How the crack works: for an encrypted SQLite database, the application calls sqlite3_open and then calls sqlite3_key to set the password. Hooking the sqlite3_key function in sqlite3.dll at that moment captures the database password.
Implementation steps:
1. Write a DLL that hooks the sqlite3_key function in sqlite3.dll.
```pascal
library HookAPI;

uses
  Windows, HookUtils, Classes, Dialogs;

const
  SQLiteDLL = 'sqlite3.dll';

type
  TSQLiteDB = Pointer;

// The original export; SQLite's public API uses the cdecl convention.
function sqlite3_key(ADb: TSQLiteDB; AKey: PAnsiChar; AKeySize: Integer):
  Integer; cdecl; external SQLiteDLL name 'sqlite3_key';

var
  // Receives the original entry point from HookUtils.HookProc. The
  // replacement must use the same calling convention as the hooked
  // function (cdecl), otherwise the stack is corrupted on return.
  sqlite3_keyEx: function(ADb: TSQLiteDB; AKey: PAnsiChar;
    AKeySize: Integer): Integer; cdecl;

function sqlite3_keyExCallBack(ADb: TSQLiteDB; AKey: PAnsiChar; AKeySize:
  Integer): Integer; cdecl;
var
  aStringList: TStringList;
begin
  Result := 1; // SQLITE_ERROR, returned if the original cannot be called
  aStringList := TStringList.Create;
  try
    // AKey is treated as NUL-terminated here; SQLite itself only
    // guarantees AKeySize bytes.
    aStringList.Text := AKey;
    if aStringList.Count > 0 then
    begin
      ShowMessage('SQLiteDBPWD:' + AKey);
      aStringList.SaveToFile('SQLiteDBPWD.txt');
    end;
  finally
    aStringList.Free;
  end;
  // sqlite3_key has been replaced at this point; the hook must be removed
  // before calling through, otherwise the call re-enters this callback.
  if HookUtils.UnHookProc(@sqlite3_keyEx) then
    Result := sqlite3_key(ADb, AKey, AKeySize);
end;

procedure DllEntryPoint(dwReason: DWord);
begin
  case dwReason of
    DLL_PROCESS_ATTACH:
      HookUtils.HookProc('sqlite3.dll', 'sqlite3_key', @sqlite3_keyExCallBack,
        @sqlite3_keyEx);
    DLL_PROCESS_DETACH:
      ; //HookUtils.UnHookProc(@sqlite3_keyEx);
    DLL_THREAD_ATTACH, DLL_THREAD_DETACH:
      ;
  end;
end;

begin
  DllProc := @DllEntryPoint;
  DllEntryPoint(DLL_PROCESS_ATTACH);
end.
```
2. Inject the DLL written above into the target process. When the target process opens the encrypted SQLite database, the sqlite3_keyExCallBack callback fires and the database password is obtained. How to inject the DLL into the process is a matter of DLL injection technique, and that code is not posted here; anyone interested can PM me on the site to discuss DLL injection.
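As an added, defender-side counterpart to the hook described above (example code, not from the original post or HookUtils): a check for the inline detour that a HookProc-style library leaves at the entry of an export such as sqlite3_key. It assumes the hook patches the function's first bytes, and that the caller has already read those bytes from the process and knows the owning module's base and size; every address and byte sequence below is constructed for illustration. It goes beyond the single x86 case by also recognising the usual x64 detour encodings.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Assumed layout of the module that owns the function (e.g. sqlite3.dll),
 * as obtained from a module enumeration by the caller. */
typedef struct { uintptr_t base; size_t size; } module_t;
typedef enum { HOOK_NONE, HOOK_INTERNAL, HOOK_FOREIGN } hook_state_t;

/* Resolve the detour destination encoded at a function entry. `entry` must
 * hold at least 12 bytes copied from address `entry_addr`. Returns 0 when
 * the prologue matches none of the common detour patterns. */
uintptr_t hook_target(const uint8_t *entry, uintptr_t entry_addr) {
    if (entry[0] == 0xE9) {                      /* JMP rel32 (x86, x64) */
        int32_t rel;
        memcpy(&rel, entry + 1, sizeof rel);
        return entry_addr + 5 + (uintptr_t)(intptr_t)rel;
    }
    if (entry[0] == 0x68 && entry[5] == 0xC3) {  /* PUSH imm32; RET (x86) */
        uint32_t abs32;
        memcpy(&abs32, entry + 1, sizeof abs32);
        return (uintptr_t)abs32;
    }
    if (entry[0] == 0x48 && entry[1] == 0xB8 &&  /* MOV RAX,imm64; JMP RAX */
        entry[10] == 0xFF && entry[11] == 0xE0) {
        uint64_t abs64;
        memcpy(&abs64, entry + 2, sizeof abs64);
        return (uintptr_t)abs64;
    }
    return 0;
}

/* A jump at the entry is only suspicious when it leaves the owning module:
 * linkers emit in-module thunks legitimately, so those are INTERNAL, while a
 * destination in another module is the signature of an injected hook DLL. */
hook_state_t classify_entry(const uint8_t *entry, uintptr_t entry_addr,
                            const module_t *owner) {
    uintptr_t target = hook_target(entry, entry_addr);
    if (target == 0)
        return HOOK_NONE;
    if (target >= owner->base && target - owner->base < owner->size)
        return HOOK_INTERNAL;
    return HOOK_FOREIGN;
}

/* Constructed fixtures: module at 0x10000000, function entry at 0x10042000. */
const module_t sample_module = { 0x10000000u, 0x100000u };
const uint8_t clean_entry[16]    = { 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 };
const uint8_t internal_entry[16] = { 0xE9, 0xFB, 0xDF, 0x00, 0x00 }; /* -> 0x10050000 */
const uint8_t foreign_entry[16]  = { 0xE9, 0xFB, 0xEF, 0xFB, 0x59 }; /* -> 0x6A001000 */
const uint8_t push_ret_entry[16] = { 0x68, 0x00, 0x10, 0x00, 0x6C, 0xC3 }; /* -> 0x6C001000 */
```

Run over the first bytes of each export of interest in a live process, a FOREIGN result for sqlite3_key is the condition this post's DLL creates.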