问题
I am trying to decode the post data sent to graph.instagram.com by the Android instagram app. The question is simillar to the one found here:
Reverse Engineer HTTP request
It seems that either the iPhone app handles this differently to the Android app or something has changed since that question was asked. I've captured the traffic using Burp and it seems the main data is now sent to IG as a .gz file:
POST /logging_client_events HTTP/1.1
X-IG-Connection-Type: WIFI
X-IG-Capabilities: 3brTAw==
X-IG-App-ID: 567067343352427
User-Agent: Instagram 24.0.0.11.201 Android (23/6.0; 240dpi; 480x854; LENOVO/Lenovo; Lenovo A2016a40; A2016a40; mt6735; en_GB)
Accept-Language: en-GB, en-US
Content-Type: multipart/form-data; boundary=EuG_-5FMs7IwTX7eBzBDIJ9VEteYsO
Accept-Encoding: gzip, deflate
Host: graph.instagram.com
X-FB-HTTP-Engine: Liger
Connection: close
Content-Length: 4206
--EuG_-5FMs7IwTX7eBzBDIJ9VEteYsO
Content-Disposition: form-data; name="access_token"
567067343352427|f249176f09e26ce54212b472dbab8fa8
--EuG_-5FMs7IwTX7eBzBDIJ9VEteYsO
Content-Disposition: form-data; name="format"
json
--EuG_-5FMs7IwTX7eBzBDIJ9VEteYsO
Content-Disposition: form-data; name="cmsg"; filename="a24cc6f3-23f1-438f-aecb-3f201d312c90_1.batch.gz"
Content-Type: application/octet-stream
Content-Transfer-Encoding: binary
í][sÚHý/<ÇÞ¾ª»]µÎÈÎâZ‰M›H[[*!HHÀ"0—©ùïûµ„mƒ2v‚�ÎTRCß/ç|§ïú½VÄÿ«�áµp<’Ní¬Æ-�,A¥œ0"j•×m<?ÂNü‡ñ)A|Ú³$ëÃY~IŽ ¶À¹ß&Q\%GÛ(–�=a´‹NÕ‰dqû$Ʋ’�Ðn‡B”n˜'Ù2øŽ˜E\ÉhXÅ ‹"«KOÀCDÙ= ã¨}B»PàÅ$RâÌÊÀúÿ¢Ñ°›ô‚¨Gƒ¢¬G[p£H°PѸ2L¥$¡âmÊCÅ"ò ÚDçqnK×~8ÆüœÄ½YNtK„Ó°vöŸßkÃ0�Á'Ó°7 ó`4é…Ã$
n“xw‚$OªŠ@¬iRÆОĄóSiqpÏG�Y¦}º1DÑ¡²dƒG¼˜N Ÿßky0蘖…±Dq‚1—J p�âŒa]í°
÷È-¦@AgÊ¢¢t©�(Ï$ŒÉ°LGƒX×7^^ÿëÕ*l©Y=áþv5÷¾fE›\êéXÔólõ•\μւw>ei„ŠòË4$7Ú?÷•ÿïyÒùz3ö«[õô*÷Ó‹¥×tæ�OW©Ÿ~IœfÄ\;Kò7šYæÚ7™ÛúÌ�¦Gœæs싹۬/œæ5k4Ôýw½¨Ý,úY”)Ô&Ó¬�è´/°Ó¬/Ý4ZºÍÏ�æ¥Ü™Æ×9qÓkÔ°ÏWŽ}Í»ö€9«Næ§uÒ«ÔI=ä¥ýÄùt½tí/ ¤Gv6ðs¿ïÚ×Ôµ¯ò†}™5Z/ÿOnâØ=î~ºÊtÞN³ŸøÍÏIê‘lØÎ/QçëUm˜Ô‡èïΣÙ0êa4ÐõmowGY6š€¤é¬Ðþåo蟲“Eí}
--EuG_-5FMs7IwTX7eBzBDIJ9VEteYsO
Content-Disposition: form-data; name="sent_time"
1512267283.408
--EuG_-5FMs7IwTX7eBzBDIJ9VEteYsO
Content-Disposition: form-data; name="cmethod"
deflate
--EuG_-5FMs7IwTX7eBzBDIJ9VEteYsO--
For some reason I am unable to paste the 'gibberish' below binary fully and it cuts off after a few lines.
Any idea how this is encoded? it's supposed to be .gz but the output from Burp doesn't look anything like it. Is there anyway I can save the file so I can inspect it? Burp, nor fiddler seem to support anything like that.
回答1:
To decompress it use inflater that omit header check
Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate(File.read("*.batch.gz"))
In the ruby doc we might read this
Zlib::Inflate.new(window_bits = Zlib::MAX_WBITS)
Creates a new inflate stream for decompression. window_bits sets the size of the history buffer and can have the following values:
0 - Have inflate use the window size from the zlib header of the compressed stream.
(8..15) - Overrides the window size of the inflate header in the compressed stream. The window size must be greater than or equal to the window size of the compressed stream.
Greater than 15 Add 32 - to window_bits to enable zlib and gzip decoding with automatic header detection, or add 16 to decode only the gzip format (a Zlib::DataError will be raised for a non-gzip stream).
(-8..-15) - Enables raw deflate mode which will not generate a check value, and will not look for any check values for comparison at the end of the stream.
This is for use with other formats that use the deflate compressed data format such as zip which provide their own check values.
https://ruby-doc.org/stdlib-2.6.3/libdoc/zlib/rdoc/Zlib/Inflate.html
来源:https://stackoverflow.com/questions/47614735/reverse-engineering-http-request