KnugiHK
commented
2 years ago Are you decrypting a crypt14 database?
Closed javivallejo closed 2 years ago
KnugiHK
commented
2 years ago Are you decrypting a crypt14 database?
javivallejo
commented
2 years ago Yes, msgstore.db.crypt14
KnugiHK
commented
2 years ago It is possible that the offsets written in the program are wrong. The offsets was able to decrypt crypt14 file, but I am not sure if WhatsApp changed them or not.
I don't have a crypt14 file currently. I will look into it when I have one.
KnugiHK
commented
2 years ago If you want to try out yourself, you can modify the offsets as follow in extract.py lines 48-49, and see if it works for you.
iv = database[66:82]
db_ciphertext = database[99:]I'm actually doing that. Doing a for loop and try to decompress db_ciphertext with database from [100:] to [300:].
Should I try with different iv as well? What's the range you guess I should try for that?
KnugiHK
commented
2 years ago I'm actually doing that. Doing a for loop and try to decompress db_ciphertext with database from [100:] to [300:]. Should I try with different
ivas well? What's the range you guess I should try for that?
As mentioned previously, 66 for iv could be a good try.
KnugiHK
commented
2 years ago When is your crypt14 file generated? I have no problem to decrypt the crypt14 file generated just now. Actually, I encountered the same problem in the middle of last year. I guess WhatsApp did change the offsets.
javivallejo
commented
2 years ago It was created today (on whatsapp android v.2.22.3.5, I'm on beta for android)
javivallejo
commented
2 years ago I managed to make it work with iv = database[67:83] db_ciphertext = database[189:]
KnugiHK
commented
2 years ago Good to hear that. 189 is a strange offset and is not found in other related projects. Could it be different users may have different offsets in crypt14? I will add different common offsets for the program to try. And if all those offsets fail, it will try to brute-force the offsets out. Thanks for your report and effort!
gekigek99
commented
1 year ago I'm having tha same issue but for CRYPT15, I'm trying the bruteforce method but not sure how its going to go.... @KnugiHK any advice for possible offsets to try? or some ranges to brutefoce on?
KnugiHK
commented
1 year ago I'm having tha same issue but for CRYPT15, I'm trying the bruteforce method but not sure how its going to go.... @KnugiHK any advice for possible offsets to try? or some ranges to brutefoce on?
If the format of Crypt15 file has not change much, the database should be located in (crypt15 file's first byte) + 2 byte of the crypt15 file. Therefore, you may try the every 16 bytes from 0 to (crypt15 file's first byte) + 2 for the IV. If it is not correct, you may want to try to brute-force the offset of both IV and database offset from 0 to 200 and increase the maximum offset if needed.
gekigek99
commented
1 year ago I found that my database file was already decrypted...
Would be cool to have a function that warns you about that and suggest to use sqlite to open the file directly.
(Wasted 2h cause internet is full of paytouse stuff and bad articles)
I'm getting the same error each time I try to use to decrypt.
zlib.error: Error -3 while decompressing data: incorrect header checkSeems it could decrypt it but when decompressing it fails. Do you know what could be the issue here?