// frida [-U/-R/-H/-D] QQ -l ios_get_key.js
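const ModuleName = "QQ";
// QQ(iOS) v9.0.1.620
// SQLCipher v4.5.1
// sqlite3_key_v2 is located by a fixed offset from the QQ image base, so this
// value is only valid for the exact build named above. Another build (or a
// different SQLCipher revision, which may also move the struct offsets used in
// getFilenameFromDB) would hook an unrelated address: re-derive the offset from
// the target binary before reusing this script.
const SQLLiteKeyV2Offset = 0xDA1BFB4;
// Module.findBaseAddress() returns null when the image is not loaded; fail with
// a message instead of a bare TypeError from `.add` on null.
const qqBaseAddr = Module.findBaseAddress(ModuleName);
if (qqBaseAddr === null) {
  throw new Error(`module "${ModuleName}" is not loaded in the target process; attach to the QQ process (frida -U ${ModuleName} -l ios_get_key.js)`);
}
const sqlLiteKeyV2Addr = qqBaseAddr.add(SQLLiteKeyV2Offset);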
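/**
 * Render a byte buffer as a comma-separated list of `0x..` bytes
 * (e.g. `0x00, 0xff`); this is the form used to print the raw SQLCipher key.
 *
 * @param {ArrayBuffer|ArrayLike<number>|null} buffer - bytes to render; anything
 *   `Uint8Array` accepts (readByteArray() yields an ArrayBuffer, or null for a
 *   NULL pointer)
 * @returns {string} the hex listing, or "" for an empty or absent buffer
 *   (previously a bare "0x" was returned, which reads like a one-byte key)
 */
function buf2hex(buffer) {
  const bytes = new Uint8Array(buffer == null ? 0 : buffer);
  if (bytes.length === 0) {
    return "";
  }
  // Each byte is zero-padded to two hex digits so 0x0a is not printed as 0xa.
  return Array.from(bytes, (b) => "0x" + ("0" + b.toString(16)).slice(-2)).join(", ");
}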
/**
 * Decode a byte buffer as text, one character per byte (Latin-1 style:
 * 0x41 -> "A", 0xE9 -> "\u00e9"). No UTF-8 decoding is attempted, so a key
 * made of raw bytes comes out as unprintable characters; use buf2hex for those.
 *
 * @param {ArrayBuffer|ArrayLike<number>} buffer - bytes, anything `Uint8Array` accepts
 * @returns {string} the decoded text; "" for an empty buffer
 */
function buf2str(buffer) {
  const bytes = new Uint8Array(buffer);
  return Array.from(bytes, (b) => String.fromCharCode(b)).join("");
}
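/**
 * Recover the on-disk path of a database connection by walking
 * sqlite3 -> aDb[0].pBt -> Btree.pBt (BtShared) -> pPager -> zFilename.
 *
 * The field offsets are hard-coded for the 64-bit struct layout of the
 * SQLCipher revision linked below and are not validated at runtime; on a
 * different SQLCipher/SQLite build they silently read the wrong fields, which
 * shows up either as an access violation (caught below) or as garbage text.
 * Only the first Db entry is followed (aDb[0], the "main" database in SQLite),
 * whatever zDb the key call names — presumably fine for QQ, confirm if attached
 * databases ever show up.
 *
 * @param {NativePointer} sqlite3 - Database connection (struct sqlite3)
 * {@link https://github.com/sqlcipher/sqlcipher/blob/2c672e7dd1f3dee4aa1af0b5bf29092db4b10f78/src/sqliteInt.h#L1513-L1655}
 * @returns {string} Name of the database file; "" when the walk fails or the
 *   name pointer is NULL (the failure is reported on the console so a wrong
 *   offset is not mistaken for an unnamed database)
 */
function getFilenameFromDB(sqlite3) {
  try {
    const db = sqlite3.add(0x8 * 5).readPointer(); // sqlite3->aDb: all backends (Db *)
    const pBt = db.add(0x8).readPointer(); // Db->pBt: the B*Tree structure for this database file (Btree *)
    const pBtShared = pBt.add(0x8).readPointer(); // Btree->pBt: sharable content of this btree (BtShared *)
    const pPager = pBtShared.add(0x0).readPointer(); // BtShared->pPager: the page cache (Pager *)
    const zFilename = pPager.add(208).readPointer(); // Pager->zFilename: name of the database file (char *)
    if (zFilename.isNull()) {
      return "";
    }
    const name = zFilename.readCString();
    return name === null ? "" : name;
  } catch (e) {
    // Best effort: a bad pointer walk must not abort the hook, but say so,
    // otherwise a wrong offset just looks like every call being filtered out.
    console.error(`getFilenameFromDB: could not read filename from db ${sqlite3}: ${e}`);
    return "";
  }
}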
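/*
int sqlite3_key_v2(sqlite3 *db, const char *zDb, const void *pKey, int nKey);
*/
Interceptor.attach(sqlLiteKeyV2Addr, {
  /**
   * Dump the key material of every sqlite3_key_v2() call that targets a QQ
   * "NT" database: a file two directories below `nt_db`, or one named
   * `nt_msg.db`. Calls on any other database are ignored.
   *
   * The key is printed twice: as a Latin-1 string (readable when the app
   * passes a passphrase) and as hex bytes. The hex form together with nKey is
   * the unambiguous record; the string form may be unprintable for raw keys.
   *
   * @param {InvocationArguments} args - [db, zDb, pKey, nKey] as passed to sqlite3_key_v2
   */
  onEnter: function (args) {
    const dbPtr = args[0];
    const zDbPtr = args[1];
    const pKeyPtr = args[2];
    const nKey = args[3].toInt32();
    // Filter on the file name first so calls on unrelated databases stay silent.
    // getFilenameFromDB may hand back null on a NULL name pointer; never .split() that.
    const zFilename = getFilenameFromDB(dbPtr) || "";
    const pathParts = zFilename.split("/");
    const dirName = pathParts[pathParts.length - 3];
    const dbName = pathParts[pathParts.length - 1];
    if (dirName !== "nt_db" && dbName !== "nt_msg.db") {
      return;
    }
    // nKey <= 0 or a NULL pKey carries no key material (and a negative length
    // would make readByteArray throw); log the call with an empty key instead.
    const keyBytes = (nKey > 0 && !pKeyPtr.isNull()) ? pKeyPtr.readByteArray(nKey) : new ArrayBuffer(0);
    // zDb may be NULL here — presumably meaning the main database, as elsewhere
    // in SQLite; print it as null rather than dereferencing it.
    const zDb = zDbPtr.isNull() ? null : zDbPtr.readUtf8String();
    console.log(`¦- db: ${dbPtr}`);
    console.log(`¦- *zDb: ${zDb}`);
    console.log(`¦- *pkey: ${buf2str(keyBytes)}`);
    console.log(`¦- *pkey-hex: ${buf2hex(keyBytes)}`);
    console.log(`¦- nKey: ${nKey}`);
    console.log(`¦+`);
    console.log(`¦- zFilename: ${zFilename}`);
    console.log("+------------");
  }
});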