-
-
[原创]看雪CTF.TSRC 2018 团队赛 第八题 二向箔
-
2018-12-17 11:22 2665
-
看雪CTF.TSRC 2018 团队赛 第八题 二向箔
没什么时间,暂时先写点,如果有空的话。。。。
##初识
初看程序很“正常”,主流程清晰,输入72字节,unhex后的36字节分两个部分进行分别校验,这种明了的控制台程序让人看了感觉很舒服,典型做题人的懒人心理,如下:
int mainroutine()
{
char l_input[260]; // [esp+0h] [ebp-130h]
char l_unhex_input[36]; // [esp+104h] [ebp-2Ch]
char v3; // [esp+128h] [ebp-8h]
while ( 1 )
{
*(_DWORD *)l_unhex_input = 0;
*(_DWORD *)&l_unhex_input[4] = 0;
*(_DWORD *)&l_unhex_input[8] = 0;
*(_DWORD *)&l_unhex_input[12] = 0;
*(_DWORD *)&l_unhex_input[16] = 0;
*(_DWORD *)&l_unhex_input[20] = 0;
*(_DWORD *)&l_unhex_input[24] = 0;
*(_DWORD *)&l_unhex_input[28] = 0;
*(_DWORD *)&l_unhex_input[32] = 0;
v3 = 0;
printf("\nInput RegCode:");
memset(l_input, 0, 0x101u);
scanf("%245s", l_input);
if ( check_format_and_unhex(l_input, l_unhex_input) == 36
&& check_part1((int)l_unhex_input)
&& check_part2((unsigned int *)&l_unhex_input[16]) )
{
break;
}
printf("\n Wrong, Plz Try Again...\n");
}
printf("\n Good!\n");
return getch();
}
part1
这部分校验是通过复数计算实现的,背后的数学意义不知,也别再和我谈数学,头疼。
代码比较乱,就不上了。大致过程是:16字节输入矩阵点乘包含16个复数元素的常量矩阵A后进行变换,接着再点乘常量矩阵B后进行变换,结果与常量比较,可以参照反解代码。
def decomp1(m_a):
m_a = [x*4 for x in m_a]
for i in range(4):
tmp = m_a[i+4]
m_a[i+4] = m_a[i+8]
m_a[i+8] = tmp
tmp = m_a[i]
m_a[i] = (m_a[i]+m_a[i+4])/2
m_a[i+4] = tmp-m_a[i]
tmp = m_a[i+8]
m_a[i+8] = (m_a[i+8]+m_a[i+12])/2
m_a[i+12] = tmp-m_a[i+8]
tmp = m_a[i]
m_a[i] = (m_a[i]+m_a[i+8])/2
m_a[i+8] = tmp-m_a[i]
tmp = m_a[i+4]
# m_a[i+4] = (m_a[i+4]+m_a[i+12]/(2.489659051495416e-11+1j))/2
m_a[i+4] = (m_a[i+4]+m_a[i+12]*-1j)/2
m_a[i+12] = tmp-m_a[i+4]
m_a = [x*4 for x in m_a]
for i in range(4):
tmp = m_a[4*i+1]
m_a[4*i+1] = m_a[4*i+2]
m_a[4*i+2] = tmp
tmp = m_a[4*i]
m_a[4*i] = (m_a[4*i]+m_a[i*4+1])/2
m_a[4*i+1] = tmp-m_a[4*i]
tmp = m_a[4*i+2]
m_a[4*i+2] = (m_a[4*i+2]+m_a[i*4+3])/2
m_a[4*i+3] = tmp-m_a[4*i+2]
tmp = m_a[4*i]
m_a[4*i] = (m_a[4*i]+m_a[i*4+2])/2
m_a[4*i+2] = tmp-m_a[4*i]
tmp = m_a[4*i+1]
# m_a[4*i+1] = (m_a[4*i+1]+m_a[i*4+3]/(2.489659051495416e-11+1j))/2
m_a[4*i+1] = (m_a[4*i+1]+m_a[i*4+3]*-1j)/2
m_a[4*i+3] = tmp-m_a[4*i+1]
return m_a
def decomp2(m_a):
for i in range(4):
tmp = m_a[4*i+1]
m_a[4*i+1] = m_a[4*i+2]
m_a[4*i+2] = tmp
tmp = m_a[4*i]
m_a[4*i] = (m_a[4*i]+m_a[i*4+1])/2
m_a[4*i+1] = tmp-m_a[4*i]
tmp = m_a[4*i+2]
m_a[4*i+2] = (m_a[4*i+2]+m_a[i*4+3])/2
m_a[4*i+3] = tmp-m_a[4*i+2]
tmp = m_a[4*i]
m_a[4*i] = (m_a[4*i]+m_a[i*4+2])/2
m_a[4*i+2] = tmp-m_a[4*i]
tmp = m_a[4*i+1]
# m_a[4*i+1] = (m_a[4*i+1]+m_a[i*4+3]/(2.489659051495416e-11-1j))/2
m_a[4*i+1] = (m_a[4*i+1]+m_a[i*4+3]*1j)/2
m_a[4*i+3] = tmp-m_a[4*i+1]
for i in range(4):
tmp = m_a[i+4]
m_a[i+4] = m_a[i+8]
m_a[i+8] = tmp
tmp = m_a[i]
m_a[i] = (m_a[i]+m_a[i+4])/2
m_a[i+4] = tmp-m_a[i]
tmp = m_a[i+8]
m_a[i+8] = (m_a[i+8]+m_a[i+12])/2
m_a[i+12] = tmp-m_a[i+8]
tmp = m_a[i]
m_a[i] = (m_a[i]+m_a[i+8])/2
m_a[i+8] = tmp-m_a[i]
tmp = m_a[i+4]
# m_a[i+4] = (m_a[i+4]+m_a[i+12]/(2.489659051495416e-11-1j))/2
m_a[i+4] = (m_a[i+4]+m_a[i+12]*1j)/2
m_a[i+12] = tmp-m_a[i+4]
return m_a
def de_part1():
check_table =[[ 89.29755308453579,-79.17379644565403],
[-111.2163512360939, 2.214913370549852],
[ 58.53994866406929, 29.06501356902275],
[ 50.10366738039983, 43.81443778796614],
[-38.57218738982585,-6.003177682012292],
[ 95.28512164227500, 23.93090391296341],
[ 126.2134704052789,-55.13922097302165],
[ 40.52291517137797, 21.22526960238724],
[ 3.958915911257385, 13.81283030051250],
[ 64.70049327204174,-11.21899032986361],
[ 69.33635962322674, 37.77305291719599],
[ 49.80532876967061, 1.042567029449955],
[ 7.814589741286500, 29.57759317220326],
[ 8.137180677718944, 11.51468293321896],
[-6.034516127726973,-8.093284855693909],
[ 25.53885330339410, 1.665054146893387],]
m_table1 = [[ 0.6276739465982339, -0.7784763430970765],
[-0.9635532393515180, 0.2675166442208714],
[ 1.000000000000000,-2.449293598294706e-16],
[ 1.000000000000000, 0.0],
[-0.9635532393515180, 0.2675166442208714],
[ 1.000000000000000, 0.0],
[ 0.7316273320795593, -0.6817048092496826],
[ 0.9954095040352868, -0.09570746719156304],
[ 1.000000000000000,-2.449293598294706e-16],
[ 0.7316273320795593, -0.6817048092496826],
[ 0.9393388792184448, 0.3429904809009075],
[ 0.9993790498804484, 0.03523513388724686],
[ 1.000000000000000, 0.0],
[ 0.9954095040352868, -0.09570746719156304],
[ 0.9993790498804484, 0.03523513388724686],
[ 0.9338385710183578, -0.3576947347647030],]
m_table2 = [[ 0.8872448700399544, 0.4612987541580664],
[ 1.000000000000000,-2.449293598294706e-16],
[ 1.000000000000000, 0.0],
[ 0.8661842563768241, 0.4997247582469054],
[ 1.000000000000000,-2.449293598294706e-16],
[ 0.8661842563768241, 0.4997247582469054],
[ 0.9985971885883368, 0.05294955092793100],
[ 0.9953266793156614, -0.09656501148168592],
[ 1.000000000000000, 0.0],
[ 0.9985971885883368, 0.05294955092793100],
[ 0.9945026452220342, 0.1047114542272075],
[ 0.9878936003329052, 0.1551329572376227],
[ 0.8661842563768241, 0.4997247582469054],
[ 0.9953266793156614, -0.09656501148168592],
[ 0.9878936003329052, 0.1551329572376227],
[ 0.7738490104360864, 0.6333701201091584],]
pos_table = [0,9,2,11,15,4,13,6,10,3,8,1,5,14,7,12]
check_a = []
m_a1 = []
m_a2 = []
for r,v in check_table:
check_a.append(r+v*1.j)
for r,v in m_table1:
m_a1.append(r+v*1.j)
for r,v in m_table2:
m_a2.append(r+v*1.j)
m_a1 = np.array(m_a1)
m_a2 = np.array(m_a2)
check_a = np.array(check_a)
check_a = decomp1(check_a)
check_a = check_a/m_a2
check_a = decomp2(check_a)
check_a = check_a/m_a1
# print check_a
part1 = [0]*16
for i,p in enumerate(pos_table):
part1[i] = chr(int(round(abs(check_a[p]))))
print ''.join(part1).encode('hex').upper()
part2
这部分流程如下:
BOOL __cdecl check_part2(unsigned int *a1)
{
unsigned int v1; // edx
unsigned int v2; // ecx
unsigned int v3; // edx
unsigned int v4; // eax
char *v5; // ebx
BOOL result; // eax
void *v7; // edi
int v8; // esi
signed int v9; // eax
int a5; // [esp+4h] [ebp-70h]
char tea_key[16]; // [esp+8h] [ebp-6Ch]
char part2[20]; // [esp+18h] [ebp-5Ch]
char aes_result[16]; // [esp+30h] [ebp-44h]
char aes_key[32]; // [esp+40h] [ebp-34h]
char part2_check[16]; // [esp+60h] [ebp-14h]
v1 = a1[1];
aes_key[20] = 0x6D;
*(_DWORD *)part2 = 0;
*(_DWORD *)&part2[5] = 0;
*(_DWORD *)&part2[9] = 0;
*(_DWORD *)&part2[13] = 0;
*(_DWORD *)&part2[17] = 0;
*(_DWORD *)part2 = *a1;
v2 = a1[2];
*(_DWORD *)&part2[4] = v1;
v3 = a1[3];
v4 = a1[4];
*(_DWORD *)&part2[8] = v2;
*(_DWORD *)&part2[16] = v4;
strcpy(tea_key, "goodLuck7777777");
*(_DWORD *)&part2[12] = v3;
*(_DWORD *)aes_key = 0xD4CF6E7E;
*(_DWORD *)&aes_key[4] = 0x274BBC92;
*(_DWORD *)&aes_key[8] = 0x65F2CFC0;
*(_DWORD *)&aes_key[12] = 0xD1493C6D;
*(_DWORD *)&aes_key[16] = 0xA845B1AA;
*(_DWORD *)&aes_key[21] = 0xDFC19B75;
*(_DWORD *)&aes_key[25] = 0x8DDD6075;
*(_WORD *)&aes_key[29] = 0x13DD;
aes_key[31] = 0xDAu;
*(_DWORD *)part2_check = 0x9A4A4BA5;
*(_DWORD *)&part2_check[4] = 0xA28A49C5;
*(_DWORD *)&part2_check[8] = 0x56C5A462;
*(_DWORD *)&part2_check[12] = 0xA65A522D;
a5 = 0x14;
v5 = j_tea_decrypt((int)part2, 20, tea_key, strlen(tea_key), (int)&a5);
result = 0;
if ( v5 )
{
*(_DWORD *)aes_result = 0;
*(_DWORD *)&aes_result[4] = 0;
*(_DWORD *)&aes_result[8] = 0;
*(_DWORD *)&aes_result[12] = 0;
v7 = malloc(0xF0u);
key_expand((int)aes_key, (int)v7);
aes_decrypt((int)v5, v5, (int)aes_result, (int)v7);
v8 = 0;
v9 = 0;
do
{
if ( part2_check[v9] == aes_result[v9] )
++v8;
if ( part2_check[v9 + 1] == aes_result[v9 + 1] )
++v8;
if ( part2_check[v9 + 2] == aes_result[v9 + 2] )
++v8;
if ( part2_check[v9 + 3] == aes_result[v9 + 3] )
++v8;
v9 += 4;
}
while ( v9 < 16 );
free(v5);
free(v7);
result = v8 == 16;
}
return result;
}
似乎过程也很明了。经过unhex后的20字节,先进行魔改tea解密,再进行魔改aes解密,最后进行常量校验。
但是做题做到aes_decrypt函数里,发现里面有函数调用被非常大量的混淆代码替代了,有点痛苦。暂且不说。先把魔改tea搞定。
魔改tea解密后还有个细节,解密后第5个int数在[14,16]范围内,对应长度的解密结果被copy加填充后进行后面的魔改aes解密。魔改tea的加密解用py实现如下:
def u32(b_str):
result = []
n = (len(b_str)+3)/4
n1 = len(b_str)%4
if n1:
n1 = 4 - n1
b_str += '\x00'*n1
result = list(struct.unpack('I'*n,b_str))
return result
def p32(l_num):
result = ''
for i in l_num:
result += struct.pack('I',i)
return result
def tea_en_group():
delta = 0x9E3779B9
sum = delta
key = 'goodLuck7777777'
key = u32(key)
d = u32('F7D23456CE34BA18714DAA40DBE2AD4710'.decode('hex'))
for i in range(16):
tmp = d[4]
for j in xrange(4):
d[j] += (((d[j+1] ^ sum) + (tmp ^ key[((sum>>2)&3)^(j&3)]))^(((tmp<<4)^(d[j+1]>>3))+((tmp>>5)^(d[j+1]<<2))))
d[j] &= 0xffffffff
tmp = d[j]
d[4] += (((d[0] ^ sum) + (tmp ^ key[((sum>>2)&3)^(4&3)]))^(((tmp<<4)^(d[0]>>3))+((tmp>>5)^(d[0]<<2))))
d[4] &= 0xffffffff
sum = (sum + delta)&0xffffffff
print p32(d).encode('hex').upper()
def tea_de_group():
delta = 0x9E3779B9
sum = (delta*16)&0xffffffff
key = 'goodLuck7777777'
key = u32(key)
d = u32('1234567890ABCDEF1234567890ABCDEF12345678'.decode('hex'))
for i in range(16):
tmp = d[0]
for j in xrange(4,0,-1):
d[j] -= (((tmp ^ sum) + (d[j-1] ^ key[((sum>>2)&3)^(j&3)]))^(((d[j-1]<<4)^(tmp>>3))+((d[j-1]>>5)^(tmp<<2))))
d[j] &= 0xffffffff
tmp = d[j]
d[0] -= (((tmp ^ sum) + (d[4] ^ key[(sum>>2)&3]))^(((d[4]<<4)^(tmp>>3))+((d[4]>>5)^(tmp<<2))))
d[0] &= 0xffffffff
sum = (sum - delta)&0xffffffff
print p32(d).encode('hex').upper()
魔改aes的识别主要靠猜,依据是密钥扩展和解密过程中的字节替换及S盒和逆S盒的关系。
在aes解密的主函数中,第一次轮密钥加,循环中的行变换、字节替换和最后一轮的操作过程都清晰可见,循环中的轮密钥加和列混合变换函数调用被混淆代码填充了,编译后修改痕迹比较明显。
.text:004013B1 8B 7D EC mov edi, dword ptr [ebp+var_14] .text:004013B4 8B 45 F0 mov eax, dword ptr [ebp+var_14+4] .text:004013B7 8B 4D F4 mov ecx, dword ptr [ebp+var_14+8] .text:004013BA 8B 75 F8 mov esi, dword ptr [ebp+var_14+0Ch] .text:004013BD 8B D7 mov edx, edi .text:004013BF C1 EA 08 shr edx, 8 .text:004013C2 88 55 F5 mov [ebp+var_14+9], dl .text:004013C5 8B D0 mov edx, eax .text:004013C7 C1 EA 08 shr edx, 8 .text:004013CA 88 55 F9 mov [ebp+var_14+0Dh], dl .text:004013CD 8B D1 mov edx, ecx .text:004013CF C1 EA 08 shr edx, 8 .text:004013D2 88 55 ED mov [ebp+var_14+1], dl .text:004013D5 8B D6 mov edx, esi .text:004013D7 C1 EA 08 shr edx, 8 .text:004013DA 88 55 F1 mov [ebp+var_14+5], dl .text:004013DD 8B D7 mov edx, edi .text:004013DF C1 EA 10 shr edx, 10h .text:004013E2 88 55 F6 mov [ebp+var_14+0Ah], dl .text:004013E5 8B D0 mov edx, eax .text:004013E7 C1 EA 10 shr edx, 10h .text:004013EA 88 55 FA mov [ebp+var_14+0Eh], dl .text:004013ED 8B D1 mov edx, ecx .text:004013EF C1 EA 10 shr edx, 10h .text:004013F2 88 55 EE mov [ebp+var_14+2], dl .text:004013F5 8B D6 mov edx, esi .text:004013F7 C1 EA 10 shr edx, 10h .text:004013FA C1 E8 18 shr eax, 18h .text:004013FD 88 55 F2 mov [ebp+var_14+6], dl .text:00401400 88 45 EF mov [ebp+var_14+3], al .text:00401403 8B D7 mov edx, edi .text:00401405 C1 E9 18 shr ecx, 18h .text:00401408 8B C6 mov eax, esi .text:0040140A C1 EA 18 shr edx, 18h .text:0040140D C1 E8 18 shr eax, 18h .text:00401410 88 4D F3 mov [ebp+var_14+7], cl .text:00401413 88 55 FB mov [ebp+var_14+0Fh], dl .text:00401416 88 45 F7 mov [ebp+var_14+0Bh], al .text:00401419 8D 4D EC lea ecx, [ebp+var_14] .text:0040141C BE 04 00 00 00 mov esi, 4 .text:00401421 .text:00401421 loc_401421: .text:00401421 BA 04 00 00 00 mov edx, 4 .text:00401426 .text:00401426 loc_401426: .text:00401426 0F B6 01 movzx eax, byte ptr [ecx] .text:00401429 8B F8 mov edi, eax .text:0040142B 83 E7 F0 and edi, 0FFFFFFF0h .text:0040142E 83 E0 0F and eax, 0Fh .text:00401431 8A 84 07 08 81 41 00 mov al, g_rsbox_418108[edi+eax] .text:00401438 88 01 mov [ecx], al .text:0040143A 41 inc ecx .text:0040143B 4A dec edx .text:0040143C 75 E8 jnz short loc_401426 .text:0040143E 4E dec esi .text:0040143F 75 E0 jnz short loc_401421 .text:00401441 90 nop .text:00401442 90 nop .text:00401443 90 nop .text:00401444 90 nop .text:00401445 90 nop .text:00401446 90 nop .text:00401447 90 nop .text:00401448 90 nop .text:00401449 90 nop .text:0040144A 90 nop .text:0040144B 90 nop .text:0040144C 90 nop .text:0040144D 90 nop .text:0040144E 90 nop .text:0040144F 90 nop .text:00401450 90 nop .text:00401451 90 nop .text:00401452 E9 E6 AF 02 00 jmp loc_42C43D .text:00401452 aes_decrypt endp .text:00401452 .text:00401452 ; --------------------------------------------------------------------------- .text:00401457 00 align 4 .text:00401458 00 00 00 00 00 00 00 00+ dd 26h dup(0) .text:004014F0 00 db 0 .text:004014F1 00 db 0 .text:004014F2 ; --------------------------------------------------------------------------- .text:004014F2 90 nop .text:004014F3 90 nop .text:004014F4 90 nop .text:004014F5 90 nop .text:004014F6 90 nop .text:004014F7 90 nop .text:004014F8 90 nop .text:004014F9 90 nop .text:004014FA 90 nop .text:004014FB 90 nop .text:004014FC 90 nop .text:004014FD 90 nop .text:004014FE 90 nop .text:004014FF 90 nop .text:00401500 90 nop .text:00401501 83 6D D8 10 sub dword ptr [ebp-28h], 10h .text:00401505 FF 4D D4 dec dword ptr [ebp-2Ch] .text:00401508 0F 85 A3 FE FF FF jnz loc_4013B1 .text:0040150E 8B 7D EC mov edi, [ebp-14h] .text:00401511 8B 45 F0 mov eax, [ebp-10h] .text:00401514 8B 4D F4 mov ecx, [ebp-0Ch] .text:00401517 8B 75 F8 mov esi, [ebp-8] .text:0040151A 8B D7 mov edx, edi
4013B0-401508本是一个循环。这个混淆也挺有意思,有个统一的业务流程跳转处理。不过对于做题这部分不要细看。直接上动态,跟踪数据写入。很容易就发现混淆在分散处理的功能就是轮密钥加,写入位置为421621,而列混合变换是完整函数实现401080。通过动态跟踪比对,发现了所有魔改之处,包括:
- 行变换 (实际成了列变换)
- 循环过程中的轮密钥加
- 混合列变换 (此变动较大,两列变换一次,变换矩阵8*8)
- 当然还有S盒及逆S盒。
具体过程见代码(代码也是网上copy来的):
/*
* Advanced Encryption Standard
* @author Dani Huertas
* @email huertas.dani@gmail.com
*
* Based on the document FIPS PUB 197
*/
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
/*
* Addition in GF(2^8)
* http://en.wikipedia.org/wiki/Finite_field_arithmetic
*/
uint8_t gadd(uint8_t a, uint8_t b) {
return a^b;
}
/*
* Subtraction in GF(2^8)
* http://en.wikipedia.org/wiki/Finite_field_arithmetic
*/
uint8_t gsub(uint8_t a, uint8_t b) {
return a^b;
}
/*
* Multiplication in GF(2^8)
* http://en.wikipedia.org/wiki/Finite_field_arithmetic
* Irreducible polynomial m(x) = x8 + x4 + x3 + x + 1
*/
uint8_t gmult(uint8_t a, uint8_t b) {
uint8_t p = 0, i = 0, hbs = 0;
for (i = 0; i < 8; i++) {
if (b & 1) {
p ^= a;
}
hbs = a & 0x80;
a <<= 1;
if (hbs) a ^= 0x1b; // 0000 0001 0001 1011
b >>= 1;
}
return (uint8_t)p;
}
/*
* Addition of 4 byte words
* m(x) = x4+1
*/
void coef_add(uint8_t a[], uint8_t b[], uint8_t d[]) {
d[0] = a[0]^b[0];
d[1] = a[1]^b[1];
d[2] = a[2]^b[2];
d[3] = a[3]^b[3];
}
/*
* Multiplication of 4 byte words
* m(x) = x4+1
*/
void coef_mult(uint8_t *a, uint8_t *b, uint8_t *d) {
d[0] = gmult(a[0],b[0])^gmult(a[3],b[1])^gmult(a[2],b[2])^gmult(a[1],b[3]);
d[1] = gmult(a[1],b[0])^gmult(a[0],b[1])^gmult(a[3],b[2])^gmult(a[2],b[3]);
d[2] = gmult(a[2],b[0])^gmult(a[1],b[1])^gmult(a[0],b[2])^gmult(a[3],b[3]);
d[3] = gmult(a[3],b[0])^gmult(a[2],b[1])^gmult(a[1],b[2])^gmult(a[0],b[3]);
}
void coef_mult_1(uint8_t *a, uint8_t *b, uint8_t *d) {
d[0] = gmult(a[0],b[0])^gmult(a[1],b[1])^gmult(a[2],b[2])^gmult(a[3],b[3])^gmult(a[4],b[4])^gmult(a[5],b[5])^gmult(a[6],b[6])^gmult(a[7],b[7]);
d[1] = gmult(a[8],b[0])^gmult(a[9],b[1])^gmult(a[10],b[2])^gmult(a[11],b[3])^gmult(a[12],b[4])^gmult(a[13],b[5])^gmult(a[14],b[6])^gmult(a[15],b[7]);
d[2] = gmult(a[16],b[0])^gmult(a[17],b[1])^gmult(a[18],b[2])^gmult(a[19],b[3])^gmult(a[20],b[4])^gmult(a[21],b[5])^gmult(a[22],b[6])^gmult(a[23],b[7]);
d[3] = gmult(a[24],b[0])^gmult(a[25],b[1])^gmult(a[26],b[2])^gmult(a[27],b[3])^gmult(a[28],b[4])^gmult(a[29],b[5])^gmult(a[30],b[6])^gmult(a[31],b[7]);
d[4] = gmult(a[32],b[0])^gmult(a[33],b[1])^gmult(a[34],b[2])^gmult(a[35],b[3])^gmult(a[36],b[4])^gmult(a[37],b[5])^gmult(a[38],b[6])^gmult(a[39],b[7]);
d[5] = gmult(a[40],b[0])^gmult(a[41],b[1])^gmult(a[42],b[2])^gmult(a[43],b[3])^gmult(a[44],b[4])^gmult(a[45],b[5])^gmult(a[46],b[6])^gmult(a[47],b[7]);
d[6] = gmult(a[48],b[0])^gmult(a[49],b[1])^gmult(a[50],b[2])^gmult(a[51],b[3])^gmult(a[52],b[4])^gmult(a[53],b[5])^gmult(a[54],b[6])^gmult(a[55],b[7]);
d[7] = gmult(a[56],b[0])^gmult(a[57],b[1])^gmult(a[58],b[2])^gmult(a[59],b[3])^gmult(a[60],b[4])^gmult(a[61],b[5])^gmult(a[62],b[6])^gmult(a[63],b[7]);
}
/*
* The cipher Key.
*/
int K;
/*
* Number of columns (32-bit words) comprising the State. For this
* standard, Nb = 4.
*/
#define Nb 4
/*
* Number of 32-bit words comprising the Cipher Key. For this
* standard, Nk = 4, 6, or 8.
*/
int Nk;
/*
* Number of rounds, which is a function of Nk and Nb (which is
* fixed). For this standard, Nr = 10, 12, or 14.
*/
int Nr;
/*
* S-box transformation table
*/
//static uint8_t s_box[256] = {
// 0 1 2 3 4 5 6 7 8 9 a b c d e f
// 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76, // 0
// 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0, // 1
// 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15, // 2
// 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75, // 3
// 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84, // 4
// 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf, // 5
// 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8, // 6
// 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2, // 7
// 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73, // 8
// 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb, // 9
// 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79, // a
// 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08, // b
// 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a, // c
// 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e, // d
// 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf, // e
// 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16};// f
static uint8_t s_box[256] = {
// 0 1 2 3 4 5 6 7 8 9 a b c d e f
0x03, 0x10, 0xD1, 0xD5, 0xC9, 0x27, 0xC8, 0x68, 0xB3, 0xEF, 0x30, 0xFA, 0x33, 0xB0, 0xCA, 0x51,
0x7E, 0x37, 0x74, 0xF6, 0xC7, 0x4B, 0xE3, 0x0A, 0x36, 0x98, 0x9B, 0xB6, 0xD3, 0x9E, 0x1D, 0x77,
0x9D, 0x46, 0xED, 0x8C, 0xEC, 0xE6, 0xA7, 0x12, 0x92, 0xF4, 0x76, 0xDC, 0xA0, 0x14, 0x24, 0xD9,
0x20, 0x79, 0x59, 0x08, 0x4E, 0xB1, 0x07, 0x90, 0xAA, 0x2E, 0xD7, 0x4F, 0x11, 0xCD, 0xC5, 0x8A,
0xA5, 0x1C, 0x6A, 0x19, 0xC2, 0x66, 0xB4, 0xBC, 0x94, 0xC0, 0x9C, 0x2D, 0xE1, 0x29, 0xE2, 0x15,
0x55, 0x2A, 0x97, 0x81, 0xCF, 0x1A, 0x5A, 0xF5, 0x2C, 0xF3, 0xDD, 0x93, 0xB5, 0x4A, 0xE0, 0x39,
0x57, 0x6F, 0x6E, 0xD6, 0x0C, 0x61, 0xAE, 0x31, 0xFF, 0xBD, 0xCE, 0x35, 0xD2, 0x5C, 0x40, 0x82,
0x17, 0x89, 0x75, 0xE7, 0x7C, 0xA6, 0x32, 0x01, 0x22, 0x78, 0x18, 0x3A, 0x5D, 0x44, 0xAD, 0x84,
0x45, 0x6B, 0xDB, 0xC3, 0x25, 0x5F, 0x06, 0x7F, 0xF0, 0xAB, 0xFD, 0x60, 0x2F, 0x3B, 0x00, 0x48,
0x2B, 0xFB, 0x96, 0x9F, 0x05, 0xE5, 0x91, 0x1E, 0x8F, 0x0F, 0x50, 0xA9, 0x0D, 0xF9, 0x3D, 0x21,
0xFE, 0xEE, 0x1B, 0x04, 0x13, 0x95, 0xB7, 0x42, 0xBF, 0x7A, 0x3E, 0x49, 0xB2, 0xAF, 0xCC, 0x28,
0xCB, 0x8D, 0x70, 0x54, 0xDE, 0x99, 0x3C, 0x26, 0xF7, 0x83, 0x85, 0x7D, 0x34, 0xE9, 0xBA, 0x3F,
0x9A, 0xDF, 0x02, 0x69, 0x5E, 0x7B, 0x43, 0x38, 0x67, 0xD8, 0xA4, 0xC4, 0xEA, 0x88, 0xE4, 0xD4,
0xBB, 0xB8, 0x47, 0xA2, 0xE8, 0x23, 0xA8, 0xF8, 0x73, 0x58, 0xF1, 0x6D, 0x1F, 0xAC, 0x65, 0x86,
0x8E, 0x09, 0x0E, 0x0B, 0xDA, 0xEB, 0x41, 0x62, 0xD0, 0x5B, 0x6C, 0x87, 0x4C, 0xFC, 0x71, 0x8B,
0x56, 0x4D, 0x64, 0xC1, 0x52, 0xA1, 0xBE, 0xB9, 0xC6, 0x53, 0x80, 0xF2, 0x16, 0x72, 0xA3, 0x63};// f
/*
* Inverse S-box transformation table
*/
//static uint8_t inv_s_box[256] = {
// 0 1 2 3 4 5 6 7 8 9 a b c d e f
// 0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38, 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb, // 0
// 0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87, 0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb, // 1
// 0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d, 0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e, // 2
// 0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2, 0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25, // 3
// 0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16, 0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92, // 4
// 0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda, 0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84, // 5
// 0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a, 0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06, // 6
// 0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02, 0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b, // 7
// 0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea, 0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73, // 8
// 0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85, 0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e, // 9
// 0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89, 0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b, // a
// 0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20, 0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4, // b
// 0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31, 0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f, // c
// 0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d, 0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef, // d
// 0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0, 0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61, // e
// 0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26, 0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d};// f
static uint8_t inv_s_box[256] = {
// 0 1 2 3 4 5 6 7 8 9 a b c d e f
0x8E, 0x77, 0xC2, 0x00, 0xA3, 0x94, 0x86, 0x36, 0x33, 0xE1, 0x17, 0xE3, 0x64, 0x9C, 0xE2, 0x99,
0x01, 0x3C, 0x27, 0xA4, 0x2D, 0x4F, 0xFC, 0x70, 0x7A, 0x43, 0x55, 0xA2, 0x41, 0x1E, 0x97, 0xDC,
0x30, 0x9F, 0x78, 0xD5, 0x2E, 0x84, 0xB7, 0x05, 0xAF, 0x4D, 0x51, 0x90, 0x58, 0x4B, 0x39, 0x8C,
0x0A, 0x67, 0x76, 0x0C, 0xBC, 0x6B, 0x18, 0x11, 0xC7, 0x5F, 0x7B, 0x8D, 0xB6, 0x9E, 0xAA, 0xBF,
0x6E, 0xE6, 0xA7, 0xC6, 0x7D, 0x80, 0x21, 0xD2, 0x8F, 0xAB, 0x5D, 0x15, 0xEC, 0xF1, 0x34, 0x3B,
0x9A, 0x0F, 0xF4, 0xF9, 0xB3, 0x50, 0xF0, 0x60, 0xD9, 0x32, 0x56, 0xE9, 0x6D, 0x7C, 0xC4, 0x85,
0x8B, 0x65, 0xE7, 0xFF, 0xF2, 0xDE, 0x45, 0xC8, 0x07, 0xC3, 0x42, 0x81, 0xEA, 0xDB, 0x62, 0x61,
0xB2, 0xEE, 0xFD, 0xD8, 0x12, 0x72, 0x2A, 0x1F, 0x79, 0x31, 0xA9, 0xC5, 0x74, 0xBB, 0x10, 0x87,
0xFA, 0x53, 0x6F, 0xB9, 0x7F, 0xBA, 0xDF, 0xEB, 0xCD, 0x71, 0x3F, 0xEF, 0x23, 0xB1, 0xE0, 0x98,
0x37, 0x96, 0x28, 0x5B, 0x48, 0xA5, 0x92, 0x52, 0x19, 0xB5, 0xC0, 0x1A, 0x4A, 0x20, 0x1D, 0x93,
0x2C, 0xF5, 0xD3, 0xFE, 0xCA, 0x40, 0x75, 0x26, 0xD6, 0x9B, 0x38, 0x89, 0xDD, 0x7E, 0x66, 0xAD,
0x0D, 0x35, 0xAC, 0x08, 0x46, 0x5C, 0x1B, 0xA6, 0xD1, 0xF7, 0xBE, 0xD0, 0x47, 0x69, 0xF6, 0xA8,
0x49, 0xF3, 0x44, 0x83, 0xCB, 0x3E, 0xF8, 0x14, 0x06, 0x04, 0x0E, 0xB0, 0xAE, 0x3D, 0x6A, 0x54,
0xE8, 0x02, 0x6C, 0x1C, 0xCF, 0x03, 0x63, 0x3A, 0xC9, 0x2F, 0xE4, 0x82, 0x2B, 0x5A, 0xB4, 0xC1,
0x5E, 0x4C, 0x4E, 0x16, 0xCE, 0x95, 0x25, 0x73, 0xD4, 0xBD, 0xCC, 0xE5, 0x24, 0x22, 0xA1, 0x09,
0x88, 0xDA, 0xFB, 0x59, 0x29, 0x57, 0x13, 0xB8, 0xD7, 0x9D, 0x0B, 0x91, 0xED, 0x8A, 0xA0, 0x68};// f
/*
* Generates the round constant Rcon[i]
*/
uint8_t R[] = {0x02, 0x00, 0x00, 0x00};
uint8_t * Rcon(uint8_t i) {
if (i == 1) {
R[0] = 0x01; // x^(1-1) = x^0 = 1
} else if (i > 1) {
R[0] = 0x02;
i--;
while (i-1 > 0) {
R[0] = gmult(R[0], 0x02);
i--;
}
}
return R;
}
/*
* Transformation in the Cipher and Inverse Cipher in which a Round
* Key is added to the State using an XOR operation. The length of a
* Round Key equals the size of the State (i.e., for Nb = 4, the Round
* Key length equals 128 bits/16 bytes).
*/
void add_round_key(uint8_t *state, uint8_t *w, uint8_t r) {
uint8_t c;
for (c = 0; c < Nb; c++) {
state[Nb*0+c] = state[Nb*0+c]^w[4*Nb*r+4*c+0]; //debug, so it works for Nb !=4
state[Nb*1+c] = state[Nb*1+c]^w[4*Nb*r+4*c+1];
state[Nb*2+c] = state[Nb*2+c]^w[4*Nb*r+4*c+2];
state[Nb*3+c] = state[Nb*3+c]^w[4*Nb*r+4*c+3];
}
}
void add_round_key_1(uint8_t *state, uint8_t *w, uint8_t r) {
uint8_t c;
uint8_t st_tmp[16];
memcpy(st_tmp,state,16);
for (c = 0; c < Nb; c++) {
state[Nb*c] = st_tmp[Nb*0+c]^w[4*Nb*r+c+0]; //debug, so it works for Nb !=4
state[Nb*c+1] = st_tmp[Nb*1+c]^w[4*Nb*r+c+1*4];
state[Nb*c+2] = st_tmp[Nb*2+c]^w[4*Nb*r+c+2*4];
state[Nb*c+3] = st_tmp[Nb*3+c]^w[4*Nb*r+c+3*4];
}
}
void add_round_key_2(uint8_t *state, uint8_t *w, uint8_t r) {
uint8_t c;
uint8_t st_tmp[16];
memcpy(st_tmp,state,16);
for (c = 0; c < Nb; c++) {
state[Nb*0+c] = st_tmp[Nb*c]^w[4*Nb*r+c+0]; //debug, so it works for Nb !=4
state[Nb*1+c] = st_tmp[Nb*c+1]^w[4*Nb*r+c+1*4];
state[Nb*2+c] = st_tmp[Nb*c+2]^w[4*Nb*r+c+2*4];
state[Nb*3+c] = st_tmp[Nb*c+3]^w[4*Nb*r+c+3*4];
}
}
/*
* Transformation in the Cipher that takes all of the columns of the
* State and mixes their data (independently of one another) to
* produce new columns.
*/
void mix_columns(uint8_t *state) {
uint8_t a[] = {0x02, 0x01, 0x01, 0x03}; // a(x) = {02} + {01}x + {01}x2 + {03}x3
uint8_t i, j, col[4], res[4];
for (j = 0; j < Nb; j++) {
for (i = 0; i < 4; i++) {
col[i] = state[Nb*i+j];
}
coef_mult(a, col, res);
for (i = 0; i < 4; i++) {
state[Nb*i+j] = res[i];
}
}
}
void mix_columns_1(uint8_t *state) {
uint8_t a[] = { 0x0B, 0x08, 0x06, 0x05, 0x04, 0x03, 0x01, 0x07,
0x08, 0x0B, 0x05, 0x06, 0x03, 0x04, 0x07, 0x01,
0x06, 0x05, 0x0B, 0x08, 0x01, 0x07, 0x04, 0x03,
0x05, 0x06, 0x08, 0x0B, 0x07, 0x01, 0x03, 0x04,
0x04, 0x03, 0x01, 0x07, 0x0B, 0x08, 0x06, 0x05,
0x03, 0x04, 0x07, 0x01, 0x08, 0x0B, 0x05, 0x06,
0x01, 0x07, 0x04, 0x03, 0x06, 0x05, 0x0B, 0x08,
0x07, 0x01, 0x03, 0x04, 0x05, 0x06, 0x08, 0x0B}; // a(x) = {0e} + {09}x + {0d}x2 + {0b}x3
uint8_t i, j, col[8], res[8];
for (j = 0; j < 2; j++) {
for (i = 0; i < 4; i++) {
col[i] = state[Nb*i+j];
col[i+4] = state[Nb*i+j+2];
}
coef_mult_1(a, col, res);
for (i = 0; i < 4; i++) {
state[Nb*i+j] = res[i];
state[Nb*i+j+2] = res[i+4];
}
}
}
/*
* Transformation in the Inverse Cipher that is the inverse of
* MixColumns().
*/
void inv_mix_columns(uint8_t *state) {
uint8_t a[] = {0x0e, 0x09, 0x0d, 0x0b}; // a(x) = {0e} + {09}x + {0d}x2 + {0b}x3
uint8_t i, j, col[4], res[4];
for (j = 0; j < Nb; j++) {
for (i = 0; i < 4; i++) {
col[i] = state[Nb*i+j];
}
coef_mult(a, col, res);
for (i = 0; i < 4; i++) {
state[Nb*i+j] = res[i];
}
}
}
void inv_mix_columns_1(uint8_t *state) {
uint8_t a[] = { 0x0B, 0x08, 0x06, 0x05, 0x04, 0x03, 0x01, 0x07,
0x08, 0x0B, 0x05, 0x06, 0x03, 0x04, 0x07, 0x01,
0x06, 0x05, 0x0B, 0x08, 0x01, 0x07, 0x04, 0x03,
0x05, 0x06, 0x08, 0x0B, 0x07, 0x01, 0x03, 0x04,
0x04, 0x03, 0x01, 0x07, 0x0B, 0x08, 0x06, 0x05,
0x03, 0x04, 0x07, 0x01, 0x08, 0x0B, 0x05, 0x06,
0x01, 0x07, 0x04, 0x03, 0x06, 0x05, 0x0B, 0x08,
0x07, 0x01, 0x03, 0x04, 0x05, 0x06, 0x08, 0x0B}; // a(x) = {0e} + {09}x + {0d}x2 + {0b}x3
uint8_t i, j, col[8], res[8];
for (j = 0; j < 2; j++) {
for (i = 0; i < 4; i++) {
col[i] = state[Nb*i+j];
col[i+4] = state[Nb*i+j+2];
}
coef_mult_1(a, col, res);
for (i = 0; i < 4; i++) {
state[Nb*i+j] = res[i];
state[Nb*i+j+2] = res[i+4];
}
}
}
/*
* Transformation in the Cipher that processes the State by cyclically
* shifting the last three rows of the State by different offsets.
*/
void shift_rows(uint8_t *state) {
uint8_t i, k, s, tmp,tmp1,tmp2;
tmp1 = state[1];
tmp2 = state[5];
state[1] = state[9];
state[5] = state[13];
state[9] = tmp1;
state[13] = tmp2;
tmp1 = state[2];
tmp2 = state[6];
state[2] = state[10];
state[6] = state[14];
state[10] = tmp1;
state[14] = tmp2;
tmp1 = state[15];
state[15] = state[11];
state[11] = state[7];
state[7] = state[3];
state[3] = tmp1;
//for (i = 1; i < 4; i++) {
// shift(1,4)=1; shift(2,4)=2; shift(3,4)=3
// shift(r, 4) = r;
// s = 0;
// while (s < i) {
// tmp = state[Nb*i+0];
// for (k = 1; k < Nb; k++) {
// state[Nb*i+k-1] = state[Nb*i+k];
// }
// state[Nb*i+Nb-1] = tmp;
// s++;
// }
//}
}
/*
* Transformation in the Inverse Cipher that is the inverse of
* ShiftRows().
*/
void inv_shift_rows(uint8_t *state) {
uint8_t i, k, s, tmp,tmp1,tmp2;
tmp1 = state[1];
tmp2 = state[5];
state[1] = state[9];
state[5] = state[13];
state[9] = tmp1;
state[13] = tmp2;
tmp1 = state[2];
tmp2 = state[6];
state[2] = state[10];
state[6] = state[14];
state[10] = tmp1;
state[14] = tmp2;
tmp1 = state[3];
state[3] = state[7];
state[7] = state[11];
state[11] = state[15];
state[15] = tmp1;
//for (i = 1; i < 4; i++) {
// s = 0;
// while (s < i) {
// tmp = state[Nb*i+Nb-1];
// for (k = Nb-1; k > 0; k--) {
// state[Nb*i+k] = state[Nb*i+k-1];
// }
// state[Nb*i+0] = tmp;
// s++;
// }
//}
}
/*
* Transformation in the Cipher that processes the State using a non?
* linear byte substitution table (S-box) that operates on each of the
* State bytes independently.
*/
void sub_bytes(uint8_t *state) {
uint8_t i, j;
uint8_t row, col;
for (i = 0; i < 4; i++) {
for (j = 0; j < Nb; j++) {
row = (state[Nb*i+j] & 0xf0) >> 4;
col = state[Nb*i+j] & 0x0f;
state[Nb*i+j] = s_box[16*row+col];
}
}
}
/*
* Transformation in the Inverse Cipher that is the inverse of
* SubBytes().
*/
void inv_sub_bytes(uint8_t *state) {
uint8_t i, j;
uint8_t row, col;
for (i = 0; i < 4; i++) {
for (j = 0; j < Nb; j++) {
row = (state[Nb*i+j] & 0xf0) >> 4;
col = state[Nb*i+j] & 0x0f;
state[Nb*i+j] = inv_s_box[16*row+col];
}
}
}
/*
* Function used in the Key Expansion routine that takes a four-byte
* input word and applies an S-box to each of the four bytes to
* produce an output word.
*/
void sub_word(uint8_t *w) {
uint8_t i;
for (i = 0; i < 4; i++) {
w[i] = s_box[16*((w[i] & 0xf0) >> 4) + (w[i] & 0x0f)];
}
}
/*
* Function used in the Key Expansion routine that takes a four-byte
* word and performs a cyclic permutation.
*/
void rot_word(uint8_t *w) {
uint8_t tmp;
uint8_t i;
tmp = w[0];
for (i = 0; i < 3; i++) {
w[i] = w[i+1];
}
w[3] = tmp;
}
/*
* Key Expansion
*/
void key_expansion(uint8_t *key, uint8_t *w) {
uint8_t tmp[4];
uint8_t i, j;
uint8_t len = Nb*(Nr+1);
for (i = 0; i < Nk; i++) {
w[4*i+0] = key[4*i+0];
w[4*i+1] = key[4*i+1];
w[4*i+2] = key[4*i+2];
w[4*i+3] = key[4*i+3];
}
for (i = Nk; i < len; i++) {
tmp[0] = w[4*(i-1)+0];
tmp[1] = w[4*(i-1)+1];
tmp[2] = w[4*(i-1)+2];
tmp[3] = w[4*(i-1)+3];
if (i%Nk == 0) {
rot_word(tmp);
sub_word(tmp);
coef_add(tmp, Rcon(i/Nk), tmp);
} else if (Nk > 6 && i%Nk == 4) {
sub_word(tmp);
}
w[4*i+0] = w[4*(i-Nk)+0]^tmp[0];
w[4*i+1] = w[4*(i-Nk)+1]^tmp[1];
w[4*i+2] = w[4*(i-Nk)+2]^tmp[2];
w[4*i+3] = w[4*(i-Nk)+3]^tmp[3];
}
}
void print_info(uint8_t* out){
int i;
for (i = 0; i < 4; i++) {
printf("%02X %02X %02X %02X ", out[4*i+0], out[4*i+1], out[4*i+2], out[4*i+3]);
}
printf("\n");
}
void cipher(uint8_t *in, uint8_t *out, uint8_t *w) {
uint8_t state[4*Nb];
uint8_t r, i, j;
for (i = 0; i < 4; i++) {
for (j = 0; j < Nb; j++) {
state[Nb*i+j] = in[i+4*j];
}
}
add_round_key(state, w, 0);
for (r = 1; r < Nr; r++) {
sub_bytes(state);
shift_rows(state);
mix_columns_1(state);
add_round_key_2(state, w, r);
}
sub_bytes(state);
shift_rows(state);
add_round_key(state, w, Nr);
for (i = 0; i < 4; i++) {
for (j = 0; j < Nb; j++) {
out[i+4*j] = state[Nb*i+j];
}
}
}
void inv_cipher(uint8_t *in, uint8_t *out, uint8_t *w) {
uint8_t state[4*Nb];
uint8_t r, i, j;
for (i = 0; i < 4; i++) {
for (j = 0; j < Nb; j++) {
state[Nb*i+j] = in[i+4*j];
}
}
add_round_key(state, w, Nr);
for (r = Nr-1; r >= 1; r--) {
inv_shift_rows(state);
inv_sub_bytes(state);
add_round_key_1(state, w, r);
inv_mix_columns_1(state);
}
inv_shift_rows(state);
inv_sub_bytes(state);
add_round_key(state, w, 0);
for (i = 0; i < 4; i++) {
for (j = 0; j < Nb; j++) {
out[i+4*j] = state[Nb*i+j];
}
}
}
int main(int argc, char *argv[]) {
uint8_t i;
uint8_t key[] = {
0x7E, 0x6E, 0xCF, 0xD4,
0x92, 0xBC, 0x4B, 0x27,
0xC0, 0xCF, 0xF2, 0x65,
0x6D, 0x3C, 0x49, 0xD1,
0xAA, 0xB1, 0x45, 0xA8,
0x6D, 0x75, 0x9B, 0xC1,
0xDF, 0x75, 0x60, 0xDD,
0x8D, 0xDD, 0x13, 0xDA};
//uint8_t in[] = {
// 0x7B, 0x85, 0xC9, 0x5F, 0x14, 0x1F, 0xA6, 0x38, 0x3F, 0x7E, 0xB7, 0x10, 0x24, 0x19, 0xB3, 0x6F};
uint8_t in[] = {0xA5, 0x4B, 0x4A, 0x9A, 0xC5, 0x49, 0x8A, 0xA2, 0x62, 0xA4, 0xC5, 0x56, 0x2D, 0x52, 0x5A, 0xA6};
uint8_t out[16]; // 128
uint8_t *w; // expanded key
switch (sizeof(key)) {
default:
case 16: Nk = 4; Nr = 10; break;
case 24: Nk = 6; Nr = 12; break;
case 32: Nk = 8; Nr = 14; break;
}
w = malloc(Nb*(Nr+1)*4);
key_expansion(key, w);
cipher(in /* in */, out /* out */, w /* expanded key */);
printf("out:\n");
for (i = 0; i < 4; i++) {
printf("%02X %02X %02X %02X ", out[4*i+0], out[4*i+1], out[4*i+2], out[4*i+3]);
}
printf("\n");
inv_cipher(out, in, w);
for (i = 0; i < 4; i++) {
printf("%02X %02X %02X %02X ", in[4*i+0], in[4*i+1], in[4*i+2], in[4*i+3]);
}
printf("\n");
exit(0);
}
最后结果为:76474B2B1926009C452B00627200190268740438FDCC641665D0EA735F2739B3EE7B315A。
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
最后于 2018-12-17 11:38
被poyoten编辑
,原因:
赞赏
他的文章
