Closed javivallejo closed 2 years ago
Are you decrypting a crypt14 database?
Yes, msgstore.db.crypt14
It is possible that the offsets written in the program are wrong. The offsets was able to decrypt crypt14 file, but I am not sure if WhatsApp changed them or not.
I don't have a crypt14 file currently. I will look into it when I have one.
If you want to try out yourself, you can modify the offsets as follow in extract.py lines 48-49, and see if it works for you.
iv = database[66:82]
db_ciphertext = database[99:]
I'm actually doing that. Doing a for loop and try to decompress db_ciphertext with database from [100:] to [300:].
Should I try with different iv
as well? What's the range you guess I should try for that?
I'm actually doing that. Doing a for loop and try to decompress db_ciphertext with database from [100:] to [300:]. Should I try with different
iv
as well? What's the range you guess I should try for that?
As mentioned previously, 66 for iv could be a good try.
When is your crypt14 file generated? I have no problem to decrypt the crypt14 file generated just now. Actually, I encountered the same problem in the middle of last year. I guess WhatsApp did change the offsets.
It was created today (on whatsapp android v.2.22.3.5, I'm on beta for android)
I managed to make it work with iv = database[67:83] db_ciphertext = database[189:]
Good to hear that. 189 is a strange offset and is not found in other related projects. Could it be different users may have different offsets in crypt14? I will add different common offsets for the program to try. And if all those offsets fail, it will try to brute-force the offsets out. Thanks for your report and effort!
I'm having tha same issue but for CRYPT15, I'm trying the bruteforce method but not sure how its going to go.... @KnugiHK any advice for possible offsets to try? or some ranges to brutefoce on?
I'm having tha same issue but for CRYPT15, I'm trying the bruteforce method but not sure how its going to go.... @KnugiHK any advice for possible offsets to try? or some ranges to brutefoce on?
If the format of Crypt15 file has not change much, the database should be located in (crypt15 file's first byte) + 2
byte of the crypt15 file. Therefore, you may try the every 16 bytes from 0 to (crypt15 file's first byte) + 2
for the IV. If it is not correct, you may want to try to brute-force the offset of both IV and database offset from 0 to 200 and increase the maximum offset if needed.
I found that my database file was already decrypted...
Would be cool to have a function that warns you about that and suggest to use sqlite to open the file directly.
(Wasted 2h cause internet is full of paytouse stuff and bad articles)
I'm getting the same error each time I try to use to decrypt.
zlib.error: Error -3 while decompressing data: incorrect header check
Seems it could decrypt it but when decompressing it fails. Do you know what could be the issue here?