
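Decompilation is a crime. This article is for technical study only and does not provide the code produced by reverse engineering.
Studying decompilation can improve an app's security and keep others from decompiling your own app.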

Reverse Engineering, Part 2: WeChat Red Packet Grabbing

WeChat version: WeChat 6.5.20
(The ASLR offsets are calculated for this version; the offset addresses differ between versions.)

First, a look at what WeChat looked like after the modification

I. Decrypt the app binary and dump the headers

  1. Find the bundle path:
    Log in to the iPhone and look at the WeChat process information

    ssh root@192.168.2.24
    ps -e | grep WeChat    
    

    Get the WeChat bundle path from the process information

     3079 ?? 0:41.37 /var/containers/Bundle/Application/26F5C9BE-61AB-468F-B2E8-9AC2DBD49F40/WeChat.app/WeChat
    
  2. Get the sandbox path:
    Use cycript to get WeChat's sandbox path. If the cy# prompt does not appear, tap to open WeChat:

    cycript -p WeChat
    

    After injecting into the WeChat process, NSHomeDirectory() prints the sandbox path

    cy# NSHomeDirectory()
    @"/var/mobile/Containers/Data/Application/0A361401-3880-4C73-862A-8E06F4B7328D"
    cy# 
    
  3. Download the dumpdecrypted decryption tool and build it into a dylib

    Clone the source and build it to produce dumpdecrypted.dylib

    git clone https://github.com/stefanesser/dumpdecrypted.git
    cd dumpdecrypted
    make
    
  4. Inject into WeChat to obtain the decrypted binary

    Copy dumpdecrypted.dylib to the iPhone with scp

    scp dumpdecrypted.dylib root@192.168.2.24:/tmp
    

    On the iPhone, go to the Documents directory of the WeChat sandbox and copy dumpdecrypted.dylib into it

    cd /var/mobile/Containers/Data/Application/0A361401-3880-4C73-862A-8E06F4B7328D/Documents
    cp /tmp/dumpdecrypted.dylib .
    

    Using the WeChat executable inside the bundle path obtained above, inject into WeChat. Note: if the output is Killed: 9, switch to the mobile user

```
su mobile
DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/containers/Bundle/Application/26F5C9BE-61AB-468F-B2E8-9AC2DBD49F40/WeChat.app/WeChat
```
Output:

```
mach-o decryption dumper

DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.

[+] detected 64bit ARM binary in memory.
[+] offset to cryptid found: @0x10006cca8(from 0x10006c000) = ca8
[+] Found encrypted data at address 00004000 of length 52396032 bytes - type 1.
[+] Opening /private/var/containers/Bundle/Application/26F5C9BE-61AB-468F-B2E8-9AC2DBD49F40/WeChat.app/WeChat for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a plain MACH-O image
[+] Opening WeChat.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset ca8
[+] Closing original file
[+] Closing dump file

```
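When the output above finishes, there is a `WeChat.decrypted` file in the Documents directory.

  5. Get the headers
    On the Mac, copy the decrypted WeChat binary from the iPhone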

    scp root@192.168.2.24:/var/mobile/Containers/Data/Application/0A361401-3880-4C73-862A-8E06F4B7328D/Documents/WeChat.decrypted . 
    
    root@192.168.2.24's password: 
    WeChat.decrypted                                                      100%   63MB   2.1MB/s   00:30  
    

    Use class-dump to dump all of the WeChat headers into the WXHeaders directory

    class-dump -s -S -H WeChat.decrypted -o WXHeaders/
    
  6. Get the WeChat bundle id: com.tencent.xin
    View the signature information: codesign -dvvv WeChat.decrypted

    Executable=/Users/leaf/yy/project/redpocket/WeChat.decrypted
    Identifier=com.tencent.xin
    Format=Mach-O thin (arm64)
    CodeDirectory v=20200 size=511951 flags=0x0(none) hashes=15991+5 location=embedded
    Hash type=sha256 size=32
    CandidateCDHash sha1=5640d0abb3945378afd4a6b90dfc5aab4010e268
    CandidateCDHash sha256=f664c1dd6fc1d17f04fd4f268fa2872f04316a7b
    Hash choices=sha1,sha256
    CDHash=f664c1dd6fc1d17f04fd4f268fa2872f04316a7b
    Signature size=4297
    Authority=Apple iPhone OS Application Signing
    Authority=Apple iPhone Certification Authority
    Authority=Apple Root CA
    Info.plist=not bound
    TeamIdentifier=88L2Q4487U
    Sealed Resources=none
    Internal requirements count=1 size=96
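
The dumpdecrypted log above ends by setting `LC_ENCRYPTION_INFO->cryptid` to 0. As an added example (not code from the original article), this Python reader pulls that field out of a thin Mach-O so a defender can check whether a copy of their App Store binary is still encrypted or is a decrypted dump. The function names are this example's own, and the sample header is constructed using the `cryptoff` and length values printed in the log.

```python
import struct
from typing import NamedTuple, Optional

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
# Fat headers are big-endian on disk, so a little-endian read sees them byte-swapped.
FAT_MAGICS_AS_LE = {0xBEBAFECA, 0xBFBAFECA}
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C


class EncryptionInfo(NamedTuple):
    cryptoff: int        # file offset of the encrypted range
    cryptsize: int       # length of the encrypted range in bytes
    cryptid: int         # 0 = not encrypted, non-zero = encrypted
    cryptid_offset: int  # file offset of the cryptid field itself


def read_encryption_info(data: bytes) -> Optional[EncryptionInfo]:
    """Return the LC_ENCRYPTION_INFO(_64) fields of a thin little-endian Mach-O."""
    if len(data) < 28:
        raise ValueError("too short for a Mach-O header")
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic in FAT_MAGICS_AS_LE:
        raise ValueError("fat binary: extract one slice first (lipo -thin)")
    if magic == MH_MAGIC_64:
        header_size = 32
    elif magic == MH_MAGIC:
        header_size = 28
    else:
        raise ValueError(f"not a little-endian Mach-O (magic {magic:#x})")
    # mach_header: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    end = header_size + sizeofcmds
    if end > len(data):
        raise ValueError("load commands run past the end of the data")
    offset = header_size
    for _ in range(ncmds):
        if offset + 8 > end:
            raise ValueError("truncated load command")
        cmd, cmdsize = struct.unpack_from("<II", data, offset)
        if cmdsize < 8 or offset + cmdsize > end:
            raise ValueError("bad cmdsize in load command")
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            if cmdsize < 20:
                raise ValueError("encryption info command too small")
            # Layout after cmd/cmdsize: cryptoff, cryptsize, cryptid
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, offset + 8)
            return EncryptionInfo(cryptoff, cryptsize, cryptid, offset + 16)
        offset += cmdsize
    return None


def describe(info: Optional[EncryptionInfo]) -> str:
    """One-word verdict for a report or CI log."""
    if info is None:
        return "no encryption info"
    return "decrypted" if info.cryptid == 0 else "encrypted"


def build_sample(cryptid: int) -> bytes:
    """Constructed sample: arm64 header, one dummy segment command, one encryption command."""
    segment = struct.pack("<II", 0x19, 72) + bytes(64)          # LC_SEGMENT_64, zeroed body
    encryption = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24,
                             0x4000, 52396032, cryptid, 0)      # values from the log above
    commands = segment + encryption
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, 0x0100000C, 0, 2,
                         2, len(commands), 0, 0)
    return header + commands


if __name__ == "__main__":
    for label, blob in (("store copy", build_sample(1)), ("dumped copy", build_sample(0))):
        info = read_encryption_info(blob)
        print(label, describe(info), info)
```

Development and ad hoc builds are also `cryptid` 0, so the check is only meaningful for a binary that claims to be the App Store release.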
    

WeChat settings page

II. Create the Tweak project

  1. Run Theos: /opt/theos/bin/nic.pl

  2. Choose tweak, then enter the relevant information:

    // Project name
    Project Name (required): redpocket
    // Package name of the project, i.e. its bundle id
    Package Name [com.yourcompany.demo]: cc.onezen.redpocket
    // Developer name
    Author/Maintainer Name [wz]: wz
    // Bundle id of the process to inject into
    [iphone/tweak] MobileSubstrate Bundle filter [com.apple.springboard]: com.tencent.xin
    // Name of the process to restart after the deb package is installed
    [iphone/tweak] List of applications to terminate upon installation (space-separated, '-' for none) [SpringBoard]: WeChat
    Instantiating iphone/tweak in demo/...
    Done.
    
  3. Configure the Makefile

    # DEBUG = 0 builds a release package
    DEBUG = 0
    # IP address of the iPhone
    THEOS_DEVICE_IP = 192.168.2.24
    # CPU architectures this package supports
    ARCHS = armv7 arm64
    # Supported iOS version
    TARGET = iphone:latest:8.0
    include $(THEOS)/makefiles/common.mk

    TWEAK_NAME = redpocket
    redpocket_FILES = Tweak.xm
    # Frameworks to link
    redpocket_FRAMEWORKS = UIKit
    include $(THEOS_MAKE_PATH)/Tweak.mk
    
    after-install::
        install.exec "killall -9 WeChat"
    clean::
        rm -rf ./packages/*
        rm -rf ./.theos/*
    

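So far it implements mass messaging with no limit on the number of recipients, automatic verification, automatic restoring of friends, and cleaning up people who have deleted me. More features may be implemented in the future.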

III. Locate the view

  1. Install Reveal: install the Mac client, and install Reveal Loader on the iPhone through Cydia
  2. Through cycript

Inject: cycript -p WeChat

Print the view hierarchy with recursiveDescription

[[UIApp keyWindow] recursiveDescription].toString()

Dot syntax:
UIApp.keyWindow.recursiveDescription().toString()

Simplified output:
[[UIApp keyWindow] _autolayoutTrace].toString()

Output:


Find a UIView under a ViewController: <UIView: 0x12f09d930; frame = (0 0; 320 568); autoresize = W+H; layer = <CALayer: 0x12f2567e0>>, and look at its next responder

cy#  [#0x12f09d930 nextResponder]
#"<BaseMsgContentViewController: 0x12e2f1600>"

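IV. Locate the message-handling method of BaseMsgContentViewController

  1. Make every method in the BaseMsgContentViewController header print a log message when it is triggered

    /opt/theos/bin/logify.pl ./WXHeaders/BaseMsgContentViewController.h > Tweak.xm

  2. Build and install
    Comment out the //- (void).cxx_destruct { %log; %orig; } method, and during compilation comment out every method that reports an error; the main cause of the errors is that header files cannot be found.

  3. After a successful install, look at the log output

    Send a message and locate the methods related to messages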

    -[<BaseMsgContentViewController: 0x137904600> addMessageNode:{m_uiMesLocalID=15, m_ui64MesSvrID=4691907035794540423, m_nsFromUsr=wxi*m21~19, m_nsToUsr=wxi*712~19, m_uiStatus=4, type=1, msgSource="<msgsource><sequence_id>690750074</sequence_id></msgsource>"}  layout:1 addMoreMsg:0]
    
    -[<BaseMsgContentViewController: 0x137904600> addTimeNode:{m_uiMesLocalID=15, m_ui64MesSvrID=4691907035794540423, m_nsFromUsr=wxi*m21~19, m_nsToUsr=wxi*712~19, m_uiStatus=4, type=1, msgSource="<msgsource><sequence_id>690750074</sequence_id></msgsource>"}  layout:1 addMoreMsg:0]

    -[<BaseMsgContentViewController: 0x137904600> isShowHeadImage:{m_uiMesLocalID=15, m_ui64MesSvrID=4691907035794540423, m_nsFromUsr=wxi*m21~19, m_nsToUsr=wxi*712~19, m_uiStatus=4, type=1, msgSource="<msgsource><sequence_id>690750074</sequence_id></msgsource>"} ]

    -[<BaseMsgContentViewController: 0x137904600> getMessageChatContactByMessageWrap:{m_uiMesLocalID=15, m_ui64MesSvrID=4691907035794540423, m_nsFromUsr=wxi*m21~19, m_nsToUsr=wxi*712~19, m_uiStatus=4, type=1, msgSource="<msgsource><sequence_id>690750074</sequence_id></msgsource>"}

From the log output it is easy to conclude that `addMessageNode` is the method we are looking for

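Installing the tools

Before doing any decompiling, first install the various tools. Some are installed on the Mac and some on the phone. There are plenty of tutorials online for installing them; a quick Baidu search will show you how.

| Tool | Purpose |
| --- | --- |
| class_dump | Extracts all header files from an executable |
| Theos | Development tool for hook code |
| Hopper Disassembler | Disassembler |
| xcode | Installs the IPA onto the phone |
| Clutch | Decrypts the app binary |
| dumpdecrypted | Decrypts the app binary (option 2) |
| insert_dylib | Injects a dynamic library |
| install_name_tool | Changes a dynamic library's path |
| optool | Checks whether the dynamic library was injected successfully |
| CydiaSubstrate | A dynamic library on jailbroken phones |
| debugserver | Debugging tool on the phone |
| lldb | Debugging tool on the Mac |
| iOS App Signer | Re-signs and packages |
| ldid | Re-signing tool (option 2) |
| openSSH | Remote login to the phone |
| cydia | Tool on the phone after jailbreaking |
| syslogd | Writes logs; only available on iOS 8 |
| cycript | Dynamic debugging tool |
| logify.pl | Generates the initial hook code |

As you can see, there are a lot of tools, and they have to be installed one by one, which is tedious; it took me 2 days at the time. The online tutorials are very detailed, so I won't describe the installation here. Some can only be installed from Cydia on a jailbroken phone, and some can be installed directly on the Mac. I have bundled all of the tools that can be installed directly on the Mac, and they can be downloaded here:
Decompilation tool collection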

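V. Dynamic debugging with lldb

  1. Connect the iPhone to Xcode; the debugserver debugging tool is created automatically on iOS under /Developer/usr/bin/

  2. Thin and re-sign debugserver, then put it in the iPhone's /usr/bin/ directory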

    # Copy debugserver to the Mac
    scp root@192.168.2.24:/Developer/usr/bin/debugserver .

    # Check the supported architectures
    lipo -info debugserver
    Architectures in the fat file: debugserver are: armv7 armv7s arm64

    # Thin the binary
    lipo -thin arm64 debugserver -output debugserver.arm64

    # Use ldid to add the task_for_pid entitlement
    vi ent.xml
    # Add the following content
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
            <key>com.apple.springboard.debugapplications</key>
            <true/>
            <key>get-task-allow</key>
            <true/>
            <key>task_for_pid-allow</key>
            <true/>
            <key>run-unsigned-code</key>
            <true/>
    </dict>
    </plist>

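    # Apply the change (ldid takes the entitlements file attached directly to -S, with no space)
    ldid -Sent.xml debugserver.arm64
    # View the entitlements after the change
    ldid -e debugserver.arm64

    # Use codesign to add the task_for_pid entitlement
    vim ent.plist
    codesign -s - --entitlements ent.plist -f debugserver.arm64

    # Set up the debugserver command
    cp debugserver.arm64 /usr/local/Cellar
    ln -s /usr/local/Cellar/debugserver.arm64 /usr/local/bin/debugserver
    scp debugserver.arm64 root@192.168.2.24:/usr/bin/

    # Rename debugserver on the iPhone
    mv /usr/bin/debugserver.arm64 /usr/bin/debugserver

  3. Start debugging (goal: find the class that receives messages, not restricted to any page; a singleton)
    Start the server on the iPhone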

    debugserver *:6666 -a "WeChat"
    

    Connect lldb on the Mac to debugserver

    lldb
    (lldb) process connect connect://192.168.2.24:6666  // note: the IP and port must match the ones configured
    

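    Debugging commands

     # List all breakpoints
     br list

     # Add: the address after -a is the symbol base address after the offset
     br s -a '0x00000000000a4000+0x0000000101c8bf4c'

     # Delete: by the number shown in br list
     br delete 1

     # Set
     b function
     br s -a address
     br s -a 'ASLROffset+address'

     # Continue running
     c

     # Wait for the breakpoint to trigger
     bt

  4. Calculate addresses

    Address calculation logic

    module base address after the offset      = module base address before the offset      + ASLR offset of the module
    instruction base address after the offset = instruction base address before the offset + ASLR offset of the module containing the instruction
    symbol base address after the offset      = symbol base address before the offset      + ASLR offset of the module containing the symbol


    View the ASLR offset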

    (lldb) image list -o -f | grep WeChat
    [  0] 0x00000000000a4000 /var/containers/Bundle/Application/26F5C9BE-61AB-468F-B2E8-9AC2DBD49F40/WeChat.app/WeChat(0x00000001000a4000)
    

    Use Hopper to look up the base address of the addMessageNode function

    -[BaseMsgContentViewController addMessageNode:layout:addMoreMsg:]:
    0000000101c8bf4c         db  0xff ; '.' ; Objective C Implementation defined at 0x103863320 (instance)
    0000000101c8bf4d         db  0xc3 ; '.'
    0000000101c8bf4e         db  0x05 ; '.'
    

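    symbol base address after the offset = 0x00000000000a4000 + 0x0000000101c8bf4c

  5. Debug WeChat sending a message
    lldb
    Add the first breakpoint: br s -a '0x00000000000a4000+0x0000000101c8bf4c'
    Note: the breakpoint is hit repeatedly while entering a friend's chat screen, so delete the breakpoint while entering and add it again afterwards.

    After a message is sent, the breakpoint stops execution. Then use bt to view the stack, and finally c to continue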

    (lldb) bt
    * thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 2.1
      * frame #0: 0x0000000101d2ff4c WeChat`ClearDataItem::compareTime(std::__1::shared_ptr<ClearDataItem> const&, std::__1::shared_ptr<ClearDataItem> const&) + 4127552
        frame #1: 0x0000000101f999ec WeChat`ClearDataItem::compareTime(std::__1::shared_ptr<ClearDataItem> const&, std::__1::shared_ptr<ClearDataItem> const&) + 6657504
        frame #2: 0x0000000101f83310 WeChat`ClearDataItem::compareTime(std::__1::shared_ptr<ClearDataItem> const&, std::__1::shared_ptr<ClearDataItem> const&) + 6565636
        frame #3: 0x0000000104464ce8 MMCommon`_callExtension + 480
        frame #4: 0x00000001027e35fc WeChat`ClearDataItem::compareTime(std::__1::shared_ptr<ClearDataItem> const&, std::__1::shared_ptr<ClearDataItem> const&) + 15348208
        frame #5: 0x0000000182f1002c Foundation`__NSThreadPerformPerform + 340
        frame #6: 0x00000001824f109c CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 24
        frame #7: 0x00000001824f0b30 CoreFoundation`__CFRunLoopDoSources0 + 540
        frame #8: 0x00000001824ee830 CoreFoundation`__CFRunLoopRun + 724
        frame #9: 0x0000000182418c50 CoreFoundation`CFRunLoopRunSpecific + 384
        frame #10: 0x0000000183d00088 GraphicsServices`GSEventRunModal + 180
        frame #11: 0x0000000187702088 UIKit`UIApplicationMain + 204
        frame #12: 0x0000000100180488 WeChat`_mh_execute_header + 902280
        frame #13: 0x0000000181fb68b8 libdyld.dylib`start + 4
    (lldb) c
    Process 2013 resuming
    (lldb) 
    

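    The stack shows four entries related to WeChat
    Calculate the addresses of the four entries:

    symbol base address after the offset = ASLR offset of the module containing the symbol + symbol base address before the offset
    frame #0: 0x0000000101d2ff4c    =>  0x00000000000a4000 + 0x0000000101c8bf4c
    frame #1: 0x0000000101f999ec    =>  0x00000000000a4000 + ?
    symbol base address before the offset = symbol base address after the offset - ASLR offset of the module containing the symbol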
    frame #1: 0x0000000101f999ec    =>  0x00000000000a4000 + (0x101EF59EC)
    frame #2: 0x0000000101f83310    =>  0x00000000000a4000 + (0x101EDF310)
    frame #4: 0x00000001027e35fc    =>  0x00000000000a4000 + (0x10273F5FC)
    

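    Use Hopper and the calculated addresses (symbol base address before the offset) to look up the related methods. In Hopper, press the shortcut key G to jump to an address. What you look at is not the exact address itself but the location that address relates to.

    0x101EF59EC: (internal method)
    0000000101ef5964 adrp x24, #0x102f0f000; XREF=-[BaseMsgContentLogicController DidAddMsg:]+328

    0x101EDF310:
    0000000101edf310 adrp x8, #0x103b7c000; XREF=-[BaseMsgContentLogicController OnAddMsg:MsgWrap:]+336

    0x10273F5FC: (related)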
     -[CMessageMgr MainThreadNotifyToExt:]:
    

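    Continue adding breakpoints in lldb; this time set the breakpoints on the friends list page.

    0x0000000101d2ff4c:
    Effective on the friend chat page, ruled out!

    0x0000000101f999ec:
    Effective on the friend chat page, ruled out!

    0x0000000101f83310:
    Effective on the friend chat page, ruled out!

    0x00000001027e35fc:
    Effective on any page, found it!


    From the analysis above, it is the [CMessageMgr MainThreadNotifyToExt:] method. Next we hook all methods in the CMessageMgr class to find the method that receives messages.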

    ➜  WXHeaders ls -ll *CMessageMgr*
    -rw-r--r--  1 wz  staff  17573  9 28 10:08 CMessageMgr.h
    
    /opt/theos/bin/logify.pl CMessageMgr.h > ../Tweak.xm 
    

    Related methods found in the log:

    [<CMessageMgr: 0x127ab9570> CheckMessageStatus:]
    [<CMessageMgr: 0x127ab9570> AsyncOnPreAddMsg:]
    [<CMessageMgr: 0x127ab9570> AsyncOnAddMsg:]
    [<CMessageMgr: 0x127ab9570> AsyncOnPushMsg:]
    [<CMessageMgr: 0x127ab9570> AsyncOnAddMsgListForSession:]
    

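    Pick the method [<CMessageMgr: 0x127ab9570> AsyncOnAddMsg:], print its argument types, remove the methods that are not needed, and keep the useful ones.

```
%hook CMessageMgr

- (void)AsyncOnAddMsg:(id)arg1 MsgWrap:(id)arg2 {
    //%log;
    %orig;
    // Print the class and value of each argument
    NSLog(@"arg1: %@,  %@", [arg1 class], arg1);
    NSLog(@"arg2: %@,  %@", [arg2 class], arg2);
}

%end
```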

Output:

```
Sep 29 15:02:44 iPhone WeChat[2394] <Warning>: arg1: __NSCFString,  wxid_y9bs6i3qil6m21
Sep 29 15:02:44 iPhone WeChat[2394] <Warning>: arg2: CMessageWrap,  {m_uiMesLocalID=28, m_ui64MesSvrID=3324982937891416074, m_nsFromUsr=wxi*m21~19, m_nsToUsr=wxi*712~19, m_uiStatus=3, type=1, msgSource="<msgsource><sequence_id>690750088</sequence_id></msgsource>"} 
```

Analyze the CMessageWrap message header; testing leads to the following conclusions:

```
@interface CMessageWrap : NSObject // superclass is not shown on the page; NSObject is assumed for this stub declaration
@property(nonatomic) _Bool m_bCdnForward; // @synthesize m_bCdnForward;
@property(nonatomic) _Bool m_bForward; // @synthesize m_bForward;
@property(nonatomic) _Bool m_bIsBrandSendMass; // @synthesize m_bIsBrandSendMass;
@property(nonatomic) _Bool m_bIsFromBrandSession; // @synthesize m_bIsFromBrandSession;
@property(nonatomic) _Bool m_bIsSplit; // @synthesize m_bIsSplit;
@property(nonatomic) _Bool m_bNew; // @synthesize m_bNew;
@property(nonatomic) unsigned int m_bReceiveMessageSwitchStatus; // @synthesize m_bReceiveMessageSwitchStatus;
@property(retain, nonatomic) NSString *m_bizMsgMenuID; // @synthesize m_bizMsgMenuID;
@property(retain, nonatomic) NSMutableDictionary *m_dicForwardParas; // @synthesize m_dicForwardParas=_m_dicForwardParas;
@property(retain, nonatomic) NSData *m_dtThumbnail; // @synthesize m_dtThumbnail;
@property(nonatomic) unsigned int m_forwardType; // @synthesize m_forwardType=_m_forwardType;
@property(nonatomic) _Bool m_isEnterpriseMsg; // @synthesize m_isEnterpriseMsg;
@property(nonatomic) _Bool m_isTempSessionMsg; // @synthesize m_isTempSessionMsg;
@property(nonatomic) long long m_n64MesSvrID; // @synthesize m_n64MesSvrID;
@property(retain, nonatomic) NSString *m_nsAtUserList; // @synthesize m_nsAtUserList;
@property(retain, nonatomic) NSString *m_nsBizChatId; // @synthesize m_nsBizChatId;
@property(retain, nonatomic) NSString *m_nsBizClientMsgID; // @synthesize m_nsBizClientMsgID;
@property(retain, nonatomic) NSString *m_nsContent; // @synthesize m_nsContent;
@property(retain, nonatomic) NSString *m_nsDisplayName; // @synthesize m_nsDisplayName;
@property(retain, nonatomic) NSString *m_nsFromUsr; // @synthesize m_nsFromUsr;
@property(retain, nonatomic) NSString *m_nsKFWorkerOpenID; // @synthesize m_nsKFWorkerOpenID;
@property(retain, nonatomic) NSString *m_nsMsgSource; // @synthesize m_nsMsgSource;
@property(retain, nonatomic) NSString *m_nsPattern; // @synthesize m_nsPattern;
@property(retain, nonatomic) NSString *m_nsPushBody; // @synthesize m_nsPushBody;
@property(retain, nonatomic) NSString *m_nsPushContent; // @synthesize m_nsPushContent;
@property(retain, nonatomic) NSString *m_nsPushPrefix; // @synthesize m_nsPushPrefix;
@property(retain, nonatomic) NSString *m_nsPushTitle; // @synthesize m_nsPushTitle;
@property(retain, nonatomic) NSString *m_nsRealChatUsr; // @synthesize m_nsRealChatUsr;
@property(retain, nonatomic) NSString *m_nsToUsr; // @synthesize m_nsToUsr;
@property(nonatomic) unsigned int m_sequenceId; // @synthesize m_sequenceId;
@property(nonatomic) unsigned int m_uiBizChatVer; // @synthesize m_uiBizChatVer;
@property(nonatomic) unsigned int m_uiCreateTime; // @synthesize m_uiCreateTime;
@property(nonatomic) unsigned int m_uiDownloadStatus; // @synthesize m_uiDownloadStatus;
@property(nonatomic) unsigned int m_uiEmojiStatFlag; // @synthesize m_uiEmojiStatFlag;
@property(nonatomic) unsigned int m_uiImgStatus; // @synthesize m_uiImgStatus;
@property(nonatomic) unsigned int m_uiMesLocalID; // @synthesize m_uiMesLocalID;
@property(nonatomic) int m_uiMessageType; // @synthesize m_uiMessageType;
@property(nonatomic) unsigned int m_uiMsgFlag; // @synthesize m_uiMsgFlag;
@property(nonatomic) unsigned int m_uiPercent; // @synthesize m_uiPercent;
@property(nonatomic) unsigned int m_uiSendTime; // @synthesize m_uiSendTime;
@property(nonatomic) unsigned int m_uiStatus; // @synthesize m_uiStatus;
@end


%hook CMessageMgr

- (void)AsyncOnAddMsg:(NSString *)wxid MsgWrap:(CMessageWrap *)msg {

    NSString *content = [msg m_nsContent];
    NSString *fromUsr = [msg m_nsFromUsr];
    NSString *toUsr = [msg m_nsToUsr];
    int messageType = [msg m_uiMessageType];

    NSLog(@"content: %@", content);
    NSLog(@"fromUsr: %@", fromUsr);
    NSLog(@"toUsr: %@", toUsr);
    NSLog(@"messageType: %d", messageType);

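    if (messageType == 1)
    {
        NSLog(@"文本消息");            // text message
    }else if (messageType == 3)
    {
        NSLog(@"图片消息");            // image message
    }else if (messageType == 48)
    {
        NSLog(@"位置消息");            // location message
    }else if (messageType == 49)
    {
        NSLog(@"红包消息、转账消息");  // red envelope or transfer message
    }else{
        NSLog(@"未知");                // unknown
    }

    %orig;  // call through to the original implementation

}

%end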
```

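Partial reverse-engineering approach

First spend a few days getting familiar with these tools; what follows assumes you already know how to use them.

6. Red-envelope-related methods

Tap a red envelope to bring up the open-envelope page, then inspect the view hierarchy with cycript:

```
iPhone:~ root# cycript -p WeChat
cy# [[UIApp keyWindow] _autolayoutTrace].toString()
```

View hierarchy of the red envelope page: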

```
|   WCRedEnvelopesReceiveHomeView:0x1301296d0
|   |   UIButton:0x1301298c0
|   |   UIImageView:0x12fd566c0
|   |   |   UIView:0x130237de0
|   |   |   UIView:0x130240a70
|   |   |   UIImageView:0x13021d600
|   |   |   UIView:0x13021bad0
|   |   |   |   UIView:0x13023d320
|   |   |   |   UIView:0x13021d1c0
|   |   |   |   UIImageView:0x1302418d0
|   |   |   |   UIImageView:0x13021ed80
|   |   |   |   UIButton:0x13022fe50
|   |   |   UIView:0x1302251f0
|   |   |   |   MMHeadImageView:0x1302328c0
|   |   |   |   |   MMUILongPressImageView:0x1302249a0
|   |   |   |   |   UIImageView:0x1302309c0
|   |   |   MMUILabel:0x1302412f0'\u591c\u8fb0'
|   |   |   MMUILabel:0x13021f740'\u7ed9\u4f60\u53d1\u4e86\u4e00\u4e2a\u7ea2\u5305'
|   |   |   MMUILabel:0x1302436e0'\u8be5\u7ea2\u5305\u5df2\u8d85\u8fc724\u5c0f\u65f6\u3002\u5982\u5df2\u9886\u53d6\uff0c\u53ef\u5728\u201c\u6211\u7684\u7ea2\u5305\u201d\u4e2d...'
|   |   |   UIButton:0x13012d3f0
|   |   |   UIButton:0x13012d690
|   |   |   |   UIImageView:0x13012ddb0
|   |   |   UIImageView:0x13012adf0
|   |   |   UIImageView:0x13012b0b0
```

Debug the WCRedEnvelopesReceiveHomeView page by generating logging hooks from its header with logify.pl:

```
/opt/theos/bin/logify.pl WXHeaders/WCRedEnvelopesReceiveHomeView.h > Tweak.xm
```

Log:

```
Oct 20 10:50:22 iPhone WeChat[3235] <Notice>: [redpocket] Tweak.xm:8 DEBUG: -[<WCRedEnvelopesReceiveHomeView: 0x13720c6d0> initWithFrame:-- andData:<WCRedEnvelopesControlData: 0x13742e5b0> delegate:<WCRedEnvelopesReceiveControlLogic: 0x13719a0c0>]
Oct 20 10:50:22 iPhone WeChat[3235] <Notice>: [redpocket] Tweak.xm:13 DEBUG: -[<WCRedEnvelopesReceiveHomeView: 0x13720c6d0> refreshViewWithData:<WCRedEnvelopesControlData: 0x13742e5b0>]
Oct 20 10:50:22 iPhone WeChat[3235] <Notice>: [redpocket] Tweak.xm:16 DEBUG: -[<WCRedEnvelopesReceiveHomeView: 0x13720c6d0> shouldShowDetailButtonWithIsSender:0 Type:0 ReceiveStutus:0 envelopeStutus:2 data:<WCRedEnvelopesControlData: 0x13742e5b0>]
Oct 20 10:50:22 iPhone WeChat[3235] <Notice>: [redpocket] Tweak.xm:16 DEBUG:  = 0
Oct 20 10:50:22 iPhone WeChat[3235] <Notice>: [redpocket] Tweak.xm:15 DEBUG: -[<WCRedEnvelopesReceiveHomeView: 0x13720c6d0> shouldShowBottomDescriptionWithType:0 envelopeStutus:2]
Oct 20 10:50:22 iPhone WeChat[3235] <Notice>: [redpocket] Tweak.xm:15 DEBUG:  = 0
Oct 20 10:50:22 iPhone WeChat[3235] <Notice>: [redpocket] Tweak.xm:8 DEBUG:  = <WCRedEnvelopesReceiveHomeView: 0x13720c6d0; frame = (0 0; 320 568); clipsToBounds = YES; layer = <CALayer: 0x1370e6d30>>
Oct 20 10:50:22 iPhone WeChat[3235] <Notice>: [redpocket] Tweak.xm:17 DEBUG: -[<WCRedEnvelopesReceiveHomeView: 0x13720c6d0> showAnimation]
```

Calls made after the envelope is tapped open:

```
Oct 20 10:50:25 iPhone WeChat[3235] <Notice>: [redpocket] Tweak.xm:5 DEBUG: -[<WCRedEnvelopesReceiveHomeView: 0x13720c6d0> OnOpenRedEnvelopes]
Oct 20 10:50:25 iPhone WeChat[3235] <Notice>: [redpocket] Tweak.xm:19 DEBUG: -[<WCRedEnvelopesReceiveHomeView: 0x13720c6d0> startReceiveAnimation]
Oct 20 10:50:26 iPhone WeChat[3235] <Notice>: [redpocket] Tweak.xm:18 DEBUG: -[<WCRedEnvelopesReceiveHomeView: 0x13720c6d0> showSuccessOpenAnimation]
Oct 20 10:50:26 iPhone WeChat[3235] <Notice>: [redpocket] Tweak.xm:14 DEBUG: -[<WCRedEnvelopesReceiveHomeView: 0x13720c6d0> removeView]
```

Careful analysis yields a few data-related methods; the rest are mostly UI-related.

```
// Initializes a red envelope view from WCRedEnvelopesControlData and WCRedEnvelopesReceiveControlLogic
-[<WCRedEnvelopesReceiveHomeView: 0x1370974c0> initWithFrame:-- andData:<WCRedEnvelopesControlData: 0x136cddbf0> delegate:<WCRedEnvelopesReceiveControlLogic: 0x136f4c9b0>]

// Refreshes the UI from WCRedEnvelopesControlData
-[<WCRedEnvelopesReceiveHomeView: 0x1370974c0> refreshViewWithData:<WCRedEnvelopesControlData: 0x136cddbf0>]

// The open-envelope action
-[<WCRedEnvelopesReceiveHomeView: 0x13720c6d0> OnOpenRedEnvelopes]
```

The open-envelope action is the one we need, so let's go: disassemble OnOpenRedEnvelopes with Hopper.

Header and hook:

```
// Only the two ivars read by the hook are declared here
@interface WCRedEnvelopesReceiveHomeView{
     id m_delegate;
     NSDictionary *m_dicBaseInfo;
}
@end

%hook WCRedEnvelopesReceiveHomeView

- (void)OnOpenRedEnvelopes { 
    %log;
    //%orig; 
    // Dump every key/value pair of the m_dicBaseInfo ivar
    NSDictionary *dict = MSHookIvar<NSDictionary *>(self, "m_dicBaseInfo");
    NSArray *arr = [dict allKeys];
    for(NSInteger i=0; i<arr.count; i++){
        NSString *key = arr[i];
        id value = [dict valueForKey:key];
        NSLog(@"key : %@   value : %@", key, value);
    }
    // Log the class of the delegate that receives the open-envelope callback
    id delegate = MSHookIvar<id>(self, "m_delegate");
    NSLog(@"m_delegate class is %@ ", [delegate class]);
 }


%end
```

Log output:

```
Oct 20 15:21:19 iPhone WeChat[3282] <Notice>: [redpocket] Tweak.xm:25 DEBUG: -[<WCRedEnvelopesReceiveHomeView: 0x15e8b0510> OnOpenRedEnvelopes]
Oct 20 15:21:19 iPhone WeChat[3282] <Warning>:Oct 20 15:21:19 iPhone WeChat[3282] <Warning>: key : watermark   value : 
Oct 20 15:21:19 iPhone WeChat[3282] <Warning>: key : sendUserName   value : wxid_y9bs6i3qil6m21
Oct 20 15:21:19 iPhone WeChat[3282] <Warning>: key : timingIdentifier   value : C2E51DAD13A971F9E5C3EC016C9CA2E7
Oct 20 15:21:19 iPhone WeChat[3282] <Warning>: key : hbStatus   value : 2
Oct 20 15:21:19 iPhone WeChat[3282] <Warning>: key : receiveStatus   value : 0
Oct 20 15:21:19 iPhone WeChat[3282] <Warning>: key : sendId   value : 1000039501201710207015233607354
Oct 20 15:21:19 iPhone WeChat[3282] <Warning>: key : isSender   value : 0
Oct 20 15:21:19 iPhone WeChat[3282] <Warning>:Oct 20 15:21:19 iPhone WeChat[3282] <Warning>: key : hbType   value : 0
Oct 20 15:21:19 iPhone WeChat[3282] <Warning>: m_delegate class is WCRedEnvelopesReceiveControlLogic 
```

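WeChat 6.5.20
Divider: everything above was from an earlier version. The offsets differ, but the logic is the same. App Store auto-updates are really annoying!

Hopper disassembly of the open-envelope method (for comparison with IDA):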

```
-[WCRedEnvelopesReceiveHomeView OnOpenRedEnvelopes]:
0000000100e586e8   sub     sp, sp, #0x70                               ; Objective C Implementation defined at 0x1036f8b50 (instance)
0000000100e586ec   stp     x24, x23, [sp, #0x30] ; save x24, x23 at [sp+0x30]
0000000100e586f0   stp     x22, x21, [sp, #0x40] ; save x22, x21 at [sp+0x40]
0000000100e586f4   stp     x20, x19, [sp, #0x50] ; save x20, x19 at [sp+0x50]
0000000100e586f8   stp     x29, x30, [sp, #0x60] ; save x29, x30 at [sp+0x60]
0000000100e586fc   add     x29, sp, #0x60  ; x29 = sp + 0x60
0000000100e58700   mov     x19, x0         ; x19 = x0 (self)
0000000100e58704   adrp    x8, #0x103c2a000 ; page address of the ivar offset
0000000100e58708   ldrsw   x24, [x8, #0xfbc] ; x24 = [x8+0xfbc] = objc_ivar_offset_WCRedEnvelopesReceiveHomeView_m_dicBaseInfo
0000000100e5870c   ldr     x0, [x19, x24]  ; x0 = [x19+x24] = self.m_dicBaseInfo
0000000100e58710   adrp    x8, #0x103b7d000 
0000000100e58714   ldr     x20, [x8, #0xee0]                           ; "objectForKey:",@selector(objectForKey:) ; selector reference
0000000100e58718   adrp    x2, #0x1033a6000
0000000100e5871c   add     x2, x2, #0xfb8                              ; @"isSender"
0000000100e58720   mov     x1, x20
0000000100e58724   bl      imp___stubs__objc_msgSend ; calls [self.m_dicBaseInfo objectForKey:@"isSender"]

0000000100e58728   mov     x29, x29
0000000100e5872c   bl      imp___stubs__objc_retainAutoreleasedReturnValue ; return value is in x0

0000000100e58730   mov     x21, x0
0000000100e58734   adrp    x8, #0x103b7f000 ; @selector(WAAppCacheSandboxDirWithAppID:) 
0000000100e58738   ldr     x22, [x8, #0x858] ; "intValue",@selector(intValue)
0000000100e5873c   mov     x1, x22
0000000100e58740   bl      imp___stubs__objc_msgSend  ; [[self.m_dicBaseInfo objectForKey:@"isSender"] intValue]

0000000100e58744   mov     x23, x0
0000000100e58748   mov     x0, x21 ; x21 = the isSender object returned above
0000000100e5874c   bl      imp___stubs__objc_release

0000000100e58750   ldr     x0, [x19, x24] ; x0 = [x19+x24] = self.m_dicBaseInfo
0000000100e58754   adrp    x2, #0x1033a6000  
0000000100e58758   add     x2, x2, #0xb18   ; @"hbType"
0000000100e5875c   mov     x1, x20
0000000100e58760   bl      imp___stubs__objc_msgSend ; [self.m_dicBaseInfo objectForKey:@"hbType"]
0000000100e58764   mov     x29, x29
0000000100e58768   bl      imp___stubs__objc_retainAutoreleasedReturnValue ; return value

0000000100e5876c   mov     x20, x0
0000000100e58770   mov     x1, x22
0000000100e58774   bl      imp___stubs__objc_msgSend
0000000100e58778   mov     x21, x0
0000000100e5877c   mov     x0, x20
0000000100e58780   bl      imp___stubs__objc_release

0000000100e58784   adrp    x8, #0x103c07000
0000000100e58788   ldr     x0, [x8, #0x7b8] ; x0 = [x8+0x7b8] objc_cls_ref_NSString,_OBJC_CLASS_$_NSString
0000000100e5878c   add     w8, w21, #0x1
0000000100e58790   cmp     w23, #0x0
0000000100e58794   orr     w9, wzr, #0x1
0000000100e58798   cinc    w9, w9, le
0000000100e5879c   adrp    x10, #0x103b7d000
0000000100e587a0   ldr     x1, [x10, #0xf68]                           ; "stringWithFormat:",@selector(stringWithFormat:)
0000000100e587a4   adrp    x10, #0x10330d000
0000000100e587a8   add     x10, x10, #0x18                             ; @""
0000000100e587ac   orr     w11, wzr, #0x2
0000000100e587b0   stp     x11, x10, [sp, #0x20]
0000000100e587b4   stp     x9, xzr, [sp, #0x10]
0000000100e587b8   movz    w9, #0x5
0000000100e587bc   stp     x9, x8, [sp]
0000000100e587c0   adrp    x2, #0x1033a7000
0000000100e587c4   add     x2, x2, #0x2b8   ; @"%u,%u,%u,%u,%u,%@"
0000000100e587c8   bl      imp___stubs__objc_msgSend ; [NSString stringWithFormat:@"%u,%u,%u,%u,%u,%@"];
0000000100e587cc   mov     x29, x29
0000000100e587d0   bl      imp___stubs__objc_retainAutoreleasedReturnValue


0000000100e587d4   mov     x20, x0
0000000100e587d8   movz    w0, #0x2db5
0000000100e587dc   mov     x1, x20
0000000100e587e0   movz    w2, #0x0
0000000100e587e4   movz    w3, #0x0                                    ; argument "self"
0000000100e587e8   bl      0x102923a8c
0000000100e587ec   adrp    x8, #0x103c2a000
0000000100e587f0   ldrsw   x8, [x8, #0xfd8]                            ; objc_ivar_offset_WCRedEnvelopesReceiveHomeView_m_delegate
0000000100e587f4   add     x0, x19, x8
0000000100e587f8   bl      imp___stubs__objc_loadWeakRetained
0000000100e587fc   mov     x19, x0
0000000100e58800   adrp    x8, #0x103bb1000                            ; @selector(setModifyDefaultAmt:)
0000000100e58804   ldr     x1, [x8, #0xf40]                            ; "WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes",@selector(WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes)
0000000100e58808   bl      imp___stubs__objc_msgSend
0000000100e5880c   mov     x0, x19
0000000100e58810   bl      imp___stubs__objc_release
0000000100e58814   mov     x0, x20
0000000100e58818   ldp     x29, x30, [sp, #0x60]
0000000100e5881c   ldp     x20, x19, [sp, #0x50]
0000000100e58820   ldp     x22, x21, [sp, #0x40]
0000000100e58824   ldp     x24, x23, [sp, #0x30]
0000000100e58828   add     sp, sp, #0x70
0000000100e5882c   b       imp___stubs__objc_release
                        ; endp
```

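IDA disassembly of the open-envelope method (IDA annotates method calls in more detail than Hopper, so IDA is used from here on):

  1. At call sites, IDA replaces method addresses with function names, which makes the disassembly easier to read.
  2. When objc_msgSend is called:
    X0 holds the first argument (the receiver), X1 holds the second argument (the selector), and the remaining arguments follow in order.
  3. x0~x7 are commonly used for arguments; x0 is commonly used for the return value.
  4. adrp is an address-generation instruction, commonly used to obtain the address of a method.
  5. x8 is commonly used as the base register when addressing memory.
  6. macOS terminal command
    To search only the current directory for files whose content matches MMServiceCenter: mdfind -onlyin . MMServiceCenter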

```
__text:0000000100E586E8 ; void __cdecl -[WCRedEnvelopesReceiveHomeView OnOpenRedEnvelopes](WCRedEnvelopesReceiveHomeView *self, SEL)
__text:0000000100E586E8 __WCRedEnvelopesReceiveHomeView_OnOpenRedEnvelopes_
__text:0000000100E586E8   SUB     SP, SP, #0x70
__text:0000000100E586EC   STP     X24, X23, [SP,#0x30]
__text:0000000100E586F0   STP     X22, X21, [SP,#0x40]
__text:0000000100E586F4   STP     X20, X19, [SP,#0x50]
__text:0000000100E586F8   STP     X29, X30, [SP,#0x60]
__text:0000000100E586FC   ADD     X29, SP, #0x60
__text:0000000100E58700   MOV     X19, X0
__text:0000000100E58704   ADRP    X8, #_OBJC_IVAR_$_WCRedEnvelopesReceiveHomeView.m_dicBaseInfo@PAGE
__text:0000000100E58708   LDRSW   X24, [X8,#_OBJC_IVAR_$_WCRedEnvelopesReceiveHomeView.m_dicBaseInfo@PAGEOFF] ; NSDictionary *m_dicBaseInfo;
__text:0000000100E5870C   LDR     X0, [X19,X24]
__text:0000000100E58710   ADRP    X8, #selRef_objectForKey_@PAGE 
__text:0000000100E58714   LDR     X20, [X8,#selRef_objectForKey_@PAGEOFF]
__text:0000000100E58718   ADRP    X2, #cfstr_Issender_1@PAGE
__text:0000000100E5871C   ADD     X2, X2, #cfstr_Issender_1@PAGEOFF ; "isSender" 
__text:0000000100E58720   MOV     X1, X20
__text:0000000100E58724   BL      _objc_msgSend
__text:0000000100E58728   MOV     X29, X29
__text:0000000100E5872C   BL      _objc_retainAutoreleasedReturnValue
; return value of the above: [self.m_dicBaseInfo objectForKey:@"isSender"]

__text:0000000100E58730   MOV     X21, X0
__text:0000000100E58734   ADRP    X8, #selRef_intValue@PAGE
__text:0000000100E58738   LDR     X22, [X8,#selRef_intValue@PAGEOFF]
__text:0000000100E5873C   MOV     X1, X22
__text:0000000100E58740   BL      _objc_msgSend

__text:0000000100E58744   MOV     X23, X0
__text:0000000100E58748   MOV     X0, X21
__text:0000000100E5874C   BL      _objc_release
__text:0000000100E58750   LDR     X0, [X19,X24]
__text:0000000100E58754   ADRP    X2, #cfstr_Hbtype_1@PAGE
__text:0000000100E58758   ADD     X2, X2, #cfstr_Hbtype_1@PAGEOFF ; "hbType"
__text:0000000100E5875C   MOV     X1, X20
__text:0000000100E58760   BL      _objc_msgSend
__text:0000000100E58764   MOV     X29, X29
__text:0000000100E58768   BL      _objc_retainAutoreleasedReturnValue
; return value of the above: [self.m_dicBaseInfo objectForKey:@"hbType"]

__text:0000000100E5876C   MOV     X20, X0
__text:0000000100E58770   MOV     X1, X22
__text:0000000100E58774   BL      _objc_msgSend
__text:0000000100E58778   MOV     X21, X0
__text:0000000100E5877C   MOV     X0, X20
__text:0000000100E58780   BL      _objc_release
__text:0000000100E58784   ADRP    X8, #classRef_NSString@PAGE
__text:0000000100E58788   LDR     X0, [X8,#classRef_NSString@PAGEOFF]
__text:0000000100E5878C   ADD     W8, W21, #1
__text:0000000100E58790   CMP     W23, #0
__text:0000000100E58794   MOV     W9, #1
__text:0000000100E58798   CINC    W9, W9, LE
__text:0000000100E5879C   ADRP    X10, #selRef_stringWithFormat_@PAGE
__text:0000000100E587A0   LDR     X1, [X10,#selRef_stringWithFormat_@PAGEOFF]
__text:0000000100E587A4   ADRP    X10, #stru_10330D018@PAGE
__text:0000000100E587A8   ADD     X10, X10, #stru_10330D018@PAGEOFF
__text:0000000100E587AC   MOV     W11, #2
__text:0000000100E587B0   STP     X11, X10, [SP,#0x20]
__text:0000000100E587B4   STP     X9, XZR, [SP,#0x10]
__text:0000000100E587B8   MOV     W9, #5
__text:0000000100E587BC   STP     X9, X8, [SP]
__text:0000000100E587C0   ADRP    X2, #cfstr_UUUUU_1@PAGE  ;
__text:0000000100E587C4   ADD     X2, X2, #cfstr_UUUUU_1@PAGEOFF ; "%u,%u,%u,%u,%u,%@"
__text:0000000100E587C8   BL      _objc_msgSend
__text:0000000100E587CC   MOV     X29, X29
__text:0000000100E587D0   BL      _objc_retainAutoreleasedReturnValue
; return value of the above: [NSString stringWithFormat:@"%u,%u,%u,%u,%u,%@"]

__text:0000000100E587D4   MOV     X20, X0
__text:0000000100E587D8   MOV     W0, #0x2DB5
__text:0000000100E587DC   MOV     X1, X20
__text:0000000100E587E0   MOV     W2, #0
__text:0000000100E587E4   MOV     W3, #0
__text:0000000100E587E8   BL      sub_102923A8C
__text:0000000100E587EC   ADRP    X8, #_OBJC_IVAR_$_WCRedEnvelopesReceiveHomeView.m_delegate@PAGE
__text:0000000100E587F0   LDRSW   X8, [X8,#_OBJC_IVAR_$_WCRedEnvelopesReceiveHomeView.m_delegate@PAGEOFF] ; WCRedEnvelopesReceiveHomeViewDelegate *m_delegate;
__text:0000000100E587F4   ADD     X0, X19, X8
__text:0000000100E587F8   BL      _objc_loadWeakRetained
__text:0000000100E587FC   MOV     X19, X0
__text:0000000100E58800   ADRP    X8, #selRef_WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes@PAGE
__text:0000000100E58804   LDR     X1, [X8,#selRef_WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes@PAGEOFF]
__text:0000000100E58808   BL      _objc_msgSend
; the above calls: [self.m_delegate WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes]
; the log shows that self.m_delegate is of class WCRedEnvelopesReceiveControlLogic

__text:0000000100E5880C   MOV     X0, X19
__text:0000000100E58810   BL      _objc_release
__text:0000000100E58814   MOV     X0, X20
__text:0000000100E58818   LDP     X29, X30, [SP,#0x60]
__text:0000000100E5881C   LDP     X20, X19, [SP,#0x50]
__text:0000000100E58820   LDP     X22, X21, [SP,#0x40]
__text:0000000100E58824   LDP     X24, X23, [SP,#0x30]
__text:0000000100E58828   ADD     SP, SP, #0x70
__text:0000000100E5882C   B       _objc_release
__text:0000000100E5882C ; End of function -[WCRedEnvelopesReceiveHomeView OnOpenRedEnvelopes]
```

The resulting rough pseudocode:

```
// Whether we are the sender of the message
int isSender = [[self.m_dicBaseInfo objectForKey:@"isSender"] intValue];
// Red envelope type
NSNumber *hbType = [self.m_dicBaseInfo objectForKey:@"hbType"]; 
// The trailing arguments are unknown
NSString *unknownStr = [NSString stringWithFormat:@"%u,%u,%u,%u,%u,%@"];
// Call open-envelope on the delegate, a WCRedEnvelopesReceiveControlLogic
[self.m_delegate WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes];
```
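
The arguments the pseudocode leaves open can be read off the STP stores at 0x100E5878C..0x100E587BC, because on Apple arm64 variadic arguments are passed in consecutive 8-byte stack slots starting at [SP]. The C sketch below is an added example, not code from the original post or from WeChat; it replays those instructions for given intValue results. The function names are made up for illustration and @"" is modelled as an empty C string.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outgoing-argument area at [SP, SP+0x30): six 8-byte slots.
   On Apple arm64 each variadic argument occupies one slot, in order. */
typedef struct {
    uint64_t slot[6];
} arg_area;

/* STP Xa, Xb, [SP,#off]: store two 64-bit registers at SP+off and SP+off+8. */
static void stp(arg_area *sp, unsigned off, uint64_t xa, uint64_t xb)
{
    sp->slot[off / 8]     = xa;
    sp->slot[off / 8 + 1] = xb;
}

/* CMP Wm, #0 ; CINC Wd, Wn, LE  ->  Wd = (signed Wm <= 0) ? Wn + 1 : Wn */
static uint32_t cinc_if_le_zero(uint32_t wn, int32_t wm)
{
    return wm <= 0 ? wn + 1u : wn;
}

/* Replay the register setup and stores from the listing.
   w23 = [isSender intValue], w21 = [hbType intValue]. */
static void replay_stores(int32_t w23, int32_t w21, arg_area *sp)
{
    static const char empty[] = "";             /* stands in for @"" (assumption) */
    uint64_t x8  = (uint32_t)w21 + 1u;          /* ADD  W8, W21, #1 (W write zero-extends) */
    uint64_t x9  = cinc_if_le_zero(1u, w23);    /* MOV  W9, #1 ; CINC W9, W9, LE */
    uint64_t x10 = (uint64_t)(uintptr_t)empty;  /* ADRP/ADD X10 -> @"" */
    uint64_t x11 = 2;                           /* MOV  W11, #2 */

    stp(sp, 0x20, x11, x10);                    /* STP  X11, X10, [SP,#0x20] */
    stp(sp, 0x10, x9, 0);                       /* STP  X9, XZR, [SP,#0x10] */
    x9 = 5;                                     /* MOV  W9, #5 */
    stp(sp, 0x00, x9, x8);                      /* STP  X9, X8, [SP] */
}

/* Consume the slots in order, as a "%u,%u,%u,%u,%u,%@" format would. */
static const char *render_format_args(int32_t is_sender, int32_t hb_type,
                                      char *out, size_t n)
{
    arg_area sp;
    memset(&sp, 0, sizeof sp);
    replay_stores(is_sender, hb_type, &sp);
    snprintf(out, n, "%u,%u,%u,%u,%u,%s",
             (unsigned)sp.slot[0], (unsigned)sp.slot[1], (unsigned)sp.slot[2],
             (unsigned)sp.slot[3], (unsigned)sp.slot[4],
             (const char *)(uintptr_t)sp.slot[5]);
    return out;
}

int main(void)
{
    char buf[64];
    /* Values taken from the log output earlier on the page: isSender = 0, hbType = 0. */
    printf("%s\n", render_format_args(0, 0, buf, sizeof buf));
    return 0;
}
```

Read in slot order, the six arguments are 5, hbType + 1, (isSender <= 0 ? 2 : 1), 0, 2 and @"".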

Next, following the call identified above, we disassemble the WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes method of WCRedEnvelopesReceiveControlLogic:

__text:00000001011FF35C ; void __cdecl -[WCRedEnvelopesReceiveControlLogic WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes](WCRedEnvelopesReceiveControlLogic *self, SEL)
__text:00000001011FF35C __WCRedEnvelopesReceiveControlLogic_WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes_
... ; some code omitted
__text:00000001011FF35C    SUB    SP, SP, #0x130
__text:00000001011FF360    STP    D9, D8, [SP,#0x120+var_60]
__text:00000001011FF364    STP    X28, X27, [SP,#0x120+var_50]
__text:00000001011FF368    STP    X26, X25, [SP,#0x120+var_40]
__text:00000001011FF36C    STP    X24, X23, [SP,#0x120+var_30]
__text:00000001011FF370    STP    X22, X21, [SP,#0x120+var_20]
__text:00000001011FF374    STP    X20, X19, [SP,#0x120+var_10]
__text:00000001011FF378    STP    X29, X30, [SP,#0x120+var_s0]
__text:00000001011FF37C    ADD    X29, SP, #0x120
__text:00000001011FF380    MOV    X27, X0
__text:00000001011FF384    ADRP   X8, #_OBJC_IVAR_$_WCRedEnvelopesControlLogic.m_data@PAGE ; WCRedEnvelopesControlData *m_data;
__text:00000001011FF388    NOP
__text:00000001011FF38C    LDRSW  X21, [X8,#_OBJC_IVAR_$_WCRedEnvelopesControlLogic.m_data@PAGEOFF] ; WCRedEnvelopesControlData *m_data;
__text:00000001011FF390    LDR    X0, [X27,X21] 
__text:00000001011FF394    ADRP   X8, #selRef_m_oSelectedMessageWrap@PAGE
__text:00000001011FF398    LDR    X19, [X8,#selRef_m_oSelectedMessageWrap@PAGEOFF]
__text:00000001011FF39C    MOV    X1, X19
__text:00000001011FF3A0    BL     _objc_msgSend
__text:00000001011FF3A4    MOV    X29, X29
__text:00000001011FF3A8    BL     _objc_retainAutoreleasedReturnValue
; return value of the above: CMessageWrap *messageWrap = [self.m_data m_oSelectedMessageWrap];


__text:00000001011FF3AC    MOV    X22, X0 ; x0 is the return value: the address of messageWrap
__text:00000001011FF3B0    ADRP   X8, #selRef_m_oWCPayInfoItem@PAGE
__text:00000001011FF3B4    LDR    X1, [X8,#selRef_m_oWCPayInfoItem@PAGEOFF]
__text:00000001011FF3B8    STR    X1, [SP,#0x120+var_100] ; x1 is the m_oWCPayInfoItem selector
__text:00000001011FF3BC    BL     _objc_msgSend
__text:00000001011FF3C0    MOV    X29, X29
__text:00000001011FF3C4    BL     _objc_retainAutoreleasedReturnValue
; return value of the above: WCPayInfoItem *payInfoItem = [messageWrap m_oWCPayInfoItem];

__text:00000001011FF3C8    MOV    X23, X0
__text:00000001011FF3CC    ADRP   X8, #selRef_m_c2cNativeUrl@PAGE
__text:00000001011FF3D0    LDR    X24, [X8,#selRef_m_c2cNativeUrl@PAGEOFF]
__text:00000001011FF3D4    MOV    X1, X24
__text:00000001011FF3D8    BL     _objc_msgSend
__text:00000001011FF3DC    MOV    X29, X29
__text:00000001011FF3E0    BL     _objc_retainAutoreleasedReturnValue
; return value of the above: NSString *m_c2cNativeUrl = [payInfoItem m_c2cNativeUrl];

__text:00000001011FF3E4    MOV    X25, X0
__text:00000001011FF3E8    ADRP   X8, #selRef_length@PAGE
__text:00000001011FF3EC    LDR    X1, [X8,#selRef_length@PAGEOFF]
__text:00000001011FF3F0    ADRP   X0, #cfstr_WxpayC2cbizmes_0@PAGE ; "wxpay://c2cbizmessagehandler/hongbao/receivehongbao?"
__text:00000001011FF3F4    ADD    X0, X0, #cfstr_WxpayC2cbizmes_0@PAGEOFF ; "wxpay://c2cbizmessagehandler/hongbao/receivehongbao?"
__text:00000001011FF3F8    STR    X1, [SP,#0x120+var_F8] ; [SP,#0x120+var_F8] = the length selector
__text:00000001011FF3FC    BL     _objc_msgSend
__text:00000001011FF400    MOV    X2, X0
__text:00000001011FF404    ADRP   X8, #selRef_substringFromIndex_@PAGE
__text:00000001011FF408    LDR    X1, [X8,#selRef_substringFromIndex_@PAGEOFF]
__text:00000001011FF40C    MOV    X0, X25
__text:00000001011FF410    BL     _objc_msgSend
__text:00000001011FF414    MOV    X29, X29
__text:00000001011FF418    BL     _objc_retainAutoreleasedReturnValue
; the above makes two calls: 1. [@"wxpay://c2cbizmessagehandler/hongbao/receivehongbao?" length] 2. [m_c2cNativeUrl substringFromIndex:]
; NSInteger index = [@"wxpay://c2cbizmessagehandler/hongbao/receivehongbao?" length];
; return value of the above: NSString *nativeUrlData = [m_c2cNativeUrl substringFromIndex:index];

__text:00000001011FF41C    MOV    X20, X0 ; x20 is nativeUrlData
__text:00000001011FF420    MOV    X0, X25 ; x25 now holds the address of m_c2cNativeUrl
__text:00000001011FF424    BL     _objc_release
__text:00000001011FF428    MOV    X0, X23
__text:00000001011FF42C    BL     _objc_release
__text:00000001011FF430    MOV    X0, X22  ; x22 is the address of messageWrap
__text:00000001011FF434    BL     _objc_release
__text:00000001011FF438    ADRP   X8, #classRef_WCBizUtil@PAGE
__text:00000001011FF43C    LDR    X0, [X8,#classRef_WCBizUtil@PAGEOFF]  ; x0 is WCBizUtil
__text:00000001011FF440    ADRP   X8, #selRef_dictionaryWithDecodedComponets_separator_@PAGE
__text:00000001011FF444    LDR    X1, [X8,#selRef_dictionaryWithDecodedComponets_separator_@PAGEOFF] ; x1 is dictionaryWithDecodedComponets:separator:
__text:00000001011FF448    ADRP   X3, #stru_10330F0F8@PAGE  ; "&" x3 is the string "&"
__text:00000001011FF44C    ADD    X3, X3, #stru_10330F0F8@PAGEOFF  ; "&"
__text:00000001011FF450    STR    X20, [SP,#0x120+var_E0]
__text:00000001011FF454    MOV    X2, X20  ; x2 is nativeUrlData
__text:00000001011FF458    BL     _objc_msgSend
__text:00000001011FF45C    MOV    X29, X29
__text:00000001011FF460    BL     _objc_retainAutoreleasedReturnValue
; return value of the above:
; NSDictionary *nativeUrlDict = [WCBizUtil dictionaryWithDecodedComponets:nativeUrlData separator:@"&"]

__text:00000001011FF464    MOV    X20, X0 ; x20 is nativeUrlDict
__text:00000001011FF468    ADRP   X8, #classRef_NSMutableDictionary@PAGE
__text:00000001011FF46C    LDR    X0, [X8,#classRef_NSMutableDictionary@PAGEOFF] ; x0 is NSMutableDictionary
__text:00000001011FF470    ADRP   X8, #selRef_dictionary@PAGE
__text:00000001011FF474    LDR    X1, [X8,#selRef_dictionary@PAGEOFF] ; x1 is the dictionary selector
__text:00000001011FF478    BL     _objc_msgSend
__text:00000001011FF47C    MOV    X29, X29
__text:00000001011FF480    BL     _objc_retainAutoreleasedReturnValue
; return value of the above: NSMutableDictionary *dictM = [NSMutableDictionary dictionary];

__text:00000001011FF484    MOV    X22, X0 ; x22 is dictM
__text:00000001011FF488    ADRP   X8, #selRef_safeSetObject_forKey_@PAGE
__text:00000001011FF48C    LDR    X25, [X8,#selRef_safeSetObject_forKey_@PAGEOFF]
__text:00000001011FF490    ADRP   X2, #cfstr_1@PAGE ; "1"
__text:00000001011FF494    ADD    X2, X2, #cfstr_1@PAGEOFF ; "1"
__text:00000001011FF498    ADRP   X3, #cfstr_Msgtype_1@PAGE ; "msgType"
__text:00000001011FF49C    ADD    X3, X3, #cfstr_Msgtype_1@PAGEOFF ; "msgType"
__text:00000001011FF4A0    MOV    X1, X25
__text:00000001011FF4A4    BL     _objc_msgSend 
; the above: [dictM safeSetObject:@"1" forKey:@"msgType"];

__text:00000001011FF4A8    ADRP   X8, #selRef_objectForKey_@PAGE
__text:00000001011FF4AC    LDR    X23, [X8,#selRef_objectForKey_@PAGEOFF]
__text:00000001011FF4B0    ADRP   X2, #cfstr_Sendid_2@PAGE ; "sendid"
__text:00000001011FF4B4    ADD    X2, X2, #cfstr_Sendid_2@PAGEOFF ; "sendid"
__text:00000001011FF4B8    MOV    X0, X20 ; x20 is nativeUrlDict
__text:00000001011FF4BC    MOV    X1, X23
__text:00000001011FF4C0    BL     _objc_msgSend
__text:00000001011FF4C4    MOV    X29, X29
__text:00000001011FF4C8    BL     _objc_retainAutoreleasedReturnValue
; return value of the above: id sendId = [nativeUrlDict objectForKey:@"sendid"];

__text:00000001011FF4CC    MOV    X26, X0 ; x26 is sendId
__text:00000001011FF4D0    ADRP   X3, #cfstr_Sendid_1@PAGE ; "sendId"
__text:00000001011FF4D4    ADD    X3, X3, #cfstr_Sendid_1@PAGEOFF ; "sendId"
__text:00000001011FF4D8    MOV    X0, X22 ; x22 is dictM
__text:00000001011FF4DC    MOV    X1, X25 ; x25 is the safeSetObject:forKey: selector
__text:00000001011FF4E0    MOV    X2, X26 ; x26 is sendId
__text:00000001011FF4E4    BL     _objc_msgSend
; the above: [dictM safeSetObject:sendId forKey:@"sendId"]

__text:00000001011FF4E8    MOV    X0, X26
__text:00000001011FF4EC    MOV    X26, X21
__text:00000001011FF4F0    BL     _objc_release
__text:00000001011FF4F4    ADRP   X2, #cfstr_Channelid_0@PAGE ; "channelid"
__text:00000001011FF4F8    ADD    X2, X2, #cfstr_Channelid_0@PAGEOFF ; "channelid"
__text:00000001011FF4FC    STR    X20, [SP,#0x120+var_E8]
__text:00000001011FF500    MOV    X0, X20 ; x20 is nativeUrlDict
__text:00000001011FF504    MOV    X1, X23 ; x23 is the objectForKey: selector
__text:00000001011FF508    BL     _objc_msgSend
__text:00000001011FF50C    MOV    X29, X29
__text:00000001011FF510    BL     _objc_retainAutoreleasedReturnValue
; return value of the above: id channelId = [nativeUrlDict objectForKey:@"channelid"]

__text:00000001011FF514    MOV    X23, X0
__text:00000001011FF518    ADRP   X3, #cfstr_Channelid@PAGE ; "channelId"
__text:00000001011FF51C    ADD    X3, X3, #cfstr_Channelid@PAGEOFF ; "channelId"
__text:00000001011FF520    MOV    X0, X22
__text:00000001011FF524    MOV    X1, X25
__text:00000001011FF528    MOV    X2, X23
__text:00000001011FF52C    BL     _objc_msgSend
; the above: [dictM safeSetObject:channelId forKey:@"channelId"]

__text:00000001011FF530    MOV    X0, X23
__text:00000001011FF534    BL     _objc_release
__text:00000001011FF538    ADRP   X8, #classRef_MMServiceCenter@PAGE
__text:00000001011FF53C    LDR    X0, [X8,#classRef_MMServiceCenter@PAGEOFF] ; x0 is MMServiceCenter
__text:00000001011FF540    ADRP   X8, #selRef_defaultCenter@PAGE
__text:00000001011FF544    LDR    X28, [X8,#selRef_defaultCenter@PAGEOFF]
__text:00000001011FF548    MOV    X1, X28 ; x28 (copied to x1) is the defaultCenter selector
__text:00000001011FF54C    BL     _objc_msgSend
__text:00000001011FF550    MOV    X29, X29
__text:00000001011FF554    BL     _objc_retainAutoreleasedReturnValue
; return value of the above: MMServiceCenter *serviceCenter = [MMServiceCenter defaultCenter];
; MMServiceCenter is curious: no header for it can be found in the class-dump output

__text:00000001011FF558    MOV    X23, X0
__text:00000001011FF55C    ADRP   X8, #classRef_CContactMgr@PAGE
__text:00000001011FF560    LDR    X0, [X8,#classRef_CContactMgr@PAGEOFF]
__text:00000001011FF564    ADRP   X8, #selRef_class@PAGE
__text:00000001011FF568    LDR    X1, [X8,#selRef_class@PAGEOFF]
__text:00000001011FF56C    STR    X1, [SP,#0x120+var_D0]
__text:00000001011FF570    BL     _objc_msgSend
; the above: Class contactMgrCls = [CContactMgr class];

__text:00000001011FF574    MOV    X2, X0
__text:00000001011FF578    ADRP   X8, #selRef_getService_@PAGE
__text:00000001011FF57C    LDR    X1, [X8,#selRef_getService_@PAGEOFF]
__text:00000001011FF580    MOV    X0, X23  ; x23 is serviceCenter
__text:00000001011FF584    STR    X1, [SP,#0x120+var_D8]
__text:00000001011FF588    BL     _objc_msgSend
__text:00000001011FF58C    MOV    X29, X29
__text:00000001011FF590    BL     _objc_retainAutoreleasedReturnValue
; return value of the above: id contactMgrSer = [serviceCenter getService:contactMgrCls]

__text:00000001011FF594    MOV    X21, X0
__text:00000001011FF598    ADRP   X8, #selRef_getSelfContact@PAGE
__text:00000001011FF59C    LDR    X1, [X8,#selRef_getSelfContact@PAGEOFF]
__text:00000001011FF5A0    BL     _objc_msgSend
__text:00000001011FF5A4    MOV    X29, X29
__text:00000001011FF5A8    BL     _objc_retainAutoreleasedReturnValue
; return value of the above: id contactMgrSelfContact = [contactMgrSer getSelfContact];

__text:00000001011FF5AC    MOV    X20, X0
__text:00000001011FF5B0    MOV    X0, X21
__text:00000001011FF5B4    BL     _objc_release
__text:00000001011FF5B8    MOV    X0, X23
__text:00000001011FF5BC    BL     _objc_release
__text:00000001011FF5C0    ADRP   X8, #selRef_getContactDisplayName@PAGE
__text:00000001011FF5C4    LDR    X1, [X8,#selRef_getContactDisplayName@PAGEOFF]
__text:00000001011FF5C8    MOV    X0, X20
__text:00000001011FF5CC    BL     _objc_msgSend
__text:00000001011FF5D0    MOV    X29, X29
__text:00000001011FF5D4    BL     _objc_retainAutoreleasedReturnValue
; return value of the above: NSString *displayName = [contactMgrSelfContact getContactDisplayName];

__text:00000001011FF5D8    MOV    X21, X0
__text:00000001011FF5DC    ADRP   X3, #cfstr_Nickname_4@PAGE ; "nickName"
__text:00000001011FF5E0    ADD    X3, X3, #cfstr_Nickname_4@PAGEOFF ; "nickName"
__text:00000001011FF5E4    MOV    X0, X22 ; x22 is dictM
__text:00000001011FF5E8    MOV    X1, X25 ; x25 is the safeSetObject:forKey: selector
__text:00000001011FF5EC    MOV    X2, X21 
__text:00000001011FF5F0    BL     _objc_msgSend
; the above: [dictM safeSetObject:displayName forKey:@"nickName"];

__text:00000001011FF5F4    MOV    X0, X21
__text:00000001011FF5F8    BL     _objc_release
__text:00000001011FF5FC    ADRP   X8, #selRef_m_nsHeadImgUrl@PAGE
__text:00000001011FF600    LDR    X1, [X8,#selRef_m_nsHeadImgUrl@PAGEOFF]
__text:00000001011FF604    STR    X20, [SP,#0x120+var_F0]
__text:00000001011FF608    MOV    X0, X20
__text:00000001011FF60C    BL     _objc_msgSend
__text:00000001011FF610    MOV    X29, X29
__text:00000001011FF614    BL     _objc_retainAutoreleasedReturnValue
; return value of the above: NSString *headImgUrl = [contactMgrSelfContact m_nsHeadImgUrl];

__text:00000001011FF618    MOV    X21, X0
__text:00000001011FF61C    ADRP   X3, #cfstr_Headimg_2@PAGE ; "headImg"
__text:00000001011FF620    ADD    X3, X3, #cfstr_Headimg_2@PAGEOFF ; "headImg"
__text:00000001011FF624    MOV    X0, X22
__text:00000001011FF628    MOV    X1, X25
__text:00000001011FF62C    MOV    X2, X21
__text:00000001011FF630    BL     _objc_msgSend
; the above: [dictM safeSetObject:headImgUrl forKey:@"headImg"]

__text:00000001011FF634    MOV    X0, X21
__text:00000001011FF638    BL     _objc_release
__text:00000001011FF63C    LDR    X0, [X27,X26] ; x26 = x21, so [x27,x26] = [x27,x21] = self.m_data
__text:00000001011FF640    MOV    X1, X19 ; x19 is the m_oSelectedMessageWrap selector
__text:00000001011FF644    BL     _objc_msgSend
__text:00000001011FF648    MOV    X29, X29
__text:00000001011FF64C    BL     _objc_retainAutoreleasedReturnValue
; return value of the above: CMessageWrap *messageWrap = [self.m_data m_oSelectedMessageWrap];

__text:00000001011FF650    MOV    X21, X0
__text:00000001011FF654    BL     _objc_release

__text:00000001011FF658    CBZ    X21, loc_1011FF6CC ;if messageWrap is nil, jump to loc_1011FF6CC
__text:00000001011FF65C    LDR    X0, [X27,X26]
__text:00000001011FF660    MOV    X1, X19
__text:00000001011FF664    BL     _objc_msgSend
__text:00000001011FF668    MOV    X29, X29
__text:00000001011FF66C    BL     _objc_retainAutoreleasedReturnValue
;Return value above: CMessageWrap *messageWrap = [self.m_data m_oSelectedMessageWrap];

__text:00000001011FF670    MOV    X19, X0 ;x19 is messageWrap
__text:00000001011FF674    LDR    X1, [SP,#0x120+var_100] ; [SP,#0x120+var_100] holds the m_oWCPayInfoItem selector
__text:00000001011FF678    BL     _objc_msgSend
__text:00000001011FF67C    MOV    X29, X29
__text:00000001011FF680    BL     _objc_retainAutoreleasedReturnValue
;Return value above: WCPayInfoItem *payInfoItem = [messageWrap m_oWCPayInfoItem];

__text:00000001011FF684    MOV    X21, X0
__text:00000001011FF688    MOV    X1, X24
__text:00000001011FF68C    BL     _objc_msgSend
__text:00000001011FF690    MOV    X29, X29
__text:00000001011FF694    BL     _objc_retainAutoreleasedReturnValue
;Return value above: NSString *m_c2cNativeUrl = [payInfoItem m_c2cNativeUrl];

__text:00000001011FF698    MOV    X23, X0
__text:00000001011FF69C    ADRP   X3, #cfstr_Nativeurl_4@PAGE ; "nativeUrl"
__text:00000001011FF6A0    ADD    X3, X3, #cfstr_Nativeurl_4@PAGEOFF ; "nativeUrl"
__text:00000001011FF6A4    MOV    X0, X22 ;x22 is dictM
__text:00000001011FF6A8    MOV    X1, X25 ;x25 is the selector setObject:forKey:
__text:00000001011FF6AC    MOV    X2, X23 ;
__text:00000001011FF6B0    BL     _objc_msgSend
;Code above: [dictM setObject:m_c2cNativeUrl forKey: @"nativeUrl"];

__text:00000001011FF6B4    MOV    X0, X23
__text:00000001011FF6B8    BL     _objc_release
__text:00000001011FF6BC    MOV    X0, X21
__text:00000001011FF6C0    BL     _objc_release
__text:00000001011FF6C4    MOV    X0, X19
__text:00000001011FF6C8    BL     _objc_release

__text:00000001011FF6CC
__text:00000001011FF6CC loc_1011FF6CC                  ; CODE XREF: -[WCRedEnvelopesReceiveControlLogic WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes]+2FC↑j
__text:00000001011FF6CC    ADRP   X8, #classRef_MMServiceCenter@PAGE
__text:00000001011FF6D0    LDR    X0, [X8,#classRef_MMServiceCenter@PAGEOFF] ;MMServiceCenter
__text:00000001011FF6D4    STR    X28, [SP,#0x120+var_100]
__text:00000001011FF6D8    MOV    X1, X28  ;x28 is defaultCenter
__text:00000001011FF6DC    BL     _objc_msgSend
__text:00000001011FF6E0    MOV    X29, X29
__text:00000001011FF6E4    BL     _objc_retainAutoreleasedReturnValue
;Return value above: MMServiceCenter *serviceCenter = [MMServiceCenter defaultCenter];

__text:00000001011FF6E8    MOV    X21, X0
__text:00000001011FF6EC    ADRP   X8, #classRef_MMMsgLogicManager@PAGE
__text:00000001011FF6F0    LDR    X0, [X8,#classRef_MMMsgLogicManager@PAGEOFF] ; MMMsgLogicManager
__text:00000001011FF6F4    LDR    X1, [SP,#0x120+var_D0] ;the class selector
__text:00000001011FF6F8    BL     _objc_msgSend
;Code above: Class logicMgrCls = [MMMsgLogicManager class];

__text:00000001011FF6FC    MOV    X2, X0
__text:00000001011FF700    MOV    X0, X21
__text:00000001011FF704    LDR    X1, [SP,#0x120+var_D8] ;the getService: selector
__text:00000001011FF708    BL     _objc_msgSend
__text:00000001011FF70C    MOV    X29, X29
__text:00000001011FF710    BL     _objc_retainAutoreleasedReturnValue
;Return value above: id logicMgrSer = [serviceCenter getService:logicMgrCls];

__text:00000001011FF714    MOV    X23, X0
__text:00000001011FF718    ADRP   X8, #selRef_GetCurrentLogicController@PAGE
__text:00000001011FF71C    LDR    X1, [X8,#selRef_GetCurrentLogicController@PAGEOFF]
__text:00000001011FF720    BL     _objc_msgSend
__text:00000001011FF724    MOV    X29, X29
__text:00000001011FF728    BL     _objc_retainAutoreleasedReturnValue
;Return value above: id currentVC = [logicMgrSer GetCurrentLogicController];

__text:00000001011FF72C    MOV    X28, X0
__text:00000001011FF730    MOV    X0, X23
__text:00000001011FF734    BL     _objc_release
__text:00000001011FF738    MOV    X0, X21
__text:00000001011FF73C    BL     _objc_release
__text:00000001011FF740    CBZ    X28, loc_1011FF810 ;if currentVC is nil, jump to loc_1011FF810
__text:00000001011FF744    ADRP   X8, #selRef_m_contact@PAGE
__text:00000001011FF748    LDR    X21, [X8,#selRef_m_contact@PAGEOFF]
__text:00000001011FF74C    MOV    X0, X28
__text:00000001011FF750    MOV    X1, X21
__text:00000001011FF754    BL     _objc_msgSend
__text:00000001011FF758    MOV    X29, X29
__text:00000001011FF75C    BL     _objc_retainAutoreleasedReturnValue
;Return value above: id contact = [currentVC m_contact];

__text:00000001011FF760    MOV    X23, X0 
__text:00000001011FF764    CBZ    X23, loc_1011FF810 ;if contact is nil, jump to loc_1011FF810
__text:00000001011FF768    MOV    X0, X28 
__text:00000001011FF76C    MOV    X1, X21 
__text:00000001011FF770    BL     _objc_msgSend
__text:00000001011FF774    MOV    X29, X29
__text:00000001011FF778    BL     _objc_retainAutoreleasedReturnValue
;Return value above: id contact = [currentVC m_contact];

__text:00000001011FF77C    MOV    X19, X26
__text:00000001011FF780    MOV    X26, X0
__text:00000001011FF784    ADRP   X8, #selRef_m_nsUsrName@PAGE
__text:00000001011FF788    LDR    X24, [X8,#selRef_m_nsUsrName@PAGEOFF]
__text:00000001011FF78C    MOV    X1, X24
__text:00000001011FF790    BL     _objc_msgSend
__text:00000001011FF794    MOV    X29, X29
__text:00000001011FF798    BL     _objc_retainAutoreleasedReturnValue
;Return value above: NSString *userName = [contact m_nsUsrName];

__text:00000001011FF79C    MOV    X20, X0
__text:00000001011FF7A0    BL     _objc_release
__text:00000001011FF7A4    MOV    X0, X26
__text:00000001011FF7A8    MOV    X26, X19
__text:00000001011FF7AC    BL     _objc_release
__text:00000001011FF7B0    MOV    X0, X23
__text:00000001011FF7B4    BL     _objc_release
__text:00000001011FF7B8    CBZ    X20, loc_1011FF810 ;if userName is nil, jump to loc_1011FF810
__text:00000001011FF7BC    MOV    X0, X28
__text:00000001011FF7C0    MOV    X1, X21
__text:00000001011FF7C4    BL     _objc_msgSend
__text:00000001011FF7C8    MOV    X29, X29
__text:00000001011FF7CC    BL     _objc_retainAutoreleasedReturnValue
;Return value above: id contact = [currentVC m_contact];

__text:00000001011FF7D0    MOV    X20, X0
__text:00000001011FF7D4    MOV    X1, X24
__text:00000001011FF7D8    BL     _objc_msgSend
__text:00000001011FF7DC    MOV    X29, X29
__text:00000001011FF7E0    BL     _objc_retainAutoreleasedReturnValue
;Return value above: NSString *userName = [contact m_nsUsrName];

__text:00000001011FF7E4    MOV    X21, X0
__text:00000001011FF7E8    ADRP   X3, #cfstr_Sessionusernam@PAGE ; "sessionUserName"
__text:00000001011FF7EC    ADD    X3, X3, #cfstr_Sessionusernam@PAGEOFF ; "sessionUserName"
__text:00000001011FF7F0    MOV    X0, X22 ;x22 is dictM
__text:00000001011FF7F4    MOV    X1, X25 ;x25 is the selector setObject:forKey:
__text:00000001011FF7F8    MOV    X2, X21 ;x21 is userName
__text:00000001011FF7FC    BL     _objc_msgSend
;Code above: [dictM setObject:userName forKey:@"sessionUserName"]
__text:00000001011FF800    MOV    X0, X21
__text:00000001011FF804    BL     _objc_release
__text:00000001011FF808    MOV    X0, X20
__text:00000001011FF80C    BL     _objc_release
;End of the conditional block

__text:00000001011FF810
__text:00000001011FF810 loc_1011FF810                  ; CODE XREF: -[WCRedEnvelopesReceiveControlLogic WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes]+3E4↑j
__text:00000001011FF810                                ;            -[WCRedEnvelopesReceiveControlLogic WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes]+408↑j ...
__text:00000001011FF810    STP    X28, X26, [SP,#0x120+var_110]
__text:00000001011FF814    LDR    X0, [X27,X26] ;x0 is self.m_data
__text:00000001011FF818    ADRP   X8, #selRef_m_structDicRedEnvelopesBaseInfo@PAGE ;m_structDicRedEnvelopesBaseInfo
__text:00000001011FF81C    LDR    X24, [X8,#selRef_m_structDicRedEnvelopesBaseInfo@PAGEOFF]
__text:00000001011FF820    MOV    X1, X24
__text:00000001011FF824    BL     _objc_msgSend
__text:00000001011FF828    MOV    X29, X29
__text:00000001011FF82C    BL     _objc_retainAutoreleasedReturnValue
;Return value: NSDictionary* baseInfoDict = [self.m_data m_structDicRedEnvelopesBaseInfo];

__text:00000001011FF830    MOV    X20, X0
__text:00000001011FF834    ADRP   X8, #selRef_stringForKey_@PAGE
__text:00000001011FF838    LDR    X1, [X8,#selRef_stringForKey_@PAGEOFF]
__text:00000001011FF83C    ADRP   X2, #cfstr_Timingidentifi@PAGE ; "timingIdentifier"
__text:00000001011FF840    ADD    X2, X2, #cfstr_Timingidentifi@PAGEOFF ; "timingIdentifier"
__text:00000001011FF844    BL     _objc_msgSend
__text:00000001011FF848    MOV    X29, X29
__text:00000001011FF84C    BL     _objc_retainAutoreleasedReturnValue
; NSString *timingIdentifier = [baseInfoDict stringForKey:@"timingIdentifier"];

__text:00000001011FF850    MOV    X19, X0
__text:00000001011FF854    MOV    X0, X20
__text:00000001011FF858    BL     _objc_release
__text:00000001011FF85C    MOV    X0, X19
__text:00000001011FF860    LDR    X1, [SP,#0x120+var_F8] ;the NSString length selector
__text:00000001011FF864    BL     _objc_msgSend
; [timingIdentifier length]

__text:00000001011FF868    CBZ    X0, loc_1011FF884 ;if [timingIdentifier length] == 0, jump to loc_1011FF884
__text:00000001011FF86C    ADRP   X3, #cfstr_Timingidentifi@PAGE ; "timingIdentifier"
__text:00000001011FF870    ADD    X3, X3, #cfstr_Timingidentifi@PAGEOFF ; "timingIdentifier"
__text:00000001011FF874    MOV    X0, X22 
__text:00000001011FF878    MOV    X1, X25
__text:00000001011FF87C    MOV    X2, X19
__text:00000001011FF880    BL     _objc_msgSend
; [dictM setObject:timingIdentifier forKey:@"timingIdentifier"];

__text:00000001011FF884
__text:00000001011FF884 loc_1011FF884                  ; CODE XREF: -[WCRedEnvelopesReceiveControlLogic WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes]+50C↑j
__text:00000001011FF884    SUB    X0, X29, #-var_68 ;x0 = (x29-var_68)
__text:00000001011FF888    MOV    X1, X27
__text:00000001011FF88C    BL     _objc_initWeak
__text:00000001011FF890    ADRP   X28, #classRef_MMServiceCenter@PAGE
__text:00000001011FF894    LDR    X0, [X28,#classRef_MMServiceCenter@PAGEOFF]
__text:00000001011FF898    LDR    X26, [SP,#0x120+var_100]
__text:00000001011FF89C    MOV    X1, X26
__text:00000001011FF8A0    BL     _objc_msgSend
__text:00000001011FF8A4    MOV    X29, X29
__text:00000001011FF8A8    BL     _objc_retainAutoreleasedReturnValue
;Return value above: MMServiceCenter *serviceCenter = [MMServiceCenter defaultCenter];

__text:00000001011FF8AC    MOV    X20, X0
__text:00000001011FF8B0    STR    X19, [SP,#0x120+var_F8]
__text:00000001011FF8B4    MOV    X19, X27
__text:00000001011FF8B8    ADRP   X27, #classRef_WCPayLogicMgr@PAGE
__text:00000001011FF8BC    LDR    X0, [X27,#classRef_WCPayLogicMgr@PAGEOFF]
__text:00000001011FF8C0    LDR    X21, [SP,#0x120+var_D0]
__text:00000001011FF8C4    MOV    X1, X21 ;x21 is the class selector
__text:00000001011FF8C8    BL     _objc_msgSend
;Class payLogicMgrCls =  [WCPayLogicMgr class];

__text:00000001011FF8CC    MOV    X2, X0
__text:00000001011FF8D0    MOV    X0, X20 ;serviceCenter
__text:00000001011FF8D4    MOV    X25, X22
__text:00000001011FF8D8    LDR    X22, [SP,#0x120+var_D8] ;the getService: selector
__text:00000001011FF8DC    MOV    X1, X22
__text:00000001011FF8E0    BL     _objc_msgSend
__text:00000001011FF8E4    MOV    X29, X29
__text:00000001011FF8E8    BL     _objc_retainAutoreleasedReturnValue
;id payLogicMgrSer = [serviceCenter getService: payLogicMgrCls];

__text:00000001011FF8EC    MOV    X23, X0
__text:00000001011FF8F0    ADRP   X8, #selRef_setRealnameReportScene_@PAGE
__text:00000001011FF8F4    LDR    X1, [X8,#selRef_setRealnameReportScene_@PAGEOFF]
__text:00000001011FF8F8    MOV    W2, #0x3EB
__text:00000001011FF8FC    BL     _objc_msgSend
;[payLogicMgrSer setRealnameReportScene:0x3EB] (W2 carries the integer 0x3EB, not a string)

__text:00000001011FF900    MOV    X0, X23
__text:00000001011FF904    BL     _objc_release
__text:00000001011FF908    MOV    X0, X20
__text:00000001011FF90C    BL     _objc_release
__text:00000001011FF910    ADD    X8, SP, #0x120+var_C8
__text:00000001011FF914    ADD    X8, X8, #0x28
__text:00000001011FF918    STR    X8, [SP,#0x120+var_118]
__text:00000001011FF91C    LDR    X0, [X28,#classRef_MMServiceCenter@PAGEOFF]
__text:00000001011FF920    MOV    X1, X26
__text:00000001011FF924    BL     _objc_msgSend
__text:00000001011FF928    MOV    X29, X29
__text:00000001011FF92C    BL     _objc_retainAutoreleasedReturnValue
;Return value above: MMServiceCenter *serviceCenter = [MMServiceCenter defaultCenter];

__text:00000001011FF930    MOV    X26, X0
__text:00000001011FF934    LDR    X0, [X27,#classRef_WCPayLogicMgr@PAGEOFF]
__text:00000001011FF938    MOV    X1, X21
__text:00000001011FF93C    BL     _objc_msgSend
__text:00000001011FF940    MOV    X2, X0
__text:00000001011FF944    MOV    X0, X26
__text:00000001011FF948    MOV    X1, X22 
__text:00000001011FF94C    BL     _objc_msgSend
__text:00000001011FF950    MOV    X29, X29
__text:00000001011FF954    BL     _objc_retainAutoreleasedReturnValue
;id payLogicMgrSer = [serviceCenter getService:[WCPayLogicMgr class]];

__text:00000001011FF958    MOV    X27, X0
__text:00000001011FF95C    LDR    X8, [SP,#0x120+var_108]
__text:00000001011FF960    LDR    X0, [X19,X8]
__text:00000001011FF964    MOV    X1, X24
__text:00000001011FF968    BL     _objc_msgSend
__text:00000001011FF96C    MOV    X29, X29
__text:00000001011FF970    BL     _objc_retainAutoreleasedReturnValue
;Return value: NSDictionary* baseInfoDict = [self.m_data m_structDicRedEnvelopesBaseInfo];

__text:00000001011FF974    MOV    X24, X0
__text:00000001011FF978    ADRP   X8, #selRef_objectForKeyedSubscript_@PAGE
__text:00000001011FF97C    LDR    X1, [X8,#selRef_objectForKeyedSubscript_@PAGEOFF]
__text:00000001011FF980    ADRP   X2, #cfstr_AgreeDuty@PAGE ; "agree_duty"
__text:00000001011FF984    ADD    X2, X2, #cfstr_AgreeDuty@PAGEOFF ; "agree_duty"
__text:00000001011FF988    BL     _objc_msgSend
__text:00000001011FF98C    MOV    X29, X29
__text:00000001011FF990    BL     _objc_retainAutoreleasedReturnValue
; id agreeDuty = [baseInfoDict objectForKeyedSubscript:@"agree_duty"]

__text:00000001011FF994    MOV    X20, X0
__text:00000001011FF998    ADRP   X28, #__NSConcreteStackBlock_ptr@PAGE
__text:00000001011FF99C    LDR    X28, [X28,#__NSConcreteStackBlock_ptr@PAGEOFF] ; x28 is NSConcreteStackBlock_ptr
__text:00000001011FF9A0    STR    X28, [SP,#0x120+var_98]  ;(sp+0x120+var_98) = x28
__text:00000001011FF9A4    ADRP   X8, #qword_103101B78@PAGE
__text:00000001011FF9A8    LDR    D8, [X8,#qword_103101B78@PAGEOFF]
__text:00000001011FF9AC    ADR    X8, sub_1011FFAD8
__text:00000001011FF9B0    NOP
;sub_1011FFAD8 is a subroutine; its code is analyzed further down

__text:00000001011FF9B4    STR    D8, [SP,#0x120+var_90]
__text:00000001011FF9B8    STR    X8, [SP,#0x120+var_88]
__text:00000001011FF9BC    ADRP   X8, #unk_1032B3238@PAGE
__text:00000001011FF9C0    ADD    X8, X8, #unk_1032B3238@PAGEOFF
__text:00000001011FF9C4    STP    X8, X25, [SP,#0x120+var_80]
__text:00000001011FF9C8    MOV    X0, X25  ;x25 is dictM
__text:00000001011FF9CC    BL     _objc_retain
__text:00000001011FF9D0    MOV    X22, X0
__text:00000001011FF9D4    MOV    X0, X19
__text:00000001011FF9D8    BL     _objc_retain
;First block argument: #0x120+var_98

__text:00000001011FF9DC    MOV    X23, X0
__text:00000001011FF9E0    STR    X23, [SP,#0x120+var_70]
__text:00000001011FF9E4    STR    X28, [SP,#0x120+var_C8]
__text:00000001011FF9E8    STR    D8, [SP,#0x120+var_C0]
__text:00000001011FF9EC    ADR    X8, sub_1011FFBF0
__text:00000001011FF9F0    NOP
;sub_1011FFBF0 is a subroutine; its code is analyzed further down

__text:00000001011FF9F4    STR    X8, [SP,#0x120+var_B8]
__text:00000001011FF9F8    ADRP   X8, #unk_1032B3268@PAGE
__text:00000001011FF9FC    ADD    X8, X8, #unk_1032B3268@PAGEOFF
__text:00000001011FFA00    STR    X8, [SP,#0x120+var_B0]
__text:00000001011FFA04    SUB    X1, X29, #-var_68
__text:00000001011FFA08    LDR    X19, [SP,#0x120+var_118]
__text:00000001011FFA0C    MOV    X0, X19
__text:00000001011FFA10    BL     _objc_copyWeak
__text:00000001011FFA14    MOV    X0, X23
__text:00000001011FFA18    BL     _objc_retain
;Second block argument: #0x120+var_C8

__text:00000001011FFA1C    STR    X0, [SP,#0x120+var_A8]
__text:00000001011FFA20    ADRP   X8, #selRef_checkHongbaoOpenLicense_acceptCallback_denyCallback_@PAGE
__text:00000001011FFA24    LDR    X1, [X8,#selRef_checkHongbaoOpenLicense_acceptCallback_denyCallback_@PAGEOFF]
__text:00000001011FFA28    ADD    X3, SP, #0x120+var_98
__text:00000001011FFA2C    ADD    X4, SP, #0x120+var_C8
__text:00000001011FFA30    MOV    X0, X27
__text:00000001011FFA34    MOV    X2, X20
__text:00000001011FFA38    BL     _objc_msgSend
;- (void)checkHongbaoOpenLicense:(id)arg1 acceptCallback:(CDUnknownBlockType)arg2 denyCallback:(CDUnknownBlockType)arg3;
; [payLogicMgrSer checkHongbaoOpenLicense:agreeDuty acceptCallback: denyCallback: ]

__text:00000001011FFA3C    MOV    X0, X20
__text:00000001011FFA40    BL     _objc_release
__text:00000001011FFA44    MOV    X0, X24
__text:00000001011FFA48    BL     _objc_release
__text:00000001011FFA4C    MOV    X0, X27
__text:00000001011FFA50    BL     _objc_release
__text:00000001011FFA54    MOV    X0, X26
__text:00000001011FFA58    BL     _objc_release
__text:00000001011FFA5C    LDR    X0, [SP,#0x120+var_A8]
__text:00000001011FFA60    BL     _objc_release
__text:00000001011FFA64    MOV    X0, X19
__text:00000001011FFA68    BL     _objc_destroyWeak
__text:00000001011FFA6C    LDR    X0, [SP,#0x120+var_70]
__text:00000001011FFA70    BL     _objc_release
__text:00000001011FFA74    LDR    X0, [SP,#0x120+var_78]
__text:00000001011FFA78    BL     _objc_release
__text:00000001011FFA7C    MOV    X0, X22
__text:00000001011FFA80    BL     _objc_release
__text:00000001011FFA84    SUB    X0, X29, #-var_68
__text:00000001011FFA88    BL     _objc_destroyWeak
__text:00000001011FFA8C    LDR    X0, [SP,#0x120+var_F8]
__text:00000001011FFA90    BL     _objc_release
__text:00000001011FFA94    LDR    X0, [SP,#0x120+var_110]
__text:00000001011FFA98    BL     _objc_release
__text:00000001011FFA9C    LDR    X0, [SP,#0x120+var_F0]
__text:00000001011FFAA0    BL     _objc_release
__text:00000001011FFAA4    LDR    X0, [SP,#0x120+var_E8]
__text:00000001011FFAA8    BL     _objc_release
__text:00000001011FFAAC    LDR    X0, [SP,#0x120+var_E0]
__text:00000001011FFAB0    BL     _objc_release
__text:00000001011FFAB4    LDP    X29, X30, [SP,#0x120+var_s0]
__text:00000001011FFAB8    LDP    X20, X19, [SP,#0x120+var_10]
__text:00000001011FFABC    LDP    X22, X21, [SP,#0x120+var_20]
__text:00000001011FFAC0    LDP    X24, X23, [SP,#0x120+var_30]
__text:00000001011FFAC4    LDP    X26, X25, [SP,#0x120+var_40]
__text:00000001011FFAC8    LDP    X28, X27, [SP,#0x120+var_50]
__text:00000001011FFACC    LDP    D9, D8, [SP,#0x120+var_60]
__text:00000001011FFAD0    ADD    SP, SP, #0x130
__text:00000001011FFAD4    RET
__text:00000001011FFAD4 ; End of function -[WCRedEnvelopesReceiveControlLogic WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes]



__text:00000001011FFAD4
__text:00000001011FFAD8
__text:00000001011FFAD8 ; =============== S U B R O U T I N E =======================================
__text:00000001011FFAD8
__text:00000001011FFAD8 ; Attributes: bp-based frame
__text:00000001011FFAD8 ; Code inside the first block argument
__text:00000001011FFAD8 sub_1011FFAD8                           ; DATA XREF: -[WCRedEnvelopesReceiveControlLogic WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes]+650↑o
__text:00000001011FFAD8
__text:00000001011FFAD8 var_20          = -0x20
__text:00000001011FFAD8 var_10          = -0x10
__text:00000001011FFAD8 var_s0          =  0
__text:00000001011FFAD8
__text:00000001011FFAD8                 STP             X22, X21, [SP,#-0x10+var_20]!
__text:00000001011FFADC                 STP             X20, X19, [SP,#0x20+var_10]
__text:00000001011FFAE0                 STP             X29, X30, [SP,#0x20+var_s0]
__text:00000001011FFAE4                 ADD             X29, SP, #0x20
__text:00000001011FFAE8                 MOV             X19, X0
__text:00000001011FFAEC                 ADRP            X8, #classRef_MMServiceCenter@PAGE
__text:00000001011FFAF0                 LDR             X0, [X8,#classRef_MMServiceCenter@PAGEOFF] ; void *
__text:00000001011FFAF4                 ADRP            X8, #selRef_defaultCenter@PAGE
__text:00000001011FFAF8                 LDR             X1, [X8,#selRef_defaultCenter@PAGEOFF] ; char *
__text:00000001011FFAFC                 BL              _objc_msgSend
__text:00000001011FFB00                 MOV             X29, X29
__text:00000001011FFB04                 BL              _objc_retainAutoreleasedReturnValue
; [MMServiceCenter defaultCenter]

__text:00000001011FFB08                 MOV             X20, X0
__text:00000001011FFB0C                 ADRP            X8, #classRef_WCRedEnvelopesLogicMgr@PAGE
__text:00000001011FFB10                 LDR             X0, [X8,#classRef_WCRedEnvelopesLogicMgr@PAGEOFF] ; void *
__text:00000001011FFB14                 ADRP            X8, #selRef_class@PAGE
__text:00000001011FFB18                 LDR             X1, [X8,#selRef_class@PAGEOFF] ; char *
__text:00000001011FFB1C                 BL              _objc_msgSend
; [WCRedEnvelopesLogicMgr class]

__text:00000001011FFB20                 MOV             X2, X0
__text:00000001011FFB24                 ADRP            X8, #selRef_getService_@PAGE
__text:00000001011FFB28                 LDR             X1, [X8,#selRef_getService_@PAGEOFF] ; char *
__text:00000001011FFB2C                 MOV             X0, X20 ; void *
__text:00000001011FFB30                 BL              _objc_msgSend
__text:00000001011FFB34                 MOV             X29, X29
__text:00000001011FFB38                 BL              _objc_retainAutoreleasedReturnValue
; WCRedEnvelopesLogicMgr *redEnvelopesLogicMgr = [[MMServiceCenter defaultCenter] getService: [WCRedEnvelopesLogicMgr class]];

__text:00000001011FFB3C                 MOV             X21, X0
__text:00000001011FFB40                 LDR             X2, [X19,#0x20] ;[X19,#0x20] is
__text:00000001011FFB44                 ADRP            X8, #selRef_OpenRedEnvelopesRequest_@PAGE
__text:00000001011FFB48                 LDR             X1, [X8,#selRef_OpenRedEnvelopesRequest_@PAGEOFF] ; char *
__text:00000001011FFB4C                 BL              _objc_msgSend
; [redEnvelopesLogicMgr OpenRedEnvelopesRequest: ]

;Below are the UI operations performed after the red envelope is opened
__text:00000001011FFB50                 MOV             X0, X21
__text:00000001011FFB54                 BL              _objc_release
__text:00000001011FFB58                 MOV             X0, X20
__text:00000001011FFB5C                 BL              _objc_release
__text:00000001011FFB60                 LDR             X8, [X19,#0x28]
__text:00000001011FFB64                 ADRP            X9, #_OBJC_IVAR_$_WCBaseControlLogic.m_uiLogicStatus@PAGE ; unsigned int m_uiLogicStatus;
__text:00000001011FFB68                 NOP
__text:00000001011FFB6C                 LDRSW           X9, [X9,#_OBJC_IVAR_$_WCBaseControlLogic.m_uiLogicStatus@PAGEOFF] ; unsigned int m_uiLogicStatus;
__text:00000001011FFB70                 MOV             W10, #4
__text:00000001011FFB74                 STR             W10, [X8,X9]
__text:00000001011FFB78                 LDR             X8, [X19,#0x28]
__text:00000001011FFB7C                 ADRP            X9, #_OBJC_IVAR_$_WCRedEnvelopesReceiveControlLogic.introView@PAGE ; WCRedEnvelopesReceiveHomeView *introView;
__text:00000001011FFB80                 LDRSW           X9, [X9,#_OBJC_IVAR_$_WCRedEnvelopesReceiveControlLogic.introView@PAGEOFF] ; WCRedEnvelopesReceiveHomeView *introView;
__text:00000001011FFB84                 LDR             X0, [X8,X9]
__text:00000001011FFB88                 ADRP            X8, #selRef_startReceiveAnimation@PAGE
__text:00000001011FFB8C                 LDR             X1, [X8,#selRef_startReceiveAnimation@PAGEOFF]
__text:00000001011FFB90                 LDP             X29, X30, [SP,#0x20+var_s0]
__text:00000001011FFB94                 LDP             X20, X19, [SP,#0x20+var_10]
__text:00000001011FFB98                 LDP             X22, X21, [SP+0x20+var_20],#0x30
__text:00000001011FFB9C                 B               _objc_msgSend
;Show the red-envelope-opened UI

__text:00000001011FFB9C ; End of function sub_1011FFAD8
__text:00000001011FFB9C


__text:00000001011FFBF0 sub_1011FFBF0                           ; DATA XREF: -[WCRedEnvelopesReceiveControlLogic WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes]+690↑o
__text:00000001011FFBF0
__text:00000001011FFBF0 var_10          = -0x10
__text:00000001011FFBF0 var_s0          =  0
__text:00000001011FFBF0
__text:00000001011FFBF0                 STP             X20, X19, [SP,#-0x10+var_10]!
__text:00000001011FFBF4                 STP             X29, X30, [SP,#0x10+var_s0]
__text:00000001011FFBF8                 ADD             X29, SP, #0x10
__text:00000001011FFBFC                 MOV             X19, X0
__text:00000001011FFC00                 ADD             X0, X19, #0x28
__text:00000001011FFC04                 BL              _objc_loadWeakRetained
__text:00000001011FFC08                 MOV             X20, X0
__text:00000001011FFC0C                 ADRP            X8, #selRef_WCRedEnvelopesReceiveHomeViewBack@PAGE
__text:00000001011FFC10                 LDR             X1, [X8,#selRef_WCRedEnvelopesReceiveHomeViewBack@PAGEOFF] ; char *
__text:00000001011FFC14                 BL              _objc_msgSend
__text:00000001011FFC18                 MOV             X0, X20
__text:00000001011FFC1C                 BL              _objc_release
__text:00000001011FFC20                 LDR             X8, [X19,#0x20]
__text:00000001011FFC24                 ADRP            X9, #_OBJC_IVAR_$_WCRedEnvelopesReceiveControlLogic.introView@PAGE ; WCRedEnvelopesReceiveHomeView *introView;
__text:00000001011FFC28                 LDRSW           X9, [X9,#_OBJC_IVAR_$_WCRedEnvelopesReceiveControlLogic.introView@PAGEOFF] ; WCRedEnvelopesReceiveHomeView *introView;
__text:00000001011FFC2C                 LDR             X0, [X8,X9]
__text:00000001011FFC30                 ADRP            X8, #selRef_endAnimation@PAGE
__text:00000001011FFC34                 LDR             X1, [X8,#selRef_endAnimation@PAGEOFF]
__text:00000001011FFC38                 LDP             X29, X30, [SP,#0x10+var_s0]
__text:00000001011FFC3C                 LDP             X20, X19, [SP+0x10+var_10],#0x20
__text:00000001011FFC40                 B               _objc_msgSend ;end the animation
__text:00000001011FFC40 ; End of function sub_1011FFBF0

The Objective-C code reconstructed from this disassembly:

```
CMessageWrap *messageWrap = [self.m_data m_oSelectedMessageWrap];
WCPayInfoItem *payInfoItem = [messageWrap m_oWCPayInfoItem];
NSString *m_c2cNativeUrl = [payInfoItem m_c2cNativeUrl];
NSInteger index = [@"wxpay://c2cbizmessagehandler/hongbao/receivehongbao?" length];
NSString *nativeUrlData = [m_c2cNativeUrl substringFromIndex:index];
NSDictionary *nativeUrlDict = [WCBizUtil dictionaryWithDecodedComponets:nativeUrlData separator:@"&"];
NSMutableDictionary *dictM = [NSMutableDictionary dictionary];
[dictM setObject:@1 forKey:@"msgType"];
id sendId = [nativeUrlDict objectForKey:@"sendid"];
[dictM setObject:sendId forKey:@"sendId"];
id channelId = [nativeUrlDict objectForKey:@"channelid"];
[dictM setObject:channelId forKey:@"channelId"];
MMServiceCenter *serviceCenter = [MMServiceCenter defaultCenter];
Class contactMgrCls = [CContactMgr class];
CContactMgr *contactMgrSer = [serviceCenter getService:contactMgrCls];
CBaseContact *contactMgrSelfContact = [contactMgrSer getSelfContact];
NSString *displayName = [contactMgrSelfContact getContactDisplayName];
[dictM setObject:displayName forKey:@"nickName"];
NSString *headImgUrl = [contactMgrSelfContact m_nsHeadImgUrl];
[dictM setObject:headImgUrl forKey:@"headImg"];

if ([self.m_data m_oSelectedMessageWrap]) {
    CMessageWrap *messageWrap = [self.m_data m_oSelectedMessageWrap];
    WCPayInfoItem *payInfoItem = [messageWrap m_oWCPayInfoItem];
    NSString *m_c2cNativeUrl = [payInfoItem m_c2cNativeUrl];
    [dictM setObject:m_c2cNativeUrl forKey:@"nativeUrl"];
}
serviceCenter = [MMServiceCenter defaultCenter];
Class logicMgrCls = [MMMsgLogicManager class];
MMMsgLogicManager *logicMgrSer = [serviceCenter getService:logicMgrCls];
BaseMsgContentLogicController *currentVC = [logicMgrSer GetCurrentLogicController];
// The disassembly checks currentVC, [currentVC m_contact] and
// [contact m_nsUsrName] for nil in turn, then fetches both again.
if ([currentVC m_contact] && [[currentVC m_contact] m_nsUsrName]) {
    id contact = [currentVC m_contact];
    NSString *userName = [contact m_nsUsrName];
    [dictM setObject:userName forKey:@"sessionUserName"];
}
NSDictionary *baseInfoDict = [self.m_data m_structDicRedEnvelopesBaseInfo];
NSString *timingIdentifier = [baseInfoDict stringForKey:@"timingIdentifier"];
if ([timingIdentifier length] > 0) {
    [dictM setObject:timingIdentifier forKey:@"timingIdentifier"];
}
serviceCenter = [MMServiceCenter defaultCenter];
Class payLogicMgrCls = [WCPayLogicMgr class];
WCPayLogicMgr *payLogicMgrSer = [serviceCenter getService:payLogicMgrCls];
[payLogicMgrSer setRealnameReportScene:0x3EB]; // W2 = 0x3EB, an integer argument

serviceCenter = [MMServiceCenter defaultCenter];
payLogicMgrSer = [serviceCenter getService:[WCPayLogicMgr class]];
baseInfoDict = [self.m_data m_structDicRedEnvelopesBaseInfo];
id agreeDuty = [baseInfoDict objectForKeyedSubscript:@"agree_duty"];

// What happens after tapping "open" on the red envelope
[payLogicMgrSer checkHongbaoOpenLicense:agreeDuty
                         acceptCallback:^{ /* body: sub_1011FFAD8 */ }
                           denyCallback:^{ /* body: sub_1011FFBF0 */ }];
```

The relevant code inside the acceptCallback block:

```
WCRedEnvelopesLogicMgr *redEnvelopesLogicMgr = [[MMServiceCenter defaultCenter] getService:[WCRedEnvelopesLogicMgr class]];

[redEnvelopesLogicMgr OpenRedEnvelopesRequest:dictM];
```

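Write the corresponding code for the Tweak project. For the action taken after tapping to open the red envelope, only the operations inside the acceptCallback block are used; the remaining UI-related operations are omitted: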

@interface WCBizUtil 
+ (id)dictionaryWithDecodedComponets:(id)arg1 separator:(id)arg2;
@end

@interface MMServiceCenter
+ (id)defaultCenter;
- (id)getService:(id)cls;
@end

@interface WCRedEnvelopesReceiveHomeView{
     id m_delegate;
     NSDictionary *m_dicBaseInfo;
}
@end

@interface WCPayInfoItem 
@property(retain, nonatomic) NSString *m_c2cNativeUrl; // @synthesize m_oSelectedMessageWrap;
@end

@interface CMessageWrap
@property(retain, nonatomic) WCPayInfoItem *m_oWCPayInfoItem; 
@end

@interface WCRedEnvelopesControlData 

@property(retain, nonatomic) CMessageWrap *m_oSelectedMessageWrap; 
@property(retain, nonatomic) NSDictionary *m_structDicRedEnvelopesBaseInfo;
@end

@interface WCRedEnvelopesReceiveControlLogic
{
    WCRedEnvelopesControlData *m_data;
}
- (void)WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes;
@end



@interface CContactMgr
- (id)getSelfContact;
@end

@interface CBaseContact

@property(retain, nonatomic) NSString *m_nsHeadImgUrl;
@property(retain, nonatomic) NSString *m_nsUsrName;
- (id)getContactDisplayName;

@end

@interface MMMsgLogicManager

- (id)GetCurrentLogicController;

@end

@interface BaseMsgContentLogicController

@property(retain, nonatomic) CBaseContact *m_contact;
@end

@interface WCPayLogicMgr 
-(void)setRealnameReportScene:(int)sence;
@end

@interface WCRedEnvelopesLogicMgr
- (void)OpenRedEnvelopesRequest:(id)arg1;
@end

%hook WCRedEnvelopesReceiveControlLogic

- (void)WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes { 
// %orig; 
     WCRedEnvelopesControlData *mData = MSHookIvar<WCRedEnvelopesControlData *>(self, "m_data");
    CMessageWrap *messageWrap = [mData m_oSelectedMessageWrap];
    WCPayInfoItem *payInfoItem = [messageWrap m_oWCPayInfoItem];

    NSString *m_c2cNativeUrl = [payInfoItem m_c2cNativeUrl];
    NSInteger index = [@"wxpay://c2cbizmessagehandler/hongbao/receivehongbao?" length];
    NSString *nativeUrlData = [m_c2cNativeUrl substringFromIndex:index];

    NSDictionary *nativeUrlDict = [%c(WCBizUtil) dictionaryWithDecodedComponets:nativeUrlData separator:@"&"];
    NSMutableDictionary *dictM = [NSMutableDictionary dictionary];
    [dictM setObject:@"1" forKey:@"msgType"];
    id sendId = [nativeUrlDict objectForKey:@"sendid"];
    [dictM setObject:sendId forKey: @"sendId"];
    id channelId = [nativeUrlDict objectForKey:@"channelid"];
    [dictM setObject:channelId forKey:@"channelId"];

    MMServiceCenter *serviceCenter = [%c(MMServiceCenter) defaultCenter];
    Class contactMgrCls = [%c(CContactMgr) class];
    CContactMgr *contactMgrSer = [serviceCenter getService: contactMgrCls];
    CBaseContact *contactMgrSelfContact = [contactMgrSer getSelfContact];
    NSString *displayName = [contactMgrSelfContact getContactDisplayName];
    [dictM setObject:displayName forKey: @"nickName"];
    NSString *headImgUrl = [contactMgrSelfContact m_nsHeadImgUrl];
    [dictM setObject: headImgUrl forKey:@"headImg"];

    if([mData m_oSelectedMessageWrap]){
        CMessageWrap *messageWrap = [mData m_oSelectedMessageWrap];
        WCPayInfoItem *payInfoItem = [messageWrap m_oWCPayInfoItem];
        NSString *m_c2cNativeUrl = [payInfoItem m_c2cNativeUrl];
        [dictM setObject:m_c2cNativeUrl forKey: @"nativeUrl"];
    }

    Class logicMgrCls = [%c(MMMsgLogicManager) class];
    MMMsgLogicManager *logicMgrSer = [serviceCenter getService:logicMgrCls];
    BaseMsgContentLogicController *currentVC = [logicMgrSer GetCurrentLogicController];
    if([currentVC m_contact]){
        CBaseContact *contact = [currentVC m_contact];
        NSString *userName = [contact m_nsUsrName];
        [dictM setObject:userName forKey:@"sessionUserName"];
    }
    NSDictionary* baseInfoDict = [mData m_structDicRedEnvelopesBaseInfo];
    NSString *timingIdentifier = [baseInfoDict objectForKey:@"timingIdentifier"];
    if([timingIdentifier length] > 0){
        [dictM setObject:timingIdentifier forKey:@"timingIdentifier"];
    }

    Class payLogicMgrCls =  [%c(WCPayLogicMgr) class];
    WCPayLogicMgr *payLogicMgrSer = [serviceCenter getService: payLogicMgrCls];
    [payLogicMgrSer setRealnameReportScene:0x3EB];

    NSLog(@"\nDictM\n\n  %@", dictM);

    // block call
    WCRedEnvelopesLogicMgr *redEnvelopesLogicMgr = [serviceCenter getService: [%c(WCRedEnvelopesLogicMgr) class]];
    [redEnvelopesLogicMgr OpenRedEnvelopesRequest: dictM];

}

%end

At this point we are getting close. Build and run the edited Tweak.xm, send a red envelope, and it is grabbed successfully!
Next we analyze WCRedEnvelopesLogicMgr:

/opt/theos/bin/logify.pl ./WXHeaders/WCRedEnvelopesLogicMgr.h > Tweak.xm

%hook WCRedEnvelopesLogicMgr
// - (void).cxx_destruct { %log; %orig; }
- (void)AsyncBizSubcribeRequest:(id)arg1 { %log; %orig; }
- (void)CheckAuthBizEnterpriseRedEnvelopesRequest:(id)arg1 { %log; %orig; }
- (void)ClearserSendOrReceiveRedEnveloperListRequest:(id)arg1 { %log; %orig; }
- (void)DeleteRedEnvelopesRecord:(id)arg1 { %log; %orig; }
- (void)GenH5RedEnvelopesPayRequest:(id)arg1 { %log; %orig; }
- (void)GenRedEnvelopesPayRequest:(id)arg1 { %log; %orig; }
- (void)GenYearRedEnvelopesPayRequest:(id)arg1 { %log; %orig; }
- (void)GetEnterpriseHongbaoBizRequest:(id)arg1 CMDID:(unsigned int)arg2 SendKey:(id)arg3 OutputType:(unsigned int)arg4 { %log; %orig; }
- (void)GetEnterpriseHongbaoBusinessRequest:(id)arg1 CMDID:(unsigned int)arg2 SendKey:(id)arg3 OutputType:(unsigned int)arg4 ShouldSubscribe:(_Bool)arg5 { %log; %orig; }
- (void)GetHongbaoBusinessRequest:(id)arg1 CMDID:(unsigned int)arg2 OutputType:(unsigned int)arg3 { %log; %orig; }
- (void)GetYearHongbaoRequest:(id)arg1 CMDID:(unsigned int)arg2 OutputType:(unsigned int)arg3 { %log; %orig; }
- (void)OnWCToAsyncBizSubscribeResponse:(id)arg1 Request:(id)arg2 { %log; %orig; }
- (void)OnWCToBizHBCommonErrorResponse:(id)arg1 Request:(id)arg2 { %log; %orig; }
- (void)OnWCToBizHBCommonResponse:(id)arg1 Request:(id)arg2 { %log; %orig; }
- (void)OnWCToBizHBCommonSystemErrorResponse:(id)arg1 Request:(id)arg2 { %log; %orig; }
- (void)OnWCToEnterpriseHBCommonErrorResponse:(id)arg1 Request:(id)arg2 { %log; %orig; }
- (void)OnWCToEnterpriseHBCommonResponse:(id)arg1 Request:(id)arg2 { %log; %orig; }
- (void)OnWCToEnterpriseHBCommonSystemErrorResponse:(id)arg1 Request:(id)arg2 { %log; %orig; }
- (void)OnWCToHongbaoCommonErrorResponse:(id)arg1 Request:(id)arg2 { %log; %orig; }
- (void)OnWCToHongbaoCommonResponse:(id)arg1 Request:(id)arg2 { %log; %orig; }
- (void)OnWCToHongbaoCommonSystemErrorResponse:(id)arg1 Request:(id)arg2 { %log; %orig; }
- (void)OpenBizEnterpriseRedEnvelopesRequest:(id)arg1 { %log; %orig; }
- (void)OpenEnterpriseRedEnvelopesRequest:(id)arg1 SendKey:(id)arg2 ShouldSubscribe:(_Bool)arg3 { %log; %orig; }
- (void)OpenRedEnvelopesRequest:(id)arg1 { %log; %orig; }
- (void)QueryRedEnvelopesDetailRequest:(id)arg1 { %log; %orig; }
- (void)QueryRedEnvelopesUserInfo:(id)arg1 { %log; %orig; }
- (void)QueryRedEnvelopesUserInfoNoCache:(id)arg1 { %log; %orig; }
- (void)QueryUserSendOrReceiveRedEnveloperListRequest:(id)arg1 { %log; %orig; }
- (void)ReceiveBizEnterpriseRedEnvelopesRequest:(id)arg1 { %log; %orig; }
- (void)ReceiverQueryRedEnvelopesRequest:(id)arg1 { %log; %orig; }
- (void)SendShareRedEnvelopesoRequest:(id)arg1 { %log; %orig; }
- (void)ThanksForRedEnvelopesRequest:(id)arg1 { %log; %orig; }
- (void)addReceiveSystemMsgWithDic:(id)arg1 { %log; %orig; }
- (id)init { %log; id r = %orig; HBLogDebug(@" = %@", r); return r; }
// - (void)setM_senderNickNameHelper:(ContactUpdateHelper *)m_senderNickNameHelper { %log; %orig; }
// - (ContactUpdateHelper *)m_senderNickNameHelper { %log; ContactUpdateHelper * r = %orig; HBLogDebug(@" = %@", r); return r; }
- (NSString *)debugDescription { %log; NSString * r = %orig; HBLogDebug(@" = %@", r); return r; }
- (NSString *)description { %log; NSString * r = %orig; HBLogDebug(@" = %@", r); return r; }
- (unsigned long long )hash { %log; unsigned long long  r = %orig; HBLogDebug(@" = %llu", r); return r; }
- (Class )superclass { %log; Class  r = %orig; HBLogDebug(@" = %@", r); return r; }
%end

Run it and check the log:

Log when the red envelope view is opened:
Nov 15 19:02:36 iPhone WeChat[8954] <Notice>: [redpocket] Tweak.xm:31 DEBUG: -[<WCRedEnvelopesLogicMgr: 0x1600e9e30> ReceiverQueryRedEnvelopesRequest:{
        agreeDuty = 0;
        channelId = 1;
        inWay = 1;
        msgType = 1;
        nativeUrl = "wxpay://c2cbizmessagehandler/hongbao/receivehongbao?msgtype=1&channelid=1&sendid=1000039401201711157020140209144&sendusername=wxid_y9bs6i3qil6m21&ver=6&sign=cb7ee087ec43110c0bc02a9120e5f2cca5194d7249f2384ec67a8a6d140a2664cc91bd9f3a6df2a1413e740620ddc015796f7d21d18da3c60ac48f0fe06044f5ac0b87b4724ca218adb6345e25f573e5";
        sendId = 1000039401201711157020140209144;
    }]
Nov 15 19:02:36 iPhone WeChat[8954] <Notice>: [redpocket] Tweak.xm:11 DEBUG: -[<WCRedEnvelopesLogicMgr: 0x1600e9e30> GetHongbaoBusinessRequest:{
        agreeDuty = 0;
        channelId = 1;
        inWay = 1;
        msgType = 1;
        nativeUrl = "wxpay://c2cbizmessagehandler/hongbao/receivehongbao?msgtype=1&channelid=1&sendid=1000039401201711157020140209144&sendusername=wxid_y9bs6i3qil6m21&ver=6&sign=cb7ee087ec43110c0bc02a9120e5f2cca5194d7249f2384ec67a8a6d140a2664cc91bd9f3a6df2a1413e740620ddc015796f7d21d18da3c60ac48f0fe06044f5ac0b87b4724ca218adb6345e25f573e5";
        sendId = 1000039401201711157020140209144;
    } CMDID:3 OutputType:1]
Nov 15 19:02:36 iPhone WeChat[8954] <Notice>: [redpocket] Tweak.xm:21 DEBUG: -[<WCRedEnvelopesLogicMgr: 0x1600e9e30> OnWCToHongbaoCommonResponse:<HongBaoRes: 0x1609aa360> Request:<HongBaoReq: 0x160901060>]



Log after tapping the "Open" (开) button on the red envelope view:
Nov 15 19:06:03 iPhone WeChat[8954] <Notice>: [redpocket] Tweak.xm:25 DEBUG: -[<WCRedEnvelopesLogicMgr: 0x1600e9e30> OpenRedEnvelopesRequest:{
        channelId = 1;
        headImg = "http://wx.qlogo.cn/mmhead/ver_1/dE3om8P2WCFmIe3beWMRicvRPveuUVF7X8xqpOle86QY9iaoqiazgaujFibEu9MhjLFtV4SoY8xZ2ExbrFYH4oxVRA/132";
        msgType = 1;
        nativeUrl = "wxpay://c2cbizmessagehandler/hongbao/receivehongbao?msgtype=1&channelid=1&sendid=1000039401201711157020140209144&sendusername=wxid_y9bs6i3qil6m21&ver=6&sign=cb7ee087ec43110c0bc02a9120e5f2cca5194d7249f2384ec67a8a6d140a2664cc91bd9f3a6df2a1413e740620ddc015796f7d21d18da3c60ac48f0fe06044f5ac0b87b4724ca218adb6345e25f573e5";
        nickName = "\U6e05\U53f6\U6a80";
        sendId = 1000039401201711157020140209144;
        sessionUserName = "wxid_y9bs6i3qil6m21";
        timingIdentifier = DEF5E3380DD95D53177182E094AB8619;
    }]
Nov 15 19:06:03 iPhone WeChat[8954] <Notice>: [redpocket] Tweak.xm:11 DEBUG: -[<WCRedEnvelopesLogicMgr: 0x1600e9e30> GetHongbaoBusinessRequest:{
        channelId = 1;
        headImg = "http://wx.qlogo.cn/mmhead/ver_1/dE3om8P2WCFmIe3beWMRicvRPveuUVF7X8xqpOle86QY9iaoqiazgaujFibEu9MhjLFtV4SoY8xZ2ExbrFYH4oxVRA/132";
        msgType = 1;
        nativeUrl = "wxpay://c2cbizmessagehandler/hongbao/receivehongbao?msgtype=1&channelid=1&sendid=1000039401201711157020140209144&sendusername=wxid_y9bs6i3qil6m21&ver=6&sign=cb7ee087ec43110c0bc02a9120e5f2cca5194d7249f2384ec67a8a6d140a2664cc91bd9f3a6df2a1413e740620ddc015796f7d21d18da3c60ac48f0fe06044f5ac0b87b4724ca218adb6345e25f573e5";
        nickName = "\U6e05\U53f6\U6a80";
        sendId = 1000039401201711157020140209144;
        sessionUserName = "wxid_y9bs6i3qil6m21";
        timingIdentifier = DEF5E3380DD95D53177182E094AB8619;
    } CMDID:4 OutputType:1]
Nov 15 19:06:04 iPhone WeChat[8954] <Notice>: [redpocket] Tweak.xm:21 DEBUG: -[<WCRedEnvelopesLogicMgr: 0x1600e9e30> OnWCToHongbaoCommonResponse:<HongBaoRes: 0x16094c730> Request:<HongBaoReq: 0x160883210>]
Nov 15 19:06:04 iPhone WeChat[8954] <Notice>: [redpocket] Tweak.xm:34 DEBUG: -[<WCRedEnvelopesLogicMgr: 0x1600e9e30> addReceiveSystemMsgWithDic:{
        SystemMsgContext = "<img src=\"SystemMessages_HongbaoIcon.png\"/>  \U4f60\U9886\U53d6\U4e86$wxid_y9bs6i3qil6m21$\U7684<_wc_custom_link_ color=\"#FD9931\" href=\"weixin://weixinhongbao/opendetail?sendid=1000039401201711157020140209144&sign=cb7ee087ec43110c0bc02a9120e5f2cca5194d7249f2384ec67a8a6d140a2664cc91bd9f3a6df2a1413e740620ddc015796f7d21d18da3c60ac48f0fe06044f5ac0b87b4724ca218adb6345e25f573e5&ver=6\">\U7ea2\U5305</_wc_custom_link_>";
        amount = 10;
        canShare = 0;
        changeWording = "\U5df2\U5b58\U5165\U96f6\U94b1\Uff0c\U53ef\U76f4\U63a5\U8f6c\U8d26";
        hasWriteAnswer = 0;
        hbStatus = 4;
        hbType = 0;
        headTitle = "";
        isContinue = 0;
        isSender = 0;
        jumpChange = 1;
        operationHeader =     (
        );
        "real_name_info" =     {
            "guide_flag" = 0;
        };
        recAmount = 10;
        recNum = 1;
        receiveId = 1000039401000711157020140209144;
        receiveStatus = 2;
        record =     (
                    {
                answer = "";
                receiveAmount = 10;
                receiveId = 1000039401000711157020140209144;
                receiveOpenId = 1000039401000711157020140209144;
                receiveTime = 1510743964;
                state = 1;
                userName = "wxid_3ylu53d9rpy712";
            }
        );
        sendId = 1000039401201711157020140209144;
        sendUserName = "wxid_y9bs6i3qil6m21";
        sessionUserName = "wxid_y9bs6i3qil6m21";
        statusMess = "";
        totalAmount = 10;
        totalNum = 1;
        watermark = "";
        wishing = "\U606d\U559c\U53d1\U8d22\Uff0c\U5927\U5409\U5927\U5229";
    }]

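From the log analysis we can see:

  1. -[WCRedEnvelopesLogicMgr ReceiverQueryRedEnvelopesRequest:{}]
    Appears to fetch the red envelope information; called before the envelope is opened.
  2. -[<WCRedEnvelopesLogicMgr: 0x1600e9e30> OnWCToHongbaoCommonResponse:<HongBaoRes: 0x1609aa360> Request:<HongBaoReq: 0x160901060>]
    Called both before and after the envelope is opened.
  3. -[WCRedEnvelopesLogicMgr OpenRedEnvelopesRequest:{}]
    Called after the envelope is opened; this is the method that actually controls grabbing the red envelope.

Focus on analyzing these three methods: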

%hook WCRedEnvelopesLogicMgr
- (void)OnWCToHongbaoCommonResponse:(HongBaoRes *)arg1 Request:(HongBaoReq *)arg2 {
    // %log; 
    %orig;
    NSLog(@"HongBaoRes --->  cgiCmdid: %d  platRet: %d  retText: %@ platMsg : %@ ",arg1.cgiCmdid, arg1.platRet, arg1.retText, arg1.platMsg);

    NSLog(@"HongBaoReq --->  cgiCmdid: %d  outPutType : %d  reqText: %@ ",arg2.cgiCmd, arg2.outPutType, arg2.reqText);

    NSLog(@"HongBaoRes buffer: %@", [[NSString alloc] initWithData:arg1.retText.buffer encoding:NSUTF8StringEncoding]);
    NSLog(@"HongBaoReq buffer:  %@", [[NSString alloc] initWithData:arg2.reqText.buffer encoding:NSUTF8StringEncoding]);

    if (arg1.retText.buffer.length>0)
    {
        // NSLog(@"arg1.retText.buffer:\n");

        NSDictionary *retTextObj =  [NSJSONSerialization JSONObjectWithData:arg1.retText.buffer options:0 error:nil];
        NSLog(@"%@", retTextObj);
        // NSString *retTextStr = [[NSString alloc] initWithData:arg1.retText.buffer encoding:NSUTF8StringEncoding];
        // NSDictionary *retTextDict = [%c(WCBizUtil) dictionaryWithDecodedComponets:retTextStr separator:@"&"];
        // NSLog(@"retTextDict: %@",retTextDict);
    }

    if (arg2.reqText.buffer.length>0)
    {
        // NSLog(@"arg2.reqText.buffer :\n");
        NSString *reqTextStr = [[NSString alloc] initWithData:arg2.reqText.buffer encoding:NSUTF8StringEncoding];
        NSDictionary *reqTextDict = [%c(WCBizUtil) dictionaryWithDecodedComponets:reqTextStr separator:@"&"];
        NSLog(@"reqTextDict: %@",reqTextDict);
    }


}

%end

%hook WCRedEnvelopesLogicMgr
- (void)OpenRedEnvelopesRequest:(id)arg1 {
    %orig;
    %log;
    NSLog(@"OpenRedEnvelopesRequest param: %@", [arg1 class]);

}

- (void)ReceiverQueryRedEnvelopesRequest:(id)arg1 { %log; %orig; }
%end

Assemble the parameters and write the auto-grab code:

#import "YCHongBaoMgr.h"

@interface WCBizUtil 
+ (id)dictionaryWithDecodedComponets:(id)arg1 separator:(id)arg2;
+ (void)showAlert:(NSString *)msg;
+ (void)enableAutoOpenWithNativeUrl:(NSString *)nativeUrl;
+ (BOOL)isEnableAutoOpenWithNativeUrl:(NSString *)nativeUrl;
+ (void)autoOpenWithNativeUrl:(NSString *)nativeUrl;
@end

@interface SKBuiltinBuffer_t 

+ (id)skBufferWithData:(id)arg1;

// Remaining properties
@property(retain, nonatomic) NSData *buffer; // @dynamic buffer;
@property(nonatomic) unsigned int iLen; // @dynamic iLen;

@end

@interface HongBaoReq 

@property(retain, nonatomic) SKBuiltinBuffer_t *reqText; // @dynamic reqText;
@property(nonatomic) unsigned int cgiCmd; // @dynamic cgiCmd;
@property(nonatomic) unsigned int outPutType; // @dynamic outPutType;



@end

@interface HongBaoRes 

@property(retain, nonatomic) SKBuiltinBuffer_t *retText; // @dynamic reqText;
@property(nonatomic) unsigned int cgiCmdid; // @dynamic cgiCmd;
@property(retain, nonatomic) NSString *platMsg; // @dynamic platMsg;
@property(nonatomic) int platRet; // @dynamic platRet;

@end

@interface MMServiceCenter
+ (id)defaultCenter;
- (id)getService:(id)cls;
@end

@interface CContactMgr
- (id)getSelfContact;
@end

@interface CBaseContact

@property(retain, nonatomic) NSString *m_nsHeadImgUrl;
@property(retain, nonatomic) NSString *m_nsUsrName;
- (id)getContactDisplayName;

@end

@interface WCPayInfoItem 
@property(retain, nonatomic) NSString *m_c2cNativeUrl; // @synthesize m_oSelectedMessageWrap;
@end

@interface CMessageWrap
@property(retain, nonatomic) NSString *m_nsContent; // @synthesize m_nsContent;
@property(retain, nonatomic) NSString *m_nsDisplayName; // @synthesize m_nsDisplayName;
@property(retain, nonatomic) NSString *m_nsFromUsr; // @synthesize m_nsFromUsr;
@property(retain, nonatomic) NSString *m_nsToUsr; // @synthesize m_nsToUsr;
@property(nonatomic) int m_uiMessageType; // @synthesize m_uiMessageType;
@property(retain, nonatomic) WCPayInfoItem *m_oWCPayInfoItem; 

@end

@interface WCRedEnvelopesLogicMgr

- (void)OpenRedEnvelopesRequest:(id)arg1;
- (void)ReceiverQueryRedEnvelopesRequest:(id)arg1;
@end


%hook CMessageMgr

- (void)AsyncOnAddMsg:(NSString *)wxid MsgWrap:(CMessageWrap *)msg {

    %orig;

    int messageType = [msg m_uiMessageType];
    NSString *fromUsr = [msg m_nsFromUsr];

    if (messageType == 49)
    {
        NSLog(@"红包消息、转账消息");

        WCPayInfoItem *payInfoItem = [msg m_oWCPayInfoItem];
        NSString *m_c2cNativeUrl = [payInfoItem m_c2cNativeUrl];
        NSInteger index = [@"wxpay://c2cbizmessagehandler/hongbao/receivehongbao?" length];
        NSString *nativeUrlData = [m_c2cNativeUrl substringFromIndex:index];
        NSDictionary *nativeUrlDict = [%c(WCBizUtil) dictionaryWithDecodedComponets:nativeUrlData separator:@"&"];

        BOOL isGroupHB = [fromUsr containsString:@"chatroom"];

        //if msgtype == 1 is enable auto open red envelopes
        id msgType = [nativeUrlDict valueForKey:@"msgtype"];
        if([msgType isEqual: @"1"]){
            [%c(WCBizUtil) enableAutoOpenWithNativeUrl:m_c2cNativeUrl];

            //************ auto get red envelopes info ****************//
            NSMutableDictionary *dictM = [NSMutableDictionary dictionary];
            //msgType: group and friend are same , value is 1
            [dictM setObject:@"1" forKey:@"msgType"]; 
            // agreeDuty is 0
            [dictM setValue:@"0" forKey:@"agreeDuty"];
            [dictM setValue:m_c2cNativeUrl forKey:@"nativeUrl"];
            id sendId = [nativeUrlDict objectForKey:@"sendid"];
            [dictM setObject:sendId forKey: @"sendId"];
            id channelId = [nativeUrlDict objectForKey:@"channelid"];
            [dictM setObject:channelId forKey:@"channelId"];
            //group hb is 0 ,friend hb is 1
            if(isGroupHB){
                [dictM setObject:@"0" forKey:@"inWay"];
            }else{
                [dictM setObject:@"1" forKey:@"inWay"]; 
            }

            NSLog(@"dictM: %@", dictM);
            // auto get red envelope info
            WCRedEnvelopesLogicMgr *redEnvelopesLogicMgr = [[%c(MMServiceCenter) defaultCenter] getService: [%c(WCRedEnvelopesLogicMgr) class]];
            [redEnvelopesLogicMgr ReceiverQueryRedEnvelopesRequest:dictM];


        }else{
            NSLog(@"msgtype : %@  mgtype class: %@", msgType, [msgType class]);
        }
    } 

}
%end


%hook WCRedEnvelopesLogicMgr
- (void)OnWCToHongbaoCommonResponse:(HongBaoRes *)arg1 Request:(HongBaoReq *)arg2 {
    %orig;

    //HongBaoRes.cgiCmdid = 3 is get hongbao info, .cgiCmdid = 4 is open hongbao
    if(arg1.retText.buffer.length>0 && arg2.reqText.buffer.length>0 && arg1.cgiCmdid == 3 ){

        //********** auto open red envelopes **********//

        //HongBaoRes
        NSDictionary *retTextObj =  [NSJSONSerialization JSONObjectWithData:arg1.retText.buffer options:0 error:nil];
        //HongBaoReq
        NSString *reqTextStr = [[NSString alloc] initWithData:arg2.reqText.buffer encoding:NSUTF8StringEncoding];
        NSDictionary *reqTextDict = [%c(WCBizUtil) dictionaryWithDecodedComponets:reqTextStr separator:@"&"];

        NSMutableDictionary *dictM = [NSMutableDictionary dictionary];
        [dictM setValue:@"1" forKey:@"msgType"];
        //m_c2cNativeUrl is url encode
        NSString *m_c2cNativeUrl = [reqTextDict valueForKey:@"nativeUrl"];

        //decode url 
        m_c2cNativeUrl = (NSString *)CFBridgingRelease(CFURLCreateStringByReplacingPercentEscapesUsingEncoding(kCFAllocatorDefault,(CFStringRef)m_c2cNativeUrl, CFSTR(""),kCFStringEncodingUTF8));


        if(![%c(WCBizUtil) isEnableAutoOpenWithNativeUrl:m_c2cNativeUrl]){
            return;
        }else{
            [%c(WCBizUtil) autoOpenWithNativeUrl:m_c2cNativeUrl];
        }

        NSInteger index = [@"wxpay://c2cbizmessagehandler/hongbao/receivehongbao?" length];
        NSString *nativeUrlData = [m_c2cNativeUrl substringFromIndex:index];

        NSDictionary *nativeUrlDict = [%c(WCBizUtil) dictionaryWithDecodedComponets:nativeUrlData separator:@"&"];
        id sendId = [nativeUrlDict valueForKey:@"sendid"];
        [dictM setValue:sendId forKey: @"sendId"];
        id channelId = [nativeUrlDict valueForKey:@"channelid"];
        [dictM setValue:channelId forKey:@"channelId"];

        MMServiceCenter *serviceCenter = [%c(MMServiceCenter) defaultCenter];
        Class contactMgrCls = [%c(CContactMgr) class];
        CContactMgr *contactMgrSer = [serviceCenter getService: contactMgrCls];
        CBaseContact *contactMgrSelfContact = [contactMgrSer getSelfContact];
        NSString *displayName = [contactMgrSelfContact getContactDisplayName];
        [dictM setValue:displayName forKey: @"nickName"];
        NSString *headImgUrl = [contactMgrSelfContact m_nsHeadImgUrl];
        [dictM setValue: headImgUrl forKey:@"headImg"];
        [dictM setValue:m_c2cNativeUrl forKey: @"nativeUrl"];

        NSString *userName = [nativeUrlDict valueForKey:@"sendusername"];
        if(userName.length > 0){
            [dictM setValue:[nativeUrlDict valueForKey:@"sendusername"] forKey:@"sessionUserName"];
        }

        NSString *timingIdentifier = [retTextObj valueForKey:@"timingIdentifier"];
        if([timingIdentifier length] > 0){
            [dictM setValue:timingIdentifier forKey:@"timingIdentifier"];
        }

        NSLog(@"dictM Count:%lu data: %@",[dictM count], dictM);

        // wait 0.5 s
        dispatch_after(dispatch_time(DISPATCH_TIME_NOW, (int64_t)(0.5 * NSEC_PER_SEC)), dispatch_get_main_queue(), ^{
            //auto open red envelopes
            WCRedEnvelopesLogicMgr *redEnvelopesLogicMgr = [serviceCenter getService: [%c(WCRedEnvelopesLogicMgr) class]];
            [redEnvelopesLogicMgr OpenRedEnvelopesRequest: dictM];
        });
    }
}


%end

%hook WCRedEnvelopesLogicMgr
- (void)OpenRedEnvelopesRequest:(id)arg1 {
    %orig;
    %log;
}

- (void)ReceiverQueryRedEnvelopesRequest:(id)arg1 { %log; %orig; }
%end


%hook MicroMessengerAppDelegate

- (_Bool)application:(id)arg1 didFinishLaunchingWithOptions:(id)arg2 {
     %log;
     [%c(YCHongBaoMgr) showAlert:@"start...."];
     return  %orig;
}

%end

%hook WCBizUtil

%new
+ (void)enableAutoOpenWithNativeUrl:(NSString *)nativeUrl{

    NSMutableDictionary *dictM =  [[NSUserDefaults standardUserDefaults] valueForKey:@"AutoOpenWithNativeUrl"];

    if (!dictM) {
        dictM = [NSMutableDictionary dictionary];
    }else{
        dictM = [NSMutableDictionary dictionaryWithDictionary:dictM];
    }
    [dictM setValue:@1 forKey:nativeUrl];
    [[NSUserDefaults standardUserDefaults] setObject:dictM forKey:@"AutoOpenWithNativeUrl"];
}
%new
+ (BOOL)isEnableAutoOpenWithNativeUrl:(NSString *)nativeUrl{
    NSMutableDictionary *dictM =  [[NSUserDefaults standardUserDefaults] valueForKey:@"AutoOpenWithNativeUrl"];
    if (dictM) {
        NSNumber *val = [dictM valueForKey:nativeUrl];
        if (val.intValue == 1) {
            return true;
        }
    }

    return false;
}
%new
+ (void)autoOpenWithNativeUrl:(NSString *)nativeUrl {
    NSMutableDictionary *dictM =  [[NSUserDefaults standardUserDefaults] valueForKey:@"AutoOpenWithNativeUrl"];
    if (dictM) {
        dictM = [NSMutableDictionary dictionaryWithDictionary:dictM];
        [dictM setValue:@0 forKey:nativeUrl];
        [[NSUserDefaults standardUserDefaults] setObject:dictM forKey:@"AutoOpenWithNativeUrl"];
    }

}


%new
+ (void)showAlert:(NSString *)msg {
    [[[UIAlertView alloc] initWithTitle:msg message:nil delegate:nil cancelButtonTitle:@"confirm" otherButtonTitles:nil, nil] show];
}

%end

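Find the corresponding controller from a UI element and inspect its methods

Connect to the phone over OpenSSH: ssh root@<phone IP>
Inject into the WeChat process: ps -e | grep -i wechat // find the WeChat process's pid
cycript -p <WeChat pid>
This statement prints the UI hierarchy: UIApp.keyWindow.recursiveDescription().toString()
As shown in the figure below: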

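Based on the iOS view tree, pick a UIView under the NavigationController and, following the iOS responder chain, keep printing a view's nextResponder:
[#0x14e0c09a0 nextResponder];
Keep walking upward and you find that the chat screen's controller is NewMainFrameViewController.

class-dump can extract all of the header files,
so you can view the contents of the NewMainFrameViewController.h header:
cat NewMainFrameViewController.h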

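Analyzing an action

First add logging to every method of the object under study.

logify.pl automatically generates hook code that prints logs:
logify.pl NewMainFrameViewController.h > test.xm
As shown in the figure below:

(id)arg1: the concrete type behind id can be printed with [arg1 class]. Print the arg1 parameter directly to get its type, find the corresponding header, override its - (NSString *)description; method, and inject again. This prints the values of all properties of that object, so you can work out the parameter values.

%orig; is the original method's code; you can add your own code after it, as in the figure below.

%log calls the Unix system logging service.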

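However, syslogd no longer works on iOS 9 and later; only iOS 8 supports it. I wanted to restore the syslogd service on iOS 9, but that was troublesome because iOS 9 removed too much from the system, so I wrote the code below to print logs. It covers part of the screen, but the output is visible in real time.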

// Add a textView that displays the log
dispatch_async(dispatch_get_main_queue(), ^{
    NSArray *array = [UIApplication sharedApplication].keyWindow.subviews;
    for (UIView *v in array) {
        if ([v isMemberOfClass:[UITextView class]] && v.tag == 1234) {
            [v removeFromSuperview];
        }
    }
    UITextView *tv = [[UITextView alloc] init];
    tv.tag = 1234;
    tv.frame = CGRectMake(0, 100, 200, 240);
    tv.font = [UIFont systemFontOfSize:15];
    [[UIApplication sharedApplication].keyWindow addSubview:tv];
});

///////////////

// Function that appends one log entry to the textView
- (void)ck_log:(NSString *)str {
    dispatch_async(dispatch_get_main_queue(), ^{
        NSArray *array = [UIApplication sharedApplication].keyWindow.subviews;
        for (UIView *v in array) {
            if ([v isMemberOfClass:[UITextView class]] && v.tag == 1234) {
                UITextView *tv = (UITextView *)v;
                tv.text = [NSString stringWithFormat:@"%@\n---%@\n", tv.text, str];
            }
        }
    });
}

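Analyzing an object's actions

For example, I want to analyze what happens when a friend is tapped on the chat screen.
First, find that the chat screen's controller is NewMainFrameViewController.

First hook pass: add logging to all of its methods,
tap a friend's avatar, and observe the method calls.
This tells you the order in which the methods are called.

Second hook pass: for the methods that appeared, print their id-typed parameters with [arg1 class]
to recover the parameter types.

Third hook pass: pick the parameter types you most want to understand and inject a description
method; you then get all parameter values at the moment the action occurs.
After that you can construct these parameter values yourself to implement automatic tapping.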

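Analyzing the function call stack

Sometimes a function func() is called unexpectedly and you want to know who called it.

First find the function's address in Hopper; suppose it is 0x2222.

Then use lldb + debugserver to launch WeChat on the phone.
Use image list -o -f to list the WeChat module and find WeChat's offset (the ASLR slide); suppose it is
0x1111.

The function's actual runtime address is then: base address + offset,
i.e. 0x2222 + 0x1111 = 0x3333.
When the operating system loads an executable it assigns it a range of memory addresses that does not necessarily start at 0, hence the offset.

Then set a breakpoint with br s -a '0x3333'.

Trigger the call to func() again in the app and lldb will stop there.
In lldb, use the bt command to print the function call stack.

As shown in the figure below

You will find that the call stack contains two WeChat functions.
Suppose the address in front of one of them is 0x4444. This is the actual runtime address, and you must subtract 0x1111 to get the address in Hopper,
i.e. 0x4444 - 0x1111 = 0x3333.
Then look up address 0x3333 in Hopper to learn the function name.

In addition, printing the x20 and x29 registers gives you the contents of five parameters.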
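
The address arithmetic described above, as an added example that is not part of the original post: it reads a module's slide from `image list -o -f` output and converts between Hopper (file) addresses and runtime addresses, including the WeChat frames of a `bt` listing. The sample lldb output, every address in it and all function names are constructed for illustration.

```python
import re
from typing import NamedTuple

# Constructed lldb output for illustration; not captured from a real device.
IMAGE_LIST = """\
[  0] 0x00000000000e4000 /var/containers/Bundle/Application/<UUID>/WeChat.app/WeChat(0x00000001000e4000)
[  1] 0x0000000102a1c000 /Library/MobileSubstrate/MobileSubstrate.dylib(0x0000000102a1c000)
"""
BACKTRACE = """\
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
  * frame #0: 0x00000001012a4f10 WeChat`___lldb_unnamed_symbol70123$$WeChat
    frame #1: 0x0000000100f8c2a4 WeChat`___lldb_unnamed_symbol51234$$WeChat + 212
    frame #2: 0x000000018b2f1e80 UIKit`-[UIApplication sendAction:to:from:forEvent:] + 96
"""


class Image(NamedTuple):
    slide: int      # first column: ASLR slide applied to this image
    path: str
    load_addr: int  # value in parentheses: where the Mach-O header was mapped


IMAGE_RE = re.compile(r"^\[\s*\d+\]\s+(0x[0-9a-fA-F]+)\s+(.+)\((0x[0-9a-fA-F]+)\)\s*$")
FRAME_RE = re.compile(r"frame #(\d+):\s+(0x[0-9a-fA-F]+)\s+([^`\s]+)`")


def parse_image_list(text):
    """Map module name -> Image for every line of `image list -o -f` output."""
    images = {}
    for line in text.splitlines():
        m = IMAGE_RE.match(line.strip())
        if m:
            path = m.group(2).strip()
            name = path.rsplit("/", 1)[-1]
            images[name] = Image(int(m.group(1), 16), path, int(m.group(3), 16))
    return images


def to_runtime(file_addr, slide):
    """Hopper (file) address -> address to break on in the running process."""
    return file_addr + slide


def to_file(runtime_addr, slide):
    """Runtime address (for example from `bt`) -> address to look up in Hopper."""
    if runtime_addr < slide:
        raise ValueError(f"{runtime_addr:#x} is below slide {slide:#x}: wrong module?")
    return runtime_addr - slide


def frames_in_module(bt_text, images, module):
    """Return (frame number, runtime address, file address) for frames in `module`."""
    slide = images[module].slide
    out = []
    for m in FRAME_RE.finditer(bt_text):
        if m.group(3) == module:
            runtime = int(m.group(2), 16)
            out.append((int(m.group(1)), runtime, to_file(runtime, slide)))
    return out


if __name__ == "__main__":
    images = parse_image_list(IMAGE_LIST)
    wechat = images["WeChat"]
    # Load address minus slide is the base the file was linked at. Hopper addresses
    # already include that base, so add the slide, not the load address.
    print(f"slide={wechat.slide:#x} linked base={wechat.load_addr - wechat.slide:#x}")
    print(f"br s -a {to_runtime(0x1011c0f10, wechat.slide):#x}")
    for no, runtime, file_addr in frames_in_module(BACKTRACE, images, "WeChat"):
        print(f"frame #{no}: runtime {runtime:#x} -> Hopper {file_addr:#x}")
```

The slide changes on every launch, so it has to be read again from `image list -o -f` in each debugging session before any address is converted.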

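Writing the hook code

Once you have analyzed the function call order and parameter values of an action, you can hook
the specific functions and write the corresponding tweak code to implement automatic XXX.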


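Decompiling other people's software is illegal, so don't do bad things. Some things that might be illegal I won't write up; enforcement is quite strict at the moment.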

Finally, a bonus: an iOS plugin that automatically grabs WeChat red envelopes
Download link
