XXPC端技术研究-解密微信的数据库（数据文件）

JuncoJet

正如我之前帖子所说，

对ReadFile，下个断点，然后对读取的内存地址下个硬件断点。解密的时候跟一下就知道了。没难度的。

两幅图说明问题

---
更新微信dat文件反编译工具
适用于反编译 你的文档\WeChat Files\你的微信名\Data 里的dat文件

JuncoJet

好吧，刚才只是说加密的数据文件，比如图片表情包、视频等
这个才是真正的数据库解密算法，MMX指令，1是看不懂，2是OD显示显得无能为力了。



---
补充，那个OD无法解析的指令位SSSE3指令

指令介绍参照这里 https://www.cnblogs.com/celerych ... /03/29/2989254.html
代码不要F5，就算F5也看不懂的，呵呵哒

SN1t2lO

@JuncoJet
这是pc数据库解密算法，pc端和安卓端通知，由define控制，我已经测试过了

[C] 纯文本查看 复制代码

#include "stdafx.h"
#include <Windows.h>
#include <openssl/rand.h>
#include <openssl/evp.h>
#include <openssl/aes.h>
#include <openssl/hmac.h>

//#define ANDROID_WECHAT
#undef _UNICODE
#define SQLITE_FILE_HEADER "SQLite format 3" //length == 16
#define IV_SIZE 16
#define HMAC_SHA1_SIZE 20
#define KEY_SIZE 32

#define SL3SIGNLEN 20

#ifndef ANDROID_WECHAT
#define DEFAULT_PAGESIZE 4096		//4048数据 + 16IV + 20 HMAC + 12
#define DEFAULT_ITER 64000
#else
#define NO_USE_HMAC_SHA1
#define DEFAULT_PAGESIZE 1024
#define DEFAULT_ITER 4000
#endif
	//安卓端这里密码是7位，pc端是经过算法得到的32位pass。
	//下面附pc端拿密码的OD图
	// 72-91 为0
unsigned char pass[] = { 0x59,0x54,0xA7,0xE4,0xAE,0xCC,0x4D,0x5A,0x80,0xC5,0xBD,0x4F,0xE1,0xDE,0x04,0xF3,0x37,0xDB,0xAE,0xEC,0x19,0xC2,0x49,0x6C,0x93,0x85,0x70,0xDF,0xCB,0x5C,0xB8,0xBD};
//unsigned char pass[32] = {0};
unsigned char aeskey[] = {0x14, 0x97, 0x7A, 0xAA, 0xD5, 0xC2, 0xB3, 0x99, 0xA6, 0xA7, 0xB9, 0x13, 0x94, 0xE3, 0x36, 0x0E, 	0xC8, 0x5E, 0x14, 0xFE, 0x40, 0x3F, 0xBB, 0x27, 0x7F, 0xD9, 0xCE, 0x96, 0x19, 0xB4, 0x5E, 0x91};
char dbfilename[] = "Misc.db";
int Decryptdb();
int CheckKey();
int CheckAESKey();
int DecryptAESdb(UCHAR* AES_key);
int _tmain(int argc, _TCHAR* argv[])
{

	Decryptdb();
//	CheckAESKey();
//	DecryptAESdb(aeskey);
//	getchar();
	return 0;
}

int Decryptdb()
{
	FILE *fpdb = fopen(dbfilename, "rb+");
	if (!fpdb)
	{
		printf("Open Source File Failed!");
		getchar();
		return 0;
	}
	fseek(fpdb, 0, SEEK_END);
	long nFileSize = ftell(fpdb);
	fseek(fpdb, 0, SEEK_SET);
	unsigned char *pDbBuffer = new unsigned char[nFileSize];
	fread(pDbBuffer, 1, nFileSize, fpdb);
	fclose(fpdb);

	unsigned char salt[16] = { 0 };
	memcpy(salt, pDbBuffer, 16);

#ifndef NO_USE_HMAC_SHA1
	unsigned char mac_salt[16] = { 0 };
	memcpy(mac_salt, salt, 16);
	for (int i = 0; i < sizeof(salt); i++)
	{
		mac_salt[i] ^= 0x3a;
	}
#endif

	int reserve = IV_SIZE;		//校验码长度,PC端每4096字节有48字节
#ifndef NO_USE_HMAC_SHA1
	reserve += HMAC_SHA1_SIZE;
#endif
	reserve = ((reserve % AES_BLOCK_SIZE) == 0) ? reserve : ((reserve / AES_BLOCK_SIZE) + 1) * AES_BLOCK_SIZE;

	unsigned char key[KEY_SIZE] = { 0 };
	unsigned char mac_key[KEY_SIZE] = { 0 };

	OpenSSL_add_all_algorithms();
	PKCS5_PBKDF2_HMAC_SHA1((const char *)pass, sizeof(pass), salt, sizeof(salt), DEFAULT_ITER, sizeof(key), key);
#ifndef NO_USE_HMAC_SHA1
	PKCS5_PBKDF2_HMAC_SHA1((const char *)key, sizeof(key), mac_salt, sizeof(mac_salt), 2, sizeof(mac_key), mac_key);
#endif

	unsigned char *pTemp = pDbBuffer;
	unsigned char pDecryptPerPageBuffer[DEFAULT_PAGESIZE];
	int nPage = 1;
	int offset = 16;
	while (pTemp < pDbBuffer + nFileSize)
	{
		printf("decrypt page:%d/%d \n", nPage, nFileSize / DEFAULT_PAGESIZE);

#ifndef NO_USE_HMAC_SHA1
		//check hmac
		unsigned char hash_mac[HMAC_SHA1_SIZE] = { 0 };
		unsigned int hash_len = 0;
		HMAC_CTX hctx;
		HMAC_CTX_init(&hctx);
		HMAC_Init_ex(&hctx, mac_key, sizeof(mac_key), EVP_sha1(), NULL);
		HMAC_Update(&hctx, pTemp + offset, DEFAULT_PAGESIZE - reserve - offset + IV_SIZE);
		HMAC_Update(&hctx, (const unsigned char *)&nPage, sizeof(nPage));
		HMAC_Final(&hctx, hash_mac, &hash_len);
		HMAC_CTX_cleanup(&hctx);
		if (0 != memcmp(hash_mac, pTemp + DEFAULT_PAGESIZE - reserve + IV_SIZE, sizeof(hash_mac)))
		{
			//hash check err
			printf("\n Hash check err! \n");
			getchar();
			return 0;
		}
#endif
		//
		if (nPage == 1)
		{
			memcpy(pDecryptPerPageBuffer, SQLITE_FILE_HEADER, offset);
		}

		//aes decrypt
		EVP_CIPHER_CTX* ectx = EVP_CIPHER_CTX_new();
		EVP_CipherInit_ex(ectx, EVP_get_cipherbyname("aes-256-cbc"), NULL, NULL, NULL, 0);
		EVP_CIPHER_CTX_set_padding(ectx, 0);
		EVP_CipherInit_ex(ectx, NULL, NULL, key, pTemp + (DEFAULT_PAGESIZE - reserve), 0);

		int nDecryptLen = 0;
		int nTotal = 0;
		EVP_CipherUpdate(ectx, pDecryptPerPageBuffer + offset, &nDecryptLen, pTemp + offset, DEFAULT_PAGESIZE - reserve - offset);
		nTotal = nDecryptLen;
		EVP_CipherFinal_ex(ectx, pDecryptPerPageBuffer + offset + nDecryptLen, &nDecryptLen);
		nTotal += nDecryptLen;
		EVP_CIPHER_CTX_free(ectx);

		//assert(nTotal == DEFAULT_PAGESIZE - reserve - offset);

		//no necessary ,just like sqlcipher
		memcpy(pDecryptPerPageBuffer + DEFAULT_PAGESIZE - reserve, pTemp + DEFAULT_PAGESIZE - reserve, reserve);
		char decFile[1024] = {0};
		sprintf(decFile,"dec_%s",dbfilename);
		FILE *fp = fopen(decFile, "ab+");
		{
			fwrite(pDecryptPerPageBuffer, 1, DEFAULT_PAGESIZE, fp);
			fclose(fp);
		}

		nPage++;
		offset = 0;
		pTemp += DEFAULT_PAGESIZE;
	}
	printf("\n ALL DONE! \n");
//	getchar();
	return 0;
}

旺仔大馒头

不明觉厉啊

JuncoJet

明天出个闭源小公举验证一下吧，验证完成更新详细教程。有望申精吗(′｡✪ω✪｡｀)hiahiahia

沉默挺好的

学习一下

陈世界

这个数据库有什么用途吗

zqguang3708

一如既往的牛逼

每周三帖

大佬，帮我看一下啊

每周三帖

每周三帖 发表于 2019-3-7 01:50
大佬，帮我看一下啊

https://www.52pojie.cn/thread-886944-1-1.html

SN1t2lO

微信Data文件夹下的文件就是异或运算。一般就是jpg，png，gif，bmp几种格式文件。根据每种文件的头部标志计算一个字节的异或值就可以了。