// Fragment of a hook callback body. Everything it reads or writes (dbName, args,
// buf2hex, the *_function_caller wrappers, the password buffers, the handle
// pointer) is defined outside this snippet.
//
// The condition compares the last path component of dbName, case-insensitively,
// with 'Msg3.0.db'. The trailing `|| false` does not change the result; it is a
// manual switch left in for debugging.
// NOTE(review): the separator is spelled '\\\\' here; presumably this text sits
// inside another string literal that halves the escaping. Confirm against the full file.
if (dbName.replaceAll('/', '\\\\').split('\\\\').pop().toLowerCase() == 'Msg3.0.db'.toLowerCase() || false) {
// Record that this call matched and keep its first argument for later use.
should_show = true;
target_db = args[0];
// disable memory cache
//console.log("¦- db: " + args[0]);
// The third argument is read as a 32-bit integer and used below as the key length in bytes.
key_length = args[2].toInt32()
console.log("¦- nKey: " + key_length);
//console.log("¦- pkey: " + args[1]);
// Prints the raw key bytes (hex-encoded) to the console: treat this output as
// secret material and keep it out of shared logs and pasted issue text.
console.log("¦- *pkey: " + buf2hex(args[1].readByteArray(key_length)));
console.log("¦- dbName: " + name_function_caller(args[0], NULL).readUtf8String());
//console.log("¦- *pkey: " + buf2hex(Memory.readByteArray(new UInt64(args[1]), key_length)));
// Continue only when the key has the expected length (TARGET_KEY_LENGTH is defined elsewhere).
if(key_length == TARGET_KEY_LENGTH){
// Copy key_length bytes from the second argument into original_password.
Memory.copy(original_password, args[1], key_length)
should_copy = true;
send("!!MSG3.0: " + dbName)
// Block until the host side answers with a 'file_path' message; its 'path' field is used below.
recv('file_path', function(msg){file_path = msg['path']}).wait();
// Open the file at file_path through the wrappers, apply the copied key, rekey it
// with empty_password and close it. Each wrapper's return value is reported with send().
// NOTE(review): after the rekey step the file at file_path is presumably no longer
// protected by the original key. Confirm, then store and delete it accordingly.
send("open new db: " + open_function_caller(Memory.allocUtf8String(file_path), new_database_handle))
new_database_handle_point_to = new_database_handle.readPointer()
send("decrypt new db: " + key_function_caller(new_database_handle_point_to, original_password, key_length))
send("rekey new db: " + rekey_function_caller(new_database_handle_point_to, empty_password, key_length))
send("close new db: " + close_function_caller(new_database_handle_point_to, 0))
send("!!POS3.0: " + file_path)
}
}
改成
// Debugging variant of the condition, quoted without the rest of the block:
// `|| true` makes the branch run for every call, whatever dbName is.
// The key length and the raw key bytes are then logged for every call that
// reaches this point, so the console output must be handled as secret material
// and the switch set back to `|| false` after diagnosis.
if (dbName.replaceAll('/', '\\\\').split('\\\\').pop().toLowerCase() == 'Msg3.0.db'.toLowerCase() || true) {
should_show = true;
target_db = args[0];
// disable memory cache
//console.log("¦- db: " + args[0]);
// The third argument is read as a 32-bit integer and used below as the key length in bytes.
key_length = args[2].toInt32()
console.log("¦- nKey: " + key_length);
//console.log("¦- pkey: " + args[1]);
// Prints the raw key bytes, hex-encoded.
console.log("¦- *pkey: " + buf2hex(args[1].readByteArray(key_length)));
console.log("¦- dbName: " + name_function_caller(args[0], NULL).readUtf8String());
//console.log("¦- *pkey: " + buf2hex(Memory.readByteArray(new UInt64(args[1]), key_length)));
再跑一下试试
然后把 KernelUtil.dll 发一下
以及确定是在登录前就开始了hook?
(说起来第一条评论看错了,抱歉) 以及 干掉 qqprotect 试试 如何永久禁用“QQ安全防护进程(Q盾)”,同时QQ还可以正常启动? - 知乎用户的回答 - 知乎 https://www.zhihu.com/question/265963430/answer/2492603110
成功获取到key了,之前是因为我开始hook时已经登录了,没仔细看文档不好意思