前言

使用以下代码实现隐藏自己的头像和昵称

重点研究WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes

// Resolve the contact service through the shared service center, then read the
// logged-in user's own contact record.
id serviceCenter = [%c(MMServiceCenter) defaultCenter];
CContactMgr *contactManager = [serviceCenter getService:[%c(CContactMgr) class]];
CContact *selfContact = [contactManager getSelfContact];

// Copy the display name and avatar URL into the request dictionary.
// -setObject:forKey: raises NSInvalidArgumentException on a nil object, so both
// getters must return a value here.
[args setObject:[selfContact getContactDisplayName]
         forKey:@"nickName"];
[args setObject:[selfContact m_nsHeadImgUrl]
         forKey:@"headImg"];

以下方法为拆红包的方法。

// Decompiler pseudo-code (not compilable). Forwards arg2 unchanged to
// GetHongbaoBusinessRequest:CMDID:OutputType:, with 0x3 and 0x1 in the CMDID and
// OutputType positions.
// NOTE(review): loc_e0b79c is presumably the objc_msgSend stub, and the trailing
// r7/lr look like decompiler artifacts rather than real arguments; confirm.
void -[WCRedEnvelopesLogicMgr ReceiverQueryRedEnvelopesRequest:](void * self, void * _cmd, void * arg2) {
    loc_e0b79c(self, @selector(GetHongbaoBusinessRequest:CMDID:OutputType:), arg2, 0x3, 0x1, r7, lr);
    return;
}
// Decompiler pseudo-code (not compilable). Same forwarding shape as
// ReceiverQueryRedEnvelopesRequest:, but with 0x4 in the CMDID position; arg2 is
// passed through without any validation visible in this method.
// NOTE(review): loc_e0b79c is presumably the objc_msgSend stub; confirm.
void -[WCRedEnvelopesLogicMgr OpenRedEnvelopesRequest:](void * self, void * _cmd, void * arg2) {
    loc_e0b79c(self, @selector(GetHongbaoBusinessRequest:CMDID:OutputType:), arg2, 0x4, 0x1, r7, lr);
    return;
}
                            // Isolated decompiler line: a call through loc_1c0d080 whose last argument is the
                            // literal @"sessionUserName". NOTE(review): presumably a setObject:forKey: on the
                            // request dictionary; the selector operand is not readable from this line, so confirm.
                            loc_1c0d080(stack[2023], stack[2012], r5, @"sessionUserName");

sessionUserName大概是会话名称,也就是群名称

// Adds the remaining two request fields. `xxx` is the author's placeholder for the
// session identifier; the combined hook later on this page passes msgWrap.m_nsFromUsr.
// -setObject:forKey: raises on nil, so both values must be non-nil.
[args setObject:nativeUrl forKey:@"nativeUrl"];
[args setObject:xxx forKey:@"sessionUserName"];

接下来这一段还是用MMServiceCenter来获取WCRedEnvelopesLogicMgr对象,然后调用它的OpenRedEnvelopesRequest:方法来拆红包,可以想象该方法的参数就是上面我们辛苦组装的字典

// Decompiler pseudo-code for the tail of the open-envelope UI path (not compilable).
// NOTE(review): from the call shapes, loc_1c0d080 looks like objc_msgSend, loc_1c0d08c like
// objc_retainAutoreleasedReturnValue, loc_1c0d094 like objc_retain and loc_1c0d090 like
// objc_release; these are inferred from usage, so confirm against the binary.
loc_1c0d0f4();
    // [[MMServiceCenter defaultCenter] getService:[WCPayLogicMgr class]], then
    // setRealnameReportScene: with the constant 0x3eb on the returned service.
    loc_1c0d080(@class(MMServiceCenter), @selector(defaultCenter));
    r4 = loc_1c0d08c();
    loc_1c0d080(r4, @selector(getService:), loc_1c0d080(@class(WCPayLogicMgr), @selector(class)));
    r0 = loc_1c0d08c();
    loc_1c0d080(r0, @selector(setRealnameReportScene:), 0x3eb);
    loc_1c0d090(r0);
    loc_1c0d090(r4);
    // Second lookup of the same WCPayLogicMgr service.
    loc_1c0d080(@class(MMServiceCenter), @selector(defaultCenter));
    r4 = loc_1c0d08c();
    loc_1c0d080(r4, @selector(getService:), loc_1c0d080(@class(WCPayLogicMgr), @selector(class)));
    loc_1c0d08c();
    // Reads m_structDicRedEnvelopesBaseInfo from an object stored at an ivar offset.
    loc_1c0d080(*(stack[2024] + stack[2022]), @selector(m_structDicRedEnvelopesBaseInfo));
    loc_1c0d08c();
    // Operands of the next call were lost by the decompiler.
    loc_1c0d080();
    r4 = loc_1c0d08c();
    r5 = stack[2024];
    // The stores below presumably populate the two stack blocks passed as callbacks; TODO confirm.
    asm { strd       fp, r0, [sp, #0x8c + var_30] };
    loc_1c0d094(stack[2023]);
    r8 = loc_1c0d094(r5);
    r5 = sp + 0x38;
    asm { stm.w      r0, {r6, sl, fp} };
    loc_1c0d0f0();
    loc_1c0d094(r8);
    // The app gates the open action on checkHongbaoOpenLicense:acceptCallback:denyCallback:.
    // No OpenRedEnvelopesRequest: call is visible in this listing.
    // NOTE(review): it presumably sits inside the accept callback (sp + 0x54); confirm.
    loc_1c0d080(stack[2020], @selector(checkHongbaoOpenLicense:acceptCallback:denyCallback:), r4, sp + 0x54, r5);
    loc_1c0d090(r4);
    loc_1c0d090(stack[2022]);
// Author's reconstruction of the final call. It targets WCRedEnvelopesLogicMgr directly,
// so the WCPayLogicMgr setup and the license check in the listing above are not executed on this path.
[[[%c(MMServiceCenter) defaultCenter] getService:[%c(WCRedEnvelopesLogicMgr) class]] OpenRedEnvelopesRequest:args];

领红包逻辑


到这里,我们再总结一下我们上面分析的过程……

得到m_oWCPayInfoItem属性
解析m_oWCPayInfoItem的m_c2cNativeUrl属性
得到selfcontact
组装相关参数
调用OpenRedEnvelopesRequest:领取红包

最终的抢红包代码合并起来如下:

#import "WxMsgPreview.h"

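%hook CMessageMgr

/**
 * Hook on the message-arrival callback. After the original implementation has run,
 * messages of type 49 whose content contains the red-envelope receive URL are
 * turned into an OpenRedEnvelopesRequest: call.
 *
 * Everything read from msgWrap is supplied by the remote sender and is therefore
 * untrusted. The original version inserted those values straight into an
 * NSMutableDictionary; a message that matched the content check but lacked pay info,
 * or lacked one of the expected query keys, made -setObject:forKey: raise on nil
 * inside the host process. A nil m_nsContent also passed the check, because
 * -rangeOfString: sent to nil yields location 0. This version validates every value
 * and simply returns when one is missing.
 *
 * @param message Passed through to the original implementation; not read here.
 * @param msgWrap The incoming message wrapper.
 */
-(void)AsyncOnAddMsg:(id)message MsgWrap:(CMessageWrap* )msgWrap {
    // %log writes the call and its arguments to the system log on every incoming
    // message; keep it for debugging sessions only.
    %log;
    %orig;

    if (msgWrap.m_uiMessageType != 49) {
        return;
    }

    // Red-envelope marker in the message body.
    NSString *content = msgWrap.m_nsContent;
    if (content == nil ||
        [content rangeOfString:@"wxpay://c2cbizmessagehandler/hongbao/receivehongbao"].location == NSNotFound) {
        return;
    }

    // Require the exact prefix before stripping it: -substringFromIndex: raises
    // NSRangeException when the string is shorter than the index, and a nil
    // m_c2cNativeUrl fails this test as well.
    NSString *receivePrefix = @"wxpay://c2cbizmessagehandler/hongbao/receivehongbao?";
    NSString *nativeUrl = [[msgWrap m_oWCPayInfoItem] m_c2cNativeUrl];
    if (![nativeUrl hasPrefix:receivePrefix]) {
        return;
    }
    nativeUrl = [nativeUrl substringFromIndex:[receivePrefix length]];

    NSDictionary *nativeUrlDict = [%c(WCBizUtil) dictionaryWithDecodedComponets:nativeUrl separator:@"&"];
    id msgType = nativeUrlDict[@"msgtype"];
    id sendId = nativeUrlDict[@"sendid"];
    id channelId = nativeUrlDict[@"channelid"];

    CContactMgr *contactManager = [[%c(MMServiceCenter) defaultCenter] getService:[%c(CContactMgr) class]];
    CContact *selfContact = [contactManager getSelfContact];
    id nickName = [selfContact getContactDisplayName];
    id headImg = [selfContact m_nsHeadImgUrl];
    id sessionUserName = msgWrap.m_nsFromUsr;

    // Any missing field means the message is not in the expected shape; do nothing
    // rather than raise inside the host application.
    if (msgType == nil || sendId == nil || channelId == nil ||
        nickName == nil || headImg == nil || sessionUserName == nil) {
        return;
    }

    NSMutableDictionary *args = [[NSMutableDictionary alloc] init];
    [args setObject:msgType forKey:@"msgType"];
    [args setObject:sendId forKey:@"sendId"];
    [args setObject:channelId forKey:@"channelId"];
    [args setObject:nickName forKey:@"nickName"];
    [args setObject:headImg forKey:@"headImg"];
    // As in the original, the value stored here is the query string with the prefix removed.
    [args setObject:nativeUrl forKey:@"nativeUrl"];
    [args setObject:sessionUserName forKey:@"sessionUserName"];

    [[[%c(MMServiceCenter) defaultCenter] getService:[%c(WCRedEnvelopesLogicMgr) class]] OpenRedEnvelopesRequest:args];
}

%end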
