[iOS] On the shake window in iOS QQ 6.0

Posted on 2016-6-6 18:40:17
I'm new to iOS reversing and itching to try something. A friend happened to give me a headache with endless window shakes, so I wanted to see whether iOS QQ could also shake without limit. Consider it practice.
Of course, as a total newbie I'm only sharing my own learning process; experts, please go easy on me.
Tools needed: Reveal, IDA, theos
QQ version: 6.0.0
Test environment: iOS 8.4, iPhone 5s
Note: QQ was installed from the App Store, already decrypted (dumped) in advance, with the headers exported.

First open the QQ chat screen, then open Reveal, select the iPhone and look at the controls in the QQ interface. A shake is only sent when the shake image is tapped, so the response handler must live either in the control's header or in the Controller.

The control class turns out to be QQRichControl; let's go look at its header.

```objc
#import "UIButton.h"

#import "AvatarServiceDelegate.h"

@class NSString, UIImageView;

@interface QQRichControl : UIButton <AvatarServiceDelegate>
{
    NSString *_controlKey;
    unsigned long long _flag;
    id _userData;
    _Bool _shouldShowRedPoint;
    int _xo;
    NSString *_imageName;
    UIImageView *_redPoint;
}

+ (id)buttonWithFlag:(unsigned long long)arg1;
+ (id)buttonWithFlag:(unsigned long long)arg1 title:(id)arg2 icon:(id)arg3;
+ (id)buttonWithFlag:(unsigned long long)arg1 title:(id)arg2 icon:(id)arg3 userData:(id)arg4;
- (void)dealloc;
- (void)didLoadImage:(id)arg1 identity:(id)arg2 type:(int)arg3 size:(int)arg4 shape:(int)arg5 avatarInfo:(id)arg6;
- (struct CGRect)imageRectForContentRect:(struct CGRect)arg1;
- (id)initWithFrame:(struct CGRect)arg1;
- (void)loadImageWithImageName:(id)arg1 defaultImage:(id)arg2;
- (id)redPoint;
@property(nonatomic) _Bool shouldShowRedPoint; // @dynamic shouldShowRedPoint;
- (struct CGRect)titleRectForContentRect:(struct CGRect)arg1;

// Remaining properties
@property(retain, nonatomic) NSString *controlKey; // @dynamic controlKey;
@property(readonly, copy) NSString *debugDescription;
@property(readonly, copy) NSString *description;
@property(nonatomic) unsigned long long flag; // @dynamic flag;
@property(readonly) unsigned long long hash;
@property(readonly) Class superclass;
@property(retain, nonatomic) id userData; // @dynamic userData;

@end
```



QQRichControl inherits from UIButton, but nothing tap-related shows up in its header, so let's look in the Controller's header.


```objc
//
//     Generated by class-dump 3.5 (64 bit).
//
//     class-dump is Copyright (C) 1997-1998, 2000-2001, 2004-2013 by Steve Nygard.
//

#import "QQBaseChatViewController.h"

#import "GetTroopMemberProtocol.h"
#import "GetTroopRemarkProtocol.h"
#import "UIAlertViewDelegate.h"

@class NSDictionary, NSMutableArray, NSMutableDictionary, NSString, QC2CRoamMessageService, QCCallEntry, QQAIOTipModel, QQBlueTimer, QQEncounterChatSettingController, QQMessageModel, QQNetWorkTipsView, QQPublicAccountLoadingView, QQRichMsgPreviewDialog, UIActionSheet, UIActivityIndicatorView, UIButton, UILabel, UIProgressView, UIView;

@interface QQChatViewController : QQBaseChatViewController <UIAlertViewDelegate, GetTroopMemberProtocol, GetTroopRemarkProtocol>
{
    UIButton *_historyButton;
    UIButton *_voiceModal;
    UIButton *_cardButton;
    QQBlueTimer *timer;
    QQBlueTimer *processTimer;
    UIProgressView *progress;
    UIActivityIndicatorView *act;
    NSDictionary *Imagedict;
    NSMutableDictionary *identDic;
    _Bool ifint;
    _Bool KeyBoard;
    int _displayMsgCount;
    _Bool _flagMsgBarInfoGroup;
    int _flagMsgTmp;
    NSString *_flagMsgBarValueUin;
    _Bool _isReqVideActionSheetShow;
    _Bool _supportInterfaceRote;
    ............
}

- (void)ActionSelectVideoFromAlbum;
- (void)ActionShakeWindowMsg;
- (_Bool)Confirmation;
    ........

@end
```


Found a suspicious method: - (void)ActionShakeWindowMsg; "Shake" is English for 抖动. (Actually I wasn't sure at first that this was the one; only after attaching lldb to QQ and setting a breakpoint did I confirm it is the shake function :)
In IDA, go to [QQChatViewController ActionShakeWindowMsg];


```asm
__text:00000001003F3990                 MOV             X19, X0
__text:00000001003F3994                 BL              _CFAbsoluteTimeGetCurrent
__text:00000001003F3998                 ADRP            X8, #qword_10368B8F8@PAGE
__text:00000001003F399C                 LDR             D1, [X8,#qword_10368B8F8@PAGEOFF]
__text:00000001003F39A0                 FSUB            D1, D0, D1
__text:00000001003F39A4                 FCMP            D0, #0.0
__text:00000001003F39A8                 FMOV            D2, #10.0
__text:00000001003F39AC                 FCCMP           D1, D2, #8, PL
__text:00000001003F39B0                 B.MI            loc_1003F3C24
```


CFAbsoluteTimeGetCurrent: from the name alone you can guess it fetches the current time.
__text:00000001003F39A8 FMOV D2, #10.0
This instruction loads the constant 10 into D2, and QQ's shake interval is exactly 10 s.
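As an added illustration (not code from the post), here is a C model of the interval gate the listing above implements, with the FCMP/FCCMP/B.MI flag logic spelled out so it is clear which inputs take the branch. The meaning of qword_10368B8F8 as the last-shake time, and the store back after a successful send, are assumptions: the listing does not show them.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added example, not code from the post: a C model of the interval gate in
 * -[QQChatViewController ActionShakeWindowMsg] as shown in the IDA listing.
 * Register names in the comments refer to that listing. */

#define SHAKE_INTERVAL_SECONDS 10.0          /* FMOV D2, #10.0 */

/* N flag after the instruction pair
 *   FCMP  D0, #0.0        ; flags from (now - 0.0)
 *   FCCMP D1, D2, #8, PL  ; if PL (N clear): flags from (elapsed - interval)
 *                         ; otherwise NZCV := #8, i.e. N set
 * Returns true when N is set, i.e. when B.MI loc_1003F3C24 would be taken. */
static bool n_flag_after_fccmp(double now, double elapsed, double interval)
{
    bool pl = !(now < 0.0);             /* PL holds unless now is negative (NaN also gives PL) */
    if (!pl)
        return true;                    /* NZCV = #8 -> N set */
    return elapsed < interval;          /* FCMP sets N exactly when elapsed < interval */
}

/* Assumed meaning of qword_10368B8F8: the time of the last shake that was sent. */
typedef struct { double last_shake_time; } shake_state;

/* true  -> the fall-through path runs (the shake is sent); the model then records
 *          'now' as the last shake time (assumed; the listing does not show the store)
 * false -> B.MI is taken and the request is dropped (assumed behaviour of loc_1003F3C24) */
bool shake_window_allowed(shake_state *s, double now)
{
    double elapsed = now - s->last_shake_time;      /* FSUB D1, D0, D1 */
    if (n_flag_after_fccmp(now, elapsed, SHAKE_INTERVAL_SECONDS))
        return false;                               /* B.MI loc_1003F3C24 */
    s->last_shake_time = now;
    return true;
}

int main(void)
{
    /* Constructed sample timeline: one send, then retries at +5 s, +9.9 s and +10 s. */
    shake_state s = { 0.0 };
    const double attempts[4] = { 100.0, 105.0, 109.9, 110.0 };
    for (int i = 0; i < 4; i++)
        printf("t=%.1f -> %s\n", attempts[i],
               shake_window_allowed(&s, attempts[i]) ? "sent" : "blocked (<10 s)");
    return 0;
}
```

Because this gate lives entirely in the sending client, it only constrains well-behaved clients; the post's own observation that Windows QQ still applied the interval on receipt is consistent with the receiving side enforcing it independently.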

At this point, patching the branch in theory already gives no-interval shaking (tested: the shake takes effect on the phone, but on Windows it's still the same, so presumably the message-receiving function has its own check).
But I don't know how to patch the app's binary in memory from a Tweak; on Windows a hijack patch or WriteProcessMemory would just do it. That stumped me.
So I grudgingly went and reversed the code that only executes when the interval exceeds 10 s. (I won't post the details.)
I'll just post the code; my English is terrible, so experts who see the naming, please just smile and move on...


    Tweak.xm
```objc
#import "QQShakeOffImpose.h"

%hook QQChatViewController

- (void)ActionShakeWindowMsg
{
    // Build the outgoing shake message (msgType 157) by hand; this is the send path
    // that the original handler only reaches once its 10 s interval has elapsed.
    QQMessageModel *message = [%c(QQMessageModel) new];
    [message setLoadingState:YES];
    [message setTime:[[%c(CIMEngine) GetInstance] GetServerTimeDiff]];
    [message setContent:@"抖一抖"];
    [message setInOut:NO];
    [message setRead:1];
    [message setMsgType:157];
    [message setMsgState:1];

    // Address the message to the peer of the current chat.
    QQBaseChatModel *TchatModel = [self GetBaseChatModel];
    NSString *Tuin = [TchatModel uin];
    [message setUin:Tuin];
    [message setGroupCode:nil];

    // Sequence number, random and uid as the C2C protocol layer expects them.
    unsigned int random = [[%c(QQMsgSyncManager) sharedInstance] getC2CSendMessageRandom];
    unsigned short msgseq = [[%c(QQMsgSyncManager) sharedInstance] getC2CSendMessageSeq:[message uin].longLongValue];
    [message setMsgSeq:msgseq];
    [message setMessageRandom:random];
    [message setMsgUid:[%c(QQMessageModel) randomToUid:random]];

    // Persist to the local C2C database, show it in the chat list and AIO view, then send.
    QQPlatform *Tplatform = [%c(QQPlatform) sharedPlatform];
    QQServiceCenter *TserviceCenter = [Tplatform QQServiceCenter];
    C2CDBService_MultiTable *multiTableDB = [TserviceCenter C2CMultiTableDB];
    [multiTableDB insertSendMessage:message];
    QQAIOMsgModel *msgModel = [%c(QQAIOMsgModel) createAIOModelWithMessageModel:message];

    QQChatListManager *listManager = [[%c(QServiceFactory) sharedFactory] getMessageListService];
    [listManager addMessage:message];
    [self appendMessage:msgModel];
    [[%c(QQF2FMessageSender) getInstance] SendPbShakeWindowMessage:message];
}

%end
```


    QQShakeOffImpose.h


```objc
@interface QServiceFactory : NSObject
+ (id)sharedFactory;
- (id)getMessageListService;
@end

@interface C2CDBService_MultiTable : NSObject
- (_Bool)insertSendMessage:(id)arg1;
@end

@interface QQServiceCenter : NSObject
{
    C2CDBService_MultiTable *m_c2cMultiTableDB;
}
- (id)C2CMultiTableDB;
@end

@interface CIMEngine : NSObject
+ (id)GetInstance;
- (int)GetServerTimeDiff;
@end

@interface QQPlatform : NSObject
+ (id)sharedPlatform;
- (id)QQServiceCenter;
@end

@interface QQMsgSyncManager : NSObject
+ (id)sharedInstance;
- (unsigned int)getC2CSendMessageRandom;
- (unsigned short)getC2CSendMessageSeq:(long long)arg1;
@end

@interface QQChatListManager : NSObject
- (void)addMessage:(id)arg1;
@end

@interface QQAIOModel : NSObject
+ (id)createAIOModelWithMessageModel:(id)arg1;
@end

@interface QQAIOMsgModel : QQAIOModel
{
}
@end

@interface QQPbMsgSenderBase : NSObject
- (int)SendPbShakeWindowMessage:(id)arg1;
@end

@interface QQF2FMessageSender : QQPbMsgSenderBase
+ (id)getInstance;
@end

@interface QQBaseChatModel : NSObject
@property(retain, nonatomic) NSString *uin;
@end

@interface QQMessageModel : NSObject
@property(nonatomic) _Bool loadingState;
@property(nonatomic) unsigned long long time;
@property(retain, nonatomic) id content;
@property(nonatomic) _Bool inOut;
@property(nonatomic) int read;
@property(nonatomic) int msgType;
@property(nonatomic, getter=msgState) int msgState;
@property(retain, nonatomic) NSString *uin;
@property(retain, nonatomic) NSString *groupCode;
@property(nonatomic) long long msgSeq;
@property(nonatomic) long long messageRandom;
@property(nonatomic) long long msgUid;

+ (unsigned long long)randomToUid:(unsigned int)arg1;

@end

@interface QQBaseChatViewController : NSObject
{
    QQBaseChatModel *_chatModel;
}
- (void)appendMessage:(id)arg1;
- (id)GetBaseChatModel;
@end

@interface QQChatViewController : QQBaseChatViewController
@end
```


    Makefile


```makefile
# This line is used by "make package install"; it can be removed if you only build the deb.
THEOS_DEVICE_IP = 192.168.0.100
ARCHS = armv7 arm64

TARGET = iPhone:latest:7.0

include theos/makefiles/common.mk

TWEAK_NAME = QQShakeOffImpose
QQShakeOffImpose_FILES = Tweak.xm

include $(THEOS_MAKE_PATH)/tweak.mk

after-install::
	install.exec "killall -9 QQ"
```




    control


```text
Package: com.brack.qqshakeoffimpose
Name: QQShakeOffImpose
Depends: mobilesubstrate
Version: 0.0.1
Architecture: iphoneos-arm
Description: An awesome MobileSubstrate tweak!
Maintainer: brack
Author: brack
Section: Tweaks
```


Posted on 2016-6-6 22:03:17
    ontroller : QQBaseChatViewController
Posted on 2016-6-7 09:05:39
Robbery! Hand over all your ** and the like.
Posted on 2016-6-7 09:27:19
Learned something, thanks!
Posted on 2016-6-7 13:16:47
Support! Hope you post more excellent threads~
Posted on 2016-6-18 11:18:32
I actually can't quite follow this.
Posted on 2019-2-28 17:07:38
Thanks to the OP for sharing, learned something~