Disable SIP
# in recovery mode, restart and hold cmd + R
csrutil disable
Attach process
# sudo lldb -p $(pgrep WeChat)
sudo lldb -p $(pgrep cryptowl)
Password:
(lldb) process attach --pid 4673
Process 4673 stopped
set break point
(lldb) br set -n sqlite3_key
Breakpoint 1: 2 locations.
(lldb) br set -n sqlite3_key_v2
Breakpoint 2: 2 locations.
(lldb) c
Process 4673 resuming
Break point
(lldb) c
Process 4673 resuming
Process 4673 stopped
* thread #22, name = 'DartWorker', stop reason = breakpoint 2.1
frame #0: 0x000000010110dc57 SQLCipher`sqlite3_key_v2(db=0x00007fc61e13d1b0, zDb=0x0000000000000000, pKey=0x00007fc61e4947d0, nKey=67) at sqlite3.c:107795:70
107792 }
107793
107794 SQLITE_API int sqlite3_key_v2(sqlite3 *db, const char *zDb, const void *pKey, int nKey) {
-> 107795 sqlcipher_log(SQLCIPHER_LOG_DEBUG, "sqlite3_key_v2: db=%p zDb=%s", db, zDb);
107796 /* attach key if db and pKey are not null and nKey is > 0 */
107797 if(db && pKey && nKey) {
107798 int db_index = sqlcipher_find_db_index(db, zDb);
Target 0: (cryptowl) stopped.
read the key:
(lldb) x/s 0x00007fc61e4947d0
0x7fc61e4947d0: "x'86fd7b5c2b51ecc7c204c05eae1ec58fc8a78c165cf9e39cc5ee448317c3a8db'"