ASK Me Again (dawgCTF 2025)

You’re given an SDR capture (ask.iq) containing an Amplitude‑Shift Keying (ASK)–modulated signal. Recover the binary stream, convert to ASCII and extract the flag.

Hint:

  • The file name ask.iq → ASK modulation.

  • “Isn’t binary a great way to represent ASCII characters?” → it’s just on/off keyed bits.

1. File Format & I/Q Reconstruction

  1. Determine sample format Try reading as 16‑bit signed integers—result: even number of samples, so it’s interleaved I/Q:

    import numpy as np

raw = np.fromfile('ask.iq', dtype=np.int16)
assert len(raw) % 2 == 0, "Expected interleaved I/Q pairs"

  2. De‑interleave & normalize

    i = raw[0::2].astype(np.float32)
q = raw[1::2].astype(np.float32)
# Normalize 16‑bit signed to ±1.0
iq = (i + 1j*q) / 32768.0

At this point, iq is a complex baseband signal where amplitude encodes our bits.

2. Envelope Detection

ASK = on/off carrier. Extract the instantaneous amplitude:

env = np.abs(iq)

A quick peek at its min/max confirms two plateaus—carrier‑off (0) vs carrier‑on (≈1.38).

3. Threshold Slicing

Slice that analog envelope into a raw 0/1 stream:

thresh = (env.max() + env.min()) / 2
bits_raw = env > thresh    # boolean array: True=1, False=0

Note: Without smoothing, you’ll see tiny 1–4 sample “blips” around every transition.

4. Suppress Jitter

To clean up those edge blips, apply a short moving average:

window = np.ones(100) / 100
env_sm = np.convolve(env, window, mode='same')
bits = env_sm > ((env_sm.max() + env_sm.min()) / 2)

From here on we work with bits, a much cleaner boolean stream.

5. Calculating Samples‑Per‑Bit = 480

  • SDR capture rate: 48 000 samples/sec

  • Suspected baud rate: ~100 bits/sec (common low‑speed ASK)

  • $\text{samples per bit (SPB)} = \frac{48,000}{100} = 480$

We hard‑code:

SPB = 480

6. Symbol Slicing & Majority Vote

Fold each block of 480 samples into one bit:

nbits = len(bits) // SPB
symbols = bits[:nbits*SPB].reshape(nbits, SPB)
decoded_bits = (symbols.mean(axis=1) > 0.5).astype(int)

Now decoded_bits is a clean array of 0/1 values—one per transmitted bit.

7. Pack into ASCII Bytes

  1. Truncate to a whole number of bytes:

    nbytes = len(decoded_bits) // 8
decoded_bits = decoded_bits[:nbytes*8]

  2. Group & convert (MSB first):

    chars = []
for i in range(nbytes):
    byte = decoded_bits[i*8:(i+1)*8]
    val  = int(''.join(str(b) for b in byte), 2)
    chars.append(chr(val))
message = ''.join(chars)
print("Flag:", message)

9. Full, Self‑Contained Script

Save this as decode_ask.py:

import numpy as np

def main():
    # 1) Read raw I/Q as int16
    raw = np.fromfile('ask.iq', dtype=np.int16)
    if len(raw) % 2 != 0:
        raise RuntimeError("Odd number of IQ samples")

    # 2) De‑interleave & normalize
    i = raw[0::2].astype(np.float32)
    q = raw[1::2].astype(np.float32)
    iq = (i + 1j*q) / 32768.0

    # 3) Envelope detect
    env = np.abs(iq)

    # 4) Smooth (optional)
    window = np.ones(100) / 100
    env = np.convolve(env, window, mode='same')

    # 5) Threshold slice
    thresh = (env.max() + env.min()) / 2
    bits = env > thresh

    # 6) Hard‑coded samples per bit
    SPB = 480
    print(f"Using SPB = {SPB} samples/bit")

    # 7) Fold & majority vote
    nbits = len(bits) // SPB
    symbols = bits[:nbits*SPB].reshape(nbits, SPB)
    decoded_bits = (symbols.mean(axis=1) > 0.5).astype(int)

    # 8) Truncate & ASCII pack
    nbytes = len(decoded_bits) // 8
    decoded_bits = decoded_bits[:nbytes*8]
    flag = ''.join(
        chr(int(''.join(str(b) for b in decoded_bits[i*8:(i+1)*8]), 2))
        for i in range(nbytes)
    )

    print("Decoded flag:", flag)

if __name__ == "__main__":
    main()

Run:

python decode_ask.py

Output:

Using SPB = 480 samples/bit
Decoded flag: DawgCTF{D3M0DUL4710N_1S_FUN}
PreviousDeleted Evidence (TexSaw 2025)NextSelfie Memory (N0PSctf 2025)