ios uibutton 倒计时抖动_[iOS]关于iOS版QQ抖动窗口那些事

★★推荐关注本公众号！会有更多精彩内容等着大家！本期邀请链接藏在文章内哦！！

★★(点击上面“飘云阁”即可关注)

[iOS]关于iOS版QQ抖动窗口那些事

1.内容简介

初涉iOS逆向，蓄势待发，偶然被一好友无限抖动的头疼，所以就想去看看iOS版QQ是否也能无限抖动，就当练手了。
当然了，作为一只菜鸟，仅是分享自己的学习过程，大牛勿喷，么么哒。
所需工具：Reveal、IDA、theos
QQ版本：6.0.0
测试环境：iOS8.4、iPhone 5s
备注：QQ为App Store安装已提前砸壳并导出头文件

2.寻找切入点

首先打开QQ界面，并打开Reveal选择iPhone看QQ界面的控件。因为点击抖一抖图片才会发送抖动所以在控件的头文件或者Controller里面有响应事件。


发现控件类是QQRichControl，转至头文件去看一下。

#import "UIButton.h"

#import "AvatarServiceDelegate.h"

[url=home.php?mod=space&uid=341152]@Class[/url] NSString, UIImageView;

@interface QQRichControl : UIButton 
{
    NSString *_controlKey;
    unsigned long long _flag;
    id _userData;
    _Bool _shouldShowRedPoint;
    int _xo;
    NSString *_imageName;
    UIImageView *_redPoint;
}
+ (id)buttonWithFlag:(unsigned long long)arg1;
+ (id)buttonWithFlag:(unsigned long long)arg1 title:(id)arg2 icon:(id)arg3;
+ (id)buttonWithFlag:(unsigned long long)arg1 title:(id)arg2 icon:(id)arg3 userData:(id)arg4;
- (void)dealloc;
- (void)didLoadImage:(id)arg1 identity:(id)arg2 type:(int)arg3 size:(int)arg4 shape:(int)arg5 avatarInfo:(id)arg6;
- (struct CGRect)imageRectForContentRect:(struct CGRect)arg1;
- (id)initWithFrame:(struct CGRect)arg1;
- (void)loadImageWithImageName:(id)arg1 defaultImage:(id)arg2;
- (id)redPoint;
@property(nonatomic) _Bool shouldShowRedPoint; // [url=home.php?mod=space&uid=422403]@Dynamic[/url] shouldShowRedPoint;
- (struct CGRect)titleRectForContentRect:(struct CGRect)arg1;
// Remaining properties
@property(retain, nonatomic) NSString *controlKey; // @dynamic controlKey;
@property(readonly, copy) NSString *debugDescription;
@property(readonly, copy) NSString *description;
@property(nonatomic) unsigned long long flag; // @dynamic flag;
@property(readonly) unsigned long long hash;
@property(readonly) Class superclass;
@property(retain, nonatomic) id userData; // @dynamic userData;
@end

QQRichControl继承自UIButton，但是在头文件里面并没有发现有跟点击相关的，去Controller的头文件里面去看看。



今日邀请链接：

https://www.chinapyg.com/home.php?mod=invite&id=4730&c=z38s0s

//
//     Generated by class-dump 3.5 (64 bit).
//
//     class-dump is Copyright (C) 1997-1998, 2000-2001, 2004-2013 by Steve Nygard.
//

#import "QQBaseChatViewController.h"

#import "GetTroopMemberProtocol.h"
#import "GetTroopRemarkProtocol.h"
#import "UIAlertViewDelegate.h"

@class NSDictionary, NSMutableArray, NSMutableDictionary, NSString, QC2CRoamMessageService, QCCallEntry, QQAIOTipModel, QQBlueTimer, QQEncounterChatSettingController, QQMessageModel, QQNetWorkTipsView, QQPublicAccountLoadingView, QQRichMsgPreviewDialog, UIActionSheet, UIActivityIndicatorView, UIButton, UILabel, UIProgressView, UIView;

@interface QQChatViewController : QQBaseChatViewController 
{
    UIButton *_historyButton;
    UIButton *_voiceModal;
    UIButton *_cardButton;
    QQBlueTimer *timer;
    QQBlueTimer *processTimer;
    UIProgressView *progress;
    UIActivityIndicatorView *act;
    NSDictionary *Imagedict;
    NSMutableDictionary *identDic;
    _Bool ifint;
    _Bool KeyBoard;
    int _displayMsgCount;
    _Bool _flagMsgBarInfoGroup;
    int _flagMsgTmp;
    NSString *_flagMsgBarValueUin;
    _Bool _isReqVideActionSheetShow;
    _Bool _supportInterfaceRote;
    ............
}
- (void)ActionSelectVideoFromAlbum;
- (void)ActionShakeWindowMsg;
- (_Bool)Confirmation;
       ........
@end

发现了个可疑的方法“- (void)ActionShakeWindowMsg;”。Shake的意思是抖动的意思。(事实其实是我刚开始也不确定是不是这个，用lldb挂载QQ后下断后才确定就是抖动函数:)。

至此，切入点已经找到，下一节将分析它的实现。

3.逻辑分析



汇编代码如下：

__text:00000001003F3990                 MOV             X19, X0
__text:00000001003F3994                 BL              _CFAbsoluteTimeGetCurrent
__text:00000001003F3998                 ADRP            X8, #qword_10368B8F8@PAGE
__text:00000001003F399C                 LDR             D1, [X8,#qword_10368B8F8@PAGEOFF]
__text:00000001003F39A0                 FSUB            D1, D0, D1
__text:00000001003F39A4                 FCMP            D0, #0.0
__text:00000001003F39A8                 FMOV            D2, #10.0
__text:00000001003F39AC                 FCCMP           D1, D2, #8, PL
__text:00000001003F39B0                 B.MI            loc_1003F3C24

CFAbsoluteTimeGetCurrent看函数名就猜出是获取当前时间。
“__text:00000001003F39A8 FMOV D2, #10.0”
这句赋值给D2一个常量10，而QQ的抖动间隔正是10S的时间。

分析到这其实修改跳转就已经理论实现无间隔抖动了(经测试手机抖动有效果，Windows下还是一样，应该是接收消息的函数有判断)。

4.tweak实现

#import "QQShakeOffImpose.h"

%hook QQChatViewController

- (void)ActionShakeWindowMsg
{

    QQMessageModel *message = [%c(QQMessageModel) new];
    [message setLoadingState:YES];
    [message setTime:[[%c(CIMEngine) GetInstance] GetServerTimeDiff]];
    [message setContent:@"抖一抖"];
    [message setInOut:NO];
    [message setRead:1];
    [message setMsgType:157];
    [message setMsgState:1];

    QQBaseChatModel *TchatModel = [self GetBaseChatModel];
    NSString* Tuin = [TchatModel uin];
    [message setUin:Tuin];
    [message setGroupCode:nil];
    unsigned int random = [[%c(QQMsgSyncManager) sharedInstance] getC2CSendMessageRandom];

    unsigned short msgseq = [[%c(QQMsgSyncManager) sharedInstance] getC2CSendMessageSeq:[message uin].longLongValue];

    [message setMsgSeq:msgseq];
    [message setMessageRandom:random];

    [message setMsgUid:[%c(QQMessageModel) randomToUid:random]];
    QQPlatform *Tplatform = [%c(QQPlatform) sharedPlatform];
    QQServiceCenter* TserviceCenter = [Tplatform QQServiceCenter];
    C2CDBService_MultiTable *multiTablwDB =[TserviceCenter C2CMultiTableDB];
    [multiTablwDB insertSendMessage:message];
    QQAIOMsgModel *msgModel = [%c(QQAIOMsgModel) createAIOModelWithMessageModel:message];

    QQChatListManager* listManager = [[%c(QServiceFactory) sharedFactory] getMessageListService];

    [listManager addMessage:message];
    [self appendMessage:msgModel];
    [[%c(QQF2FMessageSender) getInstance] SendPbShakeWindowMessage:message];

}

%end

如果大家有好的文章，也可以在公众号菜单里面选择“更多”→“我要投稿”，若被采纳：

1.将被编辑发布到公众号内

2.对于没有邀请码的朋友将赠送邀请码一枚。