How To Decrypt WeChat EnMicroMsg.db Database?


Original article: http://articles.forensicfocus.com/2014/10/01/decrypt-wechat-enmicromsgdb-database/

WeChat is a smartphone application where users can chat with their friends, share pictures, videos and audio chats. Users can also make free video calls and voice calls with their friends as long as they have Internet connection.

Recently, we received a request from the law enforcement agency to extract WeChat chat messages from an Android mobile phone.

Although this mobile phone model is supported by XRY (a mobile phone forensics tool), it could not extract the WeChat chat messages. Only WhatsApp and other text messages were successfully extracted.

We also conducted a keyword search using EnCase, but to no avail. Although we could see the chat messages directly on the mobile phone display, EnCase still could not find the keywords we searched for.

Figure 1: The encrypted data in EnMicroMsg.db

However, during the analysis in EnCase, we found a .DB file named EnMicroMsg.db in the WeChat application folder. The file is about 3.7MB in size.

This led us to research the file on the Internet, where we found that it is an encrypted SQLite database holding the WeChat chat messages.


EnMicroMsg.db and SQLCipher

EnMicroMsg.db is an encrypted SQLite database file that contains the WeChat chat messages. It is encrypted with SQLCipher, an open source extension for SQLite that provides transparent 256-bit AES encryption of database files.

Figure 2: Parameters to decrypt EnMicroMsg.db file

Below are the parameters needed to encrypt and decrypt the data in the EnMicroMsg.db file.

  • PRAGMA key = KEY;
  • PRAGMA cipher_use_hmac = off;
  • PRAGMA cipher_page_size = 1024;
  • PRAGMA kdf_iter = 4000;

The simple explanations for these parameters are described below:

  • PRAGMA key – Set the key to use with the database.
  • PRAGMA cipher_use_hmac – Disable the usage of per-page HMAC checks for backwards compatibility with SQLCipher 1.1.x on a specific database.
  • PRAGMA cipher_page_size – Alter the page size used for the database from the default of 1024 bytes to improve performance for some query types.
  • PRAGMA kdf_iter – Change the number of iterations used with PBKDF2 key derivation.

Refer to the SQLCipher API page for a fuller explanation of these parameters and their usage in SQLCipher.

KEY to decrypt EnMicroMsg.db

KEY is the most important parameter for decrypting the EnMicroMsg.db file. The KEY is derived from the MD5 hash of the IMEI concatenated with the UIN (a unique identifier of the WeChat user). However, only the first 7 characters of the MD5 hash are used as the KEY.

Figure 3: The process to generate the KEY

The IMEI is the 15-digit unique number that is usually printed on the back of the mobile phone. Alternatively, you can dial *#06# on the phone to display its IMEI.

The UIN is the unique identifier stored in the system_config_prefs.xml file in the WeChat application folder.

Figure 4: Example to generate the KEY

In short, the KEY generation can be summarized as follows:

KEY = MD5( IMEI + UIN )[ 0:7 ]

For example, suppose the IMEI of the mobile phone is 357725678854269 and the UIN obtained from the system_config_prefs.xml file is -1881034049.

  • IMEI: 357725678854269
  • UIN: -1881034049

The MD5 hash of this IMEI and UIN is 4bc36a03296a8b4fc63e5bb8e74db2a2.

Therefore the KEY to decrypt EnMicroMsg.db is 4bc36a0.
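The key derivation and PRAGMA sequence described above, as an added example that is not part of the original article or its fmd_wechatdecipher.py script. It reproduces the worked values from the text; the `default_uin` attribute name used when reading system_config_prefs.xml is an assumption, since the article only says the UIN lives in that file. Opening the database itself is left to pysqlcipher, as the article describes.

```python
import hashlib
import xml.etree.ElementTree as ET

# Values taken from the article's worked example.
EXAMPLE_IMEI = "357725678854269"
EXAMPLE_UIN = "-1881034049"

# Constructed sample of an Android shared-preferences file; the attribute
# name "default_uin" is an assumption, not something the article states.
SAMPLE_PREFS_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <int name="default_uin" value="-1881034049" />
    <boolean name="some_flag" value="true" />
</map>"""


def md5_hex(imei: str, uin: str) -> str:
    """Full MD5 of the IMEI concatenated with the UIN as text (the UIN keeps its sign)."""
    if len(imei) != 15 or not imei.isdigit():
        raise ValueError("IMEI must be exactly 15 digits")
    return hashlib.md5((imei + uin).encode("ascii")).hexdigest()


def derive_key(imei: str, uin: str) -> str:
    """KEY = MD5(IMEI + UIN)[0:7], exactly as the article summarises it."""
    return md5_hex(imei, uin)[:7]


def parse_uin(prefs_xml: str, attr_name: str = "default_uin") -> str:
    """Pull the UIN out of system_config_prefs.xml (attribute name assumed)."""
    root = ET.fromstring(prefs_xml)
    for node in root.iter("int"):
        if node.get("name") == attr_name:
            return node.get("value")
    raise KeyError(f"no <int name={attr_name!r}> entry in preferences file")


def sqlcipher_pragmas(key: str) -> list[str]:
    """The PRAGMA statements listed in the article, in the order SQLCipher
    requires: the key must be set before the other cipher settings."""
    return [
        f"PRAGMA key = '{key}';",
        "PRAGMA cipher_use_hmac = off;",
        "PRAGMA cipher_page_size = 1024;",
        "PRAGMA kdf_iter = 4000;",
    ]


if __name__ == "__main__":
    uin = parse_uin(SAMPLE_PREFS_XML)
    key = derive_key(EXAMPLE_IMEI, uin)  # -> 4bc36a0
    print("\n".join(sqlcipher_pragmas(key)))
```

With pysqlcipher the returned PRAGMA strings are executed one by one on the connection to EnMicroMsg.db before any SELECT.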

Python script, fmd_wechatdecipher.py

To make this file easier to decrypt, we have written a Python script, fmd_wechatdecipher.py, which you can use in your lab.

The script runs on Python and requires one additional package, pysqlcipher, which exposes the SQLCipher functions to Python.

Figure 5: Input and Output for fmd_wechatdecipher.py script

Before using the script, there are several things you need to know about fmd_wechatdecipher.py.

This script requires two input files and one input from the user.

The Input Files are:

  • EnMicroMsg.db – The WeChat database file that contains the encrypted chat messages.
  • system_config_prefs.xml – The WeChat file that contains the UIN number.

The Input that you need to enter:

  • IMEI – The 15-digit IMEI number of the mobile phone

The Output Files produced when the script has run are:

  • EnMicroMsg-decrypted.db – Decrypted database file that contains WeChat chat messages.
  • EnMicroMsg-decrypted.log – Log file that records all the information used to decrypt the file, such as the IMEI, UIN, and KEY. It also includes the MD5 and SHA1 hash values of the EnMicroMsg-decrypted.db file.

How to use the script?

To use the script, place all the Input Files in the same folder as the Python script.

When the script prompts you for the IMEI number, enter the correct IMEI; the script will then generate the KEY and decrypt the EnMicroMsg.db file automatically.

Figure 6: The decrypted data stored in EnMicroMsg-decrypted.db

Once the process is complete, two files, EnMicroMsg-decrypted.db and EnMicroMsg-decrypted.log, are generated in the same folder.

All the encrypted WeChat chat messages are now decrypted and stored in the EnMicroMsg-decrypted.db file. You can extract the chat messages by opening this file in your favourite SQLite browser.
