In honor of losing my jailbroken iPad, I had to write something.
So... the following does not require a jailbreak.
I don't know what 60,000 steps feels like, because I've never walked them, but that is how a friend described it to me.
Crack
First of all, this is a very simple reverse-engineering experiment, really nothing more than a simple validation. I will not discuss getting a shell, class-dump, hooks, dylib injection, or give a detailed walkthrough of the reverse-engineering process, because this simple case does not need any of that. Only two pieces of software are required:
- PP Assistant (to download the decrypted version of the iOS App, i.e. the build with the App Store encryption already removed)
- Hopper Disassembler
And it only takes three steps to complete the hack.
PP Assistant is used only to download the decrypted "jailbreak" version of the iOS App; it needs no further explanation.
Hopper Disassembler V3
Hopper is a reverse engineering tool for OS X and Linux, that lets you disassemble, and decompile your 32/64bits Intel Mac, Linux, Windows and iOS executables! Take a look at the feature list!
In short, Hopper is a disassembler with a pseudocode decompiler. There are alternatives such as IDA, but IDA's free version lacks features and the full version is too expensive, so Hopper was chosen without hesitation.
In 2015 the major music platforms banded together to crack down on pirated audio sites, fought each other over licensing and took down unlicensed music. Some platforms also moved their high-quality tracks from free to paid, making it hard for ordinary listeners to enjoy music.
Now all we have to do is find our freedom again.
Xiami Music for Mac
Xiami ("shrimp") without a VIP membership is just a shrimp.
A VIP membership is required to listen to high-quality songs in the Xiami Mac player. Let's give ourselves a "membership".
First, open Hopper.
Find the Xiami Music installation directory, /Applications/Xiami.app/Contents/MacOS/, and drag the binary Xiami from there into the Hopper window; Hopper then starts its analysis. Xiami Music for Mac is a very simple app, so disassembly finishes within a minute. On the left-hand side you get a nice list of Objective-C methods, and you can search for the name of the method you are interested in. Since we want to give ourselves VIP, we search for "VIP".
The method is easy to spot:
[XMUser isVIP]
We can view the pseudocode of the method through the button in the upper right corner. Then apply a static patch in Hopper: place the cursor on the first instruction of [XMUser isVIP], go to Modify -> Assemble Instruction, and type mov rax, 0x1 in the pop-up text box, as shown:
Click "Assemble and Go Next", type ret, and confirm. The modified code block turns white and looks something like this:
What does this mean? In the x86-64 calling convention a function's return value is passed in RAX, and 0x1 corresponds to BOOL YES. mov rax, 0x1 loads 1 into RAX (EAX is just the low 32 bits of RAX, and an Objective-C BOOL is read from the low byte), and the following ret returns immediately, so the original body of the method, the part that actually consulted the account state, never executes. [XMUser isVIP] now always returns YES and Xiami believes you are a permanent VIP. The general point: a membership check that is decided inside the client rather than enforced by the server is defeated by a two-instruction patch.
Then the job is almost done: go to File -> Produce New Executable to generate a new binary and replace the original binary (Xiami) in /Applications/Xiami.app/Contents/MacOS/ with it. Note that the replacement invalidates the bundle's code signature (codesign --verify on Xiami.app will now fail); macOS at the time still launched the app regardless.
Restart the Xiami Music player and bombard your ears with 320 kbps high-quality music.
This is a relatively simple way to reverse an app, and of course it has big limitations: if you want broader changes you need hooking, or tooling such as OpenDev.
Xiami Music for iOS
Now Xiami Music can't play Jay Chou's songs... I have to say that Gao Xiaosong, the chairman they paid good money for, really is doing something...
However, I'm not going to reverse the iOS Xiami app, because I don't use it, but a similar method can be used to skip Xiami's verification for songs that are limited to a preview.
WeChat Sport
Do you want your WeChat friends to follow you every day? Want to occupy the cover of your goddess's/hero's WeChat Sport ranking every day? Now it takes only 5 minutes and 3 steps.
1. Download the decrypted app (the jailbreak version)
2. Use Hopper to modify the WeChat step count
Unzip the IPA; the app bundle is under Payload/.
Right-click WeChat.app, choose Show Package Contents, find the WeChat binary and drag it into the Hopper window for disassembly. Because the WeChat application is fairly large, disassembly may take a while, but we can already search for the method that provides the step count and patch it once disassembly completes. Using the same technique as above, the result is:
movw r0, #0xFFFF
bx lr
On 32-bit ARM the return value is passed in r0, so this returns 0xFFFF (hexadecimal, 65535 in decimal) as the step count. Change the immediate to whatever step count you want.
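As an added example (not part of the original post, and not how Hopper is implemented), the following Python script does by hand what Hopper's Produce New Executable / Shift+Command+E does for both patches above: it parses the Mach-O load commands to translate the virtual address Hopper displays into a file offset, checks that the range is actually backed by file bytes, and overwrites it with a "return a constant" stub. The sample binaries, the method addresses, and the stub encodings are constructed assumptions for the demo; the ARM stub assumes the function is in ARM (A32) mode, and Thumb-2 code would need different bytes, which is exactly why letting Hopper assemble the instruction for you is the safer route.

```python
"""Map a virtual address to a Mach-O file offset and overwrite a method with a return stub.

Added example: a hand-rolled version of the static patch Hopper writes out.
"""
import struct

MH_MAGIC = 0xFEEDFACE        # 32-bit Mach-O (e.g. an armv7 iOS binary)
MH_MAGIC_64 = 0xFEEDFACF     # 64-bit Mach-O (e.g. an x86_64 Mac binary)
LC_SEGMENT = 0x1
LC_SEGMENT_64 = 0x19

# x86-64: "mov rax, 0x1 ; ret" -> a BOOL method that always returns YES.
PATCH_X86_64_RETURN_YES = bytes.fromhex("48c7c001000000c3")
# ARM (A32 encoding, assumption: not Thumb): "movw r0, #0xffff ; bx lr" -> return 65535.
PATCH_ARM_RETURN_FFFF = bytes.fromhex("ff0f0fe31eff2fe1")


def parse_segments(data):
    """Return [(vmaddr, vmsize, fileoff, filesize)] for every segment load command."""
    magic = struct.unpack_from("<I", data, 0)[0]
    ncmds = struct.unpack_from("<I", data, 16)[0]      # ncmds sits at +16 in both headers
    if magic == MH_MAGIC_64:
        off, seg_cmd, fmt = 32, LC_SEGMENT_64, "<QQQQ"  # 64-bit header is 32 bytes
    elif magic == MH_MAGIC:
        off, seg_cmd, fmt = 28, LC_SEGMENT, "<IIII"     # 32-bit header is 28 bytes
    else:
        raise ValueError("not a thin little-endian Mach-O (fat binary? run lipo -thin first)")
    segs = []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd == seg_cmd:
            # vmaddr/vmsize/fileoff/filesize follow cmd, cmdsize and the 16-byte segname
            segs.append(struct.unpack_from(fmt, data, off + 24))
        off += cmdsize
    return segs


def vmaddr_to_fileoff(segs, addr, length=1):
    """Translate a virtual address range into a file offset, refusing zero-fill memory."""
    for vmaddr, vmsize, fileoff, filesize in segs:
        if vmaddr <= addr < vmaddr + vmsize:
            delta = addr - vmaddr
            if delta + length > filesize:
                raise ValueError("range is not backed by file bytes (zero-fill or crosses segment end)")
            return fileoff + delta
    raise ValueError("address %#x is in no segment" % addr)


def patch_function(data, addr, patch):
    """Return a copy of the binary with `patch` written at the bytes that back `addr`."""
    off = vmaddr_to_fileoff(parse_segments(data), addr, len(patch))
    return data[:off] + patch + data[off + len(patch):]


def build_sample_macho(bits=64):
    """Constructed toy binary: __PAGEZERO plus one __TEXT segment, body filled with 0xCC."""
    if bits == 64:
        text_vmaddr, text_size = 0x100000000, 0x1000
        seg_fmt, seg_size, seg_cmd = "<II16sQQQQiiII", 72, LC_SEGMENT_64
        header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, 2, 2, 2 * seg_size, 0, 0)
    else:
        text_vmaddr, text_size = 0x4000, 0x1000
        seg_fmt, seg_size, seg_cmd = "<II16sIIIIiiII", 56, LC_SEGMENT
        header = struct.pack("<IiiIIII", MH_MAGIC, 12, 9, 2, 2, 2 * seg_size, 0)

    def seg(name, vmaddr, vmsize, fileoff, filesize, prot):
        return struct.pack(seg_fmt, seg_cmd, seg_size, name, vmaddr, vmsize,
                           fileoff, filesize, prot, prot, 0, 0)

    pagezero = seg(b"__PAGEZERO", 0, text_vmaddr, 0, 0, 0)   # mapped, but no file bytes
    text = seg(b"__TEXT", text_vmaddr, text_size, 0, text_size, 5)
    body = header + pagezero + text
    return body + b"\xcc" * (text_size - len(body))


if __name__ == "__main__":
    # Hypothetical addresses standing in for what Hopper shows for the two methods.
    mac = patch_function(build_sample_macho(64), 0x100000400, PATCH_X86_64_RETURN_YES)
    ios = patch_function(build_sample_macho(32), 0x4400, PATCH_ARM_RETURN_FFFF)
    print(mac[0x400:0x408].hex(), ios[0x400:0x408].hex())
```

For a real target, read the binary with open(path, "rb"), pass the address Hopper shows for the first instruction of the method, and write the returned bytes to a new file. Fat binaries must be thinned with lipo first, and the patched file no longer passes codesign --verify, which is why the iOS section re-signs the whole bundle.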
Shift+Command+E generates the new WeChat binary. Next, create an empty shell project in Xcode with a bundle ID your developer account is allowed to sign, name it whatever you like, select your certificate and provisioning profile, and build it. This produces MyTest1.app.
What we need from MyTest1.app is its embedded.mobileprovision file.
We also need to create Entitlements.plist, which requires the certificate's Team ID. If you don't know it, it can be found on the certificate in Keychain Access; note that the Team ID here must come from a distribution certificate. For example, for "iPhone Distribution: Tian Xiao (ABCDEFGHIB)" the Team ID is ABCDEFGHIB. get-task-allow is true for a development profile, which matches the "iPhone Developer" identity used for signing below.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>ABCDEFGHIB.dimsky.MyTest1</string>
    <key>com.apple.developer.team-identifier</key>
    <string>ABCDEFGHIB</string>
    <key>get-task-allow</key>
    <true/>
    <key>keychain-access-groups</key>
    <array>
        <string>ABCDEFGHIB.dimsky.MyTest1</string>
    </array>
</dict>
</plist>
All required files are now in place: copy embedded.mobileprovision and the modified WeChat binary into WeChat.app, replacing the originals.
3. Re-sign and install
Next, we re-sign our WeChat.app.
codesign -f -s "<certificate name>" <target>
Below are the components that need to be re-signed. The certificate name can be found in Keychain Access, and the last command uses the Entitlements.plist created in the previous step. Sign the nested bundles (the Watch app, its extension, and the share extension) first and the outer app last, since the outer signature seals the nested ones.
codesign -f -s "iPhone Developer: Tian Xiao (XXXXXXXX)" WeChat.app/Watch/WeChatWatchNative.app/PlugIns/WeChatWatchNativeExtension.appex
codesign -f -s "iPhone Developer: Tian Xiao (XXXXXXXX)" WeChat.app/Watch/WeChatWatchNative.app
codesign -f -s "iPhone Developer: Tian Xiao (XXXXXXXX)" WeChat.app/PlugIns/WeChatShareExtensionNew.appex
codesign -f -s "iPhone Developer: Tian Xiao (XXXXXXXX)" --entitlements Entitlements.plist WeChat.app
Package into an IPA
xcrun -sdk iphoneos PackageApplication -v WeChat.app -o ~/WeChat.ipa
(PackageApplication was removed from Xcode 8.3 onward; on newer toolchains place WeChat.app inside a Payload/ folder and zip that folder into WeChat.ipa instead.)
It can then be installed via PP Assistant.
Friendly tip: don't go overboard; keep the step count realistic, or your friends will delete you, and don't blame me.
The downsides of dominating the ranking long-term are easy to imagine, so please think about it.
Note:
This article is for academic exchange only, please do not use it for commercial purposes.
Reference: A Song of Ice and Fire on iOS