
Does it still work?

Open marcinguy opened this issue 5 years ago • 1 comments

Hi,

Looking for an update from the Author or credible answers.

Whatsapp Web Client changed JS several times since I looked into it.

Getting the Pub/Priv key is quite hard, but possible. It seems the QR code and the Priv/Pub key change every ca. 10 secs.

I am pretty sure I managed to get the right key (Priv and Pub) as well as the secret (Ref Object).

Then I paste the base64 encoded message I sent to one of my contacts (websocket -> to server endpoint /ws). It has the format:

ID,<binary>

In the parser.py This goes through: https://github.com/romanzaikin/BurpExtension-WhatsApp-Decryption-CheckPoint/blob/90247f2a84e49cc09c526b8d587fc5eb93be8752/helper/parser.py#L91

However, got a mismatch here: https://github.com/romanzaikin/BurpExtension-WhatsApp-Decryption-CheckPoint/blob/90247f2a84e49cc09c526b8d587fc5eb93be8752/helper/parser.py#L109

As I said, I am quite confident I had a good Priv and Pub key (32 ints each) and secret (Ref Obj).

Is this still working?

Thanks,

marcinguy avatar Aug 16 '19 14:08 marcinguy

I got the Priv and Pub key from JS. As I said, they seem to be correct since the asserts go through:

https://github.com/romanzaikin/BurpExtension-WhatsApp-Decryption-CheckPoint/blob/90247f2a84e49cc09c526b8d587fc5eb93be8752/helper/parser.py#L80

https://github.com/romanzaikin/BurpExtension-WhatsApp-Decryption-CheckPoint/blob/90247f2a84e49cc09c526b8d587fc5eb93be8752/helper/parser.py#L82

HMAC on the secret string is also valid:

https://github.com/romanzaikin/BurpExtension-WhatsApp-Decryption-CheckPoint/blob/90247f2a84e49cc09c526b8d587fc5eb93be8752/helper/parser.py#L91

So aes_key and mac_key should be correct.

https://github.com/romanzaikin/BurpExtension-WhatsApp-Decryption-CheckPoint/blob/90247f2a84e49cc09c526b8d587fc5eb93be8752/helper/parser.py#L96

But the encrypted message HMAC fails:

https://github.com/romanzaikin/BurpExtension-WhatsApp-Decryption-CheckPoint/blob/90247f2a84e49cc09c526b8d587fc5eb93be8752/helper/parser.py#L109

So does the decryption...

I verified that the WhatsApp Web Client and "core" JS parts seem to be the same and match your Python code.

As asked in the original issue, does anybody have ideas what is happening here?

Thanks,

marcinguy avatar Aug 19 '19 12:08 marcinguy
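The thread above hinges on two checks that pass or fail independently: an HMAC over the shared secret (which confirms `aes_key`/`mac_key` were derived correctly) and an HMAC over the encrypted message (which fails here). The example below is an added illustration of that encrypt-then-MAC verification step, written from scratch and not taken from the extension's `parser.py`; it assumes HKDF-SHA256 key derivation, a 32-byte `aes_key` followed by a 32-byte `mac_key`, and a wire layout of a 32-byte HMAC-SHA256 tag followed by the ciphertext. All key lengths, the derivation salt/info, and the sample bytes are constructed assumptions, chosen so the block runs offline with the standard library only (AES-CBC decryption would follow the tag check and is deliberately left out). It shows the four ways the second check can fail while the first still passes: a swapped key, a tampered or re-encoded ciphertext, and a truncated message.

```python
from __future__ import annotations

import hashlib
import hmac

HASH = hashlib.sha256


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand using HMAC-SHA256, stdlib only."""
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_keys(shared_secret: bytes, salt: bytes = b"\x00" * 32) -> tuple[bytes, bytes]:
    """HKDF-Extract then Expand; split into (aes_key, mac_key).

    The 32/32 split and the empty info string are assumptions for this
    example, not a statement about the extension's derivation.
    """
    prk = hmac.new(salt, shared_secret, HASH).digest()  # HKDF-Extract
    okm = hkdf_expand(prk, b"", 64)
    return okm[:32], okm[32:64]


def seal_message(mac_key: bytes, ciphertext: bytes) -> bytes:
    """Assumed wire layout: HMAC-SHA256(mac_key, ciphertext) || ciphertext."""
    return hmac.new(mac_key, ciphertext, HASH).digest() + ciphertext


def verify_message(mac_key: bytes, message: bytes) -> bytes | None:
    """Return the ciphertext if the 32-byte tag matches, else None.

    compare_digest keeps the comparison constant-time so a verifier does
    not leak how many tag bytes matched.
    """
    if len(message) < 32:
        return None
    tag, ciphertext = message[:32], message[32:]
    expected = hmac.new(mac_key, ciphertext, HASH).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return ciphertext


def demo() -> dict[str, bool]:
    # Constructed stand-in for the shared secret; a real one comes from the
    # key agreement, not from a byte range.
    secret = bytes(range(32))
    aes_key, mac_key = derive_keys(secret)

    # Constructed "ciphertext": 16-byte IV followed by two 16-byte blocks.
    ciphertext = b"\x11" * 16 + b"\x22" * 32
    wire = seal_message(mac_key, ciphertext)

    tampered = wire[:-1] + bytes([wire[-1] ^ 0x01])  # flip one ciphertext bit
    return {
        "good": verify_message(mac_key, wire) == ciphertext,
        # Using the AES half of the key material as the MAC key fails the tag
        # check even though the derivation itself was correct.
        "swapped_key": verify_message(aes_key, wire) is None,
        "tampered": verify_message(mac_key, tampered) is None,
        "truncated": verify_message(mac_key, wire[:20]) is None,
        "keys_differ": aes_key != mac_key and len(aes_key) == len(mac_key) == 32,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

When debugging a failing message tag with a passing secret tag, the useful question is which input to `verify_message` differs from what the client fed its own HMAC: the key half, the exact byte range covered by the tag, or the encoding of the captured payload (a base64 decode that strips or adds a byte shows up as the "tampered" case above, not as a key problem).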