{"id":13483263,"url":"https://github.com/nalzok/wechat-decipher-macos","last_synced_at":"2025-12-30T00:04:42.198Z","repository":{"id":45190475,"uuid":"328989866","full_name":"nalzok/wechat-decipher-macos","owner":"nalzok","description":"DTrace scripts to extract chat history from WeChat on macOS","archived":false,"fork":false,"pushed_at":"2021-05-06T15:59:08.000Z","size":21,"stargazers_count":257,"open_issues_count":3,"forks_count":40,"subscribers_count":6,"default_branch":"main","last_synced_at":"2024-10-30T17:47:42.866Z","etag":null,"topics":["macos","wechat"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nalzok.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-01-12T13:07:33.000Z","updated_at":"2024-10-21T07:52:58.000Z","dependencies_parsed_at":"2022-07-19T14:47:39.451Z","dependency_job_id":null,"html_url":"https://github.com/nalzok/wechat-decipher-macos","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nalzok%2Fwechat-decipher-macos","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nalzok%2Fwechat-decipher-macos/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nalzok%2Fwechat-decipher-macos/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nalzok%2Fwechat-decipher-macos/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nalzok","download_url":"https://codeload.github.com/nalzok/wechat-decipher-macos/tar.gz/refs/hea
ds/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245863056,"owners_count":20684779,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["macos","wechat"],"created_at":"2024-07-31T17:01:09.485Z","updated_at":"2025-12-30T00:04:42.189Z","avatar_url":"https://github.com/nalzok.png","language":"JavaScript","funding_links":[],"categories":["JavaScript","Rich Text Format"],"sub_categories":[],"readme":"# WeChat Deciphers for macOS\n\nThis project is grouped into three directories:\n\n+ The directory `macos/` holds DTrace scripts for messing with WeChat.app on macOS.\n    + `eavesdropper.d` prints the conversation in real-time. It effectively shows database transactions on the fly.\n    + `dbcracker.d` reveals locations of the encrypted SQLite3 databases and their credentials. *Since it can only capture secrets when WeChat.app opens these files, you need to perform a login while the script is running.* Simply copy \u0026 paste the script output to invoke [SQLCipher](https://github.com/sqlcipher/sqlcipher) and supply the respective `PRAGMA`s.\n+ In `pcbakchat/` you can find scripts to parse WeChat's backup files.\n    + `gather.d` gathers several pieces of intel required to decrypt the backup.\n+ In `devel/` reside utilities for further reverse engineering. They are intended for hackers only, and the end-users of this project are not expected to use them.\n    + `xlogger.d` prints the log messages going to `/Users/$USER/Library/Containers/com.tencent.xinWeChat/Data/Library/Caches/com.tencent.xinWeChat/2.0b4.0.9/log/*.xlog`. 
I made this script [destructive](http://dtrace.org/guide/chp-actsub.html#chp-actsub-4) to overwrite the global variable [`gs_level`](https://github.com/Tencent/mars/blob/master/mars/comm/xlogger/xloggerbase.c#L93).\n    + `protobuf_config.py` describes the protobuf format used by the backup files for [protobuf-inspector](https://github.com/mildsunrise/protobuf-inspector).\n    + `__handlers__/` contains some handlers to be used with `frida-trace`.\n    + `init.js` contains the helper function for `frida-trace`.\n\n## Dependencies\n\nSince `dtrace(1)` is pre-installed on macOS, no dependencies are required to run the scripts. However, you may need to [disable SIP](https://apple.stackexchange.com/questions/208762/now-that-el-capitan-is-rootless-is-there-any-way-to-get-dtrace-working) if you haven't done that yet. In addition, you'll need [SQLCipher](https://github.com/sqlcipher/sqlcipher) to inspect the databases discovered by `dbcracker.d`.\n\nFor some scripts in `devel`, you will also need [Frida](https://frida.re) and a (preferably jailbroken) iOS device.\n\n## Usage\n\nFor DTrace scripts, launch WeChat and run\n\n```bash\nsudo $DECIPHER_SCRIPT -p $(pgrep -f '^/Applications/WeChat.app/Contents/MacOS/WeChat')\n```\n\nReplace `$DECIPHER_SCRIPT` with `macos/dbcracker.d`, `macos/eavesdropper.d`, `pcbakchat/gather.d`, or `devel/xlogger.d`.\n\nThe stuff in `pcbakchat/` is a little involved. See `usage.md` for more details.\n\n## Will Tencent ban my WeChat account?\n\nHopefully not. 
Most processing is done offline on the macOS client, and the overhead of DTrace should be negligible, so there is little chance they will catch you.\n\n## Version Information\n\nThe production of these scripts involved an excess amount of guesswork and wishful thinking, but at least it works on my machine :)\n\n```\nDevice Type: MacBookPro14,1\nSystem Version: Version 10.14.6 (Build 18G8022)\nSystem Language: en\nWeChat Version: [2021-04-02 17:49:14] v3.0.1.16 (17837) #36bbf5f7d2\nWeChat Language: en\nHistoric Version: [2021-03-29 20:23:50] v3.0.0.16 (17816) #2a4801bee9\nNetwork Status: Reachable via WiFi or Ethernet\nDisplay: *(1440x900)/Retina\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnalzok%2Fwechat-decipher-macos","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnalzok%2Fwechat-decipher-macos","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnalzok%2Fwechat-decipher-macos/lists"}