来源:https://xxzkid.github.io/2024/decrypt-wechat-msg-1/
前置条件
frida, frida-tools, adb
获取密码
h.js
console.log('script loaded successfully');
function xx() {
function strf(str, replacements) {
return str.replace(/\$\{\w+\}/g, function(placeholderWithDelimiters) {
var placeholderWithoutDelimiters = placeholderWithDelimiters.substring(2, placeholderWithDelimiters.length - 1);
var stringReplacement = replacements[placeholderWithoutDelimiters];
return stringReplacement;
});
}
function x_db() {
var String = Java.use("java.lang.String");
var SQLiteDatabase = Java.use("com.tencent.wcdb.database.SQLiteDatabase");
SQLiteDatabase["openDatabase"].overload('java.lang.String', '[B', 'com.tencent.wcdb.database.SQLiteCipherSpec', 'com.tencent.wcdb.database.SQLiteDatabase$CursorFactory', 'int', 'com.tencent.wcdb.DatabaseErrorHandler', 'int').implementation = function (str, bArr, sQLiteCipherSpec, cursorFactory, i2, databaseErrorHandler, i3) {
console.log(strf('str=${0} bArr=${1}', [str, bArr == null ? "" : String.$new(bArr)]));
var result = this["openDatabase"](str, bArr, sQLiteCipherSpec, cursorFactory, i2, databaseErrorHandler, i3);
return result;
};
}
Java.perform(function () {
x_db();
});
}
setTimeout(xx, 0);
frida -U -l h.js --no-pause -f com.tencent.mm
拉取数据库到本地
adb pull /data/user/0/com.tencent.mm/MicroMsg/替换成你自己的字符串/EnMicroMsg.db .
下载 sqlcipher
sqlcipher-shell64.exe EnMicroMsg.db
sqlite> PRAGMA key = '你自己的密钥';
sqlite> PRAGMA cipher_use_hmac = off;
sqlite> PRAGMA kdf_iter = 4000;
sqlite> PRAGMA cipher_page_size = 1024;
sqlite> PRAGMA cipher_hmac_algorithm = HMAC_SHA1;
sqlite> PRAGMA cipher_kdf_algorithm = PBKDF2_HMAC_SHA1;
sqlite> ATTACH DATABASE 'plaintext.db' AS plaintext KEY '';
sqlite> SELECT sqlcipher_export('plaintext');
sqlite> DETACH DATABASE plaintext;
下载DB Browser for SQLite
选择plaintext.db 就可以看到数据啦