FakeWeChatLoc

[TOC]

This article is driven by my strong interest in reverse engineering. I read "iOS Application Reverse Engineering" and implemented an interesting function. I want to share it with you and it is also a simple summary of my own learning. BTW iOS Reverse Forum iOSRe is a good iOS reverse communication community.

All code and tools for this example are hosted on GitHub. Please check https://github.com/jackrex/FakeWeChatLoc

All this article is purely for personal entertainment and learning value. The related technology is only for learning and communication. Please do not use it for illegal purposes or for any other commercial purposes! ! !

iOS system jailbreaking, to put it bluntly, is similar to Android Root. It is equivalent to increasing the permissions of the mobile phone, allowing you to control things that you could not control before.

Since Objective-C is an object-oriented high-level language, the file format Mach-O used by iOS contains a lot of metadata information, allowing us to use class-dump to restore its header files. This is a good start for iOS reverse engineering.

MobileSubstrate is a framework that allows iOS development to facilitate hooking. MobileSubstrate consists of the following three parts:

MobileSubstrate

1. MobileHooker uses iOS Runtime to dynamically replace functions and forward messages to achieve the so-called hook technology
2. MobileLoader is mainly used to load third-party dynamic libraries, namely tweak/*.dylib
3. Safe Mode safe mode to prevent the impact of third-party plug-in crashes on the main App

• It can be seen that with Mobile Substrate as the cornerstone and reverse engineering, we can accomplish almost anything we want to do

This kind of operating system derived from Unix generally has the same directory hierarchy. You might as well compare Android and MacOS and you will find that many directory names are the same. Let’s pick some and briefly explain them:

 `/bin binnary` ，系统常用的基本二进制文件 例如 cd, ls, ps 等
`/usr` 包含大多用户工具库
`/var variable` 存放经常更改的东西，例如 logs，用户数据，/var/mobile/Applications 是纺织AppStore 下载的 App
`/Applications` 存放所有系统App，以及从Cydia下载的App路径
`/Library`  存放了系统App的数据，其中有一个/Library/MobileSubstrate 目录，MobileSubstrate 是一个hook 功能开发平台，其中内容如下图所示，我们所开发的插件都被放置到这个里面
`/Library/MobileSubstrate` 里面文件类型主要有 dylib，plist
dylib 是动态加载库，就是tweak
plist 配合dylib 使用的filter 文件，指定注入目标，及hook的目标
`/System` 存放iOS 各种系统framework
`/User` 指向 /var/mobile 即是我们一般用户的主目录 

• iOS installation package format

1. ipa is an iOS proprietary installation package launched by Apple. It is generally a package format downloaded from the AppStore. The installation path is /var/mobile/Applications. Long press to delete.
2. deb is an installation package unique to the Debain system (everyone who has used the debian Linux system knows it). The iOS system originated from Unix, so it is compatible with the deb installation package. The App downloaded by Cydia is in deb format. The installation path is to /Applications, long press It cannot be deleted and must be removed using the command line with root privileges or Cydia.
3. pxl ( This format originated from pkg on Mac and is now deprecated It was originally a format based on zip packaging created by 91 Mobile Assistant. All apps in this format are installed as root, so not elegant)

• Comparison of iOS installation packages . In fact, although the major software packages have different formats, such as .apk, .ipa, .deb, .app, etc., they are actually all a zip that lists the binary and resource files in a reasonable manner.

1. Package content comparison: Payload folder: It contains pictures and binary files used by the app. iTunesArtwork: It is actually a png picture without a suffix. It is displayed on iTunes, etc. and uses iTunesMetadata.plist to record the buyer's information, software version, and selling price. etc. com.apple.ZipMetadata.plist is

The Deb structure is actually a gzip of the Library Applications control file in data.tar.gz and puts it in control.tar.gz.

2. Permissions: deb is installed under /Applications and belongs to the root user group, so the read and write permissions are different from those of general .ipa mobile users.
3. The way to install the Deb file is to completely copy your own file path to the iOS system. When there are scripts such as postinst in the control package, execute the script according to the rules.

• Other iOS program types

1. Dynamic Library The DynamicLibraries we mentioned above are where MobileSubstrate places dynamic libraries. Those in this directory will be automatically and selectively loaded by ms.
2. Daemon is a background running program, a daemon process, such as a process that always monitors incoming calls, etc. I won’t go into details about this.

• Mac
• Jailbroken iDevice

• iOSOpenDev
• TheOS

Commonly used tools for dynamic debugging and static analysis in reverse engineering:

• class-dump

class-dump is a tool used to dump all header files of a jailbroken App.

• IDA

IDA is the best decompilation tool. In fact, simple reverse engineering can be completed using IDA alone.

• Hopper

Hopper Disassembler can be used under OS X with a low licensing fee

• LLDB

The powerful tool for dynamic debugging works with IDA to make everything move and stay still.

• Reveal

A debug tool that facilitates UI debugging and positioning. We can quickly identify which App interface corresponds to a certain class.

• iFunBox

Convenient file management assistant software

• OpenSSH

OpenSSH allows your computer to log in to your phone remotely

• Cyscript

A very powerful tool that allows developers to interact with applications from the command line and view and modify applications at runtime.

• iFile

A software that conveniently manages the file system on mobile phones, such as iFunbox and Android's Re manager, which can easily modify files and install Deb binaries.

• APPSync

APPsync is the most commonly installed patch after jailbreaking iPhone, iPad, and iPod touch. After installation, you can bypass system signature verification and install and run cracked ipa software at will.

Based on the above understanding, since we want to simulate positioning in WeChat, we use WeChat as our analysis object. Use class-dump to export the header file of WeChat. Although we see the direct export method class-dump -H xxx -o output/ on the class-dump official website, it is not possible to directly decompress the wechat in the ipa and dump it. We will It was found that there was only the CDStructures.h file in the output folder, and it was empty.

The reason for this is because after uploading to the AppStore, the AppStore automatically encrypts all ipas, so we need to shell the WeChat binary before dumping.

We should first try the more convenient Clutch

When Clutch fails, try the following steps. We need a tool like dumpdecrypted.dylib to dump the shell on our App. We first ssh to our iOS phone, we end all programs, open WeChat and execute

ps - e //列出当前运行的进程

TODO You can see that the process listed starting with /var/mobile/Containers/ is the WeChat process. We know that the sandbox path of all Apps is /var/mobile/Containers/Bundle/Application/03B61840-2349-4559-B28E- 0E2C6541F879/ , but we don’t know which App 03B61840-2349-4559-B28E-0E2C6541F879 is. It would be very difficult if we go to the directory to find them one by one.

At this time cycript comes in handy, execute

 cycript -p WeChat 
 cy# [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0]
#"file:///var/mobile/Containers/Data/Application/D41C4343-63AA-4BFF-904B-2146128611EE/Documents/"

In this way, we get the WeChat Documents directory. Next, use scp or ifunbox to copy dumpdecrypted.dylib to the Documents directory of WeChat.

Start breaking the shell

 DYLD_INSERT_LIBRARIES=/path/to/dumpdecrypted.dylib /path/to/executable

WeChat.decrypted will be generated in the current directory. This is WeChat that has been shelled. We can dump it. Before dumping, we can use the otool tool to view the file information of Match-o.

otool -H WeChat.decrypted

Use otool -l WeChat.decrypted to find the cryptid, and use lipo to split out the decrypted structure.

implement

 ./class-dump -H WeChat.decrypted --arch armv7  -o output/

Generate an Output folder in the current directory, which contains all the header files exported by WeChat, including third-party sdk, etc. We put all these header files into an empty Xcode project for easy viewing.

Based on intuition, we found that Appdelegate is WeChat's MircoMessengerAppDelegate. We can roughly see WeChat's project structure, etc. In fact, reverse engineering is also a way of learning.

Then let's think about the function we want to implement. We want to change our location to change nearby people. We can roughly guess that this class should be submitted to Nearby Location or the like, and we can search for the corresponding header file.

We found that there are so many after searching Nearby, which one is it?

In fact, in addition to the elimination method and one-by-one speculation, we can use the powerful tool Reveal to help us locate

It can be said that class-dump helps us list the entire header file, giving us a general understanding of the overall structure of the project, but the corresponding implementation plan in .m is still a black box for us. At this time we need to use IDA's powerful tools for analysis.

Open IDA and select new

We take out the WeChat binary from Wechat.app and drag it to the IDA above. Since I am using itouch 5 CPU and the architecture is armv7, I use the first one. If it is used incorrectly, the offset obtained by the break point will be wrong. , thus unable to debg normally

After the processing is completed, it will be as shown in the figure below

Among them, we can easily see the implementation of specific methods in MicroMessengerAppDelegate. Press the space bar to expand to view mode.

Here we can see the implementation in .m

Dynamic debugging is when we do not have the source code, we use lldb to set breakpoints at the location of the code for debugging. The main purpose is to calculate the execution address of the corresponding code and how to debug to obtain the value we want. As mentioned above, we use the decompilation results of IDA

1. iOS opens debugserver and listens to port 1234 debugserver *:1234 -a "WeChat"

2. Run lldb on the Mac and keep connected to the iOS server. Run lldb process connect connect://iOSIP:1234

3. Get ASLR offset image list -o -f

offset is 0xd000

4. Get the breakpoint address br s -a 0xd000+0x649D8 // Lower breakpoint

5. Start debugging ni po and other debugging commands

Start an App directly: debugserver -x backboard *:1234 /path/to/app/executable

libsubstrate.dylib

Tweak means "fine-tuning" in the word. It is actually the third-party dynamic link library dylib. Tweak is written based on MobileSubstrate and can change the hook's App at runtime.

Theos is a jailbreak development toolkit. This method is also introduced in the "iOS Application Reverse Engineering Book", but I personally prefer to use iOSOpenDev to create projects (ps: After getting familiar with the git command line, I thought to use sourceTree More intuitive), so I will briefly mention it here. It feels like iOSOpenDev turns the command-line NIC template into a visual one. In fact, it is almost not that difficult.

1. The installation is very simple. Download the installer and install it.

2. After the installation is complete, create a new project and iOSOpenDev will appear in the template iOS

3. Here we choose Logos Tweak and the creation is completed as follows

There is a file fakeloc.xm, which is where we want to write code. Open the fakeloc.xm file and we can see that the code inside is completed using logos. For logos, a new language, you don’t have to worry. Its basic syntax is similar to Objc. There are several specific syntaxes that require special attention:

Logos basic syntax: %hook specifies the class that needs to be hooked. It must end with %end. %log writes function information to syslog to print information. %orig executes the hooked function and can only be executed within the %hook specific method.

fakeloc.xm corresponds to fakeloc.mm

We are above

As you can see on the build Settings, there is a column at the bottom called User-Define. Here is our customized part. In the iOSOpenDevDevice place, write the IP address of our iOS device (LAN address such as 192.168.1.103). The premise is that the iOS device is installed OpenSSH

ssh authentication error iosod sshkey -h 192.168.1.109

At first, I thought that creating a jailbroken App must be written in Logos syntax, which scared me to death. In fact, the development of an iOS jailbreak App is almost exactly the same as a normal App.

First, we still create a project. Just like creating a normal project, you can also use CocoaPods to manage your third-party libraries.

First create a new project as normal, configure it as follows and then change the Build Settings.

Add Run Script and remove control from copy bundle resources

Overall project structure

Build for Profiling executor

After generating App and Tweak, how do we call Tweak in our App? The answer is to use dlopen

 void *handle = dlopen(TWEAK_PATH, RTLD_LAZY); //TWEAK_PATH 是dylib 的地址
    if (handle) {
        NSLog(@"handle");
        if (0 != dlclose(handle)) {
            printf("dlclose failed! %sn", dlerror());
        }else {

        }
    } else {
         NSLog(@"nohandle");
        printf("dlopen failed! %sn", dlerror());
    }

Then dynamically obtain the corresponding custom class

Class TweakBridge = NSClassFromString(@"TweakBridge");

I was puzzled by this problem at first, and finally adopted the most stable and simplest method to achieve it, which is to read and write data to the same file. This file can be used as a medium for transmitting data. But at the beginning, I put the file in /var/mobile/xxx.plist, but tweak could not read the value. The reason is that tweak and our App have different permissions, so we need to find a place where it can be written publicly. This place is **/var/mobile/Library/Preferences/ ** Therefore, our App and Tweak information interaction uses one writing method and the other reading method to achieve the purpose of transmission. If you have a better and more direct method, you can propose it. Let's discuss together

So the final code is:

 - (void)setLocWithLat:(double)lat andLng:(double)lng {
    NSLog(@"set lat & lng is %f &&&& %f", lat, lng);
    Class TweakBridge = NSClassFromString(@"TweakBridge");
    void *handle = dlopen(TWEAK_PATH, RTLD_LAZY);
    if (handle) {
        NSLog(@"handle");
        TweakBridge = NSClassFromString(@"TweakBridge");
        NSDictionary *dict = @{@"lat":[NSNumber numberWithDouble:lat], @"long":[NSNumber numberWithDouble:lng]};
        BOOL isSuccess = [dict writeToFile:LOCATION_PATH atomically:YES];
        NSLog(@"isSuccess, %d", isSuccess);
        CLLocation *location = [[TweakBridge shareInstance] getCoreLocation];
        if (0 != dlclose(handle)) {
            printf("dlclose failed! %sn", dlerror());
        }else {

        }
    } else {
         NSLog(@"nohandle");
        printf("dlopen failed! %sn", dlerror());
    }
}

So how do we combine our Tweak with our App so that users can use it directly after installation? In view of the deb format we mentioned above, the packaging method and structure and zip are actually the same and can be installed by the iOS system. We have already explained the package format and structure above, now how to generate the Deb package

We take out the generated directories of dylib and app respectively.

Put them all into a separate Package directory. The final directory structure is as shown below.

We arrange all files according to the directory structure arranged by Deb according to the hierarchy shown below, and then use the dpkg-deb method to package. Note that it is best not to have .DS_Store files in the deb when packaging. I wrote the following script to remove it. Generate Deb files at the same time

 #!/bin/bash
find ./Package -name ".DS_Store" -depth -exec rm {} ;
dpkg-deb -Zgzip -b Package fakeLoc.deb

The generated installation package is as follows, and then we scp it to the device

We use iFunbox to drag the generated fakeLoc .deb to the root directory, then open iFile on the phone and click fakeLoc.deb to install the program. After installation, we reinstall AppSync and restart the phone, and then we can open our App. , and also found that our App cannot be uninstalled by long-pressing it, just like system applications, Cydia, etc. This should be because we installed it under /Applications. To uninstall, we can use the command line to delete it, or use Cydia.

After the installation is complete, just restart the device.

Open the App, let us enter the precision and latitude, and then execute it. Finally, open WeChat People Nearby to see if the people nearby have changed. If we do it better, the precision latitude is selected on the map. When our core function is The explanation ends here. Our simple test results are as follows:

We can select different locations in the map address selector for testing

1. First we enter the coordinates of Beijing
2. Then the person who opens the WeChat attachment

You can see that most of the people are from Beijing

3. We are re-entering an address, such as Guangzhou, and then opening WeChat

Successfully simulated people nearby on WeChat

This is not like publishing to the AppStore. First you need a hosting source. If you don’t want to build it yourself, you can use thebigboss.org/hosting-repository-cydia/submit-your-app

Fill in the relevant information, these will not be described again.

This article is an introduction to the topic. I hope you will have a preliminary understanding of iOS jailbreak, be able to complete any of your own apps, and develop more fun Tweaks. For example, the plug-in for grabbing red envelopes on WeChat seems not difficult to implement. This example project is all Hosted on Github, where fakeloc is dylib, that is, tweak TestFakeTweak is the app project, HackAppTool Our above article describes the third-party tools that need to be used

Project address: https://github.com/jackrex/FakeWeChatLoc

1. After installing the software, the software solution does not appear on the desktop:

重新安装下AppSync 并重启SpringBoard

2. iOS6 system Crash solution:

由于iOS7之后引入一些新的类库等，在iOS6设备上的兼容性一般，所以在工程的framework 中把 require 改为 option

3. Solution for forgetting the root password after iOS jailbreak:

 root密码文件存放地方： / etc / master . passwd
用iFile的文本编辑功能打开master . passwd ，更改之前记得权限
你会找到类似这样的一行字符—— root : UlD3amElwHEpc : 0 : 0 :: 0 : 0 : System
UlD3amElwHEpc就是加密过的密码
把它更替为ab3z4hnHA5WdU ，这是对应的密码就是abc123 。
保存，重启。
有了密码abc123你就可以进一步修改成其它的密码了

1. "iOS Application Reverse Engineering"
2. http://iosopendev.com/
3. http://iphonedevwiki.net/
4. http://security.ios-wiki.com/