Self-taught reverse has a period of time, today to a post!
Go straight to the chase:
Install fetion, log in to Fetion, and make a little chat history.
A file was found under the C:\Users\% user name%\documents\fetion\ "Fly Signal" path (you can click to open the history file location in the fetion settings)
to see the name. The Fetion database file is the goods. The
UE opens to observe this file, and at a glance knows it must be encrypted. Do not do a long explanation
<ignore_js_op>
Open the Fetion home directory and observe the DLLs in the Fetion directory.
Look at the DLL name, guess the message record processing of the DLL, fetion home directory found in the directory data\history, there is a History.dll in the directory, guess this is processing history of the DLL
so open Od,od open fetion.exe,alt+e Follow History.dll, probably meow a few eyes, and then CTRL + N View the name in the module,
find a _fhopendb, see the name to know what this is, according to OD display, this function from Fhlib.dll, so with Exescope View the import and export information for this DLL
found imported advaip in the import information. DLL (very IMPORTANT!!!!) , this DLL is a library of Windows-brought cryptographic algorithms, so open IDA Pro, ready to start distracting Fhlib.dll. The
found in the import table cryptcreatehash, Crypthashdata, CryptDeriveKey, Cryptdestroyhash and other very conspicuous functions!!
feel tell me, this is the decoding part,
then reverse this part of the code, after completion with OD tracking, determine the variable parameters of the functions of the content, haha, the most important production of hash and key key is actually flying signal, immediately open vs write code,
success will v5_ History.dat decoding, with the UE open to observe the decoded file, I 艹!! File signature Good familiar, this is not my usual sqlite3? And Sqlite3 is a lightweight, small, open-source database. The
then uses the database visualization tool to view the contents of the database, and the chat history is unobstructed. Cracked success.
Attach code!!!
[C + +]Plain Text view copy code View Source print?
03 |
intIS_FetionV5History::DeCryptFetionDB() |
05 |
HCRYPTPROV hProv = NULL; |
06 |
HCRYPTHASH hHash = NULL; |
07 |
LPCTSTRlpszPwd = (LPCTSTR)szFetionNum;//密码,飞信号 |
08 |
HCRYPTKEY hKey = NULL; |
10 |
CryptAcquireContext(&hProv, 0, "Microsoft Enhanced Cryptographic Provider v1.0", 1, 0xF0000000); |
11 |
CryptCreateHash(hProv,0x8004,0,0,&hHash); |
12 |
CryptHashData(hHash,(constBYTE *)lpszPwd,strlen((const char*)lpszPwd),0); |
13 |
CryptDeriveKey(hProv,0x6801,hHash,0,&hKey); |
14 |
CryptDestroyHash(hHash); |
16 |
/**************************************************************/ |
17 |
HANDLEpInFile,pOutFile;//文件句柄 |
18 |
DWORDdwReadLen = 0x400 ,dwReadSize ,dwWriteSize;//想要读取的数据长度;实际读取文件大小;实际写入数据 |
21 |
pInFile = ::CreateFile(strEvidencePath.c_str(), GENERIC_READ, 0, NULL, OPEN_EXISTING, |
22 |
FILE_ATTRIBUTE_NORMAL | FILE_ATTRIBUTE_READONLY, NULL); //用这个函数比OpenFile好 |
23 |
if( pInFile == INVALID_HANDLE_VALUE) |
25 |
CloseHandle(pInFile); //一定注意在函数退出之前对句柄进行释放。 |
30 |
pOutFile = ::CreateFile(strDstPath.c_str(), GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, |
31 |
FILE_ATTRIBUTE_NORMAL, NULL); //用这个函数比OpenFile好 |
32 |
if( pOutFile == INVALID_HANDLE_VALUE) |
34 |
CloseHandle(pOutFile); //一定注意在函数退出之前对句柄进行释放。 |
38 |
/**************************************************************/ |
39 |
BYTEszBuf[0x400 + 1] = {0}; //__in__out 输入加密内容,输出解密后内容 |
44 |
ReadFile(pInFile, szBuf, dwReadLen, &dwReadSize, NULL); |
46 |
if(dwReadLen < dwReadSize) |
47 |
CryptDecrypt(hKey,0,TRUE,0,szBuf,&dwReadLen); |
49 |
CryptDecrypt(hKey,0,TRUE,0,szBuf,&dwReadSize); |
51 |
WriteFile(pOutFile,szBuf,dwReadSize,&dwWriteSize,NULL); |
53 |
memset(szBuf,0,0x400 + 1); |
54 |
}while( dwReadSize == dwReadLen); |
57 |
CloseHandle(pOutFile); |
Https://www.0xaa55.com/forum.php?mod=viewthread&tid=1787&extra=page%3D1
The whole process of reverse analysis of new fetion chat record
