
macOS WeChat Reverse Engineering with Frida


Most readers are presumably familiar with WeChat "secondary development" (automation) on the PC client; this article walks through doing the same thing to WeChat on the Mac using the Frida framework.

PS: static injection is another perfectly good approach, but since the Xcode install is huge, it is not covered here.

PS: learning how to use Frida itself is up to you; this article does not go into it.

The functionality covered:

  1. Sending WeChat messages
  2. Listening for incoming WeChat messages

1. WeChat version


[screenshot: the WeChat version used]

2. Tools

To do a good job, first sharpen your tools! Prepare the following analysis tools:

  1. Hopper Disassembler
  2. class-dump
  3. Frida
  4. PyCharm (optional)
  5. VS Code (optional)

3. Dumping the header files

First use class-dump to recover WeChat's Objective-C headers. Open a terminal and run (add -o some/dir to write the headers into a directory of your choice; the listings below were taken from such a directory):

class-dump -H /Applications/WeChat.app

Once it finishes you have a very large number of header files; an excerpt of the listing:

-rw-r--r--  1 n  staff   927B  2 15 19:19 WXCPbQcwxtalkPackage.h
-rw-r--r--  1 n  staff   975B  2 15 19:19 WXCPbReportItem.h
-rw-r--r--  1 n  staff   1.7K  2 15 19:19 WXCPbSCAddVoiceGroupMemberResp.h
-rw-r--r--  1 n  staff   772B  2 15 19:19 WXCPbSCCancelCreateVoiceGroupResp.h
-rw-r--r--  1 n  staff   7.2K  2 15 19:19 WXCPbSCCreateVoiceGroupResp.h
-rw-r--r--  1 n  staff   6.9K  2 15 19:19 WXCPbSCEnterVoiceRoomResp.h
-rw-r--r--  1 n  staff   1.1K  2 15 19:19 WXCPbSCExitVoiceRoomResp.h
-rw-r--r--  1 n  staff   1.2K  2 15 19:19 WXCPbSCModifyVoiceGroupInfoResp.h
-rw-r--r--  1 n  staff   872B  2 15 19:19 WXCPbSCSubscribeLargeVideoResp.h
-rw-r--r--  1 n  staff   867B  2 15 19:19 WXCPbSCSubscribeVideoResp.h
-rw-r--r--  1 n  staff   2.0K  2 15 19:19 WXCPbSCVoiceClientSceneReportResp.h
-rw-r--r--  1 n  staff   864B  2 15 19:19 WXCPbSCVoiceGetGroupInfoBatchResp.h
-rw-r--r--  1 n  staff   637B  2 15 19:19 WXCPbSCVoiceMemberWhisperResp.h
-rw-r--r--  1 n  staff   5.9K  2 15 19:19 WXCPbSCVoiceRedirectResp.h
-rw-r--r--  1 n  staff   1.1K  2 15 19:19 WXCPbSCVoiceRoomHelloResp.h
-rw-r--r--  1 n  staff   904B  2 15 19:19 WXCPbSKBuiltinBuffer_t.h
-rw-r--r--  1 n  staff   686B  2 15 19:19 WXCPbSubscribeVideoMember.h
-rw-r--r--  1 n  staff   2.7K  2 15 19:19 WXCPbSwitchVideoGroupResp.h
-rw-r--r--  1 n  staff   1.4K  2 15 19:19 WXCPbVideoGroupMember.h
-rw-r--r--  1 n  staff   671B  2 15 19:19 WXCPbVoiceClientScene.h
-rw-r--r--  1 n  staff   1.2K  2 15 19:19 WXCPbVoiceClientSceneExt.h
-rw-r--r--  1 n  staff   2.9K  2 15 19:19 WXCPbVoiceConf.h

4. Narrowing down the headers

With that many files we obviously cannot read them one by one; far too slow. Any developer who wants maintainable code is not going to name objects something like abc, right? Right?! (Some people really do!) But I am confident Tencent's engineers do not. What is WeChat's core feature? Sending messages. And the English word for that is Message. So the first filter is on Message:

# n @ localhost in ~/vscodewsp/wechat/dump [20:58:22]
$ ll |wc -l
    4922
 
# n @ localhost in ~/vscodewsp/wechat/dump [20:58:29]
$ ll -l |grep Message|wc -l
     157
 
# n @ localhost in ~/vscodewsp/wechat/dump [20:58:42]

Those two commands take us from 4922 files down to 157, which narrows things nicely. How to narrow further? That comes down to development habits: when I write business logic I like class names ending in service or controller, so I filter once more:

# n @ localhost in ~/vscodewsp/wechat/dump [20:58:42]
$ ll -l |grep Message|grep Service|wc -l
       9

# n @ localhost in ~/vscodewsp/wechat/dump [21:02:13]
$ ll -l |grep Message|grep Service
-rw-r--r--  1 n  staff   5.1K  2 15 19:19 FTSFileMessageService.h
-rw-r--r--  1 n  staff   382B  2 15 19:19 IMessageServiceAppExt-Protocol.h
-rw-r--r--  1 n  staff   980B  2 15 19:19 IMessageServiceFileExt-Protocol.h
-rw-r--r--  1 n  staff   381B  2 15 19:19 IMessageServiceFileReTransferExt-Protocol.h
-rw-r--r--  1 n  staff   755B  2 15 19:19 IMessageServiceImageExt-Protocol.h
-rw-r--r--  1 n  staff   780B  2 15 19:19 IMessageServiceVideoExt-Protocol.h
-rw-r--r--  1 n  staff   407B  2 15 19:19 IMessageServiceVideoReTransferExt-Protocol.h
-rw-r--r--  1 n  staff   3.1K  2 15 19:19 MMFTSMessageService.h
-rw-r--r--  1 n  staff    20K  2 15 19:19 MessageService.h

# n @ localhost in ~/vscodewsp/wechat/dump [21:02:25]
$

Only 9 files left! Reading those one by one is no trouble at all. Eventually I landed on MessageService.h, and opening it up: sure enough, lucky hit!

- (id)SendLocationMsgFromUser:(id)arg1 toUser:(id)arg2 withLatitude:(double)arg3 longitude:(double)arg4 poiName:(id)arg5 label:(id)arg6;
- (id)SendNamecardMsgFromUser:(id)arg1 toUser:(id)arg2 containingContact:(id)arg3;
- (id)SendStickerStoreEmoticonMsgFromUsr:(id)arg1 toUsrName:(id)arg2 md5:(id)arg3 productID:(id)arg4;
- (id)SendEmoticonMsgFromUsr:(id)arg1 toUsrName:(id)arg2 md5:(id)arg3 emoticonType:(unsigned int)arg4;
- (id)SendImgMessage:(id)arg1 toUsrName:(id)arg2 thumbImgData:(id)arg3 midImgData:(id)arg4 imgData:(id)arg5 imgInfo:(id)arg6;
- (id)SendTextMessage:(id)arg1 toUsrName:(id)arg2 msgText:(id)arg3 atUserList:(id)arg4;
- (id)SendAppMusicMessageFromUser:(id)arg1 toUsrName:(id)arg2 withTitle:(id)arg3 url:(id)arg4 description:(id)arg5 thumbnailData:(id)arg6;
- (id)SendAppURLMessageFromUser:(id)arg1 toUsrName:(id)arg2 withTitle:(id)arg3 url:(id)arg4 description:(id)arg5 thumbnailData:(id)arg6;
- (id)SendAppURLMessageFromUser:(id)arg1 toUsrName:(id)arg2 withTitle:(id)arg3 url:(id)arg4 description:(id)arg5 thumbUrl:(id)arg6 sourceUserName:(id)arg7 sourceDisplayName:(id)arg8;

There is the functionality: every method starting with Send is a message-sending function. Settled, let's go after it.

PS: the analysis really is fairly laborious, but with some hands-on effort you will find it.

5. Verifying with a Frida hook

To check that the analysis is right we have to test it. How? Frida to the rescue! Run the following command (微信 is the WeChat process name as shown by frida-ps; use whatever name frida-ps reports on your machine):

$ frida-trace -m "-[MessageService Send*]" 微信
Instrumenting...
-[MessageService SendTextMessageWithString:toUser:]: Auto-generated handler at "/Users/n/vscodewsp/wechat/__handlers__/MessageService/SendTextMessageWithString_toUser_.js"
-[MessageService SendAppURLMessageFromUser:toUsrName:withTitle:url:description:thumbUrl:sourceUserName:sourceDisplayName:]: Auto-generated handler at "/Users/n/vscodewsp/wechat/__handlers__/MessageService/SendAppURLMessageFromUser_toUsrN_eaefd0af.js"
------------------------------------------------------------------------------
-[MessageService SendNamecardMsgFromUser:toUser:containingContact:]: Auto-generated handler at "/Users/n/vscodewsp/wechat/__handlers__/MessageService/SendNamecardMsgFromUser_toUser_c_b5899e8d.js"
Started tracing 18 functions. Press Ctrl+C to stop.

然后會(huì)在當(dāng)前目錄生成handlers文件夾,里面是frida為我們自動(dòng)生成的hook腳本文件。我們使用微信發(fā)送一條消息試試。

然后終端會(huì)輸出一條信息:

195323 ms -[MessageService SendTextMessage:0x600000b6fae0 toUsrName:0x6503cfa934d442eb msgText:0x6000002ec860 atUserList:0x600000a73570]

That is the send hook firing, and SendTextMessage matches exactly what we saw in the header file.

Open the handler for SendTextMessage:toUsrName:msgText:atUserList: under __handlers__/MessageService, change the log text, and run again:

frida-trace -m "-[MessageService Send*]" 微信

The output changes accordingly:
2908 ms -[我的消息測試 SendTextMessage:0x600000b6fae0 toUsrName:0x6503cfa934d442eb msgText:0x6722df8306c2767b atUserList:0x6000009c2760]

So the function we found really is the one that sends messages. Next, can we print the content of the message we sent?

- (id)SendTextMessage:(id)arg1 toUsrName:(id)arg2 msgText:(id)arg3 atUserList:(id)arg4;

The method has four parameters. Parameter one: unknown for now. Parameter two: toUsrName, the recipient. Parameter three: msgText, the message content. Parameter four: unknown for now.

Let's print all four. Edit the handler:

onEnter(log, args, state) {
    // For an Objective-C method args[0] is self and args[1] is the selector,
    // so the first explicit parameter is args[2].
    console.log(`-[我的消息測試 SendTextMessage:${args[2]} toUsrName:${args[3]} msgText:${args[4]} atUserList:${args[5]}]`);
    // Wrap each raw pointer as an ObjC.Object so string conversion prints its description
    console.log("arg[1] -> " + new ObjC.Object(args[2]))
    console.log("arg[2] -> " + new ObjC.Object(args[3]))
    console.log("arg[3] -> " + new ObjC.Object(args[4]))
    console.log("arg[4] -> " + (args[5].isNull() ? "nil" : new ObjC.Object(args[5])))
},

然后執(zhí)行?frida-trace -m "-[MessageService Send*]" 微信?發(fā)送一條消息


arg[1] -> wxid_*****63i822
arg[2] -> filehelper
arg[3] -> 這個是消息測試
arg[4] ->
           /* TID 0x307 */
 14534 ms  -[我的消息測試 SendTextMessage:0x600000b6fae0 toUsrName:0x6503cfa934d442eb msgText:0x600000adefd0 atUserList:0x600000add470]

The terminal shows exactly the message we sent. Now let's tamper with the outgoing content by adding the following line to onEnter:

    args[4] = ObjC.classes.NSString.stringWithString_("MacOS微信分析")

然后微信發(fā)送任何消息,對(duì)方都將收到的是MacOS微信分析


That confirms the function that sends text messages. How do we call it ourselves?
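The same hook, written as a stand-alone Frida script instead of a frida-trace handler, is shown below as an added example; it is not code from the original post. It attaches with Interceptor to the method's implementation, logs every outgoing text message, and rewrites the text only when the recipient matches. The class and selector names come from the class-dump output above; the recipient "filehelper", the replacement text, and the maskUserId helper (which hides the middle of a wxid the way the output above was redacted) are this example's own choices. Load it with frida 微信 -l hook.js.

```javascript
// Added example: hook -[MessageService SendTextMessage:toUsrName:msgText:atUserList:]
// with Interceptor.attach and rewrite the text for one recipient.
// Assumptions: recipient and replacement text are demo values.

const TARGET = 'filehelper';                 // only rewrite messages going to this account
const REPLACEMENT = 'MacOS WeChat analysis'; // what the recipient actually gets

// Mask a wxid for logging the way the page's output does ("wxid_*****63i822"):
// keep the prefix up to the underscore and the last 6 characters, hide the rest.
// Ids without a prefix (built-in accounts like "filehelper") are returned as-is.
function maskUserId(id) {
  const s = String(id);
  const cut = s.indexOf('_');
  if (cut < 0 || s.length - cut - 1 <= 6) return s;
  return s.slice(0, cut + 1) + '*****' + s.slice(-6);
}

// Objective-C argument layout under Interceptor: args[0] is self, args[1] is
// the selector, explicit parameters start at args[2]. nil becomes null.
function objcArg(ptr) {
  return ptr.isNull() ? null : new ObjC.Object(ptr);
}

function installSendHook() {
  const method = ObjC.classes.MessageService['- SendTextMessage:toUsrName:msgText:atUserList:'];
  Interceptor.attach(method.implementation, {
    onEnter(args) {
      const from = objcArg(args[2]);
      const to = objcArg(args[3]);
      const text = objcArg(args[4]);
      const atList = objcArg(args[5]);
      console.log('send ' + maskUserId(from) + ' -> ' + to + ': "' + text + '"' +
                  ' atUserList=' + (atList === null ? 'nil' : atList.$className));

      if (to !== null && to.toString() === TARGET) {
        // Keep a JS reference to the new NSString for the whole call so the
        // autoreleased object cannot be freed while the callee still uses it.
        this.replacement = ObjC.classes.NSString.stringWithString_(REPLACEMENT);
        args[4] = this.replacement.handle;
      }
    },
    onLeave(retval) {
      // The method returns id; knowing what comes back tells us what to expect
      // from a manual call later.
      const ret = objcArg(retval);
      console.log('  returned ' + (ret === null ? 'nil' : ret.$className));
    },
  });
}

// Touch the Objective-C runtime only when actually running inside WeChat under Frida.
if (typeof ObjC !== 'undefined' && ObjC.available) {
  installSendHook();
  console.log('SendTextMessage hook installed');
}
```

Holding the replacement NSString in this.replacement until onLeave is the part that matters: the object is autoreleased, and the callee keeps using the pointer we wrote into args[4] for the rest of the call.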

6. Analyzing the code in Hopper


From the analysis above, sending a message needs four parameters. First: judging by the output, our own WeChat id. Second: the other party's WeChat id. Third: the message content. Fourth: can be null.

那么就打開hopper拖入微信具體分析分析吧

Applications -> WeChat -> Show Package Contents -> Contents -> MacOS -> WeChat; drag that binary into Hopper and accept the default options.


Type SendTextMessage into the search box on the left; the top four results should be the ones we need, so open each and read the pseudocode. (To learn what the arguments are we need to find where the function is called and then trace where each argument comes from; apart from the function definition itself, every other hit is a call site.)

MMMessageSendLogic:

/* @class MMMessageSendLogic */
-(unsigned char)sendTextMessageWithString:(void *)arg2 mentionedUsers:(void *)arg3 {
    r14 = self;
    r15 = [arg2 retain];
    r12 = [arg3 retain];
    r13 = [[CUtility filterStringForTextMessage:r15] retain];
    [r15 release];
    if ([r13 length] != 0x0) {
        stack[-64] = r12;
        rax = [r13 lengthOfBytesUsingEncoding:0x4];
        rbx = rax;
        if (rax >= 0x4001) {
            rax = [[NSString alloc] initWithFormat:@"ERROR: Text too long, length: %lu, utf8 length: %lu", [r13 length], rbx];
            stack[0] = "-[MMMessageSendLogic sendTextMessageWithString:mentionedUsers:]";
            [MMLogger logWithMMLogLevel:0x2 module:"ComposeInputView" file:0x103e0e162 line:0x112 func:stack[0] message:rax];
            [rax release];
            rax = [NSBundle mainBundle];
            rax = [rax retain];
            stack[-72] = rax;
            r15 = [[rax localizedStringForKey:@"Message.Input.Too.Long.Title" value:@"" table:0x0] retain];
            rax = [NSBundle mainBundle];
            rax = [rax retain];
            r14 = rax;
            rax = [rax localizedStringForKey:@"Message.Input.Too.Long.Content" value:@"" table:0x0];
            rax = [rax retain];
            [NSAlert showAlertSheetWithTitle:r15 message:rax completion:0x0];
            [rax release];
            [r14 release];
            [r15 release];
            [stack[-72] release];
            r14 = 0x0;
            r12 = stack[-64];
        }
        else {
            rax = [WeChat sharedInstance];
            rax = [rax retain];
            r15 = [[rax CurrentUserName] retain];
            [rax release];
            rax = [r14 currnetChatContact];
            rax = [rax retain];
            r14 = [[rax m_nsUsrName] retain];
            [rax release];
            r12 = [[MMServiceCenter defaultCenter] retain];
            objc_unsafeClaimAutoreleasedReturnValue([[[r12 getService:[MessageService class]] retain] SendTextMessage:r15 toUsrName:r14 msgText:r13 atUserList:stack[-64]]);
            [rax release];
            [r12 release];
            [r14 release];
            [r15 release];
            r14 = 0x1;
            r12 = stack[-64];
            r13 = r13;
        }
    }
    else {
        rax = [[NSString alloc] initWithFormat:@"ERROR: Text is empty, can't send"];
        stack[0] = "-[MMMessageSendLogic sendTextMessageWithString:mentionedUsers:]";
        [MMLogger logWithMMLogLevel:0x2 module:"ComposeInputView" file:0x103e0e162 line:0x10c func:stack[0] message:rax];
        [rax release];
        r14 = 0x0;
    }
    [r13 release];
    [r12 release];
    rax = r14 & 0xff;
    return rax;
}

This pseudocode is quite readable. Two details worth noting before the call itself: the text first passes through [CUtility filterStringForTextMessage:], and encoding 0x4 in lengthOfBytesUsingEncoding: is NSUTF8StringEncoding, so the client refuses any text longer than 0x4000 UTF-8 bytes before it ever reaches MessageService. The call we care about is:

objc_unsafeClaimAutoreleasedReturnValue([[[r12 getService:[MessageService class]] retain] SendTextMessage:r15 toUsrName:r14 msgText:r13 atUserList:stack[-64]]);

The first argument is r15. Tracing r15 upward,

r15 = [[rax CurrentUserName] retain]; is where it is assigned, so let's look at the CurrentUserName method (rax here is [WeChat sharedInstance]).

-(void *)CurrentUserName {
    if ([self isLoggedIn] != 0x0) {
        rdi = [[CUtility GetCurrentUserName] retain];
    }
    else {
        rdi = 0x0;
    }
    rax = [rdi autorelease];
    return rax;
}

It first checks whether the user is logged in, then obtains the name from CUtility's GetCurrentUserName class method. That settles the first argument; the other three are easy to construct by hand. Time to write the JS script.

7. Writing the Frida script


console.log("init success");

function SendTextMessage(wxid, msg) {
    // Find a live MessageService instance on the heap
    var message = ObjC.chooseSync(ObjC.classes.MessageService)[0]
    if (message === undefined) {
        console.log("no MessageService instance found (is WeChat logged in?)");
        return;
    }
    // Same source the client uses for the first argument: [CUtility GetCurrentUserName]
    var username = ObjC.classes.CUtility.GetCurrentUserName();
    console.log(username)
    console.log("Type of arg[0] -> " + message)
    var toUsrName = ObjC.classes.NSString.stringWithString_(wxid);
    var msgText = ObjC.classes.NSString.stringWithString_(msg);
    // atUserList (the @-mention list) may be null
    message["- SendTextMessage:toUsrName:msgText:atUserList:"](username, toUsrName, msgText, null);
}

SendTextMessage("filehelper", "主動調用發送信息!")

Save that as test.js and run:

frida 微信 --debug --runtime=v8 --no-pause -l test.js

A message then shows up in WeChat, sent without touching the UI.
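The following is an added example, not the script from the post, covering both the Hopper analysis in section 6 and the manual call above. Instead of scanning the heap with ObjC.chooseSync it obtains MessageService the way the client itself does ([MMServiceCenter defaultCenter] / getService:), repeats the client's own preconditions (text run through filterStringForTextMessage:, non-empty, at most 0x4000 UTF-8 bytes, which is the rax >= 0x4001 check), gets the sender from [[WeChat sharedInstance] CurrentUserName] so the logged-in check is honoured, runs the call on the main queue like the UI code does, and exposes it over Frida RPC. Every class, selector and method name is from the page; MAX_UTF8, utf8ByteLength, checkText and the promise wrapper are assumptions made here.

```javascript
// Added example: send a text message through the client's own service path,
// with its preconditions enforced up front, callable from the host via RPC.
// Assumed by this example: MAX_UTF8, checkText, utf8ByteLength and the promise wrapper.

const MAX_UTF8 = 0x4000;   // largest UTF-8 byte count the client's UI accepts

// UTF-8 byte length computed from code points, so it behaves the same in
// Frida's JavaScript runtime and in Node.
function utf8ByteLength(text) {
  let bytes = 0;
  for (const ch of text) {
    const cp = ch.codePointAt(0);
    bytes += cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
  }
  return bytes;
}

// The two checks sendTextMessageWithString:mentionedUsers: makes before it
// calls SendTextMessage: non-empty text and at most MAX_UTF8 UTF-8 bytes.
function checkText(text) {
  if (typeof text !== 'string' || text.length === 0) {
    return { ok: false, reason: 'empty' };
  }
  const bytes = utf8ByteLength(text);
  if (bytes > MAX_UTF8) {
    return { ok: false, reason: 'too long: ' + bytes + ' utf8 bytes' };
  }
  return { ok: true, bytes };
}

// Resolves with the class name of whatever SendTextMessage returns (null for nil).
function sendText(toUsrName, text) {
  const check = checkText(text);
  if (!check.ok) return Promise.reject(new Error('refusing to send: ' + check.reason));

  return new Promise((resolve, reject) => {
    // The client calls this from UI code; run on the main queue rather than
    // from Frida's script thread.
    ObjC.schedule(ObjC.mainQueue, () => {
      try {
        const NSString = ObjC.classes.NSString;
        // CurrentUserName returns nil when not logged in (see the pseudocode)
        const me = ObjC.classes.WeChat.sharedInstance().CurrentUserName();
        if (me === null) throw new Error('not logged in');
        // Same sanitising step the UI applies before its length check
        const filtered = ObjC.classes.CUtility.filterStringForTextMessage_(NSString.stringWithString_(text));
        if (filtered === null || filtered.length() === 0) throw new Error('text empty after filtering');
        const svc = ObjC.classes.MMServiceCenter.defaultCenter().getService_(ObjC.classes.MessageService);
        const result = svc.SendTextMessage_toUsrName_msgText_atUserList_(
          me, NSString.stringWithString_(toUsrName), filtered, null);
        resolve(result === null ? null : result.$className);
      } catch (e) {
        reject(e);
      }
    });
  });
}

// Expose to the host when running under Frida; the host reaches it through
// the script's exports (sendText).
if (typeof rpc !== 'undefined') {
  rpc.exports = { sendText };
}
```

Going through MMServiceCenter rather than ObjC.chooseSync avoids a full heap scan and returns the same instance the client uses; repeating the length check matters because the UI's limit is enforced in MMMessageSendLogic, not in MessageService, so a manual caller is the only thing standing between over-long input and the service.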


8. Listening for messages


Above we tampered with outgoing messages and sent messages on demand. Now let's see how WeChat receives them. Whenever a contact or a group sends us something, the computer or phone usually shows a notification, and the English word for that is notify, so let's try our luck and look for that string. Once again in MessageService we find - (void)notifyAddMsgOnMainThread:(id)arg1 msgData:(id)arg2; Is it really the one? Verify with Frida again:


$ frida-trace -m "-[MessageService notify*]" 微信
Instrumenting...                                                       
-[MessageService notifyModMsgOnMainThread:msgData:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MessageService/notifyModMsgOnMainThread_msgData_.js"
-[MessageService notifyAppMsgUploadProgress:msgData:uploadedBytes:totalBytes:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MessageService/notifyAppMsgUploadProgress_msgDa_9b03499e.js"
-[MessageService notifyVideoMsgUploadProgress:msgData:uploadedBytes:totalBytes:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MessageService/notifyVideoMsgUploadProgress_msg_e1db5f92.js"
-[MessageService notifyNewMsgNotificationOnMainThread:msgData:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MessageService/notifyNewMsgNotificationOnMainTh_d56d83b5.js"
-[MessageService notifyChatSyncMsgsOnMainThread:msgList:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MessageService/notifyChatSyncMsgsOnMainThread_msgList_.js"
-[MessageService notifyChatSyncMessagesMergedOnMainThread:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MessageService/notifyChatSyncMessagesMergedOnMainThread_.js"
-[MessageService notifyRevokePatMsgOnMainThread:n64MsgId:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MessageService/notifyRevokePatMsgOnMainThread_n64MsgId_.js"
-[MessageService notifyAddRevokePromptMsgOnMainThread:msgData:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MessageService/notifyAddRevokePromptMsgOnMainTh_81637ebf.js"
-[MessageService notifyDelMsgOnMainThread:msgData:isRevoke:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MessageService/notifyDelMsgOnMainThread_msgData_5bbc2297.js"
-[MessageService notifyMsgDeletedForSessionOnMainThread:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MessageService/notifyMsgDeletedForSessionOnMainThread_.js"
-[MessageService notifyDelAllMsgOnMainThread:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MessageService/notifyDelAllMsgOnMainThread_.js"
-[MessageService notifyAddMsgListForSessionOnMainThread:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MessageService/notifyAddMsgListForSessionOnMainThread_.js"
-[MessageService notifyUnreadCntChangeOnMainThread:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MessageService/notifyUnreadCntChangeOnMainThread_.js"
-[MessageService notifyMsgResendOnMainThread:msgData:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MessageService/notifyMsgResendOnMainThread_msgData_.js"
-[MessageService notifyImgMsgUploadProgress:msgData:uploadedBytes:totalBytes:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MessageService/notifyImgMsgUploadProgress_msgDa_e4e0cd43.js"
-[MessageService notifyAppMsgDownloadProgress:msgData:downloadedBytes:totalBytes:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MessageService/notifyAppMsgDownloadProgress_msg_4e191704.js"
-[MessageService notifyUIAndSessionOnMainThread:withMsg:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MessageService/notifyUIAndSessionOnMainThread_withMsg_.js"
-[MessageService notifyAddMsgOnMainThread:msgData:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MessageService/notifyAddMsgOnMainThread_msgData_.js"
Started tracing 18 functions. Press Ctrl+C to stop.


Quite a few methods get hooked, but that is fine. Send a message from WeChat to yourself or anyone else and watch the output:

           /* TID 0x307 */
157082 ms  -[MessageService notifyAddMsgOnMainThread:0x6503cfa934d442eb msgData:0x7fd903c9fa00]
           /* TID 0x31e17 */
157092 ms  -[MessageService notifyUnreadCntChangeOnMainThread:0x6503cfa934d442eb]
           /* TID 0xb5c27 */
157228 ms  -[MessageService notifyModMsgOnMainThread:0x6503cfa934d442eb msgData:0x7fd903c9fa00]

Three related calls fire (note the same msgData pointer in the add and mod notifications). Start with the first, notifyAddMsgOnMainThread, and edit its handler:

onEnter(log, args, state) {
  log(`-[MessageService notifyAddMsgOnMainThread:${args[2]} msgData:${args[3]}]`);
},

With the experience from above it is quickly apparent that this should be the message-receiving method and that msgData holds the content we want. Still, verify it: print the parameters. Add the following to the handler:

console.log("Type of arg[2] -> " + new ObjC.Object(args[2]).$className)
console.log("Type of arg[3] -> " + new ObjC.Object(args[3]).$className)

These two lines print the class of each parameter. Narrow the frida-trace pattern to just this method:

frida-trace -m "-[MessageService notifyAddMsgOnMainThread*]" 微信

The first parameter is a string (NSTaggedPointerString is an NSString subclass), the second a MessageData:

$ frida-trace -m "-[MessageService notifyAddMsgOnMainThread*]" 微信
Instrumenting...
-[MessageService notifyAddMsgOnMainThread:msgData:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MessageService/notifyAddMsgOnMainThread_msgData_.js"
Started tracing 1 function. Press Ctrl+C to stop.
Type of arg[2] -> NSTaggedPointerString
Type of arg[3] -> MessageData
           /* TID 0x307 */
  2170 ms  -[MessageService notifyAddMsgOnMainThread:0x6503cfa934d442eb msgData:0x7fd90401c960]

MessageData is the message structure, so search the header files for it:

# n @ localhost in ~/vscodewsp/wechat/dump [7:46:01] C:1
$ ll -l|grep MessageData
-rw-r--r--  1 n  staff   2.5K  2 15 19:19 FTSFileMessageData.h
-rw-r--r--  1 n  staff   2.0K  2 15 19:19 FTSMessageData.h
-rw-r--r--  1 n  staff   794B  2 15 19:19 IMessageDataExt-Protocol.h
-rw-r--r--  1 n  staff   6.2K  2 15 19:19 MMChatMessageDataSource.h
-rw-r--r--  1 n  staff    25K  2 15 19:19 MessageData.h
-rw-r--r--  1 n  staff   550B  2 15 19:19 MessageDataGroup.h
-rw-r--r--  1 n  staff   2.9K  2 15 19:19 MessageDataPackedInfo.h
-rw-r--r--  1 n  staff   262B  2 15 19:19 NSPasteboard-MessageData.h

There is indeed a MessageData.h. Open it:

@interface MessageData : NSObject <NSPasteboardItemDataProvider, IAppMsgPathMgr, IMsgExtendOperation, NSCopying, WCTTableCoding, WCTColumnCoding>
{
    unsigned int mesLocalID;
    long long mesSvrID;
    NSString *fromUsrName;
    NSString *toUsrName;
    unsigned int messageType;
    NSString *msgContent;
    NSString *msgVoiceText;
    unsigned int m_uiVoiceToTextStatus;
    unsigned int msgStatus;
    unsigned int msgImgStatus;
    NSString *msgRealChatUsr;
    NSString *msgPushContent;
    unsigned int m_uiTranslateStatus;
    NSString *msgSource;
    unsigned int mesDes;
    unsigned int msgSeq;
    BOOL bForward;
    NSData *m_dtThumbnail;
    unsigned int msgCreateTime;
    unsigned int m_uiSendTime;
    unsigned int m_uiDownloadStatus;
    id <IMsgExtendOperation> m_extendInfoWithMsgType;
    id <IMsgExtendOperation> m_extendInfoWithFromUsr;
    BOOL isAutoIncrement;
    BOOL m_bShouldShowAll;
    BOOL m_bIsMultiForwardMessage;
    BOOL m_shouldReloadOriginal;
    BOOL m_bHasOriginalMessage;
    unsigned int IntRes1;
    unsigned int IntRes2;
    unsigned int m_uiFileUploadStatus;
    unsigned int m_uiOriginalImgHeight;
    unsigned int m_uiOriginalImgWidth;
    unsigned int m_uiSrcCreateTime;
    unsigned int _m_nsMsgCrc32;
    unsigned int _m_uiUploadedBytes;
    unsigned int _m_uiDownloadedBytes;
    unsigned int _m_uiTotalBytes;
    int _m_nCdnServerRetCode;
    unsigned int _m_uiResendMessageCount;
    long long lastInsertedRowID;
    NSString *StrRes1;
    NSString *StrRes2;
    MMTranslateResult *m_nsTranslationResult;
    NSString *m_nsFilePath;
    NSString *m_nsVideoPath;
    NSString *m_nsVideoThumbPath;
    NSString *dataMd5;
    MessageData *m_refMessageData;
    MessageDataPackedInfo *m_packedInfo;
    NSString *m_nsSrcUserName;
    NSString *m_nsSrcNickName;
    NSString *m_nsAtUserList;
    NSString *_m_nsImgFileName;
    NSString *_m_nsBigFileErrMsg;
    SecondMsgNode *_secondMsgNode;
    MessageData *_referHostMsg;
}

Judging by the instance variable names (sender, recipient, type, content, server-side message id) this is the one. Read the ivars directly from the handler and print them:

    // $ivars exposes the instance variables declared in MessageData.h by name
    var MessageData = new ObjC.Object(args[3]).$ivars;
    console.log("fromUsrName -> " + MessageData.fromUsrName)
    console.log("toUsrName -> " + MessageData.toUsrName)
    console.log("msgContent -> " + MessageData.msgContent)

Run frida-trace -m "-[MessageService notifyAddMsgOnMainThread*]" 微信 again:

-[MessageService notifyAddMsgOnMainThread:msgData:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MessageService/notifyAddMsgOnMainThread_msgData_.js"
Started tracing 1 function. Press Ctrl+C to stop.
Type of arg[2] -> NSTaggedPointerString
Type of arg[3] -> MessageData
fromUsrName -> wxid_pk1reltk63i822
toUsrName -> filehelper
msgContent -> 消息監聽測試
           /* TID 0x307 */
 14909 ms  -[MessageService notifyAddMsgOnMainThread:0x6503cfa934d442eb msgData:0x7fd904426980]

The hook captures the content of each message as it is added. Note that in this test the message was one we sent to filehelper ourselves: fromUsrName is our own wxid and toUsrName is filehelper, so notifyAddMsgOnMainThread fires for outgoing messages as well as incoming ones. A listener that only wants messages from others has to compare fromUsrName with the current user's name. Source: http://www.zghlxwxcb.cn/news/detail-758620.html
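Putting the listener together as a stand-alone Frida script, as an added example that is not part of the original post: it hooks the notifyAddMsgOnMainThread:msgData: method identified above, reads the MessageData ivars from the class-dump, and forwards each new message to the host process with send(). Two details come from the page's own output: a message the user sent has fromUsrName equal to the current user, which is how direction is decided, and the same MessageData can be notified more than once, which is why reports are deduplicated by mesSvrID. The record shape, the "direction" field and the dedupe set are this example's own.

```javascript
// Added example: report incoming WeChat messages to the host.
// Selector, class and ivar names are from the page; everything else is assumed.

// Build a plain record from a MessageData's ivars. `ivars` is the object
// returned by ObjC.Object#$ivars (NSString ivars come back as ObjC.Object,
// long long as Int64, unsigned int as number); a plain object works too.
function toRecord(ivars, currentUser) {
  const str = (v) => (v === null || v === undefined) ? null : String(v);
  const from = str(ivars.fromUsrName);
  return {
    svrId: str(ivars.mesSvrID),            // server-assigned id, stable across notifications
    localId: Number(ivars.mesLocalID),
    type: Number(ivars.messageType),
    from,
    to: str(ivars.toUsrName),
    createTime: Number(ivars.msgCreateTime),
    direction: from === currentUser ? 'out' : 'in',
    content: str(ivars.msgContent),
  };
}

// Report a record only if it is incoming and not already seen this session.
// `seen` is a Set of server ids the caller keeps across calls.
function shouldReport(record, seen) {
  if (record.direction === 'out') return false;
  if (record.svrId === null) return true;   // no server id yet, cannot dedupe
  if (seen.has(record.svrId)) return false;
  seen.add(record.svrId);
  return true;
}

function installListener() {
  const seen = new Set();
  const me = String(ObjC.classes.CUtility.GetCurrentUserName());
  const sel = '- notifyAddMsgOnMainThread:msgData:';
  Interceptor.attach(ObjC.classes.MessageService[sel].implementation, {
    onEnter(args) {
      // args[2] is the session name string, args[3] the MessageData
      const msg = new ObjC.Object(args[3]);
      if (!msg.isKindOfClass_(ObjC.classes.MessageData)) return;
      const record = toRecord(msg.$ivars, me);
      if (shouldReport(record, seen)) send({ event: 'message', record });
    },
  });
}

// Only touch the Objective-C runtime when actually running inside WeChat.
if (typeof ObjC !== 'undefined' && ObjC.available) {
  installListener();
  console.log('message listener installed');
}
```

Each send() arrives at the host as a message with payload.event === 'message'; converting the ivars to plain strings and numbers inside the hook keeps the payload JSON-serialisable and avoids holding ObjC references after the hook returns.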
