Step-by-Step Guide to Extract and Decrypt PC WeChat Database Using OllyDbg and C++

In digital forensics, extracting data from the PC version of WeChat requires the 32‑byte encryption key, which differs from the Android 7‑byte password. The key can be obtained by attaching OllyDbg 2.01 (Chinese version) to the WeChat.exe process, searching for the string DBFactory::encryptDB , and locating the second occurrence of the message "encryptDB %s DBKey can’t be null".

After setting a breakpoint at the address containing the TEST EDX,EDX instruction (e.g., 0F9712BA), running the program until the login completes reveals the 32‑byte key in the EDX register. The key is displayed as a 64‑character hexadecimal string such as 53E9BFB23B724195A2BC6EB5BFEB0610DC2164756B9B4279BA32157639A40BB1 .

With the key in hand, a C++ console application is created in Visual Studio 2019. The project is configured to include the OpenSSL headers (e.g., c:\openssl-1.0.2r\include ) and link against the OpenSSL libraries ( libeay32.lib and ssleay32.lib ). The source code uses OpenSSL’s PKCS5_PBKDF2_HMAC_SHA1 to derive the AES‑256 key and optional HMAC‑SHA1 key, then decrypts each page of the SQLite file, verifies the HMAC (if present), and writes the decrypted pages to a new file prefixed with dec_ .

using namespace std;
#include <Windows.h>
#include <iostream>
#include <openssl/rand.h>
#include <openssl/evp.h>
#include <openssl/aes.h>
#include <openssl/hmac.h>
#undef _UNICODE
#define SQLITE_FILE_HEADER "SQLite format 3"
#define IV_SIZE 16
#define HMAC_SHA1_SIZE 20
#define KEY_SIZE 32
#define SL3SIGNLEN 20
#ifndef ANDROID_WECHAT
#define DEFAULT_PAGESIZE 4096
#define DEFAULT_ITER 64000
#else
#define NO_USE_HMAC_SHA1
#define DEFAULT_PAGESIZE 1024
#define DEFAULT_ITER 4000
#endif
unsigned char pass[] = { 0x53,0xE9,0xBF,0xB2,0x3B,0x72,0x41,0x95,0xA2,0xBC,0x6E,0xB5,0xBF,0xEB,0x06,0x10,0xDC,0x21,0x64,0x75,0x6B,0x9B,0x42,0x79,0xBA,0x32,0x15,0x76,0x39,0xA4,0x0B,0xB1 };
char dbfilename[50];
int Decryptdb();
int main(int argc, char* argv[])
{
    if (argc >= 2)
        strcpy_s(dbfilename, argv[1]);
    else {
        cout << "请输入文件名:" << endl;
        cin >> dbfilename;
    }
    Decryptdb();
    return 0;
}
/* ... remaining decryption logic ... */

After building the executable, run it with the target WeChat database file (e.g., dewechat ChatMsg.db ). The program outputs a decrypted file ( dec_ChatMsg.db ) that can be opened with any SQLite viewer.

The guide emphasizes that the process is semi‑automatic; obtaining the password via OllyDbg is the most manual step, while the decryption code handles the rest.