ZenHAX


All times are UTC




Post subject: x32dbg and data extract
Posted: Fri Sep 13, 2019 1:13 pm

Joined: Wed Sep 11, 2019 2:28 am
Posts: 3
Hello,

I'm not sure that I'm in the right forum to post this, but feel free to move it if I'm not.

I'm starting to play with x32dbg and I want to extract a sqlite3 from the memory. For now, I'm stuck with the breakpoint (see screenshot).

What can be my approach to it? I've tried to dump the memory but no luck on it, can't find the SQLite occurrence or the header.

Thanks!


Attachments:
img.jpg [295.55 KiB]
   
Posted: Fri Sep 13, 2019 7:04 pm

Joined: Sat Dec 27, 2014 8:49 pm
Posts: 134
Memory wise there is nothing to dump yet based on that screenshot. You are only breaking on the formatting of the string to build the path to the database. You need to step further into the function to where it is actually loading the database/decrypting it.

_________________
My personal site: http://atom0s.com
   
Posted: Sat Sep 14, 2019 4:30 am

Joined: Wed Sep 11, 2019 2:28 am
Posts: 3
Thanks, I have found a POPAD next to the process. It seems to be the database. The memory dump returns table name strings without data. The top of the file starts with game\db\compact.sqlite3.

Am I at the right place?

EDIT: found the instruction with the good header, but how can I extract the database correctly? I mean, when I dump the memory, garbage comes too, and tools like volatility seem not to be able to extract the database.


Attachments:
db.jpg [425.71 KiB]
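
Added example, not part of the original posts: one way to cut the trailing garbage from a raw memory dump is to read the exact file length from the SQLite header (page size at offset 16, page count at offset 28) and carve only that many bytes. It assumes a plaintext database image stored contiguously in the dump and does not reassemble pages scattered across separate allocations; the function names and the sample dump are constructed for this illustration.

```python
import os, sqlite3, struct, tempfile

MAGIC = b"SQLite format 3\x00"   # first 16 bytes of every plaintext SQLite 3 file

def parse_header(buf, off):
    """Return (page_size, page_count) for a plausible header at off, else None."""
    hdr = buf[off:off + 100]                       # the file header is 100 bytes
    if len(hdr) < 100 or hdr[21:24] != b"\x40\x20\x20":   # fixed payload fractions
        return None
    page_size, = struct.unpack_from(">H", hdr, 16)
    page_size = 65536 if page_size == 1 else page_size    # 1 encodes 65536
    if page_size < 512 or page_size & (page_size - 1):    # power of two, >= 512
        return None
    change_counter, page_count = struct.unpack_from(">II", hdr, 24)
    version_valid_for, = struct.unpack_from(">I", hdr, 92)
    # The in-header page count is only valid if non-zero and these two match.
    if page_count == 0 or change_counter != version_valid_for:
        return None
    return page_size, page_count

def carve(dump):
    """Return [(offset, image, complete)] for each plausible database in dump."""
    hits, pos = [], dump.find(MAGIC)
    while pos != -1:
        info = parse_header(dump, pos)
        if info:
            size = info[0] * info[1]               # exact file length in bytes
            image = dump[pos:pos + size]
            hits.append((pos, image, len(image) == size))
        pos = dump.find(MAGIC, pos + 1)
    return hits

def build_sample_dump():
    """Constructed test data: a real small database between runs of junk bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.sqlite3")
        con = sqlite3.connect(path)
        con.execute("CREATE TABLE items(id INTEGER PRIMARY KEY, name TEXT)")
        con.executemany("INSERT INTO items(name) VALUES (?)", [("a",), ("b",)])
        con.commit()
        con.close()
        with open(path, "rb") as f:
            db = f.read()
    decoy = MAGIC + b"\x00" * 200                  # magic string, invalid header
    return b"\xcc" * 64 + decoy + db + b"\xcc" * 4096, db

if __name__ == "__main__":
    dump, db = build_sample_dump()
    for offset, image, complete in carve(dump):
        print(hex(offset), len(image), "complete" if complete else "truncated")
```

A hit flagged as truncated means the dump ended before the length the header declares, so the dumped region was too small.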
   
Posted: Sat Sep 14, 2019 7:47 pm

Joined: Sat Dec 27, 2014 8:49 pm
Posts: 134
Generally for SQLite databases you'd want to find where the call is to load the database and decode it via a password. For that you'd want to look for calls to the SQLite API, the ones generally of interest are:

- sqlite3_open - Used to open the database file.
- sqlite3_activate_see - Used to set the SEE features on the db. (You are working with CryEngine given the x2game/xlcommon/etc. module names. So this is generally used on their databases.)
- sqlite3_key - Sets the decryption key used to decrypt the data of the file. (This is mainly what you're interested in finding to get the key.)

Once you have the key you can create a decrypted copy of the database manually using the SQLite API in your own program using the following calls along with the ones I mentioned above:
- sqlite3_backup_init - Used to backup the encrypted database to the decrypted one.
- sqlite3_backup_step - Used to backup the encrypted database to the decrypted one.
- sqlite3_backup_finish - Used to backup the encrypted database to the decrypted one.
- sqlite3_rekey - Used to remove the encryption key from the database when saving the new copy.

That will allow you to copy the encrypted database to a decrypted one.

_________________
My personal site: http://atom0s.com
   
Posted: Sat Sep 14, 2019 9:11 pm

Joined: Wed Sep 11, 2019 2:28 am
Posts: 3
Hmmm, I can't find anything with sqlite3_* patterns in the modules you have mentioned. I don't know if it's a problem, but for now I only attach to the current process because otherwise I get a WinLicense error, probably linked to Themida. The problem is that xdbg does not hit my breakpoint, so it only breaks on a memory exception (a fatal one, because I'm not able to restart the debugger even with a range of ignored exceptions).

EDIT: will try with xAnalyzer to see if I can find more information.
EDIT2: is it possible that after the load they purge everything related to sqlite from the memory so I do not see anything?

