HITCTF 2020 蓝牙原始数据解析

发表于 | 分类于 |

给出了非常长的01串,并告知这是用ubertooth抓到的原始数据,其中含有蓝牙的广播报文,请解析报文。

flag1=HITCTF2020{hex(payload).lower()}
flag2=HITCTF2020{(bluetooth device name + crc code).lower().replace_all('/( \+")/',"")

根据BLE的前导码,以及crc校验确定有效数据包,其中:

  1. BLE的前导码有两种:0101010110101010
  2. crc校验可以使用pwntoolspwnlib.util.crc.crc_24_ble
from pwn import *
rawbit = '100000011011110100111011001000110010110001001010011110101100011110010101100101011101000111100000110111100111010010101010011110011011000001001101000000001010011000000101100000010000001100011101011100111000001001000100000101011000100010101010100001100101110010011001010011101101001011111001011101101001011101111100110111101101001010000010110101110001100111000100010001000011001110000101111110110001111000001110111110100001001111000110001001100101010101010011001000110010011101101011000101000110101010001001100011100110110011010001000011101100111100110011000100010000001100101001111111100110000101000011101001101110010010100100100011000001111000011011100111100011100110110101110100111011100100001010000110011111100011110101101001001101000100100111011001011100010011101111010100101010110010111110000101011011011100000010010001010111001011111001010110010000100010100100101001111000100101011010010101100010001011110100001011110001101101001100010101101010001010000101101000110001111100010100110010110100001110111001101001101010001011011010101100011010010011110111111001101000111001010100011100001010000010111110000110000110100011101011101111000010011111100111011001001111011010111000110111011100110010001000101100101111100101010111111001011011100001100011110101101000100000010101010010101000011001100000100010000110101110001101100110101000111110010000111011010010110000011100000100100110100000010111101010010000110001010011100111011111011000001111100011111110011100101111011110100001101000001111011101010111010010110101010110001010000011110001010000100110110000010011110000000111110101011101110000101101011010010111011000011110000100100001001011011100010100010010011100111111001111101001011010010110110000101010110001001011110011100000011100000010011100111100000001010000001001000000010110111100111110101010001010110000101010111111011101000101111001110101101000110111011001100110001100000110101001110000000101011001000111001110010000100011111011110101010011111001110001111110000000000110000010001100100011010011110010101100011010010110010011100001000011100001100011001010010000110000110011100111100010001011101000000000010010000100111011010100110101000010000000010110001110000101001010010010100100011100000000100111011101011100110010001001001000111010000100010100000000110011110101010010011001011010111011011100001000100101010100011001110011001010111101110010111010101001001101000110001110011011011110111010111001110011000010010010001010001000010011001010101100011011100001100001100110001000011101010111000101011000010011010101001000001101011100011101111010110100111001111011101001011001010101101111000100101100010101100010101011001110110111000001010111000111001100100101110100001010000101110001110010010010001111011100010011011111110001010101100001111011011010001111000000101001101011000110100000110001001101100011001010011011100000101111000011100011100001110010011111010011010100101110111111100100011101011001000010010000001000110100110101110101010010111010101010000110001111101000010010001111100110100000101011110111000011000011001100011100001101100010101110010010110110010111100011010100011011101101100101111000010101010000010101010111010101110111110100101101100000111010001001010110011010111101110010110101001001010011000011100101000000111011001011100101110100101101111110101010000010000111001001110010011010101110101101101000001011110010011011101100011001100100000001101001100101010110110000100001100101101001011101001111000011111110111100010101111111011101010101011010110111110110010001011100010000001010000100101100001100011000101000100000110101110100011011111100001001000000100010101001101100111010010110111001100111011010100110010011100000010010110010111101101010111011001110101001101100000010011000010000111100000001000000100000001010000011000000110000000100100000011000010001101001001110111010001011001111000011100100100010010011100001111110001100100110110110111011100000110010101000110100101010100110100110000001110000011111111010000101000001010101101011010001001101000001001111001011010101010010000101011111011100100000000100001001100100000010000001101111010011101100100011001011000100101001111010110001111001010110010101110100011110000011011110011101001010101001111001101100000100110100000000101001100000010110000001000000110001110101110011100000100100010000010101100010001010101010000110010111001001100101001110110100101111100101110110100101110111110011011110110100101000001011010111000110011100010001000100001100111000010111111011000111100000111011111010000100111100011000100110010101010101001100100011001001110110101100010100011010101000100110001110011011001101000100001110110011110011001100010001000000110010100111111110000011011110100111011001000110010110001001010011110101100011110010101100101011101000111100000110111100111010010101010011110011011000001001101000000001010011000000101100000010000001100011101011100111000001001000100000101011000100010101010100001100101110010011001010011101101001011111001011101101001011101111100110111101101001010000010110101110001100111000100010001000011001110000101111110110001111000001110111110100001001111000110001001100101010101010011001000110010011101101011000101000110101010001001100011100110110011010001000011101100111100110011000100010000001100101001111111100110000101000011101001101110010010100100100011000001111000011011100111100011100110110101110100111011100100001010000110011111100011110101101001001101000100100111011'

def find_all(sub,s):
    	index_list = []
	index = s.find(sub)
	while index != -1:
		index_list.append(index)
		index = s.find(sub,index+1)
	if len(index_list) > 0:
		return index_list
	else:
		return -1

def print_hex(a):
    c= ''
    for i in range(len(a)/8):
        c += chr(int(a[i*8:(i+1)*8][::-1],2))
    return c.encode("hex")

def find_ble_package(pre,data):
    index = find_all(pre,data)
    for i in index:
        prehead = print_hex(data[i:i+40])
        head = print_hex(data[i+40:i+48])
        l = print_hex(data[i+48:i+56])
        l0 = int(str(l),16)&0x3f ; l1 = l0*8
        d = print_hex(data[i+56:i+56+l1])
        crc = print_hex(data[i+56+l1:i+56+l1+24])
        crc_data = head + l + d
        check_crc = hex(pwnlib.util.crc.crc_24_ble(crc_data.decode("hex")))

        if(check_crc[2:4] == crc[4:6]):
            print "--------------------------------------------"
            print "package  : " + prehead + head + l + d + crc
            print "head     : " + prehead
            print "PDU head : " + head
            print "PDU len  : " + l
            print "PDU data : " + d
            print "crc      : " + crc
            print "crc_check: "+ (check_crc[2:])
    print "--------------------------------------------"

find_ble_package('01010101',rawbit)
find_ble_package('10101010',rawbit)

确定后只有一个有效数据包:

package  : aad6be898e40210d6314c1bad80f0944657369676e6572204d6f7573650319c2030201050303121862c95d
head     : aad6be898e
PDU head : 40
PDU len  : 21
PDU data : 0d6314c1bad80f0944657369676e6572204d6f7573650319c20302010503031218
crc      : 62c95d
crc_check: 5dc962

HITCTF2020{humaninterfacedevice5dc962}