The rear camera points to the Grand Canton Tower

Making the warehouse

1. Overview

Two days ago, I reversed WeChat to achieve location spoofing, and I wanted to build a fun trick to consolidate what I had learned before moving on to the next stage. Automatically grabbing red envelopes does not interest me much, and it has already been implemented. A new-message preview inside the article reading interface is something I actually need, but someone has already implemented it, so I will keep it to practice on some other time. Finally, after a long think, I decided to simply build a feature that mobile QQ once had: a see-through (perspective) background for the chat page, so that you do not fall over while chatting and walking.

The process is still the same: crack the shell (decrypt the app) -> class-dump -> Hopper decompile -> locate the classes and functions you want to hook -> write the tweak. Shell cracking and class-dump have been practiced before, so I will not repeat them here and will start directly from locating the hook points.

2. Hook point positioning

Here is a tip: change the system language to English. As programmers know, the English name of a feature is generally similar to the name of the corresponding class in the project, which helps us locate that class more quickly. For example, the English name of the nearby-people feature in WeChat is People Nearby, and the source file name does in fact contain this keyword.

2.1 Analysis with Reveal

For the chat details page, there is nowhere to see a corresponding "English feature name", so we use the dedicated tool Reveal (how to inject it was covered in the earlier article on disguising WeChat's location) to analyze WeChat's interface, a process that excites me as much as shedding girlish clothes:

Go to the chat details page and select the view corresponding to the controller in the view hierarchy. You can then see its controller in the Identity Inspector on the right:


All of a sudden, we have identified the class we need to hook.

2.2 Hook method conjecture

Let’s start with a brief analysis of the features we need to implement:

  1. The background of the chat details page is replaced with a live image from the rear camera
  2. A button is added on the right side of the NavigationBar to switch the perspective (see-through) view on and off

From this it follows that we need to hook the following methods:

  • viewWillAppear: add the control button here (adding it in viewDidLoad fails on the second entry)
  • viewDidAppear: a small optimization so that, when entering the details page, the perspective view is in the same on/off state as it was last time
  • viewWillDisappear: when leaving the details page, close the perspective view and release the related resources
  • willRotateToInterfaceOrientation: page rotation breaks the previewer's layout, so the previewer needs to be stopped while the page is rotating and reopened after the rotation. Here WeChat still uses the old deprecated methods rather than what Apple recommends, which can be seen from the class-dump header files or the Hopper decompilation
  • didRotateFromInterfaceOrientation: same as above

The code will not be posted here since it is not very interesting; the source can be viewed on GitHub.

3. Theos

The Theos project uses a Manager to handle the AVFoundation-related operations for me, and ARC needs to be enabled for it in the Makefile (more detailed Logos syntax can be found in the wiki):

AVManager.m_CFLAGS = -fobjc-arc

The complete Makefile is posted here:

THEOS_DEVICE_IP = 192.168.0.137
# Theos reads the architecture list from ARCHS
ARCHS = arm64
TARGET = iphone:9.3

include $(THEOS)/makefiles/common.mk

TWEAK_NAME = WeTransparentChat
WeTransparentChat_FILES = Tweak.xm AVManager.m
WeTransparentChat_FRAMEWORKS = UIKit AVFoundation
# Compile AVManager.m with ARC enabled
AVManager.m_CFLAGS = -fobjc-arc

include $(THEOS_MAKE_PATH)/tweak.mk

# Restart WeChat after installation so the tweak is loaded
after-install::
	install.exec "killall -9 WeChat"

In addition, note that the use of %log was copied directly from the description in the original book. I do not know whether it is because of system differences, but the /var/logs/syslog mentioned in the book does not exist by default; you need to do some configuration, or simply use another method to obtain the syslog in real time.

Search Cydia for socat and install it. socat is a powerful alternative to Netcat on Linux; it provides a two-way channel between two streams. Get the syslog in real time with the following command:

socat - UNIX-CONNECT:/var/run/lockdown/syslog.sock

> watch

It then outputs a stream of miscellaneous messages, including our %log data; fortunately, the target process's output is highlighted in iTerm. In addition, I have not found a way to filter the output for the time being. It seems that the output obtained by filtering with * is a historical array, not real time.
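One way to narrow the socat stream to the target process while keeping it live, as an added example that is not part of the original post. The function name filter_syslog, the "date host process[pid] <level>: message" line layout, the whitespace-indented continuation lines and the sample lines are all assumptions made for illustration:

```shell
#!/bin/sh
# Added example, not from the original post.
# filter_syslog PROC [TEXT]: read syslog lines on stdin and print only the
# entries logged by process PROC (tag "PROC[pid]"), optionally only those
# that also contain the fixed string TEXT. Continuation lines (assumed to
# start with whitespace) are kept when the entry they belong to was kept.
# Output is flushed per line so the stream stays real time.
filter_syslog() {
    tr -d '\000' | awk -v proc="$1" -v text="${2:-}" '
        /^[ \t]/ {                       # continuation of the previous entry
            if (keep) { print; fflush() }
            next
        }
        {
            keep = (index($0, " " proc "[") > 0) && (text == "" || index($0, text) > 0)
            if (keep) { print; fflush() }
        }'
}

# Constructed sample input in the assumed layout (not captured from a device).
sample_log() {
    printf '%s\n' \
      'Mar  3 10:00:01 iPhone SpringBoard[58] <Warning>: unrelated message' \
      'Mar  3 10:00:02 iPhone WeChat[1234] <Warning>: [WeTransparentChat] viewWillAppear:' \
      '    second line of the same entry' \
      'Mar  3 10:00:03 iPhone locationd[70] <Notice>: unrelated message' \
      '    continuation of an unrelated entry' \
      'Mar  3 10:00:04 iPhone WeChat[1234] <Warning>: other WeChat output'
}

# Live use on the device (type "watch" once connected, as above):
#   socat - UNIX-CONNECT:/var/run/lockdown/syslog.sock | filter_syslog WeChat
# Offline check with the constructed sample:
#   sample_log | filter_syslog WeChat WeTransparentChat
```

Passing the tweak name as the second argument drops the rest of WeChat's own logging, provided the %log lines carry that name.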

All that remains is a repeated cycle of testing with make package install.