前置条件
frida, frida-tools, adb
获取密码
h.js
console.log('script loaded successfully');function xx() {function strf(str, replacements) {return str.replace(/\$\{\w+\}/g, function(placeholderWithDelimiters) {var placeholderWithoutDelimiters = placeholderWithDelimiters.substring(2, placeholderWithDelimiters.length - 1);var stringReplacement = replacements[placeholderWithoutDelimiters];return stringReplacement;});}function x_db() {var String = Java.use("java.lang.String");var SQLiteDatabase = Java.use("com.tencent.wcdb.database.SQLiteDatabase");SQLiteDatabase["openDatabase"].overload('java.lang.String', '[B', 'com.tencent.wcdb.database.SQLiteCipherSpec', 'com.tencent.wcdb.database.SQLiteDatabase$CursorFactory', 'int', 'com.tencent.wcdb.DatabaseErrorHandler', 'int').implementation = function (str, bArr, sQLiteCipherSpec, cursorFactory, i2, databaseErrorHandler, i3) {console.log(strf('str=${0} bArr=${1}', [str, bArr == null ? "" : String.$new(bArr)]));var result = this["openDatabase"](str, bArr, sQLiteCipherSpec, cursorFactory, i2, databaseErrorHandler, i3);return result;};}Java.perform(function () {x_db();});
}setTimeout(xx, 0);
frida -U -l h.js --no-pause -f com.tencent.mm
拉取数据库到本地
adb pull /data/user/0/com.tencent.mm/MicroMsg/替换成你自己的字符串/EnMicroMsg.db .
下载 sqlcipher
sqlcipher-shell64.exe EnMicroMsg.dbsqlite> PRAGMA key = '你自己的密钥';
sqlite> PRAGMA cipher_use_hmac = off;
sqlite> PRAGMA kdf_iter = 4000;
sqlite> PRAGMA cipher_page_size = 1024;
sqlite> PRAGMA cipher_hmac_algorithm = HMAC_SHA1;
sqlite> PRAGMA cipher_kdf_algorithm = PBKDF2_HMAC_SHA1;
sqlite> ATTACH DATABASE 'plaintext.db' AS plaintext KEY '';
sqlite> SELECT sqlcipher_export('plaintext');sqlite> DETACH DATABASE plaintext;
下载DB Browser for SQLite
选择plaintext.db 就可以看到数据啦
)
)
 函数)
)
)
服务安全)
)
