这个拖得有点久了 主要最近比较忙 过一段时间就要去foreign了 调试机不在身边 所以今天先帖实现代码以及几个主要函数 图文可能只有文字了 图是帖不了了 看情况明天或者后天再补充教程中部分敏感内容已用????代替 可能有人会说我按照你的教程走,最后报错了或者根本没有实现功能之类的,那么请看我随后要说的话。
不是所有的教程都是面向小白,照葫芦画瓢,葫芦没有了瓢也就不复存在,请多思考,如果您觉得看着本文章,头晕并且伴随着恶心不适,请立马点击❌,谢谢合作
声明:本文所发布的逆向分析文章,仅限用于学习和研究软件安全的目的。全体用户必须在下载后的24个小时之内,从您的电脑中彻底删除上述内容。学习逆向分析技术是为了更好的完善软件可能存在的不安全因素,提升软件安全意识。不得将上述内容私自传播、销售或者其他任何非法用途!否则,一切后果请自行自负!
主要函数:1.消息函数
-[CMessageMgr AsyncOnAddMsg:MsgWrap:]: [C] 纯文本查看 复制代码 //OC伪码
void -[CMessageMgr AsyncOnAddMsg:MsgWrap:](void * self, void * _cmd, void * arg2, void * arg3) {//arg2为用户名字,arg3=包含红包类型等一系列参数
r7 = (sp - 0x14) + 0xc;
sp = sp - 0x34;
r8 = self;
r11 = [arg2 retain];
CMP(r11, 0x0);
r10 = [arg3 retain];
if (r10 == 0x0) {
r1 = @selector(logWithLevel:module:errorCode:file:line:func:format:);
r0 = @class(iConsole);
r6 = "/Users/gydevgydev/Desktop/hudson/workspace/release_appstore_6.7.3/WeChatKernel/Message/MessageMgr.mm";
r3 = "Msg";
asm{ strd r5, r2, [sp, #0x2c + var_20] };
r2 = 0x4;
objc_msgSend(r0, r1, r2);
}
else {
r6 = [[NSMutableDictionary alloc] init];
[r6 safeSetObject:r11 forKey:@"2"];
[r6 safeSetObject:r10 forKey:@"3"];
r4 = [[NSString stringWithFormat:@"%u"] retain];//这里就是构造字典供后面使用
[r6 safeSetObject:r4 forKey:@"1"];
[r4 release];
r3 = r6;
r1 = @selector(performSelectorOnMainThread:withObject:waitUntilDone:);
r2 = @selector(MainThreadNotifyToExt:);
objc_msgSend(r8, r1, r2);
[r6 release];
}
[r10 release];
loc_2db4174(r11, r1, r2, r3);
return;
}
2.红包参数函数
-[WCPayInfoItem setM_c2cNativeUrl:]: [C] 纯文本查看 复制代码 void -[WCPayInfoItem setM_c2cNativeUrl:](void * self, void * _cmd, void * arg2) {//agr2为我们需要的红包参数,里面包含除了timingIdentifier之外所需的所有参数
loc_e0bad8(self + *0x3b320d8, arg2);
return;
}
3.开红包函数 -[WCRedEnvelopesLogicMgr OpenRedEnvelopesRequest:]: [C] 纯文本查看 复制代码 void -[WCRedEnvelopesLogicMgr OpenRedEnvelopesRequest:](void * self, void * _cmd, void * arg2) {
sub_1c0d198();
return;
}
4.红包合法验证函数(timingIdentifier) -[WCRedEnvelopesLogicMgr OnWCToHongbaoCommonResponse:Request:]: [C] 纯文本查看 复制代码 void -[WCRedEnvelopesLogicMgr OnWCToHongbaoCommonResponse:Request:](void * self, void * _cmd, void * arg2, void * arg3) {//timingIdentifier==arg2,agr2为NSData 我们需要把它转化为NSString 在使用Json解析为对象取值
r7 = (sp - 0x14) + 0xc;
sp = sp - 0x1a4;
stack[1952] = self;
r5 = loc_1c0d1a8(arg2, _cmd, arg2, arg3, stack[1943]);
sub_1c0d198();
r4 = loc_1c0d1a0();
sub_1c0d198();
r6 = loc_1c0d1a0();
r0 = r4;
r4 = r5;
loc_1c0d19c(r0);
stack[1955] = @selector(alloc);
sub_1c0d198();
stack[1961] = sub_1c0d198();
sub_1c0d198();
r7 = r7;
loc_1c0d1a0();
asm{ strd r1, r2, [sp, #0x19c + var_164] };
sub_1c0d198();
r5 = loc_1c0d1a0();
r10 = sub_1c0d198();
sub_1c0d198();
r7 = r7;
r6 = loc_1c0d1a0();
stack[1963] = r5;
if (r5 == 0x0) {
r8 = 0x3b24800;
s0 = "/Users/gydevgydev/Desktop/hudson/workspace/release_appstore_6.7.3/WCBiz/WCRedEnvelopes/Model/WCRedEnvelopesLogicMgr.mm";
asm{ strd r5, r2, [sp, #0x19c + var_190] };
sub_1c0d198();
sub_1c0d198();
r7 = r7;
stack[1963] = loc_1c0d1a0();
}
r11 = @selector(platRet);
stack[1962] = r4;
if (sub_1c0d198() != 0x0) {
stack[1960] = r6;
sub_1c0d198();
sub_1c0d198();
r5 = loc_1c0d1a0();
sub_1c0d198();
loc_1c0d19c(r5);
r5 = @selector(platMsg);
sub_1c0d198();
r7 = r7;
r4 = loc_1c0d1a0();
sub_1c0d198();
r0 = r4;
r4 = stack[1962];
loc_1c0d19c(r0);
if (r10 == 0x0) {
r10 = sub_1c0d198();
}
sub_1c0d198();
r7 = r7;
r11 = loc_1c0d1a0();
loc_1c0d19c(stack[1960]);
}
else {
r11 = r6;
}
if (r10 == 0x0) {
r8 = stack[1963];
stack[1960] = @selector(objectForKey:);
sub_1c0d198();
r7 = r7;
r5 = loc_1c0d1a0();
r10 = @selector(intValue);
r6 = sub_1c0d198();
loc_1c0d19c(r5);
if (r6 != 0x0) {
sub_1c0d198();
r5 = loc_1c0d1a0();
r10 = sub_1c0d198();
loc_1c0d19c(r5);
sub_1c0d198();
r7 = r7;
r5 = loc_1c0d1a0();
loc_1c0d19c(r11);
r11 = r5;
}
else {
r10 = 0x0;
}
}
r5 = @selector(length);
r0 = sub_1c0d198();
if ((r10 != 0x0) && (r0 == 0x0)) {
r6 = @selector(platMsg);
sub_1c0d198();
r7 = r7;
r8 = r4;
r4 = loc_1c0d1a0();
r5 = sub_1c0d198();
loc_1c0d19c(r4);
if (r5 != 0x0) {
sub_1c0d198();
r7 = r7;
r5 = loc_1c0d1a0();
loc_1c0d19c(r11);
}
else {
r5 = r11;
}
}
else {
r5 = r11;
}
r8 = r10;
stack[1953] = @selector(numberWithUnsignedInt:);
sub_1c0d198();
r7 = r7;
r4 = loc_1c0d1a0();
r11 = stack[1963];
r10 = @selector(safeSetObject:forKey:);
sub_1c0d198();
loc_1c0d19c(r4);
stack[1960] = r5;
sub_1c0d198();
r4 = @class(iConsole);
stack[1956] = @selector(cgiCmdid);
sub_1c0d198();
r1 = @selector(logWithLevel:module:errorCode:file:line:func:format:);
asm{ strd r0, r2, [sp, #0x19c + var_188] };
stack[1943] = 0x0;
sub_1c0d198();
r4 = @selector(objectForKey:);
sub_1c0d198();
r7 = r7;
r6 = loc_1c0d1a0();
r5 = @selector(intValue);
stack[1954] = sub_1c0d198();
loc_1c0d19c(r6);
if (sub_1c0d198() <= 0x3) {
sub_1c0d198();
r8 = loc_1c0d1a0();
sub_1c0d198();
sub_1c0d198();
r6 = loc_1c0d1a0();
sub_1c0d198();
sub_1c0d198();
r5 = loc_1c0d1a0();
sub_1c0d198();
r4 = loc_1c0d1a0();
sub_1c0d198();
loc_1c0d19c(r4);
loc_1c0d19c(r5);
loc_1c0d19c(r6);
stack[1955] = sub_1c0d198();
sub_1c0d198();
r10 = loc_1c0d1a0();
sub_1c0d198();
sub_1c0d198();
r4 = loc_1c0d1a0();
sub_1c0d198();
r7 = r7;
r6 = loc_1c0d1a0();
stack[1943] = r8;
r11 = sub_1c0d198();
loc_1c0d19c(r6);
loc_1c0d19c(r4);
loc_1c0d19c(r10);
loc_1c0e864(0x2f4b, 0x0);
loc_1c0d19c(r8);
r0 = 0x2c77986;
asm{ ldrd r8, sl, [sp, #0x19c + var_160] };
r0 = r0 + 0xeace7a;
r4 = stack[1963];
}
else {
stack[1951] = r10;
r0 = stack[1954] | r8;
if (r0 != 0x0) {
r10 = stack[1963];
sub_1c0d198();
stack[1950] = loc_1c0d1a0();
sub_1c0d198();
r6 = loc_1c0d1a0();
r11 = sub_1c0d198();
loc_1c0d19c(r6);
sub_1c0d198();
r8 = loc_1c0d1a0();
sub_1c0d198();
r5 = loc_1c0d1a0();
sub_1c0d198();
r7 = r7;
r6 = loc_1c0d1a0();
sub_1c0d198();
loc_1c0d19c(r6);
sub_1c0d198();
sub_1c0d198();
stack[1943] = r5;
r11 = sub_1c0d198();
loc_1c0d19c(r5);
r4 = r10;
loc_1c0d19c(r8);
loc_1c0d19c(stack[1950]);
r0 = 0x2c77856;
asm{ ldrd r8, sl, [sp, #0x19c + var_160] };
r0 = r0 + 0xeacfaa;
}
else {
r10 = sp + 0x38;
r4 = stack[1963];
r11 = 0x0;
asm{ ldm.w sl, {r1, r8, sl} };
r0 = 0x3b24800;
}
}
sub_1c0d198();
r7 = r7;
r6 = loc_1c0d1a0();
sub_1c0d198();
sub_1c0d198();
sub_1c0d198();
sub_1c0d198();
r4 = stack[1962];
r0 = sub_1c0d198();
if (r0 > 0xa) goto loc_ead116;
loc_ead020:
goto *0xead024[r0];
loc_ead03a:
if (r11 == 0x0) {
sub_1c0d198();
r4 = loc_1c0d1a0();
sub_1c0d198();
loc_1c0d19c(r4);
}
stack[1944] = 0x3179d4d;
r4 = @selector(OnQueryRedEnvelopesUserInfo:Error:);
r3 = 0xc2000000;
r5 = __objc_proto_WCRedEnvelopesLogicMgrExt_protocol;
r0 = __NSConcreteStackBlock;
r1 = 0x0;
r2 = 0x354f678;
asm{ strd r1, sb, [sp, #0x19c + var_2C] };
stack[2038] = loc_1c0d1a8(r6, r1, r2, r3, stack[1943], stack[1944]);
stack[2039] = loc_1c0d1a8(r11);
sub_1c0d298();
loc_1c0d19c(stack[2039]);
loc_1c0d19c(stack[2038]);
r4 = stack[1962];
goto loc_ead56a;
loc_ead56a:
loc_1c0d19c(r6);
loc_1c0d19c(r11);
loc_1c0d19c(stack[1960]);
loc_1c0d19c(stack[1963]);
loc_1c0d19c(r8);
loc_1c0d19c(stack[1961]);
loc_1c0d19c(r10);
loc_1c0d19c(r4);
return;
loc_ead176:
stack[1944] = 0x3179d4d;
r4 = @selector(OnGenRedEnvelopesPayRequest:Error:);
r3 = 0xc2000000;
r5 = __objc_proto_WCRedEnvelopesLogicMgrExt_protocol;
r1 = 0x0;
r0 = __NSConcreteStackBlock;
r2 = 0x354f690;
asm{ strd r1, sb, [sp, #0x19c + var_48] };
stack[2031] = loc_1c0d1a8(stack[1963], r1, r2, r3, stack[1943], stack[1944]);
stack[2032] = loc_1c0d1a8(r11);
r4 = stack[1962];
sub_1c0d298();
loc_1c0d19c(stack[2032]);
goto loc_ead566;
loc_ead566:
loc_1c0d19c();
goto loc_ead56a;
loc_ead1e4:
stack[1944] = 0x3179d4d;
r4 = @selector(OnSendShareRedEnvelopesoRequest:Error:);
r3 = 0xc2000000;
r5 = __objc_proto_WCRedEnvelopesLogicMgrExt_protocol;
r0 = __NSConcreteStackBlock;
r1 = 0x0;
r2 = 0x354f6c0;
asm{ strd r1, sb, [sp, #0x19c + var_80] };
stack[2017] = loc_1c0d1a8(r6, r1, r2, r3, stack[1943], stack[1944]);
stack[2018] = loc_1c0d1a8(r11);
r4 = stack[1962];
sub_1c0d298();
loc_1c0d19c(stack[2018]);
goto loc_ead566;
loc_ead252:
stack[1944] = 0x3179d4d;
r4 = @selector(OnReceiverQueryRedEnvelopesRequest:Error:);
r3 = 0xc2000000;
r5 = __objc_proto_WCRedEnvelopesLogicMgrExt_protocol;
r0 = __NSConcreteStackBlock;
r1 = 0x0;
r2 = 0x354f6d8;
asm{ strd r1, sb, [sp, #0x19c + var_9C] };
stack[2010] = loc_1c0d1a8(r6, r1, r2, r3, stack[1943], stack[1944]);
stack[2011] = loc_1c0d1a8(r11);
r4 = stack[1962];
sub_1c0d298();
loc_1c0d19c(stack[2011]);
goto loc_ead566;
loc_ead2c0:
stack[1944] = 0x3179d4d;
sub_1c0d198();
r2 = 0x3b24434;
r3 = 0xead701;
r4 = @selector(OnOpenRedEnvelopesRequest:Error:);
r1 = sp + 0xe4;
r5 = *r2;
asm{ stm.w r1, {r0, r3} };
stack[2003] = loc_1c0d1a8(r6, r1, r2, r3, stack[1943], stack[1944]);
stack[2004] = loc_1c0d1a8(r11);
r4 = stack[1962];
sub_1c0d298();
loc_1c0d19c(stack[2004]);
goto loc_ead566;
loc_ead342:
stack[1944] = 0x3179d4d;
r4 = @selector(OnQueryRedEnvelopesDetailRequest:Error:);
r3 = 0xc2000000;
r5 = __objc_proto_WCRedEnvelopesLogicMgrExt_protocol;
r0 = __NSConcreteStackBlock;
r1 = 0x0;
r2 = 0x354f708;
asm{ strd r1, sb, [sp, #0x19c + var_D4] };
stack[1996] = loc_1c0d1a8(r6, r1, r2, r3, stack[1943], stack[1944]);
stack[1997] = loc_1c0d1a8(r11);
r4 = stack[1962];
sub_1c0d298();
loc_1c0d19c(stack[1997]);
goto loc_ead566;
loc_ead3b0:
stack[1944] = 0x3179d4d;
r4 = @selector(OnQueryUserSendOrReceiveRedEnveloperListRequest:Error:);
r3 = 0xc2000000;
r5 = __objc_proto_WCRedEnvelopesLogicMgrExt_protocol;
r0 = __NSConcreteStackBlock;
r1 = 0x0;
r2 = 0x354f720;
asm{ strd r1, sb, [sp, #0x19c + var_F0] };
stack[1989] = loc_1c0d1a8(r6, r1, r2, r3, stack[1943], stack[1944]);
stack[1990] = loc_1c0d1a8(r11);
r4 = stack[1962];
sub_1c0d298();
loc_1c0d19c(stack[1990]);
goto loc_ead566;
loc_ead41e:
stack[1944] = 0x3179d4d;
r4 = @selector(OnClearserSendOrReceiveRedEnveloperListRequest:Error:);
r3 = 0xc2000000;
r5 = __objc_proto_WCRedEnvelopesLogicMgrExt_protocol;
r0 = __NSConcreteStackBlock;
r1 = 0x0;
r2 = 0x354f738;
asm{ strd r1, sb, [sp, #0x19c + var_10C] };
stack[1982] = loc_1c0d1a8(r6, r1, r2, r3, stack[1943], stack[1944]);
stack[1983] = loc_1c0d1a8(r11);
r4 = stack[1962];
sub_1c0d298();
loc_1c0d19c(stack[1983]);
goto loc_ead566;
loc_ead48c:
stack[1944] = 0x3179d4d;
r4 = @selector(OnThanksForRedEnvelopesRequest:Error:);
r3 = 0xc2000000;
r5 = __objc_proto_WCRedEnvelopesLogicMgrExt_protocol;
r0 = __NSConcreteStackBlock;
r1 = 0x0;
r2 = 0x354f750;
asm{ strd r1, sb, [sp, #0x19c + var_128] };
stack[1975] = loc_1c0d1a8(r6, r1, r2, r3, stack[1943], stack[1944]);
stack[1976] = loc_1c0d1a8(r11);
r4 = stack[1962];
sub_1c0d298();
loc_1c0d19c(stack[1976]);
goto loc_ead566;
loc_ead4fa:
stack[1944] = 0x3179d4d;
r4 = @selector(OnGenH5RedEnvelopesPayRequest:Error:);
r3 = 0xc2000000;
r5 = __objc_proto_WCRedEnvelopesLogicMgrExt_protocol;
r0 = __NSConcreteStackBlock;
r1 = 0x0;
r2 = 0x354f6a8;
asm{ strd r1, sb, [sp, #0x19c + var_64] };
stack[2024] = loc_1c0d1a8(r6, r1, r2, r3, stack[1943], stack[1944]);
stack[2025] = loc_1c0d1a8(r11);
r4 = stack[1962];
sub_1c0d298();
loc_1c0d19c(stack[2025]);
goto loc_ead566;
loc_ead116:
stack[1944] = 0x3179d4d;
r4 = @selector(OnWCRedEnvelopesBaseRequestCommonError:HongbaoCmdType:);
r3 = 0xc2000000;
r5 = __objc_proto_WCRedEnvelopesLogicMgrExt_protocol;
r1 = 0x0;
r0 = __NSConcreteStackBlock;
r2 = 0x354f768;
asm{ strd r1, sb, [sp, #0x19c + var_140] };
r0 = loc_1c0d1a8(stack[1962], r1, r2, r3, stack[1943], stack[1944]);
stack[1969] = r0;
r4 = stack[1962];
sub_1c0d298();
goto loc_ead566;
}
实现代码: [Python] 纯文本查看 复制代码 import frida
import sys
session = frida.get_usb_device().attach(88906)
script_string = """
if (ObjC.available)
{
try
{
var sessionUserName;
var timingIdentifier;
var receiver_dict = ObjC.classes.NSMutableDictionary.alloc().init();
var openred_dict = ObjC.classes.NSMutableDictionary.alloc().init();
var className = "CMessageMgr";
var funcName = "- AsyncOnAddMsg:MsgWrap:";
var hook = eval('ObjC.classes.' + className + '["' + funcName + '"]');
console.log("[*] Class Name: " + className);
console.log("[*] Method Name: " + funcName);
Interceptor.attach(hook.implementation, {
onEnter: function(args) {
var arg2 = new ObjC.Object(args[2]);
console.log("AsyncOnAddMsgArg2:"+ arg2.toString());
var obj = new ObjC.Object(args[3]);
console.log("AsyncOnAddMsgArg3:"+ obj.toString());
var str = obj.toString();
type = str.split(", ");
if(type.indexOf("type=49")!=-1){
console.log("Successful!!");
console.log("receiver_dict:"+ receiver_dict);
console.log("openred_dict:"+ openred_dict);
//在这里你可以通过红包类型为49 直接调用openRed函数 达到自动抢红包
};
},
onLeave: function(retval) {
string_value = ObjC.classes.NSString.stringWithString_(retval);
console.log("Mgrretval:"+string_value+" type:"+typeof string_value);
}
});
var arr;
var url;
var originalUrl
var className = "WCPayInfoItem";
var funcName = "- setM_c2cNativeUrl:";
var hook = eval('ObjC.classes.' + className + '["' + funcName + '"]');
console.log("[*] Class Name: " + className);
console.log("[*] Method Name: " + funcName);
Interceptor.attach(hook.implementation, {
onEnter: function(args) {
var arg2 = new ObjC.Object(args[2]);
//console.log("setM_c2cNativeUrl:"+ arg2.toString());
originalUrl = arg2.toString();
url = arg2.toString();
var num=url.indexOf("?")
url=url.substr(num+1); //取得所有参数
arr=url.split("&"); //各个参数放到数组里
//console.log(arr);
for(var i=0;i < arr.length;i++){
num=arr[i].indexOf("="); //num=7,9,6,12,3,4
if(num>0){
name=arr[i].substring(0,num);
value=arr[i].substr(num+1);
this[name]=value;
}
};
//构建NSDictionary
receiver_dict.setObject_forKey_(0,"agreeDuty");
receiver_dict.setObject_forKey_(1,"inWay");
receiver_dict.setObject_forKey_(this["channelid"],"channelId");
receiver_dict.setObject_forKey_(this["msgtype"],"msgType");
receiver_dict.setObject_forKey_(originalUrl,"nativeUrl");
receiver_dict.setObject_forKey_(this["sendid"],"sendId");
openred_dict.setObject_forKey_("http://wx.qlogo.cn/?????","headImg");
openred_dict.setObject_forKey_("XXX","nickName");
openred_dict.setObject_forKey_(originalUrl,"nativeUrl");
openred_dict.setObject_forKey_(this["channelid"],"channelId");
openred_dict.setObject_forKey_(this["msgtype"],"msgType");
openred_dict.setObject_forKey_(this["sendid"],"sendId");
openred_dict.setObject_forKey_(this["sendusername"],"sessionUserName");
},
onLeave: function(retval) {
console.log("Finished!");
}
});
var className = "WCRedEnvelopesLogicMgr";
var funcName = "- OnWCToHongbaoCommonResponse:Request:";
var hook = eval('ObjC.classes.' + className + '["' + funcName + '"]');
console.log("[*] Class Name: " + className);
console.log("[*] Method Name: " + funcName);
Interceptor.attach(hook.implementation, {
onEnter: function(args) {
var arg2 = new ObjC.Object(args[2]);
//NSData转换为NSString
console.log("OnWCToHongbaoCommonResponse:"+ Memory.readUtf8String(arg2.retText().buffer().bytes(),arg2.retText().buffer().length()));
//将json字符串转换成json对象
var obj = JSON.parse(Memory.readUtf8String(arg2.retText().buffer().bytes(),arg2.retText().buffer().length()));
console.log(obj.timingIdentifier);
timingIdentifier = obj.timingIdentifier;
openred_dict.setObject_forKey_(timingIdentifier,"timingIdentifier");[/align][align=left]
[/align][align=left]if(timingIdentifier!=null){
console.log("OpenRed");
var OpenRedEnvelopesRequest = ObjC.classes.WCRedEnvelopesLogicMgr.alloc().init();
OpenRedEnvelopesRequest["- OpenRedEnvelopesRequest:"](openred_dict);
};
},
onLeave: function(retval) {
console.log("Finished!");
}
});
}
catch(err)
{
console.log("[!] Exception2: " + err.message);
}
}
else
{
console.log("Objective-C Runtime is not available!");
}
"""
script = session.create_script(script_string)
def on_message(message, data):
if message['type'] == 'error':
print("[!] " + message['stack'])
elif message['type'] == 'send':
print("[i] " + message['payload'])
else:
print(message)
script.on('message', on_message)
script.load()
sys.stdin.read()
# 红包参数:
# [<WCRedEnvelopesLogicMgr: 0x171030740> OpenRedEnvelopesRequest:{
# channelId = 1;
# headImg = "http://wx.qlogo.cn/????";
# msgType = 1;
# nativeUrl = "wxpay://c2cbizmessagehandler/hongbao/receivehongbao?msgtype=1&channelid=1&sendid=10000394012018&sendusername=?????&ver=6&sign=????";
# nickName = "????";
# sendId = 10000394012018102;
# sessionUserName = ?????;
# timingIdentifier = ?????;
# } ]
|