macOS arm64 / WeChat 4.1.10: init gets task port but extracts 0 database keys

[linyufly]

Summary

On macOS arm64 with WeChat 4.1.10, wx-cli can get the WeChat task port after ad-hoc signing, but the memory scan finds 0 candidate keys. wx init then writes an empty all_keys.json, and wx sessions fails with 无法解密 session.db.

This looks like a key scanner compatibility issue for the current macOS WeChat layout rather than a macOS permission issue, because task_for_pid succeeds after re-signing.

Environment

• wx-cli: wx 0.3.0
• macOS: 26.5.1 (25F80)
• Architecture: arm64
• WeChat: 4.1.10
• WeChat CFBundleVersion: 268880
• WeChat bundle id: com.tencent.xinWeChat
• Data dir: ~/Library/Containers/com.tencent.xinWeChat/Data/Documents/xwechat_files/<wxid>/db_storage

Signing / permission state

After reinstalling the official App Store-style WeChat, signature was:

CodeDirectory v=20500 ... flags=0x10000(runtime) ...
Authority=Apple Mac OS Application Signing
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
TeamIdentifier=5A4RE8SF68

With official signing, running sudo wx init --force from local GUI Terminal found WeChat but failed at task_for_pid:

WeChat PID: 65239
错误: task_for_pid 失败 (kr=5)

Then I followed the documented ad-hoc signing route. After signing, verification showed:

CodeDirectory v=20400 ... flags=0x2(adhoc) ...
Signature=adhoc
TeamIdentifier=not set

Reproduction steps

1. Open WeChat and make sure it is fully logged in.
2. Ad-hoc sign WeChat according to the macOS permission guide.
3. Run:

sudo wx init --force
wx sessions

Actual output

$ sudo wx init --force
检测微信数据目录...
找到数据目录: ~/Library/Containers/com.tencent.xinWeChat/Data/Documents/xwechat_files/<wxid>/db_storage
扫描加密密钥（需要 root 权限）...
WeChat PID: 67445
Got task port: 4875
扫描数据库文件...
找到 24 个加密数据库
扫描进程内存寻找密钥...
找到 0 个候选密钥
匹配到 0/0 个密钥
成功提取 0 个数据库密钥
密钥已保存: ~/.wx-cli/all_keys.json
配置已保存: ~/.wx-cli/config.json
初始化完成，可以使用 wx sessions / wx history 等命令了

$ wx sessions
启动 wx-daemon...
错误: 无法解密 session.db

Daemon log also shows:

[daemon] 密钥数量: 0

And ~/.wx-cli/all_keys.json is empty / 2 bytes:

2 ~/.wx-cli/all_keys.json

Expected behavior

After Got task port, wx init --force should find at least one valid database key and wx sessions should be able to decrypt session.db.

Notes

The macOS permission/codesign part appears to be resolved, because Got task port is printed. The remaining failure appears to be that the key scanner cannot find a candidate key in WeChat 4.1.10's memory layout.

[AlexCHONG8]

Also affected on WeChat 4.1.80 (CFBundleVersion 4066646608, build 4.1.80.268880-classic), macOS arm64, wx-cli 0.3.0.

Same exact symptoms as the OP:

• task_for_pid succeeds after ad-hoc re-sign (Got task port: <port> printed)
• Re-sign verified flags=0x2(adhoc), Signature=adhoc, TeamIdentifier=not set
• wx init --force finds 18 encrypted DBs and 0 candidate keys
• ~/.wx-cli/all_keys.json ends up empty (2 bytes)
• Daemon log: [daemon] 密钥数量: 0
• wx sessions → 错误: 无法解密 session.db

Two extra details that may help debugging:

1. WeChat bundle is Chinese-named at /Applications/微信.app, not /Applications/WeChat.app as the error message suggests. wx-cli does find the data dir correctly under com.tencent.xinWeChat, so this is cosmetic, but it tripped me up when reading the docs.

2. WeChat process is NOT restarted between force re-scans. I tried sudo wx init twice and sudo wx init --force after actively using WeChat (opened a chat, scrolled history, sent a self-message), PID stayed at 73333 the whole time, and every scan still produced 0 candidate keys. So the key is never reaching memory on 4.1.x — it's not just a lazy-load timing issue.

Happy to test any patches. Thanks for maintaining this — it would be hugely useful if it worked again.