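Decrypting the Android WeChat Database, Part 2
The previous article covered the rule WeChat uses for its database password, along with the related code.
This article explains how to use Xposed to obtain that database password.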
import android.util.Log;

import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage;

public class HookModule implements IXposedHookLoadPackage {
    public static final String TAG = "HookModule";

    @Override
    public void handleLoadPackage(XC_LoadPackage.LoadPackageParam lpparam) throws Throwable {
        Log.e(TAG, "handleLoadPackage");
        // Only act inside the WeChat process.
        if ("com.tencent.mm".equals(lpparam.packageName)) {
            Log.e(TAG, "handleLoadPackage wx start");
            // Resolve the WCDB classes that make up the signature of SQLiteConnectionPool.open().
            Class<?> sqliteDatabase = XposedHelpers.findClass("com.tencent.wcdb.database.SQLiteDatabase", lpparam.classLoader);
            Log.e(TAG, "sqliteDatabase:" + sqliteDatabase);
            Class<?> config = XposedHelpers.findClass("com.tencent.wcdb.database.SQLiteDatabaseConfiguration", lpparam.classLoader);
            Log.e(TAG, "SQLiteDatabaseConfiguration:" + config);
            Class<?> spec = XposedHelpers.findClass("com.tencent.wcdb.database.SQLiteCipherSpec", lpparam.classLoader);
            Log.e(TAG, "SQLiteCipherSpec:" + spec);
            // Hook open(SQLiteDatabase, SQLiteDatabaseConfiguration, byte[], SQLiteCipherSpec, int);
            // the byte[] argument (index 2) carries the database password.
            XposedHelpers.findAndHookMethod("com.tencent.wcdb.database.SQLiteConnectionPool", lpparam.classLoader, "open",
                    sqliteDatabase, config, byte[].class, spec, int.class, new XC_MethodHook() {
                @Override
                protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                    super.beforeHookedMethod(param);
                    byte[] bytes = (byte[]) param.args[2];
                    // The argument is null when a database is opened without a password.
                    if (bytes != null) {
                        Log.e(TAG, "pwd:" + new String(bytes));
                    }
                }

                @Override
                protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                    super.afterHookedMethod(param);
                }
            });
        }
    }
}
As shown in the figure, the corresponding password is c96bc7f.
Let's take the IMEI and the uin and verify the result. (My device is rooted.)
The uin is read from /data/data/com.tencent.mm/shared_prefs/system_config_prefs.xml:
<int name="default_uin" value="1463108995" />
Concatenating the two values and computing the MD5 gives: c96bc7f81c81d322dbef5bbcd1297d24
The result is shown in the figure below:
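The verification steps above as an added Python example (not code from the original article): it reads default_uin from the prefs XML, concatenates IMEI and uin, takes the MD5, and compares the first 7 hex characters with the password the hook logged. The function names, the surrounding <map> element and the all-zero IMEI are assumptions constructed for illustration; the IMEI-then-uin order follows the order in which the article lists the two values.

```python
import hashlib
import xml.etree.ElementTree as ET

# Values quoted in the article.
PAGE_PWD = "c96bc7f"
PAGE_MD5 = "c96bc7f81c81d322dbef5bbcd1297d24"

# Constructed sample file: only the default_uin line comes from the article.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <int name="default_uin" value="1463108995" />
</map>
"""
SAMPLE_IMEI = "000000000000000"  # constructed placeholder, not the author's IMEI


def read_uin(prefs_xml):
    """Return default_uin exactly as stored (kept as text; it may be negative)."""
    root = ET.fromstring(prefs_xml)
    for node in root.iter("int"):
        if node.get("name") == "default_uin":
            return node.get("value")
    raise ValueError("default_uin not found in prefs XML")


def derive_key(imei, uin):
    """Return (full MD5 hex digest, 7-character password) for imei + uin."""
    digest = hashlib.md5((imei + uin).encode("ascii")).hexdigest()
    return digest, digest[:7]


def hook_matches(logged_pwd, imei, prefs_xml):
    """True if the password logged by the hook equals the derived one."""
    _, key = derive_key(imei, read_uin(prefs_xml))
    return logged_pwd.strip().lower() == key


def is_digest_prefix(pwd, digest):
    """True if pwd is the first 7 hex characters of the given MD5 digest."""
    return len(pwd) == 7 and digest.lower().startswith(pwd.lower())


if __name__ == "__main__":
    uin = read_uin(SAMPLE_PREFS)
    digest, key = derive_key(SAMPLE_IMEI, uin)
    print("uin:", uin, "md5:", digest, "key:", key)
    print("article values consistent:", is_digest_prefix(PAGE_PWD, PAGE_MD5))
```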