x32dbg and data extract


vincego, posted Fri Sep 13, 2019 1:13 pm (50692)


Hello,

I'm not sure that I'm in the right forum to post this, but feel free to move it if it's not.

I'm starting to play with x32dbg and I want to extract a sqlite3 database from memory. For now, I'm stuck at the breakpoint (see screenshot).

What approach could I take? I've tried to dump the memory but had no luck with it; I can't find the SQLite occurrence or the header.

Thanks!

atom0s, posted Fri Sep 13, 2019 7:04 pm (50696)


Memory wise there is nothing to dump yet based on that screenshot. You are only breaking on the formatting of the string to build the path to the database. You need to step further into the function to where it is actually loading the database/decrypting it.

vincego, posted Sat Sep 14, 2019 4:30 am (50715)


Thanks, I have found a POPAD next to the process. It seems to be the database. The memory dump returns the table name strings without data. The top of the file starts with game\db\compact.sqlite3.

Am I in the right place?

EDIT: I found the instruction with the right header, but how can I extract the database correctly? I mean, when I dump the memory, garbage comes too, and tools like Volatility don't seem to be able to extract the database.

atom0s, posted Sat Sep 14, 2019 7:47 pm (50727)


Generally for SQLite databases you'd want to find where the call is to load the database and decode it via a password. For that you'd want to look for calls to the SQLite API, the ones generally of interest are:

- sqlite3_open - Used to open the database file.
- sqlite3_activate_see - Used to set the SEE features on the db. (You are working with CryEngine given the x2game/xlcommon/etc. module names. So this is generally used on their databases.)
- sqlite3_key - Sets the decryption key used to decrypt the data of the file. (This is mainly what you're interested in finding to get the key.)

Once you have the key you can create a decrypted copy of the database manually using the SQLite API in your own program using the following calls along with the ones I mentioned above:

- sqlite3_backup_init - Used to backup the encrypted database to the decrypted one.
- sqlite3_backup_step - Used to backup the encrypted database to the decrypted one.
- sqlite3_backup_finish - Used to backup the encrypted database to the decrypted one.
- sqlite3_rekey - Used to remove the encryption key from the database when saving the new copy.

That will allow you to copy the encrypted database to a decrypted one.
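The procedure atom0s describes, written out as an added example (not code from this thread or from the game): open the encrypted file, apply the key, and use the backup API to write a plaintext copy, then confirm the copy carries the plaintext SQLite header that the earlier post could not find in the dump. It uses Python's sqlite3 module on a constructed sample database; `PRAGMA key` stands in for `sqlite3_key()` and only takes effect on an SEE/SQLCipher-enabled library, and the key value is a placeholder.

```python
import os
import sqlite3
import tempfile

# Every plaintext SQLite 3 file starts with these 16 bytes. SEE and SQLCipher
# encrypt page 1 too, so an encrypted database (on disk or in memory) never
# shows this string, which is one reason a header search in a dump finds nothing.
SQLITE_MAGIC = b"SQLite format 3\x00"

def has_plain_header(path):
    """True when the file begins with the plaintext SQLite header."""
    with open(path, "rb") as fh:
        return fh.read(16) == SQLITE_MAGIC

def decrypted_copy(src_path, dst_path, key):
    """Copy src_path to dst_path as a plaintext database; return its table names.
    Assumes an SEE/SQLCipher-enabled library, where PRAGMA key is the SQL form of
    sqlite3_key(); a stock build ignores the pragma, so plaintext input works too.
    """
    src = sqlite3.connect(src_path)
    dst = sqlite3.connect(dst_path)
    try:
        # sqlite3_key(): PRAGMA takes no bound parameters, so the key is
        # inlined as a string literal with single quotes doubled.
        src.execute("PRAGMA key = '%s'" % key.replace("'", "''"))
        # Force a read of page 1: with a wrong key this raises
        # "file is not a database" instead of yielding a garbage copy.
        src.execute("SELECT count(*) FROM sqlite_master").fetchone()
        # sqlite3_backup_init/step/finish: page-by-page copy into a connection
        # with no key set, so the pages land unencrypted. (PRAGMA rekey = ''
        # on the copy is the sqlite3_rekey route atom0s mentions.)
        src.backup(dst)
        rows = dst.execute("SELECT name FROM sqlite_master "
                           "WHERE type = 'table' ORDER BY name")
        return [name for (name,) in rows]
    finally:
        dst.close()
        src.close()

def run_demo():
    """Constructed plaintext stand-in for the game's compact.sqlite3."""
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "compact.sqlite3")
    with sqlite3.connect(src) as con:
        con.execute("CREATE TABLE items(id INTEGER PRIMARY KEY, name TEXT)")
        con.execute("INSERT INTO items(name) VALUES ('sample')")
    con.close()
    dst = os.path.join(workdir, "compact_plain.sqlite3")
    tables = decrypted_copy(src, dst, "placeholder-key")  # key is a placeholder
    return tables, has_plain_header(dst)
```

With a real SEE build, a wrong key fails at the `sqlite_master` read rather than after a full copy, which is the check to rely on when testing a key recovered in the debugger.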

vincego, posted Sat Sep 14, 2019 9:11 pm (50728)


Hmmm, I can't find anything with sqlite3_* patterns in the modules you mentioned. I don't know if it's a problem, but for now I only attach to the current process because otherwise I get a WinLicense error, probably linked to Themida. The problem is that x32dbg does not stop at my breakpoint, so it only breaks on a memory exception (a fatal one, because I'm not able to restart the debugger even with a range of ignored exceptions).

EDIT: I will try with xAnalyzer to see if I can find more information.
EDIT2: Is it possible that after the load they purge everything related to sqlite from memory, so I do not see anything?
This topic is now closed to further replies.