CN104869170A - Decryption method for encrypted data file of UC browser - Google Patents


Info

Publication number
CN104869170A
Authority
CN
China
Prior art keywords
browser
data file
address
data
key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201510290861.2A
Other languages
Chinese (zh)
Other versions
CN104869170B (en)
Inventor
梁效宁
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
SICHUAN SALVATIONDATA INFORMATION SAFETY TECHNOLOGY Co Ltd
Original Assignee
SICHUAN SALVATIONDATA INFORMATION SAFETY TECHNOLOGY Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by SICHUAN SALVATIONDATA INFORMATION SAFETY TECHNOLOGY Co Ltd
Priority to CN201510290861.2A
Publication of CN104869170A
Application granted
Publication of CN104869170B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G06F21/6263 Protecting personal data, e.g. for financial or medical purposes during internet communication, e.g. revealing personal data from cookies
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/14 Session management
    • H04L67/146 Markers for unambiguous identification of a particular session, e.g. session cookie or URL-encoding

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Databases & Information Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Medical Informatics (AREA)
  • Telephone Function (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a decryption method for an encrypted data file of a UC browser, which belongs to the field of mobile phone forensics. The method comprises the following steps: S1. triggering an event through a series of operations, including UC browser event click, address access, request response, response acceptance, connection establishment and URL (Uniform Resource Locator) acceptance; S2. calling a function for storing a URL address and analyzing a key and an encryption mode at a key storage address field, wherein the key has eight bytes, namely 0x7e, 0x93, 0x73, 0xf1, 0x65, 0xc6, 0xd7 and 0x86, and the encryption mode is a cyclic XOR mode; and S3. carrying out a cyclic XOR operation on the eight bytes obtained in S2 and the data stored at the URL address. The beneficial effect of the decryption method is that information in the browser data, such as browser bookmarks and browsing history, can be parsed, which increases the completeness of mobile phone forensic data.

Description

Decryption method for encrypted data files of the UC browser
Technical field
The invention belongs to the field of mobile phone forensics, and specifically relates to a decryption method for encrypted data files of the UC browser.
Background
In recent years, smartphones have developed very rapidly thanks to features such as wireless Internet access, PDA (palmtop computer) functions, open operating systems, user-friendliness, powerful features and fast operation. According to the "2013-2017 China Smartphone Industry Market Demand Forecast and Investment Strategy Planning Analysis Report", in the first three quarters of 2012 the global number of smartphone users passed the one billion mark, whereas in the first three quarters of 2011 it was only about 700 million. The potential of the smartphone market is clearly enormous. Android, the smartphone operating system released by Google, stands out in this market: according to CNET, a report by the research firm Strategy Analytics for the third quarter of 2014 shows Android ranking first in the mobile operating system market with a market share of 83.6%. This shows how important smartphone forensics, and Android phone forensics in particular, is to the forensics field.
Android phone forensics mainly concerns extracting app data and recovering photos, video, audio and the like. Android app data is stored on the phone mainly as SQLite database files, plist files, XML files and some text files; the corresponding app data files can be pulled out with the ADB debugging tool and then analysed for forensic purposes.
UC browser is the mobile browser with the largest usage worldwide, and Android is the smartphone system with the highest market share today, so the size of the Android UC browser user base is self-evident. Traditional browsers record bookmarks and browsing history mainly in plaintext, whereas Android UC browser encrypts its core data files, such as the browser bookmark and browsing history files. On the one hand this gives user privacy more protection; on the other hand it increases the difficulty of electronic forensics work.
Summary of the invention
Addressing the deficiencies of the prior art, the present invention provides a method for parsing encrypted UC browser data files, which effectively solves the problem that data cannot be extracted from the encrypted core data files of the UC browser.
To solve the above problem, the technical solution adopted by the present invention is as follows: a decryption method for encrypted UC browser data files, comprising the following steps:
S1. Trigger the event through a series of UC browser operations: click event, address access, request response, response acceptance, connection establishment and URL acceptance;
S2. Call the function that stores the URL address, and resolve the key and the encryption mode in the key storage address range; the key is the eight bytes 0x7e, 0x93, 0x73, 0xf1, 0x65, 0xc6, 0xd7 and 0x86; the encryption mode is cyclic XOR;
S3. Perform a cyclic XOR of the eight bytes from S2 with the data stored at the URL address;
S4. Store the result of the operation in S3;
S5. Decrypt according to the encryption key and encryption mode from S2.
Preferably, the concrete method of S5 is as follows:
S51. Create a temporary storage address;
S52. Open the data file to be decrypted and store it at the temporary storage address from S51;
S53. Perform a cyclic XOR of the 8 resolved bytes with the data stored at the temporary storage address;
S54. Store the result of the cyclic XOR from S53;
S55. Write the result stored in S54 back to the original storage address of the data file to be decrypted.
Preferably, the data file to be decrypted in S52 is the browser bookmark file history.init.
Preferably, the data file to be decrypted in S52 is the browsing history file bookmarks.
The beneficial effects of the present invention are as follows: the present invention resolves the key and encryption mode of the encrypted file data by means of disassembly, and decrypts according to the resolved result. Information such as the browser bookmarks and browsing history stored in bookmark.init and history in the Android UC browser data can be successfully parsed, thereby increasing the completeness of mobile phone forensic data.
Brief description of the drawings
Fig. 1 is the overall flow diagram of the present invention.
Detailed description
To make the purpose, technical solution and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawing and an embodiment.
Analysis shows that on Android phones the files bookmarks.init and history.init under the directory "data/data/com.UCMobile/UCMobile/userdata" record the UC browser bookmarks and access history respectively, but both are stored in encrypted form and no decryption method has been published. This document provides the decryption method for these two data files.
A decryption method for encrypted Android browser data files comprises the following steps:
S1. Trigger the event through a series of UC browser operations: click event, address access, request response, response acceptance, connection establishment and URL acceptance;
S2. Call the function that stores the URL address, and resolve the key and the encryption mode in the key storage address range; the key is the eight bytes 0x7e, 0x93, 0x73, 0xf1, 0x65, 0xc6, 0xd7 and 0x86; the encryption mode is cyclic XOR;
S3. Perform a cyclic XOR of the eight bytes from S2 with the data stored at the URL address;
S4. Store the result of the operation in S3;
S5. Decrypt according to the encryption key and encryption mode from S2.
The concrete method of S5 is as follows:
S51. Create a temporary storage address;
S52. Open the data file to be decrypted and store it at the temporary storage address from S51;
S53. Perform a cyclic XOR of the 8 resolved bytes with the data stored at the temporary storage address;
S54. Store the result of the cyclic XOR from S53;
S55. Write the result stored in S54 back to the original storage address of the data file to be decrypted.
The data file to be decrypted in S52 is the history.init or bookmarks data file.
Embodiment:
Tools used: IDA Pro 6.1 software, adb.exe software, one test phone (with UC browser installed)
A. Connect the phone to the computer with a data cable and obtain root permission;
B. From the computer's console, grant execute permission to the file to be debugged: copy the android_server file from the IDA Pro software directory to the phone's /data/local/tmp directory and grant it execute permission. Entering the command adb shell /data/local/tmp/android_server then starts IDA Pro's Android debugging server, which listens on port 23946; enable port forwarding with the command adb forward tcp:23946 tcp:23946;
C. Once the path of the file to be debugged has been configured, disassembly debugging can begin;
D. The function that stores the URL address is called at address 0x40083F4B, and the key and encryption mode are resolved in the address range 0x40083F6C to 0x40083F74; the key is the eight bytes 0x7e, 0x93, 0x73, 0xf1, 0x65, 0xc6, 0xd7 and 0x86; the encryption mode is cyclic XOR;
E. Decrypt the history.init and bookmarks data files;
The concrete method is as follows:
S51. Create a temporary storage address;
S52. Open the data file to be decrypted and store it at the temporary storage address from S51;
S53. Perform a cyclic XOR of the 8 resolved bytes with the data stored at the temporary storage address;
S54. Store the result of the cyclic XOR from S53;
S55. Write the result stored in S54 back to the original storage address of the data file to be decrypted.
Relevant core code:
#include <stddef.h>
static const unsigned char ucpassword[8] = {0x7e, 0x93, 0x73, 0xf1, 0x65, 0xc6, 0xd7, 0x86}; // define the 8-byte key array
// buffer: address of the data file contents in memory; length: number of bytes
void xor_buffer(unsigned char *buffer, size_t length)
{
    size_t n = 0;
    for (size_t i = 0; i < length; i++)
    {
        unsigned int tempbuffer = (unsigned int)(*(buffer + i)); // create the temporary storage tempbuffer and fetch the original data
        n = i % 8; // select the key byte that takes part in the XOR
        tempbuffer = tempbuffer ^ ucpassword[n]; // perform the XOR and save the result
        *(buffer + i) = (unsigned char)tempbuffer; // write the XOR result back to the storage address of the original data file
    }
}
In the code above, buffer is the address of the memory space holding the original data file.
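Steps S51 to S55 applied to a whole file, as an added example (not code from the patent or its assignee). The names uc_xor_at, uc_decrypt_copy, uc_selftest and the sample file names are hypothetical, and unlike S55 the result is written to a separate output file so that the acquired file stays unchanged; the key index follows the absolute file offset so that chunked reads stay aligned with the 8-byte key.

```c
#include <stdio.h>
#include <string.h>

/* Key bytes as stated in step D of the description. */
static const unsigned char UC_KEY[8] = {0x7e, 0x93, 0x73, 0xf1, 0x65, 0xc6, 0xd7, 0x86};

/* XOR len bytes in place. offset is the absolute file offset of buf[0], so the
 * key index stays aligned when a file is processed in chunks (S53). */
static void uc_xor_at(unsigned char *buf, size_t len, unsigned long offset)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= UC_KEY[(offset + i) % 8];
}

/* Decrypt in_path into out_path, reading chunk bytes at a time (0 = buffer size).
 * Returns the number of bytes written, or -1 on error. Assumption of this
 * example: output goes to a new file instead of back over the input (S55). */
static long uc_decrypt_copy(const char *in_path, const char *out_path, size_t chunk)
{
    unsigned char buf[4096];                       /* temporary storage (S51) */
    unsigned long offset = 0;
    size_t got;
    int failed = 0;
    FILE *in, *out;
    if (chunk == 0 || chunk > sizeof buf) chunk = sizeof buf;
    if (strcmp(in_path, out_path) == 0) return -1;  /* refuse identical paths */
    if ((in = fopen(in_path, "rb")) == NULL) return -1;             /* S52 */
    if ((out = fopen(out_path, "wb")) == NULL) { fclose(in); return -1; }

    while ((got = fread(buf, 1, chunk, in)) > 0) {
        uc_xor_at(buf, got, offset);                                /* S53 */
        if (fwrite(buf, 1, got, out) != got) { failed = 1; break; } /* S54 */
        offset += got;
    }
    if (ferror(in)) failed = 1;
    fclose(in);
    if (fclose(out) != 0) failed = 1;
    return failed ? -1 : (long)offset;
}

/* Round trip on a constructed record (not real UC browser data): encrypt in
 * memory, decrypt via the file path with a chunk size that is not a multiple
 * of 8, and compare. Returns 0 on success. File names are hypothetical. */
static int uc_selftest(void)
{
    const char *plain = "constructed|http://example.test/page|title";
    unsigned char enc[64], dec[64];
    size_t n = strlen(plain), got;
    long written;
    FILE *f;
    memcpy(enc, plain, n);
    uc_xor_at(enc, n, 0);
    if ((f = fopen("uc_sample.enc", "wb")) == NULL) return -1;
    if (fwrite(enc, 1, n, f) != n) { fclose(f); return -1; }
    fclose(f);
    written = uc_decrypt_copy("uc_sample.enc", "uc_sample.dec", 5);
    if ((f = fopen("uc_sample.dec", "rb")) == NULL) return -1;
    got = fread(dec, 1, sizeof dec, f);
    fclose(f);
    remove("uc_sample.enc");
    remove("uc_sample.dec");
    return (written == (long)n && got == n && memcmp(dec, plain, n) == 0) ? 0 : 1;
}

int main(int argc, char **argv)
{
    return argc == 3 ? (uc_decrypt_copy(argv[1], argv[2], 0) < 0) : uc_selftest();
}
```

Run with an input and an output path to decrypt a copy of an acquired file; run without arguments to execute the round-trip check.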
Those of ordinary skill in the art will appreciate that the embodiment described here is intended to help the reader understand how the present invention is implemented, and that the scope of protection of the present invention is not limited to such specific statements and embodiments. Based on the technical teachings disclosed by the present invention, those of ordinary skill in the art can make various other specific variations and combinations that do not depart from the essence of the present invention, and these variations and combinations remain within the scope of protection of the present invention.

Claims (4)

1. A decryption method for encrypted UC browser data files, characterized by comprising the following steps:
S1. Trigger the event through a series of UC browser operations: click event, address access, request response, response acceptance, connection establishment and URL acceptance;
S2. Call the function that stores the URL address, and resolve the key and the encryption mode in the key storage address range; the key is the eight bytes 0x7e, 0x93, 0x73, 0xf1, 0x65, 0xc6, 0xd7 and 0x86; the encryption mode is cyclic XOR;
S3. Perform a cyclic XOR of the eight bytes from S2 with the data stored at the URL address;
S4. Store the result of the operation in S3;
S5. Decrypt according to the encryption key and encryption mode from S2.
2. The method according to claim 1, characterized in that the concrete method of S5 is as follows:
S51. Create a temporary storage address;
S52. Open the data file to be decrypted and store it at the temporary storage address from S51;
S53. Perform a cyclic XOR of the 8 resolved bytes with the data stored at the temporary storage address;
S54. Store the result of the cyclic XOR from S53;
S55. Write the result stored in S54 back to the original storage address of the data file to be decrypted.
3. The method according to claim 2, characterized in that the data file to be decrypted in S52 is the browser bookmark file history.init.
4. The method according to claim 2 or 3, characterized in that the data file to be decrypted in S52 is the browsing history file bookmarks.
CN201510290861.2A 2015-05-29 2015-05-29 Decryption method for encrypted data file of UC browser Active CN104869170B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510290861.2A CN104869170B (en) 2015-05-29 2015-05-29 Decryption method for encrypted data file of UC browser

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510290861.2A CN104869170B (en) 2015-05-29 2015-05-29 Decryption method for encrypted data file of UC browser

Publications (2)

Publication Number Publication Date
CN104869170A true CN104869170A (en) 2015-08-26
CN104869170B CN104869170B (en) 2018-11-13

Family

ID=53914687

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510290861.2A Active CN104869170B (en) 2015-05-29 2015-05-29 Decryption method for encrypted data file of UC browser

Country Status (1)

Country Link
CN (1) CN104869170B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106201925A (en) * 2016-07-01 2016-12-07 四川效率源信息安全技术股份有限公司 A kind of decryption method of western number hard disk
CN109871707A (en) * 2017-12-04 2019-06-11 广州市动景计算机科技有限公司 Method for secret protection and device calculate equipment and storage medium
CN113742752A (en) * 2021-09-13 2021-12-03 杭州安恒信息技术股份有限公司 Unified authentication method and device for interface docking, computer equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100058474A1 (en) * 2008-08-29 2010-03-04 Avg Technologies Cz, S.R.O. System and method for the detection of malware
CN102750495A (en) * 2012-06-07 2012-10-24 北京锐安科技有限公司 System for cracking and restoring iPhone encrypted backup files
CN103324481A (en) * 2013-06-26 2013-09-25 网宿科技股份有限公司 Compiling method and compiling system for obfuscating codes by means of assembly
CN103491077A (en) * 2013-09-09 2014-01-01 无锡华御信息技术有限公司 Method and system for recall Trojan horse control site network behavior function reconstruction

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
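623059008: "Encryption and decryption using JS bitwise XOR (with a user-defined key)", 《HTTP://JINGYAN.BAIDU.COM/ARTICLE/CBCEDE0737E7E702F50B4D65.HTML》 *
HEROWUKING: "Remote debugging of Android with IDA PRO 6.1", 《HTTP://WWW.360DOC.COM/CONTENT/15/0111/21/12129652_439973882.SHTML》 *
艾欧平: "Application of disassembly and reverse analysis in electronic forensics", 《Police Technology》 *
陶姿邑: "Browser forensics technology", 《Computer Systems & Applications》 *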

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106201925A (en) * 2016-07-01 2016-12-07 四川效率源信息安全技术股份有限公司 A kind of decryption method of western number hard disk
CN106201925B (en) * 2016-07-01 2019-03-22 四川效率源信息安全技术股份有限公司 A kind of decryption method of western number hard disk
CN109871707A (en) * 2017-12-04 2019-06-11 广州市动景计算机科技有限公司 Method for secret protection and device calculate equipment and storage medium
CN113742752A (en) * 2021-09-13 2021-12-03 杭州安恒信息技术股份有限公司 Unified authentication method and device for interface docking, computer equipment and storage medium
CN113742752B (en) * 2021-09-13 2024-03-26 杭州安恒信息技术股份有限公司 Unified authentication method, device, computer equipment and storage medium for interface docking

Also Published As

Publication number Publication date
CN104869170B (en) 2018-11-13

Similar Documents

Publication Publication Date Title
CN111783124B (en) Data processing method, device and server based on privacy protection
US8874932B2 (en) Method for order invariant correlated encrypting of data and SQL queries for maintaining data privacy and securely resolving customer defects
JP5839967B2 (en) Malware analysis system
TW201331779A (en) Program analysis/verification service providing system, method for controlling system, control program, control program for causing computer to operate, program analysis/verification device and program analysis/verification tool management device
CN101635622A (en) Method, system and equipment for encrypting and decrypting web page
US20220263810A1 (en) System and method for transferring data
CN104144081A (en) General application log management method, device and system
Nishikawa et al. Implementation of bitsliced AES encryption on CUDA-enabled GPU
CN105022936A (en) Class file encryption and decryption method and class file encryption and decryption device
CN107124281A (en) A kind of data security method and related system
CN115051798B (en) Random number generation method and device, electronic equipment and storage medium
CN108040045B (en) Access flow file generation method and device, server and storage medium
CN105893107A (en) Method for acquiring logged-on user password from memory mirroring documents of 64-bit Windows operation system
CN107516045A (en) Document protection method and device
CN109960942A (en) Database data encipher-decipher method and its system based on database connection pool
CN104869170A (en) Decryption method for encrypted data file of UC browser
CN109241707A (en) Application program obscures method, apparatus and server
CN112286815A (en) Interface test script generation method and related equipment thereof
Park et al. A methodology for the decryption of encrypted smartphone backup data on android platform: A case study on the latest samsung smartphone backup system
WO2022028255A1 (en) Data extraction method and system for mobile phone enterprise wechat, and storage medium
Park et al. How to decrypt PIN-Based encrypted backup data of Samsung smartphones
JP2015106914A (en) Malware communication analyzer and malware communication analysis method
CN108307244A (en) Barrage time limit of speech control method, storage medium, electronic equipment and system
CN109343971B (en) Browser data transmission method and device based on cache technology
Zhang et al. Research on security mechanism and forensics of SQLite database

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
EXSB Decision made by sipo to initiate substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 641000 Sichuan province Neijiang City Songshan Road No. 183

Applicant after: SICHUAN XLY INFORMATION SAFETY TECHNOLOGY CO., LTD.

Address before: 641000 Sichuan province Neijiang City Songshan Road No. 183

Applicant before: Sichuan SalvationData Information Safety Technology Co., Ltd.

CB03 Change of inventor or designer information

Inventor after: Liang Xiaoning

Inventor after: Yang Xianmin

Inventor after: Zhao Fei

Inventor before: Liang Xiaoning

GR01 Patent grant