1、起因
- 期初开始对https://cat-match.easygame2021.com/sheep/v1/game/game_over_ex/ 抓到的包,很好奇,MatchPlayInfo到底是个啥加密方式。
- 通过分析JS源码,找到一个叫做 Protbuf 的东西,头一次 接触,学了一下,如何用Python实现这个玩意,所以有了这篇文章,算是对学习protobuf的记录。
- 欢迎大佬批评指正。
{ "MatchPlayInfo" : "CAMiBQiKARAIIgUIiwEQCCIFCJABEAgiBQjRARAFIgUI0gEQBSIFCNMBEAUiBQi9ARAGIgUIvwEQBiIFCL4BEAYiBQijAhABIgUIpgIQASIFCKcCEAEiBQikAhABIgUIqAIQASIFCKUCEAEiBQibAhABIgUImAIQASIFCJoCEAEiBQiZAhABIgUIoQIQASIFCKICEAEiBQicAhABIgUInQIQASIFCJ8CEAEiBQieAhABIgUIoAIQASIFCJUCEAEiBQiJAhACIgUIigIQAiIFCIsCEAIiBQiMAhACIgUIjQIQAiIFCJQCEAIiBQiTAhACIgUIkgIQAiIFCJECEAIiBQiQAhACIgUIgAIQAiIFCIECEAIiBQiGAhACIgUIhQIQAiIFCIQCEAIiBQj5ARADIgUI+gEQAyIFCPsBEAMiBQj8ARADIgUI\/gEQAyIFCP8BEAMiBQjzARADIgUI9AEQAyIFCO0BEAMiBQjsARADIgUI6wEQAyIFCPIBEAMiBQjgARAEIgUI4QEQBCIFCOIBEAQiBQjmARAEIgUI3AEQBCIFCN0BEAQiBQjIARAFIgUIyQEQBSIFCNABEAUiBQjPARAFIgUI1AEQBSIFCMEBEAUiBQjAARAGIgUIswEQBiIFCLQBEAYiBAgwEA0iBAgxEA0iBAguEA0iBAgvEA0iBAglEA0iBAgmEA0iBAgiEA4iBAgjEA4iBAgkEA4iBAgXEA4iBAgYEA4iBAgZEA4iBQipARAHIgUIpwEQByIFCKgBEAciBAgGEA8iBAgFEA8iBAgJEA8iBAgIEA8iBAgHEA8iBAgLEA8iBQiWAhABIgUIhwIQAiIFCIgCEAIiBQiDAhACIgUI9QEQAyIFCPgBEAMiBQjxARADIgUI6gEQBCIFCNsBEAQiBQjfARAEIgUIlwIQASIFCI4CEAIiBQiPAhACIgUIggIQAiIFCPYBEAMiBQj9ARADIgUI9wEQAyIFCOcBEAQiBQjoARAEIgUI6QEQBCIFCNYBEAQiBQjeARAEIgUI5QEQBCIFCMIBEAUiBQjVARAFIgUIxwEQBSIFCLIBEAYiBQjuARADIgUI7wEQAyIFCPABEAMiBQjXARAEIgUI4wEQBCIFCOQBEAQiBQjYARAEIgUI2QEQBCIFCNoBEAQiBQjDARAFIgUIxAEQBSIFCMUBEAUiBQjGARAFIgUIygEQBSIFCM0BEAUiBQjLARAFIgUIzgEQBSIFCMwBEAUiBQi1ARAGIgUItgEQBiIFCLcBEAYiBQi4ARAGIgUIvAEQBiIFCLEBEAYiBQiwARAGIgUIuwEQBiIFCLoBEAYiBQivARAGIgUIrgEQBiIFCLkBEAYiBQiZARAHIgUImwEQByIFCKsBEAciBQiqARAHIgUInAEQByIFCJoBEAciBQieARAHIgUIoQEQByIFCJ8BEAciBQigARAHIgUIpAEQByIFCKYBEAciBQijARAHIgUIpQEQByIFCJgBEAciBQiMARAIIgUIjgEQCCIFCJUBEAgiBQiWARAIIgUIlAEQCCIFCJMBEAgiBQiFARAIIgUIgwEQCCIFCIcBEAgiBQiPARAIIgUIjQEQCCIFCIkBEAgiBQiCARAIIgUIrAEQBiIFCK0BEAYiBQidARAHIgUIlwEQByIFCKIBEAciBQiRARAIIgUIkgEQCCIECH8QCSIFCIEBEAkiBAh9EAkiBAgOEA8iBAgQEA8iBAgPEA8iBAh1EAkiBAh2EAkiBAh3EAkiBAh8EAkiBAhwEAkiBAhxEAkiBAh0EAkiBAh7EAkiBAhvEAkiBAhrEAoiBAhqEAoiBAhpEAoiBQiEARAIIgUIhgEQCCIFCIgBEAgiBAhiEAoiBAhhEAoiBAhnEAoiBQiAARAJIgQIfhAJIgQIeRAJIgQIeBAJIgQIehAJIgQIchAJIgQIcxAJIgQIbhAJIgQIbRAJIgQIZhAKIgQIYxAKIgQIbBAKIgQIZBAKIgQIZRAKIgQIXRAKIgQIVhALIgQIWhALIgQIWRALIgQITxALIgQISRALIgQIUhALIgQIWxAKIgQIXBAKIgQIXhAKIgQIQxAMIgQIRBAMIgQIPRAMIgQIVBALIgQIVRALIgQIUxALIgQIThALIgQITBALIgQITRALIgQIRxAMIgQIOxAMIgQIPBAMIgQINBANIgQIMxANIgQINRANIgQISBAMIgQIQhAMIgQIOhAMIgQIJxANIgQIMhANIgQIKRANIgQIKBANIgQIHRAOIgQIHBAOIgQIGxAOIgQIEhAPIgQIERAPIgQIDRAPIgQIXxAKIgQIaBAKIgQIYBAKIgQIWBALIgQIVxALIgQIURALIgQIUBALIgQISxALIgQIShALIgQIRhAMIgQIRRAMIgQIPxAMIgQIPhAMIgQINxAMIgQIQRAMIgQIQBAMIgQIORAMIgQIOBAMIgQINhANIgQILRANIgQILBANIgQIIBAOIgQIIRAOIgQIGhAOIgQIKhANIgQIKxANIgQIExAOIgQIHxAOIgQIFhAOIgQIHhAOIgQIBBAPIgQIFBAOIgQIFRAOIgQIAhAPIgQIAxAPIgQIARAPIgQIDBAPIgQIChAPIgQIABAB", "Version" : "0.0.1", "MapSeed2" : "1666910531", "skin" : 1, "rank_time" : 144, "rank_role" : 1, "rank_state" : 1, "rank_score" : 1}
2、protobuf 是什么
protobuf是google提供的一个 开源序列化框架 ,类似于XML,JSON这样的数据表示语言,其最大的特点是 基于二进制 ,因此比传统的XML 表示高效短小得多。虽然是二进制数据格式,但并没有因此变得复杂,开发人员通过按照一定的语法定义结构化的消息格式,然后送给命令行工具,工具将自动生成 相关的类,可以支持php、java、c++、python等语言环境。通过将这些类包含在项目中,可以很轻松的调用相关方法来完成业务消息的序列化与反 序列化工作。
protobuf在google中是一个比较核心的基础库,作为分布式运算涉及到大量的不同业务消息的传递,如何高效简洁的表示、操作这些业务消息在 google这样的大规模应用中是至关重要的。而protobuf这样的库正好是在效率、数据大小、易用性之间取得了很好的平衡。
简单看来 就是一个序列化和反序列化工具。
3、protobuf 怎么用
正向:
- 定义一个.proto文件的message结构体
- 通过proto库提供的工具 生成所需语言的代码
- 通过生成的代码 进行加解密
逆向:
- 通过blackboxprotobuf工具对密文解码
- 通过读源码分析对应的参数
- 构造message结构体
- 通过生成的代码加解密
4、逆向实操
step1
对密文的预处理
- 通过源码可以看到,MatchPlayInfo是序列化后通过base64编码的
var N ={ rank_score: 1, rank_state: t, rank_time: this.countdown, rank_role: o, skin: r, MatchPlayInfo: S.default.base64_encode(b) };
CAMiBQiKARAIIgUIiwEQCCIFCJABEAgiBQjRARAFIgUI0gEQBSIFCNMBEAUiBQi9ARAGIgUIvwEQBiIFCL4BEAYiBQijAhABIgUIpgIQASIFCKcCEAEiBQikAhABIgUIqAIQASIFCKUCEAEiBQibAhABIgUImAIQASIFCJoCEAEiBQiZAhABIgUIoQIQASIFCKICEAEiBQicAhABIgUInQIQASIFCJ8CEAEiBQieAhABIgUIoAIQASIFCJUCEAEiBQiJAhACIgUIigIQAiIFCIsCEAIiBQiMAhACIgUIjQIQAiIFCJQCEAIiBQiTAhACIgUIkgIQAiIFCJECEAIiBQiQAhACIgUIgAIQAiIFCIECEAIiBQiGAhACIgUIhQIQAiIFCIQCEAIiBQj5ARADIgUI+gEQAyIFCPsBEAMiBQj8ARADIgUI\/gEQAyIFCP8BEAMiBQjzARADIgUI9AEQAyIFCO0BEAMiBQjsARADIgUI6wEQAyIFCPIBEAMiBQjgARAEIgUI4QEQBCIFCOIBEAQiBQjmARAEIgUI3AEQBCIFCN0BEAQiBQjIARAFIgUIyQEQBSIFCNABEAUiBQjPARAFIgUI1AEQBSIFCMEBEAUiBQjAARAGIgUIswEQBiIFCLQBEAYiBAgwEA0iBAgxEA0iBAguEA0iBAgvEA0iBAglEA0iBAgmEA0iBAgiEA4iBAgjEA4iBAgkEA4iBAgXEA4iBAgYEA4iBAgZEA4iBQipARAHIgUIpwEQByIFCKgBEAciBAgGEA8iBAgFEA8iBAgJEA8iBAgIEA8iBAgHEA8iBAgLEA8iBQiWAhABIgUIhwIQAiIFCIgCEAIiBQiDAhACIgUI9QEQAyIFCPgBEAMiBQjxARADIgUI6gEQBCIFCNsBEAQiBQjfARAEIgUIlwIQASIFCI4CEAIiBQiPAhACIgUIggIQAiIFCPYBEAMiBQj9ARADIgUI9wEQAyIFCOcBEAQiBQjoARAEIgUI6QEQBCIFCNYBEAQiBQjeARAEIgUI5QEQBCIFCMIBEAUiBQjVARAFIgUIxwEQBSIFCLIBEAYiBQjuARADIgUI7wEQAyIFCPABEAMiBQjXARAEIgUI4wEQBCIFCOQBEAQiBQjYARAEIgUI2QEQBCIFCNoBEAQiBQjDARAFIgUIxAEQBSIFCMUBEAUiBQjGARAFIgUIygEQBSIFCM0BEAUiBQjLARAFIgUIzgEQBSIFCMwBEAUiBQi1ARAGIgUItgEQBiIFCLcBEAYiBQi4ARAGIgUIvAEQBiIFCLEBEAYiBQiwARAGIgUIuwEQBiIFCLoBEAYiBQivARAGIgUIrgEQBiIFCLkBEAYiBQiZARAHIgUImwEQByIFCKsBEAciBQiqARAHIgUInAEQByIFCJoBEAciBQieARAHIgUIoQEQByIFCJ8BEAciBQigARAHIgUIpAEQByIFCKYBEAciBQijARAHIgUIpQEQByIFCJgBEAciBQiMARAIIgUIjgEQCCIFCJUBEAgiBQiWARAIIgUIlAEQCCIFCJMBEAgiBQiFARAIIgUIgwEQCCIFCIcBEAgiBQiPARAIIgUIjQEQCCIFCIkBEAgiBQiCARAIIgUIrAEQBiIFCK0BEAYiBQidARAHIgUIlwEQByIFCKIBEAciBQiRARAIIgUIkgEQCCIECH8QCSIFCIEBEAkiBAh9EAkiBAgOEA8iBAgQEA8iBAgPEA8iBAh1EAkiBAh2EAkiBAh3EAkiBAh8EAkiBAhwEAkiBAhxEAkiBAh0EAkiBAh7EAkiBAhvEAkiBAhrEAoiBAhqEAoiBAhpEAoiBQiEARAIIgUIhgEQCCIFCIgBEAgiBAhiEAoiBAhhEAoiBAhnEAoiBQiAARAJIgQIfhAJIgQIeRAJIgQIeBAJIgQIehAJIgQIchAJIgQIcxAJIgQIbhAJIgQIbRAJIgQIZhAKIgQIYxAKIgQIbBAKIgQIZBAKIgQIZRAKIgQIXRAKIgQIVhALIgQIWhALIgQIWRALIgQITxALIgQISRALIgQIUhALIgQIWxAKIgQIXBAKIgQIXhAKIgQIQxAMIgQIRBAMIgQIPRAMIgQIVBALIgQIVRALIgQIUxALIgQIThALIgQITBALIgQITRALIgQIRxAMIgQIOxAMIgQIPBAMIgQINBANIgQIMxANIgQINRANIgQISBAMIgQIQhAMIgQIOhAMIgQIJxANIgQIMhANIgQIKRANIgQIKBANIgQIHRAOIgQIHBAOIgQIGxAOIgQIEhAPIgQIERAPIgQIDRAPIgQIXxAKIgQIaBAKIgQIYBAKIgQIWBALIgQIVxALIgQIURALIgQIUBALIgQISxALIgQIShALIgQIRhAMIgQIRRAMIgQIPxAMIgQIPhAMIgQINxAMIgQIQRAMIgQIQBAMIgQIORAMIgQIOBAMIgQINhANIgQILRANIgQILBANIgQIIBAOIgQIIRAOIgQIGhAOIgQIKhANIgQIKxANIgQIExAOIgQIHxAOIgQIFhAOIgQIHhAOIgQIBBAPIgQIFBAOIgQIFRAOIgQIAhAPIgQIAxAPIgQIARAPIgQIDBAPIgQIChAPIgQIABAB
import base64mydate = "CAMiBQiKARAIIgUIiwEQCCIFCJABEAgiBQjRARAFIgUI0gEQBSIFCNMBEAUiBQi9ARAGIgUIvwEQBiIFCL4BEAYiBQijAhABIgUIpgIQASIFCKcCEAEiBQikAhABIgUIqAIQASIFCKUCEAEiBQibAhABIgUImAIQASIFCJoCEAEiBQiZAhABIgUIoQIQASIFCKICEAEiBQicAhABIgUInQIQASIFCJ8CEAEiBQieAhABIgUIoAIQASIFCJUCEAEiBQiJAhACIgUIigIQAiIFCIsCEAIiBQiMAhACIgUIjQIQAiIFCJQCEAIiBQiTAhACIgUIkgIQAiIFCJECEAIiBQiQAhACIgUIgAIQAiIFCIECEAIiBQiGAhACIgUIhQIQAiIFCIQCEAIiBQj5ARADIgUI+gEQAyIFCPsBEAMiBQj8ARADIgUI\/gEQAyIFCP8BEAMiBQjzARADIgUI9AEQAyIFCO0BEAMiBQjsARADIgUI6wEQAyIFCPIBEAMiBQjgARAEIgUI4QEQBCIFCOIBEAQiBQjmARAEIgUI3AEQBCIFCN0BEAQiBQjIARAFIgUIyQEQBSIFCNABEAUiBQjPARAFIgUI1AEQBSIFCMEBEAUiBQjAARAGIgUIswEQBiIFCLQBEAYiBAgwEA0iBAgxEA0iBAguEA0iBAgvEA0iBAglEA0iBAgmEA0iBAgiEA4iBAgjEA4iBAgkEA4iBAgXEA4iBAgYEA4iBAgZEA4iBQipARAHIgUIpwEQByIFCKgBEAciBAgGEA8iBAgFEA8iBAgJEA8iBAgIEA8iBAgHEA8iBAgLEA8iBQiWAhABIgUIhwIQAiIFCIgCEAIiBQiDAhACIgUI9QEQAyIFCPgBEAMiBQjxARADIgUI6gEQBCIFCNsBEAQiBQjfARAEIgUIlwIQASIFCI4CEAIiBQiPAhACIgUIggIQAiIFCPYBEAMiBQj9ARADIgUI9wEQAyIFCOcBEAQiBQjoARAEIgUI6QEQBCIFCNYBEAQiBQjeARAEIgUI5QEQBCIFCMIBEAUiBQjVARAFIgUIxwEQBSIFCLIBEAYiBQjuARADIgUI7wEQAyIFCPABEAMiBQjXARAEIgUI4wEQBCIFCOQBEAQiBQjYARAEIgUI2QEQBCIFCNoBEAQiBQjDARAFIgUIxAEQBSIFCMUBEAUiBQjGARAFIgUIygEQBSIFCM0BEAUiBQjLARAFIgUIzgEQBSIFCMwBEAUiBQi1ARAGIgUItgEQBiIFCLcBEAYiBQi4ARAGIgUIvAEQBiIFCLEBEAYiBQiwARAGIgUIuwEQBiIFCLoBEAYiBQivARAGIgUIrgEQBiIFCLkBEAYiBQiZARAHIgUImwEQByIFCKsBEAciBQiqARAHIgUInAEQByIFCJoBEAciBQieARAHIgUIoQEQByIFCJ8BEAciBQigARAHIgUIpAEQByIFCKYBEAciBQijARAHIgUIpQEQByIFCJgBEAciBQiMARAIIgUIjgEQCCIFCJUBEAgiBQiWARAIIgUIlAEQCCIFCJMBEAgiBQiFARAIIgUIgwEQCCIFCIcBEAgiBQiPARAIIgUIjQEQCCIFCIkBEAgiBQiCARAIIgUIrAEQBiIFCK0BEAYiBQidARAHIgUIlwEQByIFCKIBEAciBQiRARAIIgUIkgEQCCIECH8QCSIFCIEBEAkiBAh9EAkiBAgOEA8iBAgQEA8iBAgPEA8iBAh1EAkiBAh2EAkiBAh3EAkiBAh8EAkiBAhwEAkiBAhxEAkiBAh0EAkiBAh7EAkiBAhvEAkiBAhrEAoiBAhqEAoiBAhpEAoiBQiEARAIIgUIhgEQCCIFCIgBEAgiBAhiEAoiBAhhEAoiBAhnEAoiBQiAARAJIgQIfhAJIgQIeRAJIgQIeBAJIgQIehAJIgQIchAJIgQIcxAJIgQIbhAJIgQIbRAJIgQIZhAKIgQIYxAKIgQIbBAKIgQIZBAKIgQIZRAKIgQIXRAKIgQIVhALIgQIWhALIgQIWRALIgQITxALIgQISRALIgQIUhALIgQIWxAKIgQIXBAKIgQIXhAKIgQIQxAMIgQIRBAMIgQIPRAMIgQIVBALIgQIVRALIgQIUxALIgQIThALIgQITBALIgQITRALIgQIRxAMIgQIOxAMIgQIPBAMIgQINBANIgQIMxANIgQINRANIgQISBAMIgQIQhAMIgQIOhAMIgQIJxANIgQIMhANIgQIKRANIgQIKBANIgQIHRAOIgQIHBAOIgQIGxAOIgQIEhAPIgQIERAPIgQIDRAPIgQIXxAKIgQIaBAKIgQIYBAKIgQIWBALIgQIVxALIgQIURALIgQIUBALIgQISxALIgQIShALIgQIRhAMIgQIRRAMIgQIPxAMIgQIPhAMIgQINxAMIgQIQRAMIgQIQBAMIgQIORAMIgQIOBAMIgQINhANIgQILRANIgQILBANIgQIIBAOIgQIIRAOIgQIGhAOIgQIKhANIgQIKxANIgQIExAOIgQIHxAOIgQIFhAOIgQIHhAOIgQIBBAPIgQIFBAOIgQIFRAOIgQIAhAPIgQIAxAPIgQIARAPIgQIDBAPIgQIChAPIgQIABAB"out_b = base64.b64decode(mydata)
得到的就是protobuf序列化后的结果
b'\x08\x03"\x05\x08\x8a\x01\x10\x08"\x05\x08\x8b\x01\x10\x08"\x05\x08\x90\x01\x10\x08"\x05\x08\xd1\x01\x10\x05"………………
step2
使用blackboxprotobuf 对密文反序列化
- 安装blackboxprotobuf , protobuf
pip install blackboxprotobuf protobuf
import blackboxprotobufdeserialize_data, message_type = blackboxprotobuf.protobuf_to_json(out_b)print(f"原始数据: {deserialize_data}")print(f"消息类型: {message_type}")
得到结果:
原始数据: {"1": "3","4": [ { "1": "138","2": "8"},{"1": "139","2": "8"},{"1": "144","2": "8"},…………]}
消息类型: {'1': {'type': 'int', 'name': ''}, '4': {'type': 'message', 'message_typedef': {'1': {'type': 'int', 'name': ''}, '2': {'type': 'int', 'name': ''}}, 'name': ''}}
step3
分析源码构造message的.proto文件
源码:
MatchPlayInfo部分
o.MatchPlayInfo = function () { function t(t) { if (this.stepInfoList = [], t) for (var e = Object.keys(t), o = 0; o < e.length; ++o) null != t[e[o]] && (this[e[o]] = t[e[o]]); } return t.prototype.gameType = 0, t.prototype.mapId = 0, t.prototype.mapSeed = 0, t.prototype.stepInfoList = r.emptyArray, t.create = function (e) { return new t(e); }, t.encode = function (t, e) { if (e || (e = a.create()), null != t.gameType && Object.hasOwnProperty.call(t, "gameType") && e.uint32(8).int32(t.gameType), null != t.mapId && Object.hasOwnProperty.call(t, "mapId") && e.uint32(16).int32(t.mapId), null != t.mapSeed && Object.hasOwnProperty.call(t, "mapSeed") && e.uint32(24).int32(t.mapSeed), null != t.stepInfoList && t.stepInfoList.length) for (var o = 0; o < t.stepInfoList.length; ++o) c.protocol.MatchStepInfo.encode(t.stepInfoList[o], e.uint32(34).fork()).ldelim(); return e; }, t.decode = function (t, e) { t instanceof i || (t = i.create(t)); for (var o = void 0 === e ? t.len : t.pos + e, n = new c.protocol.MatchPlayInfo(); t.pos < o;) { var a = t.uint32(); switch (a > 3) { case 1: n.gameType = t.int32(); break; case 2: n.mapId = t.int32(); break; case 3: n.mapSeed = t.int32(); break; case 4: n.stepInfoList && n.stepInfoList.length || (n.stepInfoList = []), n.stepInfoList.push(c.protocol.MatchStepInfo.decode(t, t.uint32())); break; default: t.skipType(7 & a); } } return n; }, t; }()
MatchStepInfo部分
o.MatchStepInfo = function () { function t(t) { if (t) for (var e = Object.keys(t), o = 0; o < e.length; ++o) null != t[e[o]] && (this[e[o]] = t[e[o]]); } return t.prototype.chessIndex = 0, t.prototype.timeTag = 0, t.create = function (e) { return new t(e); }, t.encode = function (t, e) { return e || (e = a.create()), null != t.chessIndex && Object.hasOwnProperty.call(t, "chessIndex") && e.uint32(8).int32(t.chessIndex), null != t.timeTag && Object.hasOwnProperty.call(t, "timeTag") && e.uint32(16).int32(t.timeTag), e; }, t.decode = function (t, e) { t instanceof i || (t = i.create(t)); for (var o = void 0 === e ? t.len : t.pos + e, n = new c.protocol.MatchStepInfo(); t.pos < o;) { var a = t.uint32(); switch (a > 3) { case 1: n.chessIndex = t.int32(); break; case 2: n.timeTag = t.int32(); break; default: t.skipType(7 & a); } } return n; }, t; }()
根据源码及解析结果构建.proto文件
syntax = 'proto3';message MatchPlayInfo{ int32 gameType = 1; int32 mapId = 2; int32 mapSeed = 3; repeated StepInfoList stepInfoList = 4;}message StepInfoList{ int32 chessIndex = 1; int32 timeTag = 2;}