First, a look at the result
image.png
image.png
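1. Get a WeChat IPA
First you need a WeChat IPA package. There are two ways to get one: download it through PP Assistant (PP助手), or pull the IPA off a jailbroken phone. There is plenty of material about this online.
This article uses the jailbreak build of the WeChat IPA downloaded from PP Assistant. The jailbreak WeChat IPA on PP Assistant has already been decrypted ("shell-cracked"), so it is convenient to use. Decrypting it yourself seems to require a jailbroken phone; if you do not have one, it seems the only option is to download an already-decrypted IPA from PP Assistant. See the attached screenshot (weichat).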
weichat.png
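2. Install MonkeyDev
Why install MonkeyDev? MonkeyDev is built on OpenDev, but OpenDev stopped being updated in 2013, so AloneMonkey updated it further on that basis and made it simpler and more foolproof. For the detailed installation steps, see the original blog post.
Once it is installed, the following templates appear when you create a new project.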
image.png
Create a dynamic debugging project with MonkeyDev
Now create a MonkeyApp project, as shown below.
image.png
Then put the downloaded WeChat IPA in the location shown in the figure. Do not delete the file named "put ipa or app here"; leave it in place.
image.png
Now we start writing code. First find this file in the project:
image.png
#import <CaptainHook/CaptainHook.h> // CH* macros used below

CHDeclareClass(WCDeviceStepObject); // declare class

CHOptimizedMethod(0, self, unsigned int, WCDeviceStepObject, m7StepCount) // hook method (no arguments, returns unsigned int)
{
    // Read the value stored by the input dialog
    int stepCount = [[[NSUserDefaults standardUserDefaults] objectForKey:@"StepCount"] intValue];
    NSLog(@"--stepCountstepCountstepCount---%d", stepCount);
    return stepCount; // this is the modified step count
}

CHConstructor // code block that runs immediately upon load
{
    @autoreleasepool
    {
        CHLoadLateClass(WCDeviceStepObject);
        CHHook(0, WCDeviceStepObject, m7StepCount);
    }
}
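The value in return stepCount; above is the step count, of type int. Here I added a manual input box so it can be changed dynamically. The input box code follows; with the code below, a dialog pops up when the app is opened.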
#import "GMAlertView.h" // the dialog view defined below

CHDeclareClass(NewMainFrameViewController);

CHMethod0(void, NewMainFrameViewController, viewDidLoad) {
    NSLog(@"NewMainFrameViewControllerNewMainFrameViewControllerNewMainFrameViewController");
    // Show the input dialog, then call the original viewDidLoad
    GMAlertView *alertView = [[GMAlertView alloc] initWithFrame:CGRectMake(40, UIScreen.mainScreen.bounds.size.height / 2.0f - 150, UIScreen.mainScreen.bounds.size.width - 80, 300)];
    [alertView baseXIB_showAlpha:.3 color:nil];
    CHSuper0(NewMainFrameViewController, viewDidLoad);
}

CHConstructor {
    CHLoadLateClass(NewMainFrameViewController);
    CHClassHook0(NewMainFrameViewController, viewDidLoad);
}
Dialog code: .h
#import <UIKit/UIKit.h>

NS_ASSUME_NONNULL_BEGIN

@interface GMAlertView : UIView
@property (strong, nonatomic) UITextField *numField;
@property (strong, nonatomic) UILabel *numLable;
/** Add a background view; alpha is its transparency; color == nil falls back to blackColor */
- (void)baseXIB_showAlpha:(CGFloat)alpha color:(nullable UIColor *)color;
@end

NS_ASSUME_NONNULL_END
Dialog: .m
#import "GMAlertView.h"

static NSInteger tag = 989898;

@implementation GMAlertView

- (instancetype)initWithFrame:(CGRect)frame {
    if (self = [super initWithFrame:frame]) {
        self.backgroundColor = [UIColor whiteColor];
        [self.layer setCornerRadius:8.0f];
        [self.layer setMasksToBounds:YES];

        // Instruction label
        self.numLable = [UILabel new];
        self.numLable.frame = CGRectMake(40, 10, UIScreen.mainScreen.bounds.size.width - 80, 50);
        self.numLable.textAlignment = NSTextAlignmentCenter;
        self.numLable.text = @"请输入要修改的步数,然后点击确定。然后进去搜索微信健康进入微信运动即可。由于需要上传更新步数需要时间,大约2-5分钟查询结果";
        self.numLable.numberOfLines = 0;
        [self addSubview:self.numLable];

        // Numeric input field for the step count
        self.numField = [[UITextField alloc] init];
        self.numField.frame = CGRectMake(20, 70, frame.size.width - 40, 50);
        self.numField.backgroundColor = [UIColor groupTableViewBackgroundColor];
        // self.numLable.backgroundColor = [UIColor grayColor];
        self.numField.placeholder = @"请输入步数";
        self.numField.keyboardType = UIKeyboardTypeNumberPad;
        self.numField.textAlignment = NSTextAlignmentCenter;
        // self.numField.backgroundColor = [UIColor redColor];
        // self.numField.text = @"1999";
        [self addSubview:self.numField];

        // Confirm button
        UIButton *btn = [UIButton buttonWithType:UIButtonTypeCustom];
        btn.backgroundColor = [UIColor redColor];
        [btn setTitle:@"确定" forState:UIControlStateNormal];
        btn.frame = CGRectMake(20, frame.size.height - 90, frame.size.width - 40, 50);
        [btn addTarget:self action:@selector(btnClick) forControlEvents:UIControlEventTouchUpInside];
        [self addSubview:btn];
    }
    return self;
}

/** Add a background view; alpha is its transparency */
- (void)baseXIB_showAlpha:(CGFloat)alpha color:(UIColor *)color {
    UIView *bgView = [[UIView alloc] initWithFrame:CGRectMake(0, 0, [UIScreen mainScreen].bounds.size.width, [UIScreen mainScreen].bounds.size.height)];
    bgView.backgroundColor = color ? color : [UIColor blackColor];
    bgView.alpha = alpha;
    bgView.tag = tag;
    UIWindow *window = [[UIApplication sharedApplication].delegate window];
    [window addSubview:bgView];
    [window addSubview:self];
    [window makeKeyWindow];
}

/** Remove the views */
- (void)baseXIB_removeSubView {
    UIWindow *window = [[UIApplication sharedApplication].delegate window];
    UIView *bgView = [window viewWithTag:tag];
    [bgView removeFromSuperview];
    [self removeFromSuperview];
}

- (void)btnClick {
    // Check the input field (not the instruction label) for an empty value
    if (self.numField.text.length == 0) {
        [[[UIAlertView alloc] initWithTitle:@"微信提示" message:@"请输入步数" delegate:self cancelButtonTitle:@"取消" otherButtonTitles:nil, nil] show];
        return;
    }
    [[[UIAlertView alloc] initWithTitle:@"微信提示" message:@"修改成功请重新打开微信进入微信运动" delegate:self cancelButtonTitle:@"取消" otherButtonTitles:nil, nil] show];
    // return;
    [[NSUserDefaults standardUserDefaults] setObject:self.numField.text forKey:@"StepCount"];
    [[NSUserDefaults standardUserDefaults] synchronize];
    // [self removeFromSuperview];
    [self baseXIB_removeSubView];
}

- (IBAction)okBtn:(id)sender {
    [[NSUserDefaults standardUserDefaults] setObject:self.numField.text forKey:@"StepCount"];
    [[NSUserDefaults standardUserDefaults] synchronize];
    [self baseXIB_removeSubView];
}

- (void)touchesBegan:(NSSet<UITouch *> *)touches withEvent:(UIEvent *)event {
    [self.numField endEditing:YES];
}

@end
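Once the code is written there is one pitfall: use of the runtime library is not allowed. Change the setting at the location shown in the figure to NO.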
image.png
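The code is now done. Next, install it on the phone: first run DemoLdbDylib, then select the app target and run it. Remember to change the certificate and Bundle Identifier to your own.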
image.png
image.png
Once it has run and installed successfully, open the newly installed WeChat on the phone.
image.png
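At this point it is done. Open WeChat Sports (微信运动) in the newly installed WeChat. After waiting a few minutes, the data will have been changed to the number in the code.
What if you want to package it as an IPA and distribute it to others? Here is a crude method. Create a new empty folder named Payload.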
image.png
After a successful run you will find an additional .app under TargetApp.
image.png
Copy it into the Payload folder, then compress that folder into a .zip. Once it has been compressed, change the file extension.
image.png
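The reverse-engineering code above is based on https://www.jianshu.com/p/1f278e47d4e1. For the detailed reverse-engineering analysis, there is plenty of material online.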