dylanljones / pyrekordbox

Unofficial Python package for interacting with the database and other files (XML, ANLZ, MySettings) of Pioneer's Rekordbox DJ software
https://pyrekordbox.readthedocs.io/en/latest/
MIT License

Alternative method for capturing database key #89

Closed gsuberland closed 1 year ago

gsuberland commented 1 year ago

Here's a backup method for getting the database key, which might be worth documenting:

  1. Download x64dbg and run it.
  2. Options -> Preferences. Make sure "Entry Breakpoint" is set in the Events tab.
  3. File -> Open... rekordbox.exe (the main application executable)
  4. Look at the status bar. It should have a yellow "Paused" icon followed by some status text. Right now it should say "System breakpoint reached!"
  5. Hit F9 or press the Run button in the top bar. The status text should change to "INT3 breakpoint 'entry breakpoint' at ".
  6. Click in the disassembly window, then press Ctrl+G to open the Go To Expression box, and search for sqlite3_key_v2 and press OK. This should jump you to the code for that function, which typically starts with mov dword ptr ss:[rsp+xx], r9d or similar.
  7. Without clicking anywhere on the disassembly window, press F2 to toggle breakpoint. The top instruction's address should turn red.
  8. Hit F9 or press the Run button in the top bar. The status text will start changing a bunch, while the program starts up. Wait until the status bar goes back to "Paused" in yellow. If the status text says something like "First chance exception on..." press F9 again.
  9. The status bar should go to "Paused" in yellow again, this time with status text that says "INT3 breakpoint at ". This means our breakpoint has been hit.
  10. Click the register panel (top right, where RAX, RBX, RCX, etc. are listed) so it updates. Right click the red address next to R8, and click "Follow in dump".
  11. The dump at the bottom left will move to that address. Right click the dump panel and select Text -> ASCII at the bottom. You should now see the key as a string. You can drag-select it, then right click to copy selected line.
  12. Go to Debug -> Close to close the process, then close x64dbg.


This is pretty much guaranteed to work regardless of what they do with future upgrades, since you're breakpointing the function that sets the key when the database opens, and the API interface is set by the makers of sqlcipher so it won't change.

gsuberland commented 1 year ago

As a side note, I attempted to automate this procedure using a proxy DLL, i.e. a DLL that replaces sqlite3.dll and calls out to the real sqlite3.dll while grabbing register values, but was unsuccessful. The program launched OK but for some reason the database just ended up corrupted.

There's an alternative way to automate this using a more targeted runtime hook, but I don't have the time to write it at the moment. I'll investigate at a later date.