I am trying to understand a protobuf-encoded message. The message is given below; it is apparently a 64-byte-long hash value, but I cannot understand the encoding process.

```
0000  12 01 40 30 37 62 65 37 36 30 34 32 33 35 32 37
0010  33 30 64 64 63 37 38 35 39 39 38 39 34 66 31 31
0020  37 65 30 37 34 35 36 61 37 64 30 37 66 62 36 31
0030  64 39 38 32 31 62 32 36 61 38 33 34 61 34 30 66
0040  64 62 38
```

The 16-bit hexadecimal value on the left is just the offset; it's not part of the data.

The first byte says the following is a byte or string wire type, and the second byte says only one byte in the byte or string array. Then the third byte, 0x40, must be the length of the field, i.e. 64. I cannot understand how it was decoded. I don't have the proto file used to encode the message.

unwind
CodeWeed
  • I think you're going to need to have a look at the protobuf source code. Assuming of course that protobuf encoding is not a 1-way function (in all probability it is, since the proto file is the other half of the algorithm) – Richard Hodges May 21 '15 at 11:05
  • The [encoding is documented](https://developers.google.com/protocol-buffers/docs/encoding) so it should be possible to reverse engineer it from there. I got a headache trying to evaluate the varints mentally. – unwind May 21 '15 at 11:11
  • @RichardHodges I don't have the proto file used to encode this message – CodeWeed May 21 '15 at 11:26
  • @unwind I have looked at it... and still trying to make sense of it. – CodeWeed May 21 '15 at 11:27
  • @CodeWeed can you decode it with a dummy proto-generated message and then just look in the extras? – Richard Hodges May 21 '15 at 12:22
  • The "protoc" tool has a mode where it will take an encoded input **without** a schema, and display a best guess decoding "raw" or "decode" or something. Have you tried that? Otherwise, just go through manually, or using any reader API, to inspect the fields. One question leaps to mind: has the author included a prefix *before* the actual protobuf payload (for framing purposes) - if so, the first byte(s) might not be part of the message. – Marc Gravell May 21 '15 at 12:37
  • I don't think that is protobuf encoded, BTW: the last 64 bytes as payload makes sense, and the 0x40 before that indicating "length 64" makes sense, but in protobuf the value before the length prefix (0x40) is a field-header, and 0x01 is **not** a valid field-header (it would be field number zero, which is illegal) – Marc Gravell May 21 '15 at 12:43
  • try `protoc --decode_raw < your_message.bin` – sb32134 Nov 30 '15 at 11:31
  • Possible duplicate of [raw decoder for protobufs format](https://stackoverflow.com/questions/7343867/raw-decoder-for-protobufs-format) – Raedwald Dec 12 '17 at 17:01

0 Answers
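A schema-less walk of the protobuf wire format, in the spirit of the `protoc --decode_raw` suggestion in the comments, applied to the bytes from the question; this is an added example, not code from the original thread. The function names are hypothetical, and `try_skips` tests the framing-prefix idea from the comments by dropping up to three leading bytes before decoding.

```python
# Added example: helper names are hypothetical; bytes are copied from the question's dump.
DATA = bytes.fromhex("""
12 01 40 30 37 62 65 37 36 30 34 32 33 35 32 37
33 30 64 64 63 37 38 35 39 39 38 39 34 66 31 31
37 65 30 37 34 35 36 61 37 64 30 37 66 62 36 31
64 39 38 32 31 62 32 36 61 38 33 34 61 34 30 66
64 62 38""")

def read_varint(buf, pos):
    """Decode one base-128 varint, returning (value, next_pos)."""
    value = shift = 0
    while pos < len(buf) and shift < 64:
        byte = buf[pos]
        value |= (byte & 0x7F) << shift
        pos += 1
        if not byte & 0x80:          # continuation bit clear: last byte
            return value, pos
        shift += 7
    raise ValueError("truncated or overlong varint")

def decode_raw(buf):
    """Walk top-level fields with no schema; raise ValueError if malformed."""
    pos, fields = 0, []
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        num, wire = key >> 3, key & 7    # field number, wire type
        if num == 0:
            raise ValueError("field number 0 is illegal")
        if wire == 0:                    # varint
            val, pos = read_varint(buf, pos)
        elif wire in (1, 2, 5):          # fixed64, length-delimited, fixed32
            size, pos = read_varint(buf, pos) if wire == 2 else ({1: 8, 5: 4}[wire], pos)
            if pos + size > len(buf):
                raise ValueError(f"field {num}: {size} bytes run past end of input")
            val, pos = buf[pos:pos + size], pos + size
        else:                            # groups (3, 4) and undefined types (6, 7)
            raise ValueError(f"field {num}: unsupported wire type {wire}")
        fields.append((num, wire, val))
    return fields

def try_skips(buf, max_skip=3):
    """Raw-decode after dropping 0..max_skip leading bytes (possible framing)."""
    results = {}
    for skip in range(max_skip + 1):
        try:
            results[skip] = decode_raw(buf[skip:])
        except ValueError as err:
            results[skip] = f"error: {err}"
    return results
```

Calling `try_skips(DATA)` shows that no offset from 0 to 3 parses cleanly: at offset 0 the walker reads field 2 (one byte, 0x40) and field 6 (varint 55) before a declared length of 101 overruns the input, and at offset 1 it hits field number 0. The 64 bytes after 0x40 are all ASCII hex digits.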