Today, while sorting things out, I happened to come across a list of reversed WeChat functions, and remembered that I had once learned a little iOS reverse engineering.
Although what I promised my friend did not work out, I still want to share my experience and ideas, and finally take a look at what a WeChat group ID looks like.
Without further ado, let's get to the main point of this article: the preparation for iOS reverse development that comes before writing a tweak.
There are already too many posts about reversing WeChat on the Internet; I can't just be another one saying "reverse" or "tweak", it is too cliché. This article proceeds in the following order:
1. To reverse WeChat, the first thing to consider is how to inject the dynamic library we wrote and re-sign the app, so we start from the script.
2. How to use Xcode to debug, and run the script to install WeChat on a non-jailbroken phone.
3. Write the tweak code, generate the dynamic library, and add practical functions such as anti-undo (anti-recall).
4. Organize the tools used for development.
Write a Script
```bash
#!/bin/bash
BUNDLEIDENTIFIER=com.meishu.Ye
APPLICATIONIDENTIFIER=***.${BUNDLEIDENTIFIER}
WECHATFILEPATH=/Users/****/git/jailbreak/6.5.3WeChat2

# Point the tweak's CydiaSubstrate dependency at the libsubstrate.dylib we ship next to it
install_name_tool -change /Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate @loader_path/libsubstrate.dylib ./Debug-iphoneos/bot.dylib
ls
ORIGINDIR=$(pwd)
cp ./Debug-iphoneos/bot.dylib bot.dylib
cp ./libsubstrate.dylib libsubstrate.dylib
cp ./FontAwesome.otf FontAwesome.otf
cp ./WechatIMG1.png WechatIMG1.png
LIBNAME=$(find bot.dylib)
LIBSUBNAME=$(find libsubstrate.dylib)
FONTNAME=$(find FontAwesome.otf)
WECHATIMG1=$(find WechatIMG1.png)
# $(find *.dylib)
TEMPDIR=$(mktemp -d)

# 0. get argv
if [ x$1 != x ]
then
    BUNDLEIDENTIFIER=$1
fi

# 1. unzip ipa
unzip -qo ${WECHATFILEPATH}/WeChat.ipa -d $TEMPDIR

# 2. copy files
cp ${WECHATFILEPATH}/embedded.mobileprovision $TEMPDIR/
cp ${WECHATFILEPATH}/entitlements.plist $TEMPDIR/
cp ${LIBNAME} $TEMPDIR/
cp ${LIBSUBNAME} $TEMPDIR/
cp ${FONTNAME} $TEMPDIR/
cp ${WECHATIMG1} $TEMPDIR/

# 2.1 rm origin WeChat begin
# rm $TEMPDIR/Payload/WeChat.app/WeChat
# cp ${WECHATFILEPATH}/WeChat $TEMPDIR/Payload/WeChat.app/
# 2.1 rm origin WeChat end

# 3. re-sign
cd $TEMPDIR
plutil -replace application-identifier -string ${APPLICATIONIDENTIFIER} entitlements.plist
plutil -replace CFBundleIdentifier -string ${BUNDLEIDENTIFIER} Payload/WeChat.app/Info.plist
mv ${FONTNAME} Payload/WeChat.app/
mv ${LIBNAME} Payload/WeChat.app/
mv ${LIBSUBNAME} Payload/WeChat.app/
#${WECHATFILEPATH}/insert_dylib --all-yes @executable_path/${LIBSUBNAME} Payload/WeChat.app/WeChat
#mv Payload/WeChat.app/WeChat_patched Payload/WeChat.app/WeChat
#chmod +x Payload/WeChat.app/WeChat
# insert_dylib writes its result to WeChat_patched; the optool line below edits the original in place
# and is then overwritten by the mv, so only the insert_dylib output survives
${WECHATFILEPATH}/insert_dylib --all-yes @executable_path/${LIBNAME} Payload/WeChat.app/WeChat
${WECHATFILEPATH}/optool install -c load -p @executable_path/${LIBNAME} -t Payload/WeChat.app/WeChat
mv Payload/WeChat.app/WeChat_patched Payload/WeChat.app/WeChat
chmod +x Payload/WeChat.app/WeChat
rm -rf Payload/WeChat.app/_CodeSignature
rm -rf Payload/WeChat.app/PlugIns
rm -rf Payload/WeChat.app/Watch
cp embedded.mobileprovision Payload/WeChat.app/
codesign -fs "iPhone Developer: **** (****)" --no-strict --entitlements=entitlements.plist Payload/WeChat.app/${LIBSUBNAME}
codesign -fs "iPhone Developer: **** (****)" --no-strict --entitlements=entitlements.plist Payload/WeChat.app/${LIBNAME}
codesign -fs "iPhone Developer: **** (****)" --no-strict --entitlements=entitlements.plist Payload/WeChat.app

# 4. end
rm -rf ${ORIGINDIR}/WeChat.app
mv Payload/WeChat.app ${ORIGINDIR}
rm -rf ${TEMPDIR}
```
Explanation:
1. We are only reversing apps for learning, so there is no need to jailbreak the iPhone; the main goal of this article is to reverse WeChat functions without jailbreaking.
2. If you do not have a jailbroken phone, the best way is to download the cracked WeChat app through an assistant, such as version 6.5.3 used in this article.
3. install_name_tool: its core use is to replace the name of a dependency. To simplify things, the original CydiaSubstrate dependency is replaced with the path-relative @loader_path/libsubstrate.dylib, and the third parameter is the executable file to modify, here the injected bot.dylib. For more install_name_tool functions, please refer to the link: http://www.unix.com/man-page/osx/1/installnametool/
4. The plutil command replaces the identifiers in entitlements.plist and Info.plist so that they match our own embedded.mobileprovision and entitlements.plist; the plutil command format is as used in the script above.
5. Use insert_dylib to inject the dynamic library and its dependent library.
6. Delete the unnecessary files _CodeSignature, PlugIns and Watch to avoid injection failure.
7. Finally, the codesign command signs the relevant files in WeChat. After signing, the executable can be successfully installed on a non-jailbroken phone.
Xcode debugging
Too lazy to write it all out, so look at the pictures directly. There are three main steps to generate the cracked WeChat app and install it on the phone for debugging:
1. Create a project with the same name, WeChat, which is used to generate WeChat.app when compiling and running.
2. Set Target Dependencies in Build Phases and add the dylib to the list, so that the latest dynamic library is compiled first.
3. Add a script under Run Script, copied from the script we wrote above.
4. Run WeChat. Here we need to replace the WeChat.app generated in step 1 with the one produced in step 3.
Run it and view the logs under All Output.
With the logs, you can debug the tweak dynamic library code. Note that with two copies of WeChat installed at the same time, you cannot tell them apart on the home screen.
Write a tweak
To do a good job, one must first sharpen one's tools. Take a look at my weapons:
Now that we have the tweak project, we can write the tweak code. There are plenty of online tutorials on how to create a tweak project and write tweak code, so I will not repeat them here; see the recommendations at the end of the article.
Write the first hook function:
```objc
// Logos tweak source; class-dump headers for CMessageMgr, CMessageWrap, CContactMgr and CContact are required.
#import <Foundation/Foundation.h>
#import <objc/runtime.h>

%hook CMessageMgr

// Recall of a single message: only let the deletion through when the message was sent by ourselves.
- (void)DelMsg:(id)arg1 MsgWrap:(CMessageWrap *)wrap {
    NSLog(@"CMessageMgr:DelMsg:arg1:%@, MsgWrap:%@", arg1, wrap);
    CContactMgr *contactManager = [[objc_getClass("MMServiceCenter") defaultCenter] getService:[objc_getClass("CContactMgr") class]];
    CContact *selfContact = [contactManager getSelfContact];
    if ([[wrap m_nsFromUsr] isEqualToString:[selfContact m_nsUsrName]]) {
        %orig;
    }
}

// Batch deletion: let it through when any message in the list is ours, or when it is a "delete all".
- (void)DelMsg:(id)arg1 MsgList:(id)arg2 DelAll:(BOOL)arg3 {
    NSLog(@"CMessageMgr:DelMsg:arg1:%@, MsgList: %@, DelAll: %d", arg1, arg2, arg3);
    BOOL isMessageFromMe = NO;
    CContactMgr *contactManager = [[objc_getClass("MMServiceCenter") defaultCenter] getService:[objc_getClass("CContactMgr") class]];
    CContact *selfContact = [contactManager getSelfContact];
    for (CMessageWrap *wrap in arg2) {
        if ([[wrap m_nsFromUsr] isEqualToString:[selfContact m_nsUsrName]]) {
            isMessageFromMe = YES;
            break;
        }
    }
    if (isMessageFromMe || arg3) {
        %orig;
    }
}

%end
```
Tool post
- Hopper Disassembler v3
Hopper is a reverse engineering tool for OS X and Linux, that lets you disassemble, and decompile your 32/64bits Intel Mac, Linux, Windows and iOS executables! Take a look at the feature list!
Hopper is an interactive tool for debugging (OS X only), disassembly, and decompilation on Mac, Windows, and Linux. You can debug, decompile, and more on 32- and 64-bit Mac, Windows, and iOS applications.
Just drag the WeChat binary into Hopper Disassembler, and on the left we see a list of methods in the friendly Objective-C syntax. We can search for the functions or classes we want to learn about, which is very clear. The middle pane shows the assembly of each function; although my assembly is passable, I still prefer to read the decompiled code, which feels more familiar. The figure below shows the [CMessageWrap nativeUrl] method.
- insert_dylib
Command line utility for inserting a dylib load command into a Mach-O binary.
We use insert_dylib to inject the dynamic library bot.dylib and the dependent library libsubstrate.dylib into the WeChat.app/WeChat target binary. It writes its result to WeChat.app/WeChat_patched; finally, just replace WeChat.app/WeChat with the generated file.
insert_dylib github: https://github.com/Tyilo/insert_dylib
- optool
optool is a tool which interfaces with MachO binaries in order to insert/remove load commands, strip code signatures, resign, and remove aslr. Below is its help.
optool github:https://github.com/alexzielenski/optool
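As an added illustration (my own example code, not from the original post and not from the insert_dylib or optool projects), here is what step 5 of the explanation and the two tools above actually do to the binary: they append an LC_LOAD_DYLIB load command to the Mach-O header, and the script then strips the old signature and re-signs. The parser below reads those load commands back from a constructed, header-only 64-bit Mach-O image (the sample bytes, the allowlist of platform prefixes and all function names are assumptions of this example) and flags any dylib that is not a platform library, which is the check a reviewer, or an app's own integrity check, would run to notice an injected @executable_path/bot.dylib.

```python
"""List the dylib load commands of a 64-bit Mach-O image and flag injected ones.

Added example, not code from the original post. insert_dylib and optool append an
LC_LOAD_DYLIB command to the header; reading the commands back is how you verify
(or detect) that. The sample images below are constructed in memory and contain
only a header and load commands, not a real executable.
"""
import struct

MH_MAGIC_64 = 0xFEEDFACF
MH_EXECUTE = 0x2
CPU_TYPE_ARM64 = 0x0100000C          # CPU_TYPE_ARM | CPU_ARCH_ABI64
LC_REQ_DYLD = 0x80000000
LC_LOAD_DYLIB = 0xC
LC_LOAD_WEAK_DYLIB = 0x18 | LC_REQ_DYLD
LC_REEXPORT_DYLIB = 0x1F | LC_REQ_DYLD
LC_LOAD_UPWARD_DYLIB = 0x23 | LC_REQ_DYLD
LC_CODE_SIGNATURE = 0x1D
DYLIB_COMMANDS = {LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB, LC_LOAD_UPWARD_DYLIB}

HEADER64 = struct.Struct("<IIIIIIII")  # magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
LOAD_CMD = struct.Struct("<II")        # cmd, cmdsize
DYLIB_CMD = struct.Struct("<IIIIII")   # cmd, cmdsize, name offset, timestamp, current_version, compat_version


def parse_load_commands(data):
    """Return [(cmd, raw_command_bytes)] for every load command, validating header bounds."""
    if len(data) < HEADER64.size:
        raise ValueError("image shorter than a Mach-O 64 header")
    magic, _cpu, _sub, _ftype, ncmds, sizeofcmds, _flags, _res = HEADER64.unpack_from(data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O image (magic 0x%08x)" % magic)
    cmds = []
    off = HEADER64.size
    end = off + sizeofcmds
    for _ in range(ncmds):
        if off + LOAD_CMD.size > end:
            raise ValueError("load commands run past sizeofcmds")
        cmd, cmdsize = LOAD_CMD.unpack_from(data, off)
        if cmdsize < LOAD_CMD.size or off + cmdsize > end:
            raise ValueError("bad cmdsize %d at offset %d" % (cmdsize, off))
        cmds.append((cmd, data[off:off + cmdsize]))
        off += cmdsize
    return cmds


def dylib_paths(data):
    """Paths of every dylib the image asks dyld to load, in load-command order."""
    paths = []
    for cmd, raw in parse_load_commands(data):
        if cmd not in DYLIB_COMMANDS:
            continue
        name_off = DYLIB_CMD.unpack_from(raw, 0)[2]       # offset of the name string inside the command
        name = raw[name_off:].split(b"\0", 1)[0]
        paths.append(name.decode("utf-8", "replace"))
    return paths


def has_code_signature(data):
    """True when an LC_CODE_SIGNATURE command is present (stripped by the repack script before re-signing)."""
    return any(cmd == LC_CODE_SIGNATURE for cmd, _ in parse_load_commands(data))


def unexpected_dylibs(data, allowed_prefixes=("/usr/lib/", "/System/Library/")):
    """Dylibs outside the platform prefixes; @executable_path or @loader_path entries land here."""
    return [p for p in dylib_paths(data) if not p.startswith(allowed_prefixes)]


def _dylib_cmd(cmd, path):
    """Build one dylib_command; cmdsize is padded to 8 bytes as the 64-bit ABI requires."""
    name = path.encode() + b"\0"
    size = DYLIB_CMD.size + len(name)
    size += (-size) % 8
    return DYLIB_CMD.pack(cmd, size, DYLIB_CMD.size, 2, 0x10000, 0x10000) + name.ljust(size - DYLIB_CMD.size, b"\0")


def build_sample(paths, signed=True):
    """Constructed header-only image (assumption of this example, not a real binary)."""
    cmds = b"".join(_dylib_cmd(LC_LOAD_DYLIB, p) for p in paths)
    if signed:
        cmds += struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0, 0)  # linkedit_data_command with dummy offset/size
    ncmds = len(paths) + (1 if signed else 0)
    return HEADER64.pack(MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE, ncmds, len(cmds), 0, 0) + cmds


# Constructed samples: the image as shipped, and the same image after insert_dylib appended
# @executable_path/bot.dylib and the signature was stripped, i.e. before codesign runs again.
ORIGINAL = build_sample(["/usr/lib/libSystem.B.dylib", "/System/Library/Frameworks/UIKit.framework/UIKit"])
PATCHED = build_sample(["/usr/lib/libSystem.B.dylib", "/System/Library/Frameworks/UIKit.framework/UIKit",
                        "@executable_path/bot.dylib"], signed=False)

if __name__ == "__main__":
    for label, img in (("original", ORIGINAL), ("patched", PATCHED)):
        print(label, dylib_paths(img), "signed:", has_code_signature(img), "unexpected:", unexpected_dylibs(img))
```

On a real device the same walk over the load commands is what `otool -L` prints; the point of doing it by hand is that the check can be embedded in the app itself, or in a release pipeline, and compare the list against a known-good one rather than trusting the bundle's own signature, which the script above regenerates with a developer certificate.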
Conclusion
This article is a precursor to iOS reverse development: it covers the tools and the use of Xcode to debug tweak development, paving the way for more detailed development later.
Next step: Develop functionality
Recommended reference:
- Use CocoaPods to print and send messages to the WeChat integrated SDK. http://t.cn/R9pADno
- Mobile App Intrusion and Reverse Cracking Technology - iOS. http://www.jianshu.com/p/6729f88107d6
- Make WeChat Great Again. http://yulingtianxia.com/blog/2017/02/28/Make-WeChat-Great-Again/
- Get to the top of the WeChat Sport rankings in minutes. http://www.jianshu.com/p/bfd4abd78f21
- How I used Xcode debugging to develop a WeChat message preview plugin. http://t.cn/R9p2tBu
- iOS reverse engineering: WeChat helloWorld. http://www.jianshu.com/p/04495a429324
- Jailbreak development 2: introduction to Tweak. http://luoxianming.cn/2016/11/13/yueyutweak1/
Coding01 looks forward to your attention.