From 6a58ad71b10fd8b874f43b92d7a8b169f794729b Mon Sep 17 00:00:00 2001
From: hugy <504650082@qq.com>
Date: Mon, 27 Mar 2023 23:00:22 +0800
Subject: [PATCH] =?UTF-8?q?=E5=BE=AE=E4=BF=A1=E6=95=B0=E6=8D=AE=E5=BA=93?=
 =?UTF-8?q?=E8=A7=A3=E5=AF=86=E5=B7=A5=E5=85=B7?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 README.md         |  2 +-
 python/decrpty.py | 51 +++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 52 insertions(+), 1 deletion(-)
 create mode 100644 python/decrpty.py

diff --git a/README.md b/README.md
index 5094062..31b2b53 100644
--- a/README.md
+++ b/README.md
@@ -23,7 +23,7 @@ dll在注入成功时,创建了一个默认端口为19088的http服务端,
 源码和主要实现在相应的分支内。
 src:主要的dll代码
 tool:简单的注入工具,一个是控制台,一个是图形界面。
-python: 简单的服务器,用以接收消息内容。
+python: tcpserver.py: 简单的服务器,用以接收消息内容。decrpty.py: 微信数据库解密工具。
 source: 简单的命令行远程注入源码。
diff --git a/python/decrpty.py b/python/decrpty.py
new file mode 100644
index 0000000..d1802a2
--- /dev/null
+++ b/python/decrpty.py
@@ -0,0 +1,51 @@
+import ctypes
+import hashlib
+import hmac
+
+# pip install pycryptodome
+from Crypto.Cipher import AES
+
+
+def decrypt(password, input_file, out_file):
+    password = bytes.fromhex(password.replace(' ', ''))
+    with open(input_file, 'rb') as (f):
+        blist = f.read()
+    print(len(blist))
+    salt = blist[:16]
+    key = hashlib.pbkdf2_hmac('sha1', password, salt, DEFAULT_ITER, KEY_SIZE)
+    first = blist[16:DEFAULT_PAGESIZE]
+    mac_salt = bytes([x ^ 58 for x in salt])
+    mac_key = hashlib.pbkdf2_hmac('sha1', key, mac_salt, 2, KEY_SIZE)
+    hash_mac = hmac.new(mac_key, digestmod='sha1')
+    hash_mac.update(first[:-32])
+    hash_mac.update(bytes(ctypes.c_int(1)))
+    if hash_mac.digest() == first[-32:-12]:
+        print('decrypt success')
+    else:
+        print('password error')
+        return
+    blist = [blist[i:i + DEFAULT_PAGESIZE] for i in range(DEFAULT_PAGESIZE, len(blist), DEFAULT_PAGESIZE)]
+    with open(out_file, 'wb') as (f):
+        f.write(SQLITE_FILE_HEADER)
+        t = AES.new(key, AES.MODE_CBC, first[-48:-32])
+        f.write(t.decrypt(first[:-48]))
+        f.write(first[-48:])
+        for i in blist:
+            t = AES.new(key, AES.MODE_CBC, i[-48:-32])
+            f.write(t.decrypt(i[:-48]))
+            f.write(i[-48:])
+
+
+def main():
+    password = '565735E30E474DA09250CB5AA047E3940FFA1C6F767C4263B13ABB512933DA49'
+    input_file = 'C:/var/Applet.db'
+    out_file = 'c:/var/out/Applet.db'
+    decrypt(password, input_file, out_file)
+
+
+if __name__ == '__main__':
+    SQLITE_FILE_HEADER = bytes('SQLite format 3', encoding='ASCII') + bytes(1)
+    KEY_SIZE = 32
+    DEFAULT_PAGESIZE = 4096
+    DEFAULT_ITER = 64000
+    main()
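Review bot: `SQLITE_FILE_HEADER`, `KEY_SIZE`, `DEFAULT_PAGESIZE` and `DEFAULT_ITER` are assigned inside the `if __name__ == '__main__':` guard but read by `decrypt()`, so importing `decrypt` from another module fails with `NameError` on the first `pbkdf2_hmac` call; they belong at module level. `main()` also commits a 32-byte key as a string literal — even if it is a throwaway, a real WeChat key in git history is exactly what this tool exists to unlock — so take the key and paths from `sys.argv` instead. In the page handling, `bytes(ctypes.c_int(1))` is host-endian (use `(1).to_bytes(4, 'little')`, which also drops the `ctypes` import), only page 1's HMAC is checked so a corrupted later page is decrypted to garbage without any error, and a file whose length is not a multiple of `DEFAULT_PAGESIZE` hands a non-block-aligned tail to `AES.decrypt`, which will raise from inside pycryptodome rather than with a clear message. The excerpt below hoists the constants, swaps `==` for `hmac.compare_digest`, adds the length check and makes `main()` argv-driven (it needs `import sys` at the top).

```python
SQLITE_FILE_HEADER = bytes('SQLite format 3', encoding='ASCII') + bytes(1)
KEY_SIZE = 32
DEFAULT_PAGESIZE = 4096
DEFAULT_ITER = 64000


def decrypt(password, input_file, out_file):
    # … unchanged: read file, derive key and mac_key …
    hash_mac.update(first[:-32])
    hash_mac.update((1).to_bytes(4, 'little'))  # page number; ctypes.c_int is host-endian
    if not hmac.compare_digest(hash_mac.digest(), first[-32:-12]):
        print('password error')
        return
    print('decrypt success')
    if len(blist) % DEFAULT_PAGESIZE:
        raise ValueError('file size is not a multiple of DEFAULT_PAGESIZE')
    # … unchanged: page split and AES-CBC loop …


def main():
    # key (64 hex chars) and paths come from the command line; nothing secret is committed
    password, input_file, out_file = sys.argv[1:4]
    decrypt(password, input_file, out_file)


if __name__ == '__main__':
    main()
```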