Step-by-step iOS WeChat auto red-packet grabbing (non-jailbreak): notes on the problems hit while actually doing it and how each was solved
https://www.jianshu.com/p/189afbe3b429
1. Path of the WeChat binary on the (jailbroken) test phone:
/var/containers/Bundle/Application/4FFD8D7B-3AC7-4DBB-90E2-A632F189A6A0/WeChat.app/WeChat
2. Get the path of WeChat's Documents directory by attaching Cycript to the running process and evaluating:
cycript -p WeChat
NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES)[0]
which returns
/var/mobile/Containers/Data/Application/1FD71CE5-60E0-4BEC-9566-C93823369330/Documents
3. Copy the decryption tool dumpdecrypted.dylib from the local tools directory into WeChat's sandbox on the phone over SSH:
cd /Users/wangfangshuai/Documents/wangfs/文稿/iOSSafe/Tools
scp ./dumpdecrypted.dylib root@172.18.0.93:/var/mobile/Containers/Data/Application/1FD71CE5-60E0-4BEC-9566-C93823369330/Documents
4. In the root SSH session on the phone, change into that Documents directory:
cd /var/mobile/Containers/Data/Application/1FD71CE5-60E0-4BEC-9566-C93823369330/Documents
5. The dump dies with "Killed: 9" (an unsigned dylib is rejected by the code-signature check and the process is SIGKILLed). Two fixes:
https://www.jianshu.com/p/7a7fef112b86 : run the dump as the mobile user, not root (su mobile)
https://www.jianshu.com/p/b6d4ce0b10e4 : sign dumpdecrypted.dylib with your own developer certificate on the Mac before copying it over:
codesign --force --verify --verbose --sign "iPhone Developer: fangshuai wang (DGAX3FY9AR)" dumpdecrypted.dylib
6. Run WeChat from that Documents directory with dumpdecrypted injected. If the dump succeeds, copy out WeChat.decrypted; if the tool reports that the binary is not encrypted, no dumping is needed and WeChat itself can be copied directly:
DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/containers/Bundle/Application/4FFD8D7B-3AC7-4DBB-90E2-A632F189A6A0/WeChat.app/WeChat
7. Export the header files (from the plain binary if it was not encrypted, otherwise from the decrypted one), to see which method to hook; one of:
./class-dump -s -S -H ./WeChat -o ./header6.6.0-arm64
./class-dump -s -S -H ./WeChat.decrypted -o ./header6.6.0-arm64
8. Local signing identities (as listed by security find-identity -v -p codesigning); the first one is the identity used for all signing below:
- 716699D95A9D9B6DD2D5292CEAA8F2C1BFDBDE15 "iPhone Developer: fangshuai wang (DGAX3FY9AR)"
- 3868441CAA07AA322FC24E6B0F49B9CBB195D57D "iPhone Developer: fangshuai wang (BU4ZDHQ3UX)"
- 0293A57885B61F820B861389483FC85F36AF3D06 "iPhone Distribution: Banif Banco de Investimento S.A. (VQD29D5XJF)"
- 716A75FC487E9B3A82A7FFE57598F5011E436662 "iPhone Distribution: Radar International Markets Advisory (Beijing)Limited (XHKKLMZMHY)"
- DF3107E9F8874DFD513E38512234F1D61BA87455 "iPhone Developer: fangshuai wang (M4Y4XH854X)"
- CA69BEF457104121E4E4C34D7D364963617FBB99 "iPhone Distribution: Radar Brokers Ltd. (S5ZVK38D6V)"
6 valid identities found
9. Fix for a failed iOSOpenDev installation:
https://www.ianisme.com/ios/2319.html
10. Inject the hook dylib into the WeChat binary (yololib appends a load command for libautoGetRedEnv.dylib to the Mach-O):
./yololib WeChat libautoGetRedEnv.dylib
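Two of the steps above depend on the Mach-O load commands without showing them: dumpdecrypted decides whether there is anything to dump from the cryptid field of LC_ENCRYPTION_INFO (1 = FairPlay-encrypted, 0 = plain), and yololib works by appending an LC_LOAD_DYLIB command naming the hook dylib. The parser below, an added example that is not part of the original post and not code from dumpdecrypted or yololib, walks a thin or fat Mach-O and reports both facts per slice, so you can check a binary before dumping and after injection. The WeChat-like binaries it inspects are constructed in memory (header plus load commands, no segments) and the install name `@executable_path/libautoGetRedEnv.dylib` is assumed for the hook; it also handles the 32-bit armv7 slice that a fat App Store build of that era carried alongside arm64.

```python
import struct

# Constants from <mach-o/loader.h> and <mach-o/fat.h>
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE          # 32-bit slice, 28-byte header
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE    # 64-bit slice, 32-byte header
FAT_MAGIC = 0xCAFEBABE                                # fat header, always big-endian
CPU_TYPE_ARM, CPU_TYPE_ARM64 = 0x0C, 0x0100000C
LC_REQ_DYLD = 0x80000000
LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB = 0x0C, 0x18 | LC_REQ_DYLD
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
HEADER_SIZE = {MH_MAGIC: 28, MH_CIGAM: 28, MH_MAGIC_64: 32, MH_CIGAM_64: 32}


def parse_thin(data):
    """Walk one slice's load commands. cryptid 1 = FairPlay-encrypted __TEXT,
    0 = plain, None = no LC_ENCRYPTION_INFO at all (typical for a dylib)."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic not in HEADER_SIZE:
        raise ValueError("not a Mach-O slice: magic 0x%08x" % magic)
    e = "<" if magic in (MH_MAGIC, MH_MAGIC_64) else ">"
    (cputype,) = struct.unpack_from(e + "i", data, 4)
    ncmds, sizeofcmds = struct.unpack_from(e + "II", data, 16)
    off = HEADER_SIZE[magic]
    end = off + sizeofcmds
    info = {"cputype": cputype, "cryptid": None, "dylibs": []}
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from(e + "II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("load command at 0x%x overruns sizeofcmds" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # encryption_info_command: cmd, cmdsize, cryptoff, cryptsize, cryptid[, pad]
            (info["cryptid"],) = struct.unpack_from(e + "I", data, off + 16)
        elif cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB):
            # dylib_command: the lc_str offset is relative to the start of this command
            (name_off,) = struct.unpack_from(e + "I", data, off + 8)
            raw = data[off + name_off:off + cmdsize]
            info["dylibs"].append(raw.split(b"\0", 1)[0].decode("utf-8"))
        off += cmdsize
    return info


def parse_macho(data):
    """Per-slice results for a thin or fat file (fat_arch: cputype, cpusubtype, offset, size, align)."""
    (magic,) = struct.unpack_from(">I", data, 0)
    if magic != FAT_MAGIC:
        return [parse_thin(data)]
    (nfat,) = struct.unpack_from(">I", data, 4)
    slices = []
    for i in range(nfat):
        _, _, offset, size, _ = struct.unpack_from(">iiIII", data, 8 + 20 * i)
        slices.append(parse_thin(data[offset:offset + size]))
    return slices


def needs_dump(data):
    """True if any slice is still encrypted, i.e. dumpdecrypted has work to do."""
    return any(s["cryptid"] == 1 for s in parse_macho(data))


def loads_dylib(data, name):
    """True if every slice carries an LC_LOAD_DYLIB for `name` (the injection took effect)."""
    return all(name in s["dylibs"] for s in parse_macho(data))


# --- Constructed fixtures, not real WeChat binaries: header + load commands, no segments ---
def build_slice(cryptid, dylibs, bits=64):
    magic, cputype, align = (MH_MAGIC_64, CPU_TYPE_ARM64, 8) if bits == 64 else (MH_MAGIC, CPU_TYPE_ARM, 4)
    cmds = b""
    for name in dylibs:
        name_b = name.encode("utf-8") + b"\0"
        size = 24 + len(name_b)
        size += (-size) % align                # load commands are pointer-aligned
        cmds += struct.pack("<IIIIII", LC_LOAD_DYLIB, size, 24, 2, 0x10000, 0x10000)
        cmds += name_b.ljust(size - 24, b"\0")
    if bits == 64:
        cmds += struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    else:
        cmds += struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x4000, 0x8000, cryptid)
    hdr = struct.pack("<IiiIIII", magic, cputype, 0, 2, len(dylibs) + 1, len(cmds), 0)
    return hdr + (struct.pack("<I", 0) if bits == 64 else b"") + cmds   # 64-bit header has a reserved word


def build_fat(*slices):
    archs, body, offset = b"", b"", 0x1000     # first slice page-aligned, like real files
    for s in slices:
        (cputype,) = struct.unpack_from("<i", s, 4)
        padded = s.ljust((len(s) + 0xFFF) & ~0xFFF, b"\0")
        archs += struct.pack(">iiIII", cputype, 0, offset, len(s), 12)
        body += padded
        offset += len(padded)
    return (struct.pack(">II", FAT_MAGIC, len(slices)) + archs).ljust(0x1000, b"\0") + body


UIKIT = "/System/Library/Frameworks/UIKit.framework/UIKit"
HOOK = "@executable_path/libautoGetRedEnv.dylib"     # install name assumed for this example
STORE_FAT = build_fat(build_slice(1, [UIKIT], bits=32), build_slice(1, [UIKIT]))  # as downloaded
PATCHED_ARM64 = build_slice(0, [UIKIT, HOOK])        # after dumping and yololib injection

if __name__ == "__main__":
    for label, blob in (("store", STORE_FAT), ("patched", PATCHED_ARM64)):
        for s in parse_macho(blob):
            print(label, hex(s["cputype"]), "cryptid=%s" % s["cryptid"], s["dylibs"])
```

To use it on a real file, `parse_macho(open(path, "rb").read())`; `needs_dump` answers the "not encrypted, no dumping needed" question before you bother with DYLD_INSERT_LIBRARIES, and `loads_dylib` confirms the injected load command is present in every slice, since a fat binary whose second slice was missed would still launch on the other architecture without the hook.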
11. -bash: port: command not found (MacPorts is installed but not on the PATH). port lives in /opt/local/bin, so it is PATH itself that must be extended; MANPATH and INFOPATH only cover the documentation:
export PATH=/opt/local/bin:/opt/local/sbin:$PATH
export MANPATH=/opt/local/share/man:$MANPATH
export INFOPATH=$INFOPATH:/opt/local/share/info
12. Command PhaseScriptExecution failed with a nonzero exit code:
https://blog.csdn.net/dt1991524/article/details/85339816
13. Command /bin/sh failed with exit code 1:
https://www.jianshu.com/p/4aa74f2f3e10
14. Re-sign everything with the same developer identity, innermost components first and the main app bundle last (the only one that gets the entitlements file):
codesign -f -s "iPhone Developer: fangshuai wang (DGAX3FY9AR)" WeChat.app/libautoGetRedEnv.dylib
codesign -f -s "iPhone Developer: fangshuai wang (DGAX3FY9AR)" WeChat.app/Watch/WeChatWatchNative.app/PlugIns/WeChatWatchNativeExtension.appex
codesign -f -s "iPhone Developer: fangshuai wang (DGAX3FY9AR)" WeChat.app/Watch/WeChatWatchNative.app
codesign -f -s "iPhone Developer: fangshuai wang (DGAX3FY9AR)" WeChat.app/PlugIns/WeChatShareExtensionNew.appex
codesign -f -s "iPhone Developer: fangshuai wang (DGAX3FY9AR)" --entitlements Entitlements.plist WeChat.app
15. Download a WeChat build as close as possible to the author's version:
https://bbs.feng.com/forum.php?mod=viewthread&tid=11771162&page=1&mobile=no
16. Tools used:
yololib: injects the hook dylib into the WeChat binary
class-dump: exports header files from the decrypted WeChat binary, to find which method to hook
dumpdecrypted: strips the encryption from the App Store binary
iOSOpenDev: creates the dylib project in which the actual hook code is written
OpenSSH: connects the computer to the jailbroken phone to find the app path and the Documents path
Cycript: used to find the Documents path