ppwwyyxx / wechat-dump

Cracking encrypted wechat message history from android
GNU General Public License v3.0
1.66k stars, 307 forks

Emoji Decryption: ideas needed #65

Closed. ppwwyyxx closed this 4 years ago

ppwwyyxx commented 4 years ago

Background:

In get_emoji_by_md5, the id of the emoji is known. The corresponding emoji file with that id can be found in resource/emoji. However, the file is not a regular image file and is encrypted with unknown methods. Only the static thumbnail/cover files in resource/emoji are unencrypted - as a result, many animated stickers will become static in the rendered HTML.

Progress so far:

Only the first 1024B of the file is encrypted. I attempted to recover the image without knowing its first 1KB (by reading PNG format spec) and got limited success.

By comparing the original emoji file (obtained from older dumps) and encrypted file, we know that:

Note: most emojis have an "encrypturl" and "aeskey" field in the database. They can be used like this:

openssl enc -d -aes-128-cbc -in ./encrypturl.download  -K <aeskey>  -out decrypted.file -iv <aeskey>

and they are not useful for decrypting emojis in resource/emoji.

Future task to do:

ppwwyyxx commented 4 years ago

Done in 641af7a3cd362d6f6b2fa3b39dd82efc9887ed04 after some reverse engineering.
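An added example (not code from the wechat-dump project or from the commit above) for the observation in the first comment that only the first 1024 B of a resource/emoji file is unreadable and the rest is plain PNG: it tells unencrypted thumbnail/cover files apart by their image signature, then walks the remainder of an encrypted-head file chunk by chunk, using each PNG chunk's CRC to find chunk boundaries without the signature, IHDR or the start of the first IDAT. The sample sticker and the XOR keystream standing in for the unknown cipher are constructed here; the real scheme is whatever the commit implements.

```python
import hashlib
import struct
import zlib

ENC_HEAD = 1024  # bytes reported encrypted at the start of each resource/emoji file
MAGICS = (b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a", b"\xff\xd8\xff")


def is_plain_image(data: bytes) -> bool:
    """True if the file opens with a PNG/GIF/JPEG signature, i.e. its head is not encrypted."""
    return data.startswith(MAGICS)


def scan_png_chunks(data: bytes, start: int = ENC_HEAD):
    """List (offset, type, length) of every CRC-valid PNG chunk at or after `start`.

    Chunk layout: length(4, big-endian) | type(4 ASCII) | data | crc32(type + data).
    Sliding one byte at a time and checking the CRC resynchronises on chunk
    boundaries even though everything before `start` is unreadable.
    """
    found, i, n = [], start, len(data)
    while i + 12 <= n:
        length = struct.unpack(">I", data[i:i + 4])[0]
        ctype, end = data[i + 4:i + 8], i + 8 + length
        if ctype.isalpha() and end + 4 <= n:
            crc = struct.unpack(">I", data[end:end + 4])[0]
            if zlib.crc32(data[i + 4:end]) & 0xFFFFFFFF == crc:
                found.append((i, ctype.decode("ascii"), length))
                i = end + 4
                if ctype == b"IEND":
                    break
                continue
        i += 1
    return found


def _chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)


def make_sample_png(width: int = 64, height: int = 64) -> bytes:
    """Constructed 8-bit RGB PNG with its IDAT split into 4 KiB chunks (sample data, not a real sticker)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    row = b"\x00" + bytes((x * 7) & 0xFF for x in range(width * 3))  # filter byte 0 + pixels
    idat = zlib.compress(row * height, 0)  # level 0 keeps the stream large, like real stickers
    pieces = [idat[i:i + 4096] for i in range(0, len(idat), 4096)]
    return (MAGICS[0] + _chunk(b"IHDR", ihdr) + _chunk(b"tEXt", b"Comment\x00sample")
            + b"".join(_chunk(b"IDAT", p) for p in pieces) + _chunk(b"IEND", b""))


def scramble_head(png: bytes) -> bytes:
    """Constructed stand-in for the unknown cipher: XOR the first 1024 bytes with a fixed keystream."""
    ks = b"".join(hashlib.sha256(b"demo-keystream-%d" % i).digest() for i in range(ENC_HEAD // 32))
    return bytes(a ^ b for a, b in zip(png[:ENC_HEAD], ks)) + png[ENC_HEAD:]


if __name__ == "__main__":
    sample = scramble_head(make_sample_png())
    print("plain image head:", is_plain_image(sample))
    for off, ctype, length in scan_png_chunks(sample):
        print(f"{off:6d} {ctype} {length}")
```

Everything the scan misses (signature, IHDR, first IDAT) lies inside the encrypted head, which is why the author's PNG-spec recovery could only ever be partial.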