Closed rom1504 closed 1 year ago
solved by using frida. I think the problem is sometimes the imei comes from some other device number (like the one from another previous device)
I recommend using `frida -U -n Wechat -l wechatdbpass.js`
https://github.com/ellermister/wechat-clean/blob/main/wechatdbpass.js
see basic instructions for frida at https://blog.greycode.top/posts/android-wechat-bak/
in english:
You can also obtain the access password through Frida. If you have a python environment on your computer, it is recommended to use this method, because this method can directly obtain the password without having to try the spliced passwords one by one, and it is absolutely correct. First, install the Frida package on your computer using the following command:
```
$ pip install frida
$ pip install frida-tools
```

Then use adb to view the mobile phone architecture:

```
$ adb shell getprop ro.product.cpu.abi
arm64-v8a
```
What you get is arm64-v8a, then go to https://github.com/frida/frida/releases page to download the corresponding frida-server-
```
$ adb push frida-server-<version>-android-arm /data/local/tmp
```

Then run frida-server on your phone:

```
$ adb shell
$ su
$ cd /data/local/tmp
$ chmod 777 frida-server-<version>-android-arm
$ ./frida-server-<version>-android-arm
```

After running, do not close the terminal interface. In addition, start a terminal and enter:

```
$ adb forward tcp:27042 tcp:27042
$ adb forward tcp:27043 tcp:27043
$ frida-ps -U
```

If the terminal outputs some processes, it means that the environment has been set up successfully. After the setup is successful, run the following Python script on your computer:
ah interesting, actually the method to compute from the imei and uin also produced the same password. I think the above frida method is useful anyway because it provides the passwords for the other DBs as well (which have different passwords apparently)
what was missing here are these 2 lines:

```python
c.execute("PRAGMA cipher_use_hmac = off;")
c.execute("PRAGMA kdf_iter = 4000;")
```

without those, it doesn't work
they are not strictly needed but I think we should also add

```python
c.execute("PRAGMA cipher_page_size = 1024;")
c.execute("PRAGMA cipher_hmac_algorithm = HMAC_SHA1;")
c.execute("PRAGMA cipher_kdf_algorithm = PBKDF2_HMAC_SHA1;")
```

as recommended in other places, for example https://blog.greycode.top/posts/android-wechat-bak/
opening a PR
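
An added illustration (not code from this thread or from the linked projects) of why the PRAGMAs quoted above decide whether the file opens: SQLCipher stretches the passphrase with PBKDF2 over the salt stored in the first 16 bytes of the file, so a library running with SQLCipher 4 defaults derives a different page key than one told to use `kdf_iter = 4000` with HMAC-SHA1. The sample header and passphrase are constructed, and the function and profile names are hypothetical.

```python
import hashlib

SQLITE_MAGIC = b"SQLite format 3\x00"  # first bytes of an unencrypted SQLite file
SALT_LEN, KEY_LEN = 16, 32             # SQLCipher: 16-byte salt, 256-bit AES key

# "legacy" mirrors the PRAGMAs quoted in this thread; "sqlcipher4" is the
# SQLCipher 4 library default. Profile names are hypothetical.
PROFILES = {
    "legacy": {"kdf_iter": 4000, "kdf_hash": "sha1"},
    "sqlcipher4": {"kdf_iter": 256000, "kdf_hash": "sha512"},
}

# Constructed sample data: a fake 1024-byte first page and a made-up passphrase.
SAMPLE_HEADER = bytes(range(0x40, 0x50)) + bytes(1008)
SAMPLE_PASS = "0a1b2c3"


def read_salt(header):
    """Return the KDF salt, i.e. the first 16 bytes of an encrypted database."""
    if len(header) < SALT_LEN:
        raise ValueError("too short to contain a SQLCipher salt")
    if header.startswith(SQLITE_MAGIC):
        raise ValueError("plaintext SQLite header, file is not encrypted")
    return header[:SALT_LEN]


def derive_key(passphrase, salt, profile):
    """Stretch the passphrase into the page key under the given KDF profile."""
    p = PROFILES[profile]
    return hashlib.pbkdf2_hmac(p["kdf_hash"], passphrase.encode(), salt,
                               p["kdf_iter"], dklen=KEY_LEN)


def legacy_pragmas(passphrase):
    """Statements for the legacy profile; PRAGMA key has to come first."""
    quoted = passphrase.replace("'", "''")
    return [
        f"PRAGMA key = '{quoted}';",
        "PRAGMA cipher_use_hmac = off;",
        "PRAGMA kdf_iter = 4000;",
        "PRAGMA cipher_page_size = 1024;",
        "PRAGMA cipher_kdf_algorithm = PBKDF2_HMAC_SHA1;",
    ]


if __name__ == "__main__":
    salt = read_salt(SAMPLE_HEADER)
    for name in PROFILES:
        print(name, derive_key(SAMPLE_PASS, salt, name).hex())
    print("\n".join(legacy_pragmas(SAMPLE_PASS)))
```
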
https://github.com/chg-hou/EnMicroMsg.db-Password-Cracker also worked but only the python version and after changing the prefix, will PR that there
always good to have several alternatives
so actually the new db params were not needed, I just needed to update sqlcipher properly (e.g. uninstall the libsqlcipher0 and libsqlcipher-dev ubuntu packages and install https://github.com/sqlcipher/sqlcipher/releases via make + make install)
So everything works fine. Maybe one last thing to note here: most of the resources are now in the data folder instead of the sdcard folder
Is this working for wechat8?
The decryption is failing for me, I wonder if something might have changed