逆向某钉数据库加密算法

逆向某钉数据库加密算法

十一月 13, 2019

逆向某钉数据库加密算法

工具:jadx-gui-0.9.0 frida ida

阿里数据库一贯加密数据库so文件:libdatabase_sqlcrypto.so

lib.png

喵进去搜一搜,可发现是AES128加密

aes.png

跟进去分析可看到数据库初始化函数,疑似密钥拷贝函数

passcopy.png

分析还原下关键代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
#include "sqlite3.c"
#include "aes.h"

#define KEYLENGTH 16

typedef struct _codec_ctx
{
char *pszPass;
int nPassLen;

aes_ctx m_ctxde;
aes_ctx m_ctxen;

Btree* m_bt; /* Pointer to B-tree used by DB */

}codec_ctx;



void* sqlite3Codec(void *iCtx, void *data, Pgno pgno, int mode)
{
codec_ctx *ctx = (codec_ctx *) iCtx;
unsigned char *pData = (unsigned char *) data;
int pageSize = sqlite3BtreeGetPageSize(ctx->m_bt);
int nBlock = pageSize / 16;
int i;
unsigned char szTmp[16];

switch(mode) {
case 0: /* decrypt */
case 2:
case 3:
for (i = 0; i < nBlock; i++)
{
aes_decrypt(&pData[i * 16], szTmp, &ctx->m_ctxde);
memcpy(&pData[i * 16], szTmp, 16);
}
break;

case 6: /* encrypt */
for (i = 0; i < nBlock; i++)
{
aes_encrypt(&pData[i * 16], szTmp, &ctx->m_ctxen);
memcpy(&pData[i * 16], szTmp, 16);
}
break;

case 7: /* Encrypt a page for the journal file */
for (i = 0; i < nBlock; i++)
{
aes_encrypt(&pData[i * 16], szTmp, &ctx->m_ctxde);
memcpy(&pData[i * 16], szTmp, 16);
}
break;
}

return data;
}


void sqlite3FreeCodecArg(void *pCodecArg)
{
codec_ctx *ctx = (codec_ctx *)pCodecArg;
if(pCodecArg == NULL)
return;

sqlite3_free(ctx->pszPass);
memset(ctx, 0, sizeof(codec_ctx));
sqlite3_free(ctx);
}


int sqlite3CodecAttach(sqlite3* db, int nDb, const void* zKey, int nKey)
{
struct Db *pDb = &db->aDb[nDb];

if(nKey && zKey && pDb->pBt)
{
codec_ctx *ctx = sqlite3Malloc(sizeof(codec_ctx));

aes_decrypt_key128((const unsigned char *)zKey, &ctx->m_ctxde);
aes_encrypt_key128((const unsigned char *)zKey, &ctx->m_ctxen);

ctx->m_bt = pDb->pBt; /* assign pointer to database btree structure */
ctx->pszPass = (char *)sqlite3Malloc(nKey + 1);
memcpy(ctx->pszPass, zKey, nKey);
ctx->pszPass[nKey] = '\0';
ctx->nPassLen = nKey;

sqlite3PagerSetCodec(sqlite3BtreePager(pDb->pBt), sqlite3Codec, NULL, sqlite3FreeCodecArg, (void *) ctx);

}

return SQLITE_OK;
}


void sqlite3pager_get_codec(Pager *pPager, void **ctx)
{
*ctx = pPager->pCodec;
}


void sqlite3CodecGetKey(sqlite3* db, int nDb, void** zKey, int* nKey)
{
struct Db *pDb = &db->aDb[nDb];

if( pDb->pBt ) {
codec_ctx *ctx;
sqlite3pager_get_codec(pDb->pBt->pBt->pPager, (void **) &ctx);

if(ctx)
{
*zKey = ctx->pszPass;
*nKey = ctx->nPassLen;
}
else
{
*zKey = NULL;
*nKey = 0;
}
}
}

void sqlite3_activate_see(const char *info)
{
//ɶҲһԃض
}

int sqlite3_rekey(sqlite3 *db, const void *zKey, int nKey)
{

return SQLITE_ERROR;
}

int sqlite3_key(sqlite3 *db, const void *zKey, int nKey)
{
/* The key is only set for the main database, not the temp database */
return sqlite3CodecAttach(db, 0, zKey, nKey);
}

HOOK 关键函数,打印参数

hook.png

Hook 脚本:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
# -*- coding:utf-8 -*-
import frida,sys


def on_message(message,data):
if message['type']=='send':
print("[*] {0}".format(message['payload']))
else:
print(message)

jscode="""
console.log("Script loaded successfully ");
Java.perform(function(){

var nativePointer=Module.findExportByName("libdatabase_sqlcrypto.so","aes_decrypt_key128");
send("aes_decrypt_key128:"+nativePointer);
Interceptor.attach(nativePointer,{
onEnter:function(args){
send("-----aes_decrypt_key128....");
send(Memory.readCString(args[0]));
send("111decrypt[2]:"+Memory.readCString(args[1]));
send("111decrypt[3]"+args[2]);

},
});
var nativePointer=Module.findExportByName("libdatabase_sqlcrypto.so","aes_encrypt_key128");
send("aes_encrypt_key128:"+nativePointer);
Interceptor.attach(nativePointer,{
onEnter:function(args){
send("-----aes_encrypt_key128....");
send(Memory.readCString(args[0]));
send("222encrypt[2]"+Memory.readCString(args[1]));
send("222encrypt[3]"+args[2]);

},
});

var nativePointer=Module.findExportByName("libdatabase_sqlcrypto.so","sqlite3CodecAttach");
send("sqlite3CodecAttach:"+nativePointer);
Interceptor.attach(nativePointer,{
onEnter:function(args){
send("-----sqlite3CodecAttach....");
send("Attach[1]:"+args[0]);
send("Attach_Memory[1]:"+Memory.readCString(args[0]));
send("Attach[2]:"+args[1]);
send("Attach[3]:"+Memory.readUtf8String(args[2]));
send("Attach[4]:"+args[3]);
},
});



});
"""

process=frida.get_usb_device().attach('com.alibaba.android.rimet')
script=process.create_script(jscode)
script.on('message',on_message)
script.load()
sys.stdin.read()

跟踪分析java代码, 在 SQLiteConnection 中有个 open 函数里面调用了setEncryptKey, 又调用了 Excute

setEncryptKey.png

可以看见”PRAGMA rekey=”+password, HOOK 下passowrd 值

Javamd5.png

Hook脚本:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
import frida,sys
def on_message(message,data):
if message['type']=='send':
print("[*] {0}".format(message['payload']))
else:
print(message)

jscode="""
console.log("Script loaded successfully ");
Java.perform(function(){
var haha=Java.use('com.alibaba.sqlcrypto.sqlite.SQLiteDatabaseConfiguration');
var aa=Java.use('java.lang.Class');
var bb=Java.use('java.lang.Exception')
send("HOOK COM...");
haha.$init.overload("java.lang.String","int","java.lang.String").implementation=function(path,openFlags,key){
send("start Hook...");
console.log("xxxx:"+key);
send("over-----------------------------------------------------");
}
});
"""

process=frida.get_usb_device().attach('com.alibaba.android.rimet')
script=process.create_script(jscode)
script.on('message',on_message)
script.load()
sys.stdin.read()

开始追password ,过程跳过,最终的密钥赋值函数

javakey.png

加密密钥参数比较简单,设备的5个参数 中间加”/”

测试结果

argsmd5.png

解密数据库调用 openssl 第三方库,解密测试代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
#include <string>
#include <fstream>
#include <setjmp.h>
#include <openssl/evp.h>

using namespace std;

#define B2L32(A) ((((unsigned int)(A) & 0xff000000) >> 24) | \
(((unsigned int)(A) & 0x00ff0000) >> 8) | \
(((unsigned int)(A) & 0x0000ff00) << 8) | \
(((unsigned int)(A) & 0x000000ff) << 24))

void walChecksumBytes(
int nativeCksum, /* True for native byte-order, false for non-native */
uint8_t *a, /* Content to be checksummed */
int nByte, /* Bytes of content in a[]. Must be a multiple of 8. */
const uint32_t *aIn, /* Initial checksum value input */
uint32_t *aOut /* OUT: Final checksum value output */
) {
uint32_t s1, s2;
uint32_t *aData = (uint32_t *)a;
uint32_t *aEnd = (uint32_t *)&a[nByte];

if (aIn) {
s1 = aIn[0];
s2 = aIn[1];
}
else {
s1 = s2 = 0;
}

if (nativeCksum) {
do {
s1 += *aData++ + s2;
s2 += *aData++ + s1;
} while (aData<aEnd);
}
else {
do {
s1 += B2L32(aData[0]) + s2;
s2 += B2L32(aData[1]) + s1;
aData += 2;
} while (aData<aEnd);
}

aOut[0] = s1;
aOut[1] = s2;
}

void DecryptFile(string srcDB, string dstDB, string key)
{
ifstream dbif;
ofstream dbof;

EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
if (EVP_DecryptInit(ctx, EVP_aes_128_ecb(), (const uint8_t *)key.c_str(), NULL) != 1) {
EVP_CIPHER_CTX_free(ctx);
return;
}

EVP_CIPHER_CTX_set_padding(ctx, 0);

jmp_buf exitEntry;
switch (setjmp(exitEntry)) {
case 0:
break;
case -3:
dbof.close();
case -2:
dbof.close();
case -1:
EVP_CIPHER_CTX_free(ctx);
return;
default:
break;
}

dbif.open(srcDB, ios::binary | ios::in);
if (!dbif.is_open()) {
return;
}

dbof.open(dstDB, ios::binary | ios::out | ios::trunc);
if (!dbof.is_open()) {
return;
}

uint8_t inbuff[16];
uint8_t outbuff[16];
int outLen = 0;
size_t rd;

while (!dbif.eof() && dbif.good()) {
dbif.read((char *)inbuff, 16);
rd = dbif.gcount();
if (rd != 16) {
break;
}

if (EVP_DecryptUpdate(ctx, outbuff, &outLen, inbuff, (int)rd) != 1) {
break;
}

dbof.write((char *)outbuff, 16);
}

EVP_DecryptFinal(ctx, outbuff, &outLen);
if (outLen > 0) {
dbof.write((char *)outbuff, outLen);
}

dbif.close();
dbof.close();
}

void DecryptFileWal(string src, string dst, string key)
{
ifstream dbif;
ofstream dbof;

EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
if (EVP_DecryptInit(ctx, EVP_aes_128_ecb(), (const uint8_t*)key.c_str(), NULL) != 1) {
EVP_CIPHER_CTX_free(ctx);
return;
}

EVP_CIPHER_CTX_set_padding(ctx, 0);

jmp_buf exitEntry;
switch (setjmp(exitEntry))
{
case 0:
break;
case -3:
dbof.close();
case -2:
dbif.close();
case -1:
EVP_CIPHER_CTX_free(ctx);
return;
default:
break;
}

dbif.open(src, ios::binary | ios::in);
if (!dbif.is_open()) {
return;
}

dbof.open(dst, ios::binary | ios::out | ios::trunc);
if (!dbof.is_open()) {
return;
}

//先读取wal文件32字节头部
uint8_t walHead[32];
uint32_t cksum[2];
uint32_t pageSize;
dbif.read((char *)walHead, 32);
dbof.write((char *)walHead, 32);
pageSize = B2L32(*(uint32_t *)&walHead[8]);
cksum[0] = B2L32(*(uint32_t *)&walHead[24]);
cksum[1] = B2L32(*(uint32_t *)&walHead[28]);

uint8_t inbuff[0x1000];
uint8_t outbuff[0x1000];
int outLen = 0;
size_t rd;

uint8_t frameHead[24];
while (!dbif.eof() && dbif.good()) {
//读取24字节frame头部
dbif.read((char *)frameHead, 24);
rd = dbif.gcount();
if (rd != 24)
{
break;
}

dbif.read((char*)inbuff, pageSize);
rd = dbif.gcount();
if (rd != pageSize) {
break;
}

if (EVP_DecryptUpdate(ctx, outbuff, &outLen, inbuff, (int)rd) != 1) {
break;
}

walChecksumBytes(1, frameHead, 8, cksum, cksum);
walChecksumBytes(1, outbuff, pageSize, cksum, cksum);
*(uint32_t *)&frameHead[16] = B2L32(cksum[0]);
*(uint32_t *)&frameHead[20] = B2L32(cksum[1]);
dbof.write((char *)frameHead, 24);
dbof.write((char *)outbuff, pageSize);
}

EVP_DecryptFinal(ctx, outbuff, &outLen);
if (outLen > 0) {
dbof.write((char*)outbuff, outLen);
}

EVP_CIPHER_CTX_free(ctx);

dbif.close();
dbof.close();
}

int main(int argc, char *argv[])
{
string key = "1d8d67d43bd27a77155e2669971b29a4";
string srcDB = "db.sqlite";
string dstDB = "dst.sqlite";
string srcWal = "db.sqlite-wal";
string dstWal = "dst.sqlite-wal";

DecryptFile(srcDB, dstDB, key);
DecryptFileWal(srcWal, dstWal, key);

return 0;
}