Extracting payload from raw hex - perl

I'm currently trying to extract the raw payload from an ICMP packet.
I've managed to trim it down to the format I like (without the first 5 characters on each line and without the ....... stuff).
Original format:
0000 ca fe 00 00 ba be de ad 00 00 be ef 08 00 45 00 ..............E.
0010 00 4c 00 01 00 00 40 01 9b 48 c0 a8 01 c8 b9 f5 .L....#..H......
0020 63 02 08 00 10 b4 00 00 00 00 50 4b 03 04 14 00 c.........PK....
0030 09 00 08 00 92 ac 88 51 e2 f5 38 a1 6d 70 03 00 .......Q..8.mp..
0040 94 72 03 00 08 00 1c 00 66 6c 61 67 2e 6a 70 67 .r......thing.jpg
0050 55 54 09 00 03 d3 e3 cf 5f e7 UT......_.
Scripts:
awk '{x="";x=substr($0,5,50);gsub(/ +/,"",x);print x}' nontrimmed.txt > raw.txt
tr -d "\n" < raw.txt > newraw.txt
Result:
cafe0000babedead0000beef08004500004c0001000040019b48c0a801c8b9f56302080010b400000000504b030414000900080092ac8851e2f538a16d7003009472030008001c00666c61672e6a70675554090003d3e3cf5fe7cafe0000babedead0000beef08004500004c0001000040019b48c0a801c8b9f5630208005b5000000000e3cf5f75780b000104e803000004e80300003bc... etc.
However, I'd like to get a specific number of bytes every x characters, i.e. this:
ca fe 00 00 ba be de ad 00 00 be ef 08 00 45 00
00 4c 00 01 00 00 40 01 9b 48 c0 a8 01 c8 b9 f5
63 02 08 00 10 b4 00 00 00 00 50 4b 03 04 14 00
09 00 08 00 92 ac 88 51 e2 f5 38 a1 6d 70 03 00
94 72 03 00 08 00 1c 00 66 6c 61 67 2e 6a 70 67
55 54 09 00 03 d3 e3 cf 5f e7
Would become this:
504b030414000900080092ac8851e2f538a16d7003009472030008001c00666c61672e6a70675554090003d3e3cf5fe7
Instead of this:
cafe0000babedead0000beef08004500004c0001000040019b48c0a801c8b9f56302080010b400000000504b030414000900080092ac8851e2f538a16d7003009472030008001c00666c61672e6a70675554090003d3e3cf5fe7cafe0000babedead0000beef08004500004c0001000040019b48c0a801c8b9f5630208005b5000000000e3cf5f75780b000104e803000004e80300003bc... etc.
But for multiple different ones of the same format:
0000 ca fe 00 00 ba be de ad 00 00 be ef 08 00 45 00 ..............E.
0010 00 4c 00 01 00 00 40 01 9b 48 c0 a8 01 c8 b9 f5 .L....#..H......
0020 63 02 08 00 10 b4 00 00 00 00 50 4b 03 04 14 00 c.........PK....
0030 09 00 08 00 92 ac 88 51 e2 f5 38 a1 6d 70 03 00 .......Q..8.mp..
0040 94 72 03 00 08 00 1c 00 66 6c 61 67 2e 6a 70 67 .r......flag.jpg
0050 55 54 09 00 03 d3 e3 cf 5f e7 UT......_.
0000 ca fe 00 00 ba be de ad 00 00 be ef 08 00 45 00 ..............E.
0010 00 4c 00 01 00 00 40 01 9b 48 c0 a8 01 c8 b9 f5 .L....#..H......
0020 63 02 08 00 5b 50 00 00 00 00 e3 cf 5f 75 78 0b c...[P......_ux.
0030 00 01 04 e8 03 00 00 04 e8 03 00 00 3b c1 7d b7 ............;.}.
0040 30 0b ce 53 1e 99 d2 3a 1b 83 4c 7c be cd ef fa 0..S...:..L|....
0050 54 86 4d 24 19 58 c5 a9 b1 4d T.M$.X...M
0000 ca fe 00 00 ba be de ad 00 00 be ef 08 00 45 00 ..............E.
0010 00 4c 00 01 00 00 40 01 9b 48 c0 a8 01 c8 b9 f5 .L....#..H......
0020 63 02 08 00 3e f4 00 00 00 00 dd 56 4c 00 11 bf c...>......VL...
0030 42 22 2a 52 86 75 01 0a e2 90 90 f5 2b ec d0 67 B"*R.u......+..g
0040 74 5a 17 70 05 b6 27 35 21 cf 98 fb a2 5e 82 a8 tZ.p..'5!....^..
0050 56 f9 05 05 3d 3e 80 3f 68 23 V...=>.?h#
Any ideas? Thanks!

Is this what you're trying to do?
$ awk -v OFS= '{$1=$NF=""; x=x $0} END{print substr(x,85)}' file
504b030414000900080092ac8851e2f538a16d7003009472030008001c00666c61672e6a70675554090003d3e3cf5fe7
The above was run against your "Original format" input file:
$ cat file
0000 ca fe 00 00 ba be de ad 00 00 be ef 08 00 45 00 ..............E.
0010 00 4c 00 01 00 00 40 01 9b 48 c0 a8 01 c8 b9 f5 .L....#..H......
0020 63 02 08 00 10 b4 00 00 00 00 50 4b 03 04 14 00 c.........PK....
0030 09 00 08 00 92 ac 88 51 e2 f5 38 a1 6d 70 03 00 .......Q..8.mp..
0040 94 72 03 00 08 00 1c 00 66 6c 61 67 2e 6a 70 67 .r......thing.jpg
0050 55 54 09 00 03 d3 e3 cf 5f e7 UT......_.
If your input file can contain multiple records then:
$ awk -v OFS= '{$1=$NF=""; $0=$0; x=x $0} !NF{print substr(x,85); x=""} END{print substr(x,85)}' file
504b030414000900080092ac8851e2f538a16d7003009472030008001c00666c61672e6a70675554090003d3e3cf5fe7
e3cf5f75780b000104e803000004e80300003bc17db7300bce531e99d23a1b834c7cbecdeffa54864d241958c5a9b14d
dd564c0011bf42222a528675010ae29090f52becd067745a177005b6273521cf98fba25e82a856f905053d3e803f6823
That second script was run against the block of 3 records under "But for multiple different ones of the same format:" at the end of your question, but you didn't provide the expected output for it, so I don't know if that's the expected output or not:
0000 ca fe 00 00 ba be de ad 00 00 be ef 08 00 45 00 ..............E.
0010 00 4c 00 01 00 00 40 01 9b 48 c0 a8 01 c8 b9 f5 .L....#..H......
0020 63 02 08 00 10 b4 00 00 00 00 50 4b 03 04 14 00 c.........PK....
0030 09 00 08 00 92 ac 88 51 e2 f5 38 a1 6d 70 03 00 .......Q..8.mp..
0040 94 72 03 00 08 00 1c 00 66 6c 61 67 2e 6a 70 67 .r......flag.jpg
0050 55 54 09 00 03 d3 e3 cf 5f e7 UT......_.
0000 ca fe 00 00 ba be de ad 00 00 be ef 08 00 45 00 ..............E.
0010 00 4c 00 01 00 00 40 01 9b 48 c0 a8 01 c8 b9 f5 .L....#..H......
0020 63 02 08 00 5b 50 00 00 00 00 e3 cf 5f 75 78 0b c...[P......_ux.
0030 00 01 04 e8 03 00 00 04 e8 03 00 00 3b c1 7d b7 ............;.}.
0040 30 0b ce 53 1e 99 d2 3a 1b 83 4c 7c be cd ef fa 0..S...:..L|....
0050 54 86 4d 24 19 58 c5 a9 b1 4d T.M$.X...M
0000 ca fe 00 00 ba be de ad 00 00 be ef 08 00 45 00 ..............E.
0010 00 4c 00 01 00 00 40 01 9b 48 c0 a8 01 c8 b9 f5 .L....#..H......
0020 63 02 08 00 3e f4 00 00 00 00 dd 56 4c 00 11 bf c...>......VL...
0030 42 22 2a 52 86 75 01 0a e2 90 90 f5 2b ec d0 67 B"*R.u......+..g
0040 74 5a 17 70 05 b6 27 35 21 cf 98 fb a2 5e 82 a8 tZ.p..'5!....^..
0050 56 f9 05 05 3d 3e 80 3f 68 23 V...=>.?h#
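The answer's substr(x,85) works because an Ethernet header (14 bytes), an IPv4 header without options (20 bytes) and an ICMP echo header (8 bytes) add up to 42 bytes, i.e. 84 hex characters. The script below is an added example, not code from the question or the answer: it reads the question's dump format, starts a new record whenever the offset column resets to 0000 (so no blank lines between records are needed), and locates the payload from the packet's own fields (EtherType, IHL, IP total length, protocol) rather than a fixed offset, so padding or a non-ICMP frame cannot silently end up in the output. The sample dump is the three records from the question.

```python
import re
import struct

# Sample input: the three ICMP records posted in the question, in the
# "offset, 16 hex bytes, ASCII column" format (copied from the question).
SAMPLE_DUMP = """\
0000 ca fe 00 00 ba be de ad 00 00 be ef 08 00 45 00 ..............E.
0010 00 4c 00 01 00 00 40 01 9b 48 c0 a8 01 c8 b9 f5 .L....#..H......
0020 63 02 08 00 10 b4 00 00 00 00 50 4b 03 04 14 00 c.........PK....
0030 09 00 08 00 92 ac 88 51 e2 f5 38 a1 6d 70 03 00 .......Q..8.mp..
0040 94 72 03 00 08 00 1c 00 66 6c 61 67 2e 6a 70 67 .r......flag.jpg
0050 55 54 09 00 03 d3 e3 cf 5f e7 UT......_.
0000 ca fe 00 00 ba be de ad 00 00 be ef 08 00 45 00 ..............E.
0010 00 4c 00 01 00 00 40 01 9b 48 c0 a8 01 c8 b9 f5 .L....#..H......
0020 63 02 08 00 5b 50 00 00 00 00 e3 cf 5f 75 78 0b c...[P......_ux.
0030 00 01 04 e8 03 00 00 04 e8 03 00 00 3b c1 7d b7 ............;.}.
0040 30 0b ce 53 1e 99 d2 3a 1b 83 4c 7c be cd ef fa 0..S...:..L|....
0050 54 86 4d 24 19 58 c5 a9 b1 4d T.M$.X...M
0000 ca fe 00 00 ba be de ad 00 00 be ef 08 00 45 00 ..............E.
0010 00 4c 00 01 00 00 40 01 9b 48 c0 a8 01 c8 b9 f5 .L....#..H......
0020 63 02 08 00 3e f4 00 00 00 00 dd 56 4c 00 11 bf c...>......VL...
0030 42 22 2a 52 86 75 01 0a e2 90 90 f5 2b ec d0 67 B"*R.u......+..g
0040 74 5a 17 70 05 b6 27 35 21 cf 98 fb a2 5e 82 a8 tZ.p..'5!....^..
0050 56 f9 05 05 3d 3e 80 3f 68 23 V...=>.?h#
"""

# offset column, then 1..16 two-digit hex bytes; the match stops at the first
# token that is not exactly two hex digits, which drops the ASCII column.
# (A short last line whose ASCII column happens to start with two hex-looking
# characters would be over-read; the IP total length below bounds that anyway.)
DUMP_LINE = re.compile(r'^([0-9A-Fa-f]{4})((?:\s+[0-9A-Fa-f]{2}){1,16})')


def parse_records(dump):
    """Split a hexdump into frames: a new frame starts when the offset resets to 0."""
    frames, cur = [], bytearray()
    for line in dump.splitlines():
        m = DUMP_LINE.match(line.strip())
        if not m:
            continue
        if int(m.group(1), 16) == 0 and cur:
            frames.append(bytes(cur))
            cur = bytearray()
        cur += bytes.fromhex(''.join(m.group(2).split()))
    if cur:
        frames.append(bytes(cur))
    return frames


def icmp_payload(frame):
    """Return the ICMP payload of an Ethernet/IPv4/ICMP frame, or None if the
    frame is something else. Every length is taken from the packet itself."""
    if len(frame) < 34:
        return None
    if struct.unpack('!H', frame[12:14])[0] != 0x0800:   # EtherType IPv4
        return None
    ip = frame[14:]
    ver_ihl = ip[0]
    ihl = (ver_ihl & 0x0F) * 4
    total_len = struct.unpack('!H', ip[2:4])[0]
    proto = ip[9]
    if ver_ihl >> 4 != 4 or ihl < 20 or proto != 1 or total_len > len(ip):
        return None
    icmp = ip[ihl:total_len]      # bounded by the IP total length, not by the dump
    if len(icmp) < 8:
        return None
    return icmp[8:]               # type, code, checksum, identifier, sequence = 8 bytes


def extract_payloads(dump):
    """Hex string of the ICMP payload of every ICMP frame in the dump, in order."""
    out = []
    for frame in parse_records(dump):
        payload = icmp_payload(frame)
        if payload is not None:
            out.append(payload.hex())
    return out


if __name__ == '__main__':
    for hexstr in extract_payloads(SAMPLE_DUMP):
        print(hexstr)
```

The first payload starts with 50 4b 03 04, the ZIP local file header signature that the ASCII column shows as PK; concatenating the payloads of all fragments in capture order is the next step for recovering the file.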

Related

Address of segment descriptor

All values are in the hexadecimal number system. On a Pentium in protected mode, the registers have the following values: LDTR = 06000000, GDTR = 08000000, CR3 = 10000000, DS = 14, CS = 0034, CR0 = 00000001.
If an instruction (e.g. MOV AL, [2A66]) accesses the logical address 2A66, what physical address does it access? At what address is the segment descriptor located? The current memory contents, at absolute addresses, are:
........
06000000 CD 20 FF 9F 00 9A EE FE 1D F0 4F 03 22 05 8A 03
06000010 22 05 17 03 22 93 0D 04 01 01 01 00 02 FF FF FF
.........
08000000 CA 20 FF 9F 00 9A E3 FE 1D F2 4F 08 23 05 8A 07
08000010 26 05 19 03 22 05 0D 04 01 02 01 00 02 FF FA FF
.........
10000020 3A 56 21 40 2A 38 42 18 2A 56 42 40 8E 48 42 18
10000030 2A 36 42 40 9A 48 42 18 7A 56 42 20 8E 48 42 18
10000040 23 60 42 40 4E A8 42 18 5A 56 42 40 8E 48 42 18
.........
40426860 C6 06 23 99 00 80 3E 1D 96 00 74 03 E9 99 00 E8
40426870 A6 01 E8 FF 03 75 19 80 3E C4 98 00 34 00 AD 0A
40426880 13 96 00 BA E9 89 75 03 E9 17 01 C6 06 1F 99 01
40426890 B8 00 6C BE 08 98 BB 21
.........
C6011D70 C6 06 23 99 00 80 3E 1D 96 00 74 03 E9 99 00 E8
C6011D80 A6 01 E8 FF 03 75 19 80 3E C4 98 00 34 00 AD 0A
C6011D90 13 96 00 BA E9 89 75 03 E9 17 01 C6 06 1F 99 01
Could you give me some guidelines on what the problem is here and what I need to know to solve it? Operating systems and registers are new to me, so I don't know what I'm supposed to do here. I don't even know where I should start.
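The mechanics the exercise relies on are the selector split (index, table indicator, RPL), the 8-byte descriptor layout and the fact that with CR0 = 00000001 only PE is set, so paging is off and a linear address is the physical address. The script below is an added example, not an answer key: it decodes a descriptor from the dump in the question and translates selector:offset. It follows the question's wording in treating LDTR and GDTR as table base addresses (a real LDTR holds a selector, so that is an assumption), it does not check the table limits, and it does not model expand-down limit semantics.

```python
import struct

# Memory windows constructed from the dump in the question (absolute addresses):
# 32 bytes at the LDT base (LDTR = 06000000) and 32 bytes at the GDT base (GDTR = 08000000).
MEMORY = {
    0x06000000: bytes.fromhex('CD20FF9F009AEEFE1DF04F0322058A03'
                              '2205170322930D0401010100 02FFFFFF'.replace(' ', '')),
    0x08000000: bytes.fromhex('CA20FF9F009AE3FE1DF24F0823058A07'
                              '26051903220 50D0401020100 02FFFAFF'.replace(' ', '')),
}


def read_phys(addr, n):
    """Read n bytes from the dumped windows; raise if the address is not shown."""
    for base, blob in MEMORY.items():
        if base <= addr and addr + n <= base + len(blob):
            return blob[addr - base:addr - base + n]
    raise ValueError(f'address {addr:08X} is not in the dump')


def split_selector(sel):
    # bits 15..3 index, bit 2 table indicator (0 = GDT, 1 = LDT), bits 1..0 RPL
    return {'index': sel >> 3, 'ti': (sel >> 2) & 1, 'rpl': sel & 3}


def descriptor_address(sel, gdtr_base, ldtr_base):
    s = split_selector(sel)
    table_base = ldtr_base if s['ti'] else gdtr_base
    return table_base + s['index'] * 8


def decode_descriptor(raw):
    """Decode an 8-byte segment descriptor as stored in memory (little-endian)."""
    limit_lo, base_lo, base_mid, access, flags_limit, base_hi = struct.unpack('<HHBBBB', raw)
    base = (base_hi << 24) | (base_mid << 16) | base_lo
    limit = ((flags_limit & 0x0F) << 16) | limit_lo
    granularity_4k = bool(flags_limit & 0x80)
    if granularity_4k:                      # G set: limit counts 4 KiB pages
        limit = (limit << 12) | 0xFFF
    present = bool(access & 0x80)
    dpl = (access >> 5) & 3
    system = not (access & 0x10)            # S bit clear = system descriptor
    seg_type = access & 0x0F
    if system:
        kind = f'system type {seg_type:#x}'
    elif seg_type & 0x8:
        kind = 'code' + (', conforming' if seg_type & 4 else '') \
               + (', readable' if seg_type & 2 else '') + (', accessed' if seg_type & 1 else '')
    else:
        kind = 'data' + (', expand-down' if seg_type & 4 else '') \
               + (', writable' if seg_type & 2 else '') + (', accessed' if seg_type & 1 else '')
    return {'base': base, 'limit': limit, 'present': present, 'dpl': dpl,
            'kind': kind, 'granularity_4k': granularity_4k}


def translate(sel, offset, gdtr_base, ldtr_base, cr0):
    """Logical address (selector:offset) -> linear -> physical (only when CR0.PG is clear)."""
    desc_addr = descriptor_address(sel, gdtr_base, ldtr_base)
    desc = decode_descriptor(read_phys(desc_addr, 8))
    if not desc['present']:
        raise ValueError('segment not present (#NP)')
    if offset > desc['limit']:
        raise ValueError('offset exceeds segment limit (#GP)')
    linear = (desc['base'] + offset) & 0xFFFFFFFF
    paging = bool(cr0 & 0x80000000)         # PG is bit 31; PE is bit 0
    return {'table': 'LDT' if split_selector(sel)['ti'] else 'GDT',
            'descriptor_address': desc_addr, 'descriptor': desc,
            'linear': linear, 'physical': None if paging else linear}


if __name__ == '__main__':
    r = translate(0x14, 0x2A66, gdtr_base=0x08000000, ldtr_base=0x06000000, cr0=0x00000001)
    d = r['descriptor']
    print(f"{r['table']} descriptor at {r['descriptor_address']:08X}: "
          f"base {d['base']:08X}, limit {d['limit']:05X}, DPL {d['dpl']}, {d['kind']}")
    print(f"linear {r['linear']:08X}, physical {r['physical']:08X}")
```

If paging were enabled, the linear address would still have to be walked through the page directory at CR3 (the window at 10000020 in the dump); with CR0 = 00000001 that step does not apply.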

mitmproxy: HTTP request with nonexistent leading 0 in data

I am trying to use mitmproxy to look at the traffic from my Win32 SChannel TLS client. But when I try to use mitmproxy, the following messages throw a "Bad HTTP request line" error, with a leading 0 in the binary dump that does not exist in the data my client sends (I have checked with a small Python server).
"CONNECT www.example.com:443 HTTP/1.0\r\n\r\n"
"HTTP/1.0 200 Connection established\r\n\r\n"
Send Tls Client Hello:
16 03 03 00 AC 01 00 00 A8 03 03 5F 80 1A 2D F6 2A 59 DE 18
69 F0 BB 3C 2D 2B 11 90 F8 8C A7 F9 D7 96 CD DC 32 88 02 22
11 90 6A 00 00 2A C0 2C C0 2B C0 30 C0 2F 00 9F 00 9E C0 24
C0 23 C0 28 C0 27 C0 0A C0 09 C0 14 C0 13 00 9D 00 9C 00 3D
00 3C 00 35 00 2F 00 0A 01 00 00 55 00 00 00 14 00 12 00 00
0F 77 77 77 2E 65 78 61 6D 70 6C 65 2E 63 6F 6D 00 0A 00 08
00 06 00 1D 00 17 00 18 00 0B 00 02 01 00 00 0D 00 1A 00 18
08 04 08 05 08 06 04 01 05 01 02 01 04 03 05 03 02 03 02 02
06 01 06 03 00 23 00 00 00 17 00 00 FF 01 00 01 00
Bad HTTP request line: b"\x00\x16\x03\x03\x00\xac\x01\x00\x00\xa8\x03\x03_\x80\x17\xbd\x1f\xf3\x8fO\xddy\xfb\xaaR\x1c\xeb\xe0sdD\xb7}|\xeb\xbes\xdf$3\xb6\xd9\ry\x00\x00*\xc0,\xc0+\xc00\xc0/\x00\x9f\x00\x9e\xc0$\xc0#\xc0(\xc0'\xc0"
Now my question: is this just a lack of understanding on my part of how proxies and TLS work, or an error in mitmproxy?
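After "200 Connection established" a proxy decides from the very first bytes whether it is looking at a TLS record (content type 0x14..0x17, then version 3.x, then a length). The script below is an added example, not mitmproxy code: it applies that check and parses the ClientHello shown in the question (SNI, cipher suites, extensions). Fed the posted bytes, it parses cleanly; fed the same bytes with a 0x00 in front, as in the error line, the record check fails, which is consistent with the data then being parsed as an HTTP request line. The hex is the ClientHello from the question.

```python
import struct


def hexbytes(s):
    return bytes.fromhex(''.join(s.split()))


# Constructed input: the "Send Tls Client Hello" bytes from the question, verbatim.
CLIENT_HELLO = hexbytes("""
16 03 03 00 AC 01 00 00 A8 03 03 5F 80 1A 2D F6 2A 59 DE 18
69 F0 BB 3C 2D 2B 11 90 F8 8C A7 F9 D7 96 CD DC 32 88 02 22
11 90 6A 00 00 2A C0 2C C0 2B C0 30 C0 2F 00 9F 00 9E C0 24
C0 23 C0 28 C0 27 C0 0A C0 09 C0 14 C0 13 00 9D 00 9C 00 3D
00 3C 00 35 00 2F 00 0A 01 00 00 55 00 00 00 14 00 12 00 00
0F 77 77 77 2E 65 78 61 6D 70 6C 65 2E 63 6F 6D 00 0A 00 08
00 06 00 1D 00 17 00 18 00 0B 00 02 01 00 00 0D 00 1A 00 18
08 04 08 05 08 06 04 01 05 01 02 01 04 03 05 03 02 03 02 02
06 01 06 03 00 23 00 00 00 17 00 00 FF 01 00 01 00
""")

CONTENT_TYPES = {20: 'change_cipher_spec', 21: 'alert', 22: 'handshake', 23: 'application_data'}


def parse_record(data):
    """Validate and split one TLS record: (content type, (major, minor), fragment)."""
    if len(data) < 5:
        raise ValueError('fewer than 5 bytes')
    ctype, major, minor, length = struct.unpack('!BBBH', data[:5])
    if ctype not in CONTENT_TYPES or major != 3 or minor > 4:
        raise ValueError(f'bytes {data[:5].hex()} are not a TLS record header')
    if len(data) < 5 + length:
        raise ValueError('record truncated')
    return ctype, (major, minor), data[5:5 + length]


def parse_client_hello(fragment):
    """Parse a ClientHello handshake message out of a handshake record fragment."""
    htype, hlen = fragment[0], int.from_bytes(fragment[1:4], 'big')
    if htype != 1:
        raise ValueError('not a ClientHello')
    hs = fragment[4:4 + hlen]
    pos = 0
    version = hs[pos:pos + 2]; pos += 2
    random_bytes = hs[pos:pos + 32]; pos += 32
    sid_len = hs[pos]; pos += 1
    session_id = hs[pos:pos + sid_len]; pos += sid_len
    cs_len = struct.unpack('!H', hs[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack('!H', hs[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    comp_len = hs[pos]; pos += 1 + comp_len
    ext_len = struct.unpack('!H', hs[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    extensions, sni = {}, None
    while pos + 4 <= end:
        etype, elen = struct.unpack('!HH', hs[pos:pos + 4]); pos += 4
        edata = hs[pos:pos + elen]; pos += elen
        extensions[etype] = edata
        if etype == 0:            # server_name: list length(2), name type(1), name length(2), name
            name_len = struct.unpack('!H', edata[3:5])[0]
            sni = edata[5:5 + name_len].decode('ascii')
    return {'version': version.hex(), 'random': random_bytes.hex(), 'session_id': session_id.hex(),
            'cipher_suites': suites, 'sni': sni, 'extensions': sorted(extensions)}


def classify(data):
    """What the proxy sees in the first bytes after the CONNECT tunnel is up."""
    try:
        ctype, ver, _ = parse_record(data)
    except ValueError as err:
        return f'not TLS ({err})'
    return f'TLS {CONTENT_TYPES[ctype]} record, version {ver[0]}.{ver[1]}'


if __name__ == '__main__':
    print(classify(CLIENT_HELLO))
    hello = parse_client_hello(parse_record(CLIENT_HELLO)[2])
    print('SNI:', hello['sni'], '| suites:', [f'{s:04x}' for s in hello['cipher_suites']])
    print(classify(b'\x00' + CLIENT_HELLO))     # the stray leading byte from the error line
```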

How is this real number encoded?

Number in HEX is: 3EB8 EDFE 19FE
I know it means 16.131 in decimal, but I don't know how it's encoded.
I checked whether it's BCD, IEEE 754 or an integer, but none of those worked.
EDIT: It's from a PerkinElmer Clarus 400 chromatograph. This data contains time in minutes.
EDIT2: Here is part of parsed data, I only have one example:
Peak #  Component Name  Time [min]  Area [uV*sec]  ISTD Resp Ratio  ISTD Component Name  glycerol Amount
4       glicerol        3,823       52377,25       0,316            butanotriol          0,0159
5       butanotriol     5,267       165539,60      1,000            ----------
        suma mono       16,131      2086652,93     0,489            mono C19             0,4887
And here are the corresponding parts of the raw data:
67 6C 69 63 65 72 6F 6C FF FF FF FF 00 00 00 04 glicerol˙˙˙˙....
00 00 00 00 00 00 00 00 00 00 00 00 86 95 E6 F4 ............†•ćô
3F 40 7E AD 2D CE E1 7C 3F 90 47 23 62 CD D1 20 ?#~.-Îá|?.G#bÍŃ
3F 24 AB 9A DF CC 8E 91 3F D4 3F F2 F7 93 40 52
3F C9 6F 26 00 00 00 00 00 00 00 00 74 CB ED 69
40 0A 5A BC 13 46 09 AC 41 54 1A F3 A6 C3 FE 05
C0 A1 AB 83 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 0F 3B
00 00 0F 6D 00 00 0F D3 00 4A 28 80 00 7D BD 1A
00 4A 7E 4C 26 4A 16 A5 40 73 80 A7 00 00 00 00
40 73 C0 00 4B 83 8C 12 40 74 42 C7 CB 2C BB 1F
41 04 35 1C EA 62 D1 6A 40 DE 7D C4 00 00 00 00
00 00 00 07 00 00 00 80 00 00 00 67 00 00 00 81
00 00 00 00 00 00 00 78 00 00 00 00 00 00 00 00
00 00 00 0B 62 75 74 61 6E 6F 74 72 69 6F 6C 00 ....butanotriol.
FF FF FF FF FF FF FF FF 00 00 00 01 00 00 00 00 ˙˙˙˙˙˙˙˙........
00 00 00 00 8A 95 47 69 3F 5A 10 F0 00 00 00 00 ....Š•Gi?Z.đ....
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
3F F0 00 00 00 00 00 00 3F F0 00 00 00 00 00 00 ?đ......?đ......
00 00 00 00 A0 E8 FC 91 40 12 27 A5 BD 8C D6 B0
41 50 62 7A 34 5A FA AA 40 9C 49 2B 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 16 7C 00 00 16 E8 00 00 16 ED
00 4D 8C D8 03 B4 0E 0F 03 9D 5F AA C2 8F 5C 29
40 7C C8 F5 71 CB 11 FD 40 7D 53 58 56 D6 7F A3
40 7D 5A 4B EA 10 78 82 41 41 1C 1A 6D 3D 44 F7
41 1F E5 8C 00 00 00 01 00 00 00 02 00 00 00 6E
00 00 00 64 00 00 00 6F 00 00 00 00 00 00 00 72
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF
FF FF FF FF FF FF FF FF 00 00 00 00 00 00 00 00
88 30 F9 69 3F 96 12 04 84 DC 1A D0 40 01 F0 DF
47 2F E1 08 3F 96 C8 38 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
CD CA D9 96 40 1A F5 01 D4 4E 32 45 C1 78 D2 E7
74 5D 17 46 40 F0 7E 09 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 16 ED 00 00 16 F6 00 00 16 FA 03 9D 5F AA
03 F4 EA 71 03 E0 F9 FB 56 D6 7F A3 40 7D 5A 4B
88 CF 98 C1 40 7D 65 32 7A 5F 43 F9 40 7D 6A EC
E1 92 F1 30 41 21 24 D6 52 75 CC 80 41 21 20 40
00 00 00 01 00 00 00 02 00 00 00 6E 00 00 00 64
00 00 00 6F 00 00 00 00 00 00 00 72 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
73 75 6D 61 20 6D 6F 6E 6F 00 00 00 00 00 00 02 suma mono.......
00 00 00 01 51 EB 85 1F 40 8E 3E B8 ED FE 19 FE ....Që….#Ž>¸íţ.ţ
41 3F D6 FC F1 41 FD 57 41 18 42 2A 4A C8 FD 16 A?ÖüńAýWA.B*JČý.
41 3B 96 32 3C 2C 44 95 41 13 F2 D1 FF FF FF FF A;–2<,D•A.ňŃ˙˙˙˙
00 00 00 1E 00 00 00 02 69 85 75 9B 3F 94 89 17 ........i…u›?”‰.
08 08 4F F0 3F DF 47 16 39 EC E5 8C 3F 73 DB DD ..Ođ?ßG.9ěĺŚ?sŰÝ
08 08 4F EF 3F DF 47 16 08 08 4F F0 3F DF 47 16 ..Oď?ßG...Ođ?ßG.
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
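A technique that settles questions like this quickly is to slide an 8-byte window over the record and decode every position as an IEEE 754 double in both byte orders, keeping only values of plausible magnitude. The script below is an added example, not from the question. Applied to the "suma mono" record from the dump it finds, at offset 24, the big-endian double 40 8E 3E B8 ED FE 19 FE (the question quotes its last six bytes), which decodes to about 967.84; divided by 60 that is 16.131, the [min] value in the table, and the eight bytes right after it decode to 2086652.9, the Area column. The seconds-to-minutes relation and the field positions are inferences from those matches, not something documented on the page.

```python
import math
import struct


def hexbytes(s):
    return bytes.fromhex(''.join(s.split()))


# Constructed sample: the "suma mono" record from the question's dump (128 bytes, verbatim).
SUMA_MONO = hexbytes("""
73 75 6D 61 20 6D 6F 6E 6F 00 00 00 00 00 00 02
00 00 00 01 51 EB 85 1F 40 8E 3E B8 ED FE 19 FE
41 3F D6 FC F1 41 FD 57 41 18 42 2A 4A C8 FD 16
41 3B 96 32 3C 2C 44 95 41 13 F2 D1 FF FF FF FF
00 00 00 1E 00 00 00 02 69 85 75 9B 3F 94 89 17
08 08 4F F0 3F DF 47 16 39 EC E5 8C 3F 73 DB DD
08 08 4F EF 3F DF 47 16 08 08 4F F0 3F DF 47 16
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
""")


def decode_double(blob, offset, byteorder='>'):
    """IEEE 754 binary64 at the given offset; '>' big-endian, '<' little-endian."""
    return struct.unpack(byteorder + 'd', blob[offset:offset + 8])[0]


def find_doubles(blob, lo=1e-3, hi=1e8, byteorder='>', step=1):
    """Every offset whose next 8 bytes decode to a plausible double: finite and
    lo <= |value| <= hi. Arbitrary bytes mostly decode to absurd magnitudes, so
    the band removes most noise; step=1 also finds fields that are not 8-byte aligned."""
    hits = []
    for off in range(0, len(blob) - 7, step):
        value = decode_double(blob, off, byteorder)
        if math.isfinite(value) and lo <= abs(value) <= hi:
            hits.append((off, value))
    return hits


def name_field(blob, size=16):
    """Leading NUL-terminated ASCII name (this record starts with 'suma mono')."""
    return blob[:size].split(b'\x00', 1)[0].decode('ascii', errors='replace')


if __name__ == '__main__':
    print('record name:', name_field(SUMA_MONO))
    for byteorder in ('>', '<'):
        print(f'--- byte order {byteorder!r}')
        for off, value in find_doubles(SUMA_MONO, byteorder=byteorder):
            print(f'offset {off:3d}: {value:16.6f}   (/60 = {value / 60:.3f})')
```

Big-endian yields the table's numbers at offsets 24, 32 and 84; little-endian yields nothing that matches, which is how the byte order is established for the rest of the file.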

DESFire: getting 1E (INTEGRITY_ERROR) on changeKey and changeKeySettings

I'm trying to change a key and the key settings but always get the same error.
List of my commands:
-----Authenticate
Key: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Vector: 00 00 00 00 00 00 00 00
Command: 0A 00
Response: AF 8B 95 99 DC C7 71 F4 DB
RndB: 8B 95 99 DC C7 71 F4 DB
Decrypted RndB:3E 48 AA 0B D6 1F 2E EA
Shifted:48 AA 0B D6 1F 2E EA 3E
RndA: 5A AC 38 6E 0E 0B 80 F4
RndAB: 5A AC 38 6E 0E 0B 80 F4 48 AA 0B D6 1F 2E EA 3E
Encrypted RndAB:F7 69 E9 95 DF A2 3E A0 5D 5F 47 A9 6A 15 40 AD
Command: AF F7 69 E9 95 DF A2 3E A0 5D 5F 47 A9 6A 15 40 AD
Response: 00 1F 59 B1 E0 AC FC BD 3E
newRndA: 1F 59 B1 E0 AC FC BD 3E
decrypted newRndA: AC 38 6E 0E 0B 80 F4 5A
Session key: D9 1C AD FD 8D 2A 61 41 DA 5F 54 3C 7C EF 5D 37 D9 1C AD FD 8D 2A 61 41
-----ChangeKeySettings
Key: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Vector: 00 00 00 00 00 00 00 00
Session key: D9 1C AD FD 8D 2A 61 41 DA 5F 54 3C 7C EF 5D 37 D9 1C AD FD 8D 2A 61 41
New Key Setting
Crc: A9 09
Decrypted data: 0F 09 A9 00 00 00 00 00
Encrypted data: 68 31 80 24 AE 26 43 B5
Command: 54 68 31 80 24 AE 26 43 B5
Response: 1E 90 00
-----ChangeKey
Old Key: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Vector: 00 00 00 00 00 00 00 00
New key: 00 10 20 31 40 50 60 70 80 90 A0 B0 B0 A0 90 80
CRC: 89 FF
Cryptogram: 00 10 20 31 40 50 60 70 80 90 A0 B0 B0 A0 90 80 FF 89 00 00 00 00 00 00
CryptogramEcn: 95 6D E0 F8 8F 26 83 96 E6 5D 1C 88 9E 9D EA 89 9E 8D A5 61 19 F7 90 48
Command: C4 00 95 6D E0 F8 8F 26 83 96 E6 5D 1C 88 9E 9D EA 89 9E 8D A5 61 19 F7 90 48
Response: 1E 90 00
Encryption method is: 2K3DES
Q1: Is my CRC16 right?
Q2: Is my encryption right?
Q3: If yes, what is wrong?
I'm hoping for fast help.
Thank you
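The parts of a legacy-mode (D40, command 0A authentication) DESFire ChangeKey that can be checked offline are the CRC16, the session-key composition and the plaintext layout that goes into the cipher. The script below is an added example, not the poster's code and not a vendor library: it implements the CRC16 DESFire uses in legacy mode (ISO/IEC 14443-3 CRC_A: polynomial 0x8408, initial value 0x6363, no final XOR, appended low byte first), the two session-key derivations (a key whose two halves are equal is treated as single DES), and the ChangeKey plaintext for both the "same key as authenticated" and "different key" cases. The encryption step itself (legacy send-mode DES CBC chaining) needs a DES implementation and is not reproduced here. RndA, RndB and the new key are the values from the question.

```python
# Values from the question (constructed input for the example).
RND_A = bytes.fromhex('5AAC386E0E0B80F4')        # the poster's RndA
RND_B = bytes.fromhex('3E48AA0BD61F2EEA')        # the poster's decrypted RndB
NEW_KEY = bytes.fromhex('00102031405060708090A0B0B0A09080')


def desfire_crc16(data):
    """CRC16 used by DESFire in legacy mode: ISO/IEC 14443-3 CRC_A.
    Reflected polynomial 0x8408, initial value 0x6363, no final XOR."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b ^= (b << 4) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return crc


def crc16_bytes(data):
    """The CRC as the card expects it in a cryptogram: low byte first."""
    return desfire_crc16(data).to_bytes(2, 'little')


def is_effectively_single_des(key16):
    """A 16-byte key whose halves are equal behaves as single DES on the card."""
    return key16[:8] == key16[8:]


def session_key_legacy(rnd_a, rnd_b, key16):
    """Session key after a legacy authenticate (0A):
       single DES key: RndA[0:4] | RndB[0:4] | RndA[0:4] | RndB[0:4]
       2K3DES key:     RndA[0:4] | RndB[0:4] | RndA[4:8] | RndB[4:8]"""
    if is_effectively_single_des(key16):
        return (rnd_a[:4] + rnd_b[:4]) * 2
    return rnd_a[:4] + rnd_b[:4] + rnd_a[4:8] + rnd_b[4:8]


def change_key_plaintext(new_key, old_key=None):
    """Plaintext that is then encrypted for ChangeKey (C4), before the legacy CBC step.
       Same key as authenticated: newKey | CRC16(newKey) | zero pad to 8-byte boundary
       Different key:             (newKey XOR oldKey) | CRC16(xored) | CRC16(newKey) | pad"""
    if old_key is None:
        body = new_key + crc16_bytes(new_key)
    else:
        xored = bytes(a ^ b for a, b in zip(new_key, old_key))
        body = xored + crc16_bytes(xored) + crc16_bytes(new_key)
    return body + b'\x00' * ((-len(body)) % 8)


if __name__ == '__main__':
    zero_key = bytes(16)
    print('authenticated key is single DES:', is_effectively_single_des(zero_key))
    print('session key:', session_key_legacy(RND_A, RND_B, zero_key).hex())
    print('CRC16 of new key (int):', f'{desfire_crc16(NEW_KEY):04X}',
          '| appended as:', crc16_bytes(NEW_KEY).hex())
    print('ChangeKey plaintext (same key):', change_key_plaintext(NEW_KEY).hex())
    print('ChangeKey plaintext (other key):', change_key_plaintext(NEW_KEY, zero_key).hex())
```

The CRC routine is checked against the two example vectors in ISO/IEC 14443-3 Annex B (00 00 gives A0 1E, 12 34 gives 26 CF on the wire); compare the printed CRC and session key with the values in the log above.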

Parse the SCCP layer from a pcap file that contains the "sendAuthenticationInfo" packet

I have a pcap file that contains the sendAuthenticationInfo message.
I try to parse the SCCP layer from this packet using tshark.
I tried the following:
tshark.exe -r filter.pcap -T fields -e sccp > parse.bin
I know what the result should be from parsing manually in Wireshark; the result I get is much shorter and different from what I expected.
Original packet:
d4 c3 b2 a1 02 00 04 00 00 00 00 00 00 00 00 00
00 00 00 01 01 00 00 00 f0 52 7a 57 9a d7 00 00
ba 00 00 00 ba 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 08 00 45 00 00 ac 00 00 00 00 10 84
ab cc 7f 00 00 01 7f 00 00 01 0b 58 0b 59 00 00
48 23 01 f3 c7 60 00 03 00 8c 00 00 1f 7a 00 01
00 00 00 00 00 03 01 00 01 01 00 00 00 7c 02 10
00 72 00 00 04 3a 00 00 02 4e 03 02 00 04 09 80
03 0e 19 0b 12 06 00 11 04 79 52 14 02 10 07 0b
12 07 00 12 04 44 87 92 97 01 08 44 62 42 48 04
00 00 00 01 6b 1e 28 1c 06 07 00 11 86 05 01 01
01 a0 11 60 0f 80 02 07 80 a1 09 06 07 04 00 00
01 00 0e 03 6c 1a a1 18 02 01 01 02 01 38 30 10
80 08 24 05 01 77 03 84 35 f8 02 01 01 83 01 00
00 00
expected result:
09 80 03 0e 19 0b 12 06 00 11 04 79 52 14 02 10
07 0b 12 07 00 12 04 44 87 92 97 01 08 44 62 42
48 04 00 00 00 01 6b 1e 28 1c 06 07 00 11 86 05
01 01 01 a0 11 60 0f 80 02 07 80 a1 09 06 07 04
00 00 01 00 0e 03 6c 1a a1 18 02 01 01 02 01 38
30 10 80 08 24 05 01 77 03 84 35 f8 02 01 01 83
01 00
result I got:
73 63 63 70 0d 0a
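The six bytes that came back, 73 63 63 70 0d 0a, are the ASCII string "sccp" followed by CRLF: with -T fields, -e sccp names the protocol node and tshark prints that node's label, not the bytes it covers (tshark's -T jsonraw output format is the one that carries raw hex per dissected layer). The script below is an added example, not from the question: it walks the posted pcap without tshark (pcap record, Ethernet, IPv4, SCTP DATA chunk with PPID 3, M3UA Transfer/DATA message, Protocol Data parameter with service indicator 3) and returns the SCCP bytes, which are exactly the expected result above. The pcap bytes are the ones posted in the question.

```python
import struct


def hexbytes(s):
    return bytes.fromhex(''.join(s.split()))


# Constructed input: the pcap bytes posted in the question, verbatim (226 bytes).
PCAP = hexbytes("""
d4 c3 b2 a1 02 00 04 00 00 00 00 00 00 00 00 00
00 00 00 01 01 00 00 00 f0 52 7a 57 9a d7 00 00
ba 00 00 00 ba 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 08 00 45 00 00 ac 00 00 00 00 10 84
ab cc 7f 00 00 01 7f 00 00 01 0b 58 0b 59 00 00
48 23 01 f3 c7 60 00 03 00 8c 00 00 1f 7a 00 01
00 00 00 00 00 03 01 00 01 01 00 00 00 7c 02 10
00 72 00 00 04 3a 00 00 02 4e 03 02 00 04 09 80
03 0e 19 0b 12 06 00 11 04 79 52 14 02 10 07 0b
12 07 00 12 04 44 87 92 97 01 08 44 62 42 48 04
00 00 00 01 6b 1e 28 1c 06 07 00 11 86 05 01 01
01 a0 11 60 0f 80 02 07 80 a1 09 06 07 04 00 00
01 00 0e 03 6c 1a a1 18 02 01 01 02 01 38 30 10
80 08 24 05 01 77 03 84 35 f8 02 01 01 83 01 00
00 00
""")

SCCP_MESSAGE_TYPES = {0x09: 'UDT', 0x0A: 'UDTS', 0x11: 'XUDT', 0x12: 'XUDTS', 0x13: 'LUDT', 0x14: 'LUDTS'}


def pcap_frames(pcap):
    """Yield link-layer frames from a classic (libpcap) capture file."""
    magic = pcap[:4]
    if magic == b'\xd4\xc3\xb2\xa1':
        end = '<'                                   # written by a little-endian host
    elif magic == b'\xa1\xb2\xc3\xd4':
        end = '>'
    else:
        raise ValueError('not a classic pcap (pcapng and nanosecond variants not handled)')
    linktype = struct.unpack(end + 'I', pcap[20:24])[0]
    if linktype != 1:
        raise ValueError(f'link type {linktype}, expected Ethernet (1)')
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack(end + 'IIII', pcap[off:off + 16])
        yield pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len


def sctp_data_chunks(frame):
    """Yield (ppid, payload) for every SCTP DATA chunk in an Ethernet/IPv4 frame."""
    if len(frame) < 34 or struct.unpack('!H', frame[12:14])[0] != 0x0800:
        return
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack('!H', ip[2:4])[0]
    if ip[9] != 132:                                # IP protocol 132 = SCTP
        return
    sctp = ip[ihl:total_len]
    pos = 12                                        # skip the SCTP common header
    while pos + 4 <= len(sctp):
        ctype, _flags, clen = struct.unpack('!BBH', sctp[pos:pos + 4])
        if clen < 4:
            break
        if ctype == 0 and clen >= 16:               # DATA: TSN, stream id, stream seq, PPID
            _tsn, _sid, _ssn, ppid = struct.unpack('!IHHI', sctp[pos + 4:pos + 16])
            yield ppid, sctp[pos + 16:pos + clen]
        pos += (clen + 3) & ~3                      # chunks are padded to 4-byte multiples


def m3ua_sccp_payloads(m3ua):
    """Yield SCCP user data from an M3UA Transfer/DATA message (Protocol Data, SI = 3)."""
    version, _reserved, mclass, mtype, length = struct.unpack('!BBBBI', m3ua[:8])
    if version != 1 or (mclass, mtype) != (1, 1):
        return
    pos = 8
    while pos + 4 <= length:
        tag, plen = struct.unpack('!HH', m3ua[pos:pos + 4])
        if plen < 4:
            break
        if tag == 0x0210 and plen >= 16:            # Protocol Data: OPC, DPC, SI, NI, MP, SLS
            _opc, _dpc, si, _ni, _mp, _sls = struct.unpack('!IIBBBB', m3ua[pos + 4:pos + 16])
            if si == 3:                             # service indicator 3 = SCCP
                yield m3ua[pos + 16:pos + plen]
        pos += (plen + 3) & ~3                      # parameters are padded to 4-byte multiples


def sccp_from_pcap(pcap):
    out = []
    for frame in pcap_frames(pcap):
        for ppid, payload in sctp_data_chunks(frame):
            if ppid == 3:                           # payload protocol identifier 3 = M3UA
                out.extend(m3ua_sccp_payloads(payload))
    return out


def sccp_message_type(sccp):
    return SCCP_MESSAGE_TYPES.get(sccp[0], f'type {sccp[0]:#04x}')


if __name__ == '__main__':
    for msg in sccp_from_pcap(PCAP):
        print(sccp_message_type(msg), len(msg), 'bytes')
        print(msg.hex(' '))
```

The first SCCP byte, 09, is the UDT message type and 80 is protocol class 0 with the return-on-error option; the three pointer bytes 03 0e 19 then locate the called party address, calling party address and the TCAP data that carries sendAuthenticationInfo.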