How to decrypt Whatsapp Database File?

15,504

Solution 1

import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import javax.crypto.Cipher;
import javax.crypto.CipherInputStream;
import javax.crypto.spec.SecretKeySpec;
import javax.xml.bind.DatatypeConverter;


public class Crypto {

    public FileInputStream mIn;
    public FileOutputStream mOut;
    public Crypto(String fileIn, String fileOut) {
        try {
                mIn = new FileInputStream(new File(fileIn));
                mOut = new FileOutputStream(new File(fileOut));
                decryptAES(mIn, mOut);
        } catch (Exception e) {
                e.printStackTrace();
        }
    }

    public static void decryptAES(InputStream in, FileOutputStream out) throws Exception {
        final String string = "346a23652a46392b4d73257c67317e352e3372482177652c";
        byte[] hexAsBytes = DatatypeConverter.parseHexBinary(string);

        SecretKeySpec keySpec = new SecretKeySpec(hexAsBytes, "AES");
        Cipher cipher = Cipher.getInstance("AES"); 

        cipher.init(Cipher.DECRYPT_MODE, keySpec);

        in = new CipherInputStream(in, cipher);
        byte[] buffer = new byte[24]; 
        int bytesRead;
        while ((bytesRead = in.read(buffer)) != -1)
        {
            out.write(buffer, 0, bytesRead);
        }

    }


    public static void main(String[] args){    
        Crypto c = new Crypto("C:\\msgstore.db.crypt", "D:\\WhatsappDb");
        System.out.println("Decrypting Done");
    }
}

Solution 2

An updated answer for .crypt12 files:

These are compressed, and then encrypted using AES in GCM mode

Here is some python code showing how:

"""
Example how to decrypt whatsapp msgstore backups with extension .crypt12.
Author: Willem Hengeveld <[email protected]>
"""
from Crypto.Cipher import AES
import zlib
import sys

datafile = keyfile = None

if len(sys.argv)==1:
    print("Usage: decrypt12.py <keyfile> <msgstore.db.crypt12>")
    print("  the key file is commonly found in /data/data/com.whatsapp/files/key")
    print("  the crypt file is commonly found in the directory: /data/media/0/WhatsApp/Databases/")
    exit(1)

for arg in sys.argv[1:]:
    if arg.find('crypt12')>0:
        datafile = arg
    elif arg.find('key')>0:
        keyfile = arg
    else:
        print("unknown arg", arg)

with open(keyfile, "rb") as fh:
   keydata = fh.read()
key = keydata[126:]

with open(datafile, "rb") as fh:
   filedata = fh.read()
iv = filedata[51:67]

aes = AES.new(key, mode=AES.MODE_GCM, nonce=iv)

with open("msg-decrypted.db", "wb") as fh:
    fh.write(zlib.decompress(aes.decrypt(filedata[67:-20])))
Share:
15,504
ali.turan
Author by

ali.turan

Updated on June 04, 2022

Comments

  • ali.turan
    ali.turan about 2 years

    I was trying to decrypt Whatsapp database file (msgstore.db.crypt) with java.

    I found some python code and tried to do same thing with java. Probably its not that hard thing to do but I had some problems with handling decryption key.

    But finally did it. So I wanted to share the code for people who need it.

  • Elliott Frisch
    Elliott Frisch over 10 years
    Why not pass the keySpec to the decrypt routine? That way you only have to instantiate it once for decrypting multiple files.
  • Scary Wombat
    Scary Wombat over 10 years
    System.out.println("Decrypting Done"); - not if it throws an exception.
  • Scary Wombat
    Scary Wombat over 10 years
    also why such s small buffer? Any reason for 24 bytes?
  • ali.turan
    ali.turan over 10 years
    Humm yea you are right its not if it throws an exception but its just a basic type of it. You can easly edit it how u want i think. And nope there is not any spesific reason to use small buffer. I believe using bigger one wont be a problem.
  • Noman
    Noman over 10 years
    @Sir.WaLeK... What is DatatypeConverter ??
  • Sreekumar P
    Sreekumar P over 10 years
    Whatsapp updated their encryption. Now is the file name is "msgstore.db.crypt5" rather than "msgstore.db.crypt".. Is there any new solution for this ?
  • ali.turan
    ali.turan over 10 years
    ah yes i realised that few days ago. But it wont be a problem i think.
  • Tushar Agarwal
    Tushar Agarwal about 10 years
    use "1e39f369e90db33aa73b442bbbb6b0b9" instead of "346a23652a46392b4d73257c67317e352e3372482177652c"
  • ali.turan
    ali.turan about 10 years
    Did they change the key kode ?
  • fikr4n
    fikr4n about 8 years
    What's the difference with crypt8?
  • Robert Siemer
    Robert Siemer about 6 years
    Do you know how to encrypt (i.e. create a .crypt12 file)? What are the header and footer in the encrypted file!?