XXPC端技术研究-解密微信的数据库(数据文件)
本帖最后由 Kido 于 2019-6-6 18:32 编辑正如我之前帖子所说,对ReadFile,下个断点,然后对读取的内存地址下个硬件断点。解密的时候跟一下就知道了。没难度的。
两幅图说明问题
---
更新微信dat文件反编译工具
适用于反编译 你的文档\WeChat Files\你的微信名\Data 里的dat文件 本帖最后由 JuncoJet 于 2019-3-7 11:15 编辑
好吧,刚才只是说加密的数据文件,比如图片表情包、视频等
这个才是真正的数据库解密算法,MMX指令,1是看不懂,2是OD显示显得无能为力了。
---
补充,那个OD无法解析的指令位SSSE3指令
指令介绍参照这里 https://www.cnblogs.com/celerychen/archive/2013/03/29/2989254.html
代码不要F5,就算F5也看不懂的,呵呵哒
@JuncoJet
这是pc数据库解密算法,pc端和安卓端通知,由define控制,我已经测试过了
#include "stdafx.h"
#include <Windows.h>
#include <openssl/rand.h>
#include <openssl/evp.h>
#include <openssl/aes.h>
#include <openssl/hmac.h>
//#define ANDROID_WECHAT
#undef _UNICODE
#define SQLITE_FILE_HEADER "SQLite format 3" //length == 16
#define IV_SIZE 16
#define HMAC_SHA1_SIZE 20
#define KEY_SIZE 32
#define SL3SIGNLEN 20
#ifndef ANDROID_WECHAT
#define DEFAULT_PAGESIZE 4096 //4048数据 + 16IV + 20 HMAC + 12
#define DEFAULT_ITER 64000
#else
#define NO_USE_HMAC_SHA1
#define DEFAULT_PAGESIZE 1024
#define DEFAULT_ITER 4000
#endif
//安卓端这里密码是7位,pc端是经过算法得到的32位pass。
//下面附pc端拿密码的OD图
// 72-91 为0
unsigned char pass[] = { 0x59,0x54,0xA7,0xE4,0xAE,0xCC,0x4D,0x5A,0x80,0xC5,0xBD,0x4F,0xE1,0xDE,0x04,0xF3,0x37,0xDB,0xAE,0xEC,0x19,0xC2,0x49,0x6C,0x93,0x85,0x70,0xDF,0xCB,0x5C,0xB8,0xBD};
//unsigned char pass = {0};
unsigned char aeskey[] = {0x14, 0x97, 0x7A, 0xAA, 0xD5, 0xC2, 0xB3, 0x99, 0xA6, 0xA7, 0xB9, 0x13, 0x94, 0xE3, 0x36, 0x0E, 0xC8, 0x5E, 0x14, 0xFE, 0x40, 0x3F, 0xBB, 0x27, 0x7F, 0xD9, 0xCE, 0x96, 0x19, 0xB4, 0x5E, 0x91};
char dbfilename[] = "Misc.db";
int Decryptdb();
int CheckKey();
int CheckAESKey();
int DecryptAESdb(UCHAR* AES_key);
int _tmain(int argc, _TCHAR* argv[])
{
Decryptdb();
// CheckAESKey();
// DecryptAESdb(aeskey);
// getchar();
return 0;
}
int Decryptdb()
{
FILE *fpdb = fopen(dbfilename, "rb+");
if (!fpdb)
{
printf("Open Source File Failed!");
getchar();
return 0;
}
fseek(fpdb, 0, SEEK_END);
long nFileSize = ftell(fpdb);
fseek(fpdb, 0, SEEK_SET);
unsigned char *pDbBuffer = new unsigned char;
fread(pDbBuffer, 1, nFileSize, fpdb);
fclose(fpdb);
unsigned char salt = { 0 };
memcpy(salt, pDbBuffer, 16);
#ifndef NO_USE_HMAC_SHA1
unsigned char mac_salt = { 0 };
memcpy(mac_salt, salt, 16);
for (int i = 0; i < sizeof(salt); i++)
{
mac_salt ^= 0x3a;
}
#endif
int reserve = IV_SIZE; //校验码长度,PC端每4096字节有48字节
#ifndef NO_USE_HMAC_SHA1
reserve += HMAC_SHA1_SIZE;
#endif
reserve = ((reserve % AES_BLOCK_SIZE) == 0) ? reserve : ((reserve / AES_BLOCK_SIZE) + 1) * AES_BLOCK_SIZE;
unsigned char key = { 0 };
unsigned char mac_key = { 0 };
OpenSSL_add_all_algorithms();
PKCS5_PBKDF2_HMAC_SHA1((const char *)pass, sizeof(pass), salt, sizeof(salt), DEFAULT_ITER, sizeof(key), key);
#ifndef NO_USE_HMAC_SHA1
PKCS5_PBKDF2_HMAC_SHA1((const char *)key, sizeof(key), mac_salt, sizeof(mac_salt), 2, sizeof(mac_key), mac_key);
#endif
unsigned char *pTemp = pDbBuffer;
unsigned char pDecryptPerPageBuffer;
int nPage = 1;
int offset = 16;
while (pTemp < pDbBuffer + nFileSize)
{
printf("decrypt page:%d/%d \n", nPage, nFileSize / DEFAULT_PAGESIZE);
#ifndef NO_USE_HMAC_SHA1
//check hmac
unsigned char hash_mac = { 0 };
unsigned int hash_len = 0;
HMAC_CTX hctx;
HMAC_CTX_init(&hctx);
HMAC_Init_ex(&hctx, mac_key, sizeof(mac_key), EVP_sha1(), NULL);
HMAC_Update(&hctx, pTemp + offset, DEFAULT_PAGESIZE - reserve - offset + IV_SIZE);
HMAC_Update(&hctx, (const unsigned char *)&nPage, sizeof(nPage));
HMAC_Final(&hctx, hash_mac, &hash_len);
HMAC_CTX_cleanup(&hctx);
if (0 != memcmp(hash_mac, pTemp + DEFAULT_PAGESIZE - reserve + IV_SIZE, sizeof(hash_mac)))
{
//hash check err
printf("\n Hash check err! \n");
getchar();
return 0;
}
#endif
//
if (nPage == 1)
{
memcpy(pDecryptPerPageBuffer, SQLITE_FILE_HEADER, offset);
}
//aes decrypt
EVP_CIPHER_CTX* ectx = EVP_CIPHER_CTX_new();
EVP_CipherInit_ex(ectx, EVP_get_cipherbyname("aes-256-cbc"), NULL, NULL, NULL, 0);
EVP_CIPHER_CTX_set_padding(ectx, 0);
EVP_CipherInit_ex(ectx, NULL, NULL, key, pTemp + (DEFAULT_PAGESIZE - reserve), 0);
int nDecryptLen = 0;
int nTotal = 0;
EVP_CipherUpdate(ectx, pDecryptPerPageBuffer + offset, &nDecryptLen, pTemp + offset, DEFAULT_PAGESIZE - reserve - offset);
nTotal = nDecryptLen;
EVP_CipherFinal_ex(ectx, pDecryptPerPageBuffer + offset + nDecryptLen, &nDecryptLen);
nTotal += nDecryptLen;
EVP_CIPHER_CTX_free(ectx);
//assert(nTotal == DEFAULT_PAGESIZE - reserve - offset);
//no necessary ,just like sqlcipher
memcpy(pDecryptPerPageBuffer + DEFAULT_PAGESIZE - reserve, pTemp + DEFAULT_PAGESIZE - reserve, reserve);
char decFile = {0};
sprintf(decFile,"dec_%s",dbfilename);
FILE *fp = fopen(decFile, "ab+");
{
fwrite(pDecryptPerPageBuffer, 1, DEFAULT_PAGESIZE, fp);
fclose(fp);
}
nPage++;
offset = 0;
pTemp += DEFAULT_PAGESIZE;
}
printf("\n ALL DONE! \n");
// getchar();
return 0;
}
不明觉厉啊 明天出个闭源小公举验证一下吧,验证完成更新详细教程。有望申精吗(′。✪ω✪。`)hiahiahia 学习一下 这个数据库有什么用途吗 一如既往的牛逼{:1_893:} 大佬,帮我看一下啊 每周三帖 发表于 2019-3-7 01:50
大佬,帮我看一下啊
https://www.52pojie.cn/thread-886944-1-1.html 微信Data文件夹下的文件就是异或运算。一般就是jpg,png,gif,bmp几种格式文件。根据每种文件的头部标志计算一个字节的异或值就可以了。