venomous0x / WhatsAPI

Interface to WhatsApp Messenger

Extracting WhatsApp passwords - Modded apk [Android only] #895

Open mgp25 opened 9 years ago

mgp25 commented 9 years ago


OUTDATED: Try this instead #983

I have modified the WhatsApp apk in order to extract the password. The password will show up as hex bytes in logcat.

Important: follow the steps!

1. Backup your app and data
2. Uninstall WhatsApp
3. Install modded apk
4. Do NOT open WhatsApp. Now restore the WhatsApp backup we created in step 1. Make sure you "Restore Data" and DO NOT RESTORE APP
5. Start app, and see logcat.
6. Search in log for: WhatsApp pw (hex bytes)

Remember: the password is in hex bytes, you will need to base64 encode it. You can use this site.

Once you have got the password, you can safely restore the app.

More info: Titanium Backup ★ root - Others may work too, be sure to ONLY restore data in step 4.

aLogcat

How did I do it?

Debugging the apk, so I just edited the smali files. In each version the classes change because of ProGuard. In this one it was the zw file.

Using IGLogger

In this file I added 2 simple lines:

    const-string v3, "WhatsApp pw (hex bytes)"                      # log tag
    invoke-static {v3, v0}, Liglogger;->d(Ljava/lang/String;[B)I   # v0 holds the password byte[], written to logcat

How to decrypt pw file

The code from issue 234 in yowsup is still working for decrypting the pw file and generating the identity. See here (Python)

Also the java code for decrypting the pw file is below.

Where byte[] s is s1, String id is the me file (string) and byte[] data is the pw file:

    import javax.crypto.Cipher;
    import javax.crypto.Mac;
    import javax.crypto.spec.IvParameterSpec;
    import javax.crypto.spec.SecretKeySpec;

    public static byte[] s1 = { -62, -103, 30, -62, -101, 29, 12, -62, -72, -61, -73, 85, 100, 88, -62, -104, -62, -110, 3, -62, -117, 69, -62, -105, 62, 120, -61, -122, -61, -107 };

    // PBKDF2-HMAC-SHA1 over raw password bytes: the step the original called PKBF2.foo1
    // (same as pbkdf2('sha1', $id, $salt, 16, 16, true) in the PHP below). JCE's
    // PBKDF2WithHmacSHA1 takes a char[] password and would mangle the non-ASCII bytes of s1.
    public static byte[] pbkdf2Sha1(byte[] pw, byte[] salt, int iter, int len) throws Exception {
      Mac mac = Mac.getInstance("HmacSHA1");
      mac.init(new SecretKeySpec(pw, "HmacSHA1"));
      byte[] out = new byte[len];
      for (int i = 1, off = 0; off < len; i++, off += 20) { // one 20-byte HMAC-SHA1 block per round
        mac.update(salt);
        byte[] u = mac.doFinal(new byte[] { (byte) (i >>> 24), (byte) (i >>> 16), (byte) (i >>> 8), (byte) i });
        byte[] t = u.clone();
        for (int j = 1; j < iter; j++) {
          u = mac.doFinal(u);
          for (int k = 0; k < 20; k++) t[k] ^= u[k];
        }
        System.arraycopy(t, 0, out, off, Math.min(20, len - off));
      }
      return out;
    }

    public static byte[] decode(byte[] s, String id, byte[] data) throws Exception {
      byte[] salt = new byte[4];                 // pw[2..6): PBKDF2 salt
      byte[] iv = new byte[16];                  // pw[6..22): AES IV
      byte[] ekey = new byte[data.length - 22];  // pw[22..]: encrypted password
      System.arraycopy(data, 2, salt, 0, 4);
      System.arraycopy(data, 6, iv, 0, 16);
      System.arraycopy(data, 22, ekey, 0, ekey.length);
      byte[] idbytes = id.getBytes();
      byte[] t = new byte[s.length + idbytes.length]; // key material = s1 || id
      System.arraycopy(s, 0, t, 0, s.length);
      System.arraycopy(idbytes, 0, t, s.length, idbytes.length);
      byte[] enck = pbkdf2Sha1(t, salt, 16, 16);
      Cipher cipher = Cipher.getInstance("AES/OFB/NoPadding");
      cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(enck, "AES"), new IvParameterSpec(iv));
      return cipher.doFinal(ekey);
    }

Q: Where is the php code to decrypt the pw file? A: Sorry php lovers, I didn't get the time to write the php code for it.

Is there any way to extract the password for iPhone users?

Yes, I made a script for that and explained everything. See issue #871

How to get the real identity (Only Android users)?

You have to set the classes MD5 data and your classesMd5 (the one you used to register your phone). Credit for this code to @pastoso

[The code needs to be updated] - You can compare it with the yowsup issue code.

As it needs the binary data, you can base64-encode the binary as the latest token.php does. In this example all data is hex encoded.

    $waString = "53160F52030A44C28310C282C29AC28DC28C463A2169295741";
    $noMediaHash = "";   // hex of the pw file contents
    $waPrefix = "636F6D2E7768617473617070";
    $signature = "";     // the long signature hex value, not reproduced here
    $classesMd5 = "";
    $country = "";       // country code, e.g. "34"
    $phone = "";         // phone number without the country code

    $id = hex2bin($waString) . $country . $phone;
    $salt = substr(hex2bin($noMediaHash), 2, 4);              // pw[2..6): PBKDF2 salt
    $key = hash_pbkdf2('sha1', $id, $salt, 16, 16, true);     // 16 iterations, 16 raw bytes
    $iv = substr(hex2bin($noMediaHash), 6, 16);               // pw[6..22): AES IV
    $data = substr(hex2bin($noMediaHash), 22);                // pw[22..]: encrypted password
    // mcrypt was removed from PHP; openssl gives the same AES-128-OFB result
    $aes_secret = openssl_decrypt($data, 'aes-128-ofb', $key, OPENSSL_RAW_DATA, $iv);

How to get classes MD5 data?

Get classes.dex from WhatsApp.apk and you can use @shirioko's tool to get it (Mdash64)

Curiosity

Do you know how WhatsApp checks connectivity?

Easy, it tries to download this: http://hb.whatsapp.net/hb.txt

CODeRUS commented 9 years ago

@mgp25 can you explain $country format in identity code?

mgp25 commented 9 years ago

@CODeRUS example: +34 123456789. I don't remember if it takes '+34' or '34' in newer versions. I will upload some sample code I extracted from the latest versions, might be helpful.

CODeRUS commented 9 years ago

Ah, means it's actually just cc + phone, thanks. Will test this algo in C++ soon (just for fun yet).

Lawgrin commented 9 years ago

@mgp25 Hi man, I've tried this now and I don't seem to get the password out. I backed up the folder on the device called "\Phone\WhatsApp", looked like the data to me. I then uninstalled the app and installed your apk, then replaced the "\Phone\WhatsApp" folder and then launched your app with logcat running (in eclipse - verbose) and nothing.

mgp25 commented 9 years ago

As this is an outdated version I have to update the modded apk to .378. Maybe doing it this weekend or when I have free time. But it's explained anyway above :)

@Lawgrin you can also decrypt your password using the link (python code) I mention above. Or the java code.

Lawgrin commented 9 years ago

@mgp25 I have tried the python code (was my first time looking at python) and I got an output that does not make exact sense. I saw that there were changes required and TBH I got lost in the discussion with all the different tangents that went off.

Also I'm not too keen on rooting the device to get the pw and me files out >.<

mgp25 commented 9 years ago

@Lawgrin Then you have to wait for the new apk, this weekend probably I'll update it. Too much stuff to be done.

Lawgrin commented 9 years ago

@mgp25 I'm kwl to wait. You are doing some kick ass work here. Thanks man. Shout if you need testing, can only really do it when I'm at work, GMT+2. You have my Skype ID.

mgp25 commented 9 years ago

@Lawgrin yes, I will need some testers before posting it here. Send a mail with your contact and we'll keep in touch to update this.

karim090 commented 9 years ago

@mgp25 I can test too, I'm using the API for a WhatsApp switchboard for my clients, so they can start communicating over WhatsApp with my small business.

CircleCurve commented 9 years ago

When I used the modded apk today, I could not get the WhatsApp PW in aLogcat. I have already backed up the original WhatsApp using Titanium Backup ★ root. The WhatsApp version is 2.11.378. I suspected a conflict between the different version and 3.3.3, so I downloaded a modded apk from a website which is 3.3.3. It's a pity that it doesn't show any WhatsApp pw even if I change the version :(

Sorry for my bad English :(

mgp25 commented 9 years ago

@CircleCurve contact me via mail.

CircleCurve commented 9 years ago

@mgp25 contacted :)

peliculap commented 9 years ago

Hi, guys. You all right?

I was following everything until now, but I could not extract the password either... the same thing that CircleCurve tried, with the same results...

Can I help in some way? I really need my password... :-(

Thanks...

mgp25 commented 9 years ago

@peliculap try this #983

peliculap commented 9 years ago

Woooowww... Thank you, MGP25! +1! You're really great!! :+1:

CODeRUS commented 9 years ago

@mgp25 in your https://mgp25.com/wa/http_requests.txt there are sim_mcc and sim_mnc, but it was just mnc and mcc params for ages. Was it changed?

mgp25 commented 9 years ago

@CODeRUS Yup, it was recently changed.

CODeRUS commented 9 years ago

@mgp25 I sent you an email about the no_routes issue, please check it asap.

r30r30 commented 9 years ago

Thank you, MGP25

yankee42 commented 9 years ago

Thanks, MGP25. That worked perfectly. I flattered you for that. Claim it if you want to: https://flattr.com/thing/3766845

losuper commented 9 years ago

Hi everyone, I'm trying to decrypt the pw file using the java decode method written above but I don't know how to access the PKBF2.foo1(t, b1, 16, 16); method.

Anyone knows how? Thank you

shishirtanwar commented 9 years ago

I am also going for the JAVA method since the others are not working for me. But I can't access the class 'PKBF2' for this PKBF2.foo1(t, b1, 16, 16);

It would be a great help if someone could provide the source code for this class.

Thanks in Advance!

mgp25 commented 9 years ago

Fake, don't download what @kingcraig has posted

shirioko commented 9 years ago

* poof * It's gone

AzizYosofi commented 9 years ago

Cannot access the PKBF2.foo1(t, b1, 16, 16), any way to do that?

CODeRUS commented 9 years ago

lolwhat, mwahahahaha!

rezanadimi72 commented 8 years ago

First, your mobile should be rooted. Just use the Password Extractor: first log in to WhatsApp, then open Password Extractor and click extract. Finished! APK download from http://www.mediafire.com/download/i25i4p6fbw34kkp/Password_Extractor.apk

WHAnonymous commented 8 years ago

Better use this: https://www.mgp25.com/downloads/pw.apk

@rezanadimi72 Better use original sources

janke184 commented 8 years ago

Hi!

Where is Class PKBF2 and foo1 method?

Regards

WHAnonymous commented 8 years ago

@janke184 everything is explained here: https://github.com/WHAnonymous/Chat-API

davivenan commented 5 years ago

My friends, first of all you are very good at programming, but I do not know anything, sorry. But I'm really in need of help from you: I create WhatsApp channels for company campaigns here in Brazil, but I do this manually with a SIM card. Could anyone help me to create WhatsApp numbers without an SMS code? Another detail: does someone know how to create WhatsApp channels and how to get away from WhatsApp server IP tracking? skype: davivenan1