Reverse Engineering Toolset And Fuzzing Protobuf-based Apps
Protobuf is a serialization format developed by Google and used in an increasing number of Android, web, desktop and more applications. It consists of a language for declaring data structures, which is then compiled to code or another kind of structure depending on the target implementation.
pbtk (Protobuf toolkit) is a full-fledged set of scripts, accessible through an unified GUI, that provides two main features:
Extracting Protobuf structures from programs, converting them back into readable .protos, supporting various implementations:
- All the main Java runtimes (base, Lite, Nano, Micro, J2ME), with full Proguard support,
- Binaries containing embedded reflection metadata (typically C++, sometimes Java and most other bindings),
- Web applications using the JsProtoUrl runtime.
Editing, replaying and fuzzing data sent to Protobuf network endpoints, through a handy graphical interface that allows you to edit live the fields for a Protobuf message and view the result.
PBTK requires Python ≥ 3.6, PyQt 5, Python-Protobuf 3, and a handful of executable programs (chromium, jad, dex2jar...) for running extractor scripts.
Archlinux users can install directly through the package:
$ yaourt -S pbtk-git
On most other distributions, you'll want to run it directly:
# For Ubuntu/Debian testing derivates:
$ sudo apt install python3-pip git openjdk-9-jre
$ sudo pip3 install protobuf pyqt5 requests websocket-client
$ git clone https://github.com/marin-m/pbtk
$ cd pbtk
Windows is also supported (with the same modules required). Once you run the GUI, it should warn you on what you are missing depending on what you try to do.
Command line usageThe GUI can be lanched through the main script:
The following scripts can also be used standalone, without a GUI:
./extractors/jar_extract.py [-h] input_file [output_dir]
./extractors/from_binary.py [-h] input_file [output_dir]
./extractors/web_extract.py [-h] input_url [output_dir]