Notes on cracking a mobile game app's data file

Source: Internet
Author: User
Tags: ultraedit

Out of a rather dubious need, and also wanting to try something new, I spent most of a day over the weekend cracking a mobile game's data files.

The process went more smoothly than I expected, mainly thanks to the developers' sloppiness, cough cough.

The process is as follows:

  • Downloaded the installation package and unzipped it; found several xxx.db files, the most interesting being an xxx.db of over 50 MB.
  • Opened the xxx.db files with UltraEdit; no clues at all, except that all of these files share the same file header.
  • Searched for what a .db file might be and found the open-source library SQLite, a lightweight database component that iOS also uses; a glimmer of hope.
  • Downloaded the SQLite command-line tool; it could not open the .db files.
  • Saved a SQLite database file of my own as a test and found that SQLite stores it in plaintext.
  • Time to bring out the artifact, IDA Pro. Disassembled libxxx.so and found many sqlite3_xxx functions, so the .db files should indeed be SQLite database files.
  • Searched for information on SQLite encryption: the official encryption implementation requires a license, but there is an open-source implementation, wxSQLite. Privately guessed that the app uses wxSQLite.
  • wxSQLite encrypts with AES; without the key there is no decrypting it. Heart half cold.
  • Continued reading the disassembly and found the key function; the key is hard-coded in the binary, a string of 1..., uh.
  • Downloaded wxSQLite and wrote a few lines of code to test; still could not open the file. Created an encrypted database file of my own and found it looked quite different from the app's db file.
  • Read the wxSQLite code and found that the encryption algorithm is called from the sqlite3Codec function. Found sqlite3Codec in the disassembly and saw that it calls a my_encrypt_func (heh).
  • Read the assembly of my_encrypt_func and found that it just inverts every byte (bitwise NOT). Oh.
  • Wrote a small program to invert every byte of the db file, then opened the result with UltraEdit and saw the familiar plaintext.
  • The resulting file opens with the SQLite command line; dumped it to a txt file and got the table structure and all the data.
  • Last was the 50+ MB db file. Printing its table structure showed a string name and a binary object. Wrote a small program that iterates over all the table rows and saves each binary object as a PNG file. Task complete.
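The lesson of the steps above is that a byte-wise map such as the bitwise NOT in my_encrypt_func is obfuscation, not encryption: it leaves the byte-frequency distribution (and so the Shannon entropy) unchanged and the SQLite magic trivially recoverable. The following is an added example, not code from the original post or the app, of a self-check a developer can run over a data file before shipping it; the sample bytes are constructed, and the function names are my own.

```python
import math
from collections import Counter
from typing import Optional

SQLITE_MAGIC = b"SQLite format 3\x00"   # first 16 bytes of every SQLite 3 file

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for real ciphertext, well below for structured data.
    Summing over sorted counts makes the result identical under any byte permutation."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in sorted(Counter(data).values()))

def invert_bytes(data: bytes) -> bytes:
    """Bitwise NOT of every byte, i.e. what the MVN loop in my_encrypt_func does."""
    return bytes(b ^ 0xFF for b in data)

def header_exposed_by(data: bytes) -> Optional[str]:
    """Name the trivial byte map (if any) under which the SQLite magic reappears."""
    head = data[:16]
    if head == SQLITE_MAGIC:
        return "plaintext"
    if invert_bytes(head) == SQLITE_MAGIC:
        return "bitwise NOT"
    k = head[0] ^ SQLITE_MAGIC[0]          # a single-byte XOR key is forced by byte 0
    if bytes(b ^ k for b in head) == SQLITE_MAGIC:
        return "xor 0x%02x" % k
    return None

def assess(data: bytes) -> dict:
    """Verdict for a data file: both checks must pass before calling it encrypted."""
    ent = shannon_entropy(data)
    exposed = header_exposed_by(data)
    return {"entropy": round(ent, 3), "header": exposed,
            "really_encrypted": exposed is None and ent > 7.9}

# Constructed stand-in for a small SQLite file: the magic plus a repetitive page body.
SAMPLE_DB = SQLITE_MAGIC + b"name\x00image\x00" * 8 + bytes(range(64))
OBFUSCATED = invert_bytes(SAMPLE_DB)   # what my_encrypt_func would write to disk

if __name__ == "__main__":
    print("plain    ", assess(SAMPLE_DB))
    print("inverted ", assess(OBFUSCATED))   # same entropy, header still recoverable
```

Entropy alone is only a screen (a database full of compressed PNG blobs already scores high), so the header check is the decisive part.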


Lessons:
  • If the encryption had really been implemented with wxSQLite, with the key obtained over the network, the key would have had to be intercepted by hooking the API at runtime; the difficulty of cracking would go up considerably...
  • The ARM assembly of the cryptographic function looks very inefficient..., which made me wonder. Wrote the same code myself and found that the lib had been built in debug mode, well...
  • Encryption-related function names are dangerous to expose in a dynamic library: with the function declared static and removed from the export symbol table, all one can see is a jump to an address.

The disassembled cryptographic function is identical to what you get by writing the same code yourself and compiling it in debug mode:
.text:002c46e0                 EXPORT my_encrypt_func
.text:002c46e0 my_encrypt_func                         ; CODE XREF: sqlite3codec+11Cp
.text:002c46e0                                         ; sqlite3codec+190p
.text:002c46e0
.text:002c46e0 var_3C          = -0x3C
.text:002c46e0 var_38          = -0x38
.text:002c46e0 var_34          = -0x34
.text:002c46e0 var_30          = -0x30
.text:002c46e0 var_28          = -0x28
.text:002c46e0 var_20          = -0x20
.text:002c46e0 var_4           = -4
.text:002c46e0
.text:002c46e0                 STR     R11, [SP,#var_4]!
.text:002c46e4                 ADD     R11, SP, #4+var_4
.text:002c46e8                 SUB     SP, SP, #0x1C
.text:002c46ec                 STR     R0, [R11,#0x20+var_30]
.text:002c46f0                 STR     R1, [R11,#0x20+var_34]
.text:002c46f4                 STR     R2, [R11,#0x20+var_38]
.text:002c46f8                 STR     R3, [R11,#0x20+var_3C]
.text:002c46fc                 MOV     R3, #0
.text:002c4700                 STR     R3, [R11,#0x20+var_28]
.text:002c4704                 B       loc_2C473C
.text:002c4708 ; ---------------------------------------------------------------------------
.text:002c4708
.text:002c4708 loc_2C4708                              ; CODE XREF: my_encrypt_func+68j
.text:002c4708                 LDR     R3, [R11,#-0x10]
.text:002c470c                 LDRB    R3, [R3]
.text:002c4710                 MVN     R3, R3
.text:002c4714                 STRB    R3, [R11,#-9]
.text:002c4718                 LDR     R3, [R11,#-0x10]
.text:002c471c                 LDRB    R2, [R11,#-9]
.text:002c4720                 STRB    R2, [R3]
.text:002c4724                 LDR     R3, [R11,#-0x10]
.text:002c4728                 ADD     R3, R3, #1
.text:002c472c                 STR     R3, [R11,#-0x10]
.text:002c4730                 LDR     R3, [R11,#-8]
.text:002c4734                 ADD     R3, R3, #1
.text:002c4738                 STR     R3, [R11,#-8]
.text:002c473c
.text:002c473c loc_2C473C                              ; CODE XREF: my_encrypt_func+24j
.text:002c473c                 LDR     R2, [R11,#-8]
.text:002c4740                 LDR     R3, [R11,#-0x14]
.text:002c4744                 CMP     R2, R3
.text:002c4748                 BCC     loc_2C4708
.text:002c474c                 MOV     R3, #0
.text:002c4750                 MOV     R0, R3
.text:002c4754                 SUB     SP, R11, #0
.text:002c4758                 LDR     R11, [SP+0x20+var_20],#4
.text:002c475c                 BX      LR
.text:002c475c ; End of function my_encrypt_func

The same function compiled in release mode, for comparison; the debug build runs dozens of times slower:

.text:00001d88 ; my_encrypt_func(unsigned char *, unsigned int, unsigned char *, unsigned int)
.text:00001d88                 EXPORT _Z15my_encrypt_funcPhjS_j
.text:00001d88 _Z15my_encrypt_funcPhjS_j
.text:00001d88                 MOVS    R3, #0
.text:00001d8a                 B       loc_1D94
.text:00001d8c ; ---------------------------------------------------------------------------
.text:00001d8c
.text:00001d8c loc_1D8C                                ; CODE XREF: my_encrypt_func(uchar *,uint,uchar *,uint)+Ej
.text:00001d8c                 LDRB    R2, [R0,R3]
.text:00001d8e                 MVNS    R2, R2
.text:00001d90                 STRB    R2, [R0,R3]
.text:00001d92                 ADDS    R3, #1
.text:00001d94
.text:00001d94 loc_1D94                                ; CODE XREF: my_encrypt_func(uchar *,uint,uchar *,uint)+2j
.text:00001d94                 CMP     R3, R1
.text:00001d96                 BNE     loc_1D8C
.text:00001d98                 MOVS    R0, #0
.text:00001d9a                 BX      LR
.text:00001d9a ; End of function my_encrypt_func(uchar *,uint,uchar *,uint)
