Use CocoaPods to print and receive messages for WeChat integrated SDK

Recommendation

This article introduces a set of reverse engineering tools that can add plugins to any application on a non-jailbroken phone. In the example at the end of the article, the author uses WeChat as an example to show the function of printing and receiving messages in WeChat.

This set of tools can speed up reverse development, and its re-signing concept can also be used for secondary distribution of other people's applications.

In fact, this also shows that Apple’s application security protection needs to be strengthened. I hope "Ms. Dong" can see this article (snickering).

About the author: Liu Peiqing, currently working in the information security department of NetEase. Personal blog address: http://www.alonemonkey.com/. Thanks to the author for authorizing the repost.

background

The author is an iOS reverse engineering enthusiast. When I was using iOSOpenDev to develop jailbreak plug-ins in Xcode, the tool had not been updated for several years and there were many problems with installation and use. So at first I just wanted to improve the compatibility issues of iOSOpenDev. Later, new ideas kept emerging during the development and were implemented in the tool. So there was MonkeyDev, a tool that I will strongly recommend to you in this article.

use

Before using it, everyone is concerned about its functions and what it can do. So what can MonkeyDev do? In summary, it can do the following:

• You can use Xcode to develop CaptainHook Tweak, Logos Tweak and Command-line Tool, and develop plug-ins on jailbroken machines. This is a migration and improvement of the original iOSOpenDev function.
• Just drag in a shell application, automatically integrate Reveal, Cycript and injected dynamic libraries, and re-sign and install them on non-jailbroken machines.
• Support debugging of self-written dynamic libraries and third-party apps
• It supports the integration of SDK and non-jailbreak plug-ins through third-party applications of CocoaPods. In simple terms, a non-jailbreak plug-in store is built through CocoaPods.

After having a general understanding, let's experience its power through specific practical applications.

Environment Preparation

Before using it, you must first configure the environment. If the configuration is incorrect, some strange problems may occur. You can also use Wiki to operate it.

• Install the latest theos

 git clone --recursive https://github.com/theos/theos.git /opt/theos  

• Install ldid

 brew install ldid

If it is used for jailbreak development, you need to configure password-free login to the jailbroken device. If you do not have a jailbroken machine, you can skip this step.

 ssh-keygen -t rsa -P ''   
 
 ssh-copy-id -i /Users/username/.ssh/id_rsa root@ip

Install

You can select a specific Xcode to install using the following command, or you can install it by default.

• To specify Xcode installation:

 sudo xcode- select -s /Applications/Xcode-xxx.app

• Default installation of Xcode:

 xcode- select -p

• Execute the installation command:

 git clone https://github.com/AloneMonkey/MonkeyDev.git 
 
 cd MonkeyDev/bin 
 
 sudo ./md-install

• To uninstall, execute the uninstall command:

 sudo ./md-uninstall

• If you need to update, execute the update command:

 sudo ./md-update  

Module Introduction

After the installation is complete, open Xcode, click File - New - Project..., select iOS and scroll to the bottom to see the modules provided by MonkeyDev:

Here are the uses of these modules:

Jailbreak module

• CaptainHook Tweak

Use the header file provided by CaptainHook to hook the OC function and obtain the attributes.

• Logos Tweak

Use the logify.pl tool provided by theos to convert the .xm file into a .mm file for compilation. CydiaSubstrate is integrated by default. You can use MSHookMessageEx and MSHookFunction to Hook OC functions and specify addresses.

• Command-line Tools

You can directly create command line tools that run on jailbroken devices

Non-jailbreak module

• MonkeyApp

This is a module that automatically integrates Reveal, Cycript and dylib injection into third-party applications. It supports debugging dylib and third-party applications, and supports Pod to integrate SDK into third-party applications. You only need to prepare a shelled ipa or app file.

Function Introduction

The use of CaptainHook Tweak, Logos Tweak and Command-line Tool will not be introduced here. If you have any questions, please check the project Wiki

The following mainly introduces the use of MonkeyApp, starting your journey of non-jailbreak plug-in development~

Prepare

Before you start using it, you need to prepare a shelled application. You can use a jailbroken phone to shell it, and then get the ipa or app. If you don't have a jailbroken phone, you can directly download the jailbroken application from an assistant.

Create a project

Click File - New - Project... to create an iOS project and select MonkeyApp.

After the creation is complete, you will get a project like this:

The name of the project I created here is MonkeyApp, so the following corresponds to MonkeyApp. The name of the project you create depends on your project name! In addition, Xcode 8 needs to add dynamic library dependencies to App, as follows:

MonkeyAppDylib is the dynamic library that will be injected into the target App. You can write the code you want to hook in the MonkeyAppDylib.m file. I have written some Demo codes in it. You can run it directly to see the effect. It supports OC runtime HOOK and C function fishhook.

AntiAntiDebug contains anti-debugging code.

fishhook is an automatically integrated fishhook module.

Below, Framewroks has automatically integrated Reveal.framework and Cycript.framework.

Drag and drop the shell application to compile

Open an assistant and select the jailbreak app in the app game. When you download an app, it will have its shell cracked.

Then open the TargetApp directory and copy the ipa file to the current directory, as shown below:

Then click Run. After running, you can see from the console that the dynamic library has been injected successfully and Reveal has been successfully loaded! Of course, it also runs on the phone!

Open Reveal on Mac to view the interface structure of the application! As shown below:

Cycript is also integrated by default. Download the SDK from the Cycript official website, then go into the SDK directory and run the following command:

 ./cycript -r iphoneip:6666

Get WeChat messages

Let's take a simple example of getting the messages received by WeChat to further introduce its use. First, open the MonkeyAppDylib.m file and write the following code at the bottom:

 @interface CMessageWrap
 @property (nonatomic, strong) NSString* m_nsContent;
 @property (nonatomic, assign) NSInteger m_uiMessageType;
 @ end  
 CHDeclareClass(CMessageMgr) 
 
 CHMethod2(void, CMessageMgr, AsyncOnAddMsg, NSString*, msg, MsgWrap, CMessageWrap*, msgWrap){
    NSString* content = [msgWrap m_nsContent];
    if([msgWrap m_uiMessageType] == 1){
 NSLog(@ "Received message: %@" , content);
 }
    CHSuper2(CMessageMgr, AsyncOnAddMsg, msg, MsgWrap, msgWrap);
 } 
 
 CHConstructor{
    CHLoadLateClass(CMessageMgr);
    CHClassHook2(CMessageMgr, AsyncOnAddMsg, MsgWrap);
 }

Then re-run to see the effect:

Then you can happily develop non-jailbreak plugins and debug them directly!

Integrate the SDK using CocoaPods

 target 'MonkeyAppDylib' do
 pod 'FLEX'  
 end  

Here, the Target should be set to dynamic library instead of App, and then execute Pod install. Then change the following option back to Yes.

Add SDK initialization code to the MonkeyAppDylib.m file:

 #import <FLEX/FLEXManager.h> 
 
 void initCycriptServer(){
    [[NSNotificationCenter defaultCenter] addObserverForName:UIApplicationDidFinishLaunchingNotification object:nil queue:[NSOperationQueue mainQueue] usingBlock:^(NSNotification * _Nonnull note) {
        [[FLEXManager sharedManager] showExplorer];
 CYListenServer(6666);
 }];
 }

The operation effect is as follows:

Non-jailbreak add-on store

Now that CocoaPods is supported, you can upload your own non-jailbreak plugins to CocoaPods and install them with one click through pod!

Next, put the WeChat message plug-in written above into CocoaPods, create a new Cocoa Touch Framework project, then add the header file CaptainHook.h and your own source file PrintWXMessage.m, and copy the above code, as shown in the following figure:

Then generate the framework into a zip package (the zip package needs to contain the architecture of the simulator and the real machine to pass local verification), edit the PrintWXMessage.podspec file as follows:

 Pod::Spec.new do |spec|
  spec. name = "PrintWXMessage"  
  spec.version = "1.0.0"  
  spec.summary = "Print WX Message for MonkeyDev"  
  spec.description = <<- DESC  
                          - Print WX Message for MonkeyDev
 DESC   
 
  spec.homepage = "https://github.com/AloneMonkey/MonkeyDev"   
 
  spec.license = { :type => "BSD" , :file => "LICENSE" }
  spec.author = { "AloneMonkey" => "[email protected]" }
  spec.social_media_url = "http://weibo.com/xiaoqing28"  
  spec.platform = :ios, "8.0"  
  spec.source = { :http => "https://github.com/AloneMonkey/MonkeyDevPod/raw/master/PrintWXMessage/LatestBuild/PrintWXMessage.zip" }
  spec.vendored_frameworks = "PrintWXMessage.framework"  
 end  

Here, source directly writes the address of the zip package, which contains the framework dynamic library generated by the author.

Add private CocosPods:

 pod repo add MonkeyDevSpecs https://github.com/AloneMonkey/MonkeyDevSpecs.git

Publish the PrintWXMessage package to a private Pod:

 pod repo push MonkeyDevSpecs PrintWXMessage.podspec

Modify the Podfile file content as follows, then run pod install, and delete the code for printing WeChat messages originally written in MonkeyAppDylib.m.

 source 'https://github.com/AloneMonkey/MonkeyDevSpecs.git'   
 
 target 'MonkeyAppDylib' do
 pod 'PrintWXMessage'  
 end   
 
 ~ MonkeyApp pod install
 Cloning spec repo `alonemonkey` from `https://github.com/AloneMonkey/MonkeyDevSpecs.git`
 Analyzing dependencies
 Downloading dependencies
 Installing PrintWXMessage (1.0.0)
 Generating Pods project
 Integrating client project 
 
 [!] Please close   any   current Xcode sessions and use `MonkeyPod.xcworkspace` for this project from now on .
 Pod installation complete! There is 1 dependency from the Podfile and 1 total pod installed.

Run and you can see that the plug-in has been perfectly integrated!!!

Please click here to view the MonkeyDev project address.