Eight or nine months ago I read the article "Step by step to achieve iOS WeChat automatic red envelope snatching (non-jailbreak)" and tried to build one myself, but because my device runs iOS 9.3.2, which behaves a little differently, I got stuck at the shell-breaking and packaging steps. One or two months ago I saw someone succeed again: "Make WeChat Great Again". So this time I decided to try once more, and I finally figured it out. Ha!

I have been using it for a long time and the account has not been banned!

What you need to prepare:

- dumpdecrypted (to decrypt the App Store shell)
- yololib (to inject the dylib)
- class-dump (to dump the headers)
- iOSOpenDev
- iTools, PP Assistant
- OpenSSH and Cycript (installed on the jailbroken phone)
- Command Line Tools
- Reveal
- Hopper (to view the binary for code analysis)
- Xcode
- An Apple Developer certificate or enterprise certificate with its provisioning profile
- A jailbroken iPhone
- The WeChat app installation package

Part 1: Breaking the shell

There are two ways to obtain a decrypted binary: 1. break the shell manually yourself; 2. download an already-cracked WeChat through a third-party jailbreak platform (such as iTools or PP Assistant).

Manual shell breaking:

1. On the jailbroken phone, install the OpenSSH plug-in and the Cycript plug-in (a command-line tool that interacts with a running application) through the jailbreak software.

2. Keep the jailbroken phone on the same LAN as the Mac, so that the Mac can reach the phone over SSH.

3. On the Mac command line, log in to the phone over SSH: `ssh root@<phone IP address>`. The default root password is alpine; you can change it.

4. Run WeChat on the phone, then list the running processes and filter for WeChat: `ps -e | grep WeChat`. The output shows the path of the WeChat executable; write it down, it is needed later.

The path I got is /var/containers/Bundle/Application/D7DA798A-…-EDF4D52A1BAE/WeChat.app/WeChat (the UUID is device-specific; use your own).

5. Find WeChat's Documents path: run `cycript -p WeChat` to attach to the running WeChat process and enter the cycript prompt.

6. At the cycript prompt, enter `NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES)[0]` to obtain the Documents path, and write it down for later. WeChat must be running for this to work. Press Ctrl+D to leave cycript.

The path I got is /var/mobile/Containers/Data/Application/B3DFAF56-E8EE-…/Documents (device-specific; use your own).

7. Copy dumpdecrypted into WeChat's Documents directory for the decryption step. Switch back to the Mac terminal and copy the file with scp:

`scp dumpdecrypted.dylib root@<phone IP address>:<Documents directory>`

8. Log in to the phone over SSH again and start breaking the shell.

The usual command is `DYLD_INSERT_LIBRARIES=<Documents path>/dumpdecrypted.dylib <executable path>`. On my phone (iOS 9.3.2) it failed with the following errors:

Killed: 9

Failed opening: Permission denied

This is the error that held me back eight or nine months ago. I was not willing to give up, and after repeated attempts I broke the shell with the following method:

cd into the Documents directory and run `DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib <executable path>` as the mobile user. It finally worked.

The command writes the decrypted file, WeChat.decrypted, into the current directory.

9. Copy WeChat.decrypted to your Mac:

`scp root@<phone IP address>:/var/mobile/Containers/Data/Application/B3DFAF56-E8EE-…/Documents/WeChat.decrypted ./` (copies it into the current directory)

Check whether the shell was really broken: `otool -l WeChat.decrypted | grep -B 2 crypt`. cryptid 0 means the slice is decrypted; cryptid 1 means it is still encrypted. My phone is a 5S, so cryptid 0 in the arm64 slice means the shell was broken successfully.

10. Copy WeChat.app to the Mac for later use. Use `scp -r` here, because it is a directory:

`scp -r root@<phone IP address>:/var/containers/Bundle/Application/D7DA798A-…-EDF4D52A1BAE/WeChat.app ./`

Part 2: Injection

Install iOSOpenDev

iosopendev.com/download/

If the installer fails, try downloading iOSOpenDev_Patches and follow these steps:

1. Rename the Specifications1 folder to Specifications and place it in /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/Library/Xcode/

2. Rename the Specifications2 folder to Specifications and place it in /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Developer/Library/Xcode/

3. Rename usr3 to usr and place it in /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Developer/

4. Install iOSOpenDev

Generate the dylib file

Create a new project, choose the Cocoa Touch Library template, and name it autoGetRedEnv.

Download CaptainHook.h and autoGetRedEnv.mm from GitHub, copy the source into the project, and build libautoGetRedEnv.dylib. The red-envelope method in the .mm file has to be modified, because WeChat changed how red envelopes are received: it is no longer as simple as hooking WeChat's AsyncOnAddMsg:MsgWrap: and then calling the method that opens the envelope.

The new way to receive red envelopes automatically:

Hook WeChat's AsyncOnAddMsg:MsgWrap: and, inside it, call ReceiverQueryRedEnvelopesRequest:, the method that receives the envelope.

```objc
CHMethod(2, void, CMessageMgr, AsyncOnAddMsg, id, arg1, MsgWrap, id, arg2) {
    CHSuper(2, CMessageMgr, AsyncOnAddMsg, arg1, MsgWrap, arg2);
    NSUInteger m_uiMessageType = [arg2 m_uiMessageType];
    id m_nsFromUsr = [arg2 m_nsFromUsr];
    id m_nsContent = [arg2 m_nsContent];
    switch (m_uiMessageType) {
        case 49: {
            id logicMgr = [[objc_getClass("MMServiceCenter") defaultCenter] getService:objc_getClass("WCRedEnvelopesLogicMgr")];
            id contactManager = [[objc_getClass("MMServiceCenter") defaultCenter] getService:objc_getClass("CContactMgr")];
            id selfContact = [contactManager getSelfContact];
            id m_nsUsrName = [selfContact m_nsUsrName];
            // Ignore red envelopes sent by this account itself
            if ([m_nsFromUsr isEqualToString:m_nsUsrName]) {
                return;
            }
            if ([m_nsContent rangeOfString:@"wxpay://"].location != NSNotFound) {
                if (!kZTConfig.isAutoGrapEnv) {
                    return;
                }
                // Cut the wxpay:// native URL out of the message content
                NSString *nativeUrl = m_nsContent;
                NSRange rangeStart = [m_nsContent rangeOfString:@"wxpay://c2cbizmessagehandler/hongbao"];
                if (rangeStart.location != NSNotFound) {
                    NSUInteger locationStart = rangeStart.location;
                    nativeUrl = [nativeUrl substringFromIndex:locationStart];
                }
                NSRange rangeEnd = [nativeUrl rangeOfString:@"]]"];
                if (rangeEnd.location != NSNotFound) {
                    NSUInteger locationEnd = rangeEnd.location;
                    nativeUrl = [nativeUrl substringToIndex:locationEnd];
                }
                // Split the query string into key=value pairs
                NSString *naUrl = [nativeUrl substringFromIndex:[@"wxpay://c2cbizmessagehandler/hongbao/receivehongbao?" length]];
                NSArray *parameterPairs = [naUrl componentsSeparatedByString:@"&"];
                NSMutableDictionary *parameters = [NSMutableDictionary dictionaryWithCapacity:[parameterPairs count]];
                for (NSString *currentPair in parameterPairs) {
                    NSRange range = [currentPair rangeOfString:@"="];
                    if (range.location == NSNotFound) continue;
                    NSString *key = [currentPair substringToIndex:range.location];
                    NSString *value = [currentPair substringFromIndex:range.location + 1];
                    [parameters SafetySetObject:value forKey:key];
                }
                // Red envelope parameters...
                NSLog(@"dictParam=%@", dictParam);
                ((void (*)(id, SEL, NSMutableDictionary *))objc_msgSend)(logicMgr, @selector(ReceiverQueryRedEnvelopesRequest:), dictParam);
                return;
            }
            break;
        }
        default:
            break;
    }
}
```

Then hook OnWCToHongbaoCommonResponse:Request: and, inside it, call OpenRedEnvelopesRequest:, the method that opens the envelope.

```objc
CHDeclareClass(WCRedEnvelopesLogicMgr);
CHOptimizedMethod2(self, void, WCRedEnvelopesLogicMgr, OnWCToHongbaoCommonResponse, id, arg1, Request, id, arg2) {
    CHSuper2(WCRedEnvelopesLogicMgr, OnWCToHongbaoCommonResponse, arg1, Request, arg2);
    if ([ZTUserDefaults boolForKey:kZTAutoGrapEnvKey]) {
        if ([NSStringFromClass([arg1 class]) isEqualToString:@"HongBaoRes"]) {
            NSData *data = [[arg1 retText] buffer];
            if (nil != data && 0 < [data length]) {
                NSError *error = nil;
                id jsonObj = [NSJSONSerialization JSONObjectWithData:data options:NSJSONReadingAllowFragments error:&error];
                if (nil != error) {
                    NSLog(@"error %@", [error localizedDescription]);
                } else if (nil != jsonObj) {
                    if ([NSJSONSerialization isValidJSONObject:jsonObj]) {
                        if ([jsonObj isKindOfClass:[NSDictionary class]]) {
                            id idTemp = jsonObj[@"timingIdentifier"];
                            if (idTemp) {
                                // Take the saved request parameters and add the timingIdentifier from the response
                                NSMutableDictionary *params = [[ZTUserDefaults objectForKey:ZTParamKey] mutableCopy];
                                [ZTUserDefaults setObject:[NSMutableDictionary dictionary] forKey:ZTParamKey];
                                [params SafetySetObject:idTemp forKey:@"timingIdentifier"];
                                if (params.allKeys.count < 2) {
                                    return;
                                }
                                id logicMgr = [[objc_getClass("MMServiceCenter") defaultCenter] getService:objc_getClass("WCRedEnvelopesLogicMgr")];
                                // Open the envelope after a one-second delay
                                dispatch_time_t delayTime = dispatch_time(DISPATCH_TIME_NOW, 1.0 * NSEC_PER_SEC);
                                dispatch_after(delayTime, dispatch_get_main_queue(), ^(void) {
                                    ((void (*)(id, SEL, NSMutableDictionary *))objc_msgSend)(logicMgr, @selector(OpenRedEnvelopesRequest:), params);
                                });
                            }
                        }
                    }
                }
            }
        }
    }
}
```

To reduce the chance of being banned: do not grab red envelopes you sent yourself, do not grab the same red envelope twice, and add a delay before grabbing if necessary.

Modify the WeChat step count

```objc
#pragma mark - WCDeviceStepObject
CHDeclareClass(WCDeviceStepObject);

// Override the step count WeChat reports
CHOptimizedMethod(0, self, unsigned long, WCDeviceStepObject, m7StepCount) {
    return 6666;
}
CHOptimizedMethod(0, self, unsigned long, WCDeviceStepObject, hkStepCount) {
    return 6666;
}

__attribute__((constructor)) static void entry() {
    // The class must be loaded before CHHook can patch it
    CHLoadLateClass(WCDeviceStepObject);
    // CHHook(0, WCDeviceStepObject, m7StepCount);
    CHHook(0, WCDeviceStepObject, hkStepCount);
}
```

To prevent message recall: WeChat calls onRevokeMsg: when a message is recalled, so hook it and do nothing.

```objc
CHDeclareClass(CMessageMgr);

// Swallow the recall notification so the message stays visible
CHOptimizedMethod(1, self, void, CMessageMgr, onRevokeMsg, id, Value1) {
}

__attribute__((constructor)) static void entry() {
    // Load CMessageMgr
    CHLoadLateClass(CMessageMgr);
    CHHook(1, CMessageMgr, onRevokeMsg);
}
```

We can also add control switches in the Settings screen. WeChat's settings page is NewSettingViewController; we add two cells to it, one to toggle red-envelope grabbing and one to set the step count. The section class of the settings page is MMTableViewSectionInfo; in Hopper you can see several methods that create cells, and we use the two below. The step count and the switch state are stored by a simple class.

```objc
// Add the red-envelope switch and the step-count editor to the settings page
CHDeclareClass(NewSettingViewController);
CHOptimizedMethod0(self, void, NewSettingViewController, reloadTableData) {
    CHSuper0(NewSettingViewController, reloadTableData);
    MMTableViewInfo *tableInfo = [self valueForKey:@"m_tableViewInfo"];
    MMTableViewSectionInfo *sectionInfo = [objc_getClass("MMTableViewSectionInfo") sectionInfoDefaut];
    // Switch cell: toggles automatic grabbing
    MMTableViewCellInfo *autoGrapRedEnvCellInfo = [objc_getClass("MMTableViewCellInfo") switchCellForSel:@selector(autoGrabEnvSwitchAction:) target:kZTConfig title:@"automatic grab a red envelope" on:kZTConfig.isAutoGrapEnv];
    [sectionInfo addCell:autoGrapRedEnvCellInfo];
    // Editor cell: sets the step count
    MMTableViewCellInfo *stepCell = [objc_getClass("MMTableViewCellInfo") editorCellForSel:@selector(handleStepCount:) focus:NO text:[NSString stringWithFormat:@"%ld", (long)kZTConfig.stepCount]];
    [sectionInfo addCell:stepCell];
    [tableInfo insertSection:sectionInfo At:0];
    MMTableView *tableView = [tableInfo getTableView];
    [tableView reloadData];
}
```

Build the project to obtain libautoGetRedEnv.dylib.

Inject the dylib

1. Rename WeChat.decrypted to WeChat, then inject the dylib into WeChat with yololib.

2. Run `./yololib <target executable> <dylib to inject>`, for example `./yololib WeChat libautoGetRedEnv.dylib`. yololib prints the load command it inserted into the binary.
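Two checks above are done by eye: the `otool -l WeChat.decrypted | grep -B 2 crypt` cryptid check in Part 1 step 9, and reading yololib's output after injection. The following Python script is an added example (my own, not from the original article or from yololib/dumpdecrypted): it parses the Mach-O load commands directly, reports the cryptid of each architecture slice and lists the LC_LOAD_DYLIB entries, so a decrypted-and-injected binary can be verified from a script instead of a screenshot. It assumes yololib injects a plain LC_LOAD_DYLIB command; the sample "binaries" at the bottom are constructed in memory for demonstration and are not real WeChat files.

```python
"""Inspect Mach-O load commands: per-slice cryptid (what `otool -l | grep crypt`
shows) and the list of dylibs the binary loads."""
import struct
import sys

MH_MAGIC = 0xFEEDFACE        # 32-bit Mach-O header, little-endian
MH_MAGIC_64 = 0xFEEDFACF     # 64-bit Mach-O header, little-endian
FAT_MAGIC = 0xCAFEBABE       # universal binary; the fat header is big-endian
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x80000018
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C
CPU_NAMES = {12: "arm", 0x0100000C: "arm64"}


def parse_thin(data, base=0):
    """Parse one Mach-O slice that starts at offset `base`.

    Returns {"cputype", "cryptid", "dylibs"}; cryptid is None when the slice
    carries no LC_ENCRYPTION_INFO command at all (e.g. a plain dylib)."""
    magic = struct.unpack_from("<I", data, base)[0]
    if magic == MH_MAGIC_64:
        header_size = 32
    elif magic == MH_MAGIC:
        header_size = 28
    else:
        raise ValueError("no little-endian Mach-O header at offset %d" % base)
    cputype, _sub, _filetype, ncmds, _sizeofcmds = struct.unpack_from("<5I", data, base + 4)
    result = {"cputype": CPU_NAMES.get(cputype, hex(cputype)), "cryptid": None, "dylibs": []}
    off = base + header_size
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8:
            raise ValueError("malformed load command at offset %d" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # layout after the 8-byte command header: cryptoff, cryptsize, cryptid
            result["cryptid"] = struct.unpack_from("<3I", data, off + 8)[2]
        elif cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB):
            # dylib.name is an lc_str: byte offset from the start of this command
            name_off = struct.unpack_from("<I", data, off + 8)[0]
            raw = data[off + name_off:off + cmdsize]
            result["dylibs"].append(raw.split(b"\0", 1)[0].decode("utf-8", "replace"))
        off += cmdsize
    return result


def inspect_macho(data):
    """Return one record per architecture slice; fat binaries are unwrapped."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", data, 4)[0]
        slices = []
        for i in range(nfat):
            _cpu, _sub, offset, _size, _align = struct.unpack_from(">5I", data, 8 + 20 * i)
            slices.append(parse_thin(data, offset))
        return slices
    return [parse_thin(data, 0)]


def is_decrypted(data):
    """True when no slice still has cryptid 1 (otool shows cryptid 0 for every arch)."""
    return all(s["cryptid"] in (None, 0) for s in inspect_macho(data))


# --- constructed sample data (not a real WeChat binary) -----------------------

def build_slice(cputype, cryptid, dylibs, bits=64):
    """Build a minimal Mach-O slice: one LC_ENCRYPTION_INFO(_64) plus one
    LC_LOAD_DYLIB per name. Constructed for demonstration only."""
    if bits == 64:
        cmds = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x10000, cryptid, 0)
    else:
        cmds = struct.pack("<5I", LC_ENCRYPTION_INFO, 20, 0x4000, 0x10000, cryptid)
    for name in dylibs:
        payload = name.encode() + b"\0"
        payload += b"\0" * (-len(payload) % 8)       # keep commands 8-byte aligned
        cmds += struct.pack("<6I", LC_LOAD_DYLIB, 24 + len(payload), 24, 0, 0, 0) + payload
    ncmds = 1 + len(dylibs)
    if bits == 64:
        header = struct.pack("<8I", MH_MAGIC_64, cputype, 0, 2, ncmds, len(cmds), 0, 0)
    else:
        header = struct.pack("<7I", MH_MAGIC, cputype, 0, 2, ncmds, len(cmds), 0)
    return header + cmds


def build_fat(slices):
    """Wrap thin slices in a big-endian fat header (constructed)."""
    header = struct.pack(">II", FAT_MAGIC, len(slices))
    offset = 8 + 20 * len(slices)
    archs, body = b"", b""
    for s in slices:
        cputype = struct.unpack_from("<I", s, 4)[0]
        archs += struct.pack(">5I", cputype, 0, offset, len(s), 0)
        body += s
        offset += len(s)
    return header + archs + body


if __name__ == "__main__":
    # Usage: python macho_check.py WeChat.decrypted
    with open(sys.argv[1], "rb") as fh:
        for rec in inspect_macho(fh.read()):
            print(rec["cputype"], "cryptid", rec["cryptid"], "dylibs", rec["dylibs"])
```

Run it on WeChat.decrypted before and on the injected WeChat after yololib: the first run should show cryptid 0 for the arm64 slice (on a 5S), and the second should list the injected dylib alongside the system libraries. A slice with cryptid 1 means dumpdecrypted did not actually decrypt that architecture, which is exactly the failure mode described in step 8 above.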

3. Re-sign and package

1. Create a new Entitlements.plist:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>CERTIFICATE_ID.com.xx.xx</string>
    <key>aps-environment</key>
    <string>production</string>
    <key>com.apple.developer.team-identifier</key>
    <string>CERTIFICATE_ID</string>
    <key>get-task-allow</key>
    <false/>
</dict>
</plist>
```

Replace CERTIFICATE_ID with the identifier from your certificate. To obtain the values, run ldid against a binary already signed with that certificate; it prints the binary's entitlements: `/opt/iOSOpenDev/bin/ldid -e ./Demo.app/Demo`

2. Download the provisioning profile

Download a profile that matches the plist above from the developer website and name it embedded.mobileprovision.

3. Put the following four files into the WeChat.app folder you backed up earlier: 1. embedded.mobileprovision 2. libautoGetRedEnv.dylib 3. the WeChat binary with libautoGetRedEnv.dylib injected 4. Entitlements.plist

Make sure the .plist, embedded.mobileprovision and the certificate used for packaging all match each other; otherwise packaging will fail no matter how many times you try.

4. Re-sign the WeChat program: `codesign -f -s "<certificate name>" <target file>`

```shell
codesign -f -s "iPhone Developer:xxxxx" WeChat.app/libautoGetRedEnv.dylib
codesign -f -s "iPhone Developer:xxxxx" WeChat.app/Watch/WeChatWatchNative.app/PlugIns/WeChatWatchNativeExtension.appex
codesign -f -s "iPhone Developer:xxxxx" WeChat.app/Watch/WeChatWatchNative.app
codesign -f -s "iPhone Developer:xxxxx" WeChat.app/PlugIns/WeChatShareExtensionNew.appex
codesign -f -s "iPhone Developer:xxxxx" --entitlements Entitlements.plist WeChat.app
```
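Step 3 above warns that Entitlements.plist, embedded.mobileprovision and the certificate must agree or packaging keeps failing. The following Python script is an added example (my own, not from the original article or from Apple's tooling): it pulls the plist payload out of a .mobileprovision, compares it field by field with an Entitlements.plist, and reports every mismatch, including an expired profile, before codesign is run. It reads the profile's XML payload without verifying its CMS signature (assumption: the profile was just downloaded from the developer portal); the team identifier TEAMID0000 and the profile bytes are constructed placeholders.

```python
"""Cross-check an Entitlements.plist against the provisioning profile that will
be embedded next to it, so codesign failures are caught before signing."""
import datetime
import fnmatch
import plistlib


def profile_plist(blob):
    """Extract the plist dictionary from a .mobileprovision file.

    The profile is a CMS (PKCS#7) signed blob whose payload is an XML plist;
    the plist text sits between '<?xml' and '</plist>'. Only the payload is
    read here; the CMS signature is not verified (assumption, see lead-in)."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found in the profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def check_entitlements(entitlements_xml, profile_blob, now=None):
    """Return a list of mismatches between the entitlements and the profile;
    an empty list means the pair is consistent. `now` is an ISO date string
    for the expiry check (defaults to the current UTC time)."""
    ent = plistlib.loads(entitlements_xml)
    prof = profile_plist(profile_blob)
    prof_ent = prof.get("Entitlements", {})
    problems = []

    app_id = ent.get("application-identifier", "")
    allowed = prof_ent.get("application-identifier", "")
    # Profiles may grant a wildcard such as TEAMID.* ; fnmatch covers both forms
    if not fnmatch.fnmatchcase(app_id, allowed):
        problems.append("application-identifier %r is not covered by profile %r" % (app_id, allowed))

    team = ent.get("com.apple.developer.team-identifier", "")
    if team not in prof.get("TeamIdentifier", []):
        problems.append("team-identifier %r is not a team of this profile" % team)
    if app_id.split(".", 1)[0] != team:
        problems.append("application-identifier prefix does not equal the team-identifier")

    # These two must be identical in plist and profile or the signature is rejected
    for key in ("aps-environment", "get-task-allow"):
        if key in ent and ent.get(key) != prof_ent.get(key):
            problems.append("%s is %r in the plist but %r in the profile" % (key, ent[key], prof_ent.get(key)))

    expires = prof.get("ExpirationDate")
    if now:
        today = datetime.datetime.fromisoformat(now)
    else:
        today = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    if expires is not None and expires < today:
        problems.append("profile expired on %s" % expires.date())
    return problems


# --- constructed sample inputs (placeholder team id, not real values) ----------

SAMPLE_PROFILE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>Name</key><string>Example Profile</string>
<key>TeamIdentifier</key><array><string>TEAMID0000</string></array>
<key>ExpirationDate</key><date>2030-01-01T00:00:00Z</date>
<key>Entitlements</key><dict>
<key>application-identifier</key><string>TEAMID0000.*</string>
<key>aps-environment</key><string>production</string>
<key>com.apple.developer.team-identifier</key><string>TEAMID0000</string>
<key>get-task-allow</key><false/>
</dict></dict></plist>"""
# A real .mobileprovision wraps the plist in DER-encoded CMS; a few junk bytes stand in for that here
SAMPLE_PROFILE = b"\x30\x82\x0b\x7d\x06\x09" + SAMPLE_PROFILE_PLIST + b"\x00\x01\x02"


def entitlements_for(team, bundle_id, aps="production", task_allow=False):
    """Build an Entitlements.plist with the same keys as the one above (constructed)."""
    return plistlib.dumps({
        "application-identifier": "%s.%s" % (team, bundle_id),
        "aps-environment": aps,
        "com.apple.developer.team-identifier": team,
        "get-task-allow": task_allow,
    })


if __name__ == "__main__":
    # Usage with real files: check_entitlements(open("Entitlements.plist","rb").read(),
    #                                           open("embedded.mobileprovision","rb").read())
    for problem in check_entitlements(entitlements_for("ZZZZZ99999", "com.xx.xx"), SAMPLE_PROFILE):
        print("mismatch:", problem)
```

Run the check on the real Entitlements.plist and embedded.mobileprovision before the codesign commands; an empty result means the identifiers line up, and each reported line names the field that would otherwise make the signed app refuse to install.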

After re-signing, package it into an IPA. We can use xcrun to generate the IPA:

`xcrun -sdk iphoneos PackageApplication -v WeChat.app -o ~/WeChat.ipa`

Install the resulting WeChat.ipa on the phone using iTools.

The result (screenshots in the original post):

Automatic red envelope snatching

Prevents group message recall

Modified step count

Automatic red envelope switch and step count setting