QQBackup / qq-win-db-key

QQ chat database decryption for all platforms

key not found #1

Closed saucer-man closed 1 year ago

saucer-man commented 1 year ago

Young-Lord commented 1 year ago

        if (dbName.replaceAll('/', '\\\\').split('\\\\').pop().toLowerCase() == 'Msg3.0.db'.toLowerCase() || false) {
            should_show = true;
            target_db = args[0];
            // disable memory cache
            //console.log("¦- db: " + args[0]);
            key_length = args[2].toInt32()
            console.log("¦- nKey: " + key_length);
            //console.log("¦- pkey: " + args[1]);
            console.log("¦- *pkey: " + buf2hex(args[1].readByteArray(key_length)));
            console.log("¦- dbName: " + name_function_caller(args[0], NULL).readUtf8String());
            //console.log("¦- *pkey: " + buf2hex(Memory.readByteArray(new UInt64(args[1]), key_length)));
            if(key_length == TARGET_KEY_LENGTH){
                Memory.copy(original_password, args[1], key_length)
                should_copy = true;
                send("!!MSG3.0: " + dbName)
                recv('file_path', function(msg){file_path = msg['path']}).wait();
                send("open new db: " + open_function_caller(Memory.allocUtf8String(file_path), new_database_handle))
                new_database_handle_point_to = new_database_handle.readPointer()
                send("decrypt new db: " + key_function_caller(new_database_handle_point_to, original_password, key_length))
                send("rekey new db: " + rekey_function_caller(new_database_handle_point_to, empty_password, key_length))
                send("close new db: " + close_function_caller(new_database_handle_point_to, 0))
                send("!!POS3.0: " + file_path)
            }
        }

Change it to:

        if (dbName.replaceAll('/', '\\\\').split('\\\\').pop().toLowerCase() == 'Msg3.0.db'.toLowerCase() || true) {
            should_show = true;
            target_db = args[0];
            // disable memory cache
            //console.log("¦- db: " + args[0]);
            key_length = args[2].toInt32()
            console.log("¦- nKey: " + key_length);
            //console.log("¦- pkey: " + args[1]);
            console.log("¦- *pkey: " + buf2hex(args[1].readByteArray(key_length)));
            console.log("¦- dbName: " + name_function_caller(args[0], NULL).readUtf8String());
            //console.log("¦- *pkey: " + buf2hex(Memory.readByteArray(new UInt64(args[1]), key_length)));

Run it again and see, then send over KernelUtil.dll.

Young-Lord commented 1 year ago

Also, are you sure the hook was started before logging in?

Young-Lord commented 1 year ago

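(By the way, I misread the first comment, sorry.) Also, try killing qqprotect: "How to permanently disable the 'QQ security protection process (Q盾)' while QQ can still start normally?" - answer by a Zhihu user - Zhihu https://www.zhihu.com/question/265963430/answer/2492603110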

saucer-man commented 1 year ago

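Got the key successfully. Before, it was because I was already logged in when I started the hook. Sorry, I didn't read the documentation carefully.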