Keychain Database
Background
While reverse engineering and debugging iOS, I ran into the Keychain database,
so I collected the related material here.
Keychain Database
- Keychain
  - Chinese: 钥匙链
  - What it is: the store Apple uses on iOS and macOS to keep encryption keys and other security-related data
- The Keychain database on iOS
  - Location:
    /var/Keychains/keychain-2.db
  - Internal format:
    SQLite3
  - How to open it:
    - Tool on Mac:
      DB Browser for SQLite
      - Result
  - Functions for reading and writing the Keychain database
    - Write
      - SecItemAdd
    - Read
      - SecItemCopyMatching
    - Update
      - SecItemUpdate
    - Delete
      - SecItemDelete
  - Related documentation
Examples
Keychain reads and writes
WhatsApp contains a lot of code that reads and writes the Keychain:
- [Unresolved] iOS reverse engineering WhatsApp: -[WASignalCoordinator regenerateKeyStore]
- [Unresolved] iOS reverse engineering WhatsApp: -[WASignalKeyStore saveToKeychainIdentityKeypairData:registrationIdData:]
  - saves values such as IdentityKeypairData and registrationIdData into the Keychain database
  - and calls functions such as SecItemAdd and SecItemUpdate along the way
int __cdecl -[WASignalKeyStore saveToKeychainIdentityKeypairData:registrationIdData:](
    WASignalKeyStore *self, SEL a2, id inputIdentityKeypairData, id inputRegistrationIdData)
{
  ...
  if ( SecItemAdd_2494(baseKeychainQueryToAdd, addResult) )
  {
    ...
    saveResult = SecItemUpdate(newDictToAdd, addResult1);
    ...
Inputs and outputs of the SecItem-related code
In [Unresolved] iOS reverse engineering WhatsApp: -[WASignalKeyStore fetchFromKeychainIdentityKeypairData:registrationIdData:]:
Code:
IDA pseudocode:
queryRet1 = SecItemCopyMatching_24A0((CFDictionaryRef)baseKeychainQuery2, result);
Xcode assembly:
0x10ba8d3cc <+168>: bl 0x10bb064a0 ; symbol stub for: SecItemCopyMatching
0x10ba8d3d0 <+172>: mov x28, x0
Input arguments at this point:
(lldb) reg r x0 x1
x0 = 0x00000002816ee300
x1 = 0x000000016b2da558
(lldb) po 0x00000002816ee300
{
acct = Axolotl;
agrp = "group.net.whatsapp.WhatsApp.shared";
class = genp;
"r_Attributes" = 1;
svce = Axolotl;
}
(lldb) x/2gx 0x000000016b2da558
0x16b2da558: 0x0000000000000000 0x00000002827ddd70
Meaning of the fields:
- The class to fetch is kSecClassGenericPassword
- with these attributes:
  - kSecAttrService
  - kSecAttrAccount
  - kSecAttrAccessGroup
That is:
- class = genp
  - class = the class to access
  - value: genp = GENeric Password = kSecClassGenericPassword
- the three attributes of that class being matched:
  - acct = Axolotl;
    - acct = ACCounT = kSecAttrAccount
    - value: Axolotl
  - agrp = "group.net.whatsapp.WhatsApp.shared"
    - agrp = Access GRouP = kSecAttrAccessGroup
    - value: group.net.whatsapp.WhatsApp.shared
  - svce = Axolotl
    - svce = SerViCE = kSecAttrService
    - value: Axolotl
- added to the query afterwards:
  - "r_Attributes" = 1;
    - return the attribute values as a dictionary
  - "r_Data" = 1;
    - return the data as NSData
Output after running:
(lldb) reg r x0
x0 = 0x0000000000000000
(lldb) x/2gx 0x000000016b2da558
0x16b2da558: 0x00000002803a1800 0x00000002827ddd70
(lldb) po 0x00000002803a1800
{
accc = "<SecAccessControlRef: cku>";
acct = Axolotl;
agrp = "group.net.whatsapp.WhatsApp.shared";
cdat = "2023-10-19 03:12:17 +0000";
gena = {length = 4, bytes = 0x45534916};
mdat = "2023-10-19 03:12:17 +0000";
musr = {length = 0, bytes = 0x};
pdmn = cku;
persistref = {length = 0, bytes = 0x};
sha1 = {length = 20, bytes = 0xf77dab924958c4e14725ca4be09ee78d1a1e48c3};
svce = Axolotl;
sync = 0;
tomb = 0;
}
The data we were looking for earlier is in:
gena = {length = 4, bytes = 0x45534916};
- namely the hex value
  0x45534916
  == decimal 1163086102
This corresponds to the gena value in the genp table of the Keychain data:
the stored value is not the plaintext but the SHA1-hashed value.
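To tie the field explanation and the saveToKeychain pseudocode above together, here is an added Objective-C example (not WhatsApp's or Apple's code) that builds the same genp query, does the add-then-update step, and fetches with r_Attributes and r_Data set. It assumes an app entitled for the access group shown; the gena bytes and the payload are constructed.

```objectivec
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Base query: the same four keys lldb showed in x0 before SecItemCopyMatching (access group assumed entitled).
static NSMutableDictionary *AxolotlBaseQuery(void) {
    return [@{
        (__bridge id)kSecClass:           (__bridge id)kSecClassGenericPassword, // class = genp
        (__bridge id)kSecAttrService:     @"Axolotl",                            // svce
        (__bridge id)kSecAttrAccount:     @"Axolotl",                            // acct
        (__bridge id)kSecAttrAccessGroup: @"group.net.whatsapp.WhatsApp.shared", // agrp
    } mutableCopy];
}

// Add-or-update, the shape of the pseudocode: SecItemAdd first, SecItemUpdate if the item already exists.
static OSStatus SaveAxolotlItem(NSData *secret, NSData *generic) {
    NSMutableDictionary *add = AxolotlBaseQuery();
    add[(__bridge id)kSecValueData]   = secret;   // v_Data, stored encrypted by securityd
    add[(__bridge id)kSecAttrGeneric] = generic;  // gena, the 4-byte attribute seen in the dump
    OSStatus status = SecItemAdd((__bridge CFDictionaryRef)add, NULL);
    if (status == errSecDuplicateItem) {
        NSDictionary *changes = @{ (__bridge id)kSecValueData:   secret,
                                   (__bridge id)kSecAttrGeneric: generic };
        status = SecItemUpdate((__bridge CFDictionaryRef)AxolotlBaseQuery(),
                               (__bridge CFDictionaryRef)changes);
    }
    return status;
}

// Fetch with r_Attributes = 1 and r_Data = 1: the result is a dictionary with the attributes plus v_Data.
static NSDictionary *FetchAxolotlItem(OSStatus *status) {
    NSMutableDictionary *query = AxolotlBaseQuery();
    query[(__bridge id)kSecReturnAttributes] = @YES;  // r_Attributes
    query[(__bridge id)kSecReturnData]       = @YES;  // r_Data
    CFTypeRef result = NULL;
    *status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    return (*status == errSecSuccess) ? CFBridgingRelease(result) : nil;
}

int main(void) {
    @autoreleasepool {
        uint8_t genaBytes[] = {0x45, 0x53, 0x49, 0x16};  // constructed: the same four bytes as gena above
        NSData *gena = [NSData dataWithBytes:genaBytes length:sizeof(genaBytes)];
        NSData *payload = [@"constructed identity key bytes" dataUsingEncoding:NSUTF8StringEncoding];
        OSStatus st = SaveAxolotlItem(payload, gena);
        NSDictionary *item = FetchAxolotlItem(&st);
        NSLog(@"status=%d gena=%@ v_Data=%@", (int)st, item[(__bridge id)kSecAttrGeneric], item[(__bridge id)kSecValueData]);
    }
    return 0;
}
```

Without the keychain-access-groups entitlement for that group, SecItemAdd and SecItemCopyMatching return errSecMissingEntitlement (-34018) instead of touching the item.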
Appendix
Contents of the /var/Keychains directory
- Viewed via the ssh command line:
iPhone7-1331:/var/Keychains root# ls -lh
total 45M
drwxrwxr-x 29 _securityd wheel 928 Aug 22 2022 Analytics/
-rw------- 1 _securityd wheel 2 Nov 23 08:08 SOSAccountSettings.pb
drwx--x--x 6 _securityd wheel 192 Nov 28 09:27 SupplementalsAssets/
-rw------- 1 _securityd wheel 24K Oct 17 08:25 TrustStore.sqlite3
-rw------- 1 _securityd wheel 28K Oct 13 04:51 caissuercache.sqlite3
-rw------- 1 _securityd wheel 0 Jan 23 2022 com.apple.security.exception_reset_counter.plist
-rw-r--r-- 1 root wheel 80K Aug 17 2022 com.apple.security.keychain-defaultContext.TrustedPeersHelper.db
-rw-r--r-- 1 root wheel 32K Nov 21 10:21 com.apple.security.keychain-defaultContext.TrustedPeersHelper.db-shm
-rw-r--r-- 1 root wheel 2.6M Nov 27 22:21 com.apple.security.keychain-defaultContext.TrustedPeersHelper.db-wal
drwx--x--x 5 _securityd wheel 160 Nov 28 12:07 crls/
-rw------- 1 root wheel 17M Nov 28 10:51 keychain-2.db
-rw------- 1 _securityd wheel 32K Nov 21 10:21 keychain-2.db-shm
-rw------- 1 _securityd wheel 1.1M Nov 28 10:54 keychain-2.db-wal
-rw------- 1 _securityd wheel 17M Nov 28 08:19 keychain-2.db_orig
-r-------- 1 root wheel 1.2M Nov 27 13:44 keychain-ota-backup.plist
-rw------- 1 _securityd wheel 116K Nov 21 21:04 ocspcache.sqlite3
-rw------- 1 _securityd wheel 32K Nov 21 10:21 ocspcache.sqlite3-shm
-rw------- 1 _securityd wheel 2.2M Nov 28 11:48 ocspcache.sqlite3-wal
-rw------- 1 _securityd wheel 272K Oct 10 21:16 pinningrules.sqlite3
- Viewed in 爱思助手