3.9 KiB
MsgLib.db readability and wrapper-path precheck
Date: 2026-07-10
Question
Why are the copied MsgLib.db files not directly readable as SQLite, and what is the safest next path for extracting contact/group display names and richer message metadata?
Evidence checked
- Existing ignored metadata:
runs/offline-evidence-intake/zyl-qqfile-20260709/metadata/schema-inspection-summary.jsonruns/offline-evidence-intake/zyl-qqfile-20260709/metadata/archive-list.txt
- New ignored C24 metadata:
runs/offline-evidence-intake/zyl-qqfile-20260709/metadata/c24-msglib-format-precheck.jsonruns/offline-evidence-intake/zyl-qqfile-20260709/metadata/c24-wrapper-string-precheck.json
- Read-only extracted wrapper candidates under ignored:
runs/offline-evidence-intake/zyl-qqfile-20260709/extracted/c24-wrapper-candidates/
No raw DB bytes, decrypted messages, or personal values are committed in this note.
Findings
- The three inspected
MsgLib.dbcopies do not start with SQLite magic and contain no SQLite header within the first 1 MiB sample. - The inspected DB samples have high entropy and the same non-SQLite prefix shape across iSphere and IMPP account copies. This strongly suggests a consistent encrypted/wrapped DB format rather than a random corrupt copy.
- The archive contains standard SQLite libraries, DB abstraction libraries, and a repair tool next to
MsgLib.db:System.Data.SQLite.dllUtilities.Lib.DBSQLite.dllUtilities.Lib.SQLiteInteraction.dllUtilities.Lib.SQLiteInteractionBase.dllUtilities.Lib.DBBase.dllUtilities.Lib.DBModel.dllHYHC.IMPP.DAL.dllRepairDatabase.exe
- String-only static scanning of wrapper candidates shows that
HYHC.IMPP.DAL.dllandRepairDatabase.exereference message/group DB behavior and candidate table/method names, including:tblMsgGroupPersonMsgImportOldDataBaseGetGroupMessaeByIDGetGroupRecentMsgUpdateGroupNameSelectMsgGroupNameSelectRecentGroupNameSaveGroupInfomationgroupJidset_MemberJidset_MsgGroupNameset_MemberNameget_naturalname
Utilities.Lib.SQLiteInteraction.dllexposesSQLiteConnectionStringBuilderplusget_Passwordandset_Password.Utilities.Lib.DBModel.dllexposes configuration concepts such asIConStrDecryption,PasswordPropertyName, andDecryptionPropertyName.smcrypto-*andBouncyCastle.Crypto.dllare present, but C24 does not prove they are the actualMsgLib.dbwrapper. They are supporting crypto candidates only.
Decision
Do not treat MsgLib.db as ordinary SQLite.
The best current hypothesis is:
MsgLib.dbis an encrypted or wrapped SQLite database opened through the client DB abstraction layer, likely involvingUtilities.Lib.SQLiteInteraction*,Utilities.Lib.DBModel, andHYHC.IMPP.DAL.
The next safe implementation path is not direct DB reads. It is static wrapper analysis first:
- Inspect .NET metadata/IL for the DB wrapper assemblies.
- Identify how connection strings/password/decryption are supplied.
- Identify table names and model classes for message, contact, group, member, and display-name fields.
- Only after that, attempt a read-only schema extraction on copied DB files under ignored paths.
Next slice
C25 should perform a read-only static .NET wrapper analysis over the extracted candidate assemblies. It should produce table/model/source mappings only, not execute the client and not write to the original DB.
Suggested C25 focus:
HYHC.IMPP.DAL.dllUtilities.Lib.SQLiteInteraction.dllUtilities.Lib.DBModel.dllUtilities.Lib.DBSQLite.dllRepairDatabase.exe
Expected output:
- candidate table names;
- candidate model/property names for contact/group/message metadata;
- likely connection-string/password/decryption flow;
- decision whether C26 can attempt a copied-DB read-only schema extraction.