Open aldennisa15 opened 3 years ago
in a .crypt14
file ... [.py
hacks in decrypt12
function shown below in square brackets]
... t2 is at offset 14 [so change to crypt12.seek(14) t2 = crypt12.read(32)
]
... iv is at offset 66 [change to crypt12.seek(66) iv = crypt12.read(16)
]
... encrypted content starts at offset 99, (I haven't yet worked out the correct amount of footer to remove, but removing 0 seems to result in a successful decryption so far) [change to crypt12.seek(99) primer(tf, crypt12, 0)
]
I've also noticed that the 16 bytes at offset 62 to 77 in the key
file also appear in the .cryptX
file, just like the t
bytes at offset 30 to 61 do.
In a .crypt12
file they are at offset 35 to 50.
In a .crypt14
file they are at offset 48 to 63.
In my code I've called these x1
and x2
and do the same equality check as happens for t1
and t2
.
In addition, in the .crypt14
file, bytes at 86 to 94 look to contain the WA version number, so in my case 2.21.8.17
- presumably the version that wrote the .crypt14
file. I suspect that when the version number rolls over to more digits (e.g. 2.21.10.10
) then the offset to the start of the encrypted content (currently 99 in my backup files) might well change?
https://github.com/andreas-mausch/whatsapp-viewer/commit/7035b9c505f5582df70e5a2d33bcac9acd5719cc
This contains a C++ implementation of .crypt14 decrypt
Take also a look here: https://github.com/andreas-mausch/whatsapp-viewer/issues/114#issuecomment-835267643 So you are right, no implementation change, just offsets.
@aldennisa15 Do you need to get the key file again from wa's data folder?
@ElDavoo I didn't, I'm using the same key
file that worked for .crypt12
files previously.
@aldennisa15 can you make a patch please? I can't manage to patch it on my own for some reason.
I'm stupid lol, I made a pull request https://github.com/EliteAndroidApps/WhatsApp-Crypt12-Decrypter/pull/13
@aldennisa15 not working anymore with latest dump.
IV now starts at byte 67, but don't know about the rest.
I found the offsets. Since the project seems dead, i'll keep updating offsets in my fork.
hey guys, amazing work. in your opinion is it doable to convert an unencrypted msgstore.db back to an encrypted crypt12 file ? can it be even done in a way for whatsapp to recognize it and restore the messages from it? please let me know and many thanks
@courious875 have you tried putting the unencrypted backup in the Databases folder?
@ElDavoo yes and it's working like a charm. as a side-challenge I was trying to re-encrypt .db databases back into .crypt12 format, but no luck so far. WhatsApp would not recognize them, no matter what I tried. In my opinion the header and footer are the problem, as they seem to be very unique that provide very precise info to the WhatsApp server what makes it to be recognized as its own. I can't seem to be able to find anything new on the subject on GitHub or else.
@ElDavoo as a side-challenge I was trying to re-encrypt .db databases back into .crypt12 format, but no luck so far.
This is being worked on here
@ElDavoo Many thanks, I can see that you guys made quite a progress ! Nice work !
After years of successfully using
WhatsApp-Crypt12-Decrypter
to access MY chat data, this week it stopped working :-(WhatsApp on my phone looks to have updated to v2.21.8.17 and is now generating local backups with a
.crypt14
extension instead of.crypt12
.Unsurprisingly,
WhatsApp-Crypt12-Decrypter
chokes on this with the errorKey file mismatch or crypt12 file is corrupt.
However, armed with
hexdump
and a bit cunning, I've worked out how to tweak the python so that it successfully decodes.crypt14
files.Details to follow shortly and/or a fork etc for anyone else interested.