3
HITCTF 2020 蓝牙原始数据解析
source link: https://xuanxuanblingbling.github.io/wireless/ble/2020/12/09/hitctfmisc/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
HITCTF 2020 蓝牙原始数据解析
发表于 2020-12-09
| 分类于 Wireless/BLE
给出了非常长的01串,并告知这是用ubertooth抓到的原始数据,其中含有蓝牙的广播报文,请解析报文。
- 附件:sniff.pcap
- 提示flag格式如下:
flag1=HITCTF2020{hex(payload).lower()}
flag2=HITCTF2020{(bluetooth device name + crc code).lower().replace_all('/( \+")/',"")
根据BLE的前导码,以及crc校验确定有效数据包,其中:
- BLE的前导码有两种:
01010101和10101010 - crc校验可以使用
pwntools的pwnlib.util.crc.crc_24_ble
from pwn import *
rawbit = '100000011011110100111011001000110010110001001010011110101100011110010101100101011101000111100000110111100111010010101010011110011011000001001101000000001010011000000101100000010000001100011101011100111000001001000100000101011000100010101010100001100101110010011001010011101101001011111001011101101001011101111100110111101101001010000010110101110001100111000100010001000011001110000101111110110001111000001110111110100001001111000110001001100101010101010011001000110010011101101011000101000110101010001001100011100110110011010001000011101100111100110011000100010000001100101001111111100110000101000011101001101110010010100100100011000001111000011011100111100011100110110101110100111011100100001010000110011111100011110101101001001101000100100111011001011100010011101111010100101010110010111110000101011011011100000010010001010111001011111001010110010000100010100100101001111000100101011010010101100010001011110100001011110001101101001100010101101010001010000101101000110001111100010100110010110100001110111001101001101010001011011010101100011010010011110111111001101000111001010100011100001010000010111110000110000110100011101011101111000010011111100111011001001111011010111000110111011100110010001000101100101111100101010111111001011011100001100011110101101000100000010101010010101000011001100000100010000110101110001101100110101000111110010000111011010010110000011100000100100110100000010111101010010000110001010011100111011111011000001111100011111110011100101111011110100001101000001111011101010111010010110101010110001010000011110001010000100110110000010011110000000111110101011101110000101101011010010111011000011110000100100001001011011100010100010010011100111111001111101001011010010110110000101010110001001011110011100000011100000010011100111100000001010000001001000000010110111100111110101010001010110000101010111111011101000101111001110101101000110111011001100110001100000110101001110000000101011001000111001110010000100011111011110101010011111001110001111110000000000110000010001100100011010011110010101100011010010110010011100001000011100001100011001010010000110000110011100111100010001011101000000000010010000100111011010100110101000010000000010110001110000101001010010010100100011100000000100111011101011100110010001001001000111010000100010100000000110011110101010010011001011010111011011100001000100101010100011001110011001010111101110010111010101001001101000110001110011011011110111010111001110011000010010010001010001000010011001010101100011011100001100001100110001000011101010111000101011000010011010101001000001101011100011101111010110100111001111011101001011001010101101111000100101100010101100010101011001110110111000001010111000111001100100101110100001010000101110001110010010010001111011100010011011111110001010101100001111011011010001111000000101001101011000110100000110001001101100011001010011011100000101111000011100011100001110010011111010011010100101110111111100100011101011001000010010000001000110100110101110101010010111010101010000110001111101000010010001111100110100000101011110111000011000011001100011100001101100010101110010010110110010111100011010100011011101101100101111000010101010000010101010111010101110111110100101101100000111010001001010110011010111101110010110101001001010011000011100101000000111011001011100101110100101101111110101010000010000111001001110010011010101110101101101000001011110010011011101100011001100100000001101001100101010110110000100001100101101001011101001111000011111110111100010101111111011101010101011010110111110110010001011100010000001010000100101100001100011000101000100000110101110100011011111100001001000000100010101001101100111010010110111001100111011010100110010011100000010010110010111101101010111011001110101001101100000010011000010000111100000001000000100000001010000011000000110000000100100000011000010001101001001110111010001011001111000011100100100010010011100001111110001100100110110110111011100000110010101000110100101010100110100110000001110000011111111010000101000001010101101011010001001101000001001111001011010101010010000101011111011100100000000100001001100100000010000001101111010011101100100011001011000100101001111010110001111001010110010101110100011110000011011110011101001010101001111001101100000100110100000000101001100000010110000001000000110001110101110011100000100100010000010101100010001010101010000110010111001001100101001110110100101111100101110110100101110111110011011110110100101000001011010111000110011100010001000100001100111000010111111011000111100000111011111010000100111100011000100110010101010101001100100011001001110110101100010100011010101000100110001110011011001101000100001110110011110011001100010001000000110010100111111110000011011110100111011001000110010110001001010011110101100011110010101100101011101000111100000110111100111010010101010011110011011000001001101000000001010011000000101100000010000001100011101011100111000001001000100000101011000100010101010100001100101110010011001010011101101001011111001011101101001011101111100110111101101001010000010110101110001100111000100010001000011001110000101111110110001111000001110111110100001001111000110001001100101010101010011001000110010011101101011000101000110101010001001100011100110110011010001000011101100111100110011000100010000001100101001111111100110000101000011101001101110010010100100100011000001111000011011100111100011100110110101110100111011100100001010000110011111100011110101101001001101000100100111011'
def find_all(sub,s):
index_list = []
index = s.find(sub)
while index != -1:
index_list.append(index)
index = s.find(sub,index+1)
if len(index_list) > 0:
return index_list
else:
return -1
def print_hex(a):
c= ''
for i in range(len(a)/8):
c += chr(int(a[i*8:(i+1)*8][::-1],2))
return c.encode("hex")
def find_ble_package(pre,data):
index = find_all(pre,data)
for i in index:
prehead = print_hex(data[i:i+40])
head = print_hex(data[i+40:i+48])
l = print_hex(data[i+48:i+56])
l0 = int(str(l),16)&0x3f ; l1 = l0*8
d = print_hex(data[i+56:i+56+l1])
crc = print_hex(data[i+56+l1:i+56+l1+24])
crc_data = head + l + d
check_crc = hex(pwnlib.util.crc.crc_24_ble(crc_data.decode("hex")))
if(check_crc[2:4] == crc[4:6]):
print "--------------------------------------------"
print "package : " + prehead + head + l + d + crc
print "head : " + prehead
print "PDU head : " + head
print "PDU len : " + l
print "PDU data : " + d
print "crc : " + crc
print "crc_check: "+ (check_crc[2:])
print "--------------------------------------------"
find_ble_package('01010101',rawbit)
find_ble_package('10101010',rawbit)
确定后只有一个有效数据包:
package : aad6be898e40210d6314c1bad80f0944657369676e6572204d6f7573650319c2030201050303121862c95d
head : aad6be898e
PDU head : 40
PDU len : 21
PDU data : 0d6314c1bad80f0944657369676e6572204d6f7573650319c20302010503031218
crc : 62c95d
crc_check: 5dc962
HITCTF2020{humaninterfacedevice5dc962}
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK