github/WeChatMsg110
1
0
Fork 0
mirror of https://github.com/wtc86939209/WeChatMsg110.git synced 2026-05-18 10:10:40 +08:00
Code Issues Packages Projects Releases Wiki Activity

新增PC数据库解密

Browse Source
This commit is contained in:
shuaikangzhou
2023-11-12 21:51:33 +08:00
parent 20b4b91366
commit ff482fc5e1
20 changed files with 1347 additions and 69 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/decrypt/decrypt.py
+125
View File
@@ -0,0 +1,125 @@
import hashlib
import hmac
import os
from typing import Union, List
from Cryptodome.Cipher import AES
# from Crypto.Cipher import AES # 如果上面的导入失败,可以尝试使用这个
SQLITE_FILE_HEADER = "SQLite format 3\x00" # SQLite文件头
KEY_SIZE = 32
DEFAULT_PAGESIZE = 4096
DEFAULT_ITER = 64000
# 通过密钥解密数据库
def decrypt(key: str, db_path, out_path):
if not os.path.exists(db_path):
return f"[-] db_path:'{db_path}' File not found!"
if not os.path.exists(os.path.dirname(out_path)):
return f"[-] out_path:'{out_path}' File not found!"
if len(key) != 64:
return f"[-] key:'{key}' Error!"
password = bytes.fromhex(key.strip())
with open(db_path, "rb") as file:
blist = file.read()
salt = blist[:16]
byteKey = hashlib.pbkdf2_hmac("sha1", password, salt, DEFAULT_ITER, KEY_SIZE)
first = blist[16:DEFAULT_PAGESIZE]
mac_salt = bytes([(salt[i] ^ 58) for i in range(16)])
mac_key = hashlib.pbkdf2_hmac("sha1", byteKey, mac_salt, 2, KEY_SIZE)
hash_mac = hmac.new(mac_key, first[:-32], hashlib.sha1)
hash_mac.update(b'\x01\x00\x00\x00')
if hash_mac.digest() != first[-32:-12]:
return f"[-] Password Error! (key:'{key}'; db_path:'{db_path}'; out_path:'{out_path}' )"
newblist = [blist[i:i + DEFAULT_PAGESIZE] for i in range(DEFAULT_PAGESIZE, len(blist), DEFAULT_PAGESIZE)]
with open(out_path, "wb") as deFile:
deFile.write(SQLITE_FILE_HEADER.encode())
t = AES.new(byteKey, AES.MODE_CBC, first[-48:-32])
decrypted = t.decrypt(first[:-48])
deFile.write(decrypted)
deFile.write(first[-48:])
for i in newblist:
t = AES.new(byteKey, AES.MODE_CBC, i[-48:-32])
decrypted = t.decrypt(i[:-48])
deFile.write(decrypted)
deFile.write(i[-48:])
return [True, db_path, out_path, key]
def batch_decrypt(key: str, db_path: Union[str, List[str]], out_path: str):
if not isinstance(key, str) or not isinstance(out_path, str) or not os.path.exists(out_path) or len(key) != 64:
return f"[-] (key:'{key}' or out_path:'{out_path}') Error!"
process_list = []
if isinstance(db_path, str):
if not os.path.exists(db_path):
return f"[-] db_path:'{db_path}' not found!"
if os.path.isfile(db_path):
inpath = db_path
outpath = os.path.join(out_path, 'de_' + os.path.basename(db_path))
process_list.append([key, inpath, outpath])
elif os.path.isdir(db_path):
for root, dirs, files in os.walk(db_path):
for file in files:
inpath = os.path.join(root, file)
rel = os.path.relpath(root, db_path)
outpath = os.path.join(out_path, rel, 'de_' + file)
if not os.path.exists(os.path.dirname(outpath)):
os.makedirs(os.path.dirname(outpath))
process_list.append([key, inpath, outpath])
else:
return f"[-] db_path:'{db_path}' Error "
elif isinstance(db_path, list):
rt_path = os.path.commonprefix(db_path)
if not os.path.exists(rt_path):
rt_path = os.path.dirname(rt_path)
for inpath in db_path:
if not os.path.exists(inpath):
return f"[-] db_path:'{db_path}' not found!"
inpath = os.path.normpath(inpath)
rel = os.path.relpath(os.path.dirname(inpath), rt_path)
outpath = os.path.join(out_path, rel, 'de_' + os.path.basename(inpath))
if not os.path.exists(os.path.dirname(outpath)):
os.makedirs(os.path.dirname(outpath))
process_list.append([key, inpath, outpath])
else:
return f"[-] db_path:'{db_path}' Error "
result = []
for i in process_list:
result.append(decrypt(*i)) # 解密
# 删除空文件夹
for root, dirs, files in os.walk(out_path, topdown=False):
for dir in dirs:
if not os.listdir(os.path.join(root, dir)):
os.rmdir(os.path.join(root, dir))
return result
if __name__ == '__main__':
# 调用 decrypt 函数,并传入参数
key = "2aafab10af7940328bb92ac9d2a8ab5fc07a685646b14f2e9ae6948a7060c0fc"
db_path = "D:\Project\Python\PyWxDump\pywxdump\decrypted"
out_path = "test"
result = batch_decrypt(key, db_path, out_path)
for i in result:
if isinstance(i, str):
print(i)
else:
print(f'[+] "{i[1]}" -> "{i[2]}"')
app/decrypt/get_wx_info.py
+141
View File
@@ -0,0 +1,141 @@
# -*- coding: utf-8 -*-#
# -------------------------------------------------------------------------------
# Name: getwxinfo.py
# Description:
# Author: xaoyaoo
# Date: 2023/08/21
# -------------------------------------------------------------------------------
import argparse
import ctypes
import json
import psutil
from win32com.client import Dispatch
ReadProcessMemory = ctypes.windll.kernel32.ReadProcessMemory
void_p = ctypes.c_void_p
# 读取内存中的字符串(非key部分)
def get_info_without_key(h_process, address, n_size=64):
array = ctypes.create_string_buffer(n_size)
if ReadProcessMemory(h_process, void_p(address), array, n_size, 0) == 0: return "None"
array = bytes(array).split(b"\x00")[0] if b"\x00" in array else bytes(array)
text = array.decode('utf-8', errors='ignore')
return text.strip() if text.strip() != "" else "None"
def get_info_wxid(h_process, address, n_size=32, address_len=8):
array = ctypes.create_string_buffer(address_len)
if ReadProcessMemory(h_process, void_p(address), array, address_len, 0) == 0: return "None"
address = int.from_bytes(array, byteorder='little') # 逆序转换为int地址(key地址)
wxid = get_info_without_key(h_process, address, n_size)
if not wxid.startswith("wxid_"): wxid = "None"
return wxid
# 读取内存中的key
def get_key(h_process, address, address_len=8):
array = ctypes.create_string_buffer(address_len)
if ReadProcessMemory(h_process, void_p(address), array, address_len, 0) == 0: return "None"
address = int.from_bytes(array, byteorder='little') # 逆序转换为int地址(key地址)
key = ctypes.create_string_buffer(32)
if ReadProcessMemory(h_process, void_p(address), key, 32, 0) == 0: return "None"
key_string = bytes(key).hex()
return key_string
# 读取微信信息(account,mobile,name,mail,wxid,key)
def read_info(version_list):
wechat_process = []
result = []
for process in psutil.process_iter(['name', 'exe', 'pid', 'cmdline']):
if process.name() == 'WeChat.exe':
wechat_process.append(process)
if len(wechat_process) == 0:
return "[-] WeChat No Run"
for process in wechat_process:
tmp_rd = {}
tmp_rd['pid'] = process.pid
tmp_rd['version'] = Dispatch("Scripting.FileSystemObject").GetFileVersion(process.exe())
bias_list = version_list.get(tmp_rd['version'], None)
if not isinstance(bias_list, list):
return f"[-] WeChat Current Version {tmp_rd['version']} Is Not Supported"
wechat_base_address = 0
for module in process.memory_maps(grouped=False):
if module.path and 'WeChatWin.dll' in module.path:
wechat_base_address = int(module.addr, 16)
break
if wechat_base_address == 0:
return f"[-] WeChat WeChatWin.dll Not Found"
Handle = ctypes.windll.kernel32.OpenProcess(0x1F0FFF, False, process.pid)
name_baseaddr = wechat_base_address + bias_list[0]
account__baseaddr = wechat_base_address + bias_list[1]
mobile_baseaddr = wechat_base_address + bias_list[2]
mail_baseaddr = wechat_base_address + bias_list[3]
key_baseaddr = wechat_base_address + bias_list[4]
wxid_baseaddr = wechat_base_address + bias_list[5]
addrLen = 4 if tmp_rd['version'] in ["3.9.2.23", "3.9.2.26"] else 8
tmp_rd['account'] = get_info_without_key(Handle, account__baseaddr, 32) if bias_list[1] != 0 else "None"
tmp_rd['mobile'] = get_info_without_key(Handle, mobile_baseaddr, 64) if bias_list[2] != 0 else "None"
tmp_rd['name'] = get_info_without_key(Handle, name_baseaddr, 64) if bias_list[0] != 0 else "None"
tmp_rd['mail'] = get_info_without_key(Handle, mail_baseaddr, 64) if bias_list[3] != 0 else "None"
tmp_rd['wxid'] = get_info_wxid(Handle, wxid_baseaddr, 24, addrLen) if bias_list[5] != 0 else "None"
tmp_rd['key'] = get_key(Handle, key_baseaddr, addrLen) if bias_list[4] != 0 else "None"
result.append(tmp_rd)
return result
def get_info():
VERSION_LIST_PATH = "app/decrypt/version_list.json"
with open(VERSION_LIST_PATH, "r", encoding="utf-8") as f:
VERSION_LIST = json.load(f)
result = read_info(VERSION_LIST) # 读取微信信息
return result
if __name__ == "__main__":
parser = argparse.ArgumentParser()
parser.add_argument("--vlfile", type=str, help="手机号", required=False)
parser.add_argument("--vldict", type=str, help="微信昵称", required=False)
args = parser.parse_args()
# 读取微信各版本偏移
if args.vlfile:
VERSION_LIST_PATH = args.vlfile
with open(VERSION_LIST_PATH, "r", encoding="utf-8") as f:
VERSION_LIST = json.load(f)
if args.vldict:
VERSION_LIST = json.loads(args.vldict)
if not args.vlfile and not args.vldict:
VERSION_LIST_PATH = "./version_list.json"
with open(VERSION_LIST_PATH, "r", encoding="utf-8") as f:
VERSION_LIST = json.load(f)
result = read_info(VERSION_LIST) # 读取微信信息
print("=" * 32)
if isinstance(result, str): # 输出报错
print(result)
else: # 输出结果
for i, rlt in enumerate(result):
for k, v in rlt.items():
print(f"[+] {k:>7}: {v}")
print(end="-" * 32 + "\n" if i != len(result) - 1 else "")
print("=" * 32)
app/decrypt/version_list.json
+386
View File
@@ -0,0 +1,386 @@
{
"3.2.1.154": [
328121948,
328122328,
328123056,
328121976,
328123020,
0
],
"3.3.0.115": [
31323364,
31323744,
31324472,
31323392,
31324436,
0
],
"3.3.0.84": [
31315212,
31315592,
31316320,
31315240,
31316284,
0
],
"3.3.0.93": [
31323364,
31323744,
31324472,
31323392,
31324436,
0
],
"3.3.5.34": [
30603028,
30603408,
30604120,
30603056,
30604100,
0
],
"3.3.5.42": [
30603012,
30603392,
30604120,
30603040,
30604084,
0
],
"3.3.5.46": [
30578372,
30578752,
30579480,
30578400,
30579444,
0
],
"3.4.0.37": [
31608116,
31608496,
31609224,
31608144,
31609188,
0
],
"3.4.0.38": [
31604044,
31604424,
31605152,
31604072,
31605116,
0
],
"3.4.0.50": [
31688500,
31688880,
31689608,
31688528,
31689572,
0
],
"3.4.0.54": [
31700852,
31701248,
31700920,
31700880,
31701924,
0
],
"3.4.5.27": [
32133788,
32134168,
32134896,
32133816,
32134860,
0
],
"3.4.5.45": [
32147012,
32147392,
32147064,
32147040,
32148084,
0
],
"3.5.0.20": [
35494484,
35494864,
35494536,
35494512,
35495556,
0
],
"3.5.0.29": [
35507980,
35508360,
35508032,
35508008,
35509052,
0
],
"3.5.0.33": [
35512140,
35512520,
35512192,
35512168,
35513212,
0
],
"3.5.0.39": [
35516236,
35516616,
35516288,
35516264,
35517308,
0
],
"3.5.0.42": [
35512140,
35512520,
35512192,
35512168,
35513212,
0
],
"3.5.0.44": [
35510836,
35511216,
35510896,
35510864,
35511908,
0
],
"3.5.0.46": [
35506740,
35507120,
35506800,
35506768,
35507812,
0
],
"3.6.0.18": [
35842996,
35843376,
35843048,
35843024,
35844068,
0
],
"3.6.5.7": [
35864356,
35864736,
35864408,
35864384,
35865428,
0
],
"3.6.5.16": [
35909428,
35909808,
35909480,
35909456,
35910500,
0
],
"3.7.0.26": [
37105908,
37106288,
37105960,
37105936,
37106980,
0
],
"3.7.0.29": [
37105908,
37106288,
37105960,
37105936,
37106980,
0
],
"3.7.0.30": [
37118196,
37118576,
37118248,
37118224,
37119268,
0
],
"3.7.5.11": [
37883280,
37884088,
37883136,
37883008,
37884052,
0
],
"3.7.5.23": [
37895736,
37896544,
37895592,
37883008,
37896508,
0
],
"3.7.5.27": [
37895736,
37896544,
37895592,
37895464,
37896508,
0
],
"3.7.5.31": [
37903928,
37904736,
37903784,
37903656,
37904700,
0
],
"3.7.6.24": [
38978840,
38979648,
38978696,
38978604,
38979612,
0
],
"3.7.6.29": [
38986376,
38987184,
38986232,
38986104,
38987148,
0
],
"3.7.6.44": [
39016520,
39017328,
39016376,
38986104,
39017292,
0
],
"3.8.0.31": [
46064088,
46064912,
46063944,
38986104,
46064876,
0
],
"3.8.0.33": [
46059992,
46060816,
46059848,
38986104,
46060780,
0
],
"3.8.0.41": [
46064024,
46064848,
46063880,
38986104,
46064812,
0
],
"3.8.1.26": [
46409448,
46410272,
46409304,
38986104,
46410236,
0
],
"3.9.0.28": [
48418376,
48419280,
48418232,
38986104,
48419244,
0
],
"3.9.2.23": [
50320784,
50321712,
50320640,
38986104,
50321676,
50592864
],
"3.9.2.26": [
50329040,
50329968,
50328896,
38986104,
50329932,
0
],
"3.9.5.81": [
61650872,
61652208,
61650680,
0,
61652144,
0
],
"3.9.5.91": [
61654904,
61656240,
61654712,
38986104,
61656176,
61677112
],
"3.9.6.19": [
61997688,
61997464,
61997496,
38986104,
61998960,
0
],
"3.9.6.33": [
62030600,
62031936,
62030408,
0,
62031872,
0
],
"3.9.7.15": [
63482696,
63484032,
63482504,
0,
63483968,
0
],
"3.9.7.25": [
63482760,
63484096,
63482568,
0,
63484032,
0
],
"3.9.7.29": [
63486984,
63488320,
63486792,
0,
63488256,
63488352
],
"3.9.8.15": [
64996632,
64997968,
64996440,
0,
64997904,
65011632
]
}