How does WeChat store animated emojis (stickers)? - General Questions and Answers

Hi,
I hope this is the right section for app-specific questions (if not, please move the thread)...
My wife recently got into that sticker/emoji-collecting-thing on WeChat (god knows why) and she would like to use the WeChat stickers on other messengers like Whatsapp (or have access to the image files in general). There are millions of tutorials how to make your own animated stickers for WeChat, but unfortunately there is zero information how to get them out of WeChat... Apparently everything is stored in the folder "Phone\tencent\MicroMsg\--some-md5-like-number--\emoji". Therein are subfolders like "com.tencent.xin.emoticon.NAME", I guess for each sticker creator, and the image files themselves have cryptic filenames like "fd0476f63c51690b88dd17d9be63af1c" without any extension. The good news is that PNGs and JPGs are saved "natively" - such files can be easily recognized by any image viewer via the header. However, animated stickers (typically discernible by the much larger file size) are apparently stored in a kind of proprietary format. It's not GIF or any image format I know of (or rather tried it with), it's also not a common compressed container, and the hex editor doesn't reveal anything useful, just densely packed gibberish...
Is there any kind of documentation on how WeChat stores animated images and how they can be converted back into something useful like GIF?

I was wondering this as well. I did the same digging as the OP, with one thing to add. I took a look at one of the said files – this one is 13Kb and about 1kb from the beginning there is a 648-byte xml rdf metadata tag. It shows that whatever this thing is, it was made with Photoshop. I took out the id's and hashes:
Code:
<rdf:Description rdf:about="" xmlns:xmpMM="http ://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http ://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http ://ns.adobe.com/xap/1.0/" xmpMM:eek:riginalDocumentID="xmp.did:…" xmpMM:DocumentID="xmp.did:…" xmpMM:InstanceID="xmp.iid:…" xmp:CreatorTool="Adobe Photoshop CC 2015 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:…" stRef:documentID="adobe:docid:photoshop:…"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>

Looking for the same answer

It's been forever since this question was posted, but I still kinda want to know. I don't think anyone's figured out how. XD;;

Nope, I gave up and urged my wife to find a new hobby

Drats, the stickers are so adorable tho... iiOTL

The files are stored in the WXAM format (an in-house proprietary format). The most I found was this post detailing an exploit for WXGF (that's the name of the format), which includes POC code in Python (see zip at end of post) that encrypts a file to WXGF. In it, you can see the code calculating the encryption key - which, I imagine the way to decrypt them would be to do the opposite (obviously)
Python:
imei = '358035085174146'
key = hashlib.md5(imei).hexdigest()[0:16]
cipher = AES.new(key, AES.MODE_ECB)
result[0:1024] = cipher.encrypt(buffer[0:1024])
As for converting the unencrypted file - whether Android or Windows, it's contained in a dll or so file.
On Windows, the decompilation code can be found at
Code:
C:\Program Files (x86)\Tencent\WeChat\WXAMDecoder.dll
, while on Android it can be found at
Code:
libwechatcommon.so
Particularly on Android, the Java class located in
Code:
com.tencent.mm.plugin.gif.MMWXGFJNI
contains the java -> native implementation, with functions such as
Code:
nativePic2Wxam()
As for documenting the internal native code -> It's too much past my ability / time at the moment. Maybe this can be for someone for another day~ That being said, decryption isn't impossible as you saw above, related to IMEI and AES keys.
The particular function you were looking for was - sadly, using it would be a bit hard. But I imagine that you could take the so file, wire it up to an Android app with the same declarations here, and pass in the Wxam file in a byte[] array to get the result back -> You wouldn't have to know the internal code for that either, and since the type is byte[], we don't need to even reverse engineer the code to see what it supplied. Clearly it is a byte[] array of the files contents.
Code:
public static native byte[] nativeWxamToGif(byte[] bArr);
In fact, now that I think about it, I'd like to try it myself now and see what happens lol.
Edit: Yup, it works. I just decoded a few files. Working on decryption now. Sorry, I can't share it since I don't wanna get in trouble. But there's the information above ^^ If you can make Android apps and know enough, it's not hard

BBRecon said:
The files are stored in the WXAM format (an in-house proprietary format). The most I found was this post detailing an exploit for WXGF (that's the name of the format), which includes POC code in Python (see zip at end of post) that encrypts a file to WXGF. In it, you can see the code calculating the encryption key - which, I imagine the way to decrypt them would be to do the opposite (obviously)
Python:
imei = '358035085174146'
key = hashlib.md5(imei).hexdigest()[0:16]
cipher = AES.new(key, AES.MODE_ECB)
result[0:1024] = cipher.encrypt(buffer[0:1024])
As for converting the unencrypted file - whether Android or Windows, it's contained in a dll or so file.
On Windows, the decompilation code can be found at
Code:
C:\Program Files (x86)\Tencent\WeChat\WXAMDecoder.dll
, while on Android it can be found at
Code:
libwechatcommon.so
Particularly on Android, the Java class located in
Code:
com.tencent.mm.plugin.gif.MMWXGFJNI
contains the java -> native implementation, with functions such as
Code:
nativePic2Wxam()
As for documenting the internal native code -> It's too much past my ability / time at the moment. Maybe this can be for someone for another day~ That being said, decryption isn't impossible as you saw above, related to IMEI and AES keys.
The particular function you were looking for was - sadly, using it would be a bit hard. But I imagine that you could take the so file, wire it up to an Android app with the same declarations here, and pass in the Wxam file in a byte[] array to get the result back -> You wouldn't have to know the internal code for that either, and since the type is byte[], we don't need to even reverse engineer the code to see what it supplied. Clearly it is a byte[] array of the files contents.
Code:
public static native byte[] nativeWxamToGif(byte[] bArr);
In fact, now that I think about it, I'd like to try it myself now and see what happens lol.
Edit: Yup, it works. I just decoded a few files. Working on decryption now. Sorry, I can't share it since I don't wanna get in trouble. But there's the information above ^^ If you can make Android apps and know enough, it's not hard
Click to expand...
Click to collapse
I'm using nativeWxamToGif(), but I keep getting a return value of null. Do you know if it is still supposed to work? I tried the libwechatcommon.so in wechat versions 7 and 8 and still no luck.
My decryption code is almost the same as the encryption code. The only difference is that I strip off the trailing 0-pad and then reuse the imei-generated (using my own imei) key to decrypt.
Were you able to use nativePic2Wxam? The signature is too complex so it's too hard for me to guess what parameters to pass in.
Code:
private static native int nativePic2Wxam(String paramString1, String paramString2, int paramInt1, int paramInt2, int paramInt3, int paramInt4, int paramInt5);
Since I don't know how to use nativePic2Wxam, I'm just blindly trusting you that I should be able to decrypt one of the wxgf into wxam and then use nativeWxamToGif() to convert it to a gif. But I'm not sure why my gifs are always null.
I think I do have the libwechatcommon.so lib working because I am able to use other simple functions such as the following:
Code:
public static native int nativeRewindBuffer(long paramLong);
public static native int nativeUninit(long paramLong);
Does nativeWxamToGif() return null if the input byte array is invalid wxam or something?

Related

SQL CE 3.5 - First App

I'm working on developing my first WM 6 App using SQL CE 3.5 . I'm sure there are other apps out there that do what mine does, but I'm just wanting the experience of developing it.
I'm working on a fairly simple app to track gas mileage and such. But, for some reason, whenever I debug it, the app can't seem to find the database file. I get an error saying: "The database file cannot be found. Check the path to the database. [ Data Source = .\GasTrackerDB.sdf ]"
I can browse with file explorer on the device and find the database in the same directory as the deployed application, so I'm not really sure where to go from here..
I'm doing everything through the IDE, so all of the code is generated for me to connect to the database.
Anybody experienced enough to help me troubleshoot this stupid problem?
i have been looking for an app that does the same thing as the one you are working on.
when it is finished please pm me. i wish i knew more programing, if i did i would help you.
Try
Code:
string database = string.Format(@"{0}\GasTrackerDB.sdf", GetApplicationPath());
public static string GetApplicationPath()
{
string path = System.IO.Path.GetDirectoryName(System.Reflection.Assembly.GetExecutingAssembly().GetName().CodeBase);
return path;
}
I did figure it out after messing around with it. I think it has to do with the way VS2008 deploys the app on the emulator...
When I hard-code the path to the database file, it works. So, my app will just have to be installed on the local device and not the SD card
Don't hard-code the path! The method GetApplicationPath() returns the application path. This is also important when installing on OS with different language.
heliosdev said:
Don't hard-code the path! The method GetApplicationPath() returns the application path. This is also important when installing on OS with different language.
Click to expand...
Click to collapse
How is that possible when the Connection String was generated by the IDE? Here's what the .xsd says:
Code:
<Connection ConnectionStringObject="Data Source=\program files\gastracker\GasTrackerDB.sdf" IsAppSettingsProperty="false" Modifier="Assembly" Name="GasTrackerDBConnectionString" ParameterPrefix="@" Provider="Microsoft.SqlServerCe.Client.3.5" />
On application start create the connection string "Data Source = " + database (like post #3)
This connection string can then be passed wherever you need to connect to the database.
That's the problem.. the IDE created all the stuff for the connection string and I don't know enough about it to create everything needed manually.
How do you connect to the db? What are you calling for retrieving data from db? How do you insert data to the db? All these actions need an object which somehow knows the connectionstring. And this string can/must be changed.
Hmm.. That doesn't seem to be a valid function name. I'm using .NET CF 3.5 .I'll keep looking.
Well, I wrote my own function to get the execution path, but I still can't figure out how to modify the connection string at runtime.
This crap is ridiculous. I don't understand why it doesn't "just work" when I let the IDE do everything...
Well, I FINALLY made it work.. i ended up going through the xsd file and changing all the code that creates queries. I had to replace every instance of:
Code:
CType(Me._commandCollection(0), Global.System.Data.SqlServerCe.SqlCeCommand).Connection = New Global.System.Data.SqlServerCe.SqlCeConnection("Data Source=.\GasTrackerDB.sdf;")
With:
Code:
CType(Me._commandCollection(0), Global.System.Data.SqlServerCe.SqlCeCommand).Connection = New Global.System.Data.SqlServerCe.SqlCeConnection("Data Source=" & GetAppPath() & "\GasTrackerDB.sdf;")
That had to be done for every one of my queries created through the designer. Thankfully I only had 5!
Great! Keep in mind that changes in generated code can get lost when the ide is recreating the code. Just keep an eye on it when doing changes in this area!
heliosdev said:
Great! Keep in mind that changes in generated code can get lost when the ide is recreating the code. Just keep an eye on it when doing changes in this area!
Click to expand...
Click to collapse
Yeah, I already ran into that one If it gets to be too much of a pain, I'll see if I can create some sort of compile time script to do a find and replace.. But I haven't spent enough time going back and fixing it yet
go to
http://www.connectionstrings.com/
They have everything you need to build your connection string. From my experience, it's okay to let the IDE build everything EXCEPT the connection string....

[Q] project resource

There are many json files containing the information {"color": "red"}. I want to create a listBox of colors of these files,data must be read. The most simple (which I wrote):
Code:
int i = 1;
while (i < 300)
{
var file = Application.GetResourceStream(new Uri("files/color"+i+".json", UriKind.Relative));
i++;
if (file == null)
{
Debug.WriteLine("file not found");
break;
}
DataContractJsonSerializer ser = new DataContractJsonSerializer(typeof(Color));
Color example = (Color)ser.ReadObject(file.Stream);
}
I have not found how to work with directories of the project so just go over everything.
I read about IsolatedStorageFile, this store is used as a sandbox for the application. How to install the application can put files there?
This is a simple example I used just to find out, in fact, much more data.
P.S. Sorry for my bad english
Quick tip: you should be using the "using" keyword, or manually cleaning up your stream.
That said, there's no official way to write to the isolated storage on program installation. Unofficially, you can use the XAP deployer hack (read about it on the dev&hacking sub-forum) if you really want to do this, although it almost certainly won't survive market ingestion (if you want to publish it).
The best official way is to check, when the program starts up, whether it has populated its isostore. If not, it uses the GetResourceStream to read from its install folder and write to the isostore.
If that's not enough info or doesn't answer your question, please try to be more precise.
evgen_wp said:
There are many json files containing the information {"color": "red"}. I want to create a listBox of colors of these files,data must be read. The most simple (which I wrote):
Code:
int i = 1;
while (i < 300)
{
var file = Application.GetResourceStream(new Uri("files/color"+i+".json", UriKind.Relative));
i++;
if (file == null)
{
Debug.WriteLine("file not found");
break;
}
DataContractJsonSerializer ser = new DataContractJsonSerializer(typeof(Color));
Color example = (Color)ser.ReadObject(file.Stream);
}
I have not found how to work with directories of the project so just go over everything.
I read about IsolatedStorageFile, this store is used as a sandbox for the application. How to install the application can put files there?
This is a simple example I used just to find out, in fact, much more data.
P.S. Sorry for my bad english
Click to expand...
Click to collapse
Indeed, clearly, is better.
thank you
Every time you hit the page will load data from files. It's slow. Probably better to use the database. What do you suggest?
an additional question: how to view the contents of the folder in the install folder
Loading the app's IsolatedStorageSettings.ApplicationSettings data (which is a simple text file in the data folder) is quite fast; I really doubt you'll notice it. Just save their once the fact that you imported the files from the install folder to the isostore. I just about guarantee that any kind of database access will take much longer, at least for the initial hit. Reading a short plain-text file and parsing it should take maybe a few miliseconds, at worst.
As for viewing folder contents, technically this can be done using native code, but it can't be done with the official API (I get the feeling you want to publish this app, so that matters). However, that shouldn't matter, really - you know what files are in the install folder and its subfolders, because you put them there. If you want to know how to use GetResourceStream on sub-folders of the install folder, that's easy; your code as listed above should work. Note that the files must be build action "content" and not "resource". You can still access "resource" files but the URI is different.

Link contact adress to Nokia Drive

I use my7rom on my Omnia 7.
Is there anyway to link a contacts adress to Nokia Drive instead of Maps (stock wp7 app). It would be much more practical if Nokia Drive opened a navigation session instead.
Anyone up for the challenge? A reg-tweak perhaps?
// Manneman
Skickat från Windows Phone 7.8
There's two parts here. The first is identifying the correct "filetype" or URI scheme that is used for navigation. That shouldn't be too hard; a little digging in HKCU should reveal it. We already know about ones like callto: and http: and I'm actually (slowly) working on an app to allow people to easily change them. The second part is finding the correct command to load that address or route in the Nokia Maps app. If the app supports pinning routes or destinations to Start, this is probably possible. If not, it may not be possible in the app. Most apps aren't designed to accept command-line parameters, so even if you make them the default handler for a given filetype or URI scheme, they ignore the value you send them and just start as though launched from Start.
GoodDayToDie said:
If the app supports pinning routes or destinations to Start, this is probably possible.
Click to expand...
Click to collapse
Nokia Drive supports pinning to start so it should be possible. Unfortunately I can't tell you exact command line parameters 'cause my Lumia 900 still "in jail"
Let me see if I have a copy of the Nokia Drive XAP handy. I'll need to decompile it to figure out the correct parameters for launching it with the intent of navigating to a specific location. Note also that this might not be possible directly - for example, the app might store a list of locations internally, and the tiles only provide an index into that list rather than providing the location directly - but that just requires another layer of indirection.
In that case, you create an app that gets registered as the navigation handler, and in response to a navigation request, it writes the requested location into the Nokia Drive app and then chain-launches Nokia Drive with the index of the newly written location. That's just an example of one way that this might go wrong, but overall, the odds are actually pretty good. Obviously, all of this will require, at a minimum, write access to the HKCR hive in the registry.
Ah, guys! You are so kind helping me out. I´m really certain alot of members in the WP7 section would love for this to work!
// Manneman
GoodDayToDie said:
I'll need to decompile it to figure out the correct parameters for launching it with the intent of navigating to a specific location
Click to expand...
Click to collapse
GoodDayToDie, you may try much simpler solution. Just create assembly (dll) to show startup parameters in message box, and replace main Nokia Drive dll (but pin some location first).
That's actually harder than it sounds; even if the app is sideloaded (which would mean I already have the DLL) my fake would have to mimic the internal structure of the real app to a degree (namespaces, class names, default actions, etc.). That's not hard, but decompiling .NET is pretty trivial too.
AFAIR, Nokia Drive is obfuscated (but I'm not 100% sure). Also, you don't need to duplicate all names and structures; just a stuff mentioned in WMAppManifest (I hope so). BTW, I forgot: I still have unlocked handset; if I'll found time, will try today later.
Update: tried but without of luck What I did:
- installed Nokia Drive first;
- downloaded map and pinned current location;
- created fake app with same app guid and namespace name ("Drive"), and performed app update (that operation completely override whole solution but NokiaDrive tile still pinned to the start screen);
- tried a few different page names (_default.xaml, QuickStartPage.xaml, DestinationPickerPage.xaml, FavoritesPage.xaml) with code
Code:
protected override void OnNavigatedTo(System.Windows.Navigation.NavigationEventArgs e)
{
MessageBox.Show("Hello from fake dll");
if (e.NavigationMode == System.Windows.Navigation.NavigationMode.New)
{
string[] keys = NavigationContext.QueryString.Keys.ToArray();
string[] values = NavigationContext.QueryString.Values.ToArray();
string param = "";
for (int i = 0; i < keys.Length; i++)
{
param += keys[i] + " -> " + values[i] + "\n";
}
MessageBox.Show("parameters: " + param);
}
}
But result always the same: app doesn't start from the pinned tile
Update 2: Finally, I did it
The trick is:
- do the same as I've described above (you should have pinned tile from ND);
- add following code to the start page:
Code:
public MainPage()
{
InitializeComponent();
var appTile = ShellTile.ActiveTiles.Last();
if (appTile != null)
{
//MessageBox.Show(appTile.NavigationUri.OriginalString);
EmailComposeTask emailTask = new EmailComposeTask();
emailTask.Subject = "NokiaDrive pinned parameters";
emailTask.Body = appTile.NavigationUri.OriginalString;
try
{
emailTask.Show();
}
catch (Exception ex)
{
MessageBox.Show(ex.Message, "Error", MessageBoxButton.OK);
}
}
}
- run app as usual (not from tile);
We allset - all params are sent to our email (I'm too lazy to manually copy all stuff )
Here we are (start parameters; bold values are changed for privacy reason ):
/_default?destination.name=200 SomeName Street&destination.latitude=49.5255378801376&destination.longitude=-72.4296837244183&destination.address.street=SomeName Street&destination.address.houseno=200&destination.address.district=&destination.address.county=&destination.address.city=SomeCity&destination.address.state=&destination.address.country=USA&destination.address.postcode=05720&destination.hashCode=371767793destination.address.statecode=MA&pinnedFrom=Favorites
P.S. Just found: Navigon also has ability to pin address to the start tile So, if you find the way to modify map protocol (or how it calls), it will be a really nice hack! BTW, could you remind me: do we have ability to launch assembly by GUID (on the full-/policy-unlocked phones)? If "yes", it's possible to write a real nice "proxy" app to handle map requests
I don't know about launching assemblies directly, but it's certainly possible to launch apps by GUID. It doesn't even require anything more than dev-unlock in fact (although of course you can only launch apps that you could launch anyhow). So yes, a proxy app is totally possible. That's actually what I'm working on (started as a project to make a Kindle ebook file loader, that would pur .mobi/.prc file in the Kindle app's folder and then launch the app).
GoodDayToDie, could you please, take a look to the registry, for default map protocol handler and figure out how to change that stuff? I'm pretty busy these days (and probably will be extremely busy couple of next months) but we can cooperate and create this app...
I'll investigate, but you're not the only one busy. If you've noticed a lack of software from me recently, it's due to the nex job I got some months back; I love it, but it leaves me with a lot less time for phone hacking if I want to still have a life outside of that.
With that said, this actually ties into the work I'm already doing with things like filetype handling and default browser switching. I can send you my HKCRlib, at a minimum; it's a library that simplifies interacting with HKCR, including creating backups of important values when they change, and reverting the backups.
GoodDayToDie, truly, I'm not much interested (personally) in that hack 'cause I can't use it for my Lumia 900. So it's only for the community needs but because of lack of time, I believe, we may put it on hold.

Zune Backup Format

Pre-thought: Zune Backups are located C:\Users\???\AppData\Local\Microsoft\Windows Phone Update\
The Zune Backup format seems to be following (under PhoneGUID\RestorePoint\BackupInstanceGUID\Data):
Each Data.X.dat.hash is a SHA-1 hash of Data.X.dat, and the Manifest.xml.hash is as well of Manifest.xml. I believe the entire contents of the files are AES encrypted and they certainly contain RUU IMGFS SLDR etc. At least we have a starting point. I'm doing to take all .DATs combine them and tinker with maybe trying to find a working filesystem out of it. Feel free to comment, constructively and without criticism. I wouldn't recommend copy /b *.dat dump.bin as that would 'accidently' combine say Data.1148.dat, Data.1149.dat, Data.115.dat, Data.1150.dat OUT OF ORDER. I'd rather write a small script to rename files prepending them all to 0000-padding. (Programmers will know)
*Edit* A quickie script grabbed online (slight mod)
<?php
error_reporting(-1);
//What? Quick CLI-tool to rename the file extensions of multiple files (in working directory) matching the pattern.
//Author? ZuZi
//Date? 2013/02/14
//Revised for quick scripting by Yuji Saeki
if($argv[1] && $argv[2]){
foreach (glob("*.$argv[1]") as $filename) {
$newfilename = explode(".", $filename);
$newfilename = $newfilename[0] . "." . str_pad($newfilename[1], 4, "0", STR_PAD_LEFT) . "." . $newfilename[2];
echo ("Renaming $filename to $newfilename\n");
rename("$filename", "$newfilename");
}
}else
usage: *.dat DumpName\n\n");
?>
Then you can copy /b *.dat Dump.bin for example.
*Edit*
Offset 0x00000000 word points to encryption type (ChainingMode) while adding 0x10 will point to encryption algorithm SHA1. Trying to work out AES block right now, and of course other bytes in that 'header' block (0).
Maybe if someone who has an unlocked phone (waiting for goldcard tools to arrive) can look at filesystem driver for WP?
If anyone wants to do anything I'd recommend starting with a very fresh phone, smaller backups around 500MB and below then. My current backup is about 7GB. >_>; Well lucky me for 32GB DDR3 2,400 eh?
*Edit*
Haven't determined much anything else but I did notice one thing. Hard Reset to immediate backup with no modification, twice, dumps differed significantly in content, I believe a salt or password used in the encryption algorithms is generated on an install basis. If anyone can reverse engineer UpdateWS(?) or whatever it is that sends backups to PC from Phone we might could figure out how it determines a password.

Question Merge camera and screenshot folders

I'm 3 days into owning my first Pixel phone so I don't know much about them.
It seems from looking online that screenshots and photos used to be merged into the DCIM folder. It also seems that people hated this arrangement, so on the P7P (and maybe other phones) the two folders are now separate.
Me? I'd prefer to have them combined. When looking for an image, I just want to look in one folder, not two.
With that said, is there some way to merge the screenshots into the regular camera folder? Again, if I'm looking for an image I'd prefer to look in one place not two.
Thanks in advance!
That's not possible for the native Android screenshot capability without root (and a modified framework). Below are snippets from AOSP...
The screenshots path is hardcoded in SystemUI
Java:
private static final String SCREENSHOTS_PATH = Environment.DIRECTORY_PICTURES
+ File.separator + Environment.DIRECTORY_SCREENSHOTS;
And the framework environment values are
Java:
public static String DIRECTORY_PICTURES = "Pictures";
public static String DIRECTORY_SCREENSHOTS = "Screenshots";
(effectively, "Pictures/Screenshots" in the shared storage path)

Categories

Resources