[英]Checksum/CRC reverse engineering of Microsoft NDIS packet
I am trying to decode a 42-byte packet which seems to include 2-byte CRC / checksum field我正在尝试解码似乎包含 2 字节 CRC / 校验和字段的 42 字节数据包
This is a Microsoft NDIS packet (type IPX) which is sent in HLK (WHQL) tests这是在 HLK (WHQL) 测试中发送的 Microsoft NDIS 数据包(IPX 类型)
I have decoded most parts of the NDIS header but I can't seem to figure out the CRC/Checksum algorithm我已经解码了 NDIS 标头的大部分内容,但我似乎无法弄清楚 CRC/校验和算法
Sample of a 45-byte packet (just to explain the decoded fields):一个 45 字节数据包的示例(只是为了解释解码的字段):
char packet_bytes[] = {
0x02, 0xe4, 0x55, 0xee, 0x12, 0x56, 0x02, 0x93,
0x19, 0x40, 0x89, 0x00, 0x00, 0x1f, 0xaa, 0xaa,
0x03, 0x00, 0x00, 0x00, 0x81, 0x37, 0x4e, 0x44,
0x49, 0x53, 0x01, 0x49, 0x03, 0x00, 0x98, 0xd4,
0x58, 0x55, 0x25, 0xf5, 0x39, 0x00, 0x14, 0x00,
0x00, 0x00, 0x49, 0x4a, 0x4b
};
Raw: 02e455ee1256029319408900001faaaa0300000081374e4449530149030098d4585525f5390014000000494a4b
Decoded fields:解码字段:
802.2 ethernet header: (Wireshark decoding)
02e455ee1256 : Destination
029319408900 : Source
001f : Length
Logical_link Control: (Wireshark decoding)
aa : DSAP
aa : SSAP
03 : Control
000000 : Organization
8137 : Type (Netware IPX/SPX)
NDIS header: (my estimation for NDIS decoded fields)
4e444953 : NDIS ascii String ("NDIS")
01 : Unknown
49 : payload counter start (first byte of payload, with increasing value afterwards)
0300 : Payload length ( = 0003)
98d4 : test identification number (equal on all packets of the same test)
5855 : Assumed to be checksum
25f53900 : Packet counter ( = 0039f525, Increases gradually per packet)
14000000 : Payload offset ( = 00000014), offset from start of NDIS header to start of payload
494a4b : Payload (3 bytes of increasing counter 49,4a,4b)
To try to understand the checksum algorithm with minimal packet bytes, I've captured the minimal packets size (42 bytes)为了尝试以最少的数据包字节理解校验和算法,我捕获了最小数据包大小(42 字节)
Those packets include the headers above but without payload at all这些数据包包括上面的标头,但根本没有有效负载
And tried to reverse eng them using reveng CRC decoder which fail to find any known CRC algorithm并尝试使用无法找到任何已知 CRC 算法的reveng CRC 解码器来反转它们
Sample 42-byte packets:示例 42 字节数据包:
02e455ee1256029319408900001caaaa0300000081374e444953016b000098d495262502000014000000
02e455ee1256029319408900001caaaa0300000081374e44495301a2000098d481ef3802000014000000
02e455ee1256029319408900001caaaa0300000081374e4449530152000098d47f3f3b02000014000000
02e455ee1256029319408900001caaaa0300000081374e44495301d0000098d476c14302000014000000
02e455ee1256029319408900001caaaa0300000081374e44495301f7000098d4539a6602000014000000
02e455ee1256029319408900001caaaa0300000081374e44495301b6000098d444db7502000014000000
02e455ee1256029319408900001caaaa0300000081374e44495301a6000098d431eb8802000014000000
02e455ee1256029319408900001caaaa0300000081374e444953016a000098d40627b402000014000000
Reverse eng the CRC:反向工程 CRC:
reveng.exe -w 16 -s 02e455ee1256029319408900001caaaa0300000081374e444953016b000098d495262502000014000000 02e455ee1256029319408900001caaaa0300000081374e44495301a2000098d481ef3802000014000000 02e455ee1256029319408900001caaaa0300000081374e4449530152000098d47f3f3b02000014000000 02e455ee1256029319408900001caaaa0300000081374e44495301d0000098d476c14302000014000000 02e455ee1256029319408900001caaaa0300000081374e44495301f7000098d4539a6602000014000000 02e455ee1256029319408900001caaaa0300000081374e44495301b6000098d444db7502000014000000 02e455ee1256029319408900001caaaa0300000081374e44495301a6000098d431eb8802000014000000 02e455ee1256029319408900001caaaa0300000081374e444953016a000098d40627b402000014000000
reveng.exe: no models found
Tried reverse eng only the NDIS header part:仅尝试反向工程 NDIS 标头部分:
4e444953016b000098d495262502000014000000
4e44495301a2000098d481ef3802000014000000
4e4449530152000098d47f3f3b02000014000000
4e44495301d0000098d476c14302000014000000
4e44495301f7000098d4539a6602000014000000
4e44495301b6000098d444db7502000014000000
4e44495301a6000098d431eb8802000014000000
4e444953016a000098d40627b402000014000000
reveng.exe -w 16 -s 4e444953016b000098d495262502000014000000 4e44495301a2000098d481ef3802000014000000 4e4449530152000098d47f3f3b02000014000000 4e44495301d0000098d476c14302000014000000 4e44495301f7000098d4539a6602000014000000 4e44495301b6000098d444db7502000014000000 4e44495301a6000098d431eb8802000014000000 4e444953016a000098d40627b402000014000000
reveng.exe: no models found
Any help would be appreciated.任何帮助,将不胜感激。
This seems to be the Internet Checksum , described in RFC 1071 , calculated over the NDIS header part of the packet.这似乎是RFC 1071中描述的Internet 校验和,通过数据包的NDIS 标头部分计算得出。
In short, you need to add up all of the header contents (except the 16-bit checksum field itself) as 16-bit values, then add the carries (if any) to the least significant 16 bits of the result (thus forming the one's complement sum), and finally, calculate one's complement of this one's complement sum by inverting all bits.简而言之,您需要将所有标头内容(除了 16 位校验和字段本身)作为 16 位值相加,然后将进位(如果有)添加到结果的最低有效 16 位(从而形成一个补码和),最后,通过反转所有位来计算这个补码和的一个补码。
For the example packet you listed, the manual calculation steps would be the following.对于您列出的示例数据包,手动计算步骤如下。
02e455ee1256029319408900001faaaa0300000081374e4449530149030098d4585525f5390014000000494a4b
4e4449530149030098d4585525f5390014000000
4e44
4953
0149
0300
98d4
5855
25f5
3900
1400
0000
4e44
4953
0149
0300
98d4
0000
25f5
3900
1400
0000
1A7A9
A7A9
and the arithmetic carry is 1
.A7A9
并且算术进位是1
。 So, add these together (as 16-bit words), to form the so-called one's complement sum: 0001
+ A7A9
= A7AA
~ A7AA
= 5855
4e44
4953
0149
0300
98d4
5855
25f5
3900
1400
0000
If you only want to check the checksum, do the following.如果您只想检查校验和,请执行以下操作。
4e44
4953
0149
0300
98d4
5855
25f5
3900
1400
0000
1FFFE
0001
+ FFFE
= FFFF
If all the bits of the result are 1
(ie, if the result is FFFF
), the check is successful.如果结果的所有位都是
1
(即,如果结果是FFFF
),则检查成功。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.