The whole process of reverse analysis of new fetion chat record

Source: Internet
Author: User

I have been teaching myself reverse engineering for a while now, so today I'm writing up a post!

Straight to the point:

Install Fetion, log in, and generate a little chat history.
A file was found under the path C:\Users\%username%\Documents\Fetion\<Fetion number>\ (you can click "open history file location" in the Fetion settings to see the name). That is the Fetion database file.
Opening this file in UltraEdit, one glance tells you it must be encrypted. No long explanation needed.
Open the Fetion installation directory and look at the DLLs in it.
Judging by the DLL names, guess which DLL handles the message records: in the Fetion home directory there is a directory data\history, and in it a History.dll, so I guessed this is the DLL that handles the history.
So open OllyDbg, load fetion.exe in OD, press Alt+E and follow into History.dll, glance over it a bit, then Ctrl+N to view the names in the module,
and find a _fhopendb. The name tells you what it is. According to what OD shows, this function comes from Fhlib.dll, so I used eXeScope to view the import and export information of that DLL
and found advapi32.dll among the imports (VERY IMPORTANT!!!!). This DLL is the library of cryptographic algorithms that ships with Windows, so open IDA Pro and get ready to take Fhlib.dll apart.
In the import table I found CryptCreateHash, CryptHashData, CryptDeriveKey, CryptDestroyHash and other very conspicuous functions!!
My gut told me this is the decryption part,
so I reversed this part of the code, and after finishing, traced it in OD to determine the actual values of the parameters passed to those functions. Haha, the most important thing, the password used to produce the hash and the key, is in fact the Fetion number. I immediately opened VS and wrote code,
and successfully decrypted v5_History.dat. Opening the decrypted file in UltraEdit: damn!! The file signature looks very familiar; isn't this my usual SQLite3? And SQLite3 is a lightweight, small, open-source database.
Then I used a database viewer to look at the contents of the database, and the chat history was laid bare. Cracked successfully.
Code attached!!!

[C++]
/*
 * - Put the decrypted database file into the system temporary directory.
 *
 * Members used (declared elsewhere in the class, not shown in the post):
 *   szFetionNum     - the Fetion number, which is the password
 *   strEvidencePath - path of the encrypted v5_History.dat
 *   strDstPath      - path of the decrypted output file
 */
#include <windows.h>
#include <wincrypt.h>
#include <string>
#include <cstring>
#pragma comment(lib, "advapi32.lib")

int IS_FetionV5History::DeCryptFetionDB()
{
    HCRYPTPROV hProv = 0;
    HCRYPTHASH hHash = 0;
    HCRYPTKEY  hKey  = 0;
    const char *lpszPwd = (const char *)szFetionNum; // password: the Fetion number

    // Key derivation as traced in Fhlib.dll: MD5(Fetion number) -> RC4 key.
    // Named constants replace the raw values of the original call sequence:
    // PROV_RSA_FULL = 1, CRYPT_VERIFYCONTEXT = 0xF0000000, CALG_MD5 = 0x8004, CALG_RC4 = 0x6801.
    if (!CryptAcquireContextA(&hProv, NULL, "Microsoft Enhanced Cryptographic Provider v1.0",
                              PROV_RSA_FULL, CRYPT_VERIFYCONTEXT))
        return -1;
    if (!CryptCreateHash(hProv, CALG_MD5, 0, 0, &hHash) ||
        !CryptHashData(hHash, (const BYTE *)lpszPwd, (DWORD)strlen(lpszPwd), 0) ||
        !CryptDeriveKey(hProv, CALG_RC4, hHash, 0, &hKey))
    {
        if (hHash) CryptDestroyHash(hHash);
        CryptReleaseContext(hProv, 0);
        return -1;
    }
    CryptDestroyHash(hHash); // the key is derived; the hash object is no longer needed

    /**************************************************************/
    // Open the source (encrypted) file and the destination (decrypted) file.
    // CreateFile is preferable to OpenFile here.
    HANDLE hIn = ::CreateFileA(strEvidencePath.c_str(), GENERIC_READ, 0, NULL,
                               OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hIn == INVALID_HANDLE_VALUE)
    {
        // Never CloseHandle() an invalid handle; only release the crypto objects.
        CryptDestroyKey(hKey);
        CryptReleaseContext(hProv, 0);
        return -1;
    }
    HANDLE hOut = ::CreateFileA(strDstPath.c_str(), GENERIC_WRITE, 0, NULL,
                                CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hOut == INVALID_HANDLE_VALUE)
    {
        CloseHandle(hIn); // always release the handles before leaving the function
        CryptDestroyKey(hKey);
        CryptReleaseContext(hProv, 0);
        return -1;
    }
    /**************************************************************/

    // Decrypt in 0x400-byte blocks with Final = TRUE on every block, as in the
    // original posted code. The buffer is input (ciphertext) and output (plaintext).
    BYTE  szBuf[0x400];
    DWORD dwReadSize = 0, dwWriteSize = 0;
    int   ret = 0;
    for (;;)
    {
        if (!ReadFile(hIn, szBuf, sizeof(szBuf), &dwReadSize, NULL)) { ret = -1; break; }
        if (dwReadSize == 0) break; // end of file
        // RC4 is a stream cipher, so the decrypted length equals the number of bytes read.
        if (!CryptDecrypt(hKey, 0, TRUE, 0, szBuf, &dwReadSize)) { ret = -1; break; }
        if (!WriteFile(hOut, szBuf, dwReadSize, &dwWriteSize, NULL) || dwWriteSize != dwReadSize)
        { ret = -1; break; }
        if (dwReadSize < sizeof(szBuf)) break; // short read: this was the last block
    }

    CloseHandle(hIn);
    CloseHandle(hOut);
    CryptDestroyKey(hKey);
    CryptReleaseContext(hProv, 0);
    return ret;
} // DeCryptFetionDB()
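As an added example, not code from the post or from Fetion: a portable Python re-implementation of the scheme the posted C++ reconstructs, so the decryption can be checked offline without CryptoAPI and the result tested for the SQLite header the post spotted by eye in UltraEdit. Two points are assumptions that the post does not confirm: that CryptDeriveKey(CALG_RC4) on the Microsoft Enhanced provider uses the 16-byte MD5 digest directly as a 128-bit RC4 key, and that CryptDecrypt with Final=TRUE on a stream cipher resets the cipher state, so every 0x400-byte block is processed with a fresh keystream (which is what calling it once per block does in the posted loop). The Fetion number and the "database" bytes in demo() are constructed test data.

```python
"""
Portable re-implementation of the Fetion v5_History.dat decryption traced in Fhlib.dll.
Added example, not the post's code. Assumptions (not confirmed by the post):
  * CryptDeriveKey(CALG_RC4) on the Enhanced provider = 128-bit RC4 key taken
    directly from the 16-byte MD5 digest of the Fetion number.
  * CryptDecrypt(..., Final=TRUE, ...) on a stream cipher resets the cipher, so
    each 0x400-byte block is decrypted with a restarted RC4 keystream.
"""
import hashlib
import sys

BLOCK = 0x400                          # block size the posted decryptor reads per CryptDecrypt call
SQLITE_MAGIC = b"SQLite format 3\x00"  # 16-byte header of every SQLite 3 database file


def derive_key(fetion_number: str) -> bytes:
    """MD5(Fetion number) used as the RC4 key (assumption, see module docstring)."""
    return hashlib.md5(fetion_number.encode("ascii")).digest()


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the keystream is XORed into data, so encrypt == decrypt."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray(len(data))
    i = j = 0
    for n, byte in enumerate(data):            # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out[n] = byte ^ s[(s[i] + s[j]) & 0xFF]
    return bytes(out)


def crypt_blocks(key: bytes, blob: bytes) -> bytes:
    """Apply RC4 per 0x400-byte block, restarting the keystream for every block
    (mirrors one CryptDecrypt call with Final=TRUE per block). Symmetric."""
    return b"".join(rc4(key, blob[off:off + BLOCK]) for off in range(0, len(blob), BLOCK))


def decrypt_fetion_db(blob: bytes, fetion_number: str) -> bytes:
    return crypt_blocks(derive_key(fetion_number), blob)


def is_sqlite(data: bytes) -> bool:
    """The check the post made by eye: does the output begin with the SQLite header?"""
    return data[:16] == SQLITE_MAGIC


def demo() -> bool:
    """Round trip on constructed data: a fake 'database' that is just the SQLite
    header plus filler, encrypted under a made-up Fetion number with the same scheme."""
    fetion_number = "123456789"                     # made-up number, not a real account
    plain = SQLITE_MAGIC + bytes(range(256)) * 10   # 2576 bytes, spans three blocks
    encrypted = crypt_blocks(derive_key(fetion_number), plain)
    decrypted = decrypt_fetion_db(encrypted, fetion_number)
    wrong = decrypt_fetion_db(encrypted, "987654321")  # wrong number must not yield the header
    return is_sqlite(decrypted) and decrypted == plain and not is_sqlite(wrong)


if __name__ == "__main__":
    if len(sys.argv) == 3:   # usage: python fetion_dec.py v5_History.dat <Fetion number>
        with open(sys.argv[1], "rb") as f:
            out = decrypt_fetion_db(f.read(), sys.argv[2])
        with open(sys.argv[1] + ".sqlite", "wb") as f:
            f.write(out)
        print("SQLite header found" if is_sqlite(out)
              else "no SQLite header: wrong number or a different scheme")
    else:
        print("self-test:", "ok" if demo() else "FAILED")
```

If a real v5_History.dat decrypted with this script does not start with "SQLite format 3", one of the two assumptions above does not hold for that build, and the posted CryptoAPI code remains the reference; the header check is also the cheapest way to confirm the Fetion number you supplied was the right password.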

Https://www.0xaa55.com/forum.php?mod=viewthread&tid=1787&extra=page%3D1

