M0dBu5

Adarsh Kumar
1 min read · Mar 20, 2024

Description

We intercepted a communication from a Modbus master to a slave on the RS485 bus, given below. Your goal is to craft the response packet the slave would send, carrying 73 (decimal) as the slave data.

The master's request is 05-02-00-00-00-01-85-BD.

Flag format: flag{XX-XX-XX-XX-XX-XX} or flag{XX-XX-XX-XX-XX-XX-XX}

Solution

This is a Modbus RTU frame (the serial variant: no transport header, CRC at the end). Reading it field by field against the Modbus specification:

  • 05: Slave (unit) address
  • 02: Function code. In the specification 0x02 is Read Discrete Inputs; Read Holding Registers is 0x03. The challenge nevertheless expects the register-style reply below, so the function code is simply echoed back.
  • 00 00: Starting address, big-endian, counting from 0
  • 00 01: Quantity to read, big-endian: one item starting at that address
  • 85 BD: CRC-16/MODBUS over the preceding bytes, transmitted low byte first

The slave's answer mirrors the address and function code, then carries a byte count and the data, followed by a fresh CRC over the reply:

  • 05-02-02-00-49-89-8E
  • 05: Slave (unit) address, echoed from the request
  • 02: Function code, echoed from the request
  • 02: Byte count: one 16-bit register is 2 data bytes
  • 00 49: The register value, big-endian, 0x0049 = 73 decimal
  • 89 8E: CRC-16/MODBUS over 05 02 02 00 49, low byte first (the CRC value is 0x8E89)

To calculate the CRC, use any online CRC-16/MODBUS calculator (initial value 0xFFFF, reflected polynomial 0xA001, no final XOR) or the script below. Note the byte order: the 16-bit result goes on the wire low byte first.

def ModRTU_CRC(buf):
    # CRC-16/MODBUS: start at 0xFFFF, XOR in each byte, then shift right 8 times,
    # applying the reflected polynomial 0xA001 whenever a 1 bit is shifted out.
    crc = 0xFFFF
    for byte in buf:
        crc ^= byte
        for _ in range(8):
            if crc & 0x0001:
                crc >>= 1
                crc ^= 0xA001
            else:
                crc >>= 1
    return crc


if __name__ == "__main__":
    user_input = input("Enter the buffer in the format xx-xx-xx-...: ")
    buf = [int(byte, 16) for byte in user_input.split('-')]
    crc = ModRTU_CRC(buf)
    # Print low byte first, which is the order the bytes are appended to the frame.
    print("crc: {:02X} {:02X}".format(crc & 0xFF, (crc >> 8) & 0xFF))
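The script above only produces a CRC. The steps a practitioner actually goes through on a captured RTU frame are: parse it, check its CRC before trusting it, decode the request fields, and build a reply whose CRC is computed over the reply bytes, not the request. The following is an added example written for this page, not the post's own script, that does all four and reproduces the flag from the values above. Everything in it is standard CRC-16/MODBUS arithmetic; the function-code names are the ones from the Modbus specification, and the `parse_hex`, `decode_read_request` and `build_register_response` helper names are this example's own choices. Run against the master request exactly as transcribed in this post, the CRC check fails: CRC-16/MODBUS over 05 02 00 00 00 01 is 0x4EB8, which would appear on the wire as B8 4E, not 85 BD, so the request bytes as printed here should not be taken as a reference vector for the algorithm. The reply's CRC, 89 8E, does verify.

```python
# Added example for this writeup (not the original post's script): verify, decode and
# answer a Modbus RTU read request. The input frames below are transcribed from the
# challenge text and are constructed test data, not a live capture.
import struct
from typing import List

# Function-code names from the Modbus application protocol specification.
FUNCTION_NAMES = {
    0x01: "Read Coils",
    0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers",
    0x04: "Read Input Registers",
}


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: init 0xFFFF, reflected polynomial 0xA001, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc


def append_crc(pdu: bytes) -> bytes:
    """Append the CRC low byte first, which is how Modbus RTU puts it on the wire."""
    return pdu + struct.pack("<H", crc16_modbus(pdu))


def check_crc(frame: bytes) -> bool:
    """True if the trailing two bytes are the CRC of everything before them."""
    if len(frame) < 4:  # address + function + 2 CRC bytes is the smallest frame
        return False
    return struct.unpack("<H", frame[-2:])[0] == crc16_modbus(frame[:-2])


def parse_hex(text: str) -> bytes:
    """Parse the challenge's 'xx-xx-xx' notation (spaces also accepted) into bytes."""
    return bytes(int(b, 16) for b in text.replace(" ", "-").split("-") if b)


def decode_read_request(frame: bytes) -> dict:
    """Decode a read request (function codes 1-4): all have the same 6-byte layout
    unit, function, start address (big-endian), quantity (big-endian), then CRC."""
    unit, func, start, qty = struct.unpack(">BBHH", frame[:6])
    return {
        "unit": unit,
        "function": func,
        "function_name": FUNCTION_NAMES.get(func, "unknown"),
        "start": start,
        "quantity": qty,
        "crc_ok": check_crc(frame),
    }


def build_register_response(unit: int, func: int, values: List[int]) -> bytes:
    """Register-style reply: unit, echoed function code, byte count, 16-bit big-endian
    values, CRC over the reply bytes. This is the layout the challenge accepts."""
    data = b"".join(struct.pack(">H", v & 0xFFFF) for v in values)
    return append_crc(bytes([unit, func, len(data)]) + data)


def to_flag(frame: bytes) -> str:
    """Render a frame in the flag{XX-XX-...} format used by the challenge."""
    return "flag{" + "-".join(f"{b:02X}" for b in frame) + "}"


# Constructed inputs: the master request as transcribed in the writeup, and the reply
# built from the values the challenge asks for (slave 5, function 2, data 73).
REQUEST = parse_hex("05-02-00-00-00-01-85-BD")
RESPONSE = build_register_response(0x05, 0x02, [73])

if __name__ == "__main__":
    req = decode_read_request(REQUEST)
    print("request:", req)
    print("request with recomputed CRC:", append_crc(REQUEST[:-2]).hex("-").upper())
    print("response:", RESPONSE.hex("-").upper(), "crc valid:", check_crc(RESPONSE))
    print(to_flag(RESPONSE))
```

The split between `append_crc` and `check_crc` is deliberate: a slave implementation validates the CRC on every inbound frame and silently drops failures (the RTU spec has no NAK for a bad CRC), and only then decodes the fields. Computing the reply's CRC over the reply bytes rather than reusing the request's is the detail this challenge is really testing.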

Flag

flag{05-02-02-00-49-89-8E}


Written by Adarsh Kumar

I'm Adarsh. Cyber-security student,CTF player . Team TheWiz( @thewizx01 )
