New Token in warequest.py #133

Closed

@JayFoxRox

Using the WhatsApp 2.9.4.0 Windows Phone Token which was found (reverse engineered) by Jannik Vogel and shirioko.

Fixes #125 and #119

Find more information here: venomous0x/WhatsAPI#337 (comment)

@JayFoxRox JayFoxRox closed this Jun 6, 2013
@JayFoxRox JayFoxRox reopened this Jun 6, 2013
@mainlyer

Hello, and what is the id field of the query string? IMEI, MAC....

Thank you,
Mainlyer.

@shirioko

md5 of reversed imei or mac

@stv0g
stv0g commented Jun 12, 2013

Are you sure shirioko? I think v2/exist requests are broken for some weeks now. They changed the way..?

@shirioko

exist request has been broken for quite a while now
venomous0x/WhatsAPI#283 (comment)
and it also appears to be platform specific.
WP7 for example generates a new identity after factory reset which means it uses some GUID generated by the OS.
Can't fully confirm this though, the RecoveryToken is generated by its infamous WhatsAppNative DLL and reverse engineering it would probably take another few weeks of sleepless nights with @JayFoxRox

@mainlyer

Thank you so much, but there is something that needs to be clarified! The id parameter is as important as the token.

Another thing is the famous GetBuildHash() managed function. According to the code, it depends on whether the caller is in the WhatsApp.dll or the WhatsAppCommon.dll assembly. It is a particular hash of the .rsrc section of each assembly, treated as a PE binary.

For example, GetBuildHash() function will return in WP7 (2.9.4.0 versions):

"21a31a2d9dbdc9a8ce324ef2df918064fd26e30a" if the calling assembly is WhatsApp.dll
"b32a995213f1dd6006e15818c672b715d5d24828" if the calling assembly is WhatsAppCommon.dll

Best regards,
mainlyer.

@JayFoxRox

GetBuildHash() is only being called from WhatsAppCommon.dll - however, the running assembly is "WhatsApp". Meaning WhatsApp.dll is being checked.
"21a31a2d9dbdc9a8ce324ef2df918064fd26e30a" is part of the new token - check out my findings in the issue I linked in this pull request.

@stv0g
stv0g commented Jun 13, 2013

I don't think that they use the GetBuildHash() to generate the identifier.

If so, the v2/exist request should be useless. Requesting a new password on a new phone or upgraded WhatsApp client will fail due to a changed BuildHash..

@shirioko

The identifier is generated by RecToken class located in WhatsAppNative.dll

// WhatsApp.Settings
public static byte[] RecoveryToken
{
    get
    {
        lock (Settings.recTokenLock)
        {
            if (Settings.recoveryToken == null)
            {
                NativeInterfaces.Initialize();
                IRecToken recToken = new RecToken() as IRecToken;
                try
                {
                    Settings.recoveryToken = recToken.GetToken().Get();
                }
                finally
                {
                }
            }
        }
        return Settings.recoveryToken;
    }
}

and

namespace WhatsAppNative
{
    [ClassInterface, Guid("f990f7de-fd2c-46f1-ab07-50e20b9a1ebc")]
    [ComImport]
    public class RecToken
    {
        [MethodImpl(4096)]
        public extern RecToken();
    }
}

@JayFoxRox

RecToken is somewhat more complicated than the Misc_GetToken function.

What appears to happen is that you can have a salt (whose pointer should be at this+0x14 and the length at this+0x18).
GetToken will work with many function pointers so reverse engineering would be best on an actual windows phone with my hacked DLL or a debugger for native DLL. Hash seems to be 20 bytes - so probably based on SHA1.
There must be a file involved in GetToken though [probably opened in a function which is loaded using a function pointer] - you can probably figure it out by watching the filesystem somehow.
Not sure about decode and encode functions.

These should be the function pointers for the interface if anyone is interested:

.data:0007A2B3 DCB 0
.data:0007A2B4 DCD IRecToken_GetToken
.data:0007A2B8 DCD IRecToken_SetSalt
.data:0007A2BC DCD IRecToken_Encode
.data:0007A2C0 DCD IRecToken_Decode
.data:0007A2C4 off_7A2C4 DCD GUID_IRecToken ; DATA XREF: sub_15CD0+28↑o
.data:0007A2C4 ; .text:off_15D2C↑o
.data:0007A2C8 DCB 0

Not working on it though - I just wanted to have a quick look.

However, this should probably get its own issue - this pull request is just about the new registration token.

@mainlyer

Hello again, I requested a registration code and I received the SMS, both with a new, never-registered phone number and with an existing one. I wrote the code in C# and I sent the id by reversing the phone number and calculating its MD5 hash.

using System;
using System.IO;
using System.Linq;
using System.Net;
using System.Security.Cryptography;
using System.Text;

public static class WhatsAppReg
{
    private const string WhatsAppToken = "Od52pFozHNWF9XbTN5lrqDtnsiZGL2G3l9yw1GiQ" + "21a31a2d9dbdc9a8ce324ef2df918064fd26e30a";
    private const string WhatsAppUserAgent = "WhatsApp/2.9.4 WP7/7.10.8858 Device/HTC-HTC-H0002";

    public static string RequestCode(string cc, string phone, string lc, string lg)
    {
        string id = string.Join(string.Empty, MD5.Create().ComputeHash(Encoding.ASCII.GetBytes(phone.Reverse().ToArray())).Select(item => item.ToString("x2")).ToArray());
        string token = string.Join(string.Empty, MD5.Create().ComputeHash(Encoding.ASCII.GetBytes(string.Concat(WhatsAppToken, phone))).Select(item => item.ToString("x2")).ToArray());
        string uri = string.Format("https://v.whatsapp.net/v2/code?cc={0}&in={1}&to={0}{1}&lc={2}&lg={3}&mcc=000&mnc=000&method=sms&id={4}&token={5}", cc, phone, lc, lg, id, token);
        return GetResponse(uri);
    }

    public static string RegisterCode(string cc, string phone, string code)
    {
        string id = string.Join(string.Empty, MD5.Create().ComputeHash(Encoding.ASCII.GetBytes(phone.Reverse().ToArray())).Select(item => item.ToString("x2")).ToArray());
        string uri = string.Format("https://v.whatsapp.net/v2/register?cc={0}&in={1}&id={2}&code={3}", cc, phone, id, code);
        return GetResponse(uri);
    }

    private static string GetResponse(string uri)
    {
        var request = HttpWebRequest.CreateHttp(new Uri(uri));
        request.KeepAlive = false;
        request.Date = DateTime.Now;
        request.UserAgent = WhatsAppUserAgent;
        request.Accept = "text/json";
        using (var reader = new StreamReader(request.GetResponse().GetResponseStream()))
        {
            return reader.ReadLine();
        }
    }
}

Regards,
mainlyer.

@shirioko

Nice.

Can you open a pull request to my repository?
https://github.com/shirioko/WhatsAPINet

This will also solve https://github.com/perezdidac/WhatsAPINet/issues/42

@mainlyer

Hello shirioko! I can't open a pull request, it seems to be disabled. Let me know when I can.

Many thanks,
mainlyer.

@shirioko

You need to fork my repository first

@brittson
brittson commented Jul 4, 2013

@mainlyer what is lc and lg?

@mainlyer
mainlyer commented Jul 7, 2013

Hello brittson, lc is your locale and lg is your language.

Regards,
mainlyer.

@brittson
brittson commented Jul 9, 2013

@mainlyer thanks

@brittson

@mainlyer hi c# code is not working from today, worked yesterday

@shirioko shirioko referenced this pull request in venomous0x/WhatsAPI Jul 12, 2013
Closed

How to obtain a Whatsapp password? #403

@techmaniack

[status] => fail
[reason] => old_version

@lahmacuns

Register does not work :( Old version error. @shirioko

@devloic
devloic commented Jul 23, 2013

Check venomous0x/WhatsAPI#423 (comment), there is all the info to update yowsup-cli so it creates the right token, uses the right user agent, id, and passes additional parameters like mnc and mcc. Make changes in Registration/v2/coderequest.py and Common/Http/warequest.py.
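
Added example (not part of the thread, and not yowsup or WhatsApp code): a sketch of why a token that worked one day returns `old_version` the next, and why the token identifies a client build rather than a user, since its secret ships inside every copy of the client. It assumes a hypothetical server that recomputes md5(secret + phone), as in the C# code above, for the version named in the User-Agent; the secrets, the `bad_token` reason and the function names are constructed.

```python
import hashlib
import hmac
import re

# Constructed per-build secrets (placeholders, not real WhatsApp values).
BUILD_SECRETS = {
    "2.9.4": "CONSTRUCTED-SECRET-A" + "0" * 40,
    "2.10.750": "CONSTRUCTED-SECRET-B" + "1" * 40,
}
# Builds this hypothetical server has retired.
RETIRED = {"2.9.4"}

# Version field of a user agent such as "WhatsApp/2.9.4 WP7/7.10.8858 ...".
UA_RE = re.compile(r"^WhatsApp/(\d+(?:\.\d+)+) ")


def client_token(secret: str, phone: str) -> str:
    """Token as computed in the thread's C# code: hex md5(secret + phone)."""
    return hashlib.md5((secret + phone).encode("ascii")).hexdigest()


def check_request(user_agent: str, phone: str, token: str) -> dict:
    """Hypothetical server-side check keyed on the User-Agent version."""
    match = UA_RE.match(user_agent)
    if not match or match.group(1) not in BUILD_SECRETS:
        # "bad_token" is a constructed label, not an observed server reply.
        return {"status": "fail", "reason": "bad_token"}
    version = match.group(1)
    if version in RETIRED:
        # Matches the failure quoted in the thread.
        return {"status": "fail", "reason": "old_version"}
    expected = client_token(BUILD_SECRETS[version], phone)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected, token):
        return {"status": "fail", "reason": "bad_token"}
    return {"status": "ok"}


if __name__ == "__main__":
    phone = "15550100"  # constructed number
    ua_old = "WhatsApp/2.9.4 WP7/7.10.8858 Device/HTC-HTC-H0002"
    ua_new = "WhatsApp/2.10.750 Android/4.2.1 Device/GalaxyS3"
    print(check_request(ua_old, phone, client_token(BUILD_SECRETS["2.9.4"], phone)))
    print(check_request(ua_new, phone, client_token(BUILD_SECRETS["2.10.750"], phone)))
```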

@lahmacuns

We have made changes on warequest.py.

I wrote these:

UserAgents = [
("WhatsApp/2.10.750 Android/4.2.1 Device/GalaxyS3",
"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"+"022e923a364bfacff3a80de3f950b1e0{phone}"),
]

OK = 200

how am I gonna change yowsup-cli and coderequest.py, I did not get it.

can you please help?

@devloic @shirioko

@CODeRUS
Contributor
CODeRUS commented Jul 23, 2013

check my repository:
https://github.com/CODeRUS/yowsup

@tgalal tgalal added a commit that closed this pull request Aug 9, 2013
@tgalal Updated user agent
Fixes #150 yowsup-cli fail to register
Fixes #144 registration fails with old version for new phone.
Fixes #133 New Token in warequest.py
716efa7
@tgalal tgalal closed this in 716efa7 Aug 9, 2013