PBTK : A Toolset For Reverse Engineering & Fuzzing Protobuf-Based Apps

PBTK is a tool that can be used for reverse engineering and fuzzing Protobuf-based applications. Protobuf is a serialization format developed by Google and used in an increasing number of Android, web, desktop and other applications.

It consists of a language for declaring data structures, which is then compiled to code or to another kind of structure, depending on the target implementation.

PBTK is a full-fledged set of scripts, accessible through a unified GUI, that provides two main features:

  • Extracting Protobuf structures from programs, converting them back into readable .protos, supporting various implementations:
    • All the main Java runtimes (base, Lite, Nano, Micro, J2ME), with full Proguard support,
    • Binaries containing embedded reflection metadata (typically C++, sometimes Java and most other bindings),
    • Web applications using the JsProtoUrl runtime.
  • Editing, replaying and fuzzing data sent to Protobuf network endpoints, through a handy graphical interface that lets you edit the fields of a Protobuf message live and view the result.


Installation

PBTK requires Python ≥ 3.5, PyQt 5, Python-Protobuf 3, and a handful of executable programs (chromium, jad, dex2jar…) for running extractor scripts.

Archlinux users can install directly through the package:

$ yaourt -S pbtk-git
$ pbtk

On most other distributions, you’ll want to run it directly:

# For Ubuntu/Debian testing derivatives:
$ sudo apt install python3-pip git openjdk-9-jre

$ sudo pip3 install protobuf pyqt5 requests websocket-client

$ git clone https://github.com/marin-m/pbtk
$ cd pbtk
$ ./gui.py

Windows is also supported (with the same modules required). Once you run the GUI, it should warn you about what you are missing, depending on what you try to do.

Command Line Usage

The GUI can be launched through the main script:

./gui.py

The following scripts can also be used standalone, without a GUI:

./extractors/jar_extract.py [-h] input_file [output_dir]
./extractors/from_binary.py [-h] input_file [output_dir]
./extractors/web_extract.py [-h] input_url [output_dir]

Typical Workflow

Let’s say you’re reverse engineering an Android application. You explored the application a bit with your favorite decompiler and figured out that it sends Protobuf as POST data over HTTPS in the usual way.

You open PBTK and are greeted in a meaningful manner:

The first step is getting your .protos into text format. If you’re targeting an Android app, dropping in an APK and waiting should do the trick (unless it’s a really exotic implementation).

Once that is done, jump to ~/.pbtk/protos/<your APK name> (either from the command line, or via the button at the bottom of the welcome screen that opens your file browser, whichever you prefer). All the app’s .protos are there.

Back in your decompiler, you stumbled upon the class that constructs the data sent to the HTTPS endpoint that interests you. It serializes the Protobuf message by calling a class made of generated code.

This latter class should have an exact match inside your .protos directory (i.e. com.foo.bar.a.b will match com/foo/bar/a/b.proto). Failing that, grepping for its name should let you locate it.

That’s great: the next thing is going to Step 2, selecting your desired input .proto, and filling some information about your endpoint.

You may also supply some sample raw Protobuf data that was sent to this endpoint, captured with mitmproxy or Wireshark, pasted in hex-encoded form.
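To see what such a hex dump contains before loading it into a tool, here is an added example (not PBTK's own code) of a schema-less decoder for the Protobuf wire format: it walks the tag/value pairs that a field tree like PBTK's is built from. The sample bytes are constructed for the example.

```python
# Added example, not part of PBTK: schema-less decoder for the Protobuf wire
# format, to sanity-check a hex dump captured with mitmproxy or Wireshark.
# Wire types: 0 varint, 1 fixed64, 2 length-delimited, 5 fixed32; groups raise.

def _need(buf: bytes, pos: int, n: int) -> None:
    """Raise if fewer than n bytes remain at pos (truncated capture)."""
    if pos + n > len(buf):
        raise ValueError(f"need {n} bytes at offset {pos}, have {len(buf) - pos}")

def read_varint(buf: bytes, pos: int):
    """Decode a base-128 varint at pos; return (value, position after it)."""
    result, shift = 0, 0
    while True:
        _need(buf, pos, 1)
        b, pos = buf[pos], pos + 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")

def decode_fields(buf: bytes):
    """Return [(field_number, wire_type, value), ...]. Length-delimited values stay
    raw bytes: without a .proto, string, nested message and packed field look alike."""
    fields, pos = [], 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field, wtype = tag >> 3, tag & 0x07
        if wtype == 0:
            value, pos = read_varint(buf, pos)
        elif wtype in (1, 5):
            size = 8 if wtype == 1 else 4
            _need(buf, pos, size)
            value, pos = int.from_bytes(buf[pos:pos + size], "little"), pos + size
        elif wtype == 2:
            length, pos = read_varint(buf, pos)
            _need(buf, pos, length)
            value, pos = buf[pos:pos + length], pos + length
        else:
            raise ValueError(f"unsupported wire type {wtype} at offset {pos}")
        fields.append((field, wtype, value))
    return fields

def decode_hex(hex_dump: str):
    """Accept hex with optional whitespace, as pasted from a proxy's hex view."""
    return decode_fields(bytes.fromhex("".join(hex_dump.split())))

# Constructed sample: field 1 = varint 150, field 2 = "pbtk", field 3 = nested {1: 1}
SAMPLE_HEX = "08 96 01 12 04 70 62 74 6b 1a 02 08 01"
```

Recursing into a length-delimited value with decode_fields again is how you tell a nested message from a plain string when no .proto is available.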

Step 3 is the fun part: clicking buttons and seeing what happens. You get a tree view representing every field in the Protobuf structure (repeated fields are suffixed with “+”, required fields have no checkboxes).

Hover over a field to give it focus. If the field is an integer type, use the mouse wheel to increment or decrement it. Enum information also appears on hover.

That’s it: you can work out the meaning of every field this way. If you extracted .protos from minified code, you can rename fields according to what you discover they mean by clicking their names.
