using Newtonsoft.Json; using Newtonsoft.Json.Linq; using System; using System.Collections.Generic; using System.Diagnostics; using System.IO; using System.Linq; using System.Reflection.PortableExecutable; using System.Security.Cryptography; using System.Text; using System.Text.Json.Serialization; using System.Threading.Tasks; using System.Windows; using WechatBakTool.Model; using WechatBakTool.Pages; using WechatBakTool.ViewModel; namespace WechatBakTool.Helpers { public class DecryptionHelper { const long IV_SIZE = 16; const int HMAC_SHA1_SIZE = 20; const int KEY_SIZE = 32; const int AES_BLOCK_SIZE = 16; const int DEFAULT_ITER = 64000; const long DEFAULT_PAGESIZE = 4096; //4048数据 + 16IV + 20 HMAC + 12 const string SQLITE_HEADER = "SQLite format 3"; public static byte[]? GetWechatKey(string pid, int find_key_type, string account) { Process process = Process.GetProcessById(int.Parse(pid)); ProcessModule? module = ProcessHelper.FindProcessModule(process.Id, "WeChatWin.dll"); if (module == null) { return null; } string? version = module.FileVersionInfo.FileVersion; if (version == null) { return null; } if (find_key_type == 1) { List? info = null; string json = File.ReadAllText("version.json"); info = JsonConvert.DeserializeObject?>(json); if (info == null) return null; if (info.Count == 0) return null; VersionInfo? cur = info.Find(x => x.Version == version); if (cur == null) return null; //这里加的是版本偏移量，兼容不同版本把这个加给改了 long baseAddress = (long)module.BaseAddress + cur.BaseAddr; byte[]? bytes = ProcessHelper.ReadMemoryDate(process.Handle, (IntPtr)baseAddress, 8); if (bytes != null) { IntPtr baseAddress2 = (IntPtr)(((long)bytes[7] << 56) + ((long)bytes[6] << 48) + ((long)bytes[5] << 40) + ((long)bytes[4] << 32) + ((long)bytes[3] << 24) + ((long)bytes[2] << 16) + ((long)bytes[1] << 8) + (long)bytes[0]); byte[]? twoGet = ProcessHelper.ReadMemoryDate(process.Handle, baseAddress2, 32); if (twoGet != null) { string key = BytesToHex(twoGet); return twoGet; } } } else if(find_key_type == 2) { List read = ProcessHelper.FindProcessMemory(process.Handle, module, account); if (read.Count >= 2) { byte[] buffer = new byte[8]; int key_offset = read[1] - 64; if (NativeAPI.ReadProcessMemory(process.Handle, module.BaseAddress + key_offset, buffer, buffer.Length, out _)) { ulong addr = BitConverter.ToUInt64(buffer, 0); byte[] key_bytes = new byte[32]; if (NativeAPI.ReadProcessMemory(process.Handle, (IntPtr)addr, key_bytes, key_bytes.Length, out _)) { return key_bytes; } } } } else if (find_key_type == 3) { string searchString = "-----BEGIN PUBLIC KEY-----"; List addr = NativeAPIHelper.SearchProcessAllMemory(process, searchString); if (addr.Count > 0) { foreach (long a in addr) { byte[] buffer = new byte[module.ModuleMemorySize]; byte[] search = BitConverter.GetBytes(a); Array.Resize(ref search, 8); int read = 0; List offset = new List(); if (NativeAPI.ReadProcessMemory(process.Handle, module.BaseAddress, buffer, buffer.Length, out read)) { for (int i = 0; i < buffer.Length - 1; i++) { if (buffer[i] == search[0]) { for (int s = 1; s < search.Length; s++) { if (buffer[i + s] != search[s]) break; if (s == search.Length - 1) { long iii = (long)module.BaseAddress + i - 0xd8; byte[] key = new byte[8]; if (NativeAPI.ReadProcessMemory(process.Handle, new IntPtr(iii), key, key.Length, out _)) { ulong key_addr = BitConverter.ToUInt64(key, 0); byte[] key_bytes = new byte[32]; NativeAPI.ReadProcessMemory(process.Handle, (IntPtr)key_addr, key_bytes, key_bytes.Length, out _); string key1 = BitConverter.ToString(key_bytes, 0); return key_bytes; } } } } } } } } else { throw new Exception("搜索不到微信账号，请确认用户名是否正确，如错误请重新新建工作区，务必确认账号是否正确"); } } return null; } public static string GetMD5(string text) { MD5 md5 = MD5.Create(); byte[] bs = Encoding.UTF8.GetBytes(text); byte[] hs = md5.ComputeHash(bs); StringBuilder sb = new StringBuilder(); foreach(byte b in hs) { sb.Append(b.ToString("x2")); } return sb.ToString(); } public static void DecryptDB(string file, string to_file, byte[] password_bytes) { //数据库头16字节是盐值 byte[] salt_key = new byte[16]; FileStream fileStream = new FileStream(file, FileMode.Open, FileAccess.Read); fileStream.Read(salt_key, 0, 16); //HMAC验证时用的盐值需要亦或0x3a byte[] hmac_salt = new byte[16]; for (int i = 0; i < salt_key.Length; i++) { hmac_salt[i] = (byte)(salt_key[i] ^ 0x3a); } //计算保留段长度 long reserved = IV_SIZE; reserved += HMAC_SHA1_SIZE; reserved = ((reserved % AES_BLOCK_SIZE) == 0) ? reserved : ((reserved / AES_BLOCK_SIZE) + 1) * AES_BLOCK_SIZE; //密钥扩展，分别对应AES解密密钥和HMAC验证密钥 byte[] key = new byte[KEY_SIZE]; byte[] hmac_key = new byte[KEY_SIZE]; OpenSSLInterop.PKCS5_PBKDF2_HMAC_SHA1(password_bytes, password_bytes.Length, salt_key, salt_key.Length, DEFAULT_ITER, key.Length, key); OpenSSLInterop.PKCS5_PBKDF2_HMAC_SHA1(key, key.Length, hmac_salt, hmac_salt.Length, 2, hmac_key.Length, hmac_key); long page_no = 0; long offset = 16; Console.WriteLine("开始解密..."); var hmac_sha1 = HMAC.Create("HMACSHA1"); hmac_sha1!.Key = hmac_key; List decrypted_file_bytes = new List(); FileStream tofileStream = new FileStream(to_file, FileMode.OpenOrCreate, FileAccess.Write); using (fileStream) { try { // 当前分页小于计算分页数 while (page_no < fileStream.Length / DEFAULT_PAGESIZE) { // 读内容 byte[] decryped_page_bytes = new byte[DEFAULT_PAGESIZE]; byte[] going_to_hashed = new byte[DEFAULT_PAGESIZE - reserved - offset + IV_SIZE + 4]; fileStream.Seek((page_no * DEFAULT_PAGESIZE) + offset, SeekOrigin.Begin); fileStream.Read(going_to_hashed, 0, Convert.ToInt32(DEFAULT_PAGESIZE - reserved - offset + IV_SIZE)); // 分页标志 var page_bytes = BitConverter.GetBytes(page_no + 1); page_bytes = page_bytes.Take(4).ToArray(); page_bytes.CopyTo(going_to_hashed, DEFAULT_PAGESIZE - reserved - offset + IV_SIZE); var hash_mac_compute = hmac_sha1.ComputeHash(going_to_hashed, 0, going_to_hashed.Length); // 取分页hash byte[] hash_mac_cached = new byte[hash_mac_compute.Length]; fileStream.Seek((page_no * DEFAULT_PAGESIZE) + DEFAULT_PAGESIZE - reserved + IV_SIZE, SeekOrigin.Begin); fileStream.Read(hash_mac_cached, 0, hash_mac_compute.Length); if (!hash_mac_compute.SequenceEqual(hash_mac_cached) && page_no == 0) { Console.WriteLine("Hash错误..."); return; } else { if (page_no == 0) { var header_bytes = Encoding.ASCII.GetBytes(SQLITE_HEADER); header_bytes.CopyTo(decryped_page_bytes, 0); } // 加密内容 byte[] page_content = new byte[DEFAULT_PAGESIZE - reserved - offset]; fileStream.Seek((page_no * DEFAULT_PAGESIZE) + offset, SeekOrigin.Begin); fileStream.Read(page_content, 0, Convert.ToInt32(DEFAULT_PAGESIZE - reserved - offset)); // iv byte[] iv = new byte[16]; fileStream.Seek((page_no * DEFAULT_PAGESIZE) + (DEFAULT_PAGESIZE - reserved), SeekOrigin.Begin); fileStream.Read(iv, 0, 16); var decrypted_content = AESDecrypt(page_content, key, iv); decrypted_content.CopyTo(decryped_page_bytes, offset); // 保留 byte[] reserved_byte = new byte[reserved]; fileStream.Seek((page_no * DEFAULT_PAGESIZE) + DEFAULT_PAGESIZE - reserved, SeekOrigin.Begin); fileStream.Read(reserved_byte, 0, Convert.ToInt32(reserved)); reserved_byte.CopyTo(decryped_page_bytes, DEFAULT_PAGESIZE - reserved); tofileStream.Write(decryped_page_bytes, 0, decryped_page_bytes.Length); } page_no++; offset = 0; } }catch(Exception ex) { File.AppendAllText("err.log", "page=>" + page_no.ToString() + "\r\n"); File.AppendAllText("err.log", "size=>" + fileStream.Length.ToString() + "\r\n"); File.AppendAllText("err.log", "postion=>" + ((page_no * DEFAULT_PAGESIZE) + offset).ToString() + "\r\n"); File.AppendAllText("err.log", ex.ToString() + "\r\n"); } } /* * 旧版解密 while (page_no < fileStream.Length / DEFAULT_PAGESIZE) { byte[] decryped_page_bytes = new byte[DEFAULT_PAGESIZE]; byte[] going_to_hashed = new byte[DEFAULT_PAGESIZE - reserved - offset + IV_SIZE + 4]; db_file_bytes.Skip((page_no * DEFAULT_PAGESIZE) + offset).Take(DEFAULT_PAGESIZE - reserved - offset + IV_SIZE).ToArray().CopyTo(going_to_hashed, 0); var page_bytes = BitConverter.GetBytes(page_no + 1); page_bytes.CopyTo(going_to_hashed, DEFAULT_PAGESIZE - reserved - offset + IV_SIZE); //计算分页的Hash var hash_mac_compute = hmac_sha1.ComputeHash(going_to_hashed, 0, going_to_hashed.Length); var hash_mac_cached = db_file_bytes.Skip((page_no * DEFAULT_PAGESIZE) + DEFAULT_PAGESIZE - reserved + IV_SIZE).Take(hash_mac_compute.Length).ToArray(); //对比两个Hash if (!hash_mac_compute.SequenceEqual(hash_mac_cached)) { Console.WriteLine("Hash错误..."); return decrypted_file_bytes.ToArray(); } else { Console.WriteLine($"解密第[{page_no + 1}]页"); if (page_no == 0) { var header_bytes = Encoding.ASCII.GetBytes(SQLITE_HEADER); header_bytes.CopyTo(decryped_page_bytes, 0); } var encrypted_content = db_file_bytes.Skip((page_no * DEFAULT_PAGESIZE) + offset).Take(DEFAULT_PAGESIZE - reserved - offset).ToArray(); var iv = db_file_bytes.Skip((page_no * DEFAULT_PAGESIZE) + (DEFAULT_PAGESIZE - reserved)).Take(16).ToArray(); var decrypted_content = DecryptionHelper.AESDecrypt(encrypted_content, key, iv); decrypted_content.CopyTo(decryped_page_bytes, offset); var reserved_bytes = db_file_bytes.Skip((page_no * DEFAULT_PAGESIZE) + DEFAULT_PAGESIZE - reserved).Take(reserved).ToArray(); reserved_bytes.CopyTo(decryped_page_bytes, DEFAULT_PAGESIZE - reserved); } page_no++; offset = 0; foreach (var item in decryped_page_bytes) { decrypted_file_bytes.Add(item); } }*/ tofileStream.Close(); tofileStream.Dispose(); } public static byte[] AESDecrypt(byte[] content, byte[] key, byte[] iv) { Aes rijndaelCipher = Aes.Create(); rijndaelCipher.Mode = CipherMode.CBC; rijndaelCipher.Padding = PaddingMode.None; rijndaelCipher.KeySize = 256; rijndaelCipher.BlockSize = 128; rijndaelCipher.Key = key; rijndaelCipher.IV = iv; ICryptoTransform transform = rijndaelCipher.CreateDecryptor(); byte[] plain_bytes = transform.TransformFinalBlock(content, 0, content.Length); return plain_bytes; } private static string BytesToHex(byte[] bytes) { return BitConverter.ToString(bytes, 0).Replace("-", string.Empty).ToLower().ToUpper(); } private readonly static List ImgHeader = new List() { new byte[] { 0xFF, 0xD8 },//JPG new byte[] { 0x89, 0x50 },//PNG new byte[] { 0x42, 0x4D },//BMP new byte[] { 0x47, 0x49 },//GIF new byte[] { 0x49, 0x49 },//TIF new byte[] { 0x4D, 0x4D },//TIF }; public static byte[] DecImage(string source) { //读取数据 byte[] fileBytes = File.ReadAllBytes(source); //算差异转换 foreach (byte[] b in ImgHeader) { byte t = (byte)(fileBytes[0] ^ b[0]); byte[] decData = fileBytes.Select(b => (byte)(b ^ t)).ToArray(); if (b[1] != decData[1]) continue; else { return decData; } } return new byte[0]; } public static string CheckFileType(byte[] data) { if (data[0] == 0xFF && data[1] == 0xD8) return ".jpg"; else if (data[0] == 0x89 && data[1] == 0x50) return ".png"; else if (data[0] == 0x42 && data[1] == 0X4D) return ".bmp"; else if (data[0] == 0x47 && data[1] == 0x49) return ".gif"; else if (data[0] == 0x49 && data[1] == 0x49) return ".tif"; else if (data[0] == 0x4D && data[1] == 0x4D) return ".tif"; else return ".dat"; } public static string SaveDecImage(byte[] fileRaw,string source,string to_dir,string type) { FileInfo fileInfo = new FileInfo(source); string fileName = fileInfo.Name.Substring(0, fileInfo.Name.Length - 4); string saveFilePath = Path.Combine(to_dir, fileName + type); using (FileStream fileStream = File.OpenWrite(saveFilePath)) { fileStream.Write(fileRaw, 0, fileRaw.Length); fileStream.Flush(); } return saveFilePath; } public static void DecryUserData(byte[] key, string source, string to,CreateWorkViewModel viewModel) { string dbPath = source; string decPath = to; if (!Directory.Exists(decPath)) Directory.CreateDirectory(decPath); string[] filePath = Directory.GetFiles(dbPath); foreach (string file in filePath) { FileInfo info = new FileInfo(file); viewModel.LabelStatus = "正在解密" + info.Name; string to_file = Path.Combine(decPath, info.Name); DecryptDB(file,to_file, key); } } } }