by khakimov 4040 days ago
inside their dmg file:

    -rw-r--r-- 1 buddha staff 163840 Jul 21 2014 password_pro.sqlite

    sqlite> .tables
    pwd
    sqlite> .schema pwd
    CREATE TABLE "pwd" ("password" TEXT NOT NULL );
    sqlite> SELECT * FROM pwd;
    a30e502c125899a41cb562a7a36b4bd0
    c58675db0ba9266fb5307982e4368ab0
    5631e619f6e280c0740704a25a8298f6
    ...

I don't know how they are using this pwd, but it seems like a good starting point.


Fun stuff. classes.dex in the apk has some interesting strings:

    select * from js_injection where name=?
    select * from pwd where hid>=? and hid<? order by hid

    CREATE TABLE IF NOT EXISTS local_ap_info ( hid integer primary key autoincrement, ssid text, bssid text, security_level text,
        pwd text, x_user text, x_pwd text, stat text, lati text, longi text, type text, html text, create_dt text, last_update_dt text)

    CREATE TABLE IF NOT EXISTS private_ap_info(ID integer primary key autoincrement,ssid text,bssid text,security_level text,
        pwd text,hid text,create_dt text,last_update_dt text,last_update_opr text,wkflg char(8))

    CREATE TABLE IF NOT EXISTS unlock_ap(id integer primary key autoincrement,ssid text,bssid text,security_level text,
        pwd text,uploaded integer(1))


Cleaned up your sqlite commands:

    sqlite> .tables
    pwd
    sqlite> .schema pwd
    CREATE TABLE "pwd" ("password" TEXT NOT NULL );
    sqlite> SELECT * FROM pwd;
    a30e502c125899a41cb562a7a36b4bd0
    c58675db0ba9266fb5307982e4368ab0
    5631e619f6e280c0740704a25a8298f6
    ...

Looks like it may not be fully seeded on install?

Edit:

Getting a different result for the database in the apk:

    $ sqlite3 ap8.db
    SQLite version 3.8.10.1 2015-05-09 12:14:55
    Enter ".help" for usage hints.
    sqlite> .tables
    android_metadata  ap_info           js_injection      pwd
    sqlite> .schema pwd
    CREATE TABLE pwd(hid integer primary key autoincrement,pwd text);
    sqlite> select * from pwd;
    1|df5b74fb19b8b150bcf07bbb4e43456d
    2|a1b574f8cf46c461f1e15fa52e3b2110
    3|c8c28c03de3e02d7814d86b14dfcf1f5
    4|7635726149e6d0f0e8f3e9224b8109dc

Most "pwd" are 32 chars long, some are 64 chars, and a few are 96 chars for some odd reason.

The ap_info and js_injection tables are empty, so you'd have to get at it after syncing to their servers.

Dumped - http://pastebin.com/YnKkA4DA

This is from the ap8.db in the Android download. I didn't want to install this piece of shit on a real phone; the source does update and get a newer version.

This was an easy CTF.

They change depending on the auth type (WEP vs WPA vs WPA2-PSK vs WPA2-Enterprise). It'll be a day or two before someone manages to decrypt the DB. I'd have a crack at it if I had more time.
My money's on AES256 ECB mode.

    aload 0    // this
    LDC "AES/CBC/NoPadding"
    invokestatic javax/crypto/Cipher.getInstance(java/lang/String) : javax/crypto/Cipher
    putfield com/snda/wifilocating/support/c.c : javax/crypto/Cipher

Nope.

CBC sizes would go 32, 48, 64
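The thread's argument about the pwd column (32/64/96 hex chars, "my money's on AES256 ECB", the AES/CBC/NoPadding string in the bytecode) is really a question about what ciphertext length and block repetition can and cannot tell you. With NoPadding, both ECB and CBC produce ciphertexts that are whole multiples of 16 bytes, so 16/32/48-byte values are consistent with either; if a random IV were stored with each value you would expect 16 extra bytes per row. What does separate the modes is repetition: identical 16-byte blocks recurring across rows is the classic ECB fingerprint, and also what CBC degenerates to for the first block when the IV is fixed. The script below, an added example that is not code from the app or from any commenter, loads a pwd table shaped like the one shown above into SQLite, reports the byte-length histogram, flags values that are not valid hex or not block-aligned, and counts repeated blocks across rows. The rows it loads are constructed for the demonstration and are not the values from the dumped ap8.db.

```python
"""Length and block-repetition triage for a hex-encoded 'pwd' column.

Added example for this thread; not code from the app or its commenters.
Assumes a table shaped like the one in the thread:
    CREATE TABLE pwd(hid integer primary key autoincrement, pwd text);
"""
import sqlite3
from collections import Counter

BLOCK = 16  # AES block size in bytes; 32 hex chars per block

# Constructed sample rows (NOT the real database contents). ROW2 is stored
# twice, and ROW1's block reappears at the start of ROW4, to show the kind
# of repetition that ECB (or CBC with a fixed IV) leaves behind.
ROW1 = "00112233445566778899aabbccddeeff"                                   # 16 bytes
ROW2 = "0123456789abcdef0123456789abcdef" + "fedcba9876543210fedcba9876543210"  # 32 bytes
ROW4 = ROW1 + "ffeeddccbbaa99887766554433221100" + "a5" * BLOCK           # 48 bytes
SAMPLE_ROWS = [ROW1, ROW2, ROW2, ROW4, "abc"]  # "abc" is deliberately not valid hex


def build_sample_db(path=":memory:"):
    """Create the pwd table and load the constructed sample rows."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS pwd(hid integer primary key autoincrement, pwd text)"
    )
    conn.executemany("INSERT INTO pwd(pwd) VALUES (?)", [(r,) for r in SAMPLE_ROWS])
    conn.commit()
    return conn


def load_pwd_column(conn):
    """Return the pwd values in hid order, as the thread's SELECT does."""
    return [row[0] for row in conn.execute("SELECT pwd FROM pwd ORDER BY hid")]


def decode_hex(value):
    """bytes.fromhex, or None if the value is not a clean hex string."""
    try:
        return bytes.fromhex(value)
    except ValueError:
        return None


def analyze(values):
    """Histogram lengths in bytes and count 16-byte blocks that recur across rows."""
    lengths = Counter()
    block_counts = Counter()
    undecodable, unaligned = [], []
    for v in values:
        raw = decode_hex(v)
        if raw is None:
            undecodable.append(v)
            continue
        lengths[len(raw)] += 1
        if len(raw) % BLOCK:
            unaligned.append(v)  # cannot be a NoPadding AES ciphertext
            continue
        for i in range(0, len(raw), BLOCK):
            block_counts[raw[i:i + BLOCK]] += 1
    return {
        "length_bytes": dict(lengths),
        "undecodable": undecodable,
        "unaligned": unaligned,
        # blocks seen more than once anywhere in the column, hex-encoded
        "repeated_blocks": {b.hex(): n for b, n in block_counts.items() if n > 1},
        # whole rows stored more than once (same plaintext under a deterministic scheme)
        "duplicate_rows": {v: n for v, n in Counter(values).items() if n > 1},
    }


def verdict(report):
    """One-line reading of the report; the caveat about fixed IVs is deliberate."""
    if report["unaligned"]:
        return "not block-aligned: not a NoPadding block cipher, or not raw ciphertext"
    if report["repeated_blocks"]:
        return "blocks repeat across rows: consistent with ECB, or CBC with a fixed IV"
    return "all rows block-aligned with no repeated blocks: consistent with CBC and a fresh IV"


if __name__ == "__main__":
    rows = load_pwd_column(build_sample_db())
    rep = analyze(rows)
    for length, n in sorted(rep["length_bytes"].items()):
        print(f"{n} row(s) of {length} bytes ({length * 2} hex chars)")
    print("undecodable:", rep["undecodable"])
    print("repeated blocks:", rep["repeated_blocks"])
    print(verdict(rep))
```

To run it against a real dump, replace `build_sample_db()` with `sqlite3.connect("ap8.db")`; the rest of the script only assumes the `pwd(hid, pwd)` shape shown in the thread. Note that `verdict` is a triage hint, not proof: a single repeated block is weak evidence, while many identical rows in a column that is supposed to hold distinct secrets is hard to explain with a properly randomised IV.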