IOS Wechat Reverse - Realization of Custom Functions such as Jailbreak Free, Red Envelope Anti-withdrawal

WeChat smash shell

CrackerXI+ crack the shell, or manually use dumpdecrypted to crack the shell

Export the shelled wech using scp or assistant at.ipa

 

monkeydev

MonkeyDev is integrated on xcode, which can quickly develop hook codes, link to Mach-O files, and support jailbreak-free installation after modifying ipa.

Create a new MonkeyDev project

 

Drag the shelled WeChat ipa into the TargetApp directory in the project

run compile real machine debugging

Open the WeChat settings page, and open Debug View Hierarychy in xcode to view the hierarchy.

New control class WCTableViewManager 

%hook NewSettingViewController
- (void)reloadTableData{
    %orig;
    WCTableViewManager *tableViewMgr = MSHookIvar<id>(self, "m_tableViewMgr");
    MMTableView *tableView = [tableViewMgr getTableView];
    WCTableViewNormalCellManager *newCell = [%c(WCTableViewNormalCellManager) normalCellForSel:@selector(setting) target:self title:@"你懂的"];
    [((WCTableViewSectionManager*)tableViewMgr.sections[0]) addCell: newCell];
    [tableView reloadData];
}

%new
- (void)setting {
    UIViewController *vc = [[HZWechatSettingController alloc] init];
    [((UIViewController *)self).navigationController PushViewController:vc animated:true];
}

%end

Added options for automatically grabbing red envelopes, anti-retraction of messages, and modification of WeChat steps

WCTableViewCellManager *autoEnvelopCell = [HZWechat switchCellWithSel:@selector(autoEnvelopSwitchChange:) target:self title:@"自动抢红包" switchOn:[HZWechatConfig autoRedEnvelop]];
[nidongde addCell:autoEnvelopCell];

WCTableViewCellManager *revokeIntercept = [HZWechat switchCellWithSel:@selector(revokeIntercept:) target:self title:@"消息防撤回" switchOn:[HZWechatConfig preventRevoke]];
[nidongde addCell:revokeIntercept];

WCTableViewCellManager *changeStepsCell = [HZWechat switchCellWithSel:@selector(changedSteps:) target:self title:@"修改微信步数" switchOn:[HZWechatConfig changeSteps]];
[nidongde addCell:changeStepsCell];

Hook red envelope message to realize automatic snatching 

BOOL (^shouldReceiveRedEnvelop)() = ^BOOL() {
                    if (!HZWechatConfig.autoRedEnvelop) { return NO; }
                    if (isGroupInBlackList()) { return NO; }
                    if (isContaintKeyWords()) { return NO; }
                    return isGroupReceiver() ||
                           (isGroupSender() && isReceiveSelfRedEnvelop()) ||
                           (!isGroupReceiver() && HZWechatConfig.personalRedEnvelopEnable);
                };

                NSDictionary *(^parseNativeUrl)(NSString *nativeUrl) = ^(NSString *nativeUrl) {
                    nativeUrl = [nativeUrl substringFromIndex:[@"wxpay://c2cbizmessagehandler/hongbao/receivehongbao?" length]];
                    return [%c(WCBizUtil) dictionaryWithDecodedComponets:nativeUrl separator:@"&"];
                };

Anti-withdrawal implementation

%hook CMessageMgr
  - (void)onRevokeMsg:(CMessageWrap *)arg1 {

    if (HZWechatConfig.preventRevoke) {
        NSString *msgContent = arg1.m_nsContent;

        NSString *(^parseParam)(NSString *, NSString *,NSString *) = ^NSString *(NSString *content, NSString *paramBegin,NSString *paramEnd) {
            NSUInteger startIndex = [content rangeOfString:paramBegin].location + paramBegin.length;
            NSUInteger endIndex = [content rangeOfString:paramEnd].location;
            NSRange range = NSMakeRange(startIndex, endIndex - startIndex);
            return [content substringWithRange:range];
        };

        NSString *session = parseParam(msgContent, @"<session>", @"</session>");
        NSString *newmsgid = parseParam(msgContent, @"<newmsgid>", @"</newmsgid>");
        NSString *fromUsrName = parseParam(msgContent, @"<![CDATA[", @"撤回了一条消息");
        CMessageWrap *revokemsg = [self GetMsg:session n64SvrID:[newmsgid integerValue]];

        CContactMgr *contactMgr = [[objc_getClass("MMServiceCenter") defaultCenter] getService:objc_getClass("CContactMgr")];
        CContact *selfContact = [contactMgr getSelfContact];
        NSString *newMsgContent = @"";


        if ([revokemsg.m_nsFromUsr isEqualToString:selfContact.m_nsUsrName]) {
            if (revokemsg.m_uiMessageType == 1) {       // 判断是否为文本消息
                newMsgContent = [NSString stringWithFormat:@"拦截到你撤回了一条消息：\n %@",revokemsg.m_nsContent];
            } else {
                newMsgContent = @"拦截到你撤回一条消息";
            }
        } else {
            if (revokemsg.m_uiMessageType == 1) {
                newMsgContent = [NSString stringWithFormat:@"拦截到一条 %@撤回消息：\n %@",fromUsrName, revokemsg.m_nsContent];
            } else {
                newMsgContent = [NSString stringWithFormat:@"拦截到一条 %@撤回消息",fromUsrName];
            }
        }

        CMessageWrap *newWrap = ({
            CMessageWrap *msg = [[%c(CMessageWrap) alloc] initWithMsgType:0x2710];
            [msg setM_nsFromUsr:revokemsg.m_nsFromUsr];
            [msg setM_nsToUsr:revokemsg.m_nsToUsr];
            [msg setM_uiStatus:0x4];
            [msg setM_nsContent:newMsgContent];
            [msg setM_uiCreateTime:[arg1 m_uiCreateTime]];

            msg;
        });

        [self AddLocalMsg:session MsgWrap:newWrap fixTime:0x1 NewMsgArriveNotify:0x0];
        return;
    }
    %orig;
}

%end

Modify the number of WeChat exercise steps

%hook WCDeviceStepObject
-(NSInteger)m7StepCount {
    NSInteger stepCount = %orig;
    NSInteger newStepCount = HZWechatConfig.changedSteps;

    return HZWechatConfig.changeSteps ? newStepCount : stepCount;
}

-(NSInteger)hkStepCount {
    NSInteger stepCount = %orig;
    NSInteger newStepCount = HZWechatConfig.changedSteps;

    return HZWechatConfig.changeSteps ? newStepCount : stepCount;
}

%end

Multi-opening after self-signed packaging, it is better to eat with AltDeploy+AltStore

 grateful