
Russell_Moore_8
May 10, 2012

ActiveSync Windows Phone query decode

I used the following rule to decode and locate the Windows Phone device ID for access control to an ActiveSync/OWA service. The AS protocol allows the query to be plain text or base64 encoded hex. If you search Google for base64 ActiveSync you'll find the specification for this query method.



This rule works but I am studying it for optimization as I find it a bit ugly myself.


Feedback welcome! (The following code may contain snippets from other contributors for which I do not take credit but thank those contributors)





    when HTTP_REQUEST {
        # create variable to contain the query string
        set string_b64encoded [HTTP::query]

        # test the contents of the query string to see if it is base64 and if so place the content
        # in a variable
        if { [catch {b64decode $string_b64encoded} string_b64decoded] == 0 and $string_b64decoded ne "" } {
            # scan the decoded content for the Device ID length
            # the "x4H2" format says to move forward 4 bytes and select the next 2 places
            # as HEX and put them in variable IDlenHEX
            binary scan $string_b64decoded x4H2 IDlenHEX

            # convert HEX to decimal
            scan $IDlenHEX %x IDlenDEC

            # multiply by two to get the correct character count
            set IDlen [expr {$IDlenDEC * 2}]

            # knowing the DeviceID starts at the 6th pair we move "x5" to that starting place
            # then select "H$IDlen" to put in variable HEXdeviceID
            binary scan $string_b64decoded x5H$IDlen HEXdeviceID

            # try to match the found ID to a data group of allowed IDs
            if { [matchclass $HEXdeviceID contains allowHEXdeviceIDs] } {
                pool ASOWA.example.com_443
                log local0. "Found ALLOWED Hexadecimal DeviceID: $HEXdeviceID"
            } else {
                log local0. "Found DENIED Hexadecimal DeviceID: $HEXdeviceID"
            }
        }
    }
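The same decode can be checked offline against a captured query string. This is an added example, not part of the original post or the poster's rule: the function names and sample queries are constructed, the field names follow the MS-ASHTTP base64 query layout, and it matches the device ID exactly rather than with the rule's `contains`, rejecting a length byte that runs past the decoded data.

```python
import base64
import binascii

# Constructed samples: version 121, command 13, two locale bytes, then the
# device ID length byte and the ID. TRUNCATED claims 16 ID bytes but carries 2.
SAMPLE_QUERY = base64.b64encode(
    bytes([121, 13, 0x09, 0x04, 4]) + bytes.fromhex("a1b2c3d4") + b"\x00\x02WP"
).decode()
TRUNCATED_QUERY = base64.b64encode(
    bytes([121, 13, 0x09, 0x04, 16]) + b"\x01\x02"
).decode()
PLAIN_QUERY = "Cmd=Sync&DeviceId=abc"  # constructed plain-text form of the query


def parse_activesync_query(query):
    """Return the header fields of a base64-encoded ActiveSync query."""
    try:
        raw = base64.b64decode(query, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("query is not base64 (plain-text form?)") from exc

    # Header: version(1) command(1) locale(2) device-ID length(1) = 5 bytes,
    # the same offsets the iRule reaches with x4H2 and x5H$IDlen.
    if len(raw) < 5:
        raise ValueError("decoded query is shorter than the 5-byte header")
    id_len = raw[4]
    device_id = raw[5:5 + id_len]
    if len(device_id) != id_len:
        raise ValueError("device ID length byte exceeds the remaining data")
    return {
        "protocol_version": raw[0],
        "command_code": raw[1],
        "device_id_hex": device_id.hex(),
    }


def is_allowed(query, allowed_hex_ids):
    """Exact-match the device ID against the allow list; deny on parse errors."""
    try:
        device_id = parse_activesync_query(query)["device_id_hex"]
    except ValueError:
        return False
    return device_id in allowed_hex_ids


if __name__ == "__main__":
    print(parse_activesync_query(SAMPLE_QUERY), is_allowed(SAMPLE_QUERY, {"a1b2c3d4"}))
```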











11 Replies