I. Guessing where the data is stored
WeChat is now used by people of all ages and has largely replaced SMS as the way people chat. Chat content is by nature private, so this article explains how WeChat chat records and address book information can be obtained from a device.
First, WeChat still shows chat history when the device has no network connection, which tells us the chat log is saved locally. That much data is almost certainly kept in a database, so we start by looking at the databases directory of the WeChat package:
Unfortunately, nothing useful turns up there. Since the important database must then live in some other directory, we can export the entire WeChat sandbox (its private data directory) and search it for .db files:
Several .db files are found in this directory:
There are quite a few .db files here; we can inspect them one at a time with a SQLite visualisation tool such as SQLite Expert:
Opening the file fails, and the error message makes the reason clear: the database file is encrypted. That confirms the database holds important information, and from a security standpoint encrypting it is entirely normal.
II. Analysing WeChat statically
Since the database is encrypted, the app must decrypt it at some point, so we go to the code to find out how it obtains the password.
First we decompile with apktool. WeChat itself is not hardened (packed), so the decompilation completes without errors:
Note: the -d argument is added to the command so that the decompiled output is emitted as .java files instead of .smali files, which is easier to import into Eclipse later.
After decompiling, we import the project into Eclipse. How to do that is not covered here; readers unfamiliar with it can refer to the earlier article on dynamically debugging Smali source code in Eclipse. After a successful import:
Some errors are shown, but they do not matter much, since we only need to read the source. Some readers may at this point think of dynamic debugging:
That requires the mprop tool from the earlier article to change the system's ro.debuggable property (readers unfamiliar with the tool can read the article on unpacking the 360 reinforced shell). If you do not want to use that tool, the alternative is a bit more work: change the debuggable attribute in AndroidManifest.xml after decompiling and rebuild the APK. Unfortunately my attempts at that failed several times, so in the end I used mprop. After changing the system debug property you can see:
WeChat is now in debug mode, so we could follow the steps for dynamically debugging Smali code in Eclipse from the earlier article. The problem is that the debugger kept hanging during the session; I tried many times without success, so I gave up on the dynamic approach and used static analysis to recover the password instead.
III. The cracking steps
Before using the static method, the first task is to find the key point. Our problem is the database: we know it exists, but it is encrypted and we need the password. Any Android app that uses a database will almost certainly involve the SQLiteDatabase class, so we first search for that class in Eclipse:
Because the WeChat project is very large, the search takes a while:
The definition of the com.tencent.kingkong.database.SQLiteDatabase class is found in the Smali. Reading Smali syntax is laborious, so we use the JADX tool instead; it was described in the earlier article on reverse-analysis tools for Android, which also explains how apktool and JADX work. Why is JADX so convenient? Mainly because it is open source, written in Java, and supports method tracking, which is very useful for following obfuscated code.
One complication: the APK is too large to load at once, so we view it in parts. WeChat has multiple dex files, and the SQLiteDatabase class we just found is in the first one, so we open the first dex file in JADX:
This is much more convenient. We find the class and naturally look first at its openDatabase method. There are many overloads, but they all end up in this openDatabase method:
Internally it calls the open method, so we follow that:
Which calls the openInner method; continue:
Which calls the open method of SQLiteConnectionPool; continue:
Finally we have reached the core. There is clearly a password field here, and its value is the second parameter of the SQLiteDatabase.openDatabase method. So now we need to find where SQLiteDatabase.openDatabase is invoked. Because openDatabase has so many overloads, picking one is hard, so instead we search directly for every place SQLiteDatabase is referenced, using JADX's search and tracking feature:
Search results:
Many places call it, which looks tedious, so here is a way to narrow the search. We just saw that the open method of the SQLiteDatabase class is static, so any call must use the class descriptor Lcom/tencent/kingkong/database/SQLiteDatabase; in standard Smali invocation form. We therefore go back to Eclipse and search the whole project for that string:
The class com.tencent.mm.bb.e turns up with many call sites, so we look at that class:
Sure enough, the database's open method is called in its d method, and the str2 passed in is the password. Next we trace where the d method is invoked:
Click through to view:
Here the field ee is the password. Looking at its assignment, the j method is first called to construct a string, and the first 7 characters of the result are taken. Now look at the j method:
This method looks familiar: it computes the MD5 of a string, and note that the hex digest is lowercase. So now we know that the password is the first 7 characters of the MD5 of some string; the question is which string is hashed:
Continue tracking: a method named a is called:
After finding it, click through:
Continue to find where this a method is called; the call chain is deep, so it takes patient searching:
Finally, in this class's method, we see that the first value is obtained from the my method, and the value j2 is converted from the value i above:
Looking at the implementation of my, it simply obtains the device's IMEI, while i was assigned earlier:
It is a uin value; look at where this uin value is assigned:
Now we can relax: the uin value is stored in SharedPreferences. That makes things simple: in the sandbox data we exported at the beginning, we do a global search for the string uin:
And the value is found here.
Summary:
We have now analysed how WeChat's database encryption password is obtained; to summarise:
1. First we look for the SQLiteDatabase class globally; it is the core class for database operations and therefore the entry point.
2. After finding its definition, we look at its open-series methods, because opening the database must go through an open method.
3. Then we look for call sites of SQLiteDatabase.open across the whole project. There are many, so patience is needed; to narrow the search we can search for the Smali invocation string of the class.
4. Having found where the method is called, we trace step by step downward until a core method reveals that the password is the first 7 characters of the MD5 of a string.
5. Continuing the trace to find which string is hashed, we finally find it is the device's IMEI concatenated with the user's uin, and the uin is stored in SharedPreferences.
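The call-site search in steps 1 to 3 can be automated. The following Python script is an added example (not the article's code or WeChat's) that scans decompiled Smali text for every invoke of a given class descriptor, here Lcom/tencent/kingkong/database/SQLiteDatabase;, and reports the enclosing class and method; the Smali fragment inside it is constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed Smali fragment standing in for apktool output; not WeChat's code.
SAMPLE_SMALI = """\
.class public Lcom/example/db/a;

.method public static d(Ljava/lang/String;Ljava/lang/String;)V
    .locals 1
    const/4 v0, 0x0
    invoke-static {p0, p1, v0}, Lcom/tencent/kingkong/database/SQLiteDatabase;->openDatabase(Ljava/lang/String;Ljava/lang/String;I)Lcom/tencent/kingkong/database/SQLiteDatabase;
    return-void
.end method

.method private e()V
    .locals 0
    invoke-static {}, Ljava/lang/System;->gc()V
    return-void
.end method
"""

# ".method <modifiers> name(" -> captures the method name.
METHOD_RE = re.compile(r"^\.method\s+(?:[\w-]+\s+)*?([^\s(]+)\(")
# "invoke-kind {regs}, Lpkg/Class;->name(" -> captures kind, class descriptor, name.
INVOKE_RE = re.compile(r"^invoke-(\w+)(?:/range)?\s+\{[^}]*\},\s*(L[^;]+;)->([^(]+)\(")


def find_call_sites(smali: str, target_class: str, method_prefix: str = "open") -> List[Tuple[str, str, int, str]]:
    """List every invoke of target_class->method_prefix*(...) in one Smali file as
    (enclosing class, enclosing method, line number, invoke kind)."""
    cur_class, cur_method, hits = "?", "?", []
    for n, raw in enumerate(smali.splitlines(), 1):
        line = raw.strip()
        if line.startswith(".class"):
            cur_class = line.split()[-1]
        elif line.startswith(".method"):
            m = METHOD_RE.match(line)
            cur_method = m.group(1) if m else "?"
        elif line.startswith(".end method"):
            cur_method = "?"
        elif line.startswith("invoke-"):
            m = INVOKE_RE.match(line)
            if m and m.group(2) == target_class and m.group(3).startswith(method_prefix):
                hits.append((cur_class, cur_method, n, m.group(1)))
    return hits


def scan_project(files: Dict[str, str], target_class: str, method_prefix: str = "open") -> Dict[str, list]:
    """Same search over a decompiled tree given as {path: smali}; only paths with hits are kept."""
    return {p: h for p, s in files.items() if (h := find_call_sites(s, target_class, method_prefix))}
```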
Although we now have the password, how is the data actually encrypted? Experience helps here: the mainstream SQLite encryption technology today is SQLCipher (readers who do not know it can look it up), and it needs a native .so library, so we look under WeChat's libs directory:
No SQLCipher .so file is found there, but there is a libkkdb.so that looks like it handles the database. Opening it in IDA:
Indeed, the SQLite operations are carried out in the native layer. So to view the database we need the SQLCipher tool, which can be downloaded in many places online and is made specifically for viewing SQLCipher-encrypted databases.
IV. Constructing the database password
First get the device's IMEI, which can be displayed by dialling *#06#. Then read the uin value directly from SharedPreferences, concatenate the two, save the result in a .txt file, and obtain its MD5 by viewing the file's properties with the HashTab tool. About HashTab:
This tool is very handy: right-click a file, open Properties, and read off its MD5:
The first seven characters here are 748b34d (note that the characters are lowercase), so the password is 748b34d:
After entering the password, the individual tables in the database can be viewed:
There are many tables in this database, but the ones we care most about are the address book table and the chat record table:
The chat record table is message and the address book table is rcontact:
An interesting detail: friends you previously deleted still appear. This is because WeChat keeps your address book on the server; even if you delete a contact locally, the server does not delete it. So if you want to find a previously deleted friend, you can find them here.
Summary:
We have used the static method to analyse WeChat, learned the password of the database encryption, and seen that it uses the mainstream database encryption framework SQLCipher. Many apps now use this framework, for example some novel-reading apps; I will not name them, but of the several novel apps I decompiled, two encrypt their databases with this framework.
V. Summary of the cracking process
1. Guess that the information is stored in a local database
To get chat logs and address book information, our reasoning is that this information is still viewable when the device is offline, so we suspect it is stored in a local database.
2. Viewing with a SQLite tool fails
We export the WeChat sandbox data to the local machine, look for .db files, and find EnMicroMsg.db. Opening it with SQLite Expert fails with a message that the database is encrypted.
3. Find the entry point from the normal way a database is used
Android apps use the SQLiteDatabase class to work with databases, so we search for that class globally, find its definition, then find its open methods and see where they are called.
4. Trace the code from the database entry method
Once the call sites of the open-series methods are known, we trace the code with JADX and finally reach the useful information: the password is the MD5 of the user device's IMEI + uin, in lowercase, with the first 7 characters of the digest taken as the password.
5. Obtaining the password
Knowing the composition of the password, obtaining it is relatively simple: dial *#06# to get the IMEI, then look at the auth_info_key_prefs.xml file in SharedPreferences, where the _auth_uin value is the user's uin. Concatenate the two, compute the MD5 with HashTab, and take the first 7 characters.
6. View the database with the SQLCipher tool
With the password, open the database in the SQLCipher tool; the address book table rcontact and the chat record table message can then be found.
Summary: WeChat's core database is EnMicroMsg.db. It is encrypted, and the password is the first 7 characters of the lowercase MD5 of the device's IMEI concatenated with the user's uin (stored in SharedPreferences).
VI. Extension
1. WeChat address book and chat record information is very important user privacy, which is why WeChat encrypts the database. But however data is encrypted, it must eventually be decrypted, and that is the key to our analysis: as long as the decryption happens locally, the password can certainly be obtained.
2. The password derivation rule is unlikely to change. Some readers may wonder whether WeChat will replace the algorithm that derives the database encryption password. The answer is no, and the reason is simple: changing the algorithm would affect existing users. If a new version changed the password, then when an existing user updates and the app decrypts the database on read, the encrypted database is still the old one, decryption with the new algorithm fails, and the user experience collapses. Some readers will say: upgrade the database. But an upgrade must guarantee that no old data is lost, which means migrating the old data, and that is a huge job: many WeChat users never actively clear their data, so chat history is large and the database is often tens of megabytes, making migration very risky. So WeChat will not change the password algorithm in the short term; in fact I decompiled many old versions and found the algorithm was always the same. So remember: the WeChat database encryption algorithm is MD5(IMEI+uin) => first 7 characters.
3. Why use the static method here? Because the WeChat package is too large; dynamic debugging always hung, with no way to step through the code, so the static approach was used.
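The derivation rule in item 2 above is weak for a reason a defender should be able to state precisely: every input is readable from the device, MD5 adds no secret, and the result is only 7 hex characters. The following Python snippet is an added example (not WeChat's code) that puts that rule beside an assumed hardened design based on a random per-install secret; the IMEI- and uin-shaped values in it are constructed.

```python
import hashlib
import math
import os

# Constructed sample identifiers (IMEI- and uin-shaped); not from any real device or account.
SAMPLE_IMEI = "490154203237518"
SAMPLE_UIN = "1234567890"


def weak_db_passphrase(imei: str, uin: str) -> str:
    """The rule the article recovered: lowercase MD5 hex of IMEI+uin, first 7 characters.
    Both inputs are readable by anything that can read the app's data directory (the IMEI
    by any app with phone-state permission), so the passphrase is recomputable, not secret."""
    return hashlib.md5((imei + uin).encode("utf-8")).hexdigest()[:7]


def passphrase_search_space_bits(passphrase: str, alphabet_size: int = 16) -> float:
    """Upper bound on the work to guess the passphrase blind: 7 hex chars -> 28 bits."""
    return len(passphrase) * math.log2(alphabet_size)


def hardened_db_key(install_secret: bytes, salt: bytes, iterations: int = 200_000) -> bytes:
    """Defender's alternative (an assumed design, not WeChat's): a 256-bit key stretched with
    PBKDF2-HMAC-SHA256 from a random per-install secret, which on Android would be kept in
    the Keystore rather than derived from identifiers stored in plain SharedPreferences."""
    return hashlib.pbkdf2_hmac("sha256", install_secret, salt, iterations, dklen=32)


def new_install_secret() -> bytes:
    """256 bits from the OS CSPRNG; nothing about the device or user lets it be recomputed."""
    return os.urandom(32)


if __name__ == "__main__":
    weak = weak_db_passphrase(SAMPLE_IMEI, SAMPLE_UIN)
    print("weak passphrase:", weak, "~%.0f bits of search space" % passphrase_search_space_bits(weak))
    key = hardened_db_key(new_install_secret(), os.urandom(16))
    print("hardened key bits:", len(key) * 8)
```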
VII. Security
After this article we all know how WeChat chat records and address book information can be cracked: once you have the encrypted database, you can get the password. But these two steps are not easy. First, how do you obtain the encrypted database? It is stored in the WeChat sandbox data, so the device must be rooted; the device's IMEI, by contrast, is easy to get. So here is the problem: if a user's device is rooted, a malicious program can start stealing information. And the earlier article on the security issues raised by the allowBackup attribute in Android explained that before version 5.1 allowBackup defaults to true, meaning the WeChat sandbox data can be obtained without root, which is far too exposed. There are now many WeChat directory backup tools, which are essentially synchronising this database. Once someone has this database, cracking it is simple, because the password is fixed by the derivation rule.
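The allowBackup and debuggable attributes discussed above can be checked mechanically on a decoded AndroidManifest.xml. The following Python function is an added example (not from the article); the manifest it parses is constructed, and the check treats an omitted allowBackup as true, its default.

```python
import xml.etree.ElementTree as ET
from typing import List

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest for illustration; not WeChat's real manifest.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.chat">
    <uses-sdk android:minSdkVersion="15" android:targetSdkVersion="22"/>
    <application android:label="Example" android:debuggable="true">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def audit_manifest(xml_text: str) -> List[str]:
    """Report the two manifest settings this article leans on: allowBackup, which when
    omitted defaults to true and lets `adb backup` export the app's private data without
    root, and debuggable, which lets a debugger attach to the process."""
    app = ET.fromstring(xml_text).find("application")
    if app is None:
        return ["no <application> element found"]

    def attr(name: str):
        return app.get("{%s}%s" % (ANDROID_NS, name))

    findings = []
    backup = attr("allowBackup")
    if backup is None:
        findings.append("allowBackup omitted: defaults to true, private data exportable via adb backup")
    elif backup.strip().lower() == "true":
        findings.append("allowBackup=true: private data exportable via adb backup")
    if (attr("debuggable") or "false").strip().lower() == "true":
        findings.append("debuggable=true: a debugger can attach to the app in this build")
    return findings


def is_hardened(xml_text: str) -> bool:
    """True only when allowBackup is explicitly false and debuggable is not true."""
    return audit_manifest(xml_text) == []
```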
VIII. Uses
1. If you want to see the WeChat data of people around you, this gives you a way, especially for someone close to you, for example a wife who never lets you look at her WeChat.
2. On a rooted device, a program could steal the user's WeChat data and IMEI in the background, upload them to a server, and then obtain the important information in the chat records by manual analysis.
3. When you accidentally delete chat records on your own device, you can export the local database and view it with the SQLCipher tool to recover the earlier data.
The focus and intention of this article is the approach to cracking an APK with static analysis. For WeChat this is not a vulnerability and not a problem, because, as mentioned above, the data lives in the WeChat sandbox, which is normally impossible to obtain, so it is of little use to an attacker. The intention of this article is simply to explain one line of thinking for static analysis of an APK.
IX. Summary
The above analysed why the WeChat database is encrypted and how its password is constructed, and also argued that the algorithm is unlikely to change in the short term. From a security viewpoint, even for new versions of WeChat, if the device is rooted, a malicious program has an entry point to steal data; since WeChat chat records are equivalent to the user's privacy and may also involve financial interests, it is hoped that WeChat will improve this database handling as soon as possible.
That is the entire content of this article. I hope it helps your learning, and I hope you will support the Yunqi Community.