How can I verify whether Firefox really sends zlib data over SPDY?

reverse-engineering decompress https-protocol
2021-06-15 01:17:04

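I recently posted a StackOverflow bounty to determine whether Wireshark, Firefox, or a bad data sample is at fault, judging by the fact that the latest Wireshark cannot parse it. This is a continuation of that question.

Assuming the bounty linked above is correct, here is the complete SYN_STREAM SPDY packet that Wireshark cannot parse: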

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

According to Wireshark, the compressed headers should start with "783f". Unfortunately, I cannot decompress it:

$ python
Python 2.7.8 (default, Nov 10 2014, 08:19:18) 
[GCC 4.9.2 20141101 (Red Hat 4.9.2-1)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import zlib
>>> header = "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".decode('hex')
>>> zlib.decompress(header)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
zlib.error: Error 2 while decompressing data

Is it really zlib? How can I prove it?

1 Answer

I managed to decompress it in Python by specifying a decompression dictionary:

#!/usr/bin/python3

import zlib
import base64

header = ("783fe3c6a7c2003b01c4fe00000009000000073a6d6574686f"
"6400000003474554000000053a70617468000000012f000000083a76657273696f6e000000084"
"85454502f312e31000000053a686f73740000000d3139322e3136382e302e313734000000073a"
"736368656d650000000568747470730000000a757365722d6167656e74000000414d6f7a696c6"
"c612f352e30202857696e646f7773204e5420352e313b2072763a33302e3029204765636b6f2f"
"32303130303130312046697265666f782f33302e30000000066163636570740000003f7465787"
"42f68746d6c2c6170706c69636174696f6e2f7868746d6c2b786d6c2c6170706c69636174696f"
"6e2f786d6c3b713d302e392c2a2f2a3b713d302e380000000f6163636570742d6c616e6775616"
"7650000000e656e2d55532c656e3b713d302e3500000003646e740000000131000000ffff")

zdict = base64.b16decode("000000076F7074696F6E730000000468656164000000"
"04706F7374000000037075740000000664656C65746500000005747261636500000006"
"6163636570740000000E6163636570742D636861727365740000000F6163636570742D"
"656E636F64696E670000000F6163636570742D6C616E67756167650000000D61636365"
"70742D72616E6765730000000361676500000005616C6C6F770000000D617574686F72"
"697A6174696F6E0000000D63616368652D636F6E74726F6C0000000A636F6E6E656374"
"696F6E0000000C636F6E74656E742D6261736500000010636F6E74656E742D656E636F"
"64696E6700000010636F6E74656E742D6C616E67756167650000000E636F6E74656E74"
"2D6C656E67746800000010636F6E74656E742D6C6F636174696F6E0000000B636F6E74"
"656E742D6D64350000000D636F6E74656E742D72616E67650000000C636F6E74656E74"
"2D74797065000000046461746500000004657461670000000665787065637400000007"
"657870697265730000000466726F6D00000004686F73740000000869662D6D61746368"
"0000001169662D6D6F6469666965642D73696E63650000000D69662D6E6F6E652D6D61"
"7463680000000869662D72616E67650000001369662D756E6D6F6469666965642D7369"
"6E63650000000D6C6173742D6D6F646966696564000000086C6F636174696F6E000000"
"0C6D61782D666F72776172647300000006707261676D610000001270726F78792D6175"
"7468656E7469636174650000001370726F78792D617574686F72697A6174696F6E0000"
"000572616E676500000007726566657265720000000B72657472792D61667465720000"
"000673657276657200000002746500000007747261696C6572000000117472616E7366"
"65722D656E636F64696E6700000007757067726164650000000A757365722D6167656E"
"74000000047661727900000003766961000000077761726E696E67000000107777772D"
"61757468656E746963617465000000066D6574686F6400000003676574000000067374"
"6174757300000006323030204F4B0000000776657273696F6E00000008485454502F31"
"2E310000000375726C000000067075626C69630000000A7365742D636F6F6B69650000"
"000A6B6565702D616C697665000000066F726967696E31303031303132303132303232"
"3035323036333030333032333033333034333035333036333037343032343035343036"
"3430373430383430393431303431313431323431333431343431353431363431373530"
"32353034353035323033204E6F6E2D417574686F726974617469766520496E666F726D"
"6174696F6E323034204E6F20436F6E74656E74333031204D6F766564205065726D616E"
"656E746C7934303020426164205265717565737434303120556E617574686F72697A65"
"6434303320466F7262696464656E343034204E6F7420466F756E6435303020496E7465"
"726E616C20536572766572204572726F72353031204E6F7420496D706C656D656E7465"
"64353033205365727669636520556E617661696C61626C654A616E20466562204D6172"
"20417072204D6179204A756E204A756C204175672053657074204F6374204E6F762044"
"65632030303A30303A3030204D6F6E2C205475652C205765642C205468752C20467269"
"2C205361742C2053756E2C20474D546368756E6B65642C746578742F68746D6C2C696D"
"6167652F706E672C696D6167652F6A70672C696D6167652F6769662C6170706C696361"
"74696F6E2F786D6C2C6170706C69636174696F6E2F7868746D6C2B786D6C2C74657874"
"2F706C61696E2C746578742F6A6176617363726970742C7075626C6963707269766174"
"656D61782D6167653D677A69702C6465666C6174652C73646368636861727365743D75"
"74662D38636861727365743D69736F2D383835392D312C7574662D2C2A2C656E713D30"
"2E")

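# Convert the hex string to raw bytes (b16decode only accepts uppercase hex digits)
header = base64.b16decode(header.upper())

# Decompress with the preset dictionary supplied through zdict
z = zlib.decompressobj(zdict=zdict)
print(z.decompress(bytearray(header)))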
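Why the plain zlib.decompress call fails with "Error 2" (zlib's Z_NEED_DICT) can be read from the first six bytes of the stream: the RFC 1950 header carries an FDICT flag and the Adler-32 of the preset dictionary the sender used. The following is an added example, not part of the original question or answer; the function names, SAMPLE_DICT and SAMPLE_PLAIN are constructed for illustration.

```python
import struct
import zlib

def parse_zlib_header(data: bytes) -> dict:
    """Decode the RFC 1950 zlib header (CMF, FLG and optional DICTID)."""
    if len(data) < 2:
        raise ValueError("need at least 2 bytes")
    cmf, flg = data[0], data[1]
    info = {
        "method": cmf & 0x0F,                    # 8 means deflate
        "window_bits": (cmf >> 4) + 8,           # 15 means a 32 KiB window
        "check_ok": (cmf << 8 | flg) % 31 == 0,  # FCHECK makes CMF*256+FLG a multiple of 31
        "fdict": bool(flg & 0x20),               # preset dictionary required
        "dictid": None,
    }
    if info["fdict"]:
        if len(data) < 6:
            raise ValueError("FDICT set but DICTID is truncated")
        info["dictid"] = struct.unpack(">I", data[2:6])[0]
    return info

def dictionary_matches(data: bytes, zdict: bytes) -> bool:
    """True if the stream asks for exactly this dictionary (Adler-32 match)."""
    info = parse_zlib_header(data)
    return info["fdict"] and info["dictid"] == zlib.adler32(zdict)

def inflate_with_dict(data: bytes, zdict: bytes) -> bytes:
    """Inflate a stream that was compressed against a preset dictionary."""
    return zlib.decompressobj(zdict=zdict).decompress(data)

# Constructed sample data in the same length-prefixed style as the header block.
SAMPLE_DICT = b"\x00\x00\x00\x06method\x00\x00\x00\x03get\x00\x00\x00\x07version"
SAMPLE_PLAIN = b"\x00\x00\x00\x07:method\x00\x00\x00\x03GET"

def make_sample() -> bytes:
    """Compress SAMPLE_PLAIN against SAMPLE_DICT, ending with a sync flush."""
    c = zlib.compressobj(zdict=SAMPLE_DICT)
    return c.compress(SAMPLE_PLAIN) + c.flush(zlib.Z_SYNC_FLUSH)

if __name__ == "__main__":
    # First six bytes of the header block quoted in the answer above.
    print(parse_zlib_header(bytes.fromhex("783fe3c6a7c2")))
    sample = make_sample()
    print(dictionary_matches(sample, SAMPLE_DICT))
    print(inflate_with_dict(sample, SAMPLE_DICT))
```

Comparing zlib.adler32 of a candidate dictionary against the DICTID field confirms which dictionary a captured stream expects before any decompression is attempted.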