解密Android某信聊天记录

frida
android, frida, java

解密Android某信聊天记录

前置条件

frida, frida-tools, adb

获取密码

h.js

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
console.log('script loaded successfully');
function xx() {
    function strf(str, replacements) {
		return str.replace(/\$\{\w+\}/g, function(placeholderWithDelimiters) {
			var placeholderWithoutDelimiters = placeholderWithDelimiters.substring(2, placeholderWithDelimiters.length - 1);
			var stringReplacement = replacements[placeholderWithoutDelimiters];
			return stringReplacement;
		});
	}
    function x_db() {
        var String = Java.use("java.lang.String");
        
        var SQLiteDatabase = Java.use("com.tencent.wcdb.database.SQLiteDatabase");
        SQLiteDatabase["openDatabase"].overload('java.lang.String', '[B', 'com.tencent.wcdb.database.SQLiteCipherSpec', 'com.tencent.wcdb.database.SQLiteDatabase$CursorFactory', 'int', 'com.tencent.wcdb.DatabaseErrorHandler', 'int').implementation = function (str, bArr, sQLiteCipherSpec, cursorFactory, i2, databaseErrorHandler, i3) {
            console.log(strf('str=${0} bArr=${1}', [str, bArr == null ? "" : String.$new(bArr)]));
            var result = this["openDatabase"](str, bArr, sQLiteCipherSpec, cursorFactory, i2, databaseErrorHandler, i3);
            return result;
        };
    }
    
    Java.perform(function () {
		x_db();
    });
}
setTimeout(xx, 0);

1
frida -U -l h.js --no-pause -f com.tencent.mm

拉取数据库到本地

1
adb pull /data/user/0/com.tencent.mm/MicroMsg/替换成你自己的字符串/EnMicroMsg.db .

下载 sqlcipher

1
2
3
4
5
6
7
8
9
10
sqlcipher-shell64.exe EnMicroMsg.db
sqlite> PRAGMA key = '你自己的密钥';
sqlite> PRAGMA cipher_use_hmac = off;
sqlite> PRAGMA kdf_iter = 4000;
sqlite> PRAGMA cipher_page_size = 1024;
sqlite> PRAGMA cipher_hmac_algorithm = HMAC_SHA1;
sqlite> PRAGMA cipher_kdf_algorithm = PBKDF2_HMAC_SHA1;
sqlite> ATTACH DATABASE 'plaintext.db' AS plaintext KEY '';
sqlite> SELECT sqlcipher_export('plaintext');
sqlite> DETACH DATABASE plaintext;

下载DB Browser for SQLite

1
选择plaintext.db 就可以看到数据啦
本文由 xxzkid | 我叫王也道长创作,采用 CC BY 3.0 CN协议 进行许可。 可自由转载、引用,但需署名作者且注明文章出处。
本文标题:解密Android某信聊天记录
本文链接:https://xxzkid.github.io/2024/decrypt-wechat-msg-1/