The fundamentalsIf you want to change the history of a chat to display a received/sent image over another, it's a breeze. It is enough to go to replace the original file in memory with the fake one. For most of the Android phones, these files are located in the root directory of the system (storage/sdcard0 or storage/emulated/0 for example), folder WhatsApp /Media/WhatsApp Images/ or Sent. Image names are composed of the prefix IMG, the date of arrival and a sequential daily number. Simply delete the image that does not want to show and paste the new file by renaming it as the old. At this point, WhatsApp will show the new image when we go to browse the chat.
This simple trick is affordable for everyone, just the simple File Explorer or some other file manager.
The problem comes if you want to change the thumbnail that appears blurred in the chat before the image is loaded from memory. You may think that this preview is generated by the program according to the saved image, but it does not. And so to the interesting part of this guide.
I will not be responsible for any illegal use of this procedure, as illustrated for the sole purpose of research.
In theoryPreviews of the images are not saved in the phone as a file of any kind, so do not go looking for them somewhere in the system or in the cache. These are saved as text in the chat history, exactly as if they were normal messages.
WhatsApp periodically saves a backup of conversations in a SQLite database and encrypts it within his system folder. In this database, in 'messages' table, all the sent and received messages are in chronological order. Each one is described by various fields, such as id, time of arrival and content. For images we also have the url on whatsapp server, size, hash and obviously the preview.
If you use a program like SQLite Database Browser to explore the database, you can see everything and make sure all the fields are clearly legible except thumb_image, and RAW_DATA that is as interesting to us.
This field is not saved as INTEGER or STRING object, but as a BLOB, a hateful particular data type that is used to store small media files in database. There are few software that can natively read this type of data directly from the database, indeed, i know of only one, Oracle SQL Developer. Except that it does not support the SQLite database, so if you really want to go snooping, you must convert or play around with plugins.
At this point, the plan is simple: take the RAW_DATA of an image that we want, maybe a specially sent, and going to replace that of the message we want to change.
- Computer, preferably linux, with Python 2.7 installed
- WhatsApp Xtract
- File manager you want, like Root Explorer
- WhatsApp Tri-Crypt
- My Script for the replacement
- Possibly a backup of WhatsApp media
ProcedureWith the file manager go to the system folder WhatsApp / Database and delete, or even better rename, all the files of old backups.
Open WhatsApp and make a new history backuo from the chat setup
Open WhatsApp Tri-Crypt and select Decrypt WhatsApp Database, you will get a new decrypted file
Transfer the file to your computer and start WhatsApp Xtarct to convert the database into an readable html file. It may take a few minutes depending on the size of the chat, and the same to open the file.
The file appears as a list of messages divided by conversation and in chronological order.
For the demonstration I'm going to change the chat with a friend of mine who is building a bad case for a raspberry pi, I will replace the pictures of the inside of the box with that of blue fan
The reason why we have converted the database, is to be able to read the IDs of the messages, which are necessary to start the replace sript
In the execution folder, the program generates two files that represent the previews, use them as feedback. on error, delete the database and try again.
To see for themselves the success of the trick, just rerun the script or convert the database again in html
The worst is over!
Now take the database file and put it back into the phone instead of those created by whatsapp (to be kept for safety), re-encrypt file using Tri-Cript, and then uninstall and reinstall WhatsApp to allow it to charge the database chat again.