
I'm using a MITM technique to study some apps' APIs, but I'm not able to restore the original data from the multipart gzip request.

Does anyone know how I can recover the content of this package?

POST /logging_client_events HTTP/1.1
Accept-Language: pt-BR, en-US
Content-Type: multipart/form-data; boundary=3TtLStKljJgtMAosyN-hY6JtpuUqhC
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Length: 1129

--3TtLStKljJgtMAosyN-hY6JtpuUqhC
Content-Disposition: form-data; name="access_token"

567067343352427|f249176f09e26ce54212b472dbab8fa8
--3TtLStKljJgtMAosyN-hY6JtpuUqhC
Content-Disposition: form-data; name="format"

json
--3TtLStKljJgtMAosyN-hY6JtpuUqhC
Content-Disposition: form-data; name="cmsg"; filename="ae3ada0b-866d-4b0c-b0af-e0c66df71808_5_regular.batch.gz"
Content-Type: application/octet-stream
Content-Transfer-Encoding: binary

eRÛ®0üòG6¾GÊUhm/9Ö!@0Ð¥ù÷Ú¤Q¢VH\fvf׳ܪ×ê(÷cCu¬¤ÒTi.8µ¨uõ V2Ç(=é«m¦Ü»ÐôË¥   m¸FCç88A¥8ÊÖÄñÄ+¡Zë°6³¤Kì¾w¥ôSJ@DíqÜK"æ­¡uTfeÂâÐ?4PGò$G=qZÔg ÕÌP5ËVLóÿ¾Ç.Mx^:2Ö
çfþ1¾ØÏ
®ùþ7ÖPf5²b2ôm<Ê$]ëê?Ñ¥-£kúíOye8BÀê:HDQsgPÑúZÝNL*¥eÚî®ëie»t³ÜRç©â¨­u
['̹{QÎ`êøq«z¸ássðs\sýÓ
].ãÆSEùAð²³±ý¹`Îl_á¯yÊ~·j;ý3§UfJ&Û³yؾ\÷ÕøõoLv  Wæã4B@óÁÏØFÒ}ù+rí°Ûv¥fïP*Xîh´BÉwêÿ­Þï?î

======================UPDATE===============

I uploaded 3 sample packages in this format, so anyone who knows how to solve the problem can try: https://gofile.io/?c=fNakzX

Rafael Lima
  • If you only have this text then I'm afraid you won't be able to recover the data. If you have the actual bytes then cut everything under the last header and decompress. – t.m.adam Aug 27 '19 at 05:36
  • @t.m.adam, I do have the actual bytes but still I can't decompress. I uploaded 3 sample packages so you can try to see if you can help – Rafael Lima Aug 27 '19 at 15:01
  • 1
    I can't decompress it either, sorry. GZ files start with 0x1f8b, while your data start with 0x3f53 / 0x3f54. They have a similar question [here](https://stackoverflow.com/questions/47614735/reverse-engineering-http-request), I couldn't make it work but it may be helpful. – t.m.adam Aug 27 '19 at 16:38
  • It's content-disposition, it's a binary file, who told you it's gziped? The extension doesn't mean a thing. – deathangel908 Sep 04 '19 at 19:45

1 Answer


The content you uploaded contains a lot of question marks as ASCII '\x3f' (all three versions of it). I am pretty sure these stand in for the original data at every byte that was an unprintable character. In changing the original bytes to question marks, the information was lost completely.

The description of your question contains at least a version which is not peppered with question marks, but since this is a real text representation of the binary data, I am also pretty sure that there are some (relevant) characters missing and/or that some of the characters aren't correctly transformable back to the original binary.

If you do not have any other version of your input, I'm afraid your task cannot be accomplished, sorry.

Alfe
  • I didn't understand your statements clearly, but I can generate more input if necessary... I'm doing it with a proxy intercepting the requests between my phone and the app's server. So in order to generate the 3 sample files I simply asked the proxy to save the request, then deleted the non-relevant fields the proxy automatically appends. I don't think any loss or conversion happened during it – Rafael Lima Sep 02 '19 at 21:21
  • If you can generate more input, you should do so and try to store it in a binary format. If you manage to present us the hexdump or provide the binary via some external website, it might be possible to determine how to uncompress the data. But if your only way of storing it is "as text", then I fear every time some unprintable characters are lost to the encoding and translation. – Alfe Sep 03 '19 at 07:07
  • Btw, the header of what we can read in your post is `filename="ae3ada0b-866d-4b0c-b0af-e0c66df71808_5_regular.batch.gz"`, and the suffix `.gz` strongly indicates that the data is most likely compressed using gzip. You need to get hold of the binary data and pass it through a gzip decompressor (e.g. `zcat` on Unix systems or of course any gzip library like Python's `gzip`). – Alfe Sep 03 '19 at 07:14
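
The procedure the comments converge on (split the raw request at the multipart boundary, take the bytes of the `cmsg` part, check for the gzip magic `1f 8b`, then gunzip) as an added worked example. This is not code from the question or the answer; the request it parses is constructed in the script to match the shape of the capture above, with a real gzip member in place of the unreadable payload, and the `mangle_to_text` function simulates the lossy "saved as text" copy the answer describes, so you can see exactly why the check fails on it. The event JSON and the `sample.batch.gz` filename are made-up sample data.

```python
import gzip
import json
import re

GZIP_MAGIC = b"\x1f\x8b"
BOUNDARY = "3TtLStKljJgtMAosyN-hY6JtpuUqhC"  # boundary string seen in the captured request


def build_request(payload: bytes, boundary: str = BOUNDARY) -> bytes:
    """Build a raw HTTP request shaped like the capture in the question, with a real
    gzip member in the "cmsg" part. Constructed sample, not the original capture."""
    body = (
        f"--{boundary}\r\n"
        'Content-Disposition: form-data; name="format"\r\n\r\n'
        "json\r\n"
        f"--{boundary}\r\n"
        'Content-Disposition: form-data; name="cmsg"; filename="sample.batch.gz"\r\n'
        "Content-Type: application/octet-stream\r\n"
        "Content-Transfer-Encoding: binary\r\n\r\n"
    ).encode("ascii") + payload + f"\r\n--{boundary}--\r\n".encode("ascii")
    head = (
        "POST /logging_client_events HTTP/1.1\r\n"
        f"Content-Type: multipart/form-data; boundary={boundary}\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    ).encode("ascii")
    return head + body


def parse_multipart(raw: bytes) -> dict:
    """Split a raw request into {field name: part body bytes} using the boundary from
    the Content-Type header. Part bodies stay bytes; nothing is decoded as text."""
    head, _, body = raw.partition(b"\r\n\r\n")
    m = re.search(rb"boundary=([^;\r\n]+)", head)
    if not m:
        raise ValueError("no multipart boundary in Content-Type header")
    delim = b"--" + m.group(1).strip().strip(b'"')
    parts = {}
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter "--boundary--"
            break
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        # First blank line ends the part headers; everything after it is the payload.
        part_head, _, part_body = chunk.partition(b"\r\n\r\n")
        name = re.search(rb'name="([^"]+)"', part_head)
        if name:
            if part_body.endswith(b"\r\n"):  # CRLF that precedes the next delimiter
                part_body = part_body[:-2]
            parts[name.group(1).decode("ascii")] = part_body
    return parts


def gzip_magic_ok(blob: bytes) -> bool:
    """True if the part starts with the gzip magic bytes 1f 8b."""
    return blob[:2] == GZIP_MAGIC


def recover_cmsg(raw: bytes) -> dict:
    """Extract the "cmsg" part and gunzip it to JSON. Raises ValueError when the bytes
    are not gzip, which is what a text-mangled capture looks like (0x3f '?' where the
    header bytes 1f 8b should be)."""
    blob = parse_multipart(raw)["cmsg"]
    if not gzip_magic_ok(blob):
        raise ValueError(f"not gzip: part starts with {blob[:2].hex()}, expected 1f8b")
    return json.loads(gzip.decompress(blob))


def mangle_to_text(raw: bytes) -> bytes:
    """Simulate saving the capture "as text": every non-printable byte becomes '?'.
    This is the lossy transformation the answer describes; it cannot be undone."""
    return bytes(b if (0x20 <= b < 0x7F or b in b"\r\n\t") else 0x3F for b in raw)


# Constructed sample event batch; the real app's payload format is unknown.
EVENTS = {"events": [{"name": "app_open", "ts": 1566880000}]}
GOOD = build_request(gzip.compress(json.dumps(EVENTS).encode("utf-8")))
LOSSY = mangle_to_text(GOOD)

if __name__ == "__main__":
    print("binary capture:", recover_cmsg(GOOD))
    print("text-mangled capture has gzip magic:",
          gzip_magic_ok(parse_multipart(LOSSY)["cmsg"]))
```

Run against a real capture, the important part is how `raw` gets into the script: read the proxy's saved request with `open(path, "rb")` (or export it as a hexdump and `bytes.fromhex` it), never through a text editor or a text-mode file, because that is the step at which the `1f 8b` header turns into `3f 3f`.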