_APPL_DB_HEADER invalid offset for header? #20

@AndrewSB

Hey! I'm trying to use this to dump my own internet passwords, and I'm running into a crash while parsing the _APPL_DB_HEADER. Here's my invocation and the output:

```
./chainbreaker.py --dump-internet-passwords --password=<somepassword> -a ~/Library/Keychains/53955E52-7540-58CB-93DD-008F838B7EAD/keychain-2.db
2021-06-24 08:36:09,080 - INFO - 

ChainBreaker 2 - https://github.com/gaddie-3/chainbreaker

2021-06-24 08:36:09,081 - INFO - Runtime Command: ./chainbreaker.py --dump-internet-passwords --password=<somepassword> -a /Users/asb/Library/Keychains/53955E52-7540-58CB-93DD-008F838B7EAD/keychain-2.db
2021-06-24 08:36:09,081 - INFO - Keychain: /Users/asb/Library/Keychains/53955E52-7540-58CB-93DD-008F838B7EAD/keychain-2.db
2021-06-24 08:36:09,081 - INFO - Keychain MD5: 56c8eaa212f0f26f5b4616d2b96ff739
2021-06-24 08:36:09,081 - INFO - Keychain 256: f2824d498f1eaa89385a03c11f14bb4bd5c1a923fdb39d7eac6ed916588437a0
2021-06-24 08:36:09,081 - INFO - Dump Start: 2021-06-24 08:36:09.080976
Traceback (most recent call last):
  File "./chainbreaker.py", line 1277, in <module>
    unlock_file=args.unlock_file)
  File "./chainbreaker.py", line 71, in __init__
    self.filepath = filepath
  File "./chainbreaker.py", line 568, in filepath
    self._read_keychain_to_buffer()
  File "./chainbreaker.py", line 169, in _read_keychain_to_buffer
    self.schema_info, self.table_list = self._get_schema_info(self.header.SchemaOffset)
  File "./chainbreaker.py", line 205, in _get_schema_info
    schema_info = _APPL_DB_SCHEMA(self.kc_buffer[offset:offset + _APPL_DB_SCHEMA.STRUCT.size])
  File "/Users/asb/Developer/chainbreaker/schema.py", line 332, in __init__
    (self.SchemaSize, self.TableCount) = _APPL_DB_SCHEMA.STRUCT.unpack(buffer)
struct.error: unpack requires a string argument of length 8
```

The offset being used to index into the self.kc_buffer is massive, and it looks like the buffer passed into _APPL_DB_SCHEMA.STRUCT.unpack(buffer) is empty.

I'm running macOS 11.2.3 (20D91). Is this something you've run into before? Could you help me debug this?
