This post outlines the decryption of the popular WhatsApp Crypt8 database file. To accomplish this we will need a few tools:

  • A PC running either Mac or Windows. For this tutorial, I executed the steps on a Windows 7 system.
  • Cygwin (for Windows-based systems; on a Mac you probably won't need anything else).
  • Basic knowledge of hexdump, openssl, gzip.
  • A rooted Android device.

WhatsApp stores the decryption key at data/data/com.whatsapp/files/key on the phone. Extract this file.

WhatsApp periodically backs up its data to the SD card at sdcard/Whatsapp/Databases/msgstore.db.crypt8. Extract that file as well.

Now, fire up the Cygwin shell and run the following commands in the order given below.

First, extract the AES key and the initialization vector (IV). The -v option stops hexdump from collapsing repeated bytes into a "*", which would shift the cut offsets:

# hexdump -v -e '2/1 "%02x"' key | cut -b 253-316 > aes.txt
# hexdump -v -e '2/1 "%02x"' key | cut -b 221-252 > iv.txt

Now strip the 67-byte header:

# dd if=msgstore.db.crypt8 of=msgstore.db.crypt8.nohdr ibs=67 skip=1

Decrypt to a gzip file. openssl takes -K and -iv as hex strings, not file names, so pass the contents of aes.txt and iv.txt:

# openssl enc -aes-256-cbc -d -nosalt -nopad -bufsize 16384 -in msgstore.db.crypt8.nohdr -K $(cat aes.txt) -iv $(cat iv.txt) > msgstore.gz

Extract from gzip:

# gzip -cdq msgstore.gz > msgstore.db

And you are done. You can now view the file in Sqlite Browser.
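
The same steps as one script with a check after each stage, as an added example that is not part of the original post. The function names are hypothetical, od is used in place of hexdump for portability, and the 158-byte minimum is inferred from the cut offsets above (hex character 316 is byte 158).

```shell
#!/bin/sh
# Added example: function names are hypothetical; od stands in for hexdump.

# hex_slice FILE OFFSET LENGTH: print LENGTH bytes at byte OFFSET as hex
hex_slice() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# The cut ranges in the post count hex characters; as byte offsets they are:
#   IV  = hex chars 221-252 = bytes 110-125 (16 bytes)
#   key = hex chars 253-316 = bytes 126-157 (32 bytes)
crypt8_iv()  { hex_slice "$1" 110 16; }
crypt8_key() { hex_slice "$1" 126 32; }
magic()      { hex_slice "$1" 0 "$2"; }   # first N bytes of FILE as hex

# decrypt_crypt8 KEYFILE BACKUP OUT: returns 0, or 1-5 with a reason on stderr
decrypt_crypt8() {
    keyfile=$1 backup=$2 out=$3
    # the key offsets above reach byte 157, so a shorter file is not a key file
    [ "$(wc -c < "$keyfile")" -ge 158 ] ||
        { echo "key file shorter than 158 bytes" >&2; return 1; }
    body_len=$(( $(wc -c < "$backup") - 67 ))
    # -nopad needs whole 16-byte AES blocks after the 67-byte header
    [ "$body_len" -gt 0 ] && [ $(( body_len % 16 )) -eq 0 ] ||
        { echo "body is not a multiple of 16 bytes" >&2; return 2; }
    tmp=$(mktemp) || return 3
    dd if="$backup" ibs=67 skip=1 2>/dev/null |
        openssl enc -aes-256-cbc -d -nosalt -nopad \
            -K "$(crypt8_key "$keyfile")" -iv "$(crypt8_iv "$keyfile")" > "$tmp"
    # a wrong key or IV decrypts to noise, so require the gzip magic 1f 8b
    if [ "$(magic "$tmp" 2)" != "1f8b" ]; then
        rm -f "$tmp"; echo "decrypted data is not gzip" >&2; return 4
    fi
    gzip -cdq < "$tmp" > "$out"
    rm -f "$tmp"
    # every SQLite database starts with the ASCII text "SQLite format 3"
    [ "$(magic "$out" 15)" = "53514c69746520666f726d61742033" ] ||
        { echo "output is not a SQLite database" >&2; return 5; }
}

# Usage: decrypt_crypt8 key msgstore.db.crypt8 msgstore.db
```

A non-zero return code tells you which stage failed: 1 for a truncated key file, 2 for a backup that is not a whole number of AES blocks, 4 for a key or IV that does not match the backup.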
