This is a fork of the whatsapp-web-reveng project.
I don't understand most of it, only the file I added (backend/whats-enc.py).
All this does is demonstrate how to decrypt the .enc encrypted media file at the heart of the "Saudis hack Bezos" story. They found an encrypted file they couldn't decrypt, and so theorized that it contains malware or exploits.
However, such files can easily be decrypted, as this project shows. I use a video sent to my own phone with the URL:
https://mmg-fna.whatsapp.net/d/f/AsnGB7gNh6Yw52MScbJyTRMo3NCmzMpesUIYyFmEZ0lR.enc
I found the mediakey on my phone to decrypt it as:
TKgNZsaEAvtTzNEgfDqd5UAdmnBNUcJtN7mxMKunAPw=
This is just example code. A better tool can be found here:
https://github.com/ddz/whatsapp-media-decrypt
These are the instructions for getting the environment working. I've only tried it under WSL (Windows Subsystem for Linux) and macOS, but it should work generally.
- Python 2.7 with the following pip packages installed:
  - websocket-client and git+https://github.com/dpallot/simple-websocket-server.git for acting as WebSocket server and client.
  - curve25519-donna and pycrypto for the encryption stuff.
  - pyqrcode for QR code generation.
  - protobuf for reading and writing the binary conversation format.
Just run pip install -r requirements.txt for all Python dependencies.
On macOS, installing protobuf breaks. I had to do this manually with:
pip install protobuf --ignore-installed
The code I added to this forked project is the file backend/whats-enc.py. Just change to that directory and run it. It will download an .enc file from WhatsApp and decrypt it using a mediakey. The URL and mediakey came from a backup of my iPhone.
WhatsApp uses end-to-end encryption. Thus, when your friend sends an image or video to you on the phone, only the two ends can encrypt or decrypt it.
The way this works is that your friend generates a new random mediakey for that one file, encrypts the video with it, and uploads the ciphertext (the .enc file) to WhatsApp's servers.
WhatsApp can't decrypt the video, being in the middle and not at either end.
Your friend then sends you a message containing the URL of the .enc file and the mediakey needed to decrypt it. That message is itself end-to-end encrypted, so WhatsApp can't read it either.
You then download the .enc file from the URL and decrypt it using the mediakey.
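The decrypt step above, worked through in Python 3 as an added example. This is not the fork's whats-enc.py and not WhatsApp's code; it follows the media format as documented by the upstream whatsapp-web-reveng project and implemented by ddz/whatsapp-media-decrypt: the 32-byte mediakey is expanded with HKDF-SHA256 (empty salt, a per-media-type info string) into 112 bytes split as IV, AES-256-CBC key, HMAC-SHA256 key and a refKey, and the .enc file is the PKCS#7-padded CBC ciphertext followed by the first 10 bytes of HMAC-SHA256(macKey, IV || ciphertext). The encrypt_media function and the sample payload are constructed here so the example runs offline; it uses pycryptodome/pycrypto if present and falls back to the cryptography package.

```python
import hashlib
import hmac
import os

# AES-256-CBC via whichever library is installed: pycryptodomex (Cryptodome),
# pycryptodome or the pycrypto this README lists (Crypto), else cryptography.
try:
    from Cryptodome.Cipher import AES
except ImportError:
    try:
        from Crypto.Cipher import AES
    except ImportError:
        AES = None

if AES is not None:
    def aes_cbc(key, iv, data, encrypt):
        cipher = AES.new(key, AES.MODE_CBC, iv)
        return cipher.encrypt(data) if encrypt else cipher.decrypt(data)
else:
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def aes_cbc(key, iv, data, encrypt):
        cipher = Cipher(algorithms.AES(key), modes.CBC(iv))
        op = cipher.encryptor() if encrypt else cipher.decryptor()
        return op.update(data) + op.finalize()

# HKDF "info" string per media type. The type selects different subkeys from
# the same mediakey, so decrypting a video with the "image" string fails the MAC.
MEDIA_INFO = {
    "image": b"WhatsApp Image Keys",
    "video": b"WhatsApp Video Keys",
    "audio": b"WhatsApp Audio Keys",
    "document": b"WhatsApp Document Keys",
}
MAC_LEN = 10  # the .enc file ends with a 10-byte truncated HMAC-SHA256


def hkdf_sha256(ikm, length, info):
    """RFC 5869 HKDF-SHA256 with an empty (all-zero) salt."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def expand_media_key(media_key, media_type):
    """Split the 112-byte HKDF output into (iv, cipherKey, macKey, refKey)."""
    if len(media_key) != 32:
        raise ValueError("mediakey must be 32 bytes")
    expanded = hkdf_sha256(media_key, 112, MEDIA_INFO[media_type])
    return expanded[:16], expanded[16:48], expanded[48:80], expanded[80:112]


def decrypt_media(media_key, enc, media_type):
    """Verify the MAC on a .enc blob, then return the plaintext media bytes."""
    if len(enc) < MAC_LEN + 16 or (len(enc) - MAC_LEN) % 16:
        raise ValueError("enc file length is not ciphertext blocks plus a 10-byte MAC")
    iv, cipher_key, mac_key, _ref_key = expand_media_key(media_key, media_type)
    ciphertext, mac = enc[:-MAC_LEN], enc[-MAC_LEN:]
    expected = hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()[:MAC_LEN]
    # Check the MAC before touching the ciphertext, in constant time.
    if not hmac.compare_digest(expected, mac):
        raise ValueError("MAC mismatch: wrong mediakey, wrong media type, or corrupted file")
    padded = aes_cbc(cipher_key, iv, ciphertext, encrypt=False)
    pad = padded[-1]
    if not 1 <= pad <= 16 or padded[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS#7 padding")
    return padded[:-pad]


def encrypt_media(media_key, plaintext, media_type):
    """The sender's side, added only so the example is self-contained."""
    iv, cipher_key, mac_key, _ref_key = expand_media_key(media_key, media_type)
    pad = 16 - len(plaintext) % 16
    ciphertext = aes_cbc(cipher_key, iv, plaintext + bytes([pad]) * pad, encrypt=True)
    mac = hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()[:MAC_LEN]
    return ciphertext + mac


def roundtrip_demo():
    """Constructed sample: a fresh random mediakey and a fake video payload."""
    media_key = os.urandom(32)
    video = b"\x00\x00\x00\x18ftypmp42" + os.urandom(1000)  # constructed, not a real MP4
    enc = encrypt_media(media_key, video, "video")
    return decrypt_media(media_key, enc, "video") == video


if __name__ == "__main__":
    print("roundtrip ok:", roundtrip_demo())
```

To use it on a real download, pass the raw .enc bytes, the base64-decoded mediakey and the media type to decrypt_media; a MAC mismatch is the signal that one of those three is wrong, and the code deliberately refuses to decrypt in that case rather than hand back garbage.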
If you have a forensic image of an iPhone, or even just a backup, then you can grab the URL and mediakey. Remember, because of end-to-end encryption, WhatsApp itself cannot decrypt the video, only the ends. But an image of the iPhone is one of those ends.
I used Reincubate iPhone Backup Extractor on Windows to both create a backup of my iPhone and extract the WhatsApp message database.
The database was in the path /Application Groups/net.whatsapp.WhatsApp.shared/chatstorage.sqlite.
If you don't want to use a tool to extract files, you can instead grab that file out of the backup directly yourself.
I then opened that database in sqlitebrowser and went to the ZWAMEDIAITEM table. In that table, the column ZMEDIAURL holds the URL and ZMEDIAKEY holds the media key.
The URL for one of the rows is the following:
https://mmg-fna.whatsapp.net/d/f/AsnGB7gNh6Yw52MScbJyTRMo3NCmzMpesUIYyFmEZ0lR.enc
The ZMEDIAKEY value is a protobuf message stored as a binary blob: its first field is the media key and its second field is a hash. Base64-encoding the media key from this row gives:
TKgNZsaEAvtTzNEgfDqd5UAdmnBNUcJtN7mxMKunAPw=
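The extraction step above, done without sqlitebrowser, as an added example (not part of the fork). It queries ZWAMEDIAITEM with the standard-library sqlite3 module, walks the ZMEDIAKEY blob with a schema-less protobuf wire-format parser, and takes field 1 as the 32-byte key, as the README describes; field 2 is kept only as opaque bytes. Because the real chatstorage.sqlite cannot ship with the page, build_sample_db constructs an in-memory stand-in with a made-up key, so the table layout beyond the two named columns is an assumption.

```python
import base64
import hashlib
import sqlite3


def read_varint(buf, pos):
    """Decode one protobuf base-128 varint starting at buf[pos]; return (value, next_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")


def parse_protobuf(blob):
    """Walk the wire format without a .proto schema: {field_number: [values]}.
    Varints decode to int; length-delimited, fixed32 and fixed64 fields stay as bytes."""
    fields, pos = {}, 0
    while pos < len(blob):
        tag, pos = read_varint(blob, pos)
        number, wire_type = tag >> 3, tag & 7
        if wire_type == 0:
            value, pos = read_varint(blob, pos)
        elif wire_type == 1:
            value, pos = blob[pos:pos + 8], pos + 8
        elif wire_type == 2:
            length, pos = read_varint(blob, pos)
            if pos + length > len(blob):
                raise ValueError("truncated length-delimited field")
            value, pos = blob[pos:pos + length], pos + length
        elif wire_type == 5:
            value, pos = blob[pos:pos + 4], pos + 4
        else:
            raise ValueError("unsupported wire type %d" % wire_type)
        fields.setdefault(number, []).append(value)
    return fields


def media_key_from_blob(blob):
    """Field 1 of the ZMEDIAKEY protobuf is the media key (field 2 is a hash)."""
    key = parse_protobuf(blob).get(1, [b""])[0]
    if len(key) != 32:
        raise ValueError("media key is %d bytes, expected 32" % len(key))
    return key


def media_key_from_b64(text):
    """Decode a base64 mediakey such as the one printed in this README."""
    key = base64.b64decode(text)
    if len(key) != 32:
        raise ValueError("decoded mediakey is %d bytes, expected 32" % len(key))
    return key


def extract_media(conn):
    """Return [(url, media_key_bytes)] for every row that has both columns set."""
    rows = conn.execute(
        "SELECT ZMEDIAURL, ZMEDIAKEY FROM ZWAMEDIAITEM "
        "WHERE ZMEDIAURL IS NOT NULL AND ZMEDIAKEY IS NOT NULL"
    )
    return [(url, media_key_from_blob(bytes(blob))) for url, blob in rows]


def build_sample_db():
    """Constructed stand-in for chatstorage.sqlite (assumed layout): one media row
    with a made-up 32-byte key, plus a text-only row that must be skipped."""
    key = bytes(range(32))
    # tag 0x0a = field 1, length-delimited; tag 0x12 = field 2, length-delimited
    blob = b"\x0a\x20" + key + b"\x12\x20" + hashlib.sha256(b"constructed").digest()
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ZWAMEDIAITEM (Z_PK INTEGER PRIMARY KEY, ZMEDIAURL TEXT, ZMEDIAKEY BLOB)")
    conn.execute("INSERT INTO ZWAMEDIAITEM (ZMEDIAURL, ZMEDIAKEY) VALUES (?, ?)",
                 ("https://mmg-fna.whatsapp.net/d/f/AsnGB7gNh6Yw52MScbJyTRMo3NCmzMpesUIYyFmEZ0lR.enc", blob))
    conn.execute("INSERT INTO ZWAMEDIAITEM (ZMEDIAURL, ZMEDIAKEY) VALUES (NULL, NULL)")
    return conn, key


if __name__ == "__main__":
    conn, _ = build_sample_db()
    for url, key in extract_media(conn):
        print(url, base64.b64encode(key).decode())
```

On a real backup, replace the ":memory:" connection with sqlite3.connect("chatstorage.sqlite"); the base64 string printed for each row is what whats-enc.py expects as the mediakey.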
Just run the program:
cd backend
python whats-enc.py
This generates the file:
rob.mp4
You can then load the video in your favorite player, like VLC.