Whatsapp db decrypting failure although key file is obtained

(@nsumer)
Posts: 20
Eminent Member
Topic starter
 

Hello all,
I am working on a case. A physical image of the mobile phone is available, and there are WhatsApp backup files on the SD card. But WhatsApp is not installed after the factory reset, so the WhatsApp key file is not available.

What I did is that I got a warrant from the court in order to use the suspect's SIM card to activate WhatsApp. I installed WhatsApp in the Nox emulator, inserted the SIM into my phone, ran WhatsApp in the emulator, and activated WhatsApp using the SMS which came to my phone. Everything was fine. I located the WhatsApp key file and exported it to my PC from the Nox emulator.
The next step was decrypting the WhatsApp backup file (crypt12) using the obtained key file.

I tried Andriller to decrypt the last backup file using that key file. Andriller failed with the following:

"WhatsAppCrypt msgstore.db.crypt12 Error -3 while decompressing data incorrect header check"

Then I found the following Python script; it failed too, saying:

"Key file mismatch or crypt12 file is corrupt"

After that I decided to use WhatsApp itself inside the emulator. I copied the WhatsApp backup file into the appropriate directory inside the emulator. I uninstalled and reinstalled WhatsApp and activated it using the SMS code. WhatsApp located the backup and loaded it. The chats were decrypted correctly.

The job is done. But I want to ask a question just in order to get rid of my curiosity.
Why are Andriller and the Python script not successful? What can be wrong with the key file or the crypt12 backup file?
The backup files are from 2016. I suspected that the key or crypt12 file formats could have changed. But I could not verify that, because old WhatsApp versions (released in early 2017) did not run inside the emulator, complaining about a wrong date/time.

Regards.

```python
#!C:\python\Python37\python.exe

from Crypto.Cipher import AES  # provided by the PyCryptodome package
import os
import sys
import zlib

def keyfile(kf):
    # Load the 32-byte token (t1) and the 32-byte AES key from the key file.
    global t1, key
    if not os.path.isfile(kf):
        sys.exit('The specified input key file does not exist.')
    elif os.path.getsize(kf) != 158:
        sys.exit('The specified input key file is invalid.')
    with open(kf, 'rb') as keyfile:
        keyfile.seek(30)
        t1 = keyfile.read(32)
        keyfile.seek(126)
        key = keyfile.read(32)
    return True

def decrypt12(cf, of):
    # Compare the header token with the key file, then decrypt and inflate.
    global t2, iv
    if not os.path.isfile(cf):
        sys.exit('The specified input crypt12 file does not exist.')
    tf = cf + '.tmp'
    with open(cf, 'rb') as crypt12:
        crypt12.seek(3)
        t2 = crypt12.read(32)
        if t1 != t2:
            sys.exit('Key file mismatch or crypt12 file is corrupt.')
        crypt12.seek(51)
        iv = crypt12.read(16)
        crypt12.seek(67)
        primer(tf, crypt12, 20)
    cipher = AES.new(key, AES.MODE_GCM, nonce=iv)
    with open(tf, 'rb') as body:
        sqlite = zlib.decompress(cipher.decrypt(body.read()))
    with open(of, 'wb') as msgstore:
        msgstore.write(sqlite)
    os.remove(tf)
    return True

def primer(tf, crypt12, sb):
    # Copy the encrypted body to a temp file and cut off the sb-byte footer.
    with open(tf, 'wb') as header:
        header.write(crypt12.read())
    with open(tf, 'rb+') as footer:
        footer.seek(-sb, os.SEEK_END)
        footer.truncate()

def validate(ms):
    # A decrypted msgstore must begin with the SQLite magic string.
    with open(ms, 'rb') as msgstore:
        ok = msgstore.read(6).lower() == b'sqlite'
    if ok:
        msg = 'Decryption of crypt12 file was successful.'
    else:
        # Remove the output only after the handle is closed.
        os.remove(ms)
        msg = 'Decryption of crypt12 file has failed.'
    sys.exit(msg)

def main():
    if len(sys.argv) > 2 and len(sys.argv) < 5:
        if len(sys.argv) == 3:
            outfile = 'msgstore.db'
        else:
            outfile = sys.argv[3]
        if keyfile(sys.argv[1]) and decrypt12(sys.argv[2], outfile):
            validate(outfile)
    else:
        print('\nWhatsApp Crypt12 Database Decrypter' + '\n')
        print('\tUsage: python '+str(sys.argv[0])+' key msgstore.db.crypt12 msgstore.db\n')

if __name__ == "__main__":
    main()
```

 
Posted : 02/11/2019 12:43 am
(@droopy)
Posts: 136
Estimable Member
 

The key file is generated based on SIM information and some hardware parameters. After you install normal WhatsApp and re-register, the new key should be created, as it uses a timestamp.

Probably your emulator environment was not correctly set up.

 
Posted : 03/11/2019 1:37 pm
(@nsumer)
Posts: 20
Eminent Member
Topic starter
 

I do not think so, because WhatsApp running inside the emulator is able to decrypt the backup file. It must use the same key.

 
Posted : 03/11/2019 2:16 pm
nightworker
(@nightworker)
Posts: 134
Estimable Member
 

If you have the key, you acquired a physical image of the phone. Maybe the key has changed: reinstall, big update, etc. Recover the key artifact from the physical image.

 
Posted : 04/11/2019 9:55 am
(@tobiasj)
Posts: 22
Eminent Member
 

I believe we have seen this as well where WhatsApp, for inexplicable reasons, changes/updates the key so that the key obtained from the extraction is not the current key for the backup. That's likely why it worked in your emulator as you essentially recreated the key but why the original key obtained was no longer valid is a bit of a mystery for sure.

 
Posted : 04/11/2019 12:15 pm
(@marko_kruz)
Posts: 1
New Member
 

I have the same question. I use the Nox emulator to install WhatsApp and load my WhatsApp account using the code I receive by SMS message. Once the database is installed and I can see all my messages, I restart the Nox emulator as root to get the key file and the crypt14 database. I copy them to my PC, and using WhatsApp Viewer I get the error message "Decryption failed. Error during unzipping (inflate). In 99% this means you tried to use an invalid key". Does someone know if the key file is somehow changed when it is copied to a Windows directory?

 
Posted : 27/02/2023 7:07 pm
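
A pre-decryption check for the questions raised in this thread, added here as an example and not code from any poster or tool: it hashes the key file (so the copy on the PC can be compared with a hash taken inside the emulator), checks the 158-byte size, and compares the key file token with the crypt12 header token. The offsets are the crypt12 ones from the script in the first post; the function names and the sample data are constructed for illustration.

```python
import hashlib

# Offsets and sizes as used by the decrypter script posted in this thread.
KEY_SIZE, KEY_TOKEN_OFF = 158, 30
C12_TOKEN_OFF, C12_DATA_OFF, C12_FOOTER = 3, 67, 20
TOKEN_LEN = 32


def zlib_header_ok(data: bytes) -> bool:
    """True if the first two bytes form a valid zlib header (RFC 1950)."""
    if len(data) < 2:
        return False
    cmf, flg = data[0], data[1]
    return (cmf & 0x0F) == 8 and (cmf >> 4) <= 7 and ((cmf << 8) | flg) % 31 == 0


def diagnose(key_blob: bytes, c12_blob: bytes) -> dict:
    """Report why a key file and a crypt12 file may not go together."""
    report = {
        "key_sha256": hashlib.sha256(key_blob).hexdigest(),
        "key_size_ok": len(key_blob) == KEY_SIZE,
        "c12_size_ok": len(c12_blob) > C12_DATA_OFF + C12_FOOTER,
        "token_match": None,  # stays None when a size check already failed
    }
    if not report["key_size_ok"]:
        report["verdict"] = "key file is not 158 bytes (altered or truncated copy)"
    elif not report["c12_size_ok"]:
        report["verdict"] = "crypt12 file too short for header, data and footer"
    else:
        t1 = key_blob[KEY_TOKEN_OFF:KEY_TOKEN_OFF + TOKEN_LEN]
        t2 = c12_blob[C12_TOKEN_OFF:C12_TOKEN_OFF + TOKEN_LEN]
        report["token_match"] = t1 == t2
        report["verdict"] = ("key file token matches the backup header" if t1 == t2
                             else "key file token differs from the backup header")
    return report


def make_sample(token: bytes):
    """Constructed data: a 158-byte key blob and a crypt12-shaped blob."""
    key_blob = bytes(KEY_TOKEN_OFF) + token + bytes(KEY_SIZE - KEY_TOKEN_OFF - TOKEN_LEN)
    header = b"\x00\x01\x02" + token + bytes(C12_DATA_OFF - C12_TOKEN_OFF - TOKEN_LEN)
    return key_blob, header + b"\xAA" * 64 + bytes(C12_FOOTER)


if __name__ == "__main__":
    key_a, c12_a = make_sample(b"A" * 32)
    key_b, _ = make_sample(b"B" * 32)
    for name, key in (("matching", key_a), ("other", key_b), ("truncated", key_a[:-1])):
        print(name, "->", diagnose(key, c12_a)["verdict"])
    print(zlib_header_ok(b"\x78\x9c"), zlib_header_ok(b"\x13\x37"))
```

`zlib_header_ok` is meant for the bytes that come out of the AES step: when they do not start with a valid zlib header, inflating them fails with the kind of header error quoted in the first post.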