decrypt12.py

"""
Example how to decrypt whatsapp msgstore backups with extension .crypt12.

Author: Willem Hengeveld <itsme@xs4all.nl>
"""
from Crypto.Cipher import AES
import zlib
import sys

datafile = keyfile = None

if len(sys.argv)==1:
    print("Usage: decrypt12.py <keyfile> <msgstore.db.crypt12>")
    print("  the key file is commonly found in /data/data/com.whatsapp/files/key")
    print("  the crypt file is commonly found in the directory: /data/media/0/WhatsApp/Databases/")
    exit(1)

for arg in sys.argv[1:]:
    if arg.find('crypt12')>0:
        datafile = arg
    elif arg.find('key')>0:
        keyfile = arg
    else:
        print("unknown arg", arg)

with open(keyfile, "rb") as fh:
   keydata = fh.read()
key = keydata[126:]

with open(datafile, "rb") as fh:
   filedata = fh.read()
iv = filedata[51:67]

aes = AES.new(key, mode=AES.MODE_GCM, nonce=iv)

with open("msg-decrypted.db", "wb") as fh:
    fh.write(zlib.decompress(aes.decrypt(filedata[67:-20])))

Hi, just used this program to decrypt my WhatsApp backup. It still works great. Thank you!

Two issues I ran in to and how to solve them:

• unknown arg key and error when using a keyfile that was simply named key. Solved by changing arg.find('key')>0 to arg.find('key')>=0.
• Error no attribute 'MODE_GCM' when using the default PyCrypto library (version 2.6.1 on my system). Solved by using a pipenv environment with the PyCryptodome library.

Hi! Can anyone help me. I have the crypt 12 files on my pc in a word file. How can i ever read these??