14.1 定位紅包消息響應方法

14.1.1 砸殼和導出頭文件以供分析用

詳細過程見筆記第7章
DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/749DC69A-3A8D-4B5C-9926-1220E69FC85F/WeChat.app/WeChat

class-dump -s -S -H WeChat.decrypted -o ./MyHeaders

14.1.2 借助cycript來動態分析界面定位視圖控制器（ViewController）

• 打開應用并使用cycript附加進程

  cycript -p WeChat

• 使用recursiveDescription打印UIView對象

 [[UIApp keyWindow] recursiveDescription].toString()
 或者
 UIApp.keyWindow.recursiveDescription().toString()

• 選擇一個UIView對象的id，借助nextResponder方法獲取視圖控制器

 <UIView: 0x14eaed070; frame = (0 0; 320 568); autoresize = W+H; layer = <CALayer: 0x14eafa130>>
 
 //使用nextResponder找到視圖控制器（ViewController）
 cy# [#0x14eaed070 nextResponder]
 #"<BaseMsgContentViewController: 0x14f1dc200>"

• 在class-dump到處的頭文件中，查找BaseMsgContentViewController相關的文件

 ? ls -al *BaseMsgContentViewController*
 -rw-r--r--  1 liuzhongzheng  staff  26105 Aug 25 15:59 BaseMsgContentViewController.h

• cycript的其它用法介紹

  • _printHierarchy － 直接打印所有UIViewController

    [[[UIWindow keyWindow] rootViewController] _printHierarchy].toString()
    

  • _autolayoutTrace - recursiveDescription的簡化版，去掉了UIView的一些描述

  [[UIApp keyWindow] _autolayoutTrace].toString()
  

  • 獲取bundle info

  [[NSBundle mainBundle] infoDictionary].toString()
  

14.1.3 借助Reveal來動態分析界面定位視圖控制器（ViewController）

• OSX 上安裝Reveal
  官網:https://revealapp.com/

• iOS 上安裝Reveal Loader
  通過Cydia搜索安裝Reveal Loader

• 使用Reveal觀察界面結構

14.1.4 借助thoes模塊Logify來精確定位消息響應方法

• 創建Tweak工程

• 批量生成hook BaseMsgContentViewController.h文件中方法的Tweak.xm文件

/opt/theos/bin/logify.pl ../WeChat/Headers/BaseMsgContentViewController.h > Tweak.xm

• 用logify.pl生成的Tweak.xm文件替換Tweak工程中的Tweak.xm文件

• 編譯Tweak工程并安裝

make package
make install

• 通過查看和分析日志定位消息響應的方法

tail -f /var/log/syslog | grep WeChat

[<BaseMsgContentViewController: 0x1368e9c00> addMessageNode:{m_uiMesLocalID=38, m_ui64MesSvrID=6021494297990342718, m_nsFromUsr=wxi*431~19, m_nsToUsr=wxi*r12~19, m_uiStatus=4, type=1, msgSource="<msgsource><sequence_id>649531066</sequence_id></msgsource>"}  layout:1 addMoreMsg:0]

//定位到與消息響應相關的方法
- (void)addMessageNode:(id)arg1 layout:(_Bool)arg2 addMoreMsg:(_Bool)arg3 { %log; %orig; }

14.1.5 借助lldb進行動態調試

• 在iOS上配置debugserver

• 把iPhone連接xcode，在iOS上/Developer/usr/bin/目錄下面生成調試工具debugserver

 luz-iphone:/Developer/usr/bin root# ls
 DTDeviceArbitration*  ScreenShotr*  XcodeDeviceMonitor*  debugserver*  iprofiler*  xctest*

• 給debugserver瘦身和重新簽名，并放入/usr/bin/目錄下方便隨時調用
  lipo（靜態庫拆分與合并）命令的介紹: http://www.lxweimin.com/p/e590f041c5f6

  //拷貝到OS X上去
  scp debugserver luz@192.168.1.138:/tmp 
  
  //查看CPU架構信息
  ?lipo -info debugserver 
  Architectures in the fat file: debugserver are: armv7 armv7s arm64
  
  //瘦身
  lipo -thin arm64 debugserver -output debugserver.thin
  
  //使用ldid添加task_for_pid權限
  ?  ldid -Sent.xml debugserver.thin 
  ?  ldid -e debugserver.thin 
   <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
   <plist version="1.0">
   <dict>
           <key>com.apple.springboard.debugapplications</key>
           <true/>
           <key>get-task-allow</key>
           <true/>
           <key>task_for_pid-allow</key>
           <true/>
           <key>run-unsigned-code</key>
           <true/>
   </dict>
   </plist>
   
  //使用codesign添加task_for_pid權限
  codesign -s - --entitlements ent.plist -f debugserver.thin
  ? ldid -e  debugserver.thin
   <?xml version="1.0" encoding="UTF-8"?>
   <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/ PropertyList-1.0.dtd">
   <plist version="1.0">
   <dict>
       <key>com.apple.springboard.debugapplications</key>
       <true/>
       <key>run-unsigned-code</key>
       <true/>
       <key>get-task-allow</key>
       <true/>
       <key>task_for_pid-allow</key>
       <true/>
   </dict> 
   </plist>
  

• 在iOS使用debugserver附加程序

  • 打開調試

  debugserver -x backboard IP:port /path/to/executable
  

  • 附加調試

  debugserver *:9527 -a "WeChat"
  

• 在OSX使用lldb連接debugserver進行調試

 lldb 
 process connect connect://192.168.1.113:9527  //ip是iPhone的地址，端口要一致

• 使用usbmuxd工具通過USB口轉發ssh和調式信息
• 通過USB口轉發ssh

 //把本地2222端口轉發到iOS的22(ssh)端口
 ./tcprelay.py -t 22:2222
 Forwarding local port 2222 to remote port 22

 //ssh進行連接 - localhost(127.0.0.1)是本地主機(本機的標準域名)
 ssh root@localhost -p 2222   

• 通過USB口轉發lldb調試

  //把本地9527端口轉發到iOS的9527端口
  ./tcprelay.py -t 9527:9527
  
  //在iOS上指定debugserver監聽的端口號(要與9527:9527冒號前面的一致9527)
  debugserver *:9527 -a "WeChat" 
  
  //在OSX上指定連接的端口號(要與9527:9527冒號后面的一致)
  lldb 
  process connect connect://localhost:9527 
  

• 查看ASLR偏移

image list -o -f 

(lldb) image list -o -f
[  0] 0x0000000000054000 /private/var/mobile/Containers/Bundle/Application/749DC69A-3A8D-4B5C-9926-1220E69FC85F/WeChat.app/WeChat(0x0000000100054000)

偏移后模塊基地址 = 偏移前模塊基地址 + 模塊的ASLR偏移
偏移后符號基地址 = 偏移前符號基地址 + 符號所在模塊的ASLR偏移（一般用在這兒）
偏移后指令基地址 = 偏移前指令基地址 + 指令所在模塊的ASLR偏移

• 使用Hopper查看函數基地址

 -[BaseMsgContentViewController addMessageNode:layout:addMoreMsg:]:
0000000101dcbb0c         db  0xe9 ; '.'                                         
0000000101dcbb0d         db  0x23 ; '#'

• 使用lldb的br命令設備斷點br

   br s -a '0x0000000000054000+0x0000000101dcbb0c'
  
   設置斷點
   b function
   br s –a address
   br s –a 'ASLROffset+address'
   
   //查看所有斷點
   br list
   
   //刪除斷點
   br delete 1
   
   //程序繼續運行
   
  

• 發送消息，等待觸發斷點，然后查看函數調用堆棧

(lldb) bt
   * thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 2.1
     * frame #0: 0x0000000101defb0c WeChat`_mcwxh_dydx33_8to8(_VDecStruct*, unsigned char*, unsigned char*, unsigned int, unsigned int, unsigned int, unsigned int) + 23979876
       frame #1: 0x0000000102035434 WeChat`_mcwxh_dydx33_8to8(_VDecStruct*, unsigned char*, unsigned char*, unsigned int, unsigned int, unsigned int, unsigned int) + 26361996
       frame #2: 0x000000010202059c WeChat`_mcwxh_dydx33_8to8(_VDecStruct*, unsigned char*, unsigned char*, unsigned int, unsigned int, unsigned int, unsigned int) + 26276340
       frame #3: 
       WeChat`_mcwxh_dydx33_8to8(_VDecStruct*, unsigned char*, unsigned char*, unsigned int, unsigned int, unsigned int, unsigned int) + 34703800
       frame #4: 0x0000000187955f9c Foundation`__NSThreadPerformPerform + 372
       frame #5: 0x0000000186a0c240 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 24
       frame #6: 0x0000000186a0b4e4 CoreFoundation`__CFRunLoopDoSources0 + 264
       frame #7: 0x0000000186a09594 CoreFoundation`__CFRunLoopRun + 712
       frame #8: 0x00000001869352d4 CoreFoundation`CFRunLoopRunSpecific + 396
       frame #9: 0x00000001901536fc GraphicsServices`GSEventRunModal + 168
       frame #10: 0x000000018b4fafac UIKit`UIApplicationMain + 1488
       frame #11: 0x00000001000bab5c WeChat`_mh_execute_header + 617308
       frame #12: 0x00000001988a6a08 libdyld.dylib`start + 4
 
 //計算函數地址
偏移后符號基地址 = 偏移前符號基地址 + 符號所在模塊的ASLR偏移
偏移后符號基地址 - 符號所在模塊的ASLR偏移 = 偏移前符號基地址
0x0000000101e3db24 -  00000000000f4000 =  101D49B24

• 在Hopper或者IDA中分析函數調用關系

  0x0000000101dcbb0c
  -[BaseMsgContentViewController addMessageNode:layout:addMoreMsg:]
  
  //在此處設置斷點，發現只有在當前聊天界面才會觸發，不是我們找的目標方法
  0x102011434 = 0x0000000102035434 - 0x0000000000024000 
  -[BaseMsgContentLogicController DidAddMsg:]
  
  a //在此處設置斷點，發現只有在當前聊天界面才會觸發，不是我們找的目標方法
  0x101FFC59C = 0x000000010202059c - 0x0000000000024000 
  -[BaseMsgContentLogicController OnAddMsg:MsgWrap:]
  
  //在此處設置斷點，只要收到消息就會觸發，符合我們尋址的目標方法
  0x102805D60 = 0x0000000102829d60 - 0x0000000000024000 
  -[CMessageMgr MainThreadNotifyToExt:]
  
  注:定位到另一個與消息接收有關的類CMessageMgr，在微信到處頭文件中發現有同名文件CMessageMgr.h
  

• 繼續使用Tweak來hook CMessageMgr中的方法，觀察日志輸出

  //使用logify來繼續追蹤CMessageMgr這個類，發現消息到來時，這幾個方法有響應
  
  //單獨分析這幾個方法
  %hook CMessageMgr
  - (void)AsyncOnPreAddMsg:(id)arg1 MsgWrap:(id)arg2 { %log; %orig; }
  - (void)AsyncOnAddMsg:(id)arg1 MsgWrap:(id)arg2 { %log; %orig; }
  - (void)AsyncOnPushMsg:(id)arg1 { %log; %orig; }
  - (void)CheckMessageStatus:(id)arg1 Msg:(id)arg2 { %log; %orig; }
  %end
  
  1.打開聊天界面時CheckMessageStatus有反應，所以排除它
  2.AsyncOnPreAddMsg、AsyncOnAddMsg、AsyncOnPushMsg這三個方法都是在消息到來時觸發，從
    方法命名AsyncOnPreAddMsg應該是消息的前置處理，AsyncOnPushMsg可能是往隊列里面添加消息。
    這三個方法都可以用來備選，我們先選AsyncOnAddMsg。
  
  //分析AsyncOnAddMsg的參數 
  %hook CMessageMgr
  - (void)AsyncOnAddMsg:(id)arg1 MsgWrap:(id)arg2 {
      NSLog(@"arg1 = %@ , arg2 = %@", arg1, arg2); 
      NSLog(@"arg1 class = %@ , arg2 class = %@", [arg1 class], [arg2 class]);  
      %orig; 
  }
  %end
  //參數輸出日志如下
  Sep  9 16:39:53 luz-iphone WeChat[16048]: arg1 = wxid_lx85gyfaib9431 , arg2 = {m_uiMesLocalID=61, m_ui64MesSvrID=6890149828648546534, m_nsFromUsr=wxi*431~19, m_nsToUsr=wxi*r12~19, m_uiStatus=3, type=1, msgSource="<msgsource><sequence_id>649531092</sequence_id></msgsource>"}  Sep  9 16:39:53 luz-iphone WeChat[16048]: arg1 = __NSCFString , arg2 = CMessageWrap
  //所以消息響應函數如下，CMessageWrap亦有同名的導出頭文件CMessageWrap.h
  - (void)AsyncOnAddMsg:(NSString *)wxid MsgWrap:(CMessageWrap *)wrap; 
  
  

• 分析消息內容相關的類CMessageWrap

    @interface CMessageWrap
    @property (nonatomic, strong) NSString* m_nsContent;
    @property (nonatomic, assign) NSInteger m_uiMessageType;
    @property(retain, nonatomic) NSString *m_nsFromUsr;
    @property(retain, nonatomic) NSString *m_nsToUsr; 

    @property(retain, nonatomic) NSString *m_nsAtUserList; // @synthesize m_nsAtUserList;
    @property(retain, nonatomic) NSString *m_nsBizChatId; // @synthesize m_nsBizChatId;
    @property(retain, nonatomic) NSString *m_nsBizClientMsgID; // @synthesize m_nsBizClientMsgID;
    @property(retain, nonatomic) NSString *m_nsDisplayName; // @synthesize m_nsDisplayName;
    @property(retain, nonatomic) NSString *m_nsKFWorkerOpenID; // @synthesize m_nsKFWorkerOpenID;
    @property(retain, nonatomic) NSString *m_nsMsgSource; // @synthesize m_nsMsgSource;
    @property(retain, nonatomic) NSString *m_nsPattern; // @synthesize m_nsPattern;
    @property(retain, nonatomic) NSString *m_nsPushContent; // @synthesize m_nushContent;
    @property(retain, nonatomic) NSString *m_nsRealChatUsr; // @synthesize m_nsRealChatUsr;
    @end
    
    %hook CMessageMgr
    - (void)AsyncOnAddMsg:(NSString *)wxid MsgWrap:(CMessageWrap *)wrap {
      %orig;
      NSInteger uiMessageType = [wrap m_uiMessageType];
      NSString* content = [wrap m_nsContent];
      NSString* nsFromUsr = [wrap m_nsFromUsr];
      NSString* nsToUsr = [wrap m_nsToUsr];
      NSString* nsAtUserList = [wrap m_nsAtUserList];
      NSString* nsBizChatId = [wrap m_nsBizChatId];
      NSString* nsBizClientMsgID = [wrap m_nsBizClientMsgID];
      NSString* nsKFWorkerOpenID = [wrap m_nsKFWorkerOpenID];
      NSString* nsMsgSource = [wrap m_nsMsgSource];
      NSString* nsDisplayName = [wrap m_nsDisplayName];
      NSString* nsPattern = [wrap m_nsPattern];
      NSString* nsRealChatUsr = [wrap m_nsRealChatUsr];
      NSString* nsPushContent = [wrap m_nsPushContent];
      
      NSLog(@"m_uiMessageType=%zd m_nsContent=%@ m_nsFromUsr=%@ m_nsToUsr=%@ m_nsAtUserList=%@ m_nsBizChatId=%@ m_nsBizClientMsgID=%@ m_nsDisplayName=%@ m_nsKFWorkerOpenID=%@ m_nsMsgSource=%@ m_nsPattern=%@ m_nsPushContent=%@ m_nsRealChatUsr=%@",
                                            uiMessageType,
                                            content,
                                            nsFromUsr,
                                            nsToUsr,
                                            nsAtUserList,nsBizChatId,                 
                                            nsBizClientMsgID,
                                            nsDisplayName,
                                            nsKFWorkerOpenID,
                                            nsMsgSource,
                                            nsPattern,
                                            nsPushContent,
                                            nsRealChatUsr);
                                              //記錄消息 
      if( 1 == uiMessageType ){ //普通消息
        if( 0 == nsPushContent.length){
            if([nsToUsr rangeOfString:@"filehelper"].location != NSNotFound)
                NSLog(@"[文件助手: %@]",content);
            else  NSLog(@"[我: %@]",content);
        }else
          NSLog(@"[%@]",nsPushContent);      
      }else if ( 3 == uiMessageType ){ //圖片消息
         NSLog(@"收到圖片消息");
      }else if ( 49 == uiMessageType ){ //紅包消息
         NSLog(@"收到紅包消息");
      }  
    }
   %end