Parsing Protocol-Buffers without .proto file


Question

I am reverse-engineering an Android app as part of a security project. My first step is to discover the protocol exchanged between the app and server. I have found that the protocol being used is protocol buffers. Given the nature of protobuf, the original .proto file is needed to be able to unserialize the protobuf-encoded message. Since I don't have that, I used protod to disassemble the Android app and recover any .proto files used.

I have the Android app in a form where it is a bunch of .smali and .so files. Running protod against the .so files yields only one .proto file -- google/protobuf/descriptor.proto.

I was under the impression that users of protocol buffers write their own .proto files, which might reference google/protobuf/descriptor.proto, but according to protod google/protobuf/descriptor.proto is the only .proto file used by the app. Could this actually be possible, and is google/protobuf/descriptor.proto enough for me to unserialize the messages between the app and server?

Answer

When you write a .proto file you can set an option optimize_for to LITE_RUNTIME (see here) and this will omit the descriptors from the generated code to reduce the size of the binary. I believe this is a common practice for mobile development since code size is a scarce resource in that environment. This may explain why you found only a single .proto file. It is unlikely that the app is actually transferring any data using descriptor.proto since that is mostly an implementation detail of the protocol buffers library.

If you cannot find any other descriptors, your best bet might be to try to interpret the protocol buffers without them. You can read about the protocol buffers wire format here. An easy way to get started would be to create a proto2 message type containing no fields and attempt to parse the data as that type. You can then use the reflection API to examine what are known as the "unknown fields" in the message and try to figure out what they represent.
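As an added illustration of the approach in the answer above (not code from the original post): a small hand-written decoder for the protobuf wire format that yields the same (field number, wire type, value) triples you would see as "unknown fields" after parsing into an empty proto2 message, without needing the protobuf library. The sample bytes are constructed for the example, not captured traffic.

```python
"""Minimal protobuf wire-format decoder (added example, no .proto needed).
Wire types: 0 varint, 1 fixed64, 2 length-delimited, 5 fixed32; the
deprecated group types 3 and 4 are rejected."""
import struct


def read_varint(buf, pos):
    """Return (value, new_pos) for a base-128 varint starting at pos."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")


def decode_fields(buf):
    """Return [(field_number, wire_type, value), ...] like 'unknown fields'."""
    fields, pos = [], 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field, wire = tag >> 3, tag & 0x07
        if field == 0:
            raise ValueError("illegal field number 0")
        if wire == 0:
            value, pos = read_varint(buf, pos)
        elif wire == 1:
            value, pos = struct.unpack_from("<Q", buf, pos)[0], pos + 8
        elif wire == 2:
            length, pos = read_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("truncated length-delimited field")
            value, pos = bytes(buf[pos:pos + length]), pos + length
        elif wire == 5:
            value, pos = struct.unpack_from("<I", buf, pos)[0], pos + 4
        else:
            raise ValueError(f"unsupported wire type {wire}")
        fields.append((field, wire, value))
    return fields


# Constructed sample (not captured traffic): field 1 = varint 150,
# field 2 = bytes b"hi", field 3 = embedded message {field 1 = varint 1}.
SAMPLE = bytes([0x08, 0x96, 0x01, 0x12, 0x02, 0x68, 0x69, 0x1A, 0x02, 0x08, 0x01])
```

A length-delimited value is ambiguous on the wire (string, bytes, packed repeated field or nested message), so when a wire-type-2 payload itself decodes cleanly with decode_fields, it is usually an embedded message.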

