2013년 9월 12일 목요일

LINE(라인) protocol analysis [2] : HTTP(S) data


* 2014.08.02 update *

If you need a python code right away, then please keep in touch with https://github.com/carpedm20/LINE



Now, I decide to analyze the LINE protocol in more detail.

4. HTTP(S) Analysis



There are two particular headers, one is 'X-Line-Application' and the other is 'X-Line-Access'.

The first header, 'X-Line-Application', specify the kind of mobile phone, which is not that interesting one ;(

However, the second header 'X-Line-Access' seems like a session key and part of the key is encrypted by Base64.

I'll talk about this later :)

Anyway, after I decode the encrypted data, I can get 'iat: 1378973334524' (string data) and '��" [���<Z� � 5wxwO�' (byte[] data)

The format of POST data seems like 'bson' string which is used in LOCO protocol but it isn't.

To find out how the application deals with the session key and what kind of data type is used for POST data, I used .NET Reflector again and find out some interesting functions like send_sendMessage(int seq, Message message).


As you can see in this picture, there is a string "sendMessage" which also can be found in the POST data.

Therefore, I guess that this sendMessage function makes the POST data. 

I also figure out that WriteMessageBegin() and WriteMessageEnd() are the functions for Thrift platform.

I keep read some posts and decompiled codes to find out how Thrift works, but I can't figure out the exact structure of Thrift HTTP protocol.

  1. ## VERSION of Thrift protocol ##
  2. # TBinaryProtocol.VERSION_1 | type
  3. data = '\x80\x01\x00\x01'
  5. ## Function ##
  6. # \x00\x00\x00\x0b : sendMessage
  7. # \x00\x00\x00\x0f : fetchOperations, for read message
  8. data += '\x00\x00\x00\x0b' # length of function
  9. data += 'sendMessage'
  11. ## Message information for static message ##
    ## (not include sticker information) ##
  12. data += '\x00\x00\x00\x00'
  13. data += '\x08\x00\x01\x00'
  14. data += '\x00\x00\x00\x0c'
  15. data += '\x00\x02\x0b\x00'

  17. # \x01\x00\x00\x00 : from
  18. # \x02\x00\x00\x00 : to
  19. data += '\x02\x00\x00\x00' # to
  20. data += '????' # chat id to send message
  21. data += '\x0b\x00\x0a' # ChatId footer
  23. ## User input : not included in Thift protocol ##
  24. message = raw_input(">> ")
  26. ## Length of message ##
  27. #data += '\x00\x00\x00\x10' # \x06 : length
  28. data += struct.pack('>I',len(message))
  30. ## Message ##
  31. #for i in range(16):
  32. #    data += chr(49 + i) # 65 : A, 49 : 1
  33. data += message
  35. ## Message footer ##
  36. #data += '\x0a\x02\x00\x0e\x00\x00\x00'
  37. data += '\x02\x00\x0e\x00\x00\x00'

The bellow picture is the structure of Thrift packet based on the packet analysis that I took. (which may include some errors)

And the bellow code is a short python code which can be used to send message to someone (not me).

  1. #!/usr/bin/python
  2. # -*- coding: utf-8 -*-
  3. __author__ = 'carpedm20'
  4. import urllib2
  5. import struct
  7. url = 'http://gm.line.naver.jp/S3'
  8. headers = { 'POST' : '/S3',
  9.     'X-Line-Application' : 'WINPHONE.1.7.0.71.WindowsPhone.7.10.7720',
  10.     'Referer' : 'file:///Applications/Install/A18DAAA9-9A1C-4064-91DD-794644CD88E7/Install/',
  11.     'Accept-Encoding' : 'identity',
  12.     'Content-Type' : 'application/x-thrift',
  13.     'Accept' : 'application/x-thrift',
  14.     'X-Line-Access' : '????';
  15.     'Connection' : 'Keep-Alive',
  16.     'User-Agent' : 'WindowsPhone 1.7.0.71',
  17.     'HOST' : 'gm.line.naver.jp',
  18.     'Cache-Control' : 'no-cache'}
  20. def send():
  21.     data = '\x80\x01\x00\x01\x00\x00\x00\x0b'
  22.     data += 'sendMessage'
  23.     data += '\x00\x00\x00\x00\x08\x00\x01\x00\x00\x00\x00\x0c\x00\x02\x0b\x00\x02\x00\x00\x00'
  24.     data += '????' # chat id to send message
  25.     data += '\x0b\x00\x0a'
  27.     message = raw_input(">> ")
  29.     data += struct.pack('>I',len(message))
  30.     data += message
  31.     data += '\x02\x00\x0e\x00\x00\x00'
  33.     request = urllib2.Request(url, data, headers)
  34.     response = urllib2.urlopen(request)
  36.     print "[*] Result "
  38.     data = response.read()
  39.     for d in data:
  40.         print "%#x" % ord(d),
  41.     print
  43. def read():
  44.     data = '\x80\x01\x00\x01' # TBinaryProtocol.VERSION_1 | type
  45.     data += '\x00\x00\x00\x0f'
  47.     data += 'fetchOperations'
  48.     data += '\x00\x00\x00\x00\x0a'
  49.     data += '\x00\x02\x00\x00\x00\x00\x00\x00\x00\xf9\x08\x00\x03\x00\x00\x00\x14\x00'
  51.     request = urllib2.Request(url, data, headers)
  52.     response = urllib2.urlopen(request)
  54.     print "[*] Result "
  55.    
  56.     data = response.read()
  57.     for d in data:
  58.         print "%#x" % ord(d),
  59.     print
  60.     print data
  62. while 1:
  63.     send()

I can also figure out how to send an emoticon message through LINE.

I wish I can send some emoticons, which I have to buy to use them, but it doesn't worked with an error message "current user does not have this sticker" :(

ps. you can send some charged emoticons in LOCO protocol for nothing :)


Next : LINE protocol analysis [3] : session key

라벨: , ,

댓글 2개:

  1. Unknown2015년 1월 26일 오후 8:31

    Thanks for your great article about how LINE works.
    Besides, I'd like to ask a question that how to send image message. I've tried to use node.js to implement LINE API. However, when I want to send Image message, no matter I set the encoding of buffer to `binary` or `hex`, it still cannot show up the `contentPreview`. Do you know how to solve it or what the encoding is? Thanks a lot :)

    답글삭제
  2. Unknown2017년 5월 23일 오후 7:58

    I still confusion about S4 and S3. is they are different?

    답글삭제

피드 구독하기: 댓글 (Atom)