From 6a58ad71b10fd8b874f43b92d7a8b169f794729b Mon Sep 17 00:00:00 2001
From: hugy <504650082@qq.com>
Date: Mon, 27 Mar 2023 23:00:22 +0800
Subject: [PATCH] =?UTF-8?q?=E5=BE=AE=E4=BF=A1=E6=95=B0=E6=8D=AE=E5=BA=93?=
 =?UTF-8?q?=E8=A7=A3=E5=AF=86=E5=B7=A5=E5=85=B7?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 README.md         |  2 +-
 python/decrpty.py | 51 +++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 52 insertions(+), 1 deletion(-)
 create mode 100644 python/decrpty.py

diff --git a/README.md b/README.md
index 5094062..31b2b53 100644
--- a/README.md
+++ b/README.md
@@ -23,7 +23,7 @@ dll在注入成功时，创建了一个默认端口为19088的http服务端，
 源码和主要实现在相应的分支内。  
 src:主要的dll代码  
 tool：简单的注入工具，一个是控制台，一个是图形界面。  
-python: 简单的服务器，用以接收消息内容。    
+python: tcpserver.py: 简单的服务器，用以接收消息内容。decrpty.py: 微信数据库解密工具。      
 source: 简单的命令行远程注入源码。   
 
 
diff --git a/python/decrpty.py b/python/decrpty.py
new file mode 100644
index 0000000..d1802a2
--- /dev/null
+++ b/python/decrpty.py
@@ -0,0 +1,51 @@
+import ctypes
+import hashlib
+import hmac
+
+# pip install pycryptodome
+from Crypto.Cipher import AES
+
+
+def decrypt(password, input_file, out_file):
+    password = bytes.fromhex(password.replace(' ', ''))
+    with open(input_file, 'rb') as (f):
+        blist = f.read()
+    print(len(blist))
+    salt = blist[:16]
+    key = hashlib.pbkdf2_hmac('sha1', password, salt, DEFAULT_ITER, KEY_SIZE)
+    first = blist[16:DEFAULT_PAGESIZE]
+    mac_salt = bytes([x ^ 58 for x in salt])
+    mac_key = hashlib.pbkdf2_hmac('sha1', key, mac_salt, 2, KEY_SIZE)
+    hash_mac = hmac.new(mac_key, digestmod='sha1')
+    hash_mac.update(first[:-32])
+    hash_mac.update(bytes(ctypes.c_int(1)))
+    if hash_mac.digest() == first[-32:-12]:
+        print('decrypt success')
+    else:
+        print('password error')
+        return
+    blist = [blist[i:i + DEFAULT_PAGESIZE] for i in range(DEFAULT_PAGESIZE, len(blist), DEFAULT_PAGESIZE)]
+    with open(out_file, 'wb') as (f):
+        f.write(SQLITE_FILE_HEADER)
+        t = AES.new(key, AES.MODE_CBC, first[-48:-32])
+        f.write(t.decrypt(first[:-48]))
+        f.write(first[-48:])
+        for i in blist:
+            t = AES.new(key, AES.MODE_CBC, i[-48:-32])
+            f.write(t.decrypt(i[:-48]))
+            f.write(i[-48:])
+
+
+def main():
+    password = '565735E30E474DA09250CB5AA047E3940FFA1C6F767C4263B13ABB512933DA49'
+    input_file = 'C:/var/Applet.db'
+    out_file = 'c:/var/out/Applet.db'
+    decrypt(password, input_file, out_file)
+
+
+if __name__ == '__main__':
+    SQLITE_FILE_HEADER = bytes('SQLite format 3', encoding='ASCII') + bytes(1)
+    KEY_SIZE = 32
+    DEFAULT_PAGESIZE = 4096
+    DEFAULT_ITER = 64000
+    main()