You can get a long way just using protoc --decode_raw For "bytes" you can try a few things - see if round-trips to utf-8 to see if it is a string: or try checking the contents to see if they are internally a valid protovuf message. "Packed" is a little trickier to detect robustly. On 13 Jun 2013 23:31, "Liang Huang" <huangliang...@gmail.com> wrote:
> Hi, > > I captured a block of communication data from a virus between it's server. > I don't have any ".proto" file about it. > > I tried to write a decoder based on the following information. > https://developers.google.com/protocol-buffers/docs/encoding#order > > I got a problem, I cannot identify data is a string or a embedded > messages, because they have a same wire-type. > > 2Length-delimitedstring, bytes, embedded messages, packed repeated fields > I doubt if I can reverse it just based on a block of data. Can I ??? > > Thanks, > > HL > > -- > You received this message because you are subscribed to the Google Groups > "Protocol Buffers" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to protobuf+unsubscr...@googlegroups.com. > To post to this group, send email to protobuf@googlegroups.com. > Visit this group at http://groups.google.com/group/protobuf. > For more options, visit https://groups.google.com/groups/opt_out. > > > -- You received this message because you are subscribed to the Google Groups "Protocol Buffers" group. To unsubscribe from this group and stop receiving emails from it, send an email to protobuf+unsubscr...@googlegroups.com. To post to this group, send email to protobuf@googlegroups.com. Visit this group at http://groups.google.com/group/protobuf. For more options, visit https://groups.google.com/groups/opt_out.
