Join Us!

Whatsapp db decrypt...
 
Notifications
Clear all

Whatsapp db decrypting failure although key file is obtained  

  RSS
nsumer
(@nsumer)
New Member

Hello all,
I am working on a case. Physical image of the mobile phone is available, there are whatsapp backup files on the sdcard. But whatsapp is not installed after factory reset. So whatsapp key file is not available.

What I did is that I got warrant from the court in order to use suspect's SIM card to activate whatsapp. I installed whatsapp in Nox emulator, inserted SIM into my phone, run whatsapp in the emulator, activated whatsapp using SMS which came to my phone. Everything was fine. I located the whatsapp key file and exported to my pc from Nox emulator.
Next step was the decrypting whatsapp backup file (crypt12) using the obtained key file.

I tried the Andriller to decrypt the last backup file using that key file. Andriller failed by saying following

"WhatsAppCrypt msgstore.db.crypt12 Error -3 while decompressing data incorrect header check"

Then I found the following python script, it failed too by saying

"Key file mismatch or crypt12 file is corrupt"

After that I decided to use whatsapp itself inside the emulator.I copied whatsapp backup file in the appropriate directory inside the emulator. I uninstalled and installed whatsapp, activated it using SMS code. Whatsapp located the backup and loaded it. Chats are decrypted correctly.

The job is done. But I want to ask a question just in order to get rid of my curiosity.
Why are Andriller and python script not successful? What can be wrong with the key file or crypt12 backup file?
Backup files are from 2016. I suspected that key or crypt12 file formats could have changed. But I could not verify that because old whatsapp versions (released in early 2017) did not run inside the emulator by complaining wrong date time.

Regards.

#!C\python\Python37\python.exe

from Crypto.Cipher import AES
import os
import sys
import zlib

def keyfile(kf)
global t1, key
if os.path.isfile(kf) == False
quit('The specified input key file does not exist.')
elif os.path.getsize(kf) != 158
quit('The specified input key file is invalid.')
with open(kf, 'rb') as keyfile
keyfile.seek(30)
t1 = keyfile.read(32)
keyfile.seek(126)
key = keyfile.read(32)
return True

def decrypt12(cf, of)
global t2, iv
if os.path.isfile(cf) == False
quit('The specified input crypt12 file does not exist.')
tf = cf+'.tmp'
with open(cf, 'rb') as crypt12
crypt12.seek(3)
t2 = crypt12.read(32)
if t1 != t2
quit('Key file mismatch or crypt12 file is corrupt.')
crypt12.seek(51)
iv = crypt12.read(16)
crypt12.seek(67)
primer(tf, crypt12, 20)
cipher = AES.new(key, AES.MODE_GCM, iv)
sqlite = zlib.decompress(cipher.decrypt(open(tf, 'rb').read()))
with open(of, 'wb') as msgstore
msgstore.write(sqlite)
msgstore.close()
os.remove(tf)
return True

def primer(tf, crypt12, sb)
with open(tf, 'wb') as header
header.write(crypt12.read())
header.close()
with open(tf, 'rb+') as footer
footer.seek(-sb, os.SEEK_END)
footer.truncate()
footer.close()

def validate(ms)
with open(ms, 'rb') as msgstore
if msgstore.read(6).decode('ascii').lower() != 'sqlite'
os.remove(ms)
msg = 'Decryption of crypt12 file has failed.'
else
msg = 'Decryption of crypt12 file was successful.'
msgstore.close()
quit(msg)

def main()
if len(sys.argv) > 2 and len(sys.argv) < 5
if len(sys.argv) == 3
outfile = 'msgstore.db'
else
outfile = sys.argv[3]
if keyfile(sys.argv[1]) and decrypt12(sys.argv[2], outfile)
validate(outfile)
else
print('\nWhatsApp Crypt12 Database Decrypter' + '\n')
print('\tUsage python '+str(sys.argv[0])+' key msgstore.db.crypt12 msgstore.db\n')

if __name__ == "__main__"
main()

Quote
Posted : 02/11/2019 12:43 am
droopy
(@droopy)
Active Member

Key file is generated based on SIM information and some hardware parameters. After you install normal whatsapp and re-register, the new key should be created as uses timestamp.

Probably your emulator environment was not correctly setup.

ReplyQuote
Posted : 03/11/2019 1:37 pm
nsumer
(@nsumer)
New Member

I do not think so. Because WhatsApp running inside the emulator is able to decrypt backup file. It must use the same key.

ReplyQuote
Posted : 03/11/2019 2:16 pm
nightworker
(@nightworker)
Active Member

if you have key you acquired physical image of the phone maybe key has changed reinstall big update or etc recover key artifact from physical image

ReplyQuote
Posted : 04/11/2019 9:55 am
TobiasJ
(@tobiasj)
New Member

I believe we have seen this as well where WhatsApp, for inexplicable reasons, changes/updates the key so that the key obtained from the extraction is not the current key for the backup. That's likely why it worked in your emulator as you essentially recreated the key but why the original key obtained was no longer valid is a bit of a mystery for sure.

ReplyQuote
Posted : 04/11/2019 12:15 pm
Share: