Out of some rather shameful needs, and wanting to try something new at the same time, I spent most of a day over the weekend cracking a mobile game's data files.
The process went more smoothly than I expected, mainly thanks to our developers' slackness, cough, cough.
The process was as follows:
- Downloaded the installation package and unzipped it; found several xxx.db files, the most interesting being an xxx.db of more than 50 MB.
- Opened the xxx.db files in UltraEdit: no clues at all, except that all of the files share the same file header.
- Searched for what a .db file might be and found the open-source library SQLite, a lightweight database engine that iOS also uses. Things suddenly looked brighter.
- Downloaded the SQLite command-line tool; it could not open the .db files.
- Saved a SQLite database file of my own as a test and found that it is stored in plaintext.
- Time to bring out the artifact, IDA Pro. Disassembling libxxx.so turned up many sqlite3_xxx functions, so the .db files should indeed be SQLite databases.
- Searched for information on SQLite encryption: the official encryption extension requires a licence, but there is an open-source implementation, wxsqlite. My private guess was that the app used wxsqlite.
- wxsqlite encrypts with AES, so without the key there is no decrypting it. My heart sank halfway.
- Kept reading the disassembly and found the key-setting function (sqlite3_key): the key is hardcoded in the code, a string beginning with 1... Er.
- Downloaded wxsqlite and wrote a few lines of code to test; the files still would not open. Created an encrypted database file of my own and found it looked quite different from the app's db file.
- Read the wxsqlite code and discovered that the cryptographic routine is called from the sqlite3Codec function. Found sqlite3Codec in the disassembly and saw that it calls a my_encrypt_func (hehe).
- Read the assembly of my_encrypt_func: it simply inverts every byte (MVN, i.e. bitwise NOT, the same as XOR 0xFF). Oh.
- Wrote a small program to invert the db file byte by byte, opened the result in UltraEdit and saw the familiar plaintext.
- The file could now be opened with the SQLite command line and dumped to a .txt file, giving the table structure and all the data.
- Last was the 50 MB-plus db file. Printing its table structure showed a string name and a binary object. Wrote a small program that iterates over every row of the table and saves each binary object as a PNG file. Task complete.
Lessons learned:
- Had the encryption really been wxsqlite with the key fetched over the network, I would have had to hook the API at runtime to intercept the key, and the difficulty would have gone up a big notch...
- The ARM assembly of the encryption function looked very inefficient, which puzzled me. I wrote the same code myself and found that the library had been shipped as a debug build. Really...
- Exposing encryption-related function names in a dynamic library's export table is dangerous. Declaring such a function static keeps it out of the exported symbol table, so all an analyst sees is a jump to an address. A hidden symbol only slows the analysis down, though: a transform with no secret in it, like the byte-wise NOT here, is still trivially undone once it is found.
The disassembled encryption function is identical to what I got by writing the same code myself and compiling it as a debug build:
.text:002C46E0             EXPORT my_encrypt_func
.text:002C46E0 my_encrypt_func                         ; CODE XREF: sqlite3Codec+11Cp
.text:002C46E0                                         ; sqlite3Codec+190p
.text:002C46E0
.text:002C46E0 var_3C          = -0x3C
.text:002C46E0 var_38          = -0x38
.text:002C46E0 var_34          = -0x34
.text:002C46E0 var_30          = -0x30
.text:002C46E0 var_28          = -0x28
.text:002C46E0 var_20          = -0x20
.text:002C46E0 var_4           = -4
.text:002C46E0
.text:002C46E0                 STR     R11, [SP,#var_4]!
.text:002C46E4                 ADD     R11, SP, #4+var_4
.text:002C46E8                 SUB     SP, SP, #0x1C
.text:002C46EC                 STR     R0, [R11,#0x20+var_30]
.text:002C46F0                 STR     R1, [R11,#0x20+var_34]
.text:002C46F4                 STR     R2, [R11,#0x20+var_38]
.text:002C46F8                 STR     R3, [R11,#0x20+var_3C]
.text:002C46FC                 MOV     R3, #0
.text:002C4700                 STR     R3, [R11,#0x20+var_28]
.text:002C4704                 B       loc_2C473C
.text:002C4708 ; ---------------------------------------------------------------------------
.text:002C4708
.text:002C4708 loc_2C4708                              ; CODE XREF: my_encrypt_func+68j
.text:002C4708                 LDR     R3, [R11,#-0x10]
.text:002C470C                 LDRB    R3, [R3]
.text:002C4710                 MVN     R3, R3
.text:002C4714                 STRB    R3, [R11,#-9]
.text:002C4718                 LDR     R3, [R11,#-0x10]
.text:002C471C                 LDRB    R2, [R11,#-9]
.text:002C4720                 STRB    R2, [R3]
.text:002C4724                 LDR     R3, [R11,#-0x10]
.text:002C4728                 ADD     R3, R3, #1
.text:002C472C                 STR     R3, [R11,#-0x10]
.text:002C4730                 LDR     R3, [R11,#-8]
.text:002C4734                 ADD     R3, R3, #1
.text:002C4738                 STR     R3, [R11,#-8]
.text:002C473C
.text:002C473C loc_2C473C                              ; CODE XREF: my_encrypt_func+24j
.text:002C473C                 LDR     R2, [R11,#-8]
.text:002C4740                 LDR     R3, [R11,#-0x14]
.text:002C4744                 CMP     R2, R3
.text:002C4748                 BCC     loc_2C4708
.text:002C474C                 MOV     R3, #0
.text:002C4750                 MOV     R0, R3
.text:002C4754                 SUB     SP, R11, #0
.text:002C4758                 LDR     R11, [SP+0x20+var_20],#4
.text:002C475C                 BX      LR
.text:002C475C ; End of function my_encrypt_func
Compared with a release build of the same function, the debug version runs dozens of times slower:
.text:00001D88 ; my_encrypt_func(unsigned char *, unsigned int, unsigned char *, unsigned int)
.text:00001D88                 EXPORT _Z15my_encrypt_funcPhjS_j
.text:00001D88 _Z15my_encrypt_funcPhjS_j
.text:00001D88                 MOVS    R3, #0
.text:00001D8A                 B       loc_1D94
.text:00001D8C ; ---------------------------------------------------------------------------
.text:00001D8C
.text:00001D8C loc_1D8C                                ; CODE XREF: my_encrypt_func(uchar *,uint,uchar *,uint)+Ej
.text:00001D8C                 LDRB    R2, [R0,R3]
.text:00001D8E                 MVNS    R2, R2
.text:00001D90                 STRB    R2, [R0,R3]
.text:00001D92                 ADDS    R3, #1
.text:00001D94
.text:00001D94 loc_1D94                                ; CODE XREF: my_encrypt_func(uchar *,uint,uchar *,uint)+2j
.text:00001D94                 CMP     R3, R1
.text:00001D96                 BNE     loc_1D8C
.text:00001D98                 MOVS    R0, #0
.text:00001D9A                 BX      LR
.text:00001D9A ; End of function my_encrypt_func(uchar *,uint,uchar *,uint)
Notes on cracking a mobile game app's data files