Android微信數據導出

当前位置：首页 > Android > 正文

Oct132015

作者：网络手抄本发布：2015-10-13 09:09 分类：Android 阅读：489 views 抢沙发

在Nexus 5(Android 4.4)+WeChat 5.4，和Nexus 5(Android 5.0)+Wechat 6.0上測試可用。

獲取加密的sqlite3數據庫`EnMicroMsg.db`

如果已經root過，可以下載/data/data/com.tencent.mm/MicroMsg/*/EnMicroMsg.db。

若沒有root，則/data/data/com.tencent.mm下多數目錄都不可讀，可以使用下面的方法：

開啓“開發人員選項”，選上“USB偵錯”
電腦上執行adb backup -noapk com.tencent.mm
在手機上彈出對話框提示是否允許備份
不要設置密碼，點備份，電腦會收到backup.ab
解壓backup.ab：dd if=backup.ab bs=24 skip=1 | openssl zlib -d > backup.tar
解壓backup.tar得到數據庫apps/com.tencent.mm/r/MicroMsg/*/EnMicroMsg.db

獲取用於生成密鑰的信息

uin：訪問/data/data/com.tencent.mm/MicroMsg/*/system_config_prefs.xml，獲取其中name="default_uin" value="([0-9]+)"的value字段值uin。也可以打開wx.qq.com網頁版，查找.wx.qq.com域的cookie，其中wxuin字段的值就是uin。也可以用backup.tar裏的apps/com.tencent.mm/sp/system_config_prefs.xml。
IMEI：在撥號盤輸入*#06#獲取IMEI，或者開啓“USB偵錯”後使用adb shell dumpsys iphonesubinfo得到15個十進制數字組成的imei。網上查到有些機型可能使用不同於IMEI的其他字段用於生成密鑰。

使用sqlcipher解密

把上面兩步得到的imei和uin拼接起來計算MD5。執行echo -n "$imei$uin" | md5sum | cut -c -7獲取sqlcipher使用的加密密鑰，下面用abcdefg指代。

執行sqlcipher EnMicroMsg.db，輸入：

<span class="line">1</span>
<span class="line">2</span>
<span class="line">3</span>
<span class="line">4</span>
<span class="line">5</span>

1

2

3

4

5

<span class="line"><span class="operator"><span class="keyword">PRAGMA</span> <span class="keyword">key</span>=<span class="string">'abcdefg'</span>;</span></span>
<span class="line"><span class="operator"><span class="keyword">PRAGMA</span> cipher_use_hmac = <span class="keyword">off</span>;</span></span>
<span class="line">ATTACH DATABASE "decrypted_database.db" AS decrypted_database KEY "";</span>
<span class="line"><span class="operator"><span class="keyword">SELECT</span> sqlcipher_export(<span class="string">"decrypted_database"</span>);</span></span>
<span class="line">DETACH DATABASE decrypted_database;</span>

PRAGMA key='abcdefg';

PRAGMA cipher_use_hmac = off;

ATTACH DATABASE "decrypted_database.db" AS decrypted_database KEY "";

SELECT sqlcipher_export("decrypted_database");

DETACH DATABASE decrypted_database;

解密得到可用sqlite3打開的decrypted_database.db。

注意，sqlcipher不同版本使用的加密方式不同，我嘗試使用3.8.4.3版本打開數據庫文件，得到如下錯誤信息：

<span class="line">1</span>
<span class="line">2</span>
<span class="line">3</span>

1

2

3

<span class="line">sqlite&gt; PRAGMA <span class="keyword">key</span>=<span class="comment">'abcdefg';</span></span>
<span class="line">sqlite&gt; .schema</span>
<span class="line"><span class="keyword">Error</span>: file <span class="keyword">is</span> encrypted <span class="keyword">or</span> <span class="keyword">is</span> <span class="keyword">not</span> a database</span>

sqlite> PRAGMA key='abcdefg';

sqlite> .schema

Error: file is encrypted or is not a database

目前發現2.1.1版本的sqlcipher可以解密。可以下載https://github.com/CovenantEyes/sqlcipher-windows/releases提供的2.1.1的Windows用exe，用wine運行，或者在https://launchpad.net/ubuntu/+source/sqlcipher/2.1.1-2/+build/4642377上下載libsqlcipher0_2.1.1-2_amd64.deb和sqlcipher_2.1.1-2_amd64.deb，執行：

<span class="line">1</span>
<span class="line">2</span>
<span class="line">3</span>
<span class="line">4</span>
<span class="line">5</span>
<span class="line">6</span>
<span class="line">7</span>

1

2

3

4

5

6

7

<span class="line"><span class="comment"># /tmp/sqlcipher_2.1.1-2_amd64.deb</span></span>
<span class="line"><span class="comment"># /tmp/libsqlcipher0_2.1.1-2_amd64.deb</span></span>
<span class="line"><span class="built_in">cd</span> /tmp</span>
<span class="line"><span class="comment"># get /tmp/usr/bin/sqlcipher</span></span>
<span class="line">ar x sqlcipher_2.<span class="number">1.1</span>-<span class="number">2</span>_amd64.deb &amp;&amp; tar xf data.tar.gz --no-overwrite-dir</span>
<span class="line"><span class="comment"># get /tmp/usr/lib/x86_64-linux-gnu/libsqlcipher.so.0.8.6</span></span>
<span class="line">ar x libsqlcipher0_2.<span class="number">1.1</span>-<span class="number">2</span>_amd64.deb &amp;&amp; tar xf data.tar.gz --no-overwrite-dir</span>

# /tmp/sqlcipher_2.1.1-2_amd64.deb

# /tmp/libsqlcipher0_2.1.1-2_amd64.deb

cd /tmp

# get /tmp/usr/bin/sqlcipher

ar x sqlcipher_2.1.1-2_amd64.deb && tar xf data.tar.gz --no-overwrite-dir

# get /tmp/usr/lib/x86_64-linux-gnu/libsqlcipher.so.0.8.6

ar x libsqlcipher0_2.1.1-2_amd64.deb && tar xf data.tar.gz --no-overwrite-dir

解壓後執行：

<span class="line">1</span>

1	<span class="line">1</span>

<span class="line"><span class="built_in">cd</span> /tmp/usr &amp;&amp; LD_LIBRARY_PATH=lib/x86_64-linux-gnu bin/sqlcipher /tmp/EnMicroMsg.db</span>

1	<span class="line"><span class="built_in">cd</span> /tmp/usr && LD_LIBRARY_PATH=lib/x86_64-linux-gnu bin/sqlcipher /tmp/EnMicroMsg.db</span>

解析`message`表並導出消息

message表儲存消息。目前瞭解到從fmessage_conversation、rcontact和chatroom表中可以得到一些聯繫人和聊天室的信息。

暫時使用一個比較粗糙的Ruby腳本導出信息，需要先gem install sqlite3：

<span class="line">1</span>
<span class="line">2</span>
<span class="line">3</span>
<span class="line">4</span>
<span class="line">5</span>
<span class="line">6</span>
<span class="line">7</span>
<span class="line">8</span>
<span class="line">9</span>
<span class="line">10</span>
<span class="line">11</span>
<span class="line">12</span>
<span class="line">13</span>
<span class="line">14</span>
<span class="line">15</span>
<span class="line">16</span>
<span class="line">17</span>
<span class="line">18</span>
<span class="line">19</span>
<span class="line">20</span>
<span class="line">21</span>
<span class="line">22</span>
<span class="line">23</span>
<span class="line">24</span>
<span class="line">25</span>
<span class="line">26</span>
<span class="line">27</span>
<span class="line">28</span>
<span class="line">29</span>
<span class="line">30</span>
<span class="line">31</span>
<span class="line">32</span>
<span class="line">33</span>
<span class="line">34</span>
<span class="line">35</span>
<span class="line">36</span>
<span class="line">37</span>
<span class="line">38</span>
<span class="line">39</span>

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

<span class="line"><span class="keyword">require</span> <span class="string">'sqlite3'</span></span>

<span class="line"><span class="keyword">begin</span></span>
<span class="line">  talker2name = {}</span>
<span class="line">  username2name = {}</span>

<span class="line">  db = <span class="constant">SQLite3::Database</span>.open <span class="string">'/tmp/decrypted_database.db'</span></span>
<span class="line">  db.results_as_hash = <span class="keyword">true</span></span>
<span class="line">  db.execute(<span class="string">'SELECT talker,displayName FROM fmessage_conversation'</span>).each {|row|</span>
<span class="line">    talker2name[row[<span class="string">'talker'</span>]] = row[<span class="string">'displayName'</span>]</span>
<span class="line">  }</span>
<span class="line">  db.execute(<span class="string">'SELECT username,nickname FROM rcontact'</span>).each {|row|</span>
<span class="line">    username = row[<span class="string">'username'</span>]</span>
<span class="line">    nickname = row[<span class="string">'nickname'</span>]</span>
<span class="line">    <span class="keyword">if</span> nickname != <span class="string">''</span></span>
<span class="line">      <span class="keyword">if</span> username =~ <span class="regexp">/@chatroom$/</span></span>
<span class="line">        talker2name[username] = nickname == <span class="string">''</span> ? username <span class="symbol">:</span> nickname</span>
<span class="line">      <span class="keyword">else</span></span>
<span class="line">        username2name[username] = nickname == <span class="string">''</span> ? username <span class="symbol">:</span> nickname</span>
<span class="line">      <span class="keyword">end</span></span>
<span class="line">    <span class="keyword">end</span></span>
<span class="line">  }</span>

<span class="line">  db.execute(<span class="string">'SELECT createTime,talker,content FROM message'</span>).each {|row|</span>
<span class="line">    time,talker,content = row.values_at <span class="string">'createTime'</span>,<span class="string">'talker'</span>,<span class="string">'content'</span></span>
<span class="line">    <span class="keyword">next</span> <span class="keyword">unless</span> content</span>
<span class="line">    <span class="keyword">if</span> talker =~ <span class="regexp">/@chatroom$/</span></span>
<span class="line">      content.sub!(<span class="regexp">/^(\w+):\n/</span>) {|x| <span class="string">"<span class="subst">#{username2name.fetch(<span class="variable">$1</span>,'xx')}</span>: "</span> }</span>
<span class="line">    <span class="keyword">end</span></span>
<span class="line">    <span class="comment">#next if content =~ /^~SEMI_XML~|&lt;/</span></span>
<span class="line">    <span class="keyword">next</span> <span class="keyword">if</span> content =~ <span class="regexp">/^~SEMI_XML~/</span></span>
<span class="line">    name = talker2name.fetch talker, talker</span>
<span class="line">    puts <span class="string">"<span class="subst">#{<span class="constant">Time</span>.at(time/<span class="number">1000</span>).strftime('%FT%R')}</span>\t<span class="subst">#{name}</span>\t<span class="subst">#{content}</span>"</span></span>
<span class="line">  }</span>
<span class="line"><span class="keyword">rescue</span> <span class="constant">SQLite3::Exception</span> =&gt; e</span>
<span class="line">  puts e</span>
<span class="line"><span class="keyword">ensure</span></span>
<span class="line">  db.close <span class="keyword">if</span> db</span>
<span class="line"><span class="keyword">end</span></span>

require 'sqlite3'

begin

talker2name = {}

username2name = {}

db = SQLite3::Database.open '/tmp/decrypted_database.db'

db.results_as_hash = true

db.execute('SELECT talker,displayName FROM fmessage_conversation').each {|row|

talker2name[row['talker']] = row['displayName']

}

db.execute('SELECT username,nickname FROM rcontact').each {|row|

username = row['username']

nickname = row['nickname']

if nickname != ''

if username =~ /@chatroom$/

talker2name[username] = nickname == '' ? username : nickname

else

username2name[username] = nickname == '' ? username : nickname

end

}

db.execute('SELECT createTime,talker,content FROM message').each {|row|

time,talker,content = row.values_at 'createTime','talker','content'

next unless content

if talker =~ /@chatroom$/

content.sub!(/^(\w+):\n/) {|x| "#{username2name.fetch($1,'xx')}: " }

end

#next if content =~ /^~SEMI_XML~|</

next if content =~ /^~SEMI_XML~/

name = talker2name.fetch talker, talker

puts "#{Time.at(time/1000).strftime('%FT%R')}\t#{name}\t#{content}"

}

rescue SQLite3::Exception => e

puts e

ensure

db.close if db

end

Refenrences

来自：http://maskray.me/blog/2014-10-14-wechat-export

本文固定链接: http://web.wqz.me/318.html | 网络手抄本

该日志由网络手抄本于2015年10月13日发表在 Android 分类下，你可以发表评论，并在保留原文地址及作者的情况下引用到你的网站或博客。
原创文章转载请注明: Android微信數據導出 | 网络手抄本
关键字: Android, 微信

【上一篇】科学上网的方案教程
【下一篇】把XP底下的輸入法加到Windows 7