ios 逆向工程
剛進一個新公司,公司的大牛直接分給一個課題研究任務,直接懵逼了,/(ㄒoㄒ)/~~ 想哭,世界就是這麼酷酷的,硬着頭上唄,一切行動聽指揮-----> 就研究了下,在此分享下,有需要的看下,有不足之處請指點一二,謝謝各位大大,O(∩_∩)O哈哈~
前言
- ios逆向工程指的是在軟件層面上進行逆向分析的一個過程。如果想要達到對ios軟件較強的逆向分析能力,最好能非常熟悉ios設備的硬件構成、ios系統的運行原理,還要具備豐富的ios開發經驗,比如:拿到一個App之後能清晰的推斷出這個App使用的技術,包括引用了那些FrameWork,那些經典的第三方代碼,以及整個App工程大致的文件個數等。
- 逆向工程的主要兩個作用:首先是攻破目標程序,拿到關鍵信息,可以歸類於安全相關的逆向工程,其次是借鑑他人的程序功能來開發自己的軟件,可以歸類於開發相關的逆向工程
- 與安全相關的ios逆向工程
ios 逆向工程最突出的應用領域就是與安全相關的,比如:通過逆向一個金融App,來評定這個軟件的安全等級,安全專家通過逆向ios病毒,來找到殺毒的方法,安全公司通過逆向ios系統電話、短信功能,來構建一個手機防火牆
a.評定安全等級
ios中那些具有交易功能的App一般會先加密敏感數據,然後將加密過的數據存儲在本地或通過互聯網傳輸,而如果安全意識不夠強,就完全有可能將重要信息直接用明文保存或傳輸,安全隱患極大。App雖然可以將低維的攻擊防守得如銅牆鐵壁一般,但是擋不住高維的逆向攻擊,不過不可以據此得出App不安全的結論,因爲ios逆向工程的使用均來自一個前提:ios越獄,在這種環境下,我們使用這些逆向工程技術來分析評估目標App中可被攻擊點有多少,可攻擊點越少的自然就越安全。
b. 逆向惡意軟件
ios 是隻能移動終端操作系統,它同計算機操作系統沒有本質區別,惡意軟件就是通過逆向工程定位系統和軟件漏洞,利用漏洞滲透進目標主機,獲取敏感數據
- 與開發相關的ios逆向工程
開發者可以逆向系統調用,在自己的程序裏使用一些文檔中沒有提及的私有功能,還可以逆向一些經典的軟件等
a.逆向系統調用
開發者編寫的軟件能夠運行在操作系統中,提供各種各樣的功能,是因爲操作系統本身已經內嵌了這些功能,軟件只是拿來重組使用。絕大多數的App的實現都源於公開的開發文檔,而不能使用諸如鎖屏,關機等文檔中不涉及的功能,如果你的程序面向Cydia,那麼不採用非公開功能將導致程序幾乎沒有競爭力,故可以通過逆向ios系統調用,還原系統實現相應功能的代碼,並應用到自己的程序中。
b.借鑑別的軟件
逆向工程最受歡迎的應用場合就是“借鑑”他人的軟件功能。
一 、ios 越獄
ios 完美越獄和不完美越獄
完美越獄,越獄後的iPhone可以正常關機和重啓
不完美越獄,iPhone一旦關機後再開機時,屏幕就會一直停留在啓動畫面,也就是“白蘋果”狀態。或者能正常開機,但已經安裝的破解軟件都無法正常使用,需要將設備與PC連接後,使用軟件進行引導才能使用。一般說來,在蘋果發佈新的iOS固件後,針對該固件的不完美越獄會先發布,隨後完美越獄纔可能發佈,一般較新的系統版本,均爲不完美越獄
越獄方法推薦
PP助手:http://jailbreak.25pp.com/
ps:不同機型,不同系統,有的可以越獄,有的不可以
http://jailbreak.25pp.com/iphone5syueyu/
如何判斷是否越獄成功?
-
桌面是否有cydia
![]()
2.工具判斷(比如pp助手)
使用cydia安裝軟件
二、 Mac遠程登錄到iphone
我們經常在Mac的終端上,通過敲一下命令來完成一些操作,iOS 和Mac OSX 都是基於Drawin(蘋果的一個基於Unix的開源系統內核),所以ios中同樣支持終端的命令行操作,在逆向工程中,可以使用命令行來操縱iphone。
爲了建立連接需要用到 SSH 和OpenSSH
SSH: Secure Shell的縮寫,表示“安全外殼協議”,是一種可以爲遠程登錄提供安全保障的協議,使用SSH,可以把所有傳輸的數據進行加密,"中間人"攻擊方式就不可能實現,能防止DNS 欺騙和IP欺騙
OpenSSH: 是SSH協議的免費開源實現,可以通過OpenSSH的方式讓Mac遠程登錄到iphone,此時進行訪問時,Mac 是客戶端 iphone是服務器
使用OpenSSH遠程登錄步驟如下
- 在iphone上安裝cydia 安裝OpenSSH工具(軟件源http://apt.saurik.com)
- OpenSSH的具體使用步驟可以查看Description中的描述
第一種登錄方式可以使用WIFI
具體使用步驟
- 確保Mac和iphone在同一個局域網下(連接同一個WIFI)
- 在Mac的終端輸入ssh賬戶名@服務器主機地址,比如ssh [email protected](這裏服務器是手機) 初始密碼 alpine
- 登錄成功後就可以使用終端命令行操作iphone
- 退出登錄 exit
ps:ios下2個常用賬戶 root、moblie
- root: 最高權限賬戶,HOME是 /var/root
- moblie :普通權限賬戶,只能操作一些普通文件,不能操作別的文件,HOME是/var/mobile
- 登錄moblie用戶:root moblie@服務器主機地址
root和mobli用戶的初始登錄密碼都是alpine
第二種登錄方式 通過USB進行SSH登錄
- 22端口
- 端口就是設備對外提供服務的窗口,每個端口都有個端口號,範圍是0--65535,共2^16個
- 有些端口是保留的,已經規定了用途,比如 21端口提供FTP服務,80端口是提供HTTP服務,22端口提供SSH服務,更多保留端口號課參考 鏈接
- iphone 默認是使用22端口進行SSH通信,採用的是TCP協議
- 默認情況下,由於SSH走的是TCP協議,Mac是通過網絡連接的方式SSH登錄到iphone,要求iPhone連接WIFI,爲了加快傳輸速度,也可以通過USB連接的方式進行SSH登錄,Mac上有個服務程序usbmuxd(開機自動啓動),可以將Mac的數據通過USB傳輸到iphone,路徑是/System/Library/PrivateFrameworks/mobileDevice.framework/Resources/usbmuxd
- usbmuxd的使用
- 下載usbmuxd工具包,下載v1.0.8版本,主要用到裏面的一個python腳本: tcprelay.py, 下載鏈接
- 將iphone的22端口(SSH端口)映射到Mac本地的10010端口
cd ~/Documents/usbmux-1.08/python-client
python tcprelay.py -t 22:10010
加上 -t 參數是爲了能夠同時支持多個SSH連接,端口映射完畢後,以後如果想跟iphone的22端口通信,直接跟Mac本地的10010端口通信就可以了,新開一個終端界面,SSH登錄到Mac本地的10010端口,usbmuxd會將Mac本地10010端口的TCP協議數據,通過USB連接轉發到iphone的22 端口,遠程拷貝文件也可以直接跟Mac本地的10010端口通信,如:scp -p 10010 ~/Desktop/1.txt root@localhost:~/test 將Mac上的/Desktop/1.txt文件,拷貝到iphone上的/test路徑。
- 先開一個終端,先完成端口映射
*cd 到usbmuxd文件夾路徑 - python tcprelay.py -t 22:10010
- 再開一個端口
注入手機
- ssh root@localhost -p 10010
-
Zhanghua123:~ root# cycript -p SpringBoard
![]()
ps: 切記第一個終端不可以關閉,纔可以保持端口映射狀態
三、 Cycript的使用
Cycript 是Objective-C++ JavaScript Java等語法的混合物,可以用來探索,修改,調試正在運行的Mac\ios App
官網:http://www.cycript.org/
文檔: http://www.cycript.org/manual
通過Cycdia 安裝Cycript,就可以在iphone上調試運行中的APP
使用上面usb鏈接的方式進入iphone
Zhanghua123:~ root# ps -e
會出現很多進程
看var開頭的,可以看到開的進程
- cycript 基本語法
- 定義變量
- var 變量名 = 變量值
- 用內存地址獲取對象
-
內存地址
- 查看已經加載的所有OC類
- ObjectiveC.classes
- 查看對象的所有成員變量
- *對象
- 遞歸打印view的所有子控件
- view.recursiveDescription().toString()
- 篩選出某種類型的對象
- choose(UIViewController)
- choose(UITableViewCell)
注入手機
cycript Zhanghua123:~ root# cycript -p SpringBoard
創建一個彈框
cy# alertView = [[UIAlertView alloc] initWithTitle:@"di yi ge niinag" message:'cai kei djd' delegate:nil cancelButtonTitle:@"OK"otherButtonTitles:nil]
#"<UIAlertView: 0x10b8d3e80; frame = (0 0; 0 0); layer = <CALayer: 0x170a21100>>"
cy# [alertView show]
cy#
cy# UIApp.keyWindow.rootViewController
#"<DFNavigationController: 0x10603e000>"
cy# #0x10603e000.visibleViewController
#"<ALULoginContainerController: 0x105740200>"
cy# visible = #0x105740200
#"<ALULoginContainerController: 0x105740200>"
cy# visible.childViewController
cy# *visible
{isa:ALULoginContainerController,_hasOverrideClient:false,_hasOverrideHost:false,_hasInputAssistantItem:false,_overrideTransitioningDelegate:null,_view:#"<UIView: 0x105789110; frame = (0 0; 320 568); autoresize = W+H; layer = <CALayer: 0x17022fa40>>",_tabBarItem:null,_navigationItem:#"<<UINavigationItem: 0x1741c2ee0>: title:'(null)'>",_toolbarItems:null,_title:null,_nibName:null,_nibBundle:#"NSBundle </var/containers/Bundle/Application/BBAD7933-C1F3-4839-AFF0-49B2A34C81B0/AlipayWallet.app> rideUseCustomPresentation:false,_modalPresentationCapturesStatusBarAppearance:false,_disablesAutomaticKeyboardDismissal:false,_ignoresParentMargins:false,_childViewControllers:@[#"<aluAlipayLoginViewController: 0x10f62a130>"],_customNavigationInteractiveTransitionDuration:0,_customNavigationInteractiveTransitionPercentComplete:0,_customTransitioningView:null,_lastNotifiedTraitCollection:#"<UITraitCollection: 0x1740d7ca0; _UITraitNameUserInterfaceIdiom = Phone, _UITraitNameDisplayScale = 2.000000,
cy# vv = #0x10f62a130
#"<aluAlipayLoginViewController: 0x10f62a130>"
cy# vv.subViews
cy# *vv
{isa:aluAlipayLoginViewController,_hasOverrideClient:false,_hasOverrideHost:false,_hasInputAssistantItem:false,_overrideTransitioningDelegate:null,_view:#"<UIView: 0x1103c4c50; frame = (0 0; 320 568); autoresize = W+H; layer = <CALayer: 0x1059898c0>>",_tabBarItem:null,_navigationItem:#"<<UINavigationIt5510; frame = (0 275; 320 293); autoresize = W; layer = <CALayer: 0x1100aa760>>",_languageBtn:#"<aluLinkButton: 0x110305fa0; baseClass = UIButton; frame = (272 12; 33 19.5); opaque = NO; layer = <CALayer: 0x1059e0940>>",_moreBtn:#"<aluLinkButton: 0x110a34e50; baseClass = UIButton; frame = (16 243; 288 45); opaque = NO; layer = <CALayer: 0x110a55ca0>>",_extraInfo:null,_actionSheet:null,_apRDS:#"<APSecRDS: 0x1740d42e0>",_rdsGotData:null,_backDelegate:null,_monitorPageRef:@"fromloginpw",_intentHandlers:null,_expireTime:null,_isRegBtnOut:false,_smsLoginBtn:#"<aluLinkButton: 0x1103ea3e0; baseClass = UIButton; frame = (189 75; 115 19.5); opaque = NO; tag = 3; layer = <CALayer: 0x1103cd420>>",_findbackPwdBtn:#"<aluLinkButton: 0x1100949d0; baseClass = UIButton; frame = (16 75; 75 19.5); opaque = NO; tag = 3; layer = <CALayer: 0x1100f9270>>",_alipayLoginRPC:null,_alipayLoginResult:null}
cy#
cy# choose(UITextField)
[#"<aluTextField: 0x1103e1660; baseClass = UITextField; frame = (83 0; 207 45); text = ''; opaque = NO; autoresize = W; tintColor = UIExtendedSRGBColorSpace 0.0627451 0.556863 0.913725 1; gestureRecognizers = <NSArray: 0x11000e850>; layer = <CALayer: 0x10fdbf1d0>>",#"<aluTextField: 0x1103e2c40; baseClass = UITextField; frame = (83 0; 176 45); text = ''; opaque = NO; autoresize = W; tintColor = UIExtendedSRGBColorSpace 0.0627451 0.556863 0.913725 1; gestureRecognizers = <NSArray: 0x1100c2ff0>; layer = <CALayer: 0x1059cb4f0>>"]
cy# #0x1103e1660.text = 'ge bi lao wang'
"ge bi lao wang"
cy# #0x1103e2c40.text = '1234'
"1234"
cy#
如果輸入中文,要轉碼一次
http://tool.chinaz.com/tools/unicode.aspx
添加一個view
cy# v2 = [[UIView alloc]init]
#"<UIView: 0x111b90ab0; frame = (0 0; 0 0); layer = <CALayer: 0x11002fe40>>"
cy# v2.frame
(extern "C" struct CGRect ":frame"(id, SEL))
cy# [v2 frame]
{0:{0:0,1:0},1:{0:0,1:0}}
cy# v2.frame = {0:{0:0,1:0},1:{0:320,1:200}}
{0:{0:0,1:0},1:{0:320,1:200}}
cy# [view addSubview: v2]
cy# v2
#"<UIView: 0x111b90ab0; frame = (0 0; 320 200); layer = <CALayer: 0x11002fe40>>"
cy# v2.backgroundColor = [UIColor redColor]
#"UIExtendedSRGBColorSpace 1 0 0 1"
cy#
Cycript 封裝的一些庫
從下面地址下載資源
https://github.com/CoderMJLee/mjcript
然後安裝在手機的 Device/usr/lib路徑下
具體使用如下:
Zhanghua123:~ root# cycript -p SpringBoard
cy# @import mjcript
{}
cy# MJAppId
@"com.apple.springboard"
cy# MJAppPath
@"/System/Library/CoreServices/SpringBoard.app"
cy# MJDocPath
@"/var/mobile/Documents"
cy# MJCachesPath
@"/var/mobile/Library/Caches"
cy#
實現清楚SpringBoard 上面app的推送通知數目
- 登錄
- 看是否是脫殼的(沒有打印出,表示已經脫殼)
cuilinhaodeMacBook-Pro:~ cuilinhao$ cd Desktop/SpringBoard/
cuilinhaodeMacBook-Pro:SpringBoard cuilinhao$ ls
Headers SpringBoard
cuilinhaodeMacBook-Pro:SpringBoard cuilinhao$ otool -l Springboard | grep cycpt
cuilinhaodeMacBook-Pro:SpringBoard cuilinhao$ class-dump -H SpringBoard -o Headers
cuilinhaodeMacBook-Pro:SpringBoard cuilinhao$
- 進入SpringBoard並引入 庫
Zhanghua123:~ root# cycript -p SpringBoard
cy# @import mjcript
{}
3.查找
cy# MJRootVc()
#"<SBHomeScreenViewController: 0x100cb1390>"
cy# MJChildVcs(#0x100cb1390)
`<SBHomeScreenViewController 0x100cb1390>, state: appeared, view: <SBHomeScreenView 0x10ac0c700>
| <SBIconController 0x101067200>, state: appeared, view: <SBIconContentView 0x100eb4cd0>
| | <SBRootFolderController 0x10189e800>, state: disappeared, view: <SBFolderContainerView 0x10af2fcd0>
| | | <SBHomeScreenPullDownSearchViewController 0x10ac24c10>, state: disappeared, view: <_SBMultiplexingView 0x10ac25a70>
| | | <SBHomeScreenSearchableTodayViewController 0x10ac25130>, state: disappeared, view: <_SBMultiplexingView 0x10af2ad40>`
cy# MJSubviews (#0x100cb1390)
throw new Error("Invalid parameter") /*
MJSubviews */
cy# MJSubviews (#0x100cb1390.view)
`<SBHomeScreenView: 0x10ac0c700; frame = (0 0; 320 568); autoresize = W+H; layer = <CALayer: 0x1702338e0>>
| <SBIconContentView: 0x100eb4cd0; frame = (0 0; 320 568); clipsToBounds = YES; autoresize = W+H; layer = <CALayer: 0x170426920>>
| | <SBFolderContainerView: 0x10af2fcd0; frame = (0 0; 320 568); clipsToBounds = YES; layer = <CALayer: 0x174437de0>>
| | | <SBRootFolderView: 0x10af2c200; frame = (0 0; 320 568); layer = <CALayer: 0x174436080>>
| | | | <SBSearchBlurEffectView: 0x10af2e920; variant: static; style: LightTintedBlur; frame = (0 0; 320 568); clipsToBounds = YES; alpha = 0; layer = <CALayer: 0x174437b40>>
| | | | | <_SBFakeBlurView: 0x10af2ed50; style: LightTintedBlur; frame = (0 0; 320 568); animations = { AlignFakeWallpaperToLayer-0x174231ce0=<CAMatchMoveAnimation: 0x174a29920>; }; layer = <CALayer: 0x174437b60>>
| | | | | | <SBFWallpaperView: 0x10af2f160; frame = (0 0; 320 568); layer = <CALayer: 0x174437b80>>
| | | | | | | <UIView: 0x10af2f5b0; frame = (0 0; 320 568); layer = <CALayer: 0x174437ba0>>
| | | | | | | | <UIImageView: 0x10af2f750; frame = (-26 -64; 372 696); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x174437c80>>
| | | | | <UIView: 0x10af2f930; frame = (0 0; 320 568); autoresize = W+H; layer = <CALayer: 0x174437d40>>
| | | | <UIView: 0x10af2c5f0; frame = (0 0; 320 568); layer = <CALayer: 0x1744360c0>>
| | | | | <SBIconScrollView: 0x10187d800; baseClass = UIScrollView; frame = (0 20; 320 436); autoresize = W+H; gestureRecognizers = <NSArray: 0x174c5dd90>; layer = <CALayer: 0x174436160>; contentOffset: {640, 0}; contentSize: {1280, 436}>
| | | | | | <SBSearchScrollView: 0x10184d400; baseClass = UIScrollView; frame = (0 0; 0 0); clipsToBounds = YES; hidden = YES; gestureRecognizers = <NSArray: 0x174e41b00>; layer = <CALayer: 0x174437860>; contentOffset: {0, 94}; contentSize: {0, 94}>
| | | | | | | <UIImageView: 0x10ac5a020; frame = (-39 88.5; 36 2.5); alpha = 0; opaque = NO; autoresize = TM; userInteractionEnabled = NO; layer = <CALayer: 0x170431b20>>
| | | | | | <_SBRootFolderLayoutWrapperView: 0x100c78430; frame = (0 -20; 320 568); layer = <CALayer: 0x174437a20>>
| | | | | | | <_SBMultiplexingView: 0x10af2ad40; frame = (0 0; 320 568); autoresize = W+H; layer = <CALayer: 0x174437a40>>
| | | | | | | | <_SBMultiplexedHostView: 0x10af2e750; frame = (0 0; 320 568); autoresize = W+H; layer = <CALayer: 0x174437a60>>
| | | | | | <SBRootIconListView 0x10db31310: frame = {{320, 0}, {320, 436}}; Model = <SBIconListModel: 0x174e61780; 19 icons; folder = <SBRootFolderWithDock: 0x174504b60, (null)>>>
| | | | | | | <SBIconView: 0x10af3a110; frame = (16 7; 60 74); opaque = NO; layer = <CALayer: 0x174438e00>>
| | | | | | | | <SBIconLegibilityLabelView: 0x10ac2c950; baseClass = _UILegibilityView; frame = (15.5 62.5; 29 19); userInteractionEnabled = NO; layer = <CALayer: 0x17042e240>>
| | | | | | | | | <_UILegibilityImageView: 0x10af3a660; frame = (-12 -12; 53 43); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x174438580>>
| | | | | | | | | <_UILegibilityImageView: 0x100c997c0; frame = (0 0; 29 19); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x174438f40>>
| | | | | | | | <SBIconImageView: 0x10b4098a0; frame = (-1 -1; 62 62); userInteractionEnabled = NO; layer = <CALayer: 0x170820a40>>
| | | | | | | <SBIconView: 0x10af36740; frame = (92 7; 60 74); opaque = NO; layer = <CALayer: 0x174438b00>>
| | | | | | | | <SBIconLegibilityLabelView: 0x10af36a00; baseClass = _UILegibilityView; frame = (15.5 62.5; 29 19); userInteractionEnabled = NO; layer = <CALayer: 0x17443ac00>>
| | | | | | | | | <_UILegibilityImageView: 0x10af34500; frame = (-12 -12; 53 43); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x174439100>>
| | | | | | | | | <_UILegibilityImageView: 0x10af37d50; frame = (0 0; 29 19); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x1744396c0>>
| | | | | | | | <SBIconImageView: 0x10af36be0; frame = (-1 -1; 62 62); userInteractionEnabled = NO; layer = <CALayer: 0x17443a180>>
| | | | | | | <SBIconView: 0x10af45b80; frame = (168 7; 60 74); opaque = NO; layer = <CALayer: 0x174439800>>
| | | | | | | | <SBIconLegibilityLabelView: 0x10af47600; baseClass = _UILegibilityView; frame = (15.5 62.5; 29 19); userInteractionEnabled = NO; layer = <CALayer: 0x17443a340>>
| | | | | | | | | <_UILegibilityImageView: 0x10ac3ae80; frame = (-12 -12; 53 43); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17042edc0>>
| | | | | | | | | <_UILegibilityImageView: 0x10ac3aca0; frame = (0 0; 29 19); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17042eda0>>
| | | | | | | | <SBIconImageView: 0x10af477e0; frame = (-1 -1; 62 62); userInteractionEnabled = NO; layer = <CALayer: 0x174439fc0>>
| | | | | | | <SBIconView: 0x10af32000; frame = (244 7; 60 74); opaque = NO; layer = <CALayer: 0x1744392e0>>
| | | | | | | | <SBIconLegibilityLabelView: 0x10ac25870; baseClass = _UILegibilityView; frame = (15.5 62.5; 29 19); userInteractionEnabled = NO; layer = <CALayer: 0x17042d6c0>>
| | | | | | | | | <_UILegibilityImageView: 0x10ac2bad0; frame = (-12 -12; 53 43); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17042dec0>>
| | | | | | | | | <_UILegibilityImageView: 0x10ac2b8f0; frame = (0 0; 29 19); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17042dee0>>
| | | | | | | | <SBIconImageView: 0x10b37d980; frame = (-1 -1; 62 62); userInteractionEnabled = NO; layer = <CALayer: 0x17463b220>>
| | | | | | | <SBIconView: 0x10af74db0; frame = (16 95; 60 74); opaque = NO; layer = <CALayer: 0x17443d260>>
- 測試查找,通過顯示與隱藏的方式看紅色數目是哪個類
cy# #0x10ac11980.hidden = 1
1
cy# #0x10ac11980.hidden = 1
1
cy# #0x10ac11980.hidden = 0
四、sh腳本文件
- 將經常執行的一系列終端命令行放到sh腳本文件中(shell),然後執行腳本文件,可以通過sh、bash、source命令來執行sh腳本文件
- sh bash
- 當前shell環境會啓動一個子進程來執行腳本文件,執行後返回到父進程的shell環境,執行cd時,在子進程中會進入到cd目錄,但是在父進程中環境並沒有改變,也就是說目錄沒有改變
- source
- 在當前的shell環境下執行腳本文件,執行cd後會跳轉到cd的目錄,source可以用一個點.來代替,比如“.test.sh”
五、 ios 脫殼
- 脫殼就是摘掉殼程序,加未加密的可執行文件還原出來,脫殼主要有2種方法:硬脫殼,動態脫殼
硬脫殼就是直接執行解密算法,動態脫殼,執行殼程序,將真實的內容解密出來,即熱內存中的可執行文件是已經解密過的,則我們可以直接導出,由於手機程序比較複雜,ios 中常用的是硬脫殼。
- ios 中有很多好用的脫殼工具
- Clutch:https://github.com/KJCracks/Clutch
- dumpdecrypted: https://github.com/stefanesser/dumpdecrypted/
- class-dump
class-dump的作用就是把Mach-O文件的class信息給dump出來(把類信息給導出來),生成對應的.h頭文件
官方網址: http://stevenygard.com/projects/class-dump/
下載完工具包以後將class-dump文件複製到Mac的/usr/local/bin目錄,這樣在終端就能識別class-dump命令了
常用的格式:class-dump -H Mach-O文件路徑 -o 頭文件存放目錄
ps: -H表示要生成頭文件 -O用於制定頭文件的存放目錄
權限問題:
cuilinhaodeMacBook-Pro:脫殼 cuilinhao$ class-dump -H To-Do -o Headers
-bash: /usr/local/bin/class-dump: Permission denied
解決:cuilinhaodeMacBook-Pro:脫殼 cuilinhao$ chmod +x /usr/local/bin/class-dump
logo語法
六、Clutch
Clutch的配置
- 下載最新的Release版: https://github.com/KJCracks/Clutch/releases
- 去掉版本號,改名爲Clutch
- 將clutch文件拷貝到iphone的/usr/btn目錄
4.如果在iphone上執行Clutch指令,權限不夠,賦予“可執行的權限”
Clutch - 使用
- 列出已經安裝的APP:Clutch -i
Zhanghua123:~ root# Clutch -i
Installed apps:
1: WiFi伴侶-安全上網管家 <com.eldxin7.wifibanlv>
2: 華夏萬家金服 <com.hxwj.WJJF>
3: 智仟匯 <com.zhidou.smart>
4: 悟空問答 - 超火爆全民問答討論社區 <com.ss.iphone.article.wenda>
5: 愛思加強版 <com.pd.A4Player>
6: 喜馬拉雅FM「聽書社區」電臺有聲小說相聲評書 <com.gemd.iting>
7: 聯璧金融-安全靠譜的理財平臺 <com.lincomb.licai>
8: Microsoft To-Do <com.microsoft.to-do>
Zhanghua123:~ root#
- 輸入APP序號或者Bundle Id進行脫殼操作: clutch -d APP序號BundleId
- 脫殼成功後會生成一個ipa文件且會有一個ipa存放的路徑
4.檢驗一下是否脫殼成功
otool -l To-Do | grep crypt
cryptoff 16384
cycptsize 2490368
cryptid 0
當 cryptid 爲0 時表示已經脫殼成功
- 導出頭文件
class-dump -H To-Do -o Headers
dumpdecrypted 使用
- 下載源代碼,然後在源代碼目錄執行make指令進行編譯,獲得dylib動態庫文件
下載地址:https://github.com/stefanesser/dumpdecrypted/archive/master.zip
cuilinhaodeMacBook-Pro:~ cuilinhao$ cd /Users/cuilinhao/Desktop/dumpdecrypted-master
cuilinhaodeMacBook-Pro:dumpdecrypted-master cuilinhao$ ls
Makefile README dumpdecrypted.c
cuilinhaodeMacBook-Pro:dumpdecrypted-master cuilinhao$ make
將dylib文件拷貝到iphone上,放到/var/root目錄
終端進入dylib所在的目錄
-
使用環境變量DYLD_INSERT_LIBARIES將dylib注入到需要脫殼的可執行文件(可執行文件路徑可以通過ps -A查看獲取)
DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib + 可執行文件路徑
![]()
-
.decrpted文件就是脫殼後的可執行文件
ps: 在使用過程可能會遇到錯誤
![]()
錯誤主要是因爲對dylib所在的文件夾權限不夠
解決方案:將dylib放在用戶所在文件夾,如果是root用戶,就放在/var/root目錄,如果是moblie用戶,將dylib放在/var/moblie目錄
一鍵砸殼,僅供參考
一鍵砸殼:
砸殼命令
cuilinhaodeMacBook-Pro:~ cuilinhao$ cd /opt
cuilinhaodeMacBook-Pro:opt cuilinhao$ cd dump/frida-ios-dump/
cuilinhaodeMacBook-Pro:frida-ios-dump cuilinhao$ ls
LICENSE dump.js process.sh
README.md dump.py requirements.txt
cuilinhaodeMacBook-Pro:frida-ios-dump cuilinhao$ sudo ./dump.py com.tencent.xin
問題:
ios ImportError: No module named scp
解決方法
sudo pip install -r requirements.txt
七、 Reveal 安裝
Reveal 是一款調試ios程序UI界面的神器
破解版 https://pan.baidu.com/s/1lz9lwTKXD9bS8DnvT9gkBQ 提取密碼:b31u 【建議直接裝破解的,不然有坑】
建議下載至少Reveal4版本,支持USB連接調試
調試環境配置
iphone上安裝Reveal Loader
軟件源: http://apt.so/codermjlee,不要安裝其他源的版本,有可能不支持新版Reveal
安裝完Reveal Loader後,打開[設置], 選擇需要調試的APP
[圖片上傳失敗...(image-b2610e-1525830769359)]-
點擊電腦上的Reveal軟件, 然後找到Reveal中RevealServer文件,覆蓋iphone的/Library/RHRevealLoader/RevealServer文件
![]()
ps: 在iPhone上沒有RHRevealLoader文件夾,可以自己創建
- 重啓SpringBoard killall SpringBoard
有問題請參考下面鏈接
https://www.jianshu.com/p/51c539f61ab0
https://blog.csdn.net/qq_30513483/article/details/51820525
https://blog.csdn.net/u013538542/article/details/70860013
http://blog.sina.com.cn/s/blog_894d45e20102wtbo.html
八、Hopper 安裝
直接百度下載
使用如下:
砸殼之後ipa中有一個mach-o 文件
就這個
然後打開Hopper
看 reveal 的類 GZECBaseWebViewController
看僞代碼
九、安裝theos
一、 安裝簽名工具ldid
1.先確保安裝了brew, https://brew.sh
$ /usr/bin/ruby -e "$(curl -fsSL
https://raw.githubusercontent.com/Homebrew/install/master/install)"
- 利用brew 安裝ldid
brew install ldid
二、 修改環境變量
- 編輯用戶的配置文件
vim ~/.bash_profile
- 在.bash_profile 文件後面加入以下2行
export THEOS=~/theos
export PATH=$THEOS/bin:$PATH
- 讓.bash_profile配置的環境變量立即生效
vim ~/.bash_profile
三、 下載theos
- 建議在$THEOS目錄下載代碼(就是上面配置的~/theos目錄)
git clone --recursive https://github.com/theos/theos.git $THEOS
四、 新建tweak項目
cd 到一個存放項目代碼的文件夾
cd ~/Desktop
nic.pl
選擇 iphone/tweak
填寫項目信息
Project Name
項目名稱
Package Name
項目ID (隨便寫)
Author/Maintainer Name
作者, 直接敲回車按照默認
[iphone/tweak] MobileSubstrate Bundle filter
需要修改APP的Bundle Identifier (喜馬拉雅的是com.gemd.iting )
可以通過Cycript 查看APP 的Bundle Identifier
[iphone/tweak] List of applications to terminate upon installation
直接敲回車就可以
Project Name (required): ting_tweak
Package Name [com.yourcompany.ting_tweak]: com.mj.ting
Author/Maintainer Name [MJ Lee]:
[iphone/tweak] MobileSubstrate Bundle filter [com.apple.springboard]:
com.gemd.iting
[iphone/tweak] List of applications to terminate upon installation (space-
separated, '-' for none) [SpringBoard]:
Instantiating iphone/tweak in ting_tweak/...
Done.
五、編輯Makefile
在前面加入環境變量, 寫清楚通過那個ip和端口訪問手機
THEOS_DEVICE_IP
THEOS_DEVICE_PORT
export THEOS_DEVICE_IP=127.0.0.1
export THEOS_DEVICE_PORT=10010
include $(THEOS)/makefiles/common.mk
TWEAK_NAME = ting_tweak
ting_tweak_FILES = Tweak.xm
include $(THEOS_MAKE_PATH)/tweak.mk
after-install::
install.exec "killall -9 SpringBoard"
如果不希望每個項目的Makefile都編寫環境變量,也可以添加到用戶配置文件中,編輯完畢之後 source ~/.bash_profile 讓配置生效
$ vim ~/.bash_profile
export THEOS=~/theos
export PATH=$THEOS/bin:$PATH
export THEOS_DEVICE_IP=127.0.0.1
export THEOS_DEVICE_PORT=10010
$ source ~/.bash_profile
安裝完成之後
cuilinhaodeMacBook-Pro:~ cuilinhao$ cd theos/
cuilinhaodeMacBook-Pro:theos cuilinhao$ ls
LICENSE.md bin lib package.json toolchain
Prefix.pch extras makefiles sdks vendor
README.md include mod templates
cuilinhaodeMacBook-Pro:theos cuilinhao$ ls -l
total 96
-rw-r--r-- 1 cuilinhao staff 35367 4 26 10:04 LICENSE.md
-rw-r--r-- 1 cuilinhao staff 754 4 26 10:04 Prefix.pch
-rw-r--r-- 1 cuilinhao staff 829 4 26 10:04 README.md
drwxr-xr-x 19 cuilinhao staff 608 4 26 10:04 bin
drwxr-xr-x 3 cuilinhao staff 96 4 26 10:04 extras
drwxr-xr-x 3 cuilinhao staff 96 4 26 10:04 include
drwxr-xr-x 3 cuilinhao staff 96 4 26 10:04 lib
drwxr-xr-x 25 cuilinhao staff 800 4 26 10:04 makefiles
drwxr-xr-x 3 cuilinhao staff 96 4 26 10:04 mod
-rw-r--r-- 1 cuilinhao staff 655 4 26 10:04 package.json
drwxr-xr-x 3 cuilinhao staff 96 4 26 10:04 sdks
drwxr-xr-x 3 cuilinhao staff 96 4 26 10:04 templates
drwxr-xr-x 3 cuilinhao staff 96 4 26 10:04 toolchain
drwxr-xr-x 7 cuilinhao staff 224 4 26 10:04 vendor
進入bin 進行查看
cuilinhaodeMacBook-Pro:theos cuilinhao$ cd bin
cuilinhaodeMacBook-Pro:bin cuilinhao$ ls -l
total 80
-rwxr-xr-x 1 cuilinhao staff 491 4 26 10:04 deb_build_num.sh
lrwxr-xr-x 1 cuilinhao staff 29 4 26 10:04 denicify.pl -> ../vendor/nic/bin/denicify.pl
lrwxr-xr-x 1 cuilinhao staff 21 4 26 10:04 dm.pl -> ../vendor/dm.pl/dm.pl
-rwxr-xr-x 1 cuilinhao staff 892 4 26 10:04 fakeroot.sh
-rwxr-xr-x 1 cuilinhao staff 148 4 26 10:04 install.copyFile
-rwxr-xr-x 1 cuilinhao staff 313 4 26 10:04 install.exec
-rwxr-xr-x 1 cuilinhao staff 213 4 26 10:04 install.mergeDir
lrwxr-xr-x 1 cuilinhao staff 29 4 26 10:04 logify.pl -> ../vendor/logos/bin/logify.pl
lrwxr-xr-x 1 cuilinhao staff 28 4 26 10:04 logos.pl -> ../vendor/logos/bin/logos.pl
lrwxr-xr-x 1 cuilinhao staff 24 4 26 10:04 nic.pl -> ../vendor/nic/bin/nic.pl
lrwxr-xr-x 1 cuilinhao staff 27 4 26 10:04 nicify.pl -> ../vendor/nic/bin/nicify.pl
-rwxr-xr-x 1 cuilinhao staff 980 4 26 10:04 package_version.sh
-rwxr-xr-x 1 cuilinhao staff 801 4 26 10:04 post-update
-rwxr-xr-x 1 cuilinhao staff 437 4 26 10:04 target.pl
lrwxr-xr-x 1 cuilinhao staff 12 4 26 10:04 update-git-repo -> update-theos
-rwxr-xr-x 1 cuilinhao staff 1030 4 26 10:04 update-theos
-rwxr-xr-x 1 cuilinhao staff 552 4 26 10:04 vercmp.pl
cuilinhaodeMacBook-Pro:bin cuilinhao$
配置路徑,使nic.pl 讓在任何地方訪問到
export THEOS=~/theos
export PATH=$THEOS/bin:$PATH
配置完之後查看
cuilinhaodeMacBook-Pro:~ cuilinhao$ echo $PATH
/Users/cuilinhao/.rvm/gems/ruby-2.2.2/bin:/Users/cuilinhao/.rvm/gems/ruby-2.2.2@global/bin:/Users/cuilinhao/.rvm/rubies/ruby-2.2.2/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/Users/cuilinhao/.rvm/bin
cuilinhaodeMacBook-Pro:~ cuilinhao$
ps: 如果配置完之後,還沒有出現路徑,執行命令 source .bash_profile 使路徑生效
六、編寫代碼
打開tweak.xm 文件
%hook SBIconParallaxBadgeView
- (id)init
{
return nil;
}
%end
七、 編譯-打包-安裝
- 編譯
make
- 打包成deb
make package
- 安裝(默認會自動重啓Springboard)
make install
八、可能遇到的問題
- -make package的錯誤
Can't locate IO/Compress/Lzma.pm in @INC (you may need to install the
IO::Compress::Lzma module) (@INC contains: /Library/Perl/5.18/darwin-
thread-multi-2level /Library/Perl/5.18 /Network/Library/Perl/5.18/darwin-
thread-multi-2level /Network/Library/Perl/5.18 /Library/Perl/Updates/5.18.2
/System/Library/Perl/5.18/darwin-thread-multi-2level
/System/Library/Perl/5.18 /System/Library/Perl/Extras/5.18/darwin-thread-
multi-2level /System/Library/Perl/Extras/5.18 .) at
/Users/mj/theos/bin/dm.pl line 12.
BEGIN failed--compilation aborted at /Users/mj/theos/bin/dm.pl line 12.
make: *** [internal-package] Error 2
- 錯誤是因爲打包壓縮方式有問題,改成gzip壓縮就可以了
- 修改dm.pl 文件,用#號註釋掉下面兩句
vim $THEOS/vendor/dm.pl/dm.pl
#use IO::Compress::Lzma;
#use IO::Compress::Xz;
- 修改deb.mk 文件第6行的壓縮方式爲gzp
vim $THEOS/makefiles/package/deb.mk
_THEOS_PLATFORM_DPKG_DEB_COMPRESSION ?= gzip
2 -make 錯誤
Error: You do not have an SDK in
/Library/Developer/CommandLineTools/Platforms/iPhoneOS.platform/Developer/S
DKs
- 是因爲xcode 導致路徑(有可能安裝了好幾個xcode),需要指定一下xcode
sudo xcode-select --switch
/Applications/Xcode.app/Contents/Developer/
- 在make是出現Nothing
> Making all for tweak xxx...
make[2]: Nothing to be done for `internal-library-compile'.
- 是因爲之前已經編譯過,有緩存導致的,clean一下即可
make clean
make
實現騰訊視頻播放去除廣告
- 找到騰訊ipa,進行砸殼處理
- 使用class-dump 導出頭文件
-
通過Reveal查看播放視圖view
![]()
4.如果只去除廣告的view,可能會清除廣告不完善,故清除整個vc,但在QNBPlayerVideoAdsViewController控制器中沒有找到對應的init方法,那隻能去找對應的父類
#import <UIKit/UIViewController.h>
#import "QNBBasePlayerViewControllerEventDelegate-Protocol.h"
#import "QNBEventDelegate-Protocol.h"
@class NSMutableArray, NSObject, NSString, QNBPlayerInfo;
@protocol QNBEventProxy;
@interface QNBBasePlayerViewController : UIViewController <QNBEventDelegate, QNBBasePlayerViewControllerEventDelegate>
{
_Bool _alreadyAddToParent;
QNBPlayerInfo *_playerInfo;
QNBBasePlayerViewController *_parentEventController;
UIViewController *_parentUIController;
UIViewController *_pageViewController;
NSMutableArray *_childEventControllers;
SEL _interceptReceiveSEL;
NSObject<QNBEventProxy> *_proxy;
}
@property(nonatomic) _Bool alreadyAddToParent; // @synthesize alreadyAddToParent=_alreadyAddToParent;
@property(nonatomic) __weak NSObject<QNBEventProxy> *proxy; // @synthesize proxy=_proxy;
@property(nonatomic) SEL interceptReceiveSEL; // @synthesize interceptReceiveSEL=_interceptReceiveSEL;
@property(retain, nonatomic) NSMutableArray *childEventControllers; // @synthesize childEventControllers=_childEventControllers;
@property(nonatomic) __weak UIViewController *pageViewController; // @synthesize pageViewController=_pageViewController;
@property(nonatomic) __weak UIViewController *parentUIController; // @synthesize parentUIController=_parentUIController;
@property(nonatomic) __weak QNBBasePlayerViewController *parentEventController; // @synthesize parentEventController=_parentEventController;
@property(nonatomic) __weak QNBPlayerInfo *playerInfo; // @synthesize playerInfo=_playerInfo;
- (void).cxx_destruct;
- (void)excuteEvent:(id)arg1 forEventNode:(id)arg2;
- (id)didReceivePlayerEventInUI:(id)arg1;
- (void)shouldSetConstraintsForViews;
- (void)shouldSetupViews;
- (void)addChildEventController:(id)arg1;
- (void)addToParentViewController;
- (void)viewDidLayoutSubviews;
- (id)eventProxy;
- (id)initWithEventProxy:(id)arg1 withPlayerInfo:(id)arg2 withParentViewController:(id)arg3 withPageViewController:(id)arg4 withAddToParenViewControllerNow:(_Bool)arg5;
- (id)initWithEventProxy:(id)arg1 withPlayerInfo:(id)arg2 withParentViewController:(id)arg3 withParentEventViewController:(id)arg4 withAddToParenViewControllerNow:(_Bool)arg5;
- (id)initWithEventProxy:(id)arg1 withPlayerInfo:(id)arg2 withParentViewController:(id)arg3 withAddToParenViewControllerNow:(_Bool)arg4;
- (id)initWithEventProxy:(id)arg1 withPlayerInfo:(id)arg2 withParentViewController:(id)arg3 withParentEventViewController:(id)arg4;
- (id)initWithEventProxy:(id)arg1 withPlayerInfo:(id)arg2 withParentViewController:(id)arg3;
// Remaining properties
@property(readonly, copy) NSString *debugDescription;
@property(readonly, copy) NSString *description;
@property(readonly) unsigned long long hash;
@property(readonly) Class superclass;
@end
5.重寫父類的init方法
- 獲取bundle ID MJAppId = [NSBundle mainBundle].bundleIdentifier
Zhanghua123:~ root# cycript -p live4iphone
cy# @import mjcript
{}
cy# [Nsbundle mainBundle]
throw new ReferenceError("Can't find variable: Nsbundle")
cy# [NSbundle mainBundle]
throw new ReferenceError("Can't find variable: NSbundle")
cy# MJAppId
@"com.tencent.live4iphone"
cy#
- 創建tweak
cuilinhaodeMacBook-Pro:TengXun cuilinhao$ nic.pl
NIC 2.0 - New Instance Creator
------------------------------
cuilinhaodeMacBook-Pro:TengXun cuilinhao$ nic.pl
NIC 2.0 - New Instance Creator
------------------------------
[1.] iphone/activator_event
[2.] iphone/application_modern
[3.] iphone/cydget
[4.] iphone/flipswitch_switch
[5.] iphone/framework
[6.] iphone/ios7_notification_center_widget
[7.] iphone/library
[8.] iphone/notification_center_widget
[9.] iphone/preference_bundle_modern
[10.] iphone/tool
[11.] iphone/tweak
[12.] iphone/xpc_service
Choose a Template (required): 11
Project Name (required): tweak_test
Package Name [com.yourcompany.tweak_test]: com.lh.test
Author/Maintainer Name [崔林豪]:
[iphone/tweak] MobileSubstrate Bundle filter [com.apple.springboard]: com.tencent.live4iphone
[iphone/tweak] List of applications to terminate upon installation (space-separated, '-' for none) [SpringBoard]:
Instantiating iphone/tweak in tweak_test/...
Done.
- 寫tweak.xm 文件
%hook QNBPlayerVideoAdsViewController
- (id)initWithEventProxy:(id)arg1 withPlayerInfo:(id)arg2
withParentViewController:(id)arg3 withPageViewController:(id)arg4 withAddToParenViewControllerNow:(_Bool)arg5
{
return nil;
}
- (id)initWithEventProxy:(id)arg1 withPlayerInfo:(id)arg2
withParentViewController:(id)arg3 withParentEventViewController:(id)arg4
withAddToParenViewControllerNow:(_Bool)arg5
{
return nil;
}
- (id)initWithEventProxy:(id)arg1 withPlayerInfo:(id)arg2
withParentViewController:(id)arg3 withAddToParenViewControllerNow:(_Bool)arg4
{
return nil;
}
- (id)initWithEventProxy:(id)arg1 withPlayerInfo:(id)arg2
withParentViewController:(id)arg3 withParentEventViewController:(id)arg4
{
return nil;
}
- (id)initWithEventProxy:(id)arg1 withPlayerInfo:(id)arg2
withParentViewController:(id)arg3
{
return nil;
}
%end
- 編譯-運行-安裝
cuilinhaodeMacBook-Pro:~ cuilinhao$ cd /Users/cuilinhao/Desktop/tencenttest
cuilinhaodeMacBook-Pro:tencenttest cuilinhao$ ls
Makefile control packages
Tweak.xm obj tencentTest.plist
cuilinhaodeMacBook-Pro:tencenttest cuilinhao$ make
> Making all for tweak tencentTest…
make[2]: Nothing to be done for `internal-library-compile'.
cuilinhaodeMacBook-Pro:tencenttest cuilinhao$ make clean
==> Cleaning…
cuilinhaodeMacBook-Pro:tencenttest cuilinhao$ make
> Making all for tweak tencentTest…
==> Preprocessing Tweak.xm…
==> Compiling Tweak.xm (armv7)…
==> Linking tweak tencentTest (armv7)…
clang: warning: libstdc++ is deprecated; move to libc++ with a minimum deployment target of iOS 7 [-Wdeprecated]
==> Generating debug symbols for tencentTest…
rm /Users/cuilinhao/Desktop/tencenttest/.theos/obj/debug/armv7/Tweak.xm.mm
==> Preprocessing Tweak.xm…
==> Compiling Tweak.xm (arm64)…
==> Linking tweak tencentTest (arm64)…
clang: warning: libstdc++ is deprecated; move to libc++ with a minimum deployment target of iOS 7 [-Wdeprecated]
==> Generating debug symbols for tencentTest…
rm /Users/cuilinhao/Desktop/tencenttest/.theos/obj/debug/arm64/Tweak.xm.mm
==> Merging tweak tencentTest…
==> Signing tencentTest…
cuilinhaodeMacBook-Pro:tencenttest cuilinhao$ make package
> Making all for tweak tencentTest…
make[2]: Nothing to be done for `internal-library-compile'.
> Making stage for tweak tencentTest…
dm.pl: building package `com.lh.test:iphoneos-arm' in `./packages/com.lh.test_0.0.1-5+debug_iphoneos-arm.deb'
cuilinhaodeMacBook-Pro:tencenttest cuilinhao$ make install
==> Installing…
[email protected]'s password:
(Reading database ... 3664 files and directories currently installed.)
Preparing to unpack /tmp/_theos_install.deb ...
Unpacking com.lh.test (0.0.1-5+debug) over (0.0.1-3+debug) ...
Setting up com.lh.test (0.0.1-5+debug) ...
install.exec "killall -9 SpringBoard"
[email protected]'s password:
cuilinhaodeMacBook-Pro:tencenttest cuilinhao$
十、逆向簡單應用
微信爬蟲
- 自動化實現通過手機號搜索獲取用戶信息
- 源碼鏈接: https://github.com/cuilinhao/WeChatCrawler.git
對WIFI伴侶 和WIFI萬能鑰匙進行逆向分析
參考 https://www.jianshu.com/p/e2eef5f9a09d
一步一步實現iOS微信自動搶紅包(非越獄)
找到CMessageMgr.h和WCRedEnvelopesLogicMgr.h這兩文件,其中我們注意到有這兩個方法:- (void)AsyncOnAddMsg:(id)arg1 MsgWrap:(id)arg2; ,- (void)OpenRedEnvelopesRequest:(id)arg1;。沒錯,接下來我們就是要利用這兩個方法來實現微信自動搶紅包功能。其實現原理是,通過hook微信的新消息函數,我們判斷是否爲紅包消息,如果是,我們就調用微信的打開紅包方法。這樣就能達到自動搶紅包的目的了。
參考大神的鏈接:https://www.jianshu.com/p/189afbe3b429
參考資源鏈接:http://ios.jobbole.com/92647/