Key points of "Android Reverse Engineering 2: Elegantly Intercepting the sqlcipher sqlite Database Password":
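When you reverse engineer a ** app, analyzing its data storage structure definitely pays off.
Below I share how I hooked the WeChat sqlite password.
Prerequisites
1: Know how to hook with the Xposed framework or the Cydia framework
2: The jadx tool (used to locate and analyze the code)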
import android.util.Log;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage;

// Method of the hook class. TAG, EnMicroMsgSQLiteDatabaseObject and
// PluginsConfigWechatSqlite are referenced here but not shown on this page.
static public void wechatOpenDatabase(String wechatVersionName, final XC_LoadPackage.LoadPackageParam lpparam) {
    /**
     * Main entry point that creates the SQLiteDatabase.
     * // Note that the 3rd parameter is the sqlite password
     public static SQLiteDatabase openDatabase(String paramString1, LockedDevice paramLockedDevice, String paramString2, Arithmetic paramArithmetic, CursorFactory paramCursorFactory, int paramInt1, DatabaseErrorHandler paramDatabaseErrorHandler, boolean paramBoolean, int paramInt2)
     {
     SQLiteDatabase localSQLiteDatabase = new SQLiteDatabase(paramString1, paramInt1, paramCursorFactory, paramDatabaseErrorHandler);
     localSQLiteDatabase.open(paramLockedDevice, paramString2, paramArithmetic, paramBoolean, paramInt2);
     return localSQLiteDatabase;
     }
     */
    try {
        // The type of the password parameter differs between WeChat versions.
        Class<?> passwordArgClass;
        if (wechatVersionName.equals("6.3.13.56_r238e8af")) {
            passwordArgClass = String.class;
        } else {
            passwordArgClass = byte[].class;
        }
        XposedHelpers.findAndHookMethod(PluginsConfigWechatSqlite.WECHAT_SQLiteDatabase_CLASSE, lpparam.classLoader, "openDatabase",
                String.class, // full path of the sqlite database file, e.g. /data/data/com.tencent.mm/MicroMsg/71daf7e10a38aa48ee8bad199dde232a/EnMicroMsg.db
                lpparam.classLoader.loadClass(PluginsConfigWechatSqlite.WECHAT_SQLiteDatabase_CLASSE + "$LockedDevice"),
                passwordArgClass, // String.class in version 6.3.13, byte[].class in 6.3.31; the sqlite database password, e.g. 21e8906
                lpparam.classLoader.loadClass(PluginsConfigWechatSqlite.WECHAT_SQLiteDatabase_CLASSE + "$Arithmetic"),
                lpparam.classLoader.loadClass(PluginsConfigWechatSqlite.WECHAT_SQLiteDatabase_CLASSE + "$CursorFactory"),
                int.class,
                lpparam.classLoader.loadClass(PluginsConfigWechatSqlite.WECHAT_SQLiteDatabase_3Level_CLASSE + ".DatabaseErrorHandler"),
                boolean.class,
                int.class,
                new XC_MethodHook() {
                    @Override
                    protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                        super.afterHookedMethod(param);
                        String strSqliteDatabaseFilePath = (String) param.args[0];
                        //if (strSqliteDatabaseFilePath.endsWith("EnMicroMsg.db") && EnMicroMsgSQLiteDatabaseObject == null) { // get the SQLiteDatabase for EnMicroMsg
                        if (strSqliteDatabaseFilePath.endsWith("EnMicroMsg.db")) { // get the SQLiteDatabase for EnMicroMsg
                            EnMicroMsgSQLiteDatabaseObject = param.getResult();
                            System.out.println("SQLiteDatabaseObject的類名:" + EnMicroMsgSQLiteDatabaseObject.getClass().getName());
                        }
                    }

                    @Override
                    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                        //SQLiteDatabase db = SQLiteDatabase openDatabase(String path, SQLiteDatabase.CursorFactory factory, int flags)
                        // Decode the password argument whether it arrives as byte[] or String.
                        String mm = "";
                        if (param.args[2] != null) {
                            String str = param.args[2].getClass().getName();
                            if (str.equals("[B")) {
                                byte[] mmbytes = (byte[]) param.args[2];
                                mm = new String(mmbytes, "UTF-8");
                            } else if (str.equals("java.lang.String")) {
                                mm = "" + param.args[2];
                            }
                        }
                        //Log.i(TAG, "openDatabase String argument 0, sqlite full path and password: " + param.args[0] + " sqlite password argument: " + param.args[2].toString());
                        Log.i(TAG, "openDatabase String 0參數sqlite全路徑和暗碼: " + param.args[0] + "參數sqlite暗碼:" + mm);
                    }
                });
    } catch (ClassNotFoundException e) {
        e.printStackTrace();
    }
}
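Seen from the app being hooked, a call dispatched through Xposed or Substrate carries the framework's frames on its call stack, which the app can check before it handles the database key. The following is an added example, not code from the original article; the class name HookFrameCheck, the com.example names and the sample trace are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;

/** Added example: flags stack frames that belong to a method-hooking framework. */
public class HookFrameCheck {
    // Package prefixes of the two frameworks the article names
    // (the Xposed bridge and the Cydia Substrate Java API).
    private static final String[] HOOK_PREFIXES = {
        "de.robv.android.xposed.",
        "com.saurik.substrate."
    };

    /** Returns the frames in the trace whose class belongs to a known hook framework. */
    static List<StackTraceElement> findHookFrames(StackTraceElement[] trace) {
        List<StackTraceElement> hits = new ArrayList<>();
        for (StackTraceElement frame : trace) {
            for (String prefix : HOOK_PREFIXES) {
                if (frame.getClassName().startsWith(prefix)) {
                    hits.add(frame);
                    break; // one match per frame is enough
                }
            }
        }
        return hits;
    }

    /** Call at the top of the method that receives the key; true means a hook dispatched the call. */
    static boolean calledThroughHook() {
        return !findHookFrames(Thread.currentThread().getStackTrace()).isEmpty();
    }

    public static void main(String[] args) {
        // Constructed sample: the stack as seen from inside a hooked openDatabase call.
        // A line number of -2 marks a native method in StackTraceElement.
        StackTraceElement[] hooked = {
            new StackTraceElement("com.example.db.KeyedDatabase", "openDatabase", "KeyedDatabase.java", 42),
            new StackTraceElement("de.robv.android.xposed.XposedBridge", "invokeOriginalMethodNative", "XposedBridge.java", -2),
            new StackTraceElement("de.robv.android.xposed.XposedBridge", "handleHookedMethod", "XposedBridge.java", 360),
            new StackTraceElement("com.example.app.Main", "onCreate", "Main.java", 17)
        };
        for (StackTraceElement frame : findHookFrames(hooked)) {
            System.out.println("hook frame: " + frame);
        }
        System.out.println("current call hooked: " + calledThroughHook());
    }
}
```

A framework that controls the process can also hook this check, so treat a hit as a detection signal rather than a guarantee.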
Analysis with the jadx tool locates the target in com.tencent.mmdb.database.SQLiteDatabase
After launching **, the databases found to be opened at the same time when WeChat starts are