There is a program. It has an SQLite database. The database is password protected. I see only two ways to find out the password:

  1. Brute force (but there are no results from it yet, and it's not certain there will be any in the next few years :))
  2. Catch it at the moment of connection. But I don't know how to do that. I tried using Process Explorer to pull all the strings out of the process and feed them to brute force. This did not yield any results, but perhaps that is because I missed the very moment of connecting to the database. But I don't know how to catch that moment.

Or maybe you have other ideas?

UPD:

I attached the Visual Studio debugger to the process. At the moment when the connection to the database should start, I paused. I see something like the following

    740A4697 mov dword ptr [ebp-18h],ebx
    740A469A mov dword ptr [ebp-14h],4
    740A46A1 mov dword ptr [ebp-10h],ebx
    740A46A4 lea eax,[ebp-1Ch]
    740A46A7 push eax
    740A46A8 push 1
    740A46AA push 740915C0h
    740A46AF push dword ptr ds:[740C57D4h]
    740A46B5 push dword ptr ds:[740C57D0h]
    740A46BB call dword ptr ds:[740C6440h]
    740A46C1 cmp eax,8
    740A46C4 je 740A46A4
    740A46C6 mov ecx,dword ptr [ebp-8]
    740A46C9 xor ecx,ebp
    740A46CB mov eax,esi
    740A46CD pop ebx
    740A46CE call 740BD40D
    740A46D3 leave
    740A46D4 ret 4
    740A46D7 int 3

I'm stepping through it. I don't see anything like method calls here. Tell me what to do next.

UPD2:

I don't know what the application is written in, but it loads managed libraries (mono, unity and some others), and in the plugins folder there are also mono libraries and sqlite3.dll. I don't know yet what to do with this information. Maybe there is a way to attach to the sqlite3.dll library and track accesses to it?

UPD3:

Another very strange thing happens. When the window loses focus, loading from the database stops (as if paused). Is this a defense against debugging?

1 answer

The debugger is the right approach. Put a breakpoint on sqlite3_key and look at the call parameters.

If that doesn't help, put a breakpoint on sqlite3_prepare* and look for PRAGMA key queries.

• I apologize for the noob question, but how do I debug a compiled program? Something like IDA? - iRumba
• @iRumba IDA is the most hacker-ish of debuggers. But in this case any suitable one will do. - Pavel Mayorov
• I'll torture you a bit more. I added something to the question. - iRumba