2025-02-24 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)05/31 Report--
Today I will talk to you about how to conduct WeChat forensics under Windows and macOS. Many people may not know much about it, so to help you understand it better, the editor has summarised the following contents for you. I hope you get something from this article.
WeChat forensics under Windows and macOS is demonstrated below.
Preparatory work
Wechat version: 2.6.x
Tool: the 52pojie (吾爱破解) special edition of OllyDbg (OD)
WeChat forensics under Windows
1. Get the WeChat chat database files
My path is:
C:\Users\free04k\Documents\WeChat Files\XXXX\Msg
2. Read the key from memory
A. Open OD first, then WeChat, and use OD to attach to the WeChat login process.
B. Click the File menu and select "Attach"; in the dialog that pops up, find the process named WeChat whose window title is "Login", then click Attach.
C. Select View > Executable modules.
D. Find the module named WeChatWin.dll and double-click to select it.
E. Select Plugins > Chinese search engine (中文搜索引擎) > Search ASCII.
F. Right-click in the window, choose Find, and enter "DBFactory::encryptDB" in the search box.
G. Double-click the result.
H. Set a breakpoint on the `test edx, edx` instruction.
I. Switch to the WeChat login page, click Login, then confirm the login on the phone.
At this point the data in the OllyDbg interface scrolls until EDX is no longer all zeros and the contents of the windows stop scrolling.
J. Right-click the value of EDX and select "Follow in Dump" (数据窗口中跟随) in the pop-up menu; the contents of EDX are displayed in the data window.
The xxxx in the path is the WeChat id whose data is to be decrypted; the contents of the directory are as follows:
To decrypt ChatMsg.db, enter the following in the command-line window and press Enter:
Dewechat ChatMsg.db
After decryption succeeds, de_ChatMsg.db is generated in the directory; it can be opened with SQLite database management software.
This can also be done under Windows and macOS.
WeChat forensics under macOS
1. Find the WeChat database file
~/Library/Containers/com.tencent.xinWeChat/Data/Library/Application Support/com.tencent.xinWeChat/XXX/XXX/Message
2. Read the key from memory
A. Open the Mac version of WeChat.
B. Open a terminal and enter: lldb -p $(pgrep WeChat)
This enters the lldb sub-shell.
C. Enter br set -n sqlite_key, then c.
D. Log in to WeChat; it will stop in the "logging in" interface.
E. Then enter at the terminal: memory read --size 1 --format x --count 32 $rsi
The output is the key: 32 bytes, i.e. a 64-character hex string.
3. Read the data
Use the Mac version of DB Browser for SQLite to read it.
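As an added example, not code from the original article or from the Dewechat tool: a stdlib-only Python check that converts the lldb dump from step E into a hex key and verifies a candidate key against page 1 of the database file before any decryption is attempted. It assumes, since the article does not say, that the file uses SQLCipher 3 defaults (4096-byte pages, 16-byte salt, PBKDF2-HMAC-SHA1 with 64000 iterations, HMAC-SHA1 in a 48-byte page reserve) and that lldb prints each line as `address: 0x.. 0x..`; a mismatch means either the key or those assumed parameters are wrong.

```python
"""Added example: verify an extracted WeChat key against a database file.
Assumed (not stated on the page): SQLCipher 3 defaults, i.e. 4096-byte pages,
16-byte salt in page 1, PBKDF2-HMAC-SHA1 (64000 iterations), 48-byte reserve."""
import hashlib
import hmac
import os
import re

PAGE_SIZE, SALT_LEN, RESERVE, KEY_LEN = 4096, 16, 48, 32
KDF_ITER, HMAC_ITER = 64000, 2


def parse_lldb_key(dump: str) -> str:
    """Turn 'memory read --size 1 --format x --count 32 $rsi' output into hex.
    Assumed line shape: '0x600001c2dfa0: 0x1a 0x2b ...' (address, colon, bytes)."""
    hex_bytes = []
    for line in dump.splitlines():
        _, _, rest = line.partition(":")          # drop the address column
        hex_bytes += [b[2:] for b in re.findall(r"0x[0-9a-fA-F]{2}\b", rest)]
    return "".join(hex_bytes).lower()


def derive_keys(raw_key: bytes, salt: bytes):
    """Encryption key and HMAC key as SQLCipher 3 derives them from a raw key."""
    enc_key = hashlib.pbkdf2_hmac("sha1", raw_key, salt, KDF_ITER, KEY_LEN)
    mac_salt = bytes(b ^ 0x3A for b in salt)      # SQLCipher's HMAC salt mask
    mac_key = hashlib.pbkdf2_hmac("sha1", enc_key, mac_salt, HMAC_ITER, KEY_LEN)
    return enc_key, mac_key


def page_hmac(mac_key: bytes, body: bytes, page_no: int) -> bytes:
    h = hmac.new(mac_key, body, hashlib.sha1)
    h.update(page_no.to_bytes(4, "little"))       # page number is appended last
    return h.digest()


def key_matches(db: bytes, key_hex: str) -> bool:
    """True if the HMAC stored in page 1 verifies under key_hex."""
    if len(db) < PAGE_SIZE or len(key_hex) != 2 * KEY_LEN:
        return False
    _, mac_key = derive_keys(bytes.fromhex(key_hex), db[:SALT_LEN])
    mac_at = PAGE_SIZE - RESERVE + 16             # HMAC sits after the 16-byte IV
    body = db[SALT_LEN:mac_at]                    # ciphertext + IV
    return hmac.compare_digest(page_hmac(mac_key, body, 1), db[mac_at:mac_at + 20])


def build_sample_page(key_hex: str) -> bytes:
    """Constructed page 1 (random content, valid HMAC) for offline testing only."""
    salt, body = os.urandom(SALT_LEN), os.urandom(PAGE_SIZE - SALT_LEN - RESERVE + 16)
    _, mac_key = derive_keys(bytes.fromhex(key_hex), salt)
    return salt + body + page_hmac(mac_key, body, 1) + bytes(12)
```

Run key_matches on the first 4096 bytes of the real file with the key from parse_lldb_key; if it returns False, do not trust any decrypted output.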
After reading the above, do you have a better understanding of how to conduct WeChat forensics under Windows and macOS? If you want to know more, please follow the industry information channel; thank you for your support.