《Android逆向之2-优雅拦截sqlcipher sqlite数据库密码》要点:
在你逆向分析**app时,先分析其数据存储结构绝对事半功倍.
知识准备
1:懂得利用Xposed框架或Cydia框架的hook技术
2 :jadx工具(定位分析工具)
/**
 * Registers an Xposed hook on the {@code openDatabase} method of the class named by
 * {@code PluginsConfigWechatsqlite.WECHAT_sqliteDatabase_CLASSE}.
 *
 * <p>Before each call the hook logs the database path (argument 0) and the database
 * password (argument 2). After each call, if the path ends with {@code EnMicroMsg.db},
 * the returned database object is stored in {@code EnMicroMsgsqliteDatabaSEObject}.
 *
 * @param wechatVersionName version string of the target app; selects whether the password
 *                          parameter is matched as {@code String} or {@code byte[]}
 * @param lpparam           Xposed load-package parameters; its class loader is used to
 *                          resolve the target's nested and helper classes
 */
static public void wechatOpenDatabase(String wechatVersionName,final XC_LoadPackage.LoadPackageParam lpparam) {
    /*
     * Decompiled signature of the hooked method, kept for reference. The third
     * parameter is the SQLite database password:
     *
     * public static sqliteDatabase openDatabase(String paramString1, LockedDevice paramLockedDevice,
     *         String paramString2, Arithmetic paramArithmetic, CursorFactory paramCursorFactory,
     *         int paramInt1, DatabaseErrorHandler paramDatabaseErrorHandler, boolean paramBoolean,
     *         int paramInt2)
     *
     * NOTE(review): this signature lists nine parameters, while eight parameter types
     * are registered below; confirm which overload the analysed build actually has.
     */
    try {
        // Build 6.3.13.56_r238e8af passes the password as a String; every other
        // version is treated as passing byte[] (the original note cites 6.3.31).
        final Class keyParamType =
                wechatVersionName.equals("6.3.13.56_r238e8af") ? String.class : byte[].class;

        // Resolve the target's own types through its class loader, in parameter order.
        final ClassLoader appLoader = lpparam.classLoader;
        final Class<?> lockedDeviceType =
                appLoader.loadClass(PluginsConfigWechatsqlite.WECHAT_sqliteDatabase_CLASSE + "$LockedDevice");
        final Class<?> arithmeticType =
                appLoader.loadClass(PluginsConfigWechatsqlite.WECHAT_sqliteDatabase_CLASSE + "$Arithmetic");
        final Class<?> cursorFactoryType =
                appLoader.loadClass(PluginsConfigWechatsqlite.WECHAT_sqliteDatabase_CLASSE + "$CursorFactory");
        final Class<?> errorHandlerType =
                appLoader.loadClass(PluginsConfigWechatsqlite.WECHAT_sqliteDatabase_3Level_CLASSE + ".DatabaseErrorHandler");

        XposedHelpers.findAndHookMethod(
                PluginsConfigWechatsqlite.WECHAT_sqliteDatabase_CLASSE,
                appLoader,
                "openDatabase",
                // Full path of the SQLite file, e.g.
                // /data/data/com.tencent.mm/MicroMsg/71daf7e10a38aa48ee8bad199dde232a/EnMicroMsg.db
                String.class,
                lockedDeviceType,
                // Database password, e.g. 21e8906 (sample value from the original article).
                keyParamType,
                arithmeticType,
                cursorFactoryType,
                int.class,
                errorHandlerType,
                boolean.class,
                new XC_MethodHook() {
                    @Override
                    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                        // Render the password argument as text whichever type this build uses;
                        // a null or unexpected type leaves the text empty.
                        String keyText = "";
                        final Object keyArg = param.args[2];
                        if (keyArg instanceof byte[]) {
                            // Decoding as UTF-8 assumes the key bytes are textual.
                            keyText = new String((byte[]) keyArg, "UTF-8");
                        } else if (keyArg instanceof String) {
                            keyText = String.valueOf(keyArg);
                        }
                        // NOTE(review): the path and the password are written to the Android
                        // log in cleartext; treat any captured log as containing key material.
                        Log.i(TAG,"openDatabase String 0参数sqlite全路径和暗码: " + param.args[0] + "参数sqlite暗码:" + keyText);
                    }

                    @Override
                    protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                        super.afterHookedMethod(param);
                        final String dbPath = (String) param.args[0];
                        if (!dbPath.endsWith("EnMicroMsg.db")) {
                            return;
                        }
                        // Keep the database object opened for EnMicroMsg.db. It is
                        // overwritten on every matching call.
                        EnMicroMsgsqliteDatabaSEObject = param.getResult();
                        System.out.println("sqliteDatabaSEObject的类名:" + EnMicroMsgsqliteDatabaSEObject.getClass().getName());
                    }
                });
    } catch (ClassNotFoundException e) {
        // One of the target's classes could not be resolved; no hook is installed.
        e.printStackTrace();
    }
}
用jadx工具分析,定位到com.tencent.mmdb.database.sqliteDatabase类
启动**发现微信启动时同时打开的数据库有
最后感谢今日头条提供的分享平台,你觉得有用可以收藏,方便以后查阅.
分享是一种美德,牵手是一种生活方式.