I intercepted an HTTP request in Charles, originating from an iPhone to Instagram, and here are the headers:
POST /logging_client_events HTTP/1.1
Host: graph.instagram.com
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Connection: keep-alive
Accept: */*
User-Agent: Instagram 10.0.1 (iPhone8,1; iOS 10_1_1; en_IN; en-IN; en; scale=2.00; 750x1334) AppleWebKit/420+
Accept-Language: en-IN;q=1.0, hi-IN;q=0.9,
Content-Length: 1601
Accept-Encoding: gzip, deflate
There is POST data in the request as well, and it is compressed. My question is: how can I uncompress the POST data? Perhaps any method in NSData that can decompress?
EDIT: Here is the complete HTTP request:
POST /logging_client_events HTTP/1.1
Host: graph.instagram.com
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Connection: keep-alive
Accept: */*
User-Agent: Instagram 10.3.0 (iPhone8,1; iOS 10_1_1; en_IN; en-IN; scale=2.00; gamut=normal; 750x1334) AppleWebKit/420+
Accept-Language: en-IN;q=1, hi-IN;q=0.9
Content-Length: 4585
Accept-Encoding: gzip, deflate
message=eNrtXG1v4kgS%2FiunfLqTAupXtzvSfiAxZInOZsmQEPt0sowxYGNj1jZDYLX326%2FaMBNICJMsZCajTUZRwO6XqvJT1c%2FTtuePE286dcP%2BydkJJgwRxgUjumCYnZyezMrjCD4VYRKcnGGmU0GIQKiKGEWUnZa9PweZ6o6qtIr%2B8U%2BmIYGEwP%2BCbv3gc%2BgH6%2BHPBdcb51rFuJCNCmsYuKJf6EZFq%2BlMN2pGDV0I6DLwkjBeuJs9Gb1gBqnXK3rDqFfAPKMi8UWtYvCaIKyGOZM16JkHeR6mk1Wf8xqqo4sGhuYNvcIouaicn2ukQhr8HLzQ5LlGlYFe4Z2c%2FeePkyTtz2JwUTkExyee8vdkHvTy1B8Hheunk0ngF65XFEEyLR6HRJOkyhETQp6eBPdFBoP%2BcTIdwxCE6IxSHWvs5M8%2FT5%2BbKBy6vwducD9N81kW7Bxdl4xvDD7M0tkUehZBXrhgZOjFysgCGrgQBD8Og4kys4zGhhGnT8xSg06DDCaEDqUpYZq7gyDou7NB6GZBP8jD4eRg8zmjz9h%2FgJm59zk40DJJBZI7LMvSOE5nhxq3CmSRpnERTh9ZujoFneJwEjzYnAVB7IIxCzdMptkK1bss1zHBSGxYXvYBT8NC9ThDu%2ByMQ7CpnMFPZ8pYaFX220of1vOQlJT3PU2ygAVSoCDQexj7cuB5PoGBklkB1j8ayXOfzjjycjdZlC3LNp%2FDYP605ySYPz4U5u6Xo%2BD3kUMnNKy%2Fy9BxRDgl6L0GjhCKtPcYOCw1LHWpi3cbOU0I%2Bh4jxwXXpIDL%2Bl4jR%2BHL%2B0xWiTSJEf3ekQsneeENMy9x02zoTULfzWe9b0WRYUQ2gpinswwYVjpwPX8VxyezJS5YiNXf8P6ZMH9JPqYLKAyA8cdE7KG1SwhCmoHrFUSpVmE65hXJiKzUmDwX9QuBGoZWzroekmANuCb0pPCLMMLu1jTghz8OJ0NYXMeBMj9YXC29bn9m311jP7kJW2Ez%2FPfF1dy%2Bi%2FMeaYyb0VQ0k3h5Rxozu3vP%2B5dx5GOJ%2FKQReeRWnUf%2B5DaGPkvn7orA76B%2FKTOny9RY95YxXFrLOrIMe2EZTTIw6siM6sSM%2FLnZsZG5rBPLqN2bRkM3oyazDHPZMuDYr3NiR7W5Y9jEurSxZViRc2mFrc7VuHXZntvLm3tzeTuyl6NRq9tcOJGN7ChO7ATmjBqh1akRK7LnLaMxhvMwvjW2E5s1w3nYv7udOhdNrRn53InaBNou7K4zbnXgcxfGTG4jJ2kvra6JreUNjNskZqe9AHsX1rIG47eXpe1GfW5%2BupLgu%2FIb4ihnzSjFg%2FYvvyhWrrjQ3AXUFbNcIaX8DsE%2FjHsBJoXcxQo79U%2BdQ8nr57AfpK4fxLHrzYp0GkPy92bDAWB52%2BiV1niwe831FYT9kTcZ7jZdSkz2sf3TjXGUlAgH4dYxlbLFYqomvOhce%2F0wrfk%2BZE4n8EeTNE6Hi18%2FGb%2FVngY4Dn2vWCX52uDYm038kTvLvV6801hJgVNsqoe1yxCw30bpJNBPMXRL85WMw1X1LZyEBaSWux48gZOYy6rATEisqbKn3H%2Fq9Zd%2BE8BL2QlxGFAirlP40TQQjT1IXHWlJ31XtT45G3hxHjx0VQUJqrfqrWFRFZqmC45AnGJNf2i1crdspUtcZYKXhjGuYfqCoE1n%2BQiMLOC6rE7BylAUCtK7AsigdG1Wz57XHwYwc5HNwHAvDrLi67dcefb1246aCZpZZdKuS1eO605mSU%2BJaii5sQf67snRzJt%2FNfdM7MnBfpgp2ToLXciSwU7XBCZiExuDMIMppx7gfu0CrCqzWKVXPishujMP1XpXLk299F7Ns4J2Fvw%2BUwq1nBaOpgXo1P4sW12MM03yPcZngRerjipVcj8Le8E%2B
%2FS2FBgDbcORrd0j%2B0IfxZnmQVfo5qTwY%2Fj%2By05nHM09LgHgxHO8voKSFubrcJWz32F%2Fq8UnhxqnXD%2Fo7bdYZQZs2f%2BmyDt90lBbpTgs3x15F9wwyF2LAOWFSSp0gjT40g5WiGAFUONpj78N2Rz%2Fsu%2Bk02EEkaFVyjW9JgFfsczy9ojvCwqqUUV2KvcX1hRf3lUQ0CwYA9tEumxgVQtP32nQ0zjkHLrnOtcEs%2FpKGO5noptlfUDMJinmajU9eSkLl42HWcGJaWRtQ%2BaMh%2FojkHpPlQ3w5FpQ8z%2FLpj1OWXFAJRIXoj2k%2BfkWED6L5iRdOVqxmD0Kh%2FGl4u%2F7lJffw07ivVpysgDEKf7SzoKy4HRjcV1MDVd%2BXx%2BWmsbIujstKnu%2ByR6dsfw4PehvjQCUocf4XBdA%2BcPEqSDQh5VupH5iDalIyio6qfiB%2BkhMuIAmRjqi7Nc0u9bPF3JWK%2BaYamlixP3FiP5aoR4q4FyolUUctw6SgYEirY3Jr6egrxQDqxxhjM7qhoIIWpjGcm3S%2BMKMhKB%2BTKRUBimhhdYb3ZtSmLaOf2F2lgGrcItdjk0CbaBRb3Zt767IRgWpatDo3S%2BvyOjSN25G1HHOrcwuqyEdWtxFZl%2FW51QFldGkqu6eg1Ea9pJEHd9dTm1qD%2Fq9XIxtsVuoHPmPn04YaSurUvFRKChTU0kocpXK61siM%2Bgkoqhj%2BhjAfKn14zrfFlXyl%2BnkxWFdL4HS1Q78LrJJpfw2sL1PoquNq%2BjMCpIEzqm5eYCY1rn8I8J9ZgL9qw2i9dn2zdEqdvg6Nz1v7gNRduHwp8p6i%2FAOL3wuLB%2BgdXuVcl1sc5TC9owuNcK2U%2FRTUn%2FZKvfMCewWMLI9mL0NIMkkFCDRo9gJ5dhT6o1Up4tv3OF9Nf%2FYtLQQxSoSG9OOyH0AKXF%2FEKcKYcndzlh9BflirYzNraQMpMSHD60vr7jH5sbnTGUJmQmYvx3Oze4PtTj80gciYBLK0cx1bSXthL60I%2Fo1tYlKr40Sm0ZxDJcGQ%2FcRW5KdTh6rgjFQGty6b34P8PPXt06vJzwj0fKr2WhfJYP30gNrb29CBfpokwaSvzoBW%2FxZkCSF4r3pYPZ1CYIXgjAssHvagnjVl656RFw%2FTLCxGyVengix3H46%2BsXtQucgL%2FKOQBpQTTfBX%2BYd%2FuH8gsrWXXD8oA1AWQem8yj%2By7Z%2FarXQzbzJ%2B1r9XFX6tyiRQDXG0wg%2FsWpdclBtzmKoHpx5XfinfQEuIKpFcZ%2FhnEL5bmoRwXRMCwbKlCZ2QD1n8t5DFL9AjCtEaouJjK%2BcDs%2B8Cs%2FvByghUsoPASvaBdePxk%2BNhVehch%2FVYEPiCBIywMcsPgKrPAIZzuKRwTknsGgUJ%2FQiqFpDoxtjstplFmthOGqHT8e%2FtTmNkR6OxgoDVuQZJPeROtxG2jPHcAahanThRnxUdb3Vux3b3BjnGVWR2AeCdm%2B8A1R2%2BXfyYXUcB0lwAzfwJNOIGUcBVrHON6QgopA5Vln0oyJ9YQR6XJ3C12vKPPY8PxL4dYl8lKgGSsLSS4%2B0mIoAGI7S8QY8Zpk%2F3EzVMDng%2BT1fPkyB%2B%2FJc2wAd1KzyfppM8zSAFY68XxErkfw6y%2FKD3OfQqIUKQNzB6%2FThhmqkHqsrHC4P5NM3UNRkOD4SGXqVUbD1fduh2g0YkxuWDQAA89VbSqzbGvx1lxgEZ2ptAI1x7nrqjcDiK4bd4DhpHoT56lYNZVPsJWPoG9UFV9QCqDiuE2uAB1v7B4f8OHH4f59GrwBw0chDnYXs5j65qKxXiyKRHI5rOOdQqwojmbk3zHcHa%2F8p6LHXMuMGtzpibUXthTR6D9Ta0uzazI8VynLGdXIV2p4nUPgiwHd
S6tACw1xGwHYBQY%2BR04XPHiR3DX9qJAqpJHWNIACwwd3PRMtrcSerfBKsDx31ykzcnt9jrtsHXq5G1PA%2FNxFZAXDqJuu%2FcgLma1Insewf%2B2pHPLaPGzNX9adZS96ujIbbAt1Zpsx0O7tCbsR5ZRYKgIy5t6gU5QAyQHqxID%2FtON1FlVTABMx%2BSXPzHJBfGnHDJOOLsfSTXPVTmBQAQaH8NP1kJLq9CVelNVdWXQ%2BokbSUxVHIxc9kGMI8XZqKSq87MLlT6y%2Fa93W1je3kFssOcW0lz6VzeLCDhIAmdEFYPkBW175ZcICXU5iMcv4EVq%2F3GyaVrkqMjSgoGDeQ6u7g4ZnI9T8HK%2F0%2BASibJz7BybXMwiBaVYLxAAutU%2F1jYfuaF7Rksqzdn1OszvsqDMqFyN1N3wrOnObnGsvjWywvr3usnnv97egIq8kvOrv7vBjf4vMqVPPgdoPbn%2FwGSB1Nz&compressed=1&access_token=124024574287414%7C84a456d620314b6e92a16d8ff1c792dc&format=json
TL;DR: use the following command line to decode such messages:
While replacing <message> with the post parameter.
Full details:
This request uses several encoders, one on top of another, but all encoders used are easily recognisable by an experienced researcher and probably an experienced web developer.
By the characters appearing in the message POST argument, it's easy to identify the format as base64 encoding. However, percent characters (%) stand out as they're not part of the base64 character set. After further review it is easy to see that a percent sign is always followed by only a small selection of characters (%2B, %2F). These are URL-encoded characters (specifically '+' and '/', respectively), both part of the base64 character set.
Thus, that string should be URL-decoded and then base64-decoded, and we end up getting a more cryptic string as a result, but luckily no errors:
The string consists of both printable and non-printable characters, but the first two characters, x\xda (or \x78\xda), have an important meaning as they're markers for a zlib compressed stream.
For example, running that one-liner with your message would look exactly like that:
Final result is:
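Added example, not part of the original answer (whose command line and output are missing from this page): the decoding chain the answer describes (URL-decode, base64-decode, zlib-inflate) written in Python. The sample body is constructed here, and `decode_message`, `build_sample_body` and the 1 MiB `MAX_OUTPUT` cap are illustrative names and values, not anything taken from the capture.

```python
import base64
import zlib
from urllib.parse import parse_qs, urlencode

MAX_OUTPUT = 1 << 20  # assumed cap on inflated size for an untrusted capture


def decode_message(body: str) -> bytes:
    """Recover the bytes behind the `message` field of a form-encoded body."""
    # parse_qs does the URL-decoding step (%2B -> '+', %2F -> '/', %3D -> '=').
    fields = parse_qs(body, strict_parsing=True)
    # validate=True rejects characters outside the base64 alphabet instead of
    # silently skipping them, so a half-decoded value fails loudly.
    raw = base64.b64decode(fields["message"][0], validate=True)
    if fields.get("compressed", ["0"])[0] != "1":
        return raw
    # zlib header check (RFC 1950): the low nibble of the first byte is 8
    # (deflate) and the first two bytes, read as a 16-bit value, are a
    # multiple of 31. The 0x78 0xDA pair from the answer satisfies both.
    if len(raw) < 2 or raw[0] & 0x0F != 8 or ((raw[0] << 8) | raw[1]) % 31:
        raise ValueError("message does not start with a zlib header")
    # Inflate with a bound so a hostile body cannot expand without limit.
    inflater = zlib.decompressobj()
    out = inflater.decompress(raw, MAX_OUTPUT + 1)
    if len(out) > MAX_OUTPUT or not inflater.eof:
        raise ValueError("zlib stream is truncated or larger than the cap")
    return out


def build_sample_body(plaintext: bytes) -> str:
    """Build a constructed body in the same shape as the captured request."""
    packed = base64.b64encode(zlib.compress(plaintext, 9)).decode("ascii")
    return urlencode({"message": packed, "compressed": "1", "format": "json"})


if __name__ == "__main__":
    # Constructed sample payload, not data from the capture above.
    sample = b'{"events": [{"name": "constructed_event", "time": 0}]}'
    print(decode_message(build_sample_body(sample)).decode("utf-8"))
```

To decode a real capture, pass the request body (everything after the blank line that ends the headers) to `decode_message` as a single string with no line breaks.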