SQLiteManager works, wechat-dump does not #75

Open
msftsecurityteam opened this issue Nov 28, 2020 · 3 comments

@msftsecurityteam

Hi, as the issue is titled, I am running a Samsung S20 on Android 11, and the hardcoded 1234567890ABCDEF + UIN from system_config_prefs.xml generates a key "877f804"; however, I get the error "file is encrypted or is not a database" when running the decrypt-db.py script. If I use this same key with the SQLiteManager, it works.

@gregoiregentil

I don't want to steal your thread, but could you please describe precisely which steps you are doing and on which platform/version? I see strange things too and I'm trying to decrypt my database.

Also, regarding your issue, there are some reports of problems with sqlcipher on some Ubuntu Linux systems. Are you on Ubuntu?

@ppwwyyxx
Owner

ppwwyyxx commented Nov 29, 2020

One possibility is that wechat upgraded their sqlcipher compat version at some version. We set it to 1 here:

    c.execute("PRAGMA cipher_compatibility = 1;")

Maybe worth trying other versions.
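
The suggestion above, trying other `cipher_compatibility` values, written out as an added example (not part of the thread or of wechat-dump's code). `find_cipher_compatibility` and its `connect` parameter are hypothetical names, and the `__main__` part assumes pysqlcipher3 built against SQLCipher 4, where `PRAGMA cipher_compatibility` is available.

```python
import sys

# SQLCipher major versions accepted by PRAGMA cipher_compatibility.
COMPAT_VERSIONS = (1, 2, 3, 4)


def find_cipher_compatibility(connect, db_path, key, versions=COMPAT_VERSIONS):
    """Return the first cipher_compatibility value that can read db_path, or None.

    connect is a DB-API connect function (hypothetical parameter); pass one
    from a SQLCipher-enabled module so the PRAGMAs below take effect.
    """
    quoted_key = key.replace("'", "''")  # PRAGMA values cannot be bound parameters
    for version in versions:
        conn = connect(db_path)
        try:
            c = conn.cursor()
            c.execute("PRAGMA key = '" + quoted_key + "';")
            # cipher_compatibility selects that version's defaults for page
            # size, KDF iterations and HMAC, so no other cipher_* PRAGMA is set.
            c.execute("PRAGMA cipher_compatibility = %d;" % version)
            # The key is only checked on the first read: a wrong key or wrong
            # settings raise "file is encrypted or is not a database" here.
            c.execute("SELECT count(*) FROM sqlite_master;")
            c.fetchone()
            return version
        except Exception as exc:  # the DatabaseError class differs per module
            print("cipher_compatibility = %d failed: %s" % (version, exc),
                  file=sys.stderr)
        finally:
            conn.close()
    return None


if __name__ == "__main__":
    # Assumption: pysqlcipher3 is installed (SQLCipher 4 underneath).
    from pysqlcipher3 import dbapi2 as sqlcipher
    db_path, key = sys.argv[1], sys.argv[2]
    print("working cipher_compatibility:",
          find_cipher_compatibility(sqlcipher.connect, db_path, key))
```

If every version fails with a key that opens the file in another tool, the local copy of the database itself is the next thing to check.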

@ellermister

ellermister commented Mar 20, 2022

I can open the EnMicroMsg.db using sqlite database browser (Version2.1 - SQLCipher Version).

But I cannot decrypt the data with decrypt_db_with_password.py; the error is:

    database disk image is malformed

The output_db.db file is 2.7M, and the original file is 800M.

password is correct
system is Ubuntu or debian
uin is a negative number
wechat version 8.0.2

decrypt_db_with_password.py parameters:

    c.execute("PRAGMA key = '" + key + "';")
    c.execute("PRAGMA cipher_compatibility = 1;")
    c.execute("PRAGMA cipher_use_hmac = OFF;")
    c.execute("PRAGMA cipher_page_size = 1024;")
    c.execute("PRAGMA kdf_iter = 4000;")

@gregoiregentil
@ppwwyyxx

It's my file that is missing, it's normal to copy it again
