对BytesExtra实际结构的猜想

Question

对BytesExtra实际结构的猜想

TsXor opened this issue 2 months ago · comments

使用protodeep可以得到一个初步的schema：

syntax = "proto3";


message Schema {

  message field1_type {
    int64 field1 = 1;
    int64 field2 = 2;
  }

  repeated field1_type field1 = 1;

  message field3_type {
    int64 field1 = 1;
    string field2 = 2;
  }

  repeated field3_type field3 = 3;
}

基于实际数据做一些猜测，可以得到如下schema：

syntax = "proto3";

message BytesExtra {
  message FlagAttr { int64 enum_code = 1; int64 value = 2; }
  message StringAttr { int64 enum_code = 1; string value = 2; }
  repeated FlagAttr flags = 1;
  repeated StringAttr strings = 3;
}

即ExtraBytes可能由“属性”构成，每个“属性”包含一个枚举标志和其实际值。例如，enum_code为1代表属性为微信号。

TsXor · Answer 1 · Thu Jun 06 2024 22:21:40 GMT+0800 (China Standard Time)

POC：

from typing import Any
from bytes_extra_pb2 import BytesExtra

def parse_extra(extra: bytes):
    deser = BytesExtra(); deser.ParseFromString(extra)
    attrs = dict[str, Any]()
    for s in deser.flags: attrs[s.enum_code] = s.value
    for f in deser.strings: attrs[f.enum_code] = f.value
    return attrs

解析结果：

{
    1: 'wxid_wf3i4qvi1fs422',
    2: 'ed888b05f5e43d187e82f7b3e3d43955',
    3: 'wxid_uapoh6oefocv22\\FileStorage\\MsgAttach\\bc44fe438e271901567ead7e4b94eb23\\Thumb\\2024-06\\1a08016ec909b67ed62ece884a511cb6_t.dat',
    4: 'wxid_uapoh6oefocv22\\FileStorage\\MsgAttach\\bc44fe438e271901567ead7e4b94eb23\\Image\\2024-06\\ae982b5a092b000771e86f9170eef736.dat',
    5: 1,
    6: 0,
    7: '<msgsource>\n    <alnode>\n        <fr>2</fr>\n    </alnode>\n    <sec_msg_node>\n        <uuid>cfbbfac92959371dcc1a01dcc894a638_</uuid>\n        <risk-file-flag />\n        <risk-file-md5-list />\n        <alnode>\n            <fr>1</fr>\n        </alnode>\n    </sec_msg_node>\n    <imgmsg_pd cdnmidimgurl_size="372253" cdnmidimgurl_pd_pri="30" cdnmidimgurl_pd="0" />\n    <silence>1</silence>\n    <membercount>437</membercount>\n    <signature>V1_SCc9hsGK|v1_Vaz8G5n5</signature>\n    <tmp_node>\n        <publisher-id />\n    </tmp_node>\n</msgsource>\n',
    16: 1,
}

xaoyaoo · Answer 2 · Fri Jun 07 2024 18:15:33 GMT+0800 (China Standard Time)

非常感谢更加详细的数据，如果方便的话，可以提交一个pr吗？
pywxdump/dbpreprocess/parsingMSG.py

def get_BytesExtra(self, BytesExtra): 
         if BytesExtra is None or not isinstance(BytesExtra, bytes): 
             return None 
         try: 
             deserialize_data, message_type = blackboxprotobuf.decode_message(BytesExtra) 
             return deserialize_data 
         except Exception as e: 
             return None

让他的返回值更加详细