14.1 定位紅包消息響應方法
14.1.1 砸殼和導出頭文件以供分析用
詳細過程見筆記第7章
DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/749DC69A-3A8D-4B5C-9926-1220E69FC85F/WeChat.app/WeChat
class-dump -s -S -H WeChat.decrypted -o ./MyHeaders
14.1.2 借助cycript來動態分析界面定位視圖控制器(ViewController)
- 打開應用并使用cycript附加進程
cycript -p WeChat
- 使用recursiveDescription打印UIView對象
[[UIApp keyWindow] recursiveDescription].toString()
或者
UIApp.keyWindow.recursiveDescription().toString()
- 選擇一個UIView對象的id,借助nextResponder方法獲取視圖控制器
<UIView: 0x14eaed070; frame = (0 0; 320 568); autoresize = W+H; layer = <CALayer: 0x14eafa130>>
//使用nextResponder找到視圖控制器(ViewController)
cy# [#0x14eaed070 nextResponder]
#"<BaseMsgContentViewController: 0x14f1dc200>"
- 在class-dump到處的頭文件中,查找BaseMsgContentViewController相關的文件
? ls -al *BaseMsgContentViewController*
-rw-r--r-- 1 liuzhongzheng staff 26105 Aug 25 15:59 BaseMsgContentViewController.h
-
cycript的其它用法介紹
-
_printHierarchy - 直接打印所有UIViewController
[[[UIWindow keyWindow] rootViewController] _printHierarchy].toString() _autolayoutTrace - recursiveDescription的簡化版,去掉了UIView的一些描述
[[UIApp keyWindow] _autolayoutTrace].toString()- 獲取bundle info
[[NSBundle mainBundle] infoDictionary].toString() -
14.1.3 借助Reveal來動態分析界面定位視圖控制器(ViewController)
OSX 上安裝Reveal
官網:https://revealapp.com/iOS 上安裝Reveal Loader
通過Cydia搜索安裝Reveal Loader使用Reveal觀察界面結構
14.1.4 借助thoes模塊Logify來精確定位消息響應方法
創建Tweak工程
批量生成hook BaseMsgContentViewController.h文件中方法的Tweak.xm文件
/opt/theos/bin/logify.pl ../WeChat/Headers/BaseMsgContentViewController.h > Tweak.xm
用logify.pl生成的Tweak.xm文件替換Tweak工程中的Tweak.xm文件
編譯Tweak工程并安裝
make package
make install
- 通過查看和分析日志定位消息響應的方法
tail -f /var/log/syslog | grep WeChat
[<BaseMsgContentViewController: 0x1368e9c00> addMessageNode:{m_uiMesLocalID=38, m_ui64MesSvrID=6021494297990342718, m_nsFromUsr=wxi*431~19, m_nsToUsr=wxi*r12~19, m_uiStatus=4, type=1, msgSource="<msgsource><sequence_id>649531066</sequence_id></msgsource>"} layout:1 addMoreMsg:0]
//定位到與消息響應相關的方法
- (void)addMessageNode:(id)arg1 layout:(_Bool)arg2 addMoreMsg:(_Bool)arg3 { %log; %orig; }
14.1.5 借助lldb進行動態調試
- 在iOS上配置debugserver
- 把iPhone連接xcode,在iOS上/Developer/usr/bin/目錄下面生成調試工具debugserver
luz-iphone:/Developer/usr/bin root# ls
DTDeviceArbitration* ScreenShotr* XcodeDeviceMonitor* debugserver* iprofiler* xctest*
-
給debugserver瘦身和重新簽名,并放入/usr/bin/目錄下方便隨時調用
lipo(靜態庫拆分與合并)命令的介紹: http://www.lxweimin.com/p/e590f041c5f6//拷貝到OS X上去 scp debugserver luz@192.168.1.138:/tmp //查看CPU架構信息 ?lipo -info debugserver Architectures in the fat file: debugserver are: armv7 armv7s arm64 //瘦身 lipo -thin arm64 debugserver -output debugserver.thin //使用ldid添加task_for_pid權限 ? ldid -Sent.xml debugserver.thin ? ldid -e debugserver.thin <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.springboard.debugapplications</key> <true/> <key>get-task-allow</key> <true/> <key>task_for_pid-allow</key> <true/> <key>run-unsigned-code</key> <true/> </dict> </plist> //使用codesign添加task_for_pid權限 codesign -s - --entitlements ent.plist -f debugserver.thin ? ldid -e debugserver.thin <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/ PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.springboard.debugapplications</key> <true/> <key>run-unsigned-code</key> <true/> <key>get-task-allow</key> <true/> <key>task_for_pid-allow</key> <true/> </dict> </plist> -
在iOS使用debugserver附加程序
- 打開調試
debugserver -x backboard IP:port /path/to/executable- 附加調試
debugserver *:9527 -a "WeChat" 在OSX使用lldb連接debugserver進行調試
lldb
process connect connect://192.168.1.113:9527 //ip是iPhone的地址,端口要一致
- 使用usbmuxd工具通過USB口轉發ssh和調式信息
- 通過USB口轉發ssh
//把本地2222端口轉發到iOS的22(ssh)端口
./tcprelay.py -t 22:2222
Forwarding local port 2222 to remote port 22
//ssh進行連接 - localhost(127.0.0.1)是本地主機(本機的標準域名)
ssh root@localhost -p 2222
-
通過USB口轉發lldb調試
//把本地9527端口轉發到iOS的9527端口 ./tcprelay.py -t 9527:9527 //在iOS上指定debugserver監聽的端口號(要與9527:9527冒號前面的一致9527) debugserver *:9527 -a "WeChat" //在OSX上指定連接的端口號(要與9527:9527冒號后面的一致) lldb process connect connect://localhost:9527 查看ASLR偏移
image list -o -f
(lldb) image list -o -f
[ 0] 0x0000000000054000 /private/var/mobile/Containers/Bundle/Application/749DC69A-3A8D-4B5C-9926-1220E69FC85F/WeChat.app/WeChat(0x0000000100054000)
偏移后模塊基地址 = 偏移前模塊基地址 + 模塊的ASLR偏移
偏移后符號基地址 = 偏移前符號基地址 + 符號所在模塊的ASLR偏移(一般用在這兒)
偏移后指令基地址 = 偏移前指令基地址 + 指令所在模塊的ASLR偏移
- 使用Hopper查看函數基地址
-[BaseMsgContentViewController addMessageNode:layout:addMoreMsg:]:
0000000101dcbb0c db 0xe9 ; '.'
0000000101dcbb0d db 0x23 ; '#'
-
使用lldb的br命令設備斷點br
br s -a '0x0000000000054000+0x0000000101dcbb0c' 設置斷點 b function br s –a address br s –a 'ASLROffset+address' //查看所有斷點 br list //刪除斷點 br delete 1 //程序繼續運行 發送消息,等待觸發斷點,然后查看函數調用堆棧
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 2.1
* frame #0: 0x0000000101defb0c WeChat`_mcwxh_dydx33_8to8(_VDecStruct*, unsigned char*, unsigned char*, unsigned int, unsigned int, unsigned int, unsigned int) + 23979876
frame #1: 0x0000000102035434 WeChat`_mcwxh_dydx33_8to8(_VDecStruct*, unsigned char*, unsigned char*, unsigned int, unsigned int, unsigned int, unsigned int) + 26361996
frame #2: 0x000000010202059c WeChat`_mcwxh_dydx33_8to8(_VDecStruct*, unsigned char*, unsigned char*, unsigned int, unsigned int, unsigned int, unsigned int) + 26276340
frame #3:
WeChat`_mcwxh_dydx33_8to8(_VDecStruct*, unsigned char*, unsigned char*, unsigned int, unsigned int, unsigned int, unsigned int) + 34703800
frame #4: 0x0000000187955f9c Foundation`__NSThreadPerformPerform + 372
frame #5: 0x0000000186a0c240 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 24
frame #6: 0x0000000186a0b4e4 CoreFoundation`__CFRunLoopDoSources0 + 264
frame #7: 0x0000000186a09594 CoreFoundation`__CFRunLoopRun + 712
frame #8: 0x00000001869352d4 CoreFoundation`CFRunLoopRunSpecific + 396
frame #9: 0x00000001901536fc GraphicsServices`GSEventRunModal + 168
frame #10: 0x000000018b4fafac UIKit`UIApplicationMain + 1488
frame #11: 0x00000001000bab5c WeChat`_mh_execute_header + 617308
frame #12: 0x00000001988a6a08 libdyld.dylib`start + 4
//計算函數地址
偏移后符號基地址 = 偏移前符號基地址 + 符號所在模塊的ASLR偏移
偏移后符號基地址 - 符號所在模塊的ASLR偏移 = 偏移前符號基地址
0x0000000101e3db24 - 00000000000f4000 = 101D49B24
-
在Hopper或者IDA中分析函數調用關系
0x0000000101dcbb0c -[BaseMsgContentViewController addMessageNode:layout:addMoreMsg:] //在此處設置斷點,發現只有在當前聊天界面才會觸發,不是我們找的目標方法 0x102011434 = 0x0000000102035434 - 0x0000000000024000 -[BaseMsgContentLogicController DidAddMsg:] a //在此處設置斷點,發現只有在當前聊天界面才會觸發,不是我們找的目標方法 0x101FFC59C = 0x000000010202059c - 0x0000000000024000 -[BaseMsgContentLogicController OnAddMsg:MsgWrap:] //在此處設置斷點,只要收到消息就會觸發,符合我們尋址的目標方法 0x102805D60 = 0x0000000102829d60 - 0x0000000000024000 -[CMessageMgr MainThreadNotifyToExt:] 注:定位到另一個與消息接收有關的類CMessageMgr,在微信到處頭文件中發現有同名文件CMessageMgr.h -
繼續使用Tweak來hook CMessageMgr中的方法,觀察日志輸出
//使用logify來繼續追蹤CMessageMgr這個類,發現消息到來時,這幾個方法有響應 //單獨分析這幾個方法 %hook CMessageMgr - (void)AsyncOnPreAddMsg:(id)arg1 MsgWrap:(id)arg2 { %log; %orig; } - (void)AsyncOnAddMsg:(id)arg1 MsgWrap:(id)arg2 { %log; %orig; } - (void)AsyncOnPushMsg:(id)arg1 { %log; %orig; } - (void)CheckMessageStatus:(id)arg1 Msg:(id)arg2 { %log; %orig; } %end 1.打開聊天界面時CheckMessageStatus有反應,所以排除它 2.AsyncOnPreAddMsg、AsyncOnAddMsg、AsyncOnPushMsg這三個方法都是在消息到來時觸發,從 方法命名AsyncOnPreAddMsg應該是消息的前置處理,AsyncOnPushMsg可能是往隊列里面添加消息。 這三個方法都可以用來備選,我們先選AsyncOnAddMsg。 //分析AsyncOnAddMsg的參數 %hook CMessageMgr - (void)AsyncOnAddMsg:(id)arg1 MsgWrap:(id)arg2 { NSLog(@"arg1 = %@ , arg2 = %@", arg1, arg2); NSLog(@"arg1 class = %@ , arg2 class = %@", [arg1 class], [arg2 class]); %orig; } %end //參數輸出日志如下 Sep 9 16:39:53 luz-iphone WeChat[16048]: arg1 = wxid_lx85gyfaib9431 , arg2 = {m_uiMesLocalID=61, m_ui64MesSvrID=6890149828648546534, m_nsFromUsr=wxi*431~19, m_nsToUsr=wxi*r12~19, m_uiStatus=3, type=1, msgSource="<msgsource><sequence_id>649531092</sequence_id></msgsource>"} Sep 9 16:39:53 luz-iphone WeChat[16048]: arg1 = __NSCFString , arg2 = CMessageWrap //所以消息響應函數如下,CMessageWrap亦有同名的導出頭文件CMessageWrap.h - (void)AsyncOnAddMsg:(NSString *)wxid MsgWrap:(CMessageWrap *)wrap; 分析消息內容相關的類CMessageWrap
@interface CMessageWrap
@property (nonatomic, strong) NSString* m_nsContent;
@property (nonatomic, assign) NSInteger m_uiMessageType;
@property(retain, nonatomic) NSString *m_nsFromUsr;
@property(retain, nonatomic) NSString *m_nsToUsr;
@property(retain, nonatomic) NSString *m_nsAtUserList; // @synthesize m_nsAtUserList;
@property(retain, nonatomic) NSString *m_nsBizChatId; // @synthesize m_nsBizChatId;
@property(retain, nonatomic) NSString *m_nsBizClientMsgID; // @synthesize m_nsBizClientMsgID;
@property(retain, nonatomic) NSString *m_nsDisplayName; // @synthesize m_nsDisplayName;
@property(retain, nonatomic) NSString *m_nsKFWorkerOpenID; // @synthesize m_nsKFWorkerOpenID;
@property(retain, nonatomic) NSString *m_nsMsgSource; // @synthesize m_nsMsgSource;
@property(retain, nonatomic) NSString *m_nsPattern; // @synthesize m_nsPattern;
@property(retain, nonatomic) NSString *m_nsPushContent; // @synthesize m_nushContent;
@property(retain, nonatomic) NSString *m_nsRealChatUsr; // @synthesize m_nsRealChatUsr;
@end
%hook CMessageMgr
- (void)AsyncOnAddMsg:(NSString *)wxid MsgWrap:(CMessageWrap *)wrap {
%orig;
NSInteger uiMessageType = [wrap m_uiMessageType];
NSString* content = [wrap m_nsContent];
NSString* nsFromUsr = [wrap m_nsFromUsr];
NSString* nsToUsr = [wrap m_nsToUsr];
NSString* nsAtUserList = [wrap m_nsAtUserList];
NSString* nsBizChatId = [wrap m_nsBizChatId];
NSString* nsBizClientMsgID = [wrap m_nsBizClientMsgID];
NSString* nsKFWorkerOpenID = [wrap m_nsKFWorkerOpenID];
NSString* nsMsgSource = [wrap m_nsMsgSource];
NSString* nsDisplayName = [wrap m_nsDisplayName];
NSString* nsPattern = [wrap m_nsPattern];
NSString* nsRealChatUsr = [wrap m_nsRealChatUsr];
NSString* nsPushContent = [wrap m_nsPushContent];
NSLog(@"m_uiMessageType=%zd m_nsContent=%@ m_nsFromUsr=%@ m_nsToUsr=%@ m_nsAtUserList=%@ m_nsBizChatId=%@ m_nsBizClientMsgID=%@ m_nsDisplayName=%@ m_nsKFWorkerOpenID=%@ m_nsMsgSource=%@ m_nsPattern=%@ m_nsPushContent=%@ m_nsRealChatUsr=%@",
uiMessageType,
content,
nsFromUsr,
nsToUsr,
nsAtUserList,nsBizChatId,
nsBizClientMsgID,
nsDisplayName,
nsKFWorkerOpenID,
nsMsgSource,
nsPattern,
nsPushContent,
nsRealChatUsr);
//記錄消息
if( 1 == uiMessageType ){ //普通消息
if( 0 == nsPushContent.length){
if([nsToUsr rangeOfString:@"filehelper"].location != NSNotFound)
NSLog(@"[文件助手: %@]",content);
else NSLog(@"[我: %@]",content);
}else
NSLog(@"[%@]",nsPushContent);
}else if ( 3 == uiMessageType ){ //圖片消息
NSLog(@"收到圖片消息");
}else if ( 49 == uiMessageType ){ //紅包消息
NSLog(@"收到紅包消息");
}
}
%end
