Sunday, 8th March 2026
Good news, re: last blog, WCDB (WeChat's SQLCipher wrapper) caches derived raw keys in process memory as x'<64hex_enc_key><32hex_salt>', and we can scan the memory to find the keys, and match the keys to databases by salt, and decrypts them.
Right now I have a working prototype, currentlt still working on imrpoving the usability of the tool.