Environment
- OS: Linux (Ubuntu 24.04)
- WeChat: 4.1.1.4 (xwechat, /opt/wechat/wechat)
- wx-cli: v0.1.10 (npm global)
- ptrace_scope: 1 (requires sudo)
Steps
Output
检测微信数据目录...
找到数据目录: /home/hpc/Documents/xwechat_files/wxid_wbwrzb89cg0322_5ff1/db_storage
扫描加密密钥(需要 root 权限)...
WeChat PID: 4145
找到 15 个加密数据库
扫描进程内存...
找到 384 个可读写内存区域 (via /proc/<pid>/maps rw filter)
找到 19 个候选密钥
匹配到 0/19 个密钥
Expected
Keys matched against database salts, all_keys.json written to cache.
Actual
Found 19 hex patterns matching the expected format (x'<64hex><32hex>'), but none of the salts matched any of the 15 databases on disk. This suggests the key format or memory layout changed in WeChat 4.1.x.
Notes
- The db_storage/all_keys.json file exists (generated by WeChat/WCDB itself) but contains wrapped keys that don't work directly with SQLCipher PRAGMA key.
- DB files are standard SQLCipher 4 format (first 16 bytes are salt, no plaintext SQLite header).
- WeChat version string from binary: client_version=4067692804
Happy to provide any additional debug info.
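
The salt comparison described in the report, as an added diagnostic sketch (not wx-cli's code and not part of the original report). It parses candidates in the `x'<64hex><32hex>'` form, reads the first 16 bytes of each database file, and lists which files match and which candidate salts belong to no file. The function names, the `*.db` glob and the sample data are assumptions made for this example.

```python
import re
import tempfile
from pathlib import Path

# Candidate form quoted in the report: x'<64 hex key><32 hex salt>'
CANDIDATE_RE = re.compile(r"x'([0-9a-fA-F]{64})([0-9a-fA-F]{32})'")
SALT_LEN = 16  # SQLCipher 4: the first 16 bytes of the file are the salt
PLAINTEXT_MAGIC = b"SQLite format 3\x00"  # header of an unencrypted database


def parse_candidates(text):
    """Return {salt_hex: key_hex} for every well-formed candidate in text."""
    return {m.group(2).lower(): m.group(1).lower()
            for m in CANDIDATE_RE.finditer(text)}


def read_salt(db_path):
    """Return the salt as hex, or None for a short or plaintext SQLite file."""
    with open(db_path, "rb") as fh:
        head = fh.read(SALT_LEN)
    if len(head) < SALT_LEN or head == PLAINTEXT_MAGIC:
        return None
    return head.hex()


def match_report(candidate_text, db_dir):
    """Return (per-database status, candidate salts that matched no file)."""
    by_salt = parse_candidates(candidate_text)
    status, seen = {}, set()
    for db in sorted(Path(db_dir).rglob("*.db")):
        salt = read_salt(db)
        if salt is None:
            state = "not-encrypted"
        elif salt in by_salt:
            state = "matched"
        else:
            state = "unmatched"
        seen.add(salt)
        status[str(db.relative_to(db_dir))] = (state, salt)
    return status, sorted(set(by_salt) - seen)


if __name__ == "__main__":
    # Constructed sample data: two fake database files and one candidate.
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "a.db").write_bytes(bytes([0x11]) * 16 + b"\x00" * 32)
        Path(tmp, "b.db").write_bytes(bytes([0x22]) * 16 + b"\x00" * 32)
        candidates = "x'" + "ab" * 32 + "33" * 16 + "'"
        status, orphans = match_report(candidates, tmp)
        for name, (state, salt) in status.items():
            print(name, state, salt)
        print("candidate salts with no matching file:", orphans)
```

Comparing the list of orphaned candidate salts with the per-file salts shows whether the candidates are well-formed but belong to other files, or whether no candidate in the expected form corresponds to any database on disk.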