 the key.
//
// Behaviour visible here: three conditions must all hold for the substitution:
// the key is an NSString (isKindOfClass:), it equals @"CFBundleIdentifier",
// and isDirectCalledByModule("WeChat") is non-zero. In that case the constant
// @"com.tencent.xin" is returned. All other lookups go through the pointer
// stored at 0xe14c (presumably the saved original implementation).
//
// NOTE(review): this covers the `dict[@"CFBundleIdentifier"]` subscript form,
// so reading the identifier from the info dictionary gives the same
// substituted answer as -[NSBundle bundleIdentifier].
int __ZL45$NSDictionary_objectForKeyedSubscript$_methodP12NSDictionaryP13objc_selectorPU19objcproto9NSCopying11objc_object(void * arg0, void * arg1, void * arg2) {

    sp = sp - 0x34;

    stack[2044] = arg0;

    stack[2042] = arg2;

    r2 = *stack[2042];

    // The extra trailing arguments in each message send are decompiler noise.
    if ((([stack[2042] isKindOfClass:_objc_msgSend(@class(NSString), r2, r2, r3, stack[2035], stack[2036], stack[2037], stack[2038]), stack[2042], stack[2035], stack[2036]] != 0x0) && ([stack[2042] isEqualToString:@"CFBundleIdentifier", r1, stack[2035], stack[2036]] != 0x0)) && (sign_extend_32(isDirectCalledByModule("WeChat")) != 0x0)) {

            stack[2045] = @"com.tencent.xin";

    }

    else {

            r1 = *0xe14c;

            stack[2045] = (r1)(stack[2044], @selector(objectForKeyedSubscript:), stack[2042], r1, r1, @selector(objectForKeyedSubscript:));

    }

    r0 = stack[2045];

    return r0;

}

// Replacement body for -[NSDictionary objectForKey:], as decompiler
// pseudo-code. arg0 is the receiver dictionary, arg2 the key.
//
// Same shape as the objectForKeyedSubscript: replacement on this page: the
// key must be an NSString, must equal @"CFBundleIdentifier", and
// isDirectCalledByModule("WeChat") must be non-zero. Then the constant
// @"com.tencent.xin" is returned. Otherwise the call is forwarded through
// the pointer stored at 0xe150 (presumably the saved original implementation).
//
// NOTE(review): together with the valueForKey: and subscript replacements,
// every common NSDictionary read path for this one key is covered. The
// receiver is not checked, so the rule is key-based and process-wide.
int __ZL34$NSDictionary_objectForKey$_methodP12NSDictionaryP13objc_selectorPU19objcproto9NSCopying11objc_object(void * arg0, void * arg1, void * arg2) {

    sp = sp - 0x34;

    stack[2044] = arg0;

    stack[2042] = arg2;

    r2 = *stack[2042];

    if ((([stack[2042] isKindOfClass:_objc_msgSend(@class(NSString), r2, r2, r3, stack[2035], stack[2036], stack[2037], stack[2038]), stack[2042], stack[2035], stack[2036]] != 0x0) && ([stack[2042] isEqualToString:@"CFBundleIdentifier", r1, stack[2035], stack[2036]] != 0x0)) && (sign_extend_32(isDirectCalledByModule("WeChat")) != 0x0)) {

            stack[2045] = @"com.tencent.xin";

    }

    else {

            r1 = *0xe150;

            stack[2045] = (r1)(stack[2044], @selector(objectForKey:), stack[2042], r1, r1, @selector(objectForKey:));

    }

    r0 = stack[2045];

    return r0;

}

JailBreakHelper

越狱检测(以下三个检测方法均被替换为恒返回 0)

// Replacement body for -[JailBreakHelper HasInstallJailbreakPlugin:], as
// decompiler pseudo-code. None of the arguments are read and the original
// implementation is never called; the result is always 0.
// NOTE(review): a boolean self-check that lives in an Objective-C method can
// be overridden at the method level like this, so its result is not a
// trustworthy input for any server-side decision.
int __ZL50$JailBreakHelper_HasInstallJailbreakPlugin$_methodP11objc_objectP13objc_selectorS0_(void * arg0, void * arg1, void * arg2) {

    r0 = sign_extend_32(0x0);

    return r0;

}

// Replacement body for -[JailBreakHelper
// HasInstallJailbreakPluginInvalidIAPPurchase], as decompiler pseudo-code.
// Always returns 0 without consulting the original implementation.
// What the original inspects is not visible on this page.
int __ZL67$JailBreakHelper_HasInstallJailbreakPluginInvalidIAPPurchase_methodP11objc_objectP13objc_selector(void * arg0, void * arg1) {

    r0 = sign_extend_32(0x0);

    return r0;

}

// Replacement body for -[JailBreakHelper IsJailBreak], as decompiler
// pseudo-code. Always returns 0; the receiver and selector are ignored and
// the original check never runs.
int __ZL35$JailBreakHelper_IsJailBreak_methodP11objc_objectP13objc_selector(void * arg0, void * arg1) {

    r0 = sign_extend_32(0x0);

    return r0;

}

MMCrashReportExtLogMgr

崩溃记录(日志写入方法被替换为空操作)

// Replacement body for -[MMCrashReportExtLogMgr addLogInfo:withMessage:], as
// decompiler pseudo-code. arg2 and arg3 (the two method arguments) are never
// read and the original implementation is not called, so nothing is recorded.
// The `return r0` of the receiver is a decompiler artifact: the source listing
// further down this page declares the method as void.
// NOTE(review): where this log feeds crash or abuse telemetry, a client that
// reports no entries at all is itself a signal worth correlating server-side.
int __ZL54$MMCrashReportExtLogMgr_addLogInfo$withMessage$_methodP11objc_objectP13objc_selectorS0_S0_(void * arg0, void * arg1, void * arg2, void * arg3) {

    r0 = arg0;

    return r0;

}

ASIdentifierManager

修改广告标识

// Replacement body for -[ASIdentifierManager advertisingIdentifier], as
// decompiler pseudo-code.
//
// Behaviour visible here:
//   1. Obtain the main bundle's identifier and open a UICKeyChainStore with
//      that string as the service name.
//   2. If the store has no value under @"idfa", call through the pointer at
//      0xe164 (presumably the original advertisingIdentifier) and save the
//      result under @"idfa".
//   3. Return whatever is stored under @"idfa".
// The first value observed is therefore pinned in the keychain and returned
// on every later call.
//
// NOTE(review): this differs from the source listing further down the page,
// which keeps a randomly generated UUID in NSUserDefaults. The shipped binary
// and the published source are not the same implementation.
int __ZL49$ASIdentifierManager_advertisingIdentifier_methodP11objc_objectP13objc_selector(void * arg0, void * arg1) {

    sp = sp - 0x4c;

    stack[2045] = arg0;

    // The decompiler shows UICKeyChainStore as the receiver of mainBundle; this
    // is presumably a mis-resolved class reference for NSBundle. TODO confirm.
    r0 = [*@class(UICKeyChainStore) mainBundle];

    r0 = [r0 bundleIdentifier];

    // Garbled address computation (decompiler artifact); r1 is used below as
    // the target of the keyChainStoreWithService: call.
    r1 = *((")" | 0x0) + 0x1bca);

    stack[2043] = (r1)(@class(UICKeyChainStore), @selector(keyChainStoreWithService:), r0, r1, stack[2029], stack[2030]);

    if ([stack[2043] objectForKeyedSubscript:@"idfa", @"idfa", stack[2029], stack[2030]] == 0x0) {

            r0 = (*0xe164)(stack[2045], @selector(advertisingIdentifier), stack[2043], @selector(advertisingIdentifier), stack[2029], stack[2030], stack[2031]);

            [stack[2043] setObject:r0 forKeyedSubscript:@"idfa", stack[2029], stack[2030], r2];

    }

    r0 = [stack[2043] objectForKeyedSubscript:@"idfa", r1, r1, @"idfa"];

    return r0;

}

其他方法

修改设备名称

// Replacement body for -[UIDevice name], as decompiler pseudo-code. Returns the
// constant @"iPhone" for every caller; the receiver is ignored and the
// original implementation is not consulted.
// NOTE(review): a fleet of clients that all report the same fixed device name
// is a coarse but cheap server-side indicator of this kind of modification.
int __ZL21$UIDevice_name_methodP8UIDeviceP13objc_selector(void * arg0, void * arg1) {

    r0 = @"iPhone";

    return r0;

}

防封补丁源码

#import <Foundation/Foundation.h>

#import "CaptainHook/CaptainHook.h"

#import <AdSupport/AdSupport.h>

CHDeclareClass(ASIdentifierManager)

//广告标识符伪装

// CaptainHook replacement for -[ASIdentifierManager advertisingIdentifier].
// Returns a UUID read from NSUserDefaults under the key "idfa"; when no
// non-empty string is stored, a fresh random UUID is generated, persisted
// under that key and returned. The original implementation (CHSuper0) is
// never called, so the returned value is unrelated to the system identifier.
// NOTE(review): the identifier is per-install and controlled by the client,
// so a server should not treat it as a stable or authentic device identity.
CHMethod0(NSUUID *, ASIdentifierManager, advertisingIdentifier)

{

    NSUUID *advertisingIdentifier;

    NSString *key = @"idfa";

    NSString *idfa = [[NSUserDefaults standardUserDefaults] stringForKey:key];

    if (idfa && idfa.length)

    {

        // Reuse the value persisted by an earlier call.
        advertisingIdentifier = [[NSUUID alloc] initWithUUIDString:idfa];

    }

    else

    {

        // First call in this install: invent a value and remember it.
        advertisingIdentifier = [NSUUID UUID];

        [[NSUserDefaults standardUserDefaults] setObject:advertisingIdentifier.UUIDString forKey:key];

    }

    return advertisingIdentifier;

}

@class BaseAuthReqInfo, BaseRequest, ManualAuthAesReqData;

CHDeclareClass(ManualAuthAesReqData);

//bundleId 伪装(待完善)

// CaptainHook replacement for -[ManualAuthAesReqData setBundleId:].
// If the incoming value equals the running app's own bundle identifier it is
// replaced with the constant "com.tencent.xin"; any other value passes through
// unchanged. The (possibly rewritten) value is then handed to the original
// setter via CHSuper1.
// NOTE(review): by its name ManualAuthAesReqData looks like an authentication
// request payload (confirm). The rewrite happens at the point where the field
// is populated, so the server receives a client-asserted identifier that it
// cannot verify from this field alone.
CHMethod1(void, ManualAuthAesReqData, setBundleId, NSString *, bundleId)

{

    if ([bundleId isEqualToString:[NSBundle mainBundle].bundleIdentifier])

    {

        bundleId = @"com.tencent.xin";

    }

    CHSuper1(ManualAuthAesReqData, setBundleId, bundleId);

}

//clientSeqId 伪装

// CaptainHook replacement for -[ManualAuthAesReqData setClientSeqId:].
// Keeps a per-install prefix in NSUserDefaults under "clientSeqId": a UUID
// string with the dashes removed, created on first use. The value passed to
// the original setter is built as follows:
//   - incoming value contains "-": stored prefix + the incoming value from its
//     first "-" onward (the dash itself is kept);
//   - otherwise: the stored prefix alone.
// NOTE(review): the part before the first "-" is always replaced by a
// client-chosen constant, so whatever the app originally placed there never
// reaches the server. What that part encodes is not visible on this page.
CHMethod1(void, ManualAuthAesReqData, setClientSeqId, NSString *, clientSeqId)

{

    NSString *key = @"clientSeqId";

    NSString *clientSeqId_fist = [[NSUserDefaults standardUserDefaults] stringForKey:key];

    if (!clientSeqId_fist || clientSeqId_fist.length == 0)

    {

        // Nothing persisted yet: generate the prefix once and store it.
        clientSeqId_fist = [[NSUUID UUID].UUIDString stringByReplacingOccurrencesOfString:@"-" withString:@""];

        [[NSUserDefaults standardUserDefaults] setObject:clientSeqId_fist forKey:key];

    }

    NSString *newClientSeqId;

    if ([clientSeqId containsString:@"-"])

    {

        NSRange range = [clientSeqId rangeOfString:@"-"];

        // substringFromIndex: starts at the dash, so the suffix includes it.
        NSString *clientSeqId_last = [clientSeqId substringFromIndex:range.location];

        newClientSeqId = [NSString stringWithFormat:@"%@%@", clientSeqId_fist, clientSeqId_last];

    }

    else

    {

        newClientSeqId = clientSeqId_fist;

    }

    CHSuper1(ManualAuthAesReqData, setClientSeqId, newClientSeqId);

}

//deviceName 伪装

// CaptainHook replacement for -[ManualAuthAesReqData setDeviceName:].
// The incoming value is discarded and the original setter always receives the
// constant "iPhone".
CHMethod1(void, ManualAuthAesReqData, setDeviceName, NSString *, deviceName)

{

    // Set to the default name

    deviceName = @"iPhone";

    CHSuper1(ManualAuthAesReqData, setDeviceName, deviceName);

}

//过日志记录  服务器记录

@class MMCrashReportExtLogMgr;

CHDeclareClass(MMCrashReportExtLogMgr);

// CaptainHook replacement for -[MMCrashReportExtLogMgr addLogInfo:withMessage:].
// Returns immediately without calling the original (no CHSuper2), so neither
// argument is recorded.
// NOTE(review): the int * / const char * parameter types are the page author's
// declaration; the real signature is not shown here.
CHMethod2(void, MMCrashReportExtLogMgr, addLogInfo, int *, arg1, withMessage, const char *, arg2)

{

    return;

}

//过越狱检测

@class JailBreakHelper;

CHDeclareClass(JailBreakHelper);

// CaptainHook replacement for -[JailBreakHelper
// HasInstallJailbreakPluginInvalidIAPPurchase]. Always answers NO; the
// original check is never run.
CHMethod0(BOOL, JailBreakHelper, HasInstallJailbreakPluginInvalidIAPPurchase)

{

    return NO;

}

// CaptainHook replacement for -[JailBreakHelper HasInstallJailbreakPlugin:].
// Ignores arg1 and always answers NO; the original check is never run.
CHMethod1(BOOL, JailBreakHelper, HasInstallJailbreakPlugin, id, arg1)

{

    return NO;

}

// 判断越狱状况

// CaptainHook replacement for -[JailBreakHelper IsJailBreak]. Always answers
// NO; the original check is never run.
// NOTE(review): all three JailBreakHelper results on this page are forced to
// NO on the client, so an environment check whose verdict is computed and
// consumed inside the same process gives no assurance. A verdict the server
// relies on needs to be bound to something the client cannot rewrite, such as
// platform attestation.
CHMethod0(BOOL, JailBreakHelper, IsJailBreak){

    return NO;

}

//所有被hook的类和函数放在这里的构造函数中(原文到此为止,构造函数部分未贴出)
