This post is only for people who know and use Yowsup and/or its derivatives. Please do not send email or comments asking how to use it to get WhatsApp on the desktop. Just search for it and you will find it.
I was looking into an interesting project, MissVenom, which uses a classic MITM to sniff the registration traffic and get the WhatsApp password. If you are wondering why I need a password for WhatsApp, you shouldn’t be here. Unfortunately, MissVenom will not work with new and future versions of WhatsApp for Android, because they have implemented server certificate validation, which makes the SSL MITM fail. So I decompiled WhatsApp and started analyzing the smali. I must say the WhatsApp devs spent a huge amount of time or money obfuscating the code; it's a pretty tough job. I thought I just had to figure out the place where they deserialize the magic ‘pw’ files and reverse the algorithm. When I looked into the actual algorithm, it is pretty complex, with multiple encryption, and it's very hard to figure out the seeds. Then I figured out a simple way: why can't I just output the decrypted password and live with it? For this you need a rooted device to install the modified APK, in case you want to switch back to the original WhatsApp.
So I used a very useful smali library, IGLogger, to simplify my life. I edited the WhatsApp smali and added a logcat output with the password bytes. Then I recompiled the APK, installed it on my device and watched logcat. When you start WhatsApp you will get a logcat entry like
01-25 17:58:41.745: A/!!! IGLogger: com.whatsapp.g9 - byte in Hex:(27170): xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
In the new version I have changed the logcat TAG to WhatsPwd, so the logcat entry will look like
F/WhatsPwd( 9900): xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
The ‘xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx’ you are seeing is your password in hex bytes. In order to use it in Yowsup you will need to encode it in base64; you could use Online Tool. Provide it to your client and you are good to go.
- WhatsApp won't allow multiple sessions, so you will have to kill WhatsApp running on your phone to use your other client.
- Use any backup tool to back up your data before you do anything. I highly recommend Titanium Backup.
Steps to install the modified APK without losing data
- Back up your app and data using Titanium Backup.
- Uninstall WhatsApp.
- Install the modified APK.
- Do not open WhatsApp. Go to Titanium Backup and restore the WhatsApp backup we created in step 1. Make sure you “Restore Data” and DO NOT RESTORE APP.
- Start the app and watch logcat.
- Once you have the password you can restore the app if you don’t want your password in your logcat whenever you start WhatsApp.