专业的建网站公司地址青岛网站制作
什么是Protobuf?
\qquad Protobuf(Protocol Buffer)是 Google 开发的一套数据存储传输协议,作用就是将数据进行序列化后再传输,Protobuf 编码是二进制的,它不是可读的,也不容易手动修改,因此它增加了分析或修改数据的难度。同时Protobuf 能够把数据压缩得很小,从而提高传输效率。通俗的理解就是Protobuf跟json序列化是类似的,只不过实现的方法不同而已。
安装Protobuf
\qquad 点击下载对应的版本,然后解压,并加入环境变量。
序列化与反序列化
\qquad Protobuf序列化需要开发人员在 .proto 文件中自定义消息格式,使用protobuf 编译器(protoc)选择需要的语言生成消息处理文件,也可以在 官网一键生成,用生成的文件就能进行序列化与反序列化。
\qquad 下面将举例说明如何通过js逆向来进行反序列化,目标网址:aHR0cHM6Ly93d3cueGlhb2hvbmdzaHUuY29tL2V4cGxvcmUvNjRkYzg2OGEwMDAwMDAwMDBhMDFiZDgz。
\qquad 打开目标网址,F12抓包,collect接口的请求参数是base64编码的,
解码后的数据是这样的,
춐]
6discovery-undefined0.0.00:
xhs-pc-webB3.5.2pm5bc331f43e6e73244d2b51c2999b1e02HyYjdqDYqjyF8yYjdqDYq2I24qyKAfI4WlxWh7idWx1y1vK28SqduD0888yW2yWj8DDiqd0qy"
61c3e3e9000000001000d0df*264dc868a000000000a01bd83p:B
$2cd55f67-ae5a-446a-9571-cb81e171d8360J167Xຊִx˅1BJ
$9bab7cd2-3eae-4469-9553-06cc2e5c8492oMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36<https://www.xiaohongshu.com/explore/64dc868a000000000a01bd83"/explore/:noteId*Lhttps://www.xiaohongshu.com/explore/64e19dc2000000000103c666?m_source=pinpaiZ"
64dc868a000000000a01bd83rlink
可以看出有一些乱码在里面,这个时候其实还无法判断是否用了protobuf序列化,一些网站可以查看协议头的content-type,如下图所示就是使用protobuf。
但是目标网站对序列化结果进行了base64编码,所以协议头的content-type跟正常的请求是一样的。
这种情况就得通过动态调试来看看这到底是什么玩意,查看调用堆栈,定位到可疑代码,在此处打上断点。
单步跟进去,图示位置打上断点。
单步跟进,来到关键位置,到这里特征就很明显了,”proto“、”serializeBinary“等关键字就是protobuf的显著特征。
接下来就可以根据源码中的规律来自定义proto文件,在此之前需要了解一下proto文件的语法格式以及数据类型,篇幅有限大佬们可以查看别的教程,本文只侧重逆向部分。
编写.proto文件
\qquad 如下图所示,目标网站的消息格式是一个Tracker消息里有很多的子消息,有APP、Mobile、Device等。
我们可以根据这个写出最外层的proto,
syntax = "proto3";
package xhs;
message Tracker {repeated APP app = 1;repeated Mobile mobile = 2;repeated Device device = 3;repeated User user = 4;repeated Network network = 5;repeated Page page = 6;repeated Event event = 7;repeated Browser browser = 9;repeated NoteTarget noteTarget = 11;repeated NoteCommentTarget noteCommentTarget = 12;repeated TagTarget tagTarget = 13;repeated UserTarget userTarget = 14;repeated MallBannerTarget mallBannerTarget = 15;repeated MallGoodsTarget mallGoodsTarget = 16;repeated MallVendorTarget mallVendorTarget = 17;repeated MallCouponTarget mallCouponTarget = 18;repeated SearchTarget searchTarget = 30;repeated BrandingUserTarget brandingUserTarget = 40;repeated BrowserTarget browserTarget = 51;repeated ChannelTabTarget channelTabTarget = 100;repeated MessageTarget messageTarget = 151;repeated AdsTarget adsTarget = 152;repeated HeyTarget heyTarget = 153;repeated DebugTarget debugTarget = 154;repeated ActivityTarget activityTarget = 157;repeated LiveTarget liveTarget = 164;repeated CircleTarget circleTarget = 167;repeated GrowthPetTaskTarget growthPetTaskTarget = 195;repeated HideType hideType = 197;repeated WebTarget webTarget = 219;}
然后单步进入proto.App.serializeBinaryToWriter,写出App的proto。
message APP {enum NameTracker {DEFAULT_1 = 0;IOST = 1;ANDRT = 2;RNT = 3;MPT = 4;WAPT = 5;WXMPT = 6;BDMPT = 7;TTMPT = 8;QQMPT = 9;APMPT = 10;MINI_ANDRT = 11;}NameTracker nameTracker = 1;string AppVersion = 2;string TrackerVersion = 3;string SessionId = 4;string AppMarket = 5;enum Platform {DEFAULT_13 = 0;IOS = 1;ANDROID = 2;REACTNATIVE = 3;MOBILEBROWSER = 4;WECHATBROWSER = 5;WECHATMINIPROGRAM = 6;PC = 7;IOSBROWSER = 8;ANDROIDBROWSER = 9;FLUTTER = 10;};Platform platform = 6;string ArtifactName = 7;string ArtifactVersion = 8;enum AppMode {app_mode = 0;};AppMode appMode = 9;string LaunchId = 10;string MpScene = 11;string AppStartMode = 12;string BuildVersion = 13;int32 EventSeqIdInSession = 14;bool DarkMode = 15;string StartupId = 16;enum Orientation {DEFAULT_60 = 0;PORTRAIT = 1;LANDSCAPE = 2;LANDSCAPE_SPLIT = 3;PORTRAIT_SPLIT = 4;PORTRAIT_SPLIT_MAGIC = 5;LANDSCAPE_SPLIT_MAGIC = 6;LANDSCAPE_MAGIC = 7;PORTRAIT_MAGIC = 8;};Orientation orientation = 17;string BuildId = 1001;string Package = 1002;string AppName = 1003;string SdkName = 1004;string SdkVersion = 1005;enum Environment {DEFAULT_64 = 0;ENVIRONMENT_DEVELOP = 1;ENVIRONMENT_RELEASE = 2;};Environment environment = 1006;int64 ColdStartId = 1007;bool IsTeenagerMode = 1008;string DeviceType = 1009;}enum 数据类型就是提前为字段预设定一些值,可以通过关键字搜索在源码中找到预设的值。
依葫芦画瓢就能写出完整的.proto文件,这个时候我们就可以生成任何语言的消息处理文件,以python为例,写好之后执行命令”protoc --python_out=. ./collect.proto“就会生成一个py文件,测试一下反序列化,
import base64
from utils import collect_pb2
a = 'jgXsthBdCjYIBRITZGlzY292ZXJ5LXVuZGVmaW5lZBoFMC4wLjAwBzoKeGhzLXBjLXdlYkIFMy41LjJwgwESABptCiA1YmMzMzFmNDNlNmU3MzI0NGQyYjUxYzI5OTliMWUwMooBSHlZamRxRFlxanlGOHlZamRxRFlxMkkyNHF5S0FmSTRXbHhXaDdpZFd4MXkxdksyOFNxZHVEMDg4OHlXMnlXajhERGlxZDBxeSIaChg2MWMzZTNlOTAwMDAwMDAwMTAwMGQwZGYqAggEMh0I+xcSGDY0ZGM4NjhhMDAwMDAwMDAwYTAxYmQ4MzpECiRjMThhYzliYS1mY2JiLTQ3YTYtOTMwOC1hMTM4MGVmZTQ1YzIgATAfSgMxMzFY4NOG49T0gAN4z8UBiALs1eGxojFKtQIKJDliYWI3Y2QyLTNlYWUtNDQ2OS05NTUzLTA2Y2MyZTVjODQ5MhJvTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzExNS4wLjAuMCBTYWZhcmkvNTM3LjM2GjxodHRwczovL3d3dy54aWFvaG9uZ3NodS5jb20vZXhwbG9yZS82NGRjODY4YTAwMDAwMDAwMGEwMWJkODMiEC9leHBsb3JlLzpub3RlSWQqTGh0dHBzOi8vd3d3LnhpYW9ob25nc2h1LmNvbS9leHBsb3JlLzY0ZTE5ZGMyMDAwMDAwMDAwMTAzYzY2Nj9tX3NvdXJjZT1waW5wYWlaIgoYNjRkYzg2OGEwMDAwMDAwMDBhMDFiZDgzEAFyBGxpbms='
b = base64.urlsafe_b64decode(a)
tracker = collect_pb2.Tracker()
tracker.ParseFromString(b[4::])
print(tracker)
此时已经可以成功的反序列化了,需要特殊说明的是base解码的时候必须要用urlsafe_b64decode方法,因为原始数据里面有url,解码后的字节数据去掉了前面4个字节,因为在编码的时候在前面加了四个无用字节。
很多教程会说用fd抓包下载bin,然后命令行 protoc --decode_raw < 1.bin执行,解析protobuf数据结构,根据这个结构写proto,这种方法只适合大佬用,对于刚接触protobuf的人来说如果看到这种教程就会掉入无底深坑。
本文只用来交流学习,关键信息均已脱敏,如有侵权请联系删除。
欢迎大家进扣群交流学习:OTQwNDQ3ODg5