《[CISCN 2022 初赛]ez_usb》

一、USB流量分析
1.USB UART：简单的将USB用于接收和发射数据。
2.USB HID：这一类通信适用于交互式，相关的设备有：键盘和鼠标
3.USB Memory：数据传输存储

键盘协议相关知识

键盘数据包长度为8个字节

第一个字节：代表特殊按键
第二个字节：是保留位
第三个字节~第八个字节：第三个字节是普通按键，第四个字节到第八个字节处理多键同时按的data值和具体键位关系。

二、题目分析
1.下载附件并进行解压，发现一个ez_usb.pcapng

2.使用wireshark打开，找含有到HID DATA的数据包，使用筛选命令usb.addr==“2.4.1”，usb.addr==“2.8.1”，usb.addr==“2.10.1”’进行筛选并点击**’文件‘**导出特殊组，其它的比如2.4.0没有HID DATA直接忽略

3.利用wireshark文件夹中的tshark.exe，使用下面命令将HID DATA提取出来，分别生成了111.txt、222.txt和333.txt文件

>tshark -r D:\edgedownload\ez_usb_aa5a121ba13f7e82d2df13af34ac3123\2_4_1.pcapng -Y usb.capdata -T fields -e usb.capdata >111.txt

4.由于111.txt中的数据只有7个字节，不是键盘的数据包，所以直接放弃，剩下我们只需要看222.txt和333.txt每行的第三个字节，利用脚本进行转换。

mappings = {0x04: "A", 0x05: "B", 0x06: "C", 0x07: "D", 0x08: "E", 0x09: "F", 0x0A: "G", 0x0B: "H", 0x0C: "I",0x0D: "J", 0x0E: "K", 0x0F: "L", 0x10: "M", 0x11: "N", 0x12: "O", 0x13: "P", 0x14: "Q", 0x15: "R",0x16: "S", 0x17: "T", 0x18: "U", 0x19: "V", 0x1A: "W", 0x1B: "X", 0x1C: "Y", 0x1D: "Z", 0x1E: "1",0x1F: "2", 0x20: "3", 0x21: "4", 0x22: "5", 0x23: "6", 0x24: "7", 0x25: "8", 0x26: "9", 0x27: "0",0x28: "n", 0x2a: "[DEL]", 0X2B: "    ", 0x2C: " ", 0x2D: "-", 0x2E: "=", 0x2F: "[", 0x30: "]", 0x31: "\\",0x32: "~", 0x33: ";", 0x34: "'", 0x36: ",", 0x37: "."}
nums = []
keys = open('D:\\wireshark\\333.txt')for i in keys:i = i.strip()line = ""for j in range(0, len(i), 2):line += i[j:j + 2] + ":"line = line[:len(line) - 1]# print(line)if line[0] != '0' or line[1] != '0' or line[3] != '0' or line[4] != '0' or line[9] != '0' or line[10] != '0' or \line[12] != '0' or line[13] != '0' or line[15] != '0' or line[16] != '0' or line[18] != '0' or line[19] != '0' or line[21] != '0' or line[22] != '0':continuenums.append(int(line[6:8], 16))keys.close()
output = ""
for n in nums:if n == 0:continueif n in mappings:output += mappings[n]else:output += '[unknown]'
print('output : ' + output)

5.获取信息
222.txt

output :     526172211A0700[unknown]C[unknown]F907300000D00000000000000C4527424943500300000002[unknown]A000000[unknown]02B9F9B0530778B5541D33080020000000666C61672[unknown]E[unknown]747874[unknown]B9B[unknown]A013242F3A[unknown]FC[unknown]000B092C229D6E994167C05[unknown]A7[unknown]8708B271F[unknown]FC[unknown]042AE3D251E65536[unknown]F9A[unknown]DA87C77406B67D0[unknown]E6316684766[unknown]A86E844D[unknown]C81AA2[unknown]C72C71348D10C4[unknown]C[DEL]3D7B[unknown]00400700

333.txt

output : 35C535765E50074A

6.发现52 61 72 21是rar文件头，将其中的[unknown]删除。再将C[DEL]删除，因为这里是按了del键删除C，最后将其转为flag.rar文件，解压后发现需要密码

7.将从333.txt获取的信息填入（小写）获取flag