14.2 Analysing the red-envelope grabbing method
From analysing WeChat messages we know that the message type value of a red-envelope message is 49. To implement automatic grabbing, we therefore only need to hook the message-handling method and, when the message type is 49, call the method that grabs the red envelope. So how do we locate that method? We can analyse and locate it the same way as above.
14.2.1 Using cycript or Reveal to analyse the red-envelope screen
// View hierarchy added when the red-envelope screen pops up
| WCRedEnvelopesReceiveHomeView:0x16212eba0
| | UIButton:0x162587cb0
| | UIImageView:0x162872820
| | | UIView:0x1629021e0
| | | UIView:0x162906590
| | | UIImageView:0x1625dcd80
| | | UIView:0x1628b3c10
| | | | UIView:0x162887f60
| | | | UIView:0x16288a260
| | | | UIImageView:0x1625ee650
| | | | UIImageView:0x1625f5cc0
| | | | UIButton:0x162517760
| | | UIView:0x1628798c0
| | | | MMHeadImageView:0x16217ab70
| | | | | MMUILongPressImageView:0x16286ab80
| | | | | UIImageView:0x1628014b0
| | | MMUILabel:0x162905dd0'^_^'
| | | MMUILabel:0x162901fe0'\u7ed9\u4f60\u53d1\u4e86\u4e00\u4e2a\u7ea2\u5305'
| | | MMUILabel:0x1628796c0'\u606d\u559c\u53d1\u8d22\uff0c\u5927\u5409\u5927\u5229'
| | | UIButton:0x16284b960
| | | UIButton:0x162581d90
| | | | UIImageView:0x16255b1a0
| | | UIImageView:0x1621ca190
| | | UIImageView:0x16256cad0
Note: the dumped headers contain a header of the same name as this view class, WCRedEnvelopesReceiveHomeView.h.
Use a Tweak to hook the methods declared in WCRedEnvelopesReceiveHomeView.h
// The log shows that OnOpenRedEnvelopes is the method that responds to the grab
Sep 9 19:18:19 Flongers-iphone WeChat[17143]: [WeChatReProject] Tweak.xm:5 DEBUG: -[< WCRedEnvelopesReceiveHomeView: 0x13191a020> OnOpenRedEnvelopes]
Sep 9 19:18:19 Flongers-iphone WeChat[17143]: [WeChatReProject] Tweak.xm:19 DEBUG: -[<WCRedEnvelopesReceiveHomeView: 0x13191a020> startReceiveAnimation]
Sep 9 19:18:20 Flongers-iphone WeChat[17143]: [WeChatReProject] Tweak.xm:18 DEBUG: -[<WCRedEnvelopesReceiveHomeView: 0x13191a020> showSuccessOpenAnimation]
Sep 9 19:18:21 Flongers-iphone WeChat[17143]: [WeChatReProject] Tweak.xm:14 DEBUG: -[<WCRedEnvelopesReceiveHomeView: 0x13191a020> removeView]
//該函數(shù)是點擊"搶"時卒蘸,響應的函數(shù)
- (void)OnOpenRedEnvelopes { %log; %orig; }
//使用cycript來驗證一下
Flongers-iphone:~ root# cycript -p WeChat
cy# [#0x130e9a960 OnOpenRedEnvelopes]
14.2.2 Static disassembly analysis
Testing shows that a new WCRedEnvelopesReceiveHomeView instance is created every time the red-envelope screen is opened. If we implement the "grab" through OnOpenRedEnvelopes, the call only succeeds while that screen is open. That is a significant restriction, so we need to analyse the deeper logic and find more general code that handles the grab.
Analysing the OnOpenRedEnvelopes disassembly in Hopper or IDA
Combining the disassembly with the dumped headers, the relevant items in OnOpenRedEnvelopes are:
NSDictionary *m_dicBaseInfo;
id m_delegate;
WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes
// Reading the assembly
[receiver message];
is compiled to: objc_msgSend(receiver, selector);
[receiver messageArg1:xx Arg2:xx ...];
is compiled to: objc_msgSend(receiver, selector, arg1, arg2, ...);
// ADRP forms a page address; X8 is used for indirect addressing, while X0-X7 generally carry arguments and return values.
// So when objc_msgSend is called, X0 holds the first argument (receiver), X1 the second (selector), and the remaining arguments follow in order.
ADRP X8, #selRef_WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes@PAGE
// Load the value at X8 plus the page offset into X1
LDR X1, [X8,#selRef_WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes@PAGEOFF]
// Call the subroutine
BL _objc_msgSend
Note: focus on X0 and X1; from them we can recover the object, the method name and the return value of the Objective-C call.
- Use a tweak to hook OnOpenRedEnvelopes and inspect its data
@interface WCRedEnvelopesReceiveHomeView { NSDictionary *m_dicBaseInfo; id m_delegate; }
@end
%hook WCRedEnvelopesReceiveHomeView
- (void)OnOpenRedEnvelopes {
    // Read ivars via MSHookIvar, which wraps the runtime function class_getInstanceVariable
    NSDictionary *dic = MSHookIvar<NSDictionary *>(self, "m_dicBaseInfo");
    NSArray *arr = [dic allKeys];
    for (NSInteger i = 0; i < arr.count; i++) {
        NSLog(@"%@ : %@", arr[i], [dic objectForKey:arr[i]]);
    }
    id de = MSHookIvar<id>(self, "m_delegate");
    NSLog(@"m_delegate class: %@", [de class]);
    //%orig;
}
%end
- Analyse the code that calls WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes
ADRP X8, #_OBJC_IVAR_$_WCRedEnvelopesReceiveHomeView.m_delegate@PAGE
LDRSW X8, [X8,#_OBJC_IVAR_$_WCRedEnvelopesReceiveHomeView.m_delegate@PAGEOFF]
ADD X0, X19, X8
BL _objc_loadWeakRetained
Pseudocode:
WCRedEnvelopesReceiveControlLogic *controlLogic = self.m_delegate;
MOV X19, X0
ADRP X8, #selRef_WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes@PAGE
LDR X1, [X8,#selRef_WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes@PAGEOFF]
BL _objc_msgSend
Analysis:
X0 is controlLogic
X1 is WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes
Pseudocode:
[controlLogic WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes];
Verification:
The header of the same name, WCRedEnvelopesReceiveControlLogic.h, declares this method:
- (void)WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes;
- Continue with the WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes method of the WCRedEnvelopesReceiveControlLogic class
Analysing the assembly:
ADRP X8, #_OBJC_IVAR_$_WCRedEnvelopesControlLogic.m_data@PAGE
LDRSW X24, [X8,#_OBJC_IVAR_$_WCRedEnvelopesControlLogic.m_data@PAGEOFF]
LDR X0, [X27,X24]  // equivalent to [self m_data]
Combined with the headers: WCRedEnvelopesReceiveControlLogic defines the ivar WCRedEnvelopesControlData *m_data;
ADRP X8, #selRef_m_oSelectedMessageWrap@PAGE
LDR X19, [X8,#selRef_m_oSelectedMessageWrap@PAGEOFF]
MOV X1, X19
BL _objc_msgSend
MOV X29, X29
BL _objc_retainAutoreleasedReturnValue
MOV X22, X0  // the return value; X22 now holds msgWrap
Analysis: X0 is the value of m_data; X1 is the value passed through X19, i.e. m_oSelectedMessageWrap
WCRedEnvelopesControlData defines the ivar: CMessageWrap *m_oSelectedMessageWrap;
Pseudocode:
// self is the WCRedEnvelopesReceiveControlLogic instance
WCRedEnvelopesControlData *data = [self m_data];
CMessageWrap *msgWrap = [data m_oSelectedMessageWrap];
Assembly:
ADRP X8, #selRef_m_oWCPayInfoItem@PAGE
LDR X1, [X8,#selRef_m_oWCPayInfoItem@PAGEOFF]
STR X1, [SP,#0x120+var_100]
BL _objc_msgSend
MOV X29, X29
BL _objc_retainAutoreleasedReturnValue
MOV X23, X0  // the return value
Analysis: X0 is msgWrap from above; X1 is m_oWCPayInfoItem
CMessageWrap has the property @property(retain, nonatomic) WCPayInfoItem *m_oWCPayInfoItem;
Pseudocode: WCPayInfoItem *payInfoItem = [msgWrap m_oWCPayInfoItem];
Assembly:
ADRP X8, #selRef_m_c2cNativeUrl@PAGE
LDR X1, [X8,#selRef_m_c2cNativeUrl@PAGEOFF]
STR X1, [SP,#0x120+var_108]
BL _objc_msgSend
MOV X29, X29
BL _objc_retainAutoreleasedReturnValue
MOV X25, X0  // the return value
Analysis: X0 is payInfoItem from above; X1 is m_c2cNativeUrl
WCPayInfoItem has the property @property(retain, nonatomic) NSString *m_c2cNativeUrl;
Pseudocode: NSString *c2cNativeUrl = [payInfoItem m_c2cNativeUrl];
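The register tracking done by hand in the objc_msgSend explanation and in the chain above (X0 = receiver, X1 = selector loaded through a selRef_ symbol, the result returned in X0, an ivar reached through an _OBJC_IVAR_$_ offset) can be mechanised. The script below is an added example, not code from the book or from WeChat: it lifts a constructed listing shaped like the WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes excerpts into the same pseudocode, assuming X27 holds self on entry and that symbols appear in the Hopper/IDA spelling used above.

```python
import re

# Constructed ARM64 listing in the shape of the WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes
# excerpts above (same symbol names; stack stores and unrelated instructions left out).
LISTING = """
ADRP X8, #_OBJC_IVAR_$_WCRedEnvelopesControlLogic.m_data@PAGE
LDRSW X24, [X8,#_OBJC_IVAR_$_WCRedEnvelopesControlLogic.m_data@PAGEOFF]
LDR X0, [X27,X24]
ADRP X8, #selRef_m_oSelectedMessageWrap@PAGE
LDR X19, [X8,#selRef_m_oSelectedMessageWrap@PAGEOFF]
MOV X1, X19
BL _objc_msgSend
BL _objc_retainAutoreleasedReturnValue
MOV X22, X0
ADRP X8, #selRef_m_oWCPayInfoItem@PAGE
LDR X1, [X8,#selRef_m_oWCPayInfoItem@PAGEOFF]
BL _objc_msgSend
ADRP X8, #selRef_m_c2cNativeUrl@PAGE
LDR X1, [X8,#selRef_m_c2cNativeUrl@PAGEOFF]
BL _objc_msgSend
"""

def lift(listing, regs):
    """Track what each X register holds and emit one pseudocode line per objc_msgSend."""
    regs, out = dict(regs), []
    for line in listing.strip().splitlines():
        op, _, args = line.partition(" ")
        # ADRP only forms a page address; the @PAGEOFF symbol in the LDR names the target
        if op in ("LDR", "LDRSW") and (m := re.match(r"(X\d+), \[(X\d+),\s*(.+)\]", args)):
            dst, base, off = m.groups()
            if off.startswith("#selRef_"):          # selector reference -> selector name
                regs[dst] = ("sel", off[len("#selRef_"):-len("@PAGEOFF")])
            elif off.startswith("#"):               # _OBJC_IVAR_$_Class.ivar -> ivar offset
                regs[dst] = ("ivar", off[1:-len("@PAGEOFF")].split(".")[-1])
            elif regs.get(off, ("",))[0] == "ivar": # LDR X0, [X27,X24] -> self->ivar
                regs[dst] = ("val", f"{regs[base][1]}->{regs[off][1]}")
        elif op == "MOV":                           # a register copy keeps the symbolic value
            dst, src = [r.strip() for r in args.split(",")]
            if src in regs:
                regs[dst] = regs[src]
        elif op == "BL" and args == "_objc_msgSend":  # X0 = receiver, X1 = selector
            var = f"v{len(out)}"
            out.append(f"id {var} = [{regs['X0'][1]} {regs['X1'][1]}];")
            regs["X0"] = ("val", var)               # the result comes back in X0
    return out

if __name__ == "__main__":
    # Assumption carried over from the hand analysis: X27 holds self inside the method
    print("\n".join(lift(LISTING, {"X27": ("val", "self")})))
```

Other BL targets such as _objc_retainAutoreleasedReturnValue leave X0 untouched, which is why the next objc_msgSend still sees the previous result as its receiver.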
- The value of m_c2cNativeUrl can be inspected with a Tweak
@interface WCPayInfoItem @property(retain, nonatomic) NSString *m_c2cNativeUrl; @end
@interface CMessageWrap @property(retain, nonatomic) WCPayInfoItem *m_oWCPayInfoItem; @end
@interface WCRedEnvelopesControlData { CMessageWrap *m_oSelectedMessageWrap; } @end
@interface WCRedEnvelopesReceiveControlLogic { WCRedEnvelopesControlData *m_data; } @end
%hook WCRedEnvelopesReceiveControlLogic
- (void)WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes {
    id data = MSHookIvar<WCRedEnvelopesControlData *>(self, "m_data");
    NSLog(@"data class:%@", [data class]);
    id msgWrap = MSHookIvar<CMessageWrap *>(data, "m_oSelectedMessageWrap");
    NSLog(@"msgWrap class:%@", [msgWrap class]);
    // Declared properties do not need MSHookIvar; once declared above they can be called directly
    id payinfoitem = [msgWrap m_oWCPayInfoItem];
    NSLog(@"payinfoitem class:%@", [payinfoitem class]);
    NSString *nativeUrl = [payinfoitem m_c2cNativeUrl];
    NSLog(@"nativeUrl class:%@, nativeUrl = %@", [nativeUrl class], nativeUrl);
    //%orig;
}
%end
The value of m_c2cNativeUrl from one grab:
Sep 13 19:16:59 Flongers-iphone WeChat[2438]: data class:WCRedEnvelopesControlData
Sep 13 19:16:59 Flongers-iphone WeChat[2438]: msgWrap class:CMessageWrap
Sep 13 19:16:59 Flongers-iphone WeChat[2438]: payinfoitem class:WCPayInfoItem
Sep 13 19:16:59 Flongers-iphone WeChat[2438]: nativeUrl class:__NSCFString, nativeUrl = wxpay://c2cbizmessagehandler/hongbao/receivehongbao?msgtype=1&channelid=1&sendid=1000039501201709137016141291061&sendusername=&ver=6&sign=