Step by step to achieve iOS WeChat automatic grab red (non jailbreak)

[Image: WeChat red packets]

Objective: while studying iOS reverse engineering recently, the author took the WeChat app on the phone at hand and implemented an automatic red-envelope grabbing function on a non-jailbroken iPhone.

Note: this tutorial is a serious academic research article, for study and research only; readers are asked not to use it for commercial or other illegal purposes, and the author takes no responsibility yo ~ ~

OK, let’s get down to business!

Tools / files needed for this tutorial


  • yololib
  • class-dump
  • dumpdecrypted
  • iOSOpenDev
  • iTools
  • OpenSSH (Cydia)
  • iFile (Cydia)
  • Cycript (Cydia)
  • Command Line Tools
  • Xcode
  • Apple developer certificate or enterprise certificate
  • A jailbroken iPhone

Yes, quite a few tools are needed to grab red envelopes automatically on a non-jailbroken iPhone (a workman who wants to do good work must first sharpen his tools ^_^). Never mind: follow the tutorial step by step, and repeat any step that is unclear; after all, pies don't fall from the sky.

Decrypt WeChat executable (Mach-O)


Because applications downloaded from the App Store are encrypted, we need some tools to decrypt the downloaded app, commonly known as "cracking the shell". This makes it easier to analyze the app's code structure later.

First of all, we need a jailbroken iPhone (jailbreaking is already very mature nowadays, and the specific jailbreak method is not covered here). Then go to Cydia and install three packages: OpenSSH, Cycript and iFile (iFile makes it easy to view log files when you debug the program).

PS: the author's phone is an iPhone 6 Plus, and the system version is iOS 9.1.

On the computer, download a fresh copy of WeChat using iTunes; the version I downloaded was 6.3.13. After the download, the app is shown in iTunes.

[Image: iTunes]

Connect the iPhone and install the WeChat app just downloaded with iTunes.

Open the Mac terminal and use SSH to log in to the connected iPhone (make sure the iPhone and the Mac are on the same network segment; the author's iPhone IP address is 192.168.8.54). The root password of OpenSSH defaults to alpine.

[Image: SSH]

Next we need to find WeChat's Bundle ID. Here I have a small trick: close all the apps on the iPhone except WeChat, and then enter the command ps -e.

[Image: WeChat bundle ID]

So we have found the exact path of WeChat's executable, WeChat. Next we need to find the path of WeChat's Documents directory using Cycript; enter the command cycript -p WeChat.

[Image: cycript]
  • Compile dumpdecrypted
    First jot down the two paths we've just got (Bundle and Documents); then we start using dumpdecrypted to crack the shell of the WeChat binary (WeChat).
    Download the latest dumpdecrypted source code from Github, enter the dumpdecrypted source directory, and compile dumpdecrypted.dylib with the following command:
[Image: dumpdecrypted.dylib]

Now we can see a dumpdecrypted.dylib file generated in the dumpdecrypted directory.

  • scp
    Copy dumpdecrypted.dylib to the iPhone; here we use the scp command.
    Format: scp <source file path> <destination file path>. As follows:
[Image: scp]
  • Crack the shell
    The usage of dumpdecrypted.dylib is: DYLD_INSERT_LIBRARIES=/PathFrom/dumpdecrypted.dylib /PathTo
[Image: dumpdecrypted]

This means the shell has been cracked successfully, and the cracked file, WeChat.decrypted, is generated in the current directory. Use the scp command again to copy WeChat.decrypted to the computer, and we have the decrypted WeChat executable ready to dump.

Dump WeChat executable file


  • Download the latest class-dump source code from Github, then compile it with Xcode to generate class-dump (this part is fairly simple, so I won't elaborate).
  • Export WeChat's header files
    Use the class-dump command on the freshly cracked WeChat.decrypted to export the header files:
    ./class-dump -s -S -H ./WeChat.decrypted -o ./header6.3-arm64
[Image: exported header files]

Now we can create a new Xcode project and add the newly exported header files to it, so that WeChat's related code can be searched easily.

[Image: WeChat header files]

Find the two files CMessageMgr.h and WCRedEnvelopesLogicMgr.h; in them we note two methods: - (void)AsyncOnAddMsg:(id)arg1 MsgWrap:(id)arg2; and - (void)OpenRedEnvelopesRequest:(id)arg1;. Yes, these are the two methods we will use to implement automatic red-envelope grabbing. The principle is simple: hook WeChat's new-message method, judge whether the message is a red-envelope message, and if it is, call WeChat's open-red-envelope method. That achieves the goal of grabbing red packets automatically. Ha ha, very simple, isn't it? Let's see how it works.

  • Create a new dylib project. Because Xcode does not support generating a dylib by default, we need to download iOSOpenDev. After installation (in an Xcode 7 environment you will be prompted that the iOSOpenDev installation failed; please refer to the iOSOpenDev installation guide, then reopen Xcode), you can see the iOSOpenDev option in the new-project options.
[Image: iOSOpenDev]
  • Dylib code
    Select Cocoa Touch Library, and we have a new dylib project, which we name autoGetRedEnv. Delete the autoGetRedEnv.h file, rename autoGetRedEnv.m to autoGetRedEnv.mm, and add CaptainHook.h to the project. Because WeChat will not load our hook code on its own, we need to write the hook logic in a constructor. The hook of WeChat's AsyncOnAddMsg:MsgWrap: method and its implementation are as follows:

    __attribute__((constructor)) static void entry(void);

    // hook CMessageMgr's AsyncOnAddMsg:MsgWrap: method
    CHDeclareClass(CMessageMgr);

    CHMethod(2, void, CMessageMgr, AsyncOnAddMsg, id, arg1, MsgWrap, id, arg2)
    {
        // call the original AsyncOnAddMsg:MsgWrap: method
        CHSuper(2, CMessageMgr, AsyncOnAddMsg, arg1, MsgWrap, arg2);

        // ... specific red-envelope grabbing logic (omitted here; logicMgr and params come from it) ...

        // call WeChat's native open-red-envelope method through objc_msgSend.
        // Note: the third parameter must be declared as NSMutableDictionary *,
        // otherwise the objc_msgSend call will not trigger opening the envelope.
        ((void (*)(id, SEL, NSMutableDictionary *))objc_msgSend)(logicMgr, @selector(OpenRedEnvelopesRequest:), params);
    }

    __attribute__((constructor)) static void entry(void)
    {
        // load the CMessageMgr class
        CHLoadLateClass(CMessageMgr);
        // hook AsyncOnAddMsg:MsgWrap:
        CHClassHook(2, CMessageMgr, AsyncOnAddMsg, MsgWrap);
    }

    The author has put all the code of the project on Github. After completing the implementation logic, you can build the dylib successfully.

Repackage WeChat App


  • Inject the dylib into WeChat's executable
    For our code to run after WeChat starts, we first need to add the dylib to WeChat. Here we use a dylib injection artifact, yololib: download the source code from the Internet and compile yololib. With yololib, a single command completes the injection. Before injecting, rename the previously saved WeChat.decrypted to WeChat, the cracked executable. The command format is:
    ./yololib <target executable> <dylib>
    When the injection succeeds, you can see the following information:
    [Image: dylib injection]
  • Create a new Entitlements.plist
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>application-identifier</key>
        <string>123456.com.autogetredenv.demo</string>
        <key>com.apple.developer.team-identifier</key>
        <string>123456</string>
        <key>get-task-allow</key>
        <true/>
        <key>keychain-access-groups</key>
        <array>
            <string>123456.com.autogetredenv.demo</string>
        </array>
    </dict>
    </plist>
    Here you may not know your certificate's Team ID and other information. Never mind, I have a trick: find an App (for example Demo) that was previously packaged with the developer certificate or enterprise certificate, and run the following command in the terminal to find the relevant information:
    ./ldid -e ./Demo.app/demo
  • Re-sign WeChat
    Next, copy the dylib we generated (libautoGetRedEnv.dylib) and the embedded.mobileprovision file (which can be found in a previously packaged App) into WeChat.app, and re-sign the dylib, the WeChat executable and WeChat.app. Command format: codesign -f -s <certificate name> <target file>. PS: the certificate name can be found in Keychain. Sign the relevant files in WeChat one by one with the codesign command; the specific steps are as follows:
    [Image: re-sign]
  • Package into an IPA
    After WeChat is re-signed, we can use xcrun to generate the IPA; the specific command is as follows:
    xcrun -sdk iphoneos PackageApplication -v WeChat.app -o ~/WeChat.ipa
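As an added example (not from the original tutorial or its Github project): a small Python inspector for the two load commands this procedure changes in the Mach-O header, the cryptid of LC_ENCRYPTION_INFO_64 (an App Store copy carries 1; dumpdecrypted writes a copy with 0) and the LC_LOAD_DYLIB list (yololib appends one entry). The same parse is what an integrity or tamper check can run over an installed binary to flag a non-system dylib; the sample header is constructed inline, with the dylib name taken from this post.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF            # little-endian 64-bit Mach-O (arm64)
LC_LOAD_DYLIB, LC_ENCRYPTION_INFO_64 = 0x0C, 0x2C
SYSTEM_PREFIXES = ("/System/", "/usr/lib/")

def load_commands(data):
    """Yield (cmd, raw_command_bytes) for every load command in the header."""
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from("<IiiIIIII", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    off = 32                        # sizeof(struct mach_header_64)
    for _ in range(ncmds):
        cmd, size = struct.unpack_from("<II", data, off)
        yield cmd, data[off:off + size]
        off += size

def linked_dylibs(data):
    """Paths of all LC_LOAD_DYLIB entries, in load order."""
    paths = []
    for cmd, raw in load_commands(data):
        if cmd == LC_LOAD_DYLIB:
            name_off = struct.unpack_from("<I", raw, 8)[0]   # dylib.name offset
            paths.append(raw[name_off:].split(b"\0", 1)[0].decode())
    return paths

def non_system_dylibs(data):
    # Anything outside /System and /usr/lib is where an injected library shows up.
    return [p for p in linked_dylibs(data) if not p.startswith(SYSTEM_PREFIXES)]

def crypt_id(data):
    """cryptid of LC_ENCRYPTION_INFO_64: 1 = FairPlay-encrypted, 0 = decrypted dump."""
    for cmd, raw in load_commands(data):
        if cmd == LC_ENCRYPTION_INFO_64:
            return struct.unpack_from("<I", raw, 16)[0]

def _dylib_cmd(path):
    # One LC_LOAD_DYLIB: 24-byte fixed part, then the path padded to 8-byte alignment.
    name = path.encode() + b"\0"
    size = (24 + len(name) + 7) & ~7
    fixed = struct.pack("<IIIIII", LC_LOAD_DYLIB, size, 24, 0, 0x10000, 0x10000)
    return fixed + name.ljust(size - 24, b"\0")

def build_sample():
    # Constructed header only (no segments): a dumped binary with one injected dylib.
    cmds = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, 0, 0)
    cmds += _dylib_cmd("/System/Library/Frameworks/UIKit.framework/UIKit")
    cmds += _dylib_cmd("@executable_path/libautoGetRedEnv.dylib")   # yololib-style
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 3, len(cmds), 0, 0)
    return header + cmds
```

To run it against a real executable, pass the file's bytes instead of build_sample() (for a fat binary, slice out the arm64 architecture first).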

Install WeChat with red envelopes


If all the above steps have been carried out successfully, everything is ready except one last thing.

We can use the iTools tool to install the modified WeChat on the iPhone (the iPhone's Device ID needs to be added to the certificate).

[Image: iTools]

Accomplished!!


Now let's take a look at the effect of the hooked WeChat grabbing red packets ~!

[Image: automatically grabbing red packets]

Ha ha, do you think it's cool? "Mom, don't worry, I'm grabbing red packets." If you are interested, you can go on to hook other WeChat functions, both to consolidate what you've learned and to meet your own special (show-off) requirements.

The tools and source code involved in the tutorial have been uploaded to Github.
Github address

Special thanks to:
1. iOS: A Song of Ice and Fire (author: steamed rice)
2. iOS App Reverse Engineering