Android WeChat Database Decryption, Part 2


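The previous article covered the rule WeChat uses to derive its database password, along with the related code.

This article explains how to use Xposed to obtain the corresponding database password.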

import android.util.Log;

import java.nio.charset.StandardCharsets;

import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage;

public class HookModule implements IXposedHookLoadPackage {

    public static final String TAG = "HookModule";

    @Override
    public void handleLoadPackage(XC_LoadPackage.LoadPackageParam lpparam) throws Throwable {
        Log.e(TAG, "handleLoadPackage");
        // Only act inside the WeChat process.
        if ("com.tencent.mm".equals(lpparam.packageName)) {
            Log.e(TAG, "handleLoadPackage wx start");

            // Resolve the WCDB classes that appear in the signature of SQLiteConnectionPool.open().
            Class<?> sqliteDatabase = XposedHelpers.findClass("com.tencent.wcdb.database.SQLiteDatabase", lpparam.classLoader);
            Log.e(TAG, "sqliteDatabase:" + sqliteDatabase);

            Class<?> config = XposedHelpers.findClass("com.tencent.wcdb.database.SQLiteDatabaseConfiguration", lpparam.classLoader);
            Log.e(TAG, "SQLiteDatabaseConfiguration:" + config);

            Class<?> spec = XposedHelpers.findClass("com.tencent.wcdb.database.SQLiteCipherSpec", lpparam.classLoader);
            Log.e(TAG, "SQLiteCipherSpec:" + spec);

            XposedHelpers.findAndHookMethod("com.tencent.wcdb.database.SQLiteConnectionPool", lpparam.classLoader, "open", sqliteDatabase, config, byte[].class, spec, int.class, new XC_MethodHook() {
                @Override
                protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                    super.beforeHookedMethod(param);
                    // The third argument (index 2) is the database password as a byte array.
                    byte[] bytes = (byte[]) param.args[2];
                    // The argument can be null (no password passed); skip logging in that case.
                    if (bytes != null) {
                        Log.e(TAG, "pwd:" + new String(bytes, StandardCharsets.UTF_8));
                    }
                }
            });
        }
    }
}

As the screenshot shows, the hook yields the corresponding password: c96bc7f.


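Next, we obtain the IMEI and uin to verify the result. (My device is rooted.)

Fetch the file at the path /data/data/com.tencent.mm/shared_prefs/system_config_prefs.xml


Concatenating them and computing the MD5 gives: c96bc7f81c81d322dbef5bbcd1297d24

The result is shown in the figure below: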

[Image 1: Android WeChat Database Decryption 2]
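The verification step above, as an added example (not code from the original article): it reads the uin from a constructed copy of system_config_prefs.xml, hashes the IMEI and uin together, and compares the first seven hex characters with the password logged by the hook. The key name `default_uin`, the IMEI-then-uin order, and all sample values are assumptions.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample of system_config_prefs.xml. The key name "default_uin"
# and every value below are assumptions for illustration, not from the article.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <boolean name="set_service" value="true" />
    <int name="default_uin" value="-1234567890" />
</map>"""
SAMPLE_IMEI = "860000000000001"  # constructed placeholder IMEI


def read_uin(prefs_xml, key="default_uin"):
    """Return the uin exactly as stored: a signed decimal string."""
    for node in ET.fromstring(prefs_xml).iter("int"):
        if node.get("name") == key:
            value = node.get("value", "")
            int(value)  # ValueError if the stored value is not an integer
            return value  # keep the sign: it is part of the hashed string
    raise KeyError(key + " not found in preferences")


def full_digest(imei, uin):
    """MD5 hex digest of the concatenation (IMEI first is an assumption)."""
    return hashlib.md5((imei + uin).encode("utf-8")).hexdigest()


def password_from_digest(digest, length=7):
    """The article's password is the first 7 hex chars of the digest."""
    return digest[:length].lower()


def matches_hooked(imei, uin, hooked):
    """True if the derived prefix equals the password logged by the hook."""
    return password_from_digest(full_digest(imei, uin)) == hooked.strip().lower()


if __name__ == "__main__":
    uin = read_uin(SAMPLE_PREFS)
    digest = full_digest(SAMPLE_IMEI, uin)
    print("uin:", uin)
    print("md5:", digest)
    print("derived password:", password_from_digest(digest))
    # Values from the article: the hooked password is the digest's prefix.
    print(password_from_digest("c96bc7f81c81d322dbef5bbcd1297d24") == "c96bc7f")
```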
