How do I determine the type of binary serialization?

reverse-engineering hex protocol
2021-06-24 02:01:40

I am trying to analyze the messages a game sends to its server over WebSockets. I have a simple WebSockets proxy that sits in the middle and prints all messages to the console.

I noticed that every 5 seconds there is a ping-pong message that looks like this:

Server: 00 00 00    Client: 01 00 00 00

The messages carrying the actual data look like this:

Client:

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  3E E6 DC 00 00 00 00 00 00 00 2F 08 DC 31 CB 00  >жЬ......./.Ь1Л.
00000010  06 4C 6F 77 64 65 72 00 00 00 00 00 00 00 00 03  .Lowder.........
00000020  00 90 42 47 CD 82 07 4B 14 B5 9D 4B 74 14 30 59  .ђBGН‚.K.µќKt.0Y
00000030  C8 11 EA 68 73 40 C1 7E D6 63 69 6E 6F 6E 80 EC  И.кhs@Б~ЦcinonЂм
00000040  9A                                               љ

Server:

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  6F E6 DC 03 00 00 00 00 00 00 00 00 00 00 00 00  oжЬ.............
00000010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000020  00 00 00 00 00 07 49 6E 76 61 6C 69 64 00 00 00  ......Invalid...
00000030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000050  00 00 00 00 00 00 00 FF 00 00 00 00 00 00 00 00  .......я........
00000060  00 00 00 1B 00 04 72 61 6E 6B 00 00 00 05 6D 61  ......rank....ma
00000070  72 6B 73 00 00 00 03 65 6C 6F 03 40 92 C0 00 00  rks....elo.@’А..
00000080  00 00 00 00 0B 68 69 73 63 6F 72 65 52 61 6E 6B  .....hiscoreRank
00000090  02 00 00 04 B0 00 06 62 61 6E 6E 65 64 00 00 00  ....°..banned...
000000A0  09 62 61 6E 45 78 70 69 72 65 02 00 00 00 00 00  .banExpire......
000000B0  05 6D 75 74 65 64 00 00 00 0C 62 72 6F 6E 7A 65  .muted....bronze
000000C0  54 6F 6B 65 6E 73 01 00 00 00 0C 73 69 6C 76 65  Tokens.....silve
000000D0  72 54 6F 6B 65 6E 73 01 00 00 00 0A 67 6F 6C 64  rTokens.....gold
000000E0  54 6F 6B 65 6E 73 01 00 00 00 0D 68 77 65 65 6E  Tokens.....hween
000000F0  31 37 54 6F 6B 65 6E 73 01 00 00 00 06 62 61 6E  17Tokens.....ban
00000100  6E 65 72 00 00 00 0C 6F 6E 6C 69 6E 65 53 74 61  ner....onlineSta
00000110  74 75 73 00 03 00 05 6C 65 76 65 6C 02 00 00 00  tus....level....
00000120  00 00 0A 65 78 70 65 72 69 65 6E 63 65 03 00 00  ...experience...
00000130  00 00 00 00 00 00 00 08 70 72 65 73 74 69 67 65  ........prestige
00000140  00 00 00 0A 72 65 70 75 74 61 74 69 6F 6E 02 00  ....reputation..
00000150  00 00 00 00 0D 64 61 69 6C 79 50 6F 73 69 74 69  .....dailyPositi
00000160  6F 6E 02 00 00 00 00 00 0B 65 6C 6F 50 6F 73 69  on.......eloPosi
00000170  74 69 6F 6E 02 00 00 00 00 00 12 72 65 70 75 74  tion.......reput
00000180  61 74 69 6F 6E 50 6F 73 69 74 69 6F 6E 02 00 00  ationPosition...
00000190  00 00 00 07 64 61 69 6C 79 58 50 02 00 00 00 00  ....dailyXP.....
000001A0  00 09 75 6E 73 70 65 6E 74 58 50 02 00 00 00 00  ..unspentXP.....
000001B0  00 0B 77 65 72 65 77 6F 6C 66 44 4C 43 00 00 00  ..werewolfDLC...
000001C0  0A 76 61 6D 70 69 72 65 44 4C 43 00 00 00 09 73  .vampireDLC....s
000001D0  70 69 64 65 72 44 4C 43 00 00 00 12 77 69 6E 4F  piderDLC....winO
000001E0  66 54 68 65 44 61 79 43 6C 61 69 6D 65 64 00 00  fTheDayClaimed..
000001F0  00 0A 64 6F 64 67 65 54 69 6D 65 72 03 00 00 00  ..dodgeTimer....
00000200  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01  ................
00000210  92 B0 51 DB C6 C4 42 75 BE 7F 61 5F 3F A4 A0 4B  ’°QЫЖДBuѕ.a_?¤ K
00000220  00 06 00 01 00 04 00 08 00 0C 00 14 00 32 00 00  .............2..
00000230  01 79 20 13 34 00                                .y .4.

I initially thought it was protobuf or BSON, but I have not had any luck trying to decode these messages, although I have no experience with protobuf.

The client is written in C++ and uses the WebSocket++ library.

How do I analyze a binary protocol like this? How can I tell how the messages are encoded?

1 Answer

Without reverse engineering, it is probably hard to guess what this data is. However, you can collect many packets and then compare/observe them to determine the size of the archived data, which data is kept, which data changes...
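As an added example (not code from the question or the answer), the following Python script does the kind of comparison the answer describes on the captures posted above: it rebuilds raw bytes from the hex-dump rows, scans the server message for what looks like big-endian u16 length-prefixed ASCII names (the pattern visible around offset 0x60), and reports which header bytes differ between the client and server messages. The length-prefix layout is an assumption to be tested against more captures, not a confirmed property of the protocol.

```python
import re
import struct

# Hex-dump rows copied from the question: first row of the client and server data
# messages, and server rows 0x60-0x9F where readable field names appear.
CLIENT_HEAD = "00000000  3E E6 DC 00 00 00 00 00 00 00 2F 08 DC 31 CB 00  >жЬ......./.Ь1Л."
SERVER_HEAD = "00000000  6F E6 DC 03 00 00 00 00 00 00 00 00 00 00 00 00  oжЬ............."
SERVER_FIELDS = """
00000060  00 00 00 1B 00 04 72 61 6E 6B 00 00 00 05 6D 61  ......rank....ma
00000070  72 6B 73 00 00 00 03 65 6C 6F 03 40 92 C0 00 00  rks....elo.@’А..
00000080  00 00 00 00 0B 68 69 73 63 6F 72 65 52 61 6E 6B  .....hiscoreRank
00000090  02 00 00 04 B0 00 06 62 61 6E 6E 65 64 00 00 00  ....°..banned...
"""

def parse_hexdump(dump: str) -> tuple:
    """Rebuild raw bytes from 'offset  hex bytes  ascii' rows. Returns (start offset, bytes)."""
    start, out = None, bytearray()
    for line in dump.strip().splitlines():
        cols = re.split(r"\s{2,}", line.strip())  # offset / hex column / ascii column
        if len(cols) < 2 or not re.fullmatch(r"[0-9A-Fa-f]{8}", cols[0]):
            continue  # skips an 'Offset(h) ...' header row if one is present
        if start is None:
            start = int(cols[0], 16)
        out += bytes.fromhex(cols[1])
    return (start or 0), bytes(out)

def find_prefixed_strings(data: bytes, base: int = 0, min_len: int = 3) -> list:
    """Assumed encoding to test: big-endian u16 length followed by that many printable
    ASCII bytes. Returns (absolute offset of the length prefix, decoded string) pairs."""
    found, i = [], 0
    while i + 2 <= len(data):
        n = struct.unpack_from(">H", data, i)[0]
        s = data[i + 2 : i + 2 + n]
        if min_len <= n <= 64 and len(s) == n and all(0x20 <= b < 0x7F for b in s):
            found.append((base + i, s.decode("ascii")))
            i += 2 + n  # jump past the string so its body is not rescanned
        else:
            i += 1
    return found

def diff_offsets(a: bytes, b: bytes) -> list:
    """Offsets where two captures differ; bytes equal across captures are candidate constants."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

if __name__ == "__main__":
    base, body = parse_hexdump(SERVER_FIELDS)
    for off, name in find_prefixed_strings(body, base):
        print(f"{off:#06x}  {name}")
    client, server = parse_hexdump(CLIENT_HEAD)[1], parse_hexdump(SERVER_HEAD)[1]
    print("header bytes that differ between client and server:", diff_offsets(client, server))
```

Feeding more captured messages into diff_offsets shows which header bytes stay fixed across sessions and which change with every message, which is the comparison the answer recommends.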