对BytesExtra实际结构的猜想
TsXor opened this issue · comments
使用protodeep可以得到一个初步的schema:
syntax = "proto3";
message Schema {
message field1_type {
int64 field1 = 1;
int64 field2 = 2;
}
repeated field1_type field1 = 1;
message field3_type {
int64 field1 = 1;
string field2 = 2;
}
repeated field3_type field3 = 3;
}
基于实际数据做一些猜测,可以得到如下schema:
syntax = "proto3";
message BytesExtra {
message FlagAttr { int64 enum_code = 1; int64 value = 2; }
message StringAttr { int64 enum_code = 1; string value = 2; }
repeated FlagAttr flags = 1;
repeated StringAttr strings = 3;
}
即ExtraBytes
可能由“属性”构成,每个“属性”包含一个枚举标志和其实际值。例如,enum_code
为1
代表属性为微信号。
POC:
from typing import Any
from bytes_extra_pb2 import BytesExtra
def parse_extra(extra: bytes):
deser = BytesExtra(); deser.ParseFromString(extra)
attrs = dict[str, Any]()
for s in deser.flags: attrs[s.enum_code] = s.value
for f in deser.strings: attrs[f.enum_code] = f.value
return attrs
解析结果:
{
1: 'wxid_wf3i4qvi1fs422',
2: 'ed888b05f5e43d187e82f7b3e3d43955',
3: 'wxid_uapoh6oefocv22\\FileStorage\\MsgAttach\\bc44fe438e271901567ead7e4b94eb23\\Thumb\\2024-06\\1a08016ec909b67ed62ece884a511cb6_t.dat',
4: 'wxid_uapoh6oefocv22\\FileStorage\\MsgAttach\\bc44fe438e271901567ead7e4b94eb23\\Image\\2024-06\\ae982b5a092b000771e86f9170eef736.dat',
5: 1,
6: 0,
7: '<msgsource>\n <alnode>\n <fr>2</fr>\n </alnode>\n <sec_msg_node>\n <uuid>cfbbfac92959371dcc1a01dcc894a638_</uuid>\n <risk-file-flag />\n <risk-file-md5-list />\n <alnode>\n <fr>1</fr>\n </alnode>\n </sec_msg_node>\n <imgmsg_pd cdnmidimgurl_size="372253" cdnmidimgurl_pd_pri="30" cdnmidimgurl_pd="0" />\n <silence>1</silence>\n <membercount>437</membercount>\n <signature>V1_SCc9hsGK|v1_Vaz8G5n5</signature>\n <tmp_node>\n <publisher-id />\n </tmp_node>\n</msgsource>\n',
16: 1,
}
非常感谢更加详细的数据,如果方便的话,可以提交一个pr吗?
pywxdump/dbpreprocess/parsingMSG.py
def get_BytesExtra(self, BytesExtra):
if BytesExtra is None or not isinstance(BytesExtra, bytes):
return None
try:
deserialize_data, message_type = blackboxprotobuf.decode_message(BytesExtra)
return deserialize_data
except Exception as e:
return None
让他的返回值更加详细