Introduction

In the evening, my girlfriend was organizing her overtime records from the past few months, grumbling while checking our chat history. As for why she was checking our chat history, it was mainly because she had been lazy before and hadn’t kept records. Every day after work, she would just send me a message saying “off work”.

I thought, there’s a pattern here! If I could export our chat history and analyze it a bit, I could generate her overtime records!

The Problem

With the idea in mind, a problem arose: WeChat’s chat data is encrypted, so how could I get the key? After some searching, I found a relevant technical blog: “Exporting Years of WeChat Chat History, I Used Visualization to Analyze My Own Catchphrases” [1]. Following the trail, I found an open-source project called kekeimiku/dumpkey [2].

After downloading it and following the instructions, I executed the corresponding commands, but they kept failing. The result was as follows:

./ptrsx-dumper test --pid $(pgrep WeChat |head -1) --path "WeChat+0x4C58BC0->0->8->8->16->32->8->8->64->8->0->0" -n 32
Error: OpenProcess(5)

After trying several times with the same result, I wondered if the tool had become ineffective. So I found another, more low-level technical document: “Creating the Strongest WeChat Forensic Tool for macOS” [3].

Following the steps in this article one by one, unexpectedly, I encountered an error in the very first step:

lldb -p $(pgrep WeChat)
(lldb) process attach --pid 24786
error: attach failed: attach failed (Not allowed to attach to process.  Look in the console messages (Console.app), near the debugserver entries, when the attach failed.  The subsystem that denied the attach permission will likely have logged an informative message about why it was denied.)

After another round of searching, I found the root cause: because my macOS SIP (System Integrity Protection) was enabled, I couldn’t perform this type of debugging operation to capture process memory information!

So I entered Recovery mode and disabled SIP. After that, I could finally access the data normally! I also tried the kekeimiku/dumpkey open-source tool again and found that it could now successfully retrieve the key for the chat database!

Exporting the Data

I needed to download DB Browser for SQLite [4]. After downloading and installing it, I eagerly tried to open the chat database with this software, but the program crashed immediately and couldn’t open the database at all. I tried on two different macOS machines with the same result. What a nightmare!

Later, I thought about trying the Windows version. Fortunately, I have a Windows machine that I usually use to run Kubernetes clusters. After installing it on Windows, sure enough, the chat database opened normally. Unlike the macOS client, the Windows installation had two icons: DB Browser (SQLite) and DB Browser (SQLCipher). I had to use the second program to properly open WeChat’s chat database!

Well, I could only open WeChat’s chat databases one by one on Windows and export them as JSON for analysis in code. Of course, CSV export is also supported, but I felt that parsing it might be problematic, especially with punctuation marks and other special characters in the message text!

Conclusion

From this point, things became easier. It was just a matter of filtering the chat data, extracting chats containing the keyword “off work”, and then extracting the sending time and message content for the next round of precise filtering.

After extracting only the conversations containing the keyword “off work”, I filtered by sending time, only extracting chat records sent more than one hour after normal working hours, because overtime within one hour after work doesn’t count as overtime for them!

Then I subtracted the normal working hours from these sending times to calculate the overtime duration, and finally exported the data table. Done!
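The three filtering steps above (keyword match, send time at least one hour past normal working hours, overtime = send time minus normal end of day) as one runnable Python script. This is an added example, not the author's script: the JSON export is a constructed sample, and the field names `send_time` and `content`, the 18:00 end of the working day and the one-hour grace period are assumptions, not values taken from a real WeChat export. The CSV output goes through the `csv` module, which quotes fields containing commas or quotation marks, so punctuation in message text does not break the table.

```python
import csv
import io
import json
from datetime import datetime, time, timedelta

# Constructed sample standing in for the JSON exported by DB Browser (SQLCipher).
# Field names are assumptions; a real export uses whatever the table's columns are called.
SAMPLE_EXPORT = json.dumps([
    {"send_time": "2024-03-04 18:02:11", "content": "off work"},
    {"send_time": "2024-03-05 20:15:00", "content": "finally off work"},
    {"send_time": "2024-03-06 12:30:00", "content": "lunch, not off work yet"},
    {"send_time": "2024-03-06 19:01:30", "content": "off work!"},
    {"send_time": "2024-03-07 22:45:00", "content": "off work, so tired"},
])

KEYWORD = "off work"
NORMAL_END = time(18, 0)     # assumed end of the normal working day
GRACE = timedelta(hours=1)   # the first hour after work does not count as overtime


def parse_export(raw):
    """Load the JSON export into (datetime, content) pairs."""
    rows = json.loads(raw)
    return [(datetime.strptime(r["send_time"], "%Y-%m-%d %H:%M:%S"), r["content"])
            for r in rows]


def overtime_records(messages, keyword=KEYWORD, normal_end=NORMAL_END, grace=GRACE):
    """Return one record per day: the latest 'off work' message sent at least
    `grace` after `normal_end`, with overtime measured from `normal_end`."""
    by_day = {}
    for sent, content in messages:
        # Step 1: keep only messages containing the keyword (case-insensitive).
        if keyword.lower() not in content.lower():
            continue
        # Step 2: drop messages sent less than `grace` after the normal end of day.
        day_end = datetime.combine(sent.date(), normal_end)
        if sent < day_end + grace:
            continue
        # Step 3: overtime is the time between the normal end of day and the message.
        overtime_minutes = int((sent - day_end).total_seconds() // 60)
        key = sent.date().isoformat()
        # Several matching messages on one day: keep the latest one.
        if key not in by_day or sent > by_day[key]["_sent"]:
            by_day[key] = {"date": key,
                           "left_at": sent.strftime("%H:%M"),
                           "overtime_minutes": overtime_minutes,
                           "_sent": sent}
    records = [dict((k, v) for k, v in rec.items() if k != "_sent")
               for _, rec in sorted(by_day.items())]
    return records


def total_overtime_minutes(records):
    return sum(r["overtime_minutes"] for r in records)


def to_csv(records):
    """Render the records as a CSV table; csv.DictWriter handles quoting."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["date", "left_at", "overtime_minutes"])
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()


if __name__ == "__main__":
    recs = overtime_records(parse_export(SAMPLE_EXPORT))
    print(to_csv(recs))
    print("total overtime minutes:", total_overtime_minutes(recs))
```

With the sample above, the 18:02 message on 2024-03-04 and the 12:30 message on 2024-03-06 are dropped by the time filter, leaving 135, 61 and 285 minutes of overtime on the three remaining days.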

Now I can make another unreasonable request to my girlfriend…

I hope this is helpful, Happy hacking…