Dumping WeChat chat history on macOS

Requirement:
Find the encryption algorithm used for WeChat message backups and implement a way to decrypt them

Currently suspected to live in MMChatLogProtoHandler; still to be debugged
This class has -[MMChatLogProtoHandler initWithKey:AndShouldCRC:], and the key appears to come from the device. The method is called from the backup-logic related code, so it is the prime suspect


Trying to debug with cycript

Last login: Sun May 28 04:49:44 on ttys000
[~] cycript -p WeChat                                                          
dlopen(/usr/local/bin/Cycript.lib/libcycript-sys.dylib, 5): no suitable image found.  Did find:
	file system sandbox blocked open() of '/usr/local/bin/Cycript.lib/libcycript-sys.dylib'
*** _assert(status == 0):../Inject.cpp(143):InjectLibrary

Solution: use the combo of restore_symbol and codesign --remove-signature
After that it attaches and debugs normally

Set a breakpoint in the method mentioned above and extracted the encryption key @"你猜猜看我的key是啥"
Initialized the object with that key and tried calling -[MMChatLogProtoHandler decryptData:] directly on Backup.db. Did not work.
So I searched for the string constant Backup.db and walked the cross-reference chain upwards, landing on -[MMChatBackupIndexDB createDataBase]
In this method there is a suspicious call


The way service_key is obtained here matches the call site of -[MMChatLogProtoHandler initWithKey:AndShouldCRC:] described above, so it can be taken to be the same key

Searching for initWithPath:withEncryptKey: leads to the WCDataBase class, so I initialized the object manually

Looking at the WCDataBase header file, one method can be found:
-[WCDataBase getTable:withClass:]
Searching for callers of this method, taking -[MMChatBackupIndexDB p_getName2IDTable] as an example:

After trying that call the output was correct, which proves the current approach works

Finally, searching the pragma string constants inside the binary shows that WeChat uses sqlcipher; the cipher page size and the key are known from the analysis above.
With those the database decrypts normally

TODO: study the algorithm for the server key so the backup can be decrypted offline

Decrypting the message index and media
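Before handing Backup.db to the sqlcipher shell it is worth confirming, offline and without decrypting anything, that the file really is SQLCipher-formatted and that the recovered key and page size line up with it. The check below is an added example written for this thread, not code from the original post or from WeChat: it detects the missing SQLite magic (SQLCipher keeps a 16-byte salt there instead), derives the key and HMAC key the way SQLCipher does from a passphrase, and verifies the per-page HMAC that sits in the reserved area at the end of page 1. The parameters are the SQLCipher 3 defaults (PBKDF2-HMAC-SHA1, 64000 iterations, 1024-byte pages, HMAC-SHA1) and are an assumption; the thread does not state WeChat's actual values, so pass the page size and iteration count you recovered from the binary. The sample database is constructed inline and only mimics the page layout, no AES is involved.

```python
"""Offline structural check for a SQLCipher-encrypted SQLite file (added example).

Assumes SQLCipher 3 defaults; real parameters must come from the app binary.
"""
import hashlib
import hmac
import struct

SQLITE_MAGIC = b"SQLite format 3\x00"   # plain SQLite header; SQLCipher replaces it with a salt
SALT_SZ = 16
IV_SZ = 16
HMAC_SALT_MASK = 0x3A                   # SQLCipher XORs the salt with this to derive the HMAC salt
FAST_KDF_ITER = 2                       # iterations used for the HMAC-key derivation


def is_plain_sqlite(data: bytes) -> bool:
    """A readable SQLite header means the file is not SQLCipher-encrypted."""
    return data[:16] == SQLITE_MAGIC


def reserve_size(hash_name: str) -> int:
    """Bytes SQLCipher reserves per page: IV + HMAC, rounded up to the AES block size."""
    digest = hashlib.new(hash_name).digest_size
    return ((IV_SZ + digest + 15) // 16) * 16      # 48 for SHA-1, 80 for SHA-512


def derive_keys(passphrase: bytes, salt: bytes, kdf_iter=64000, hash_name="sha1"):
    """PBKDF2 key from the passphrase, then the HMAC key from that key and the masked salt."""
    key = hashlib.pbkdf2_hmac(hash_name, passphrase, salt, kdf_iter, 32)
    hmac_salt = bytes(b ^ HMAC_SALT_MASK for b in salt)
    hmac_key = hashlib.pbkdf2_hmac(hash_name, key, hmac_salt, FAST_KDF_ITER, 32)
    return key, hmac_key


def page_hmac(hmac_key: bytes, ciphertext: bytes, iv: bytes, pgno: int, hash_name: str) -> bytes:
    """SQLCipher MACs ciphertext || IV || page number (little-endian uint32)."""
    mac = hmac.new(hmac_key, ciphertext + iv, hash_name)
    mac.update(struct.pack("<I", pgno))
    return mac.digest()


def verify_page(data: bytes, pgno: int, hmac_key: bytes, page_size=1024, hash_name="sha1") -> bool:
    """Check the stored HMAC of one page; page 1 starts with the plaintext salt."""
    reserve = reserve_size(hash_name)
    start = (pgno - 1) * page_size
    page = data[start:start + page_size]
    if len(page) != page_size:
        return False
    offset = SALT_SZ if pgno == 1 else 0
    ct_end = page_size - reserve
    ciphertext = page[offset:ct_end]
    iv = page[ct_end:ct_end + IV_SZ]
    digest_sz = hashlib.new(hash_name).digest_size
    stored = page[ct_end + IV_SZ:ct_end + IV_SZ + digest_sz]
    return hmac.compare_digest(stored, page_hmac(hmac_key, ciphertext, iv, pgno, hash_name))


def check_database(data: bytes, passphrase: bytes, page_size=1024, kdf_iter=64000, hash_name="sha1"):
    """Return (looks_encrypted, page1_hmac_ok) for a candidate key and page size."""
    if is_plain_sqlite(data):
        return False, False
    salt = data[:SALT_SZ]
    _, hmac_key = derive_keys(passphrase, salt, kdf_iter, hash_name)
    return True, verify_page(data, 1, hmac_key, page_size, hash_name)


def build_sample_db(passphrase: bytes, page_size=1024, kdf_iter=64000, hash_name="sha1", seed=b"demo"):
    """Constructed stand-in for Backup.db: deterministic salt, filler 'ciphertext' and a
    correctly laid-out reserve area (IV, HMAC, zero padding). Layout only, not real AES output."""
    reserve = reserve_size(hash_name)
    salt = hashlib.sha256(seed + b"salt").digest()[:SALT_SZ]
    iv = hashlib.sha256(seed + b"iv").digest()[:IV_SZ]
    ct_len = page_size - SALT_SZ - reserve
    ciphertext = (hashlib.sha256(seed + b"ct").digest() * (ct_len // 32 + 1))[:ct_len]
    _, hmac_key = derive_keys(passphrase, salt, kdf_iter, hash_name)
    tag = page_hmac(hmac_key, ciphertext, iv, 1, hash_name)
    reserve_area = iv + tag
    reserve_area += b"\x00" * (reserve - len(reserve_area))
    return salt + ciphertext + reserve_area


if __name__ == "__main__":
    # Usage on a real file: check_database(open("Backup.db", "rb").read(), key.encode(), page_size)
    sample = build_sample_db(b"passphrase")
    print(check_database(sample, b"passphrase"))   # (True, True)
    print(check_database(sample, b"wrong key"))    # (True, False)
```

A mismatch on page 1 with the right key usually means the wrong page size or KDF settings rather than a wrong key, which is exactly the ambiguity the thread ran into before the pragma strings were found; try the other cipher_page_size candidates before doubting the key.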

The macOS version isn't even packed, while the Windows version has VMP on it

Is the database the OP decrypted the Backup.db from the backup files? Have you looked into BAK_0_TEXT and BAK_0_MEDIA at all?

The person I wanted to dump the chat history for is no longer around, so I didn't continue with the rest

But my personal feeling is that it is protocol buffers

Bro, could I ask whether you can confirm the encryption method for WeChat's BAK_0_TEXT and BAK_0_MEDIA?

After the girl was no longer around I stopped looking. It seems to be Protobuf. The SQL stores an index; extract it and deserialize it into the corresponding objects
I think

Brother, my need is similar to yours. I'd like to ask: is what's stored in msg_0.db the serialized string? To get the complete chat data, do I also need to hook it so that a new db is saved when the UI initializes?

Which of Backup.db, BAK_0_TEXT and BAK_0_MEDIA stores the backed-up chat history? I really want to recover a chat history backed up on my computer with someone who is no longer a friend; I don't really understand debugging WeChat

TEXT, as I recall

Hi! Do you maybe know in the meantime someone who could open and decipher a wechat PC backup set (backup.db etc)? We are really needing help in this… thanks and best wishes

If you have access to the related WeChat account, you can do it quite easily. If not, the key is fetched from the server on a per-account basis AFAICT

Hi! So it means that it's not really possible to open them offline?? However, in this case, we have access to the related WeChat account. We have PC backups (these 5 WeChat files) at different time points with definitively all information in. However, when opening in WeChat restore, the contacts we want to restore are not shown anymore, because WeChat omits automatically those which are deleted on the phone. We didn't know that when we deleted them and would need to recover them, because some important business things are in there… Thus, I was looking for a possibility to open or at least dump them to get some information out of them… many thanks and best wishes

Hello, I've already opened Backup.db, but the chat records should be in BAK_0_TEXT. How do I open BAK_0_TEXT? Specifics would be great, thanks

As I wrote above, the db should just be an index. I didn't research it further

In very old WeChat clients the chat records are not actually deleted even if you "swipe and delete" the chat with a person in the client. In later revisions, once you delete that chat, your chat history is gone