从 UI 入手,先找到微信本身的抢红包函数,然后由我们自己给它构造参数并调用。
cy# [#0x18d6dd10 nextResponder]
#"<WCRedEnvelopesRedEnvelopesDetailViewController: 0x193e2400>"
WCRedEnvelopesReceiveHomeView就是开红包弹框的类名
OnOpenRedEnvelopes
知道类名后,用cycript追踪它,点击开红包,在日志中找到了下图中的内容。从名字来看,这是一个事件处理函数。我们现在要做的,就是把它还原成 OC 代码,真正实现抢红包功能。
// Decompiler pseudo-code for -[WCRedEnvelopesReceiveHomeView OnOpenRedEnvelopes]. The listing is an
// excerpt: it stops before the function's closing brace.
// NOTE(review): loc_e0b79c is always called as (receiver, @selector(...), args...), so it is presumably
// the objc_msgSend stub; sub_e0b7a8 and loc_e0b7ac look like ARC retain/release helpers — confirm in
// the disassembly before relying on the readings below.
void -[WCRedEnvelopesReceiveHomeView OnOpenRedEnvelopes](void * self, void * _cmd) {
r7 = (sp - 0x14) + 0xc;
sp = sp - 0x34;
r10 = self;
// Sends objectForKey:@"isSender" to the m_dicBaseInfo ivar, then intValue to the result; r8 holds that int.
loc_e0b79c(r10->m_dicBaseInfo, @selector(objectForKey:), @"isSender");
r5 = sub_e0b7a8();
r8 = loc_e0b79c(r5, @selector(intValue));
loc_e0b7ac(r5);
// Same lookup for @"hbType"; the decompiler did not recover the receiver/selector of the follow-up call.
loc_e0b79c(r10->m_dicBaseInfo, @selector(objectForKey:), @"hbType");
r7 = r7;
r0 = sub_e0b7a8();
r4 = loc_e0b79c();
loc_e0b7ac(r0);
// Conditional move keyed on isSender > 0; the value is then spilled to the stack as a call argument.
if (r8 > 0x0) {
asm { movsgt r3, #0x1 };
}
asm { strd r3, r6, [sp, #0x2c + var_28] };
// Arguments of the next two calls were not recovered; 0x2db5 is an opaque constant in this listing.
loc_e0b79c();
r4 = sub_e0b7a8();
loc_e0b7f8(0x2db5, r4);
// Reads the m_delegate ivar and sends it WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes: the view only
// forwards the tap, so the request-building logic has to be looked for in the delegate's method.
r5 = loc_e0b7d0(*ivar_offset(m_delegate) + r10);
loc_e0b79c(r5, @selector(WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes));
继续寻找WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes
// Call that opens the red envelope: resolve the WCRedEnvelopesLogicMgr service through
// MMServiceCenter and hand it the request parameters.
id serviceCenter = [objc_getClass("MMServiceCenter") defaultCenter];
Class logicMgrClass = [objc_getClass("WCRedEnvelopesLogicMgr") class];
WCRedEnvelopesLogicMgr *logicMgr = [serviceCenter getService:logicMgrClass];
[logicMgr ReceiverQueryRedEnvelopesRequest:params];
// Decompiler pseudo-code for -[WCRedEnvelopesReceiveControlLogic WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes],
// the delegate method reached from the view's tap handler. Excerpt only: the function continues past this listing.
// NOTE(review): loc_1c0d080 is always called as (receiver, @selector(...), args...), so it is presumably
// the objc_msgSend stub; loc_1c0d08c / loc_1c0d090 look like ARC retain/release helpers — confirm.
void -[WCRedEnvelopesReceiveControlLogic WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes](void * self, void * _cmd) {
r7 = (sp - 0x14) + 0xc;
sp = sp - 0x94;
stack[2024] = self;
// Getter chain: m_data -> m_oSelectedMessageWrap -> m_oWCPayInfoItem -> m_c2cNativeUrl.
loc_1c0d080(self->m_data, @selector(m_oSelectedMessageWrap), objc_ivar_offset_WCRedEnvelopesControlLogic_m_data);
r10 = loc_1c0d08c();
loc_1c0d080(r10, @selector(m_oWCPayInfoItem));
r6 = loc_1c0d08c();
loc_1c0d080(r6, @selector(m_c2cNativeUrl));
r5 = loc_1c0d08c();
// Drops the fixed "wxpay://...receivehongbao?" prefix by its length; no prefix comparison is visible in this excerpt.
loc_1c0d080(r5, @selector(substringFromIndex:), loc_1c0d080(@"wxpay://c2cbizmessagehandler/hongbao/receivehongbao?", @selector(length)));
r4 = loc_1c0d08c();
loc_1c0d090(r5);
loc_1c0d090(r6);
loc_1c0d090(r10);
stack[2018] = r4;
// Decodes the remaining query string into a dictionary, splitting on "&" (r10 from here on).
loc_1c0d080(@class(WCBizUtil), @selector(dictionaryWithDecodedComponets:separator:), r4, @"&", stack[2011]);
r10 = loc_1c0d08c();
// Fresh NSMutableDictionary (r6, later r8) that collects the request parameters.
loc_1c0d080(@class(NSMutableDictionary), @selector(dictionary));
r6 = loc_1c0d08c();
// msgType is stored as the literal @"1" here, not read from the URL dictionary.
loc_1c0d080(r6, @selector(safeSetObject:forKey:), @"1", @"msgType");
// URL key "sendid" is copied to request key "sendId".
loc_1c0d080(r10, @selector(objectForKey:), @"sendid");
r5 = loc_1c0d08c();
loc_1c0d080(r6, @selector(safeSetObject:forKey:), r5, @"sendId");
loc_1c0d090(r5);
r0 = r10;
stack[2017] = r10;
r10 = *ivar_offset(m_data);
r8 = r6;
// URL key "channelid" is copied to request key "channelId".
loc_1c0d080(r0, @selector(objectForKey:), @"channelid");
r4 = loc_1c0d08c();
loc_1c0d080(r8, @selector(safeSetObject:forKey:), r4, @"channelId");
loc_1c0d090(r4);
// [[MMServiceCenter defaultCenter] getService:[CContactMgr class]] followed by getSelfContact (result in r6).
loc_1c0d080(@class(MMServiceCenter), @selector(defaultCenter));
r4 = loc_1c0d08c();
loc_1c0d080(r4, @selector(getService:), loc_1c0d080(@class(CContactMgr), @selector(class)));
r5 = loc_1c0d08c();
loc_1c0d080(r5, @selector(getSelfContact));
r6 = loc_1c0d08c();
r0 = r5;
r5 = @selector(m_oSelectedMessageWrap);
loc_1c0d090(r0);
loc_1c0d090(r4);
// The self contact's display name and avatar URL are stored as "nickName" and "headImg".
loc_1c0d080(r6, @selector(getContactDisplayName));
r4 = loc_1c0d08c();
loc_1c0d080(r8, @selector(safeSetObject:forKey:), r4, @"nickName");
loc_1c0d090(r4);
stack[2016] = r6;
loc_1c0d080(r6, @selector(m_nsHeadImgUrl));
r4 = loc_1c0d08c();
loc_1c0d080(r8, @selector(safeSetObject:forKey:), r4, @"headImg");
loc_1c0d090(r4);
// Sends m_oSelectedMessageWrap (selector kept in r5) to the m_data ivar again; the excerpt ends here.
loc_1c0d080(*(stack[2024] + r10), r5);
ldr r2, [r1] ; 0x2f2cec0,objc_ivar_offset_WCRedEnvelopesControlLogic_m_data
movw r1, #0x611c ; :lower16:(0x3423ce0 - 0x10edbc4), &@selector(m_oSelectedMessageWrap)
movt r1, #0x233 ; :upper16:(0x3423ce0 - 0x10edbc4), &@selector(m_oSelectedMessageWrap)
add r1, pc ; &@selector(m_oSelectedMessageWrap)
ldr.w r8, [r2] ; objc_ivar_offset_WCRedEnvelopesControlLogic_m_data
ldr r1, [r1] ; "m_oSelectedMessageWrap",@selector(m_oSelectedMessageWrap)
str r1, [sp, #0x8c + var_80]
ldr.w r0, [r0, r8]
blx -[MMMultipleMusicViewController getUpLoadTask:]+1788
mov r7, r7
blx -[MMMultipleMusicViewController getUpLoadTask:]+1800
mov sl, r0
movw r0, #0xde3a ; :lower16:(0x340ba20 - 0x10edbe6), &@selector(m_oWCPayInfoItem)
movt r0, #0x231 ; :upper16:(0x340ba20 - 0x10edbe6), &@selector(m_oWCPayInfoItem)
add r0, pc ; &@selector(m_oWCPayInfoItem)
ldr r1, [r0] ; "m_oWCPayInfoItem",@selector(m_oWCPayInfoItem)
mov r0, sl
str r1, [sp, #0x8c + var_84]
blx -[MMMultipleMusicViewController getUpLoadTask:]+1788
mov r7, r7
blx -[MMMultipleMusicViewController getUpLoadTask:]+1800
mov r6, r0
movw r0, #0xcdb6 ; :lower16:(0x340a9b8 - 0x10edc02), &@selector(m_c2cNativeUrl)
movt r0, #0x231 ; :upper16:(0x340a9b8 - 0x10edc02), &@selector(m_c2cNativeUrl)
add r0, pc ; &@selector(m_c2cNativeUrl)
ldr r1, [r0] ; "m_c2cNativeUrl",@selector(m_c2cNativeUrl)
mov r0, r6
str r1, [sp, #0x8c + var_88]
blx -[MMMultipleMusicViewController getUpLoadTask:]+1788
mov r7, r7
blx -[MMMultipleMusicViewController getUpLoadTask:]+1800
mov r5, r0
movw r0, #0xc082 ; :lower16:(0x3409ca0 - 0x10edc1e), &@selector(length)
movt r0, #0x231 ; :upper16:(0x3409ca0 - 0x10edc1e), &@selector(length)
add r0, pc ; &@selector(length)
ldr r1, [r0] ; "length",@selector(length)
movw r0, #0x5134 ; :lower16:(0x2fe2d60 - 0x10edc2c), @"wxpay://c2cbizmessagehandler/hongbao/receivehongbao?"
movt r0, #0x1ef ; :upper16:(0x2fe2d60 - 0x10edc2c), @"wxpay://c2cbizmessagehandler/hongbao/receivehongbao?"
str r1, [sp, #0x8c + var_7C]
add r0, pc ; @"wxpay://c2cbizmessagehandler/hongbao/receivehongbao?"
// Take the native URL from msgWrap's pay-info item, drop the fixed scheme/path prefix, and decode
// the remaining "&"-separated query string into a dictionary.
// NOTE(review): the URL comes from a received message and its prefix is not verified here;
// -substringFromIndex: raises NSRangeException when the string is shorter than the prefix —
// confirm the caller only reaches this code for red-envelope messages.
NSString *hongbaoUrlPrefix = @"wxpay://c2cbizmessagehandler/hongbao/receivehongbao?";
NSString *nativeUrl = [[[msgWrap m_oWCPayInfoItem] m_c2cNativeUrl] substringFromIndex:[hongbaoUrlPrefix length]];
NSDictionary *nativeUrlDict = [%c(WCBizUtil) dictionaryWithDecodedComponets:nativeUrl separator:@"&"];
最终得到的代码如下:
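// Request parameters, filled from the decoded native-URL query.
// -setObject:forKey: raises NSInvalidArgumentException on a nil value, and these values are parsed
// out of a received message, so an absent key is skipped rather than inserted. The decompiled
// original on this page sets the same fields through safeSetObject:forKey:, which by its name
// presumably tolerates nil.
// NOTE(review): the decompiled original stores the literal @"1" under @"msgType"; this code reads
// it from the URL instead — confirm which is intended.
NSMutableDictionary *args = [[%c(NSMutableDictionary) alloc] init];
id msgTypeValue = nativeUrlDict[@"msgtype"];
if (msgTypeValue != nil) {
    [args setObject:msgTypeValue forKey:@"msgType"];
}
id sendIdValue = nativeUrlDict[@"sendid"];
if (sendIdValue != nil) {
    [args setObject:sendIdValue forKey:@"sendId"];
}
id channelIdValue = nativeUrlDict[@"channelid"];
if (channelIdValue != nil) {
    [args setObject:channelIdValue forKey:@"channelId"];
}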
共分为四步
loc_1c0d080(r4, @selector(getService:), loc_1c0d080(@class(MMMsgLogicManager), @selector(class)));
r5 = loc_1c0d08c();
loc_1c0d080(r5, @selector(GetCurrentLogicController));
1、调用了 MMServiceCenter 的 defaultCenter 方法来获取 MMServiceCenter 实例
2、调用了 CContactMgr 的 class 方法
loc_1c0d080(r6, @selector(m_contact));
3、调用了第一步获取的 MMServiceCenter 实例的 getService: 方法,并把第二步得到的 class 作为参数传入
4、很明白了吧,第三步得到了 CContactMgr 实例,这里就是调用 CContactMgr 实例的 getSelfContact 方法获取自己的账户资料
}
loc_1c0d0f4();
loc_1c0d080(@class(MMServiceCenter), @selector(defaultCenter));
r4 = loc_1c0d08c();
loc_1c0d080(r4, @selector(getService:), loc_1c0d080(@class(WCPayLogicMgr), @selector(class)));
r0 = loc_1c0d08c();
loc_1c0d080(r0, @selector(setRealnameReportScene:), 0x3eb);
loc_1c0d090(r0);
loc_1c0d090(r4);
loc_1c0d080(@class(MMServiceCenter), @selector(defaultCenter));
r4 = loc_1c0d08c();
loc_1c0d080(r4, @selector(getService:), loc_1c0d080(@class(WCPayLogicMgr), @selector(class)));
loc_1c0d08c();
loc_1c0d080(*(stack[2024] + stack[2022]), @selector(m_structDicRedEnvelopesBaseInfo));
loc_1c0d08c();
loc_1c0d080();
r4 = loc_1c0d08c();
r5 = stack[2024];
asm { strd fp, r0, [sp, #0x8c + var_30] };
loc_1c0d094(stack[2023]);
r8 = loc_1c0d094(r5);
r5 = sp + 0x38;
asm { stm.w r0, {r6, sl, fp} };
loc_1c0d0f0();
loc_1c0d094(r8);
loc_1c0d080(stack[2020], @selector(checkHongbaoOpenLicense:acceptCallback:denyCallback:), r4, sp + 0x54, r5);
loc_1c0d090(r4);
loc_1c0d080(@class(MMServiceCenter), @selector(defaultCenter));
r4 = loc_1c0d08c();
loc_1c0d080(r4, @selector(getService:), loc_1c0d080(@class(CContactMgr), @selector(class)));
r5 = loc_1c0d08c();
loc_1c0d080(r5, @selector(getSelfContact));
r6 = loc_1c0d08c();
shi
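// Resolve the CContactMgr service through MMServiceCenter, fetch the logged-in user's own contact,
// and add its display name and avatar URL to the request parameters.
// Messaging nil returns nil, so a missing service or contact yields nil values; -setObject:forKey:
// would raise NSInvalidArgumentException on those, hence the guards. The decompiled original on
// this page sets both fields through safeSetObject:forKey:.
CContactMgr *contactManager = [[%c(MMServiceCenter) defaultCenter] getService:[%c(CContactMgr) class]];
CContact *selfContact = [contactManager getSelfContact];
id displayName = [selfContact getContactDisplayName];
if (displayName != nil) {
    [args setObject:displayName forKey:@"nickName"];
}
id headImgUrl = [selfContact m_nsHeadImgUrl];
if (headImgUrl != nil) {
    [args setObject:headImgUrl forKey:@"headImg"];
}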
yi