Location>code7788 >text

Reverse WeChat (VII)

Popularity:439 ℃/2024-10-07 21:57:19

The previous post describes how to grab HTTPS data from applets by sniffing MojoIPC.

This reverse microsoft client local database related matters.

This post is at the blogspot address/bbqzsl/p/18423518

WeChat PC client has two main types of data storage, one is based on sqlcipher, the other is based on protobuf. besides these two there are others, not in this post.

They are the classes that correspond to the two mainStorageBasemarry sb. (of woman)ConfigInfoStorageStorageBase uses sqlcipher as storage and ConfigInfoStorage uses protobuf to store KeyValue.

StorageBase is a single table operation wrapper class , it contains the database name and table name and other information . It encapsulates the underlying operations such as opening and querying. Its StorageBase::init method opens the database and sets up the necessary settings, including the CipherAndKey. Reverse analyzing until now, I realized that WeChat is using a mixed code segment for code protection, which is located at the end of the StorageBase::init calls DBFactory::openDBbyName method to complete all the opening work. This DBFactory::openDBbyName method, which has all the strings of the log information mixed up, obviously does not want people to know. And the main executable logic of DBFactory::openDBbyName is edited in the mixed dishes code segment. The purpose of mixed dishes code is not only to make people idiots, but more importantly, to make the reverse tools idiots, including the caller. The mixed dishes used by WeChat are characterized by a sky full of call instructions. As long as you are clear that the call instruction is just the equivalent of jmp& push, you understand its disgusting. The caller's call stack frame function can only be used to analyze ebp, eip this kind of call in the middle, mixed dishes call is not at all call&ret, if you think it will be in the call of the next instruction, ret back to the implementation, you may not be able to wait for it to execute. Including the code analysis function of the reverse tool is also similarly beaten into idiocy. call is equivalent to jmp and push eip. eip at this point is not for ret, but to open the esp, and eip as the decoding factor for the contents of this stack location later. Or the content of this stack location is directly replaced and discarded later. Not only the code is mixed up, but also the stack structure.

So running into mixed dishes of protected code, Mother Mary comes to me Speaking words of wisdom let it be. although I hypothesize that microsoft may have protected the database KEY here, also in the way the KEY is calculated. I admit I'm still stuck on the magic MD5 (imei+uin) of that Android version from 8 years. Think the PC calculation method is Foo(myPCInfo, uin), which exists somewhere in the client code. Since they are all protected with mixing code, so i listened to Mother Mary, let it be. just as i was thinking this, aAccountService::setDBKeyBut heck yes. Ugh? That's not right. So I rushed windbg tracking. Huh? Doesn't this parameter contain the KEY to my database? I was saying earlier that WeChat had taken the trouble to use the mixing code to protect all the operations of opening the database with sqlcipher, including the KEY setting. Now it's blatantly exposed. Is this a slap in my face, or is it a slap in its own face. I couldn't understand what the play was about. It's desperately trying to cover that up from others, but the thing used to cover it up has a picture of it naked there. It's playing with colored eggs. It wasn't until I read their techpost that I realized, "Security. Based onNot afraid to be cracked, but not for anyone.The principles of", /developer/article/1005575. this word order is a bit familiar, as if I have heard a similarly formatted phrase somewhere. The WeChat development team has shown the way, and you're welcome to crack it, just in case you don't know how. (It turns out that their database also has a proper name WCDB, /developer/article/2406614. I have been dealing with it as a sqlcipher. WCDB is used in mobile terminals, PC should not be.) Although the market about this crack has been written to the rotten street, as long as in the github search wecaht Db crack keywords, there are a whole lot of repos. I will briefly introduce my analysis, and the method, for the audience to have one more perspective.AccountServiceThere are three member variables, theDBKey, RSA Public Key, RSA Private Key. They are all of type std::string. And have a known fixed length. The most lucky thing is that the relative position between them hasn't changed through all these years and versions. The search steps, first through the RSA private key string address, and then the address value combined with the length of the string to find the location of the RSA private key member variable, and then relative offset to get the location of the DBKey member variable. Just as we are familiar with the geometry theorem of three points and fixed surfaces to lock the position. With just three commands, you can achieve the goal with windbg.

x86

s-a 0 L10000000 "-----BEGIN RSA PRIVATE KEY-----"
        * theRes
s-d wechatwin L2000000 theRes 0 0 0 377 37f
        * theRes2
da poi(theRes2 - 18)
        * check if "-----BEGIN PUBLIC KEY-----"
db poi(theRes2 - a8) Lpoi(theRes2 - a4)

x64

s-a 0 L10000000 "-----BEGIN RSA PRIVATE KEY-----"
		* theRes
s-q wechatwin L2000000 theRes 0 377 37f
		* theRes2
da poi(theRes2 - 20)
		* check if "-----BEGIN PUBLIC KEY-----"
db poi(theRes2 - f8) Lpoi(theRes2 - f0) 

By the way, windbg doesn't have the ability to assign variables like gdb, but you can use alias instead. Alias theRes and theRes2 to the result address, or manually replace theRes and theRes2 in the command. besides, you can only search the address space 0x10000000 at most at one time, because you can't find it in the first address segment, please use the following command to scan the whole user space of the address space.

s-a 0 L10000000 "-----BEGIN RSA PRIVATE KEY-----"
s-a 10000000 L10000000 "-----BEGIN RSA PRIVATE KEY-----"
s-a 20000000 L10000000 "-----BEGIN RSA PRIVATE KEY-----"
s-a 30000000 L10000000 "-----BEGIN RSA PRIVATE KEY-----"
s-a 40000000 L10000000 "-----BEGIN RSA PRIVATE KEY-----"
s-a 50000000 L10000000 "-----BEGIN RSA PRIVATE KEY-----"
s-a 60000000 L10000000 "-----BEGIN RSA PRIVATE KEY-----"
s-a 70000000 L10000000 "-----BEGIN RSA PRIVATE KEY-----"

 

I also follow the trend and write a /bbqz007/CrackMicroMsgDBKey about how to see the key with windbg.

After finding the DBKey, of course, I wanted to know the code to calculate the Key. At first I thought it would be in the Mixed Dishes snippet, but after finding theAccountService::setDBKeyIt is only after this that the truth is revealed. the DBKey is returned by the server and the computation is not on the client, but on the server.

Explore the classes related to Auth on your own if you need to.

The two factors of encryption and decryption are Key and Cipher, and I haven't touched the WeChat database for many years, so I've forgotten the cipher settings. If you find the latest sqlcipher, you can't open the database even if you have the right key. Because the default cipher of each sqlcipher version is different, or the publisher of the distribution software compiles different options, the default cipher is different. cipher settings must also be matched. We can directly query the database it opens directly through the microsoft. There are a total of six items: kdf_iter, cipher_page_size, cipher_use_hmac, cipher_plaintext_header_size, cipher_hmac_algorithm, cipher_kdf_algorithm.

Microsoft encapsulates sqlcipher access into a class for single table operations.StorageBase. It contains the database name, table name, and most importantly the database handle. After all, it's still sqlite3, we just need to find the api table to use all the c-interfaces. The example above is accessing a database handle opened by StorageBase through the c-interface of the api table. Even though StorageBase protects the process of opening a database with a generic mixin code.

After getting the capi table, sqlite3_exec can manipulate the database as demonstrated above and sqlite3_prapare can trace the sql as demonstrated below.

I've been working on myKTL Tools ver0.9.1gitee repository) added patch, convenient for those who need it, just set your cracked out DBKey, you can browse your microsoft database.

The database file directory is under "My Documents", "WeChat Files\wxid_???????? \Msg". If you want to know the wxid of the current login, you can check "WeChat Files\config\", the value of number 4 in the array of string types, and number 10 is the nickname. How to view, is another database type to be introduced next, I also added patch in KTL, to provide the corresponding viewing tool. In this article, the database is a broad, including various formats of data files. For example, the class mongodb can likewise be used as the underlying storage in plaintext. A format of the file can also be made into a custom storage engine through the mysql storage engine interface to be used by mysql.

 

The other database is based on protobuf, with the type nameConfigInfoStorage. Its main data member is micromsg::KeyValueSetting, which is the class generated from the proto file. Although there is no proto file for KeyValueSetting, the root structure can be analyzed from the reverse content.

The root structure has five members, all of which are arrays, each of which is a key-value pair. the key is shaped. Knowing the general framework structure, it is possible to analyze protobuf without a proto file. Although there is no proto definition file, but still can use protoc tool to decode, just do not know the names of the members, all the names are plastic position numbers. But with the root level structure above it is possible to carry out the analysis. Root position #1 is a 32-bit shaped array of values, each value has a number corresponding to its name. Each element of the array is an intkey-value proto, so bit 1 of the element is an intkey and bit 2 is a value, and the following arrays follow in the same way. Root position 2 is an array of type buffer, where some of the buffers are serialized protobufs, which can be thought of as arrays of type object. Root 3 is an array of strings, all the values of the strings are in this array. Root 4 is a 64-bit shaped array. Root 5 is a floating-point array.

protoc tool can not be decoded into JSON format without a proto file, you can only use TextFormat. but this TextFormat is really unique, like DICT or JSON, but different. It can't be easily analyzed using python or json browser. So I added a feature with my KTL that converts the TextFormat decoded by the protoc tool to JSON and provides a visual view. With the converted JSON, you can paste it into any visual tool you like to analyze it, the easiest is to use chrome's devtools and paste it into the console to execute it.

The database file directory is under "My Documents", "WeChat Files\config\". It corresponds to AccoutService class and AccoutStorageMgr class.

This post successively describes how microsoft uses sqlcipher, AccoutService class, protobuf based key-value database, ConfigInfoStorage class. The database is stored on our computer disk and the class runs in our memory. By scanning these, personal information can be collected.The AccoutService class also contains the bound cell phone number. Another example is simply scanning the disk without scanning the microsoft process and without scanning the sqlcipher database. You can also get the current login of the micro-signal, this micro-signal used which small programs, these small programs are which well-known small program applications, which type of small program applications, this micro-signal has some habits of use preferences and needs, and so on. (Each small program has a unique AppID, as well as the bound public number). With scanning the DBKey of the WeChat process, you can directly snoop more content.

in myKTL Tools ver0.9.1gitee repository) Two patches were added to view the sqlcipher database and to view the protobuf data (files).

 

Also straight to the point. Just like a Library. statically compiled into uncountable open source libraries. sqlcipher is one of them. We can also direct.

 

 

That's it for this post, see you in the next one.

Reverse WeChat (vii, find DBKey for sqlcipher, view protobuf file)

Reverse WeChat (six, grab the applet https by sniffing mojo, open the applet devtool)

Reverse WeChat (v, mmmojo, wmpfmojo)

Reverse TDX x Reverse WeChat x Reverse Qt (fun reversal, signal-slot usage you haven't seen before)

Reverse WeChat (IV, mars, web module)

Reverse WeChat (three, EventCenter, event center for all functional modules)

Reverse WeChat (II, WeUIEngine, UI Engine)

Reverse wechat (I, plan to warm up)

I have more.Reverse Calligraphy Series

I have another one.The K-Line Technical Tools Program KTL.You can use C++14 for development of formulas, QT, data analysis and more. Your code JustInTime runs.