
ddz / whatsapp-media-decrypt, Hacker News

                    

        

A recent high-profile forensic investigation reported that “due to end-to-end encryption employed by WhatsApp, it is virtually impossible to decrypt the contents of the downloader [.enc file] to determine if it contained any malicious code in addition to the delivered video.”

This project demonstrates how to decrypt encrypted media files downloaded from WhatsApp.

Installation

 $ go get github.com/ddz/whatsapp-media-decrypt
 
 

Extract media key from iOS ChatStorage.sqlite

The media key is stored within a protobuf message that is stored hex-encoded in the ZMEDIAKEY column.

 $ sqlite3 ChatStorage.sqlite
 SQLite version 3. 31. 2  -  - 13 : : 59
 Enter ".help" for usage hints.
 sqlite> select ZMEDIAURL, ZVCARDSTRING, hex(ZMEDIAKEY) from ZWAMEDIAITEM where Z_PK=;
 https://mmg-fna.whatsapp.net/d/f/Atzc5Drr8l7ngis8GmUTMI6vMQNjOU9zGQ2SYRkjwq. enc | video/mp4 | 0A  (A) (B) (DA0CD) (E6DFDE) (F1E2BCE) (C) (C) (BA) A  A) (A1F5AEB2E) (F) (FA) (B) (BB) F  (C) (D8F7F2A) (B) (A5F)
 sqlite> .quit
 
 

Extract media key from Android msgstore.db

 
 $ sqlite3 msgstore.db
 SQLite version 3. 31. 2  -  - 13 : : 59
 Enter ".help" for usage hints.
 sqlite> select message_url, mime_type, hex(media_key) from message_media where message_row_id=;
 https://mmg-fna.whatsapp.net/d/f/AnUpYQ738 rgUBOQRhuwCyNqo_9KGATdmLUq-ghYEx-D9 .enc | video/mp4 |  (F9C1B3BB5E) (D9A) (A5E0ED3D) ABFECA  (D) (C2B) (E) (C)
 sqlite> .quit
 
 

Download Encrypted Media File

 $ curl -O https://mmg-fna.whatsapp.net/d/f/Atzc5Drr8l7ngis8GmUTMI6vMQNjOU9zGQ2SYRkjwq 46. enc
   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                  Dload  Upload   Total   Spent    Left  Speed
 (k) (k 0 0) k 0 -: -: - -: -: - -: -: -  k
 
 

 $ whatsapp-media-decrypt -o Atzc5Drr8l7ngis8GmUTMI6vMQNjOU9zGQ2SYRkjwq 46 .mp4 -t 2 ./Atzc5Drr8l7ngis8GmUTMI6vMQNjOU9zGQ2SYRkjwq  enc 0A  (A) (B) (DA0CD) (E6DFDE) (F1E2BCE) (C) (C) BA  (A) (A1F5AEB2E) (F) FA  B  (BB) (F) (C) (D8F7F2A) (B) (A5F)
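
What the decryption step does with the media key, as an added example that is not the project's own code: the key is expanded with HKDF-SHA256, the file's trailing truncated HMAC is verified, and only then is the AES-256-CBC ciphertext decrypted. The function names, the "WhatsApp Video Keys" info string and the 10-byte MAC length are assumptions taken from the public reverse-engineering work listed under References, not from this page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

func hmacSHA256(key []byte, parts ...[]byte) []byte {
	h := hmac.New(sha256.New, key)
	for _, p := range parts { // MAC over the concatenation of parts
		h.Write(p)
	}
	return h.Sum(nil)
}

// expandMediaKey is HKDF-SHA256 (RFC 5869, zero salt) split into IV, AES key, MAC key.
func expandMediaKey(mediaKey []byte, info string) (iv, encKey, macKey []byte) {
	prk := hmacSHA256(make([]byte, sha256.Size), mediaKey) // HKDF-Extract
	var okm, t []byte
	for i := byte(1); len(okm) < 80; i++ { // HKDF-Expand
		t = hmacSHA256(prk, t, []byte(info), []byte{i})
		okm = append(okm, t...)
	}
	return okm[:16], okm[16:48], okm[48:80]
}

// DecryptMedia checks the truncated MAC first, then AES-256-CBC decrypts enc.
func DecryptMedia(enc, mediaKey []byte, info string) ([]byte, error) {
	iv, encKey, macKey := expandMediaKey(mediaKey, info)
	n := len(enc) - 10 // the last 10 bytes are HMAC-SHA256(macKey, iv || ciphertext)[:10]
	if n < aes.BlockSize || n%aes.BlockSize != 0 ||
		!hmac.Equal(hmacSHA256(macKey, iv, enc[:n])[:10], enc[n:]) {
		return nil, errors.New("bad length or MAC mismatch: wrong key or modified file")
	}
	block, _ := aes.NewCipher(encKey) // cannot fail: encKey is always 32 bytes
	pt := make([]byte, n)
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, enc[:n])
	if pad := int(pt[n-1]); pad >= 1 && pad <= aes.BlockSize { // PKCS#7
		return pt[:n-pad], nil
	}
	return nil, errors.New("bad padding")
}

func main() { // constructed all-zero input: rejected by the MAC check
	fmt.Println(DecryptMedia(make([]byte, 26), make([]byte, 32), "WhatsApp Video Keys"))
}
```

For forensic work the MAC check is the useful part: a mismatch means either the media key does not belong to this file or the downloaded .enc blob was altered after it was encrypted.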
 
 

FAQ

 

No. WhatsApp's encryption is end-to-end, which ensures that only the sender and recipient can read the message, and especially not any servers (or attackers!) in between them. This uses a cryptographic key stored on one of the endpoints to decrypt a media attachment in the same way that the WhatsApp app does to display it on the screen.

Does this mean my WhatsApp media files are not encrypted at rest?

No. WhatsApp uses iOS Data Protection to encrypt user data files (including ChatStorage.sqlite) using the device-specific and unrecoverable hardware UID key as well as a key derived from the user's passcode. It may not be decrypted without physical access to the specific iOS device that created the file as well as knowledge of the user's passcode.

Can you help me decrypt someone's WhatsApp?

No.

References

Engelke, Lucas. go-whatsapp

Graham, Robert. How to decrypt WhatsApp end-to-end media files

Marczak, Bill. "Some Directions for Further Investigation in the Bezos Hack Case"

Sigalor. WhatsApp Web Reverse Engineered

WhatsApp. WhatsApp Encryption Overview
