Attackers can use Android phones to crack the WeChat encrypted database EnMicroMsg. db and enmicromsg. db.

Attackers can exploit the Android mobile phone to crack the encrypted database EnMicroMsg. db and enmicromsg. db.

※First, we will briefly introduce how to crack the encrypted database EnMicroMsg. db:

I 'd like to criticize the fact that the open-source database encryption method is used. Isn't this a perfect solution...

If your simulator or real machine has the root permission, you can directly copy the database files that record chat records. The specific storage location of the database files is as follows:

In/data:

(Digression: the android native simulator root is very complicated. We recommend a third-party simulator: genymotion, which is very convenient)

※After obtaining EnMicroMsg. db, we open it with common database management software and find that EnMicroMsg. db is encrypted, but the password generation rules are simple, as shown below:

(Mobile phone imei + uin) Get the first seven digits of MD5

Get IMEI of Mobile Phone: Dial number input: * #06 #

Uin get: http://blog.csdn.net/yuanbohx/article/details/41280837

However, even if the password is decrypted, we still find that the database management software we just used cannot be opened. The encryption algorithm of the sqlcipheropen source database is used. The software sqlcipher.exe is downloaded online. When the. db file is opened, enter the calculated password to open the EnMicroMsg. db file:

※As mentioned above, SQLCipher is a third-party open-source database that provides the function of encrypting and decrypting database files. Let's first visit their official website to find out:

Https://www.zetetic.net/sqlcipher/open-source/

We were pleasantly surprised to find that SQLCipher now provides an open source library for the Android operating system. The source code can be downloaded on Github, but I tried to download the project on Github, A lot of problems encountered during compilation, resulting in the final failure to compile successfully. We recommend that you download the Open Source library package as shown in:

Decompress the downloaded package, as shown in the following figure:

※The following describes how to create and import the SQLCipher open-source library for Android projects:

Create Android project is not detailed, after creating the project, directly copy all the content in the sqlcipher-for-android-v3.2.0 folder to the android project can be:

The following steps are also critical:

Right-click the project, Build Path → Configure Build Path, add the corresponding jar package as shown, and delete the android self-owned Library:

Finally, add the key code for reading the encrypted database to the program:

Public void readWeChatDatabase () {SQLiteDatabase. loadLibs (this); String password = "XXXXXXX"; File databaseFile = getDatabasePath ("/data/com. tencent. mm/MicroMsg/47d58c79e692e212XXXXXXXXXXXXX/EnMicroMsg. db "); // File databaseFile = getDatabasePath (" EnMicroMsg. db "); eventsData = new myDataHelper (this); SQLiteDatabaseHook hook = new SQLiteDatabaseHook () {public void preKey (SQLiteDatabase database) {} p Ublic void postKey (SQLiteDatabase database) {database. rawExecSQL ("PRAGMA cipher_migrate;"); // The most critical sentence !!! }}; Try {SQLiteDatabase db = SQLiteDatabase. openOrCreateDatabase (databaseFile, "XXXXXXX (password)", null, hook); Cursor c = db. query ("message", null, null); while (c. moveToNext () {int _ id = c. getInt (c. getColumnIndex ("msgId"); String name = c. getString (c. getColumnIndex ("content"); Log. I ("db", "_ id =>" + _ id + ", content =>" + name);} c. close (); db. close () ;}catch (Exception e ){}}

The program is very simple. The password is the encrypted password of the database, databaseFile is the path of the database file, and database. rawExecSQL ("PRAGMA cipher_migrate") is the most critical statement, for the following reasons:

Currently, SQLCipher for Android is 3. version X, but it is still in version 2. in the era of X, this sentence is to be able to use 3. X open-source library compatibility 2. if this clause is not added, the database cannot be decrypted.

(Digression: SQLCipher is indeed quite powerful. I am only introducing the tip of the iceberg. More functions can be explored through the Engineering Code provided on its official website or Github)

Finally, we will show the program running effect. From the Logcat information, we can see that we have successfully read the message data table in the EnMicroMsg. db file:

Of course, there are obvious shortcomings in my work, that is, we need to calculate the password for database decryption through various manual methods, and then decrypt the. db file. Interested users can try to get IMEI and uin directly in the Program (this should be difficult), then MD5 takes the first seven digits, and finally uses the calculated password to decrypt the database.