LLDB is used to analyze wechat, and then the analysis results are used to gradually explain how to Hook the login process of wechat and intercept the wechat password.

In the last article (APP re-signing) we showed how to re-sign an APP and run WeChat from Xcode. Having got that far, we must not miss out on the powerful LLDB. This article explains how to analyze WeChat with LLDB and then uses the results of that analysis to show, step by step, how to hook WeChat's login flow and intercept the WeChat password.

Click to download the demo: HookWeChat. There are two copies of the code this time. The jailbroken WeChat is too large for GitHub's size limit, so it is not uploaded there; download it separately through the link below.

Tools and files required in this article:

  • Jailbroken WeChat 7.0.2 (extraction code: 2W87)
  • MachOView (extraction code: N3HY)
  • Yololib (extraction code: E8QS)
  • class-dump (extraction code: V5ku)

Over the next few parts we will strip off WeChat's seemingly secure coat and expose what is underneath.

  • The role of the Framework
  • A Preliminary Study on MachO (Principle Analysis)
  • Code injection (code procedures)
  • ViewDebug, LLDB, and class-dump analyze wechat login pages (Principle analysis)
  • Hook login, automatically obtain password (code process)
  • Conclusion

1. Functions of the Framework (those already familiar with Frameworks can skip this step)

I will not add my own explanation of what a Framework is; I refer to this website, which is very detailed, and if you do not understand it you can @ me directly. Click here: Framework strongest Explanation

Without further ado, here is a direct demonstration of how to create a Framework, together with the basic principles behind hooking WeChat.

Create a new project FrameworkDemo, then create a new Framework in it and call it FYHook.

Create a new InjectCode object in the newly created FYHook folder and add the following code:

// InjectCode.m: +load runs as soon as the FYHook image is loaded, before the app's own code
+ (void)load {
    NSLog(@"Here we go, brother 😁");
}

The 😁 line is printed, which proves that a Framework created this way runs directly in our project.

2. Initial exploration of MachO (if you do not want to see the principle, skip to the third part, code injection)

The APP re-signing article showed that we can run WeChat from Xcode. Is it possible to combine the two and inject our code into the WeChat APP?

Step 1 Start with a question.

According to the conclusion of APP re-signing, re-signing an APP is convenient with a script (WeChat is our example, so it is referred to as WeChat below). So if we create a Framework directly inside the re-signing script project, will the code in our Framework run inside WeChat?

Obviously it does not work (try it yourself if you are interested)! Why not? The answer comes next, so keep this question in mind.

Step 2 What MachO does

When we created FYHook in Xcode, Xcode did one more thing for us: at creation time it also linked FYHook into our project (this is automatic in newer versions of Xcode; in earlier versions we had to do this step ourselves).

Build with Command + B and, as in Step 8 of the APP re-signing article, locate the executable that was produced.

The executable file in question is the MachO file (not the focus of this article; a future article will cover the all-important MachO in depth). You can use the MachOView tool to see what is inside a MachO.

Step 3 MachOView

Open the MachO of FrameworkDemo with MachOView and you will see the following figure.

You can see a Load Commands group, which lists every dynamic library the loader has to load. In other words, if there is no corresponding entry for FYHook in Load Commands, FYHook is never loaded.

FYHook has been added to Load Commands, with a path relative to the MachO pointing into the same Frameworks directory. (FYHook.framework is a folder; the FYHook inside it is itself a MachO file.)

This answers the question of why adding FYHook directly to our re-signed script project did not run FYHook: the MachO file that ends up in the package has no FYHook path in its Load Commands, so the code in FYHook cannot run.

Can we then simply add FYHook to the MachO file we build? Obviously not, because the MachO we build is always replaced by the MachO from the original package (WeChat). We have to add FYHook to the MachO in the original package (WeChat).
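As an added example (not part of the original article), the following Python script does programmatically what MachOView shows above: it walks the Load Commands of a 64-bit MachO, lists every dylib-loading command, and then flags paths that are not OS libraries, which is exactly where an entry added by yololib would appear. The sample image is constructed inline for the demonstration; to inspect a real binary, pass open(path, "rb").read() to list_dylibs (thin 64-bit images only, not fat binaries).

```python
import struct

MH_MAGIC_64, MH_CIGAM_64 = 0xfeedfacf, 0xcffaedfe
# Load commands that tell dyld to load another image (where an injected entry shows up)
DYLIB_CMDS = {0xc: "LC_LOAD_DYLIB", 0x80000018: "LC_LOAD_WEAK_DYLIB",
              0x8000001f: "LC_REEXPORT_DYLIB", 0x80000023: "LC_LOAD_UPWARD_DYLIB"}

def list_dylibs(data):
    """Walk the load commands of a 64-bit Mach-O and return [(command, dylib path)]."""
    magic, = struct.unpack_from("<I", data, 0)
    end = {MH_MAGIC_64: "<", MH_CIGAM_64: ">"}.get(magic)
    if end is None:
        raise ValueError("not a thin 64-bit Mach-O image")
    ncmds, = struct.unpack_from(end + "I", data, 16)   # mach_header_64.ncmds
    off, found = 32, []                                # mach_header_64 is 32 bytes
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from(end + "II", data, off)
        if cmd in DYLIB_CMDS:
            name_off, = struct.unpack_from(end + "I", data, off + 8)  # dylib.name offset
            raw = data[off + name_off:off + cmdsize]
            found.append((DYLIB_CMDS[cmd], raw.split(b"\0", 1)[0].decode()))
        off += cmdsize
    return found

def foreign_dylibs(data, trusted=("/usr/lib/", "/System/Library/")):
    """Dylib paths that are not OS libraries: an injected framework is listed here."""
    return [path for _, path in list_dylibs(data) if not path.startswith(trusted)]

def dylib_cmd(path, cmd=0xc):
    """Build one dylib_command (used only to construct the sample image below)."""
    name = path.encode() + b"\0"
    size = 24 + len(name)
    size += (-size) % 8                                # cmdsize is 8-byte aligned
    return struct.pack("<IIIIII", cmd, size, 24, 2, 0x10000, 0x10000) + name.ljust(size - 24, b"\0")

def sample_image():
    """Constructed minimal arm64 MH_EXECUTE header: Foundation plus the path yololib adds."""
    cmds = dylib_cmd("/System/Library/Frameworks/Foundation.framework/Foundation") \
         + dylib_cmd("Frameworks/FYHook.framework/FYHook")
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000c, 0, 2, 2, len(cmds), 0, 0)
    return header + cmds

if __name__ == "__main__":
    for cmd, path in list_dylibs(sample_image()):
        print(cmd, path)
    print("not from the OS:", foreign_dylibs(sample_image()))
```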

Step 4 Inject FYHook into the MachO

Here we need the command-line tool Yololib (extraction code: E8QS).

Unzip the downloaded yololib.zip and put yololib in the Mac directory /usr/local/bin so that it can be used from the terminal.

The following command injects FYHook into WeChat:

// yololib "<MachO path>" "<FYHook path relative to the MachO>"
yololib WeChat Frameworks/FYHook.framework/FYHook

3. Code injection

Step 1 Establish the re-sign script project

Create a new project named InjectFrameWork; the process follows the previous article (APP re-signing), and you end up with the following project:

Step 2 Create a Framework file

Create a new Framework named FYHook, create InjectCode inside FYHook, add the same load code to InjectCode, and do the following:

Step 3 Modify the MachO file in the original package

Find WeChat's MachO file, open the terminal, cd into that directory and run the command:

// yololib "<MachO path>" "<FYHook path relative to the MachO>"
yololib WeChat Frameworks/FYHook.framework/FYHook

Step 4 Repackage WeChat.ipa

zip -ry WeChat.ipa Payload

Step 5 Add the new WeChat.ipa and run the project

Add the new jailbroken WeChat 7.0.2 .ipa to the APP folder (this step only adds the file; it does not add it to the project).

Press Command + R to run, and you will see WeChat start up and our "Here we go, brother 😁" printed as well!

Step 6 Something to think about

In the earlier analysis we created FYHook without injecting it into the MachO: "Here we go, brother 😁" was not printed, but WeChat still ran. So what happens if we inject FYHook into the MachO without creating the corresponding FYHook.framework? This is left for you to think about and then verify; students with an answer can leave a comment below and say why.

4. ViewDebug, LLDB, and class-dump analyze the WeChat login page

Step 1 ViewDebug

After WeChat is running, switch to the login page and use Xcode's ViewDebug to inspect the UI in detail.

Step 2 LLDB

Use LLDB to find the Target and Action names of the login button.

Step 3 class-dump

class-dump is a tool that exports the Objective-C runtime declarations of a binary as .h files. It can be used to export the headers of an unencrypted app.

As before, copy class-dump to the Mac directory /usr/local/bin so that class-dump can be used from the terminal.

Run the command to export all of WeChat's header files:

// class-dump -H "<app MachO file>" -o "<output directory>"   (-H writes one header per class)
class-dump -H WeChat -o /Users/dengbin/Code/GitHub/HookWeChat/InjectFrameWork/APP/WeChat-H

Step 4 Find the contents of the input box

Use a text tool such as Sublime Text to search the WeChat header files and find WCAccountMainLoginViewController.

Inside it there is a method - (void)onNext; and two members, _textFieldUserNameItem and _textFieldUserPwdItem, which look very much like the account field and the password field.

Next we need to find the string inside the password field. Both members are WCAccountTextFieldItem objects, so we go on and look up WCAccountTextFieldItem in the exported files.

No text field is found there, but WCAccountTextFieldItem inherits from WCBaseTextFieldItem, so continue searching for WCBaseTextFieldItem.

Here we find an m_textField member, a WCUITextField object that looks like our target text field, so let us go on and look at WCUITextField.

Sure enough, it is a UITextField subclass, so we can retrieve the string from its text property.

Now use LLDB to verify the guess: type "qWERTY" in the account field and "123456" in the password field:

po [(WCAccountMainLoginViewController *)0x1128bbc00 valueForKey:@"_textFieldUserPwdItem"]
po [(WCAccountTextFieldItem *)0x28328e880 valueForKey:@"m_textField"]
po [(WCUITextField *)0x112163a00 text]

The first address, 0x1128bbc00, was found with ViewDebug; each of the other two is taken from the output of the preceding po command.

The password 123456 that we typed is indeed found at the end, which proves the analysis is correct.

5. Hook login, automatically obtain the password

Then comes the coding. After the analysis of the principle, the code is actually very simple, so here it is directly:

#import "InjectCode.h"
#import <objc/runtime.h>

// Pointer to the original -onNext implementation, saved so it can be called afterwards
static void (*old_onNext)(id self, SEL _cmd);

// Replacement implementation that runs in place of -onNext
static void my_next(id self, SEL _cmd) {
    // Read the password and account text through the KVC chain found with LLDB
    NSString *pwd = [[[self valueForKey:@"_textFieldUserPwdItem"] valueForKey:@"m_textField"] performSelector:@selector(text)];
    NSString *accountTF = [[[self valueForKey:@"_textFieldUserNameItem"] valueForKey:@"m_textField"] performSelector:@selector(text)];
    NSLog(@"The password is! %@", pwd);
    // Append the password to the account field
    [[[self valueForKey:@"_textFieldUserNameItem"] valueForKey:@"m_textField"]
        performSelector:@selector(setText:)
            withObject:[NSString stringWithFormat:@"%@ + %@", accountTF, pwd]];
    // Call the original onNext so the login flow continues as before
    old_onNext(self, _cmd);
}

@implementation InjectCode

+ (void)load {
    NSLog(@"Here we go, brother 😁");
    Method onNext = class_getInstanceMethod(objc_getClass("WCAccountMainLoginViewController"),
                                            sel_registerName("onNext"));
    // 1. Save the original IMP
    old_onNext = (void (*)(id, SEL))method_getImplementation(onNext);
    // 2. Set our own IMP
    method_setImplementation(onNext, (IMP)my_next);
}

@end

To explain briefly: earlier we found that the login action is onNext, so we use Objective-C Runtime features to replace the implementation of onNext. Before the original onNext responds, we run our own code, such as writing the password directly into the account field. After running, the result is shown below:

I used method_getImplementation and method_setImplementation to hook the original method, but there are other ways too, such as class_replaceMethod() and method_exchangeImplementations(); this is just one example.

All the code for this article can be downloaded here: HookWeChat

6. Conclusion:

  • Re-sign the APP so it can run from Xcode
  • Use Yololib to inject the Framework so that our code runs inside the APP
  • Use ViewDebug, LLDB, and class-dump to locate the login event and the password box
  • Use the Runtime's method swizzling to hook the login event

This is only a first contact with a simple static WeChat page. The idea is simple, but the tools we used were paved for us by countless predecessors; thank you!

The MachO file is only briefly mentioned in this article. In fact, MachO is crucial throughout the reverse engineering process. For example:

  • Cracking the shell of the app is actually decrypting MachO
  • All the method names, all the static strings are stored in MachO
  • App architectures (arm64, armv7, ...) are also distinguished in MachO
  • App loading is actually a step by step operation on MachO
  • ...

So in the next article I will take a closer look at the MachO file. Please keep following; if you found this helpful, bookmark it and leave a comment.