1

Request Header:

```
POST https://gfp.line.naver.jp/P3 HTTP/1.1
Host: gfp.line.naver.jp
Connection: keep-alive
Content-Length: 180
Origin: null
X-LAL: en
X-LCS: xxx==
X-LHM: POST
Content-Type: application/x-thrift
X-LST: 260000
Accept: application/x-thrift
X-Line-Application: CHROMEOS 1.4.1 Chrome_OS 1
User-Agent: x
X-LE: 2
DNT: 1
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8
```

Response Header:

```
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: X-Line-HTTP,X-LS
Connection: keep-alive
Content-Length: 292
Content-Type: application/x-thrift;charset=UTF-8
X-LE: 2
X-Line-HTTP: P,HC,LP
X-LS: xxx
```

I got those headers from Fiddler running on Windows 10 Home.
From what I've researched so far, this is approximately the closest thrift file: https://github.com/cslinmiso/LINE-instant-messenger-protocol/blob/master/line.thrift, and I can only find the official compiler https://thrift.apache.org/download and some of the build information.

My question: how do I decode a thrift stream if we have the thrift file and the stream header + body?

P.S. My case is different from "How can you reverse engineer a binary thrift file?", because I have the thrift file above.

Newbie123
  • First, this is not possible given only the header info, and it will be an interesting task (at least) if the full message content would be available. Next, if you already have the IDL file (as you say), why do you need another one? Last but not least, did you look/ask for an official API documentation? – JensG Jun 06 '16 at 00:52
  • @JensG I have the full raw data of the request and response content, but only copied the header because I was sending sensitive data. It's pretty much encoded, like seeing a binary .exe file using Notepad when I see the content. I just want to know what the decoded stream content is, which I can read and understand – Newbie123 Jun 06 '16 at 17:40
  • Here are some links that I just found. [The API documentation](https://media.readthedocs.org/pdf/line/latest/line.pdf) and [this SO question](http://stackoverflow.com/questions/14494444/is-there-an-api-for-line-by-naver). And [this web page](http://carpedm20.github.io/line/tutorial.html). BTW, you don't "get something from Fiddler", out of the blue, without having sent some request before. So what did you send and how did you compose that? The longer I think about this, the more I come to the impression that you are trying to do something the absolutely wrong way. – JensG Jun 07 '16 at 16:06

1 Answer

1

If you have the IDL file, you can use the compiler to generate a client for it if you want to work with the data programmatically.

If you just want to read the data, you might be able to use this utility:

https://github.com/pinterest/thrift-tools

If reading the response message "manually", your pseudo-code might look like this (I put this in the comments but it was formatted terribly):

```
readMessageBegin() // this is the message wrapper
readStructBegin()  // this is the 'response' struct
readFieldBegin()   // this will have field id '0' if successful, something else if it was an exception
// next you read the response value
readFieldEnd()     // end of response field
readStructEnd()    // end of response struct
readMessageEnd()   // end of message
```
BCG
  • I have trouble installing thrift-tools on **Windows**, it says `SyntaxError: invalid syntax` with `pip.exceptions.InstallationError: Command "python setup.py egg_info" failed with error code 1` **http://pastebin.com/tsbYqeDi** and how do I generate the client? I have tried to run `thrift-0.9.3 --gen html line.thrift` but it says `[ERROR: x/PortableGit/LINE-instant-messenger-protocol/line.thrift:1002] (last token was 'from') Cannot use reserved language keyword: "from"` – Newbie123 Jun 06 '16 at 17:34
  • Ah, that `from` thing again. As a workaround you can try to modify the IDL. The token `from` has been added as a reserved keyword just recently, the IDL file is probably older. Should work with being renamed to e.g. `from_`, unless `from` is a service function name. – JensG Jun 06 '16 at 21:50
  • @JensG, okay, thank you. Now, how do I use the compiled file to decode the x-thrift message? I'm sorry, I have just started to learn thrift, so I know very little about it – Newbie123 Jun 07 '16 at 05:11
  • Maybe [this example](https://github.com/flamholz/py-thrift-validation-example/blob/master/util/serialization.py) could help. Technically it's very simple. You set up transport & protocols. Create a new instance of whatever you want to deserialize. Now read it. That's all. The only caveat is the question: What is this outer object in there? That's why I said it will be an interesting task to find that out. Because it is not in the data. So if you don't know that piece, you have to decompose the data by hand and guess from the field IDs and types using the IDL that (hopefully) matches the data. – JensG Jun 07 '16 at 15:27
  • Here's a hint; the calls you would make are something like: readMessageBegin() /** this is the message wrapper **/ readStructBegin() /** this is the 'response' struct **/ readFieldBegin() /* this will have field id '0' if successful, something else if it was an exception */ /* next you read the response type */ readFieldEnd() /* end of response field */ readStructEnd() /* end of response struct */ readMessageEnd() /* end of message */ good luck :) – BCG Jun 07 '16 at 15:47
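
An added example, not part of the original answer or of any project mentioned here: a schema-less reader that follows the answer's read sequence by hand and decomposes a message into field ids and values, which can then be matched against the IDL as the comments above describe. It assumes Thrift's binary protocol with the strict message header (the page does not say which protocol the capture uses); the `demoCall` sample bytes are constructed.

```python
import io
import struct

STOP, STRING, STRUCT, MAP, SET, LIST = 0, 11, 12, 13, 14, 15  # binary-protocol type ids
FIXED = {2: ">?", 3: ">b", 4: ">d", 6: ">h", 8: ">i", 10: ">q"}  # bool byte double i16 i32 i64
MSG_TYPES = {1: "CALL", 2: "REPLY", 3: "EXCEPTION", 4: "ONEWAY"}

def take(buf, n):
    # Every length comes from the capture itself, so bounds-check each read.
    chunk = buf.read(n) if n >= 0 else b""
    if len(chunk) != n:
        raise ValueError("truncated or malformed input")
    return chunk

def num(buf, fmt):
    return struct.unpack(fmt, take(buf, struct.calcsize(fmt)))[0]

def read_value(buf, ttype):
    if ttype in FIXED:
        return num(buf, FIXED[ttype])
    if ttype == STRING:                          # strings and binary share this type id
        return take(buf, num(buf, ">i"))
    if ttype == STRUCT:
        return read_struct(buf)
    if ttype in (LIST, SET):
        etype, n = num(buf, ">b"), num(buf, ">i")
        return [read_value(buf, etype) for _ in range(n)]
    if ttype == MAP:
        ktype, vtype, n = num(buf, ">b"), num(buf, ">b"), num(buf, ">i")
        return [(read_value(buf, ktype), read_value(buf, vtype)) for _ in range(n)]
    raise ValueError("unknown type id %d" % ttype)

def read_struct(buf):                            # readStructBegin .. readStructEnd
    fields = {}
    while (ttype := num(buf, ">b")) != STOP:     # readFieldBegin: type byte, then i16 id
        fid = num(buf, ">h")
        fields[fid] = read_value(buf, ttype)
    return fields

def decode_message(data):
    buf = io.BytesIO(data)
    header = num(buf, ">I")                      # readMessageBegin: version | message type
    if header >> 16 != 0x8001:
        raise ValueError("not a strict binary-protocol message")
    name, seqid = take(buf, num(buf, ">i")).decode("utf-8"), num(buf, ">i")
    return name, MSG_TYPES.get(header & 0xFF, "?"), seqid, read_struct(buf)

# Constructed sample: REPLY to a hypothetical "demoCall", field 0 = {1: "hi", 2: 7}
SAMPLE = bytes.fromhex("80010002 00000008 64656d6f43616c6c 00000001"
                       "0c0000 0b0001 00000002 6869 080002 00000007 00 00")
```

Field ids in the result are the numbers declared in the IDL, so `{0: {...}}` in a REPLY is the `success` field of the method's result struct; names are recovered by looking the ids up in the `.thrift` file.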