
Analysing the structure of a binary protocol with Python

2017-09-23 18:01 585 views
Keywords: circuit board, protocol, binary, reverse engineering

The three elements of protocol design are syntax, semantics and timing. See 《协议规范挖掘综述》 (A Survey of Protocol Specification Mining).


1. Search for fixed fields and frequent sequences

Segment the data stream to solve the frame delimiting problem.


2. Data mining: feature sequences and type identifiers

String pattern matching: the brute-force (BF) algorithm, the KMP algorithm, etc.

Statistically filter all candidate feature sequences.



3. Association rules

Use the Apriori algorithm to discover rules.
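The three steps above carried through on a constructed byte stream, as an added example that is not the post's own code: the most frequent 2-byte sequence is taken as the frame header (step 1), the stream is cut at it, and a per-position profile marks which bytes are constant and which vary (step 2). The sample frames, the leading noise bytes and the function names are assumptions made for this example.

```python
from collections import Counter
# Constructed sample (not captured traffic): four frames with the header 1B C1
# seen in the post's output, varying payload bytes, two bytes of leading noise.
FRAMES = [
    bytes.fromhex("1B C1 01 10 A0 55 D4 F8"),
    bytes.fromhex("1B C1 02 11 A0 56 D4 F9"),
    bytes.fromhex("1B C1 03 12 A0 57 D4 FA"),
    bytes.fromhex("1B C1 01 10 A0 55 D4 F8"),  # repeat of the first frame
]
STREAM = b"\x00\x00" + b"".join(FRAMES)

def frequent_ngrams(stream, n, top=3):
    """Step 1: count every n-byte window of the stream; a fixed header shows
    up as the most frequent sequence. Returns [(ngram, count), ...]."""
    windows = (stream[i:i + n] for i in range(len(stream) - n + 1))
    return Counter(windows).most_common(top)

def split_frames(stream, marker):
    """Step 1: cut the stream at every occurrence of the marker; bytes before
    the first marker are dropped and each frame keeps its marker."""
    starts = []
    pos = stream.find(marker)
    while pos != -1:
        starts.append(pos)
        pos = stream.find(marker, pos + 1)
    starts.append(len(stream))
    return [stream[a:b] for a, b in zip(starts, starts[1:])]

def to_hex(frame):
    return " ".join("%02X" % b for b in frame)

def field_profile(frames):
    """Step 2: per byte position, keep the value if every frame agrees and
    write '--' where it varies. Assumes fixed-length frames (the post's
    alignment script is the tool for variable-length ones)."""
    width = min(len(f) for f in frames)
    cols = []
    for k in range(width):
        values = {f[k] for f in frames}
        cols.append("%02X" % values.pop() if len(values) == 1 else "--")
    return " ".join(cols)

if __name__ == "__main__":
    header, count = frequent_ngrams(STREAM, 2)[0]
    frames = split_frames(STREAM, header)
    print("header %s seen %d times, %d frames" % (to_hex(header), count, len(frames)))
    print("field profile:", field_profile(frames))
    for text, n in Counter(to_hex(f) for f in frames).items():
        print(text, "counts:", n)
```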

Packet structure field analysis script:

import re

commands_uniq = {}   # alignment template -> number of times it was produced
dict_cache = []      # templates seen so far, in first-seen order


def Needleman_Wunsch(str1, str2):
    global dict_cache
    global commands_uniq

    if str1 == '' or str2 == '':
        return ''
    # string lengths
    m = len(str1)
    n = len(str2)
    # initialise the score matrix: row 0 and column 0 hold the gap penalties
    lcs = [[i * (-2)] for i in range(0, m + 1)]
    lcs[0] = [j * (-2) for j in range(0, n + 1)]
    # fill the matrix: match +1, mismatch -1, gap -2
    for i in range(m):
        for j in range(n):
            lcs[i + 1].append(
                max(
                    lcs[i][j] + (1 if str1[i] == str2[j] else -1),
                    lcs[i][j + 1] - 2,
                    lcs[i + 1][j] - 2,
                )
            )

    # traceback from the bottom-right cell; i and j index the matrix,
    # so the characters belonging to cell (i, j) are str1[i-1] and str2[j-1]
    i = m
    j = n
    common_substr1 = ''
    common_substr2 = ''
    while i > 0 or j > 0:
        diag = (1 if i > 0 and j > 0 and str1[i - 1] == str2[j - 1] else -1)
        if i > 0 and j > 0 and lcs[i][j] == lcs[i - 1][j - 1] + diag:
            i = i - 1
            j = j - 1
            common_substr1 = str1[i] + common_substr1
            common_substr2 = str2[j] + common_substr2
        elif i > 0 and lcs[i][j] == lcs[i - 1][j] - 2:
            i = i - 1
            common_substr1 = str1[i] + common_substr1
            common_substr2 = '-' + common_substr2
        else:
            j = j - 1
            common_substr1 = '-' + common_substr1
            common_substr2 = str2[j] + common_substr2
    #print(common_substr1)
    #print(common_substr2)

    # build the template: where the aligned frames differ write '-',
    # but keep a space if either side has one so byte boundaries survive
    len1 = min(len(common_substr1), len(common_substr2))
    for k in range(0, len1):
        if common_substr1[k] != common_substr2[k]:
            if common_substr1[k] == ' ' or common_substr2[k] == ' ':
                common_substr1 = common_substr1[:k] + ' ' + common_substr1[k + 1:]
            else:
                common_substr1 = common_substr1[:k] + '-' + common_substr1[k + 1:]

    # count how often each template occurs
    x = common_substr1
    if x not in dict_cache:
        dict_cache.append(x)
        commands_uniq[x] = 1
    else:
        commands_uniq[x] += 1
    return x


def analyzefeature(datalist):
    global commands_uniq
    print(" datalist length: %d" % len(datalist))
    for j in range(0, len(datalist) - 2):
        # collapse runs of whitespace so a single space separates hex bytes
        command1 = re.sub(r'\s+', ' ', datalist[j]).strip()
        command2 = re.sub(r'\s+', ' ', datalist[j + 1]).strip()
        Needleman_Wunsch(command1, command2)

        command3 = re.sub(r'\s+', ' ', datalist[j + 2]).strip()
        Needleman_Wunsch(command1, command3)

    print(" \n longest match -- \n ")
    for d, x in commands_uniq.items():
        print(d, "counts: ", x)

    return 0
datalist holds the binary frames of the protocol, one frame per entry written as space-separated hex bytes.

Example analysis result:

datalist length: 73

longest match --

1B C1 -2 06 -4 0- -4 04 04 54 -- -- D- -- -- counts: 20
1B C1 92 06 34 04 04 04 54 D4 F8 counts: 120
1B C1 -- 0- -4 -- -- -- -- -- -- -- -D -- -4 -- -- -- counts: 2

References

曾令元, 《面向比特流数据的无人机测控协议逆向解析》 (Reverse Parsing of UAV Telemetry and Control Protocols from Bit-Stream Data), .caj file
Tags: python, binary, structure