feat(image_key): implement Linux V2 AES key derivation via /proc/mem + brute-force fallback#110
Open
RoseCamel wants to merge 1 commit into
Open
feat(image_key): implement Linux V2 AES key derivation via /proc/mem + brute-force fallback#110RoseCamel wants to merge 1 commit into
RoseCamel wants to merge 1 commit into
Conversation
Two-path strategy, symmetric with macOS implementation: Primary path — process memory extraction: - Auto-detect WeChat PID via /proc/<pid>/comm - Scan readable memory regions for base64-encoded UIN in 'uin=' URL parameters - Derive AES key: md5(str(uin) + normalize(wxid)).hex()[:16] - Derive XOR key: uin & 0xff - Verify against V2 template ciphertexts from attach directory Fallback — brute-force enumeration: - Extract 4-hex-char wxid suffix from db_dir path - Option 1 (with XOR hint): enumerate 2^24 space using uin & 0xff == xor_key + md5 suffix match, full AES template verify - Option 2 (no XOR hint): enumerate 10000..50_000_000 range, filter by md5 suffix, verify AES key against templates Reuses existing shared infrastructure: - verify_aes_key(), find_v2_template_ciphertexts(), derive_xor_key_from_v2_dat() - normalize_wxid(), wxid_from_db_dir(), same_wxid() 8 tests pass including known-value key derivation verification. Co-Authored-By: Claude <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR fills the last remaining platform gap in the
image_keymodule — Linux V2.datimage AES key extraction.Approach
Two-path strategy, symmetric with the existing macOS implementation:
Primary: process memory extraction
/proc/<pid>/commuin=<base64>URL parameters (where UIN appears base64-encoded in WeChat's network request URLs)md5(str(uin) + normalize(wxid)).hex()[:16](16 ASCII bytes, same formula as macOS)uin & 0xffFallback: brute-force enumeration
When
/proc/<pid>/memis unreadable (noCAP_SYS_PTRACE):xwechat_files/<wxid_XXXX>directory name.dattail voting, same as macOS): enumerate 2^24 space —uin & 0xff == xor_key+md5(str(uin))[:4] == suffix— verify each candidate against AES templatesChanges
src/attachment/image_key/linux.rs: 438-line implementation replacing the 6-line stubsrc/attachment/image_key/mod.rs: one-line fix to call::from_current_config()constructorVerification
cargo check— compiles cleanlycargo test image_key— 8/8 tests pass, including known-value key derivation verificationCargo.toml)verify_aes_key(),find_v2_template_ciphertexts(),derive_xor_key_from_v2_dat(),normalize_wxid()Notes for reviewer
The implementation deliberately mirrors the macOS provider's structure — same caching pattern, same
derive_key_for_paths→find_via_*→bruteforce_*flow, sameImageKeyProvidertrait impl shape. This keeps the three platform providers easy to compare and maintain in parallel.