venomous0x / WhatsAPI

Interface to WhatsApp Messenger

Login broken #126

Closed zstars closed 11 years ago

zstars commented 11 years ago

Login seems to be broken once again. Might be the somewhat frequent two-magic-bytes change, or something more shady.

Pkaisers commented 11 years ago

Yes, login seems to be broken once again.

spookyman commented 11 years ago

yep - I can ack that! login broken

tx PHP Notice: Undefined property: WhatsProt::$challengeArray in /home/me/test/WhatsAPI/src/php/whatsprot.class.php on line 119

dd12345772 commented 11 years ago

Yup, getting the same - the last successful login I had was about 11 hours ago. (22:00 CAT 30 Oct)

GabrielBinato commented 11 years ago

I have the same problem =[

tx stream:features tx tx /stream:features

tx

tx dXNlcm5hbWU9IjU1MTg5NjMxNTk2NiIscmVhbG09InMud2hhdHNhcHAubmV0Iixub25jZT0iIixjbm9uY2U9ImRmZDViMDI5LTEwYTAtNDE5Zi1hN2UxLWFmOWU3MzU4ZWE0MSIsbmM9MDAwMDAwMDEscW9wPWF1dGgsZGlnZXN0LXVyaT0ieG1wcC9zLndoYXRzYXBwLm5ldCIscmVzcG9uc2U9N2ZjMWI0ZGMyNDlhYTUzYTc2YWE5ZGRmNjgyYWExMGQsY2hhcnNldD11dGYtOA==

ralphmyw commented 11 years ago

ya, same issue in here.

wreh commented 11 years ago

same error here as well, I was using it perfectly till yesterday...

spookyman commented 11 years ago

any idea on how to fix this issue?

dd12345772 commented 11 years ago

I've looked at issue 36 (https://github.com/venomous0x/WhatsAPI/issues/36) which seemed to be a similar issue, but not sure if it is exactly the same. I've tried to see if there is something there to help with the current issue, but can't seem to make any progress.

Anybody else have any ideas?

dleivag commented 11 years ago

If the issue is like that, the solution should be just to find the new two mysterious bytes, but there has to be some way to do it automatically because smartphone clients are still working normally... maybe WhatsApp servers send the new two bytes in the login response? I'm just thinking....


jean151515 commented 11 years ago

With the last update on my iPhone the protocol seems to have changed. It made me think that the old protocol will someday be deprecated; is that possible?

spookyman commented 11 years ago

well maybe it's an algorithm depending on the Unix time code (another idea!?)

can someone give me the place in the PHP code where I find the magic byte setting?

dleivag commented 11 years ago

Bad news. A friend has told me that two days ago he had to update the WhatsApp client to make it work because a message was shown saying "WhatsApp needs to be updated", and he had to update it to use it. This would mean that maybe there are significant changes in the protocol...


spookyman commented 11 years ago

I didn't get an update in the last days and it still works on my mobile

(using Android ICS)

dleivag commented 11 years ago

that's great, he had scared me.


dd12345772 commented 11 years ago

The bytes are in protocol.class.php line 349 – I think that is the place


jean151515 commented 11 years ago

The protocol had changed more than a month ago but the old one was still working till yesterday. The strange part is that I don't seem to get any bytes from the server.

ivanbill commented 11 years ago

http://imgur.com/9QnHu Maybe someone can use this. I just sniffed WhatsApp in YouWave.

jean151515 commented 11 years ago

KingKong1 is it still working on your device?

mobilipia commented 11 years ago

@jean151515 Kindly upload the entire packet capture. I want to compare it with what I have done on my droid.

jean151515 commented 11 years ago

@mobilipia I am not able to do that right now because I am at work and I don't have the proper tools. I'll upload them when I get home.

spookyman commented 11 years ago

the problem with "sniffing" will be the SSL protocol - so you just get encrypted packets ...

jean151515 commented 11 years ago

@spookyman the old protocol was plain text, there was no need to decrypt it. Just for the record: the trick I found to decrypt the SSL packets (for the registration process and contact checker) was to eavesdrop on a WhatsApp installed on my old Nokia. The Symbian OS asks the user whether to accept an unverified certificate, which made things easier. The iPhone just blocks it without notice.

kingk110 commented 11 years ago

please, any solution for the problem? I need a solution urgently

spookyman commented 11 years ago

I guess if I root my Android I'd be able to install fake certificates, too (maybe an interesting thing - huh) and fake an HTTPS server on the other side - so you could get the first packets

jb425 commented 11 years ago

$this->_output .= "\x01\x02\x00\x00";

but then there is another error

jean151515 commented 11 years ago

where did you add it?

spookyman commented 11 years ago

nah, getting the same error @jb425

spookyman commented 11 years ago

src/php/protocol.class.php line #339, but it doesn't work @jean151515

it has to be the right magic byte

dleivag commented 11 years ago

I can't do it now (at work too). But maybe we could try a brute force, changing the magic byte. That way we can know whether it is a magic byte problem or not.


zstars commented 11 years ago

According to certain "research", the magic bytes (which are two, let's call them i and j) do NOT seem to be in the range (i = 0..40; j = 0..40). It's a bad sign, because so far all magic-bytes (to my knowledge) have been rather low.

My information is not fully reliable though, someone might want to verify.

spookyman commented 11 years ago

what about the last two, x00 and x19?

zstars commented 11 years ago

@spookyman No idea about those, have they ever changed?

spookyman commented 11 years ago

actually, I don't know - but why shouldn't they matter?

beldar commented 11 years ago

Anyone else sniffed some traffic?

spookyman commented 11 years ago

if I set it to x01 x01 x01 x19 I'll get this error:

rx stream:error rx rx /stream:error

spookyman commented 11 years ago

rx xml-not-well-formed xmlns="urn:ietf:params:xml:ns:xmpp-streams"></xml-not-well-formed

spookyman commented 11 years ago

just to be sure: changing the WA version in whatsprot.class.php doesn't help either.

any idea for a MITM attack on the WA protocol? @jean151515 suggested using an old Nokia which asks to accept an insecure SSL cert. maybe that could be the way - or maybe with a rooted Android?

kerby82 commented 11 years ago

A non-updated WhatsApp on my ancient iPhone 3G is still working, so I guess they did not change the protocol. Is it possible that they are checking the user agent variable in the HTTP request?

zstars commented 11 years ago

Not exactly a MITM attack, but just an idea, if someone had a non-updated iPhone (with a version old enough so as not to encrypt packets), it might be easy to sniff traffic by setting up a public wifi network, and sniffing the packets through airmon-ng or similar.

spookyman commented 11 years ago

another thought on the last magic byte:

I found the following in "php/decode.php"

$dic[19] = "basee64"; $dic[41] = "DIGEST-MD5"; $dic[42] = "DIGEST-MD5-1";

no matter what number you are using - except for 19 - you get the error "xml-not-well-formed", so I "GUESS" that 19 is still correct for the last part!

spookyman commented 11 years ago

@kerby82 are you able to send me a full sniff (Wireshark, for example) of the iPhone starting (incl. WhatsApp starting)?

mobilipia commented 11 years ago

@kerby82 Please send the packet capture to me. I can reverse engineer. Start the capture before whatsapp is started.

Zanooda commented 11 years ago

Well, maybe this helps: After decompiling WhatsApp for Windows Phone 7 I found a place in code where it sends WAUTH-1 instead of DIGEST-MD5-1 as authentication method to the server.

Currito commented 11 years ago

That's what I've found: The dictionary has changed:

jean151515 commented 11 years ago

if needed, I have some old versions of WhatsApp for Android, for those who would like to investigate it:

WhatsApp_Messenger_2.7.2334.apk
WhatsApp_Messenger_2.7.2635.apk
WhatsApp_Messenger_2.7.5561.apk
WhatsApp_Messenger_2.7.6004.apk
WhatsApp_Messenger_2.7.6230.apk
WhatsApp_Messenger_2.7.6847.apk
WhatsApp_Messenger_2.7.7811.apk
WhatsApp_Messenger_2.7.8402.apk
WhatsApp_Messenger_2.7.9033.apk
WhatsApp_Messenger_2.8.988.apk

I remember that some have the old protocol that was working the last time I tested it, but when starting, it indicates that it is an old version and needs to be updated.

spookyman commented 11 years ago

I'm interested in what @Currito says ... I didn't play around with the decoding yet ... so some more information would be great @Currito

Zanooda commented 11 years ago

Extracted dictionary from WP7-app:

        strArrays[5] = "account";
        strArrays[6] = "ack";
        strArrays[7] = "action";
        strArrays[8] = "active";
        strArrays[9] = "add";
        strArrays[10] = "after";
        strArrays[11] = "ib";
        strArrays[12] = "all";
        strArrays[13] = "allow";
        strArrays[14] = "apple";
        strArrays[15] = "audio";
        strArrays[16] = "auth";
        strArrays[17] = "author";
        strArrays[18] = "available";
        strArrays[19] = "bad-protocol";
        strArrays[20] = "bad-request";
        strArrays[21] = "before";
        strArrays[22] = "Bell.caf";
        strArrays[23] = "body";
        strArrays[24] = "Boing.caf";
        strArrays[25] = "cancel";
        strArrays[26] = "category";
        strArrays[27] = "challenge";
        strArrays[28] = "chat";
        strArrays[29] = "clean";
        strArrays[30] = "code";
        strArrays[31] = "composing";
        strArrays[32] = "config";
        strArrays[33] = "conflict";
        strArrays[34] = "contacts";
        strArrays[35] = "count";
        strArrays[36] = "create";
        strArrays[37] = "creation";
        strArrays[38] = "default";
        strArrays[39] = "delay";
        strArrays[40] = "delete";
        strArrays[41] = "delivered";
        strArrays[42] = "deny";
        strArrays[43] = "digest";
        strArrays[44] = "DIGEST-MD5-1";
        strArrays[45] = "DIGEST-MD5-2";
        strArrays[46] = "dirty";
        strArrays[47] = "elapsed";
        strArrays[48] = "broadcast";
        strArrays[49] = "enable";
        strArrays[50] = "encoding";
        strArrays[51] = "duplicate";
        strArrays[52] = "error";
        strArrays[53] = "event";
        strArrays[54] = "expiration";
        strArrays[55] = "expired";
        strArrays[56] = "fail";
        strArrays[57] = "failure";
        strArrays[58] = "false";
        strArrays[59] = "favorites";
        strArrays[60] = "feature";
        strArrays[61] = "features";
        strArrays[62] = "field";
        strArrays[63] = "first";
        strArrays[64] = "free";
        strArrays[65] = "from";
        strArrays[66] = "g.us";
        strArrays[67] = "get";
        strArrays[68] = "Glass.caf";
        strArrays[69] = "google";
        strArrays[70] = "group";
        strArrays[71] = "groups";
        strArrays[72] = "g_notify";
        strArrays[73] = "g_sound";
        strArrays[74] = "Harp.caf";
        strArrays[75] = "http://etherx.jabber.org/streams";
        strArrays[76] = "http://jabber.org/protocol/chatstates";
        strArrays[77] = "id";
        strArrays[78] = "image";
        strArrays[79] = "img";
        strArrays[80] = "inactive";
        strArrays[81] = "index";
        strArrays[82] = "internal-server-error";
        strArrays[83] = "invalid-mechanism";
        strArrays[84] = "ip";
        strArrays[85] = "iq";
        strArrays[86] = "item";
        strArrays[87] = "item-not-found";
        strArrays[88] = "user-not-found";
        strArrays[89] = "jabber:iq:last";
        strArrays[90] = "jabber:iq:privacy";
        strArrays[91] = "jabber:x:delay";
        strArrays[92] = "jabber:x:event";
        strArrays[93] = "jid";
        strArrays[94] = "jid-malformed";
        strArrays[95] = "kind";
        strArrays[96] = "last";
        strArrays[97] = "latitude";
        strArrays[98] = "lc";
        strArrays[99] = "leave";
        strArrays[100] = "leave-all";
        strArrays[101] = "lg";
        strArrays[102] = "list";
        strArrays[103] = "location";
        strArrays[104] = "longitude";
        strArrays[105] = "max";
        strArrays[106] = "max_groups";
        strArrays[107] = "max_participants";
        strArrays[108] = "max_subject";
        strArrays[109] = "mechanism";
        strArrays[110] = "media";
        strArrays[111] = "message";
        strArrays[112] = "message_acks";
        strArrays[113] = "method";
        strArrays[114] = "microsoft";
        strArrays[115] = "missing";
        strArrays[116] = "modify";
        strArrays[117] = "mute";
        strArrays[118] = "name";
        strArrays[119] = "nokia";
        strArrays[120] = "none";
        strArrays[121] = "not-acceptable";
        strArrays[122] = "not-allowed";
        strArrays[123] = "not-authorized";
        strArrays[124] = "notification";
        strArrays[125] = "notify";
        strArrays[126] = "off";
        strArrays[127] = "offline";
        strArrays[128] = "order";
        strArrays[129] = "owner";
        strArrays[130] = "owning";
        strArrays[131] = "paid";
        strArrays[132] = "participant";
        strArrays[133] = "participants";
        strArrays[134] = "participating";
        strArrays[135] = "password";
        strArrays[136] = "paused";
        strArrays[137] = "picture";
        strArrays[138] = "pin";
        strArrays[139] = "ping";
        strArrays[140] = "platform";
        strArrays[141] = "pop_mean_time";
        strArrays[142] = "pop_plus_minus";
        strArrays[143] = "port";
        strArrays[144] = "presence";
        strArrays[145] = "preview";
        strArrays[146] = "probe";
        strArrays[147] = "proceed";
        strArrays[148] = "prop";
        strArrays[149] = "props";
        strArrays[150] = "p_o";
        strArrays[151] = "p_t";
        strArrays[152] = "query";
        strArrays[153] = "raw";
        strArrays[154] = "reason";
        strArrays[155] = "receipt";
        strArrays[156] = "receipt_acks";
        strArrays[157] = "received";
        strArrays[158] = "registration";
        strArrays[159] = "relay";
        strArrays[160] = "remote-server-timeout";
        strArrays[161] = "remove";
        strArrays[162] = "Replaced by new connection";
        strArrays[163] = "request";
        strArrays[164] = "required";
        strArrays[165] = "resource";
        strArrays[166] = "resource-constraint";
        strArrays[167] = "response";
        strArrays[168] = "result";
        strArrays[169] = "retry";
        strArrays[170] = "rim";
        strArrays[171] = "s.whatsapp.net";
        strArrays[172] = "s.us";
        strArrays[173] = "seconds";
        strArrays[174] = "server";
        strArrays[175] = "server-error";
        strArrays[176] = "service-unavailable";
        strArrays[177] = "set";
        strArrays[178] = "show";
        strArrays[179] = "sid";
        strArrays[180] = "silent";
        strArrays[181] = "sound";
        strArrays[182] = "stamp";
        strArrays[183] = "unsubscribe";
        strArrays[184] = "stat";
        strArrays[185] = "status";
        strArrays[186] = "stream:error";
        strArrays[187] = "stream:features";
        strArrays[188] = "subject";
        strArrays[189] = "subscribe";
        strArrays[190] = "success";
        strArrays[191] = "sync";
        strArrays[192] = "system-shutdown";
        strArrays[193] = "s_o";
        strArrays[194] = "s_t";
        strArrays[195] = "t";
        strArrays[196] = "text";
        strArrays[197] = "timeout";
        strArrays[198] = "TimePassing.caf";
        strArrays[199] = "timestamp";
        strArrays[200] = "to";
        strArrays[201] = "Tri-tone.caf";
        strArrays[202] = "true";
        strArrays[203] = "type";
        strArrays[204] = "unavailable";
        strArrays[205] = "uri";
        strArrays[206] = "url";
        strArrays[207] = "urn:ietf:params:xml:ns:xmpp-sasl";
        strArrays[208] = "urn:ietf:params:xml:ns:xmpp-stanzas";
        strArrays[209] = "urn:ietf:params:xml:ns:xmpp-streams";
        strArrays[210] = "urn:xmpp:delay";
        strArrays[211] = "urn:xmpp:ping";
        strArrays[212] = "urn:xmpp:receipts";
        strArrays[213] = "urn:xmpp:whatsapp";
        strArrays[214] = "urn:xmpp:whatsapp:account";
        strArrays[215] = "urn:xmpp:whatsapp:dirty";
        strArrays[216] = "urn:xmpp:whatsapp:mms";
        strArrays[217] = "urn:xmpp:whatsapp:push";
        strArrays[218] = "user";
        strArrays[219] = "username";
        strArrays[220] = "value";
        strArrays[221] = "vcard";
        strArrays[222] = "version";
        strArrays[223] = "video";
        strArrays[224] = "w";
        strArrays[225] = "w:g";
        strArrays[226] = "w:p";
        strArrays[227] = "w:p:r";
        strArrays[228] = "w:profile:picture";
        strArrays[229] = "wait";
        strArrays[230] = "x";
        strArrays[231] = "xml-not-well-formed";
        strArrays[232] = "xmlns";
        strArrays[233] = "xmlns:stream";
        strArrays[234] = "Xylophone.caf";
        strArrays[235] = "1";
        strArrays[236] = "WAUTH-1";

beldar commented 11 years ago

Tested with this dictionary and no luck, I think the magic bytes are still kicking...

Zanooda commented 11 years ago

After reading the decompiled WP7-app I found some references to RC4-encryption. I think it was not using this form of encryption before. It is also now using WAUTH-1 as "mechanism"-type and an auth-blob when logging in. This auth-blob is generated from nonce + a UNIX-timestamp, afterwards it gets encoded via RC4. So I guess we cannot use static magic bytes anymore and have to read them from the stream coming from server. I don't want to post decompiled source here because I am afraid of possible legal trouble with authorities (wasn't decompiling illegal?), but I can give you a hint where to find those places in source.

beldar commented 11 years ago

@Zanooda they were using RC4 before, for more info: http://pastebin.com/g9UPuviz (line 45+)