aj3423 / protod

Decode protobuf without proto definition
http://168.138.55.177
MIT License
22 stars 3 forks

Have a question about decoding protobuf datas #4

Open aktayozan opened 7 months ago

aj3423 commented 7 months ago

Your data isn't proto. Just out of curiosity, I did a quick analysis:

The second data contains 5 segments. Take the first segment, for example:

  1. 2 fixed bytes: 2000
  2. segment total length: 05f3, it's the length from the beginning 2000 to the trailing c23e00
  3. some unknown bytes: 000000000d03000000
  4. the real protobuf data
  5. 3 trailing bytes: c23e00

I wonder what protocol this is, especially the trailing c23e00. Do you see any string like "grpc" or anything that might be related to protobuf in Bumble?

aktayozan commented 7 months ago

Most of the requests are protobuf, but I guess some of these responses are not protobuf. I captured the raw requests with mitmproxy; because I don't know much about reverse engineering, I couldn't figure out what kind of data this is. If you share contact details (like an email), I can send the raw data (you can view it with mitmproxy web).

aj3423 commented 7 months ago

Please attach the mitmproxy dump here if possible; delete some irrelevant rows if it's too large.

aj3423 commented 7 months ago

I've never seen such a TCP protocol before. Not sure if it's some existing protocol; 99% sure it's their own protocol. But a TCP packet is never a proto chunk; just extract the proto from it. Anyway, why are you so nervous about this?

aktayozan commented 7 months ago

Thanks for the clarification. I don't want people to find this data, because it's not easy to bypass its SSL security and capture network requests.