First step in iOS reverse engineering: Modifying WeChat without jailbreaking (Appearance)

In 1946, the American scholar Edgar Dale proposed the "Cone of Learning" theory, in which more than 50% of learning effectiveness comes from active learning: discussing, practicing and teaching. I hope to consolidate what I have learned by taking notes, and to share that knowledge with others who are interested in it.

Preface

WeChat has been around for more than seven years and its main interface has not changed; it is as simple and plain as when it first launched. After staring at this single theme for so long, though, I got a little tired of it. I happened to see a beautified version of WeChat on the Internet, but these "clone" and "beautified" WeChat clients ship with a large number of high-risk interfaces built in, and if you are careless your phone can be compromised. So I decided to tinker with it myself. At the beginning I knew nothing and did a lot of useless work, which I am writing down here so that others do not make the same mistakes.

iMazing import (failed)

  • I had used iMazing on the Mac before to modify the data of several small games, so I first tried exporting WeChat with iMazing. It turned out that the exported .imazingapp file contained only a few simple data files (presumably the ones not covered by the code signature). There was nothing in it that could be usefully modified, and I was disappointed.

PP/Aisi Assistant import (failed)

  • This is the most common method found on the Internet. Download the genuine ipa from PP Assistant and extract it; the colors of Moments turn out to be defined in the color.css file in its root directory. Open it in a plain text editor, change a few RGB colors, and save. When the ipa is imported to the phone, however, a "verification failed" prompt appears, which is clearly a signature problem. Opinions on the Internet differ about this; I personally think it is a version problem. At the time of writing, iOS 11.2 still cannot be jailbroken, and the third-party assistant tools have not found a usable vulnerability for this version, so they do not support importing a modified ipa. My frustration continued to grow.

IPAPatch Import (Successful)

This method involves wonderful iOS reverse engineering. Thanks to Naituw for opening the door to a new world for me.

What is IPAPatch?

GitHub user Naituw wrote that the earlier open-source approach to turning off HTTPS certificate verification in Facebook for iOS was too cumbersome. To further simplify debugging and verification, he developed IPAPatch, which provides a simple way to patch iOS applications without jailbreaking.

What can IPAPatch do?

Similar to "HackingFacebook", "IPAPatch" mainly allows you to "add" your own code to third-party IPA files, but the process is very different:

Author's GitHub: https://github.com/Naituw/

1. Final effect display

[Screenshots: Chat interface, Discovery interface, My interface, Moments interface]

2. Tools and equipment required

  • A clear mind
  • Developer account (or certificate)
  • MacBook
  • Xcode for Mac
  • Reveal for Mac
  • PlistEdit Pro for Mac

3. Specific implementation steps

1. Download the open-source project IPAPatch. Download address: Baidu network disk (password: wu1m);

2. Open Reveal and, in the menu bar, choose Help → Show Reveal Library in Finder → iOS Library. Take the RevealServer.framework bundle from the iOS Library and move it into the IPAPatch/Assets/Frameworks folder;

3. Prepare a decrypted WeChat .ipa file. You can dump the decrypted binary yourself; since I don't have a jailbroken phone, I downloaded the decrypted version from PP Assistant. Decrypted 6.6.6 version: Baidu Netdisk https://pan.baidu.com/share/init?surl=zP4MlvUfLkVXwgFGqcRZtA Password: ipyj;

4. Modify the files you want to change and save;

5. Rename WeChat.ipa to app.ipa and use it to replace the template app.ipa in the IPAPatch/Assets folder;

6. Open IPAPatch.xcodeproj. Click the triangle/exclamation-mark icon at the top left of the project navigator to switch to the Issue navigator, then select the IPAPatch-DummyApp target on the left and configure the Bundle Identifier and developer certificate in the details pane on the right. After the change, the Display Name is added as a prefix to the name of the patched App;

7. Connect your iPhone and, while the computer isn't looking, quickly click the Run button in the upper left corner; after a moment the App is automatically installed on your phone;

  • The steps above are actually very simple. The key compile, execute and inject steps have already been written into the patch.sh script by the author, and all of them run automatically when you build and run.
  • After "Build Succeeded", I became interested in modifying more data, and I happened to find a lot of iOS theme packs made by another excellent author on the Internet.
  • Just download a theme replacement pack; basically everything that can be replaced is already included. After unzipping, drag the files to be replaced into the app.ipa from before and wait for the file replacement to complete.

Repeat step 7.
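Step 3 above depends on the app binary being decrypted: IPAPatch injects into and re-signs the executable, so it is worth confirming that the `__TEXT` segment is no longer FairPlay-encrypted before repeating the build. As an added example (not part of the original post or of the IPAPatch project), the following Python reads the Mach-O load commands of the executable inside `Payload/*.app/` and checks the `cryptid` of `LC_ENCRYPTION_INFO`; the sample headers are constructed in the block, not taken from WeChat.

```python
import struct

# Mach-O constants (from <mach-o/loader.h> and <mach-o/fat.h>)
MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C

def _thin_cryptids(blob, base=0):
    """Return the cryptid values in one thin Mach-O image starting at `base`.
    cryptid 1: __TEXT still FairPlay-encrypted; 0: dumped/decrypted and patchable."""
    magic = struct.unpack_from("<I", blob, base)[0]
    if magic == MH_MAGIC_64:
        header_size = 32
    elif magic == MH_MAGIC:
        header_size = 28
    else:
        raise ValueError("no little-endian Mach-O header at offset %d" % base)
    ncmds, sizeofcmds = struct.unpack_from("<II", blob, base + 16)
    ids, off = [], base + header_size
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", blob, off)
        if cmdsize < 8:
            raise ValueError("malformed load command")
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # layout: cmd, cmdsize, cryptoff, cryptsize, cryptid[, pad]
            ids.append(struct.unpack_from("<I", blob, off + 16)[0])
        off += cmdsize
    return ids

def is_decrypted(blob):
    """True if every architecture slice has cryptid 0 (handles fat and thin files)."""
    if struct.unpack_from(">I", blob, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", blob, 4)[0]
        bases = [struct.unpack_from(">iiIII", blob, 8 + 20 * i)[2] for i in range(nfat)]
    else:
        bases = [0]
    return all(cid == 0 for base in bases for cid in _thin_cryptids(blob, base))

def build_sample(cryptid):
    """Constructed 32-byte arm64 header + one LC_ENCRYPTION_INFO_64 (test data, not WeChat)."""
    lc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    return struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 1, len(lc), 0, 0) + lc

def build_fat_sample(cryptids):
    """Constructed universal binary wrapping one thin sample per cryptid."""
    thins = [build_sample(c) for c in cryptids]
    archs, off = b"", 8 + 20 * len(thins)
    for t in thins:
        archs += struct.pack(">iiIII", 0x0100000C, 0, off, len(t), 2)
        off += len(t)
    return struct.pack(">II", FAT_MAGIC, len(thins)) + archs + b"".join(thins)
```

On a real ipa, unzip it and pass the bytes of the executable under `Payload/WeChat.app/` (path assumed) to `is_decrypted`; a universal binary is only usable if every slice reports cryptid 0.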

A brief introduction to some of the replaceable files (further exploration needed)

  • app.ipa/AppIcon**x**@*x.png: the WeChat icon. After the change, the original icon is still shown on the home screen; the reason is unknown.
  • app.ipa/Expression_**@2x.png: the old-style emoticons
  • app.ipa/zh_CN.lproj/InfoPlist.strings: contains the app name and several text items on the Discover page (Moments, Scan)
  • app.ipa/zh_CN.lproj/mm.strings: most of the UI text is in this file and can be modified; I only changed two items.
  • app.ipa/Assets.car: most icon files are compiled into this asset catalog
  • app.ipa/in.caf: the message notification sound

4. Several problems encountered and precautions

  1. A personal (free developer account) provisioning profile is only valid for seven days, so the app has to be reinstalled every seven days.
  2. WeChat installed with your own certificate does not support web sharing from the Safari browser. This is probably a common problem for clients that are not distributed through the App Store.
  3. Sometimes no notification is delivered, or only one is, for unknown reasons.
  4. The unzipped IPAPatch project can only be run once from Xcode; the second run fails with "Apple Mach-O Linker Error". There is no solution to this yet, and advice from more experienced readers is welcome.
  5. When you open WeChat for the first time, or open it again after killing the process, an alert says that the hook was successful. This alert can be changed in the IPAPatchEntry.mm file (alertControllerWithTitle:message:, addAction:).

[Screenshot: the pasted code]

[Screenshot: the "hook successful" alert]

Summary

This article only records how to modify the appearance of the App. Other functional modifications, such as preventing message recall, automatically grabbing red envelopes, and hiding the red badge, require much more Objective-C knowledge. I have only just started with OC and have not yet grasped its deeper syntax; in the coming days I will continue to explore it in depth.
