Wechat: RyukieW

Preface

I was inspired by a personal project, so I found a product that offered similar functions and got ready to do a round of reverse research. I got the IPA package and found the database file inside it. But I ran into a problem when I tried to take a look at the database.

The database is encrypted 🤷♂️

As bald reverse engineers (not really), how can we give up so easily?

Define the reverse-engineering targets:

  • Obtain the database password
  • Remove the database password

Happily, it was finally done 👌

1. Locate the database SDK

Let's see what's in the Frameworks folder of the IPA.

Is it using Core Data? Let's dig a little further.

2. Mach-O analysis

We use Hopper for the analysis: drop the executable (the Mach-O) from the IPA into Hopper.

Oh ho ~ it is obviously using FMDB. All right, let's locate the encryption function.

Locate the password function

Look through the FMDB API for the entry point. Found it: - (BOOL)setKey:(NSString*)key; Time to get ready to hook it.

@interface FMDatabase : NSObject

/** Set encryption key.

 @param key The key to be used.

 @return `YES` if success, `NO` on error.

 @see http://www.sqlite-encrypt.com/develop-guide.htm

 @warning You need to have purchased the sqlite encryption extensions for this method to work.
 */

- (BOOL)setKey:(NSString*)key;

@end

3. Hook the target function

Decrypting the app (you need a jailbroken phone), re-signing and Logos are not covered here, as they are not the focus of this article. If you want to read more about them, leave a comment and I'll write a few separate posts.

A simple hook, written in Logos syntax:

@interface FMDatabase : NSObject
- (BOOL)setKey:(NSString *)key;
@end

%hook FMDatabase
// The original method returns BOOL, so the hook must keep the same
// signature and pass the original result back to the caller.
- (BOOL)setKey:(NSString *)key {
    NSLog(@"🔓 Intercepted database password %@", key);
    return %orig; // call the original implementation
}
%end

Run the app, trigger a database operation, and the log shows:

2021-07-24 12:26:26.561085+0800 xx[16475:3222446] 🔓 Intercepted database password XXXX

Yeah ~ successfully intercepted the password 👏
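The hook above works because Logos simply replaces the pointer to the method's implementation at runtime, and that replacement lives in the injected tweak dylib rather than in the app. As an added, defender-side example (not code from the original post or from FMDB), the following Objective-C check asks dladdr() which loaded image currently implements FMDatabase's key-setting methods and flags any that no longer resolve inside the app's own bundle. The helper names and the reaction on failure are assumptions for this example; the class and selector names are FMDB's.

```objective-c
#import <Foundation/Foundation.h>
#import <objc/runtime.h>
#import <dlfcn.h>

// Added example, not code from the original post or from FMDB.
// A %hook (or any method swizzle) replaces the IMP stored in the class's
// method list with a function compiled into the tweak .dylib. dladdr()
// reports which loaded image an address belongs to, so a method whose IMP
// is outside the app's own .app directory has been redirected.
static BOOL LRMethodImplementedInsideBundle(Class cls, SEL sel, NSString *bundlePath) {
    Method method = class_getInstanceMethod(cls, sel);
    if (method == NULL) {
        return NO;                          // selector not implemented at all
    }
    IMP imp = method_getImplementation(method);
    Dl_info info;
    if (dladdr((const void *)imp, &info) == 0 || info.dli_fname == NULL) {
        return NO;                          // address not in any loaded image
    }
    NSString *image = [NSString stringWithUTF8String:info.dli_fname];
    NSLog(@"%@ is implemented in %@", NSStringFromSelector(sel), image);
    // Expected: the main executable or Frameworks/*.framework inside the bundle.
    return [image hasPrefix:bundlePath];
}

// Call this before the key is supplied for the first time. What to do on
// failure (refuse to open the store, report to the backend, ...) is the
// app's policy and is only logged here.
static BOOL LRDatabaseKeyEntryPointsAreIntact(void) {
    NSString *bundlePath = [[NSBundle mainBundle] bundlePath];
    Class dbClass = NSClassFromString(@"FMDatabase");
    if (dbClass == Nil) {
        return YES;                         // FMDB not linked, nothing to check
    }
    NSArray<NSString *> *selectors = @[ @"setKey:", @"setKeyWithData:" ];
    BOOL intact = YES;
    for (NSString *name in selectors) {
        if (!LRMethodImplementedInsideBundle(dbClass, NSSelectorFromString(name), bundlePath)) {
            NSLog(@"⚠️ %@ has been redirected outside the app bundle", name);
            intact = NO;
        }
    }
    return intact;
}
```

On an unmodified install both selectors resolve to the app binary or to the FMDB framework shipped in Frameworks/, so the function returns YES; with the tweak from this section loaded, setKey: resolves to the tweak's dylib path instead. The check only raises the bar: a tweak can also hook dladdr() or patch the check itself, which is the same point the post makes in its summary.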

4. Remove the password

Let’s make a copy of the database file first.

Use my small tool RemoveDataBasePassword to produce a copy of the database without the password.

The resulting database file, with the password removed, opens normally.

4.1 Usage of RemoveDataBasePassword

GitHub: RemoveDataBasePassword

If it helps you, leave a little star ⭐️ ~

  1. Drag your database file into the project
  2. Change YourDataBasePassWord to your database password
  3. Change YourDataBaseName to the name of your database file
  4. Run the program in the simulator
  5. When "Click" appears on screen, tap the screen
  6. Check the log for the path of the output file
  7. Enjoy!

4.2 Navicat error

I have been using Navicat to inspect databases, but when I open the database with the password removed, it reports an error.

It reports an error, but that doesn't matter.

Double-click main to continue browsing the data.

5. Summary and reflections

The whole research process went relatively smoothly, and it also reminded me:

  • If the information in a local database is important, just adding a password to the database is not enough
  • Anyone who knows a bit about reverse engineering can get it easily
  • I feel it is time to share some protective measures with you
  • Likes, comments and discussion are welcome
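To give one concrete protective measure in the spirit of the summary, here is an added Objective-C example (not the post's or FMDB's own code) that replaces a shared, hardcoded database password with a random per-install key kept in the Keychain and passed to FMDB through -setKeyWithData:. The service and account names, the helper names and the FMDB import path are assumptions for this example.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <string.h>
#import <FMDB/FMDB.h>   // assumed import path; provides FMDatabase

// Added example, not code from the original post or from FMDB.
// The key is generated randomly on first use, stored in the Keychain with a
// this-device-only accessibility class, and handed to FMDB as bytes. No
// password string ships inside the IPA or is shared between installs.
static NSString *const kLRKeyService = @"com.example.dbkey";   // assumed name
static NSString *const kLRKeyAccount = @"sqlcipher-key";       // assumed name

static NSMutableDictionary *LRBaseQuery(void) {
    return [@{ (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
               (__bridge id)kSecAttrService: kLRKeyService,
               (__bridge id)kSecAttrAccount: kLRKeyAccount } mutableCopy];
}

// Returns the 32-byte key, creating it on first use; nil on Keychain failure.
static NSData *LRLoadOrCreateDatabaseKey(void) {
    NSMutableDictionary *query = LRBaseQuery();
    query[(__bridge id)kSecReturnData] = @YES;
    query[(__bridge id)kSecMatchLimit] = (__bridge id)kSecMatchLimitOne;
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (status == errSecSuccess) {
        return (__bridge_transfer NSData *)result;   // existing key
    }
    if (status != errSecItemNotFound) {
        return nil;                                  // locked keychain, etc.
    }

    uint8_t bytes[32];
    if (SecRandomCopyBytes(kSecRandomDefault, sizeof(bytes), bytes) != errSecSuccess) {
        return nil;
    }
    NSData *key = [NSData dataWithBytes:bytes length:sizeof(bytes)];
    memset_s(bytes, sizeof(bytes), 0, sizeof(bytes));   // don't leave the key on the stack

    NSMutableDictionary *add = LRBaseQuery();
    add[(__bridge id)kSecValueData] = key;
    // Readable only while the device is unlocked and never migrated to
    // another device through a backup.
    add[(__bridge id)kSecAttrAccessible] =
        (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly;
    status = SecItemAdd((__bridge CFDictionaryRef)add, NULL);
    return status == errSecSuccess ? key : nil;
}

// Opens the store with the Keychain-held key; NO if the key or the file is unavailable.
static BOOL LROpenEncryptedDatabase(FMDatabase *db) {
    NSData *key = LRLoadOrCreateDatabaseKey();
    if (key == nil || ![db open]) {
        return NO;
    }
    return [db setKeyWithData:key];
}
```

With this layout, copying the IPA and the database file off one device yields nothing usable elsewhere, because the key exists only in that device's Keychain. On a jailbroken device a hook like the one in section 3, placed on setKeyWithData:, still sees the bytes at the moment they are passed in, which is exactly why the post concludes that a password alone is not enough.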