WhatsApp Crypt14 Database Decrypter Decrypts WhatsApp files, given the key file. The output result is a SQLite database that you can read. This is the only thing this script does. Those who are looking for a complete suite for WhatsApp foresincs, check out whapa Version is here! Since the file format keeps changing, I decided to completely reimplement the script. It should be much more efficient and "future proof" now, as it tries to automatically find the various offsets instead of just failing, does not create a temp file and does not load the encrypted DB in memory. It still needs improvements, but it is ready for release Where do I get the key? On rooted Android, you can read /data/data/ Is it not our job to tell you how to get the key file. Support will not given for this. Last tested version don't expect this to be updated Stable Beta Not working / crash / etc Please open an issue and attach Output of the program both with and without force Hexdump of keyfile without the last 32 bytes Hexdump of first 512 bytes of encrypted DB Please also report if your offsets are too far +-5 from the default ones, which are t1 offset 15 IV offset 67 Data offset 190 or 191 Changing the defaults makes the program more efficient. To do / planned Code reorganization single file or more files? Code refactoring Better parse unknown fields of DB and marriage key of keyfile Not planned / wontfix Support for encrypting supporting older encryption formats Usage [-h] [-f] [keyfile] [encrypted] [decrypted] Decrypts WhatsApp files positional arguments keyfile The WhatsApp keyfile encrypted The encrypted crypt14 database decrypted The decrypted database options -h, -help show this help message and exit -f, -force Skip safety checks If decrypt fails and you use -force, the program will 99% just spit more errors and crash. However, trying does not cost anything. Requirements Python developed with pycriptodome Use python -m pip install -r Or python -m pip install pycryptodome Credits Authors TripCode & ElDavoo & DjEdu28Displayand read chat logs from the WhatsApp mobile application on a personal computer. The utility accesses the Android and extracts logs from crypt5, crypt7, crypt8, and crypt12 versions of the database. Creating a local offline copy of a chat is possible. WhatsApp Viewer 1.9 is free to download from our software library. The WhatsApp backup conversation files are now saved with the .crypt12 extension. From crypt9, they seem to be using a modified version of Spongy Castle – a cryptography API library for the findings below are based on reverse engineering work done on WhatCrypt and Omni-Crypt. I would like to highlight that IGLogger proved to be a very useful tool when it came to smali code debugging. Extract Key File To decrypt the crypt12 files, you will first need the key file. The key file stores the encryption key, K. WhatsApp stores the key file in a secure location /data/data/ If your phone is rooted, extracting this file is easy. I will not go through the steps again, as it’s already mentioned in the crypt8 decryption article. If your phone is not rooted, refer to instructions from WhatCrypt and Omni-Crypt for details on extracting the key file. The idea is to install an older version of WhatsApp, where Android ADB backup was still working and extract the key file from the backup. Extract crypt12 Backup File Pull the encrypted WhatsApp messages file from your phone using ADB. $ adb pull /sdcard/WhatsApp/Databases/ Decryption Keys This section is just for your information and you can skip this section. The encryption method being used is AES with a key K length of 256 bits and an initialisation vector IV size of 128 bits. The 256-bit AES key is saved from offset 0x7E till 0x9D in the file. Offsets start from 0x00. You can extract the AES key with hexdump and assign the value to variable $k. $ k=$hexdump -ve '2/1 "%02x"' key cut -b 253-316 The $k variable will hold a 64-digit hexadecimal value in ASCII that is actually 256 bits in length. The IV or the initialisation vector is saved from offset 0x33 till 0x42 in the crypt12 file. The IV value will be different for every crypt12 file. $ iv=$hexdump -n 67 -ve '2/1 "%02x"' cut -b 103-134 The K and IV extraction method is similar to what we have done for crypt8 files before. Strip Header / Footer in crypt12 File Again, this section is just for your information and you can skip this section. Before we start the decryption process, we will need to strip the 67 byte header and 20 byte footer from the crypt12 file. $ dd if= of= ibs=67 skip=1$ truncate -s -20 The above dd command will strip the the first 67 bytes from the crypt12 file and save it to a file with extension The truncate command will strip the last 20 bytes from the crypt12 file. As the WhatsApp AES cryptography API library seems to be a modified version, we will no longer be able to use openssl to decrypt the crypt12 file. I have yet to determine what has been modified. To decrypt crypt12 files, I have written a simple Java program that will use the modified cryptography API library instead. For the cryptography API library, I have extracted the modified Spongy Castle cryptography class files from the Omni-Crypt APK file using dex2jar. You can find the Java program and crypto library over here at GitLab. The Java program will create 3 output files – encrypted file with header and footer stripped. – decrypted file in zlib format. – decrypted sqlite3 database file. Below is how you can compile and run the Java program. 12345678910111213141516171819202122232425262728293031323334353637383940 $ git clone cd whatsapp-crypt12/$ javac -classpath "lib/ cp ../ .$ cp ../ .$ java -cp "lib/ crypt12KXXXXXXXXXXIVYYYYcreating encrypted file with header/footer stripped zlib output file sqlite3 output file ls -ltotal 136724-rw-r-r- 1 ibrahim staff 4339 Oct 9 1605 1 ibrahim staff 5459 Oct 9 1605 1 ibrahim staff 158 Oct 9 1605 keydrwxr-xr-x 2 ibrahim staff 4096 Oct 9 1605 lib-rw-r-r- 1 ibrahim staff 1089 Oct 9 1605 LICENSE-rw-r-r- 1 ibrahim staff 62692352 Oct 9 1606 1 ibrahim staff 25757610 Oct 9 1605 1 ibrahim staff 25757523 Oct 9 1605 1 ibrahim staff 25757507 Oct 9 1606 1 ibrahim staff 1376 Oct 9 1605 file * compiled Java class data, version Java C source, ASCII textkey Java serialization data, version 5lib SQLite database, user version raw G3 data, zlib compressed data Final Words To use the Java decryption tool, you will need to use OpenJDK. Oracle require JCE Provider libraries to be signed. OpenJDK does not have this requirement. If you try running the Java program on Oracle JDK, you will most likely get the following exception. Exception in thread "main" JCE cannot authenticate the provider SC There are some workarounds to bypass the error, but it has not worked for me so far. Decryption failed when using the modified cryptography API library from WhatsApp and WhatCrypt. Only Omni-Crypt library is working. I have yet to determine the reason for this. If you have any further information on this, leave a = { interested_inunix, linux, android, open_source, reverse_engineering; codingc, shell, php, python, java, javascript, nodejs, react; plays_onxbox, ps4; linux_desktop_usertrue; } Navigateto outside WhatsApp Databases Folder and paste msgstore.db.crypt12 File. Note: Paste the Backup File to the Root of SD Card or Device Storage. 6.Next, connect your Phone to computer. 7. On your computer, navigate to Phone > Card/Device and copy msgstore.db.crypt12 file to Desktop. The above file (msgstore.db.crypt12) contains the Name already in use A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch? 1 branch 0 tags Code Use Git or checkout with SVN using the web URL. Open with GitHub Desktop Download ZIP Latest commit Files Permalink Failed to load latest commit information. Type Name Latest commit message Commit time Crypt12 Decrypt Decrypt Whatsapp crypt12 sqlite database files Crypt12 algorithm AES GCM mode encryption using 128 bit block size and 16 bytes IV nonce key file must be 158 byte long only last 32bytes represent the key crypt12 file includes 67 byte header and 20 byte trailer which needs to be removed the resulted plain bytes need to be decompressed in order to obtain the final SQLite .db file for more information you can check A Systems Approach to Cyber Security Proceedings of the 2nd Singapore Cyber-Security R&D Conference SG-CRC 2017 Usage example Ensure you have the key file key and crypt12 file in the same directory with the go entrypoint. You can use the existing key and msgstore files in the repo for testing. Run using GO Or run Windows executable Otherwise use the necessery arguments go run -h Usage of -crypt12file string crypt12 file path default " -keyfile string decryption key file path default "key" -outputfile string decrypted output file path default " Build go get go build crypt12-decrypt -> built with go version
I want to decrypt in my non-rooted android phone. I tried multiple steps using adb but nothing worked run-as adb backup How can I do so? Is there any way to backup full android to a file on laptop and extract key from it? Please suggest.
Iam doing WhatsApp DB Extraction task for an experiment based demo application for my team. I have searched on this forum and have found a helpful link Here. It logs as success but the result file is not accessible by Sqlite browser Below is Some code I usedAnswer The DB.Crypt file will be decrypt only if it finds its encryption key, which was left hidden on your phone memory. By time the key value changes, and the Crypt file also. So, if your file is recent, and was in your own mobile only, and it can be verify by the mobile number (sim) your ph .
whatsapp database msgstore db crypt12
