MacOS微信逆向分析-Frida
0.前言
PC下的微信二次開發相信大家都會了,那么本篇文章將帶領大家使用Frida框架對Mac下微信來進行二次開發!
PS:還有一種靜態注入的方式也不錯,但是考慮到大家xcode安裝包太大就不在這里展開啦。
PS:frida如何去使用大家得自己去學,本文不過多展開。
主要功能涉及如下:
- 微信消息發送
- 微信消息監聽
1.微信版本
2.工具
預先善其事,必先利其器!請先准備如下分析工具
- Hopper Disassembler
- Class-dump
- Frida
- Pycharm(可選)
- Vscode(可選)
3.Dump 出頭文件
首先利用Class-Dump拿到微信的頭文件,打開終端執行:
class-dump -H /Applications/WeChat.app
成功執行之后會生成很多的頭文件了,如下所示
-rw-r--r-- 1 n staff 927B 2 15 19:19 WXCPbQcwxtalkPackage.h
-rw-r--r-- 1 n staff 975B 2 15 19:19 WXCPbReportItem.h
-rw-r--r-- 1 n staff 1.7K 2 15 19:19 WXCPbSCAddVoiceGroupMemberResp.h
-rw-r--r-- 1 n staff 772B 2 15 19:19 WXCPbSCCancelCreateVoiceGroupResp.h
-rw-r--r-- 1 n staff 7.2K 2 15 19:19 WXCPbSCCreateVoiceGroupResp.h
-rw-r--r-- 1 n staff 6.9K 2 15 19:19 WXCPbSCEnterVoiceRoomResp.h
-rw-r--r-- 1 n staff 1.1K 2 15 19:19 WXCPbSCExitVoiceRoomResp.h
-rw-r--r-- 1 n staff 1.2K 2 15 19:19 WXCPbSCModifyVoiceGroupInfoResp.h
-rw-r--r-- 1 n staff 872B 2 15 19:19 WXCPbSCSubscribeLargeVideoResp.h
-rw-r--r-- 1 n staff 867B 2 15 19:19 WXCPbSCSubscribeVideoResp.h
-rw-r--r-- 1 n staff 2.0K 2 15 19:19 WXCPbSCVoiceClientSceneReportResp.h
-rw-r--r-- 1 n staff 864B 2 15 19:19 WXCPbSCVoiceGetGroupInfoBatchResp.h
-rw-r--r-- 1 n staff 637B 2 15 19:19 WXCPbSCVoiceMemberWhisperResp.h
-rw-r--r-- 1 n staff 5.9K 2 15 19:19 WXCPbSCVoiceRedirectResp.h
-rw-r--r-- 1 n staff 1.1K 2 15 19:19 WXCPbSCVoiceRoomHelloResp.h
-rw-r--r-- 1 n staff 904B 2 15 19:19 WXCPbSKBuiltinBuffer_t.h
-rw-r--r-- 1 n staff 686B 2 15 19:19 WXCPbSubscribeVideoMember.h
-rw-r--r-- 1 n staff 2.7K 2 15 19:19 WXCPbSwitchVideoGroupResp.h
-rw-r--r-- 1 n staff 1.4K 2 15 19:19 WXCPbVideoGroupMember.h
-rw-r--r-- 1 n staff 671B 2 15 19:19 WXCPbVoiceClientScene.h
-rw-r--r-- 1 n staff 1.2K 2 15 19:19 WXCPbVoiceClientSceneExt.h
-rw-r--r-- 1 n staff 2.9K 2 15 19:19 WXCPbVoiceConf.h
4.分析
首先那么多的文件我們肯定不能一個個的去看,那樣效率太低。相信大家做開發為了自己好維護代碼,肯定不會給對象隨便命名為abc這種吧!不會吧!不會吧!真的有這種人啊!!!但是我相信騰訊的程序員肯定不會這么做!!微信核心的功能是啥?是發消息哦,那么消息的英文是啥?Message !對就是他。所以我們就先塞選下這個Message!
# n @ localhost in ~/vscodewsp/wechat/dump [20:58:22]
$ ll |wc -l
4922
# n @ localhost in ~/vscodewsp/wechat/dump [20:58:29]
$ ll -l |grep Message|wc -l
157
# n @ localhost in ~/vscodewsp/wechat/dump [20:58:42]
執行如上命令我們把文件數從4922個轉變到157了。這樣就縮小了范圍啦!如何再次縮小范圍尼!那么就得是看大家的開發習慣啦,我一般做業務我都喜歡寫service,controller,這種業務類名,於是我再次....
# n @ localhost in ~/vscodewsp/wechat/dump [20:58:42]
$ ll -l |grep Message|grep Service|wc -l
9
# n @ localhost in ~/vscodewsp/wechat/dump [21:02:13]
$ ll -l |grep Message|grep Service
-rw-r--r-- 1 n staff 5.1K 2 15 19:19 FTSFileMessageService.h
-rw-r--r-- 1 n staff 382B 2 15 19:19 IMessageServiceAppExt-Protocol.h
-rw-r--r-- 1 n staff 980B 2 15 19:19 IMessageServiceFileExt-Protocol.h
-rw-r--r-- 1 n staff 381B 2 15 19:19 IMessageServiceFileReTransferExt-Protocol.h
-rw-r--r-- 1 n staff 755B 2 15 19:19 IMessageServiceImageExt-Protocol.h
-rw-r--r-- 1 n staff 780B 2 15 19:19 IMessageServiceVideoExt-Protocol.h
-rw-r--r-- 1 n staff 407B 2 15 19:19 IMessageServiceVideoReTransferExt-Protocol.h
-rw-r--r-- 1 n staff 3.1K 2 15 19:19 MMFTSMessageService.h
-rw-r--r-- 1 n staff 20K 2 15 19:19 MessageService.h
# n @ localhost in ~/vscodewsp/wechat/dump [21:02:25]
$
哎呦哎呦,就剩9個文件啦???那么這個一個個看也不礙事!!有時間就是任性!!!哼。最終定位到MessageService.h 打開一看,果然尼!真是運氣好!
- (id)SendLocationMsgFromUser:(id)arg1 toUser:(id)arg2 withLatitude:(double)arg3 longitude:(double)arg4 poiName:(id)arg5 label:(id)arg6;
- (id)SendNamecardMsgFromUser:(id)arg1 toUser:(id)arg2 containingContact:(id)arg3;
- (id)SendStickerStoreEmoticonMsgFromUsr:(id)arg1 toUsrName:(id)arg2 md5:(id)arg3 productID:(id)arg4;
- (id)SendEmoticonMsgFromUsr:(id)arg1 toUsrName:(id)arg2 md5:(id)arg3 emoticonType:(unsigned int)arg4;
- (id)SendImgMessage:(id)arg1 toUsrName:(id)arg2 thumbImgData:(id)arg3 midImgData:(id)arg4 imgData:(id)arg5 imgInfo:(id)arg6;
- (id)SendTextMessage:(id)arg1 toUsrName:(id)arg2 msgText:(id)arg3 atUserList:(id)arg4;
- (id)SendAppMusicMessageFromUser:(id)arg1 toUsrName:(id)arg2 withTitle:(id)arg3 url:(id)arg4 description:(id)arg5 thumbnailData:(id)arg6;
- (id)SendAppURLMessageFromUser:(id)arg1 toUsrName:(id)arg2 withTitle:(id)arg3 url:(id)arg4 description:(id)arg5 thumbnailData:(id)arg6;
- (id)SendAppURLMessageFromUser:(id)arg1 toUsrName:(id)arg2 withTitle:(id)arg3 url:(id)arg4 description:(id)arg5 thumbUrl:(id)arg6 sourceUserName:(id)arg7 sourceDisplayName:(id)arg8;
你看這功能不就來了嘛?Send開頭的都是發送消息的函數啊。OK完事。那么就開始搞它!
PS:其實分析時候還是挺費事的,但是大家自己多動手肯定能找到的!
5.FridaHook驗證
為了驗證自己的分析是不是正確的,我們得進行驗證啊,怎么驗證?frida大法好!執行以下命令:
frida-trace -m "-[MessageService Send*]" 微信
$ frida-trace -m "-[MessageService Send*]" 微信
Instrumenting...
-[MessageService SendTextMessageWithString:toUser:]: Auto-generated handler at "/Users/n/vscodewsp/wechat/__handlers__/MessageService/SendTextMessageWithString_toUser_.js"
-[MessageService SendAppURLMessageFromUser:toUsrName:withTitle:url:description:thumbUrl:sourceUserName:sourceDisplayName:]: Auto-generated handler at "/Users/n/vscodewsp/wechat/__handlers__/MessageService/SendAppURLMessageFromUser_toUsrN_eaefd0af.js"
------------------------------------------------------------------------------
-[MessageService SendNamecardMsgFromUser:toUser:containingContact:]: Auto-generated handler at "/Users/n/vscodewsp/wechat/__handlers__/MessageService/SendNamecardMsgFromUser_toUser_c_b5899e8d.js"
Started tracing 18 functions. Press Ctrl+C to stop.
然后會在當前目錄生成__handlers__文件夾,里面是frida為我們自動生成的hook腳本文件。我們使用微信發送一條消息試試。
然后終端會輸出一條信息:
195323 ms -[MessageService SendTextMessage:0x600000b6fae0 toUsrName:0x6503cfa934d442eb msgText:0x6000002ec860 atUserList:0x600000a73570]
這個就是觸發了發送消息的hook信息啦。SendTextMessage 是不是跟我們在頭文件信息里面看到的一樣。
我們找到handles文件夾下SendTextMessage這個js文件,試試修改log輸出然后再執行
frida-trace -m "-[MessageService Send*]" 微信
我們可以看到輸出變啦
2908 ms -[我的消息測試 SendTextMessage:0x600000b6fae0 toUsrName:0x6503cfa934d442eb msgText:0x6722df8306c2767b atUserList:0x6000009c2760]
如此可以確定我們找到的函數就是發送消息的函數。那么看看能不能打印出自己發送的消息內容
- (id)SendTextMessage:(id)arg1 toUsrName:(id)arg2 msgText:(id)arg3 atUserList:(id)arg4;
可以看到這個函數一共有4個參數:參數一:暫時不知道。參數二:toUsrName,我們可以知道是消息發送給誰的。參數三:msgText 消息內容,消息四:暫時不知道
分別把這四個參數給打印出來試試!修改js文件
onEnter(log, args, state) {
console.log(`-[我的消息測試 SendTextMessage:${args[2]} toUsrName:${args[3]} msgText:${args[4]} atUserList:${args[5]}]`);
console.log("arg[1] -> " + new ObjC.Object(args[2]))
console.log("arg[2] -> " + new ObjC.Object(args[3]))
console.log("arg[3] -> " + new ObjC.Object(args[4]))
console.log("arg[4] -> " + new ObjC.Object(args[5]))
},
然后執行 frida-trace -m "-[MessageService Send*]" 微信 發送一條消息
arg[1] -> wxid_*****63i822
arg[2] -> filehelper
arg[3] -> 這個是消息測試
arg[4] ->
/* TID 0x307 */
14534 ms -[我的消息測試 SendTextMessage:0x600000b6fae0 toUsrName:0x6503cfa934d442eb msgText:0x600000adefd0 atUserList:0x600000add470]
我們可以看到終端正確響應了,輸出的正是我們發送的消息。那么我修改發送內容試試??添加如下代碼:
args[4] = ObjC.classes.NSString.stringWithString_("MacOS微信分析")
然后微信發送任何消息,對方都將收到的是MacOS微信分析
這樣我們就確定了發送文本消息的函數就是這個。那么我們如何主動調用它呢?
6.Hopper分析程序代碼
從上面的分析我們看到發送消息需要四個參數。第一個:通過分析應該是我們自己的微信id,第二個:對方的微信id,第三個:消息內容,第四個:可以為null
那么就打開hopper拖入微信具體分析分析吧
應用程序->微信->顯示包內容->Contents->MacOS->WeChat 拖進hopper然后默認選項即可
在左邊輸入SendTextMessage搜索我們可以看到上面四個應該是我們所需要的,都打開看下偽代碼。(我們分析需要找到函數調用的地方就能知道傳參,然后再去分析參數是如何而來。那么除了函數定義地方代碼,其余的都可以找到。
MMMessageSendLogic :
/* @class MMMessageSendLogic */
-(unsigned char)sendTextMessageWithString:(void *)arg2 mentionedUsers:(void *)arg3 {
r14 = self;
r15 = [arg2 retain];
r12 = [arg3 retain];
r13 = [[CUtility filterStringForTextMessage:r15] retain];
[r15 release];
if ([r13 length] != 0x0) {
stack[-64] = r12;
rax = [r13 lengthOfBytesUsingEncoding:0x4];
rbx = rax;
if (rax >= 0x4001) {
rax = [[NSString alloc] initWithFormat:@"ERROR: Text too long, length: %lu, utf8 length: %lu", [r13 length], rbx];
stack[0] = "-[MMMessageSendLogic sendTextMessageWithString:mentionedUsers:]";
[MMLogger logWithMMLogLevel:0x2 module:"ComposeInputView" file:0x103e0e162 line:0x112 func:stack[0] message:rax];
[rax release];
rax = [NSBundle mainBundle];
rax = [rax retain];
stack[-72] = rax;
r15 = [[rax localizedStringForKey:@"Message.Input.Too.Long.Title" value:@"" table:0x0] retain];
rax = [NSBundle mainBundle];
rax = [rax retain];
r14 = rax;
rax = [rax localizedStringForKey:@"Message.Input.Too.Long.Content" value:@"" table:0x0];
rax = [rax retain];
[NSAlert showAlertSheetWithTitle:r15 message:rax completion:0x0];
[rax release];
[r14 release];
[r15 release];
[stack[-72] release];
r14 = 0x0;
r12 = stack[-64];
}
else {
rax = [WeChat sharedInstance];
rax = [rax retain];
r15 = [[rax CurrentUserName] retain];
[rax release];
rax = [r14 currnetChatContact];
rax = [rax retain];
r14 = [[rax m_nsUsrName] retain];
[rax release];
r12 = [[MMServiceCenter defaultCenter] retain];
objc_unsafeClaimAutoreleasedReturnValue([[[r12 getService:[MessageService class]] retain] SendTextMessage:r15 toUsrName:r14 msgText:r13 atUserList:stack[-64]]);
[rax release];
[r12 release];
[r14 release];
[r15 release];
r14 = 0x1;
r12 = stack[-64];
r13 = r13;
}
}
else {
rax = [[NSString alloc] initWithFormat:@"ERROR: Text is empty, can't send"];
stack[0] = "-[MMMessageSendLogic sendTextMessageWithString:mentionedUsers:]";
[MMLogger logWithMMLogLevel:0x2 module:"ComposeInputView" file:0x103e0e162 line:0x10c func:stack[0] message:rax];
[rax release];
r14 = 0x0;
}
[r13 release];
[r12 release];
rax = r14 & 0xff;
return rax;
}
這個偽代碼看的就比較清楚了,
objc_unsafeClaimAutoreleasedReturnValue([[[r12 getService:[MessageService class]] retain] SendTextMessage:r15 toUsrName:r14 msgText:r13 atUserList:stack[-64]]);
我們可以看到第一個參數是r15,網上追溯r15,
r15 = [[rax CurrentUserName] retain]; r15是這里賦值的,那么再看看CurrentUserName方法內容。
-(void *)CurrentUserName {
if ([self isLoggedIn] != 0x0) {
rdi = [[CUtility GetCurrentUserName] retain];
}
else {
rdi = 0x0;
}
rax = [rdi autorelease];
return rax;
}
可以看到是先判斷是不是已經登錄,然后調用CUtility類里面的GetCurrentUserName方法獲得的。那么第一個參數我們就知道了。其余三個參數我們也很容易的可以手動構造。我們編寫js腳本代碼
7.編寫frida腳本
console.log("init success");
function SendTextMessage(wxid, msg) {
var message = ObjC.chooseSync(ObjC.classes.MessageService)[0]
var username = ObjC.classes.CUtility.GetCurrentUserName();
console.log(username)
console.log("Type of arg[0] -> " + message)
var toUsrName = ObjC.classes.NSString.stringWithString_(wxid);
var msgText = ObjC.classes.NSString.stringWithString_(msg);
message["- SendTextMessage:toUsrName:msgText:atUserList:"](username, toUsrName, msgText, null);
}
SendTextMessage("filehelper","主動調用發送信息!")
將以上文本保存js文件,然后執行以下命令:
frida 微信 --debug --runtime=v8 --no-pause -l test.js
我們就可以看到微信上發送了一條消息
8.消息監聽
上面我們實現了微信消息的篡改及主動發送功能。那么我們再去看看微信是如何接到消息信息的!每當有人活或者群給我們發送消息的時候電腦或手機上一般都會提示通知,那么通知的英文是什么?notify 翻譯就是通知的意思,我們碰碰運氣看看能不能找到相關字樣。還是在MessageService里面我們找到了- (void)notifyAddMsgOnMainThread:(id)arg1 msgData:(id)arg2; 這個方法,如何去確定它到底是不是尼?還是繼續用frida去進行驗證。
frida-trace -m "-[MessageService notify*]" 微信
執行上述命令
$ frida-trace -m "-[MessageService notify*]" 微信
Instrumenting...
-[MessageService notifyModMsgOnMainThread:msgData:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MessageService/notifyModMsgOnMainThread_msgData_.js"
-[MessageService notifyAppMsgUploadProgress:msgData:uploadedBytes:totalBytes:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MessageService/notifyAppMsgUploadProgress_msgDa_9b03499e.js"
-[MessageService notifyVideoMsgUploadProgress:msgData:uploadedBytes:totalBytes:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MessageService/notifyVideoMsgUploadProgress_msg_e1db5f92.js"
-[MessageService notifyNewMsgNotificationOnMainThread:msgData:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MessageService/notifyNewMsgNotificationOnMainTh_d56d83b5.js"
-[MessageService notifyChatSyncMsgsOnMainThread:msgList:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MessageService/notifyChatSyncMsgsOnMainThread_msgList_.js"
-[MessageService notifyChatSyncMessagesMergedOnMainThread:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MessageService/notifyChatSyncMessagesMergedOnMainThread_.js"
-[MessageService notifyRevokePatMsgOnMainThread:n64MsgId:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MessageService/notifyRevokePatMsgOnMainThread_n64MsgId_.js"
-[MessageService notifyAddRevokePromptMsgOnMainThread:msgData:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MessageService/notifyAddRevokePromptMsgOnMainTh_81637ebf.js"
-[MessageService notifyDelMsgOnMainThread:msgData:isRevoke:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MessageService/notifyDelMsgOnMainThread_msgData_5bbc2297.js"
-[MessageService notifyMsgDeletedForSessionOnMainThread:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MessageService/notifyMsgDeletedForSessionOnMainThread_.js"
-[MessageService notifyDelAllMsgOnMainThread:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MessageService/notifyDelAllMsgOnMainThread_.js"
-[MessageService notifyAddMsgListForSessionOnMainThread:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MessageService/notifyAddMsgListForSessionOnMainThread_.js"
-[MessageService notifyUnreadCntChangeOnMainThread:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MessageService/notifyUnreadCntChangeOnMainThread_.js"
-[MessageService notifyMsgResendOnMainThread:msgData:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MessageService/notifyMsgResendOnMainThread_msgData_.js"
-[MessageService notifyImgMsgUploadProgress:msgData:uploadedBytes:totalBytes:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MessageService/notifyImgMsgUploadProgress_msgDa_e4e0cd43.js"
-[MessageService notifyAppMsgDownloadProgress:msgData:downloadedBytes:totalBytes:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MessageService/notifyAppMsgDownloadProgress_msg_4e191704.js"
-[MessageService notifyUIAndSessionOnMainThread:withMsg:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MessageService/notifyUIAndSessionOnMainThread_withMsg_.js"
-[MessageService notifyAddMsgOnMainThread:msgData:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MessageService/notifyAddMsgOnMainThread_msgData_.js"
Started tracing 18 functions. Press Ctrl+C to stop.
我們可以看到有不少的方法被hook了,但是沒事。我們用微信發送一個消息給自己或者其他人都可以看看輸出。
/* TID 0x307 */
157082 ms -[MessageService notifyAddMsgOnMainThread:0x6503cfa934d442eb msgData:0x7fd903c9fa00]
/* TID 0x31e17 */
157092 ms -[MessageService notifyUnreadCntChangeOnMainThread:0x6503cfa934d442eb]
/* TID 0xb5c27 */
157228 ms -[MessageService notifyModMsgOnMainThread:0x6503cfa934d442eb msgData:0x7fd903c9fa00]
我們可以看到三層相關的調用,那么我們就先看第一個notifyAddMsgOnMainThread 修改下js文件。
onEnter(log, args, state) {
log(`-[MessageService notifyAddMsgOnMainThread:${args[2]} msgData:${args[3]}]`);
},
以我們上面的經驗很快的就可以看出這個應該就是消息接受的方法,msgdata就是我們所需要的消息內容。那么我們還是得繼續驗證。把參數都打印出來看看。修改添加如下js
console.log("Type of arg[2] -> " + new ObjC.Object(args[2]).$className)
console.log("Type of arg[3] -> " + new ObjC.Object(args[3]).$className)
這兩句話是為了輸出2個參數的類型。然后也修改下frida命令執行
frida-trace -m "-[MessageService notifyAddMsgOnMainThread*]" 微信
可以看到第一個參數是String,第二個參數是MessageData
$ frida-trace -m "-[MessageService notifyAddMsgOnMainThread*]" 微信
Instrumenting...
-[MessageService notifyAddMsgOnMainThread:msgData:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MessageService/notifyAddMsgOnMainThread_msgData_.js"
Started tracing 1 function. Press Ctrl+C to stop.
Type of arg[2] -> NSTaggedPointerString
Type of arg[3] -> MessageData
/* TID 0x307 */
2170 ms -[MessageService notifyAddMsgOnMainThread:0x6503cfa934d442eb msgData:0x7fd90401c960]
MessageData是消息的結構體,那么我們就去頭文件中搜索一下這個MessageData
# n @ localhost in ~/vscodewsp/wechat/dump [7:46:01] C:1
$ ll -l|grep MessageData
-rw-r--r-- 1 n staff 2.5K 2 15 19:19 FTSFileMessageData.h
-rw-r--r-- 1 n staff 2.0K 2 15 19:19 FTSMessageData.h
-rw-r--r-- 1 n staff 794B 2 15 19:19 IMessageDataExt-Protocol.h
-rw-r--r-- 1 n staff 6.2K 2 15 19:19 MMChatMessageDataSource.h
-rw-r--r-- 1 n staff 25K 2 15 19:19 MessageData.h
-rw-r--r-- 1 n staff 550B 2 15 19:19 MessageDataGroup.h
-rw-r--r-- 1 n staff 2.9K 2 15 19:19 MessageDataPackedInfo.h
-rw-r--r-- 1 n staff 262B 2 15 19:19 NSPasteboard-MessageData.h
可以看到是有MessageData這個文件的。那么我們打開看看
@interface MessageData : NSObject <NSPasteboardItemDataProvider, IAppMsgPathMgr, IMsgExtendOperation, NSCopying, WCTTableCoding, WCTColumnCoding>
{
unsigned int mesLocalID;
long long mesSvrID;
NSString *fromUsrName;
NSString *toUsrName;
unsigned int messageType;
NSString *msgContent;
NSString *msgVoiceText;
unsigned int m_uiVoiceToTextStatus;
unsigned int msgStatus;
unsigned int msgImgStatus;
NSString *msgRealChatUsr;
NSString *msgPushContent;
unsigned int m_uiTranslateStatus;
NSString *msgSource;
unsigned int mesDes;
unsigned int msgSeq;
BOOL bForward;
NSData *m_dtThumbnail;
unsigned int msgCreateTime;
unsigned int m_uiSendTime;
unsigned int m_uiDownloadStatus;
id <IMsgExtendOperation> m_extendInfoWithMsgType;
id <IMsgExtendOperation> m_extendInfoWithFromUsr;
BOOL isAutoIncrement;
BOOL m_bShouldShowAll;
BOOL m_bIsMultiForwardMessage;
BOOL m_shouldReloadOriginal;
BOOL m_bHasOriginalMessage;
unsigned int IntRes1;
unsigned int IntRes2;
unsigned int m_uiFileUploadStatus;
unsigned int m_uiOriginalImgHeight;
unsigned int m_uiOriginalImgWidth;
unsigned int m_uiSrcCreateTime;
unsigned int _m_nsMsgCrc32;
unsigned int _m_uiUploadedBytes;
unsigned int _m_uiDownloadedBytes;
unsigned int _m_uiTotalBytes;
int _m_nCdnServerRetCode;
unsigned int _m_uiResendMessageCount;
long long lastInsertedRowID;
NSString *StrRes1;
NSString *StrRes2;
MMTranslateResult *m_nsTranslationResult;
NSString *m_nsFilePath;
NSString *m_nsVideoPath;
NSString *m_nsVideoThumbPath;
NSString *dataMd5;
MessageData *m_refMessageData;
MessageDataPackedInfo *m_packedInfo;
NSString *m_nsSrcUserName;
NSString *m_nsSrcNickName;
NSString *m_nsAtUserList;
NSString *_m_nsImgFileName;
NSString *_m_nsBigFileErrMsg;
SecondMsgNode *_secondMsgNode;
MessageData *_referHostMsg;
}
看各個屬性名應該沒問題,就是他。那么我們直接修改js代碼進行輸出試試。
var MessageData = new ObjC.Object(args[3]).$ivars;
console.log("fromUsrName -> " + MessageData.fromUsrName)
console.log("toUsrName -> " + MessageData.toUsrName)
console.log("msgContent -> " + MessageData.msgContent)
運行frida-trace -m "-[MessageService notifyAddMsgOnMainThread*]" 微信
-[MessageService notifyAddMsgOnMainThread:msgData:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MessageService/notifyAddMsgOnMainThread_msgData_.js"
Started tracing 1 function. Press Ctrl+C to stop.
Type of arg[2] -> NSTaggedPointerString
Type of arg[3] -> MessageData
fromUsrName -> wxid_pk1reltk63i822
toUsrName -> filehelper
msgContent -> 消息監聽測試
/* TID 0x307 */
14909 ms -[MessageService notifyAddMsgOnMainThread:0x6503cfa934d442eb msgData:0x7fd904426980]
如上我們可以看到成功接收到別人發送的消息內容。