[原创]看雪CTF.TSRC 2018 团队赛 第八题 二向箔
2018-12-17 11:22 2665
看雪CTF.TSRC 2018 团队赛 第八题 二向箔
没什么时间,暂时先写点,如果有空的话。。。。
## 初识
初看程序很“正常”,主流程清晰,输入72字节,unhex后的36字节分两个部分进行分别校验,这种明了的控制台程序让人看了感觉很舒服,典型做题人的懒人心理,如下:
/*
 * Decompiler pseudocode of the program's input loop.
 * Each pass reads a registration code, hex-decodes it, and accepts it only
 * when the decoded length is 36 and both checks pass: check_part1 receives
 * the start of the decoded buffer, check_part2 receives the bytes from
 * offset 16 onward. On failure it prints an error and prompts again.
 */
int mainroutine()
{
  char l_input[260]; // [esp+0h] [ebp-130h]
  char l_unhex_input[36]; // [esp+104h] [ebp-2Ch]
  char v3; // [esp+128h] [ebp-8h]

  while ( 1 )
  {
    /* Clear the 36-byte decode buffer (nine dword stores) and the byte after it. */
    *(_DWORD *)l_unhex_input = 0;
    *(_DWORD *)&l_unhex_input[4] = 0;
    *(_DWORD *)&l_unhex_input[8] = 0;
    *(_DWORD *)&l_unhex_input[12] = 0;
    *(_DWORD *)&l_unhex_input[16] = 0;
    *(_DWORD *)&l_unhex_input[20] = 0;
    *(_DWORD *)&l_unhex_input[24] = 0;
    *(_DWORD *)&l_unhex_input[28] = 0;
    *(_DWORD *)&l_unhex_input[32] = 0;
    v3 = 0;
    printf("\nInput RegCode:");
    memset(l_input, 0, 0x101u);
    /* The %245s width keeps the read (245 chars + NUL) inside the 260-byte
     * buffer; the scanf return value is not checked. */
    scanf("%245s", l_input);
    if ( check_format_and_unhex(l_input, l_unhex_input) == 36
      && check_part1((int)l_unhex_input)
      && check_part2((unsigned int *)&l_unhex_input[16]) )
    {
      break;
    }
    printf("\n Wrong, Plz Try Again...\n");
  }
  printf("\n Good!\n");
  return getch();
}
part1
这部分校验是通过复数计算实现的,背后的数学意义不知,也别再和我谈数学,头疼。
代码比较乱,就不上了。大致过程是:16字节输入矩阵点乘包含16个复数元素的常量矩阵A后进行变换,接着再点乘常量矩阵B后进行变换,结果与常量比较,可以参照反解代码。
# Part 1 solver (Python 2 syntax: print statement, str.encode('hex')).
# It uses numpy as `np`; the import is not shown in this listing.
# NOTE(review): the listing lost its indentation. The block structure below
# (scaling statements outside the loops, final print outside the last loop)
# is the natural reading -- confirm against the author's original file.

def decomp1(m_a):
    """Undo the second transform stage on a 16-element complex sequence.

    The sequence is treated as a 4x4 grid stored row-major. The first loop
    works on the four elements i, i+4, i+8, i+12 (one column per i), the
    second on 4*i .. 4*i+3 (one row per i). Each loop swaps the two middle
    elements and then applies averaging/difference steps with a -1j factor.
    All elements are multiplied by 4 before each loop. Returns a list.
    NOTE(review): this has the shape of an inverse radix-2 butterfly -- confirm.
    """
    m_a = [x*4 for x in m_a]
    for i in range(4):
        tmp = m_a[i+4]
        m_a[i+4] = m_a[i+8]
        m_a[i+8] = tmp
        tmp = m_a[i]
        m_a[i] = (m_a[i]+m_a[i+4])/2
        m_a[i+4] = tmp-m_a[i]
        tmp = m_a[i+8]
        m_a[i+8] = (m_a[i+8]+m_a[i+12])/2
        m_a[i+12] = tmp-m_a[i+8]
        tmp = m_a[i]
        m_a[i] = (m_a[i]+m_a[i+8])/2
        m_a[i+8] = tmp-m_a[i]
        tmp = m_a[i+4]
        # Earlier form kept for reference: division by (~0 + 1j), replaced
        # below by multiplication with -1j.
        # m_a[i+4] = (m_a[i+4]+m_a[i+12]/(2.489659051495416e-11+1j))/2
        m_a[i+4] = (m_a[i+4]+m_a[i+12]*-1j)/2
        m_a[i+12] = tmp-m_a[i+4]
    m_a = [x*4 for x in m_a]
    for i in range(4):
        tmp = m_a[4*i+1]
        m_a[4*i+1] = m_a[4*i+2]
        m_a[4*i+2] = tmp
        tmp = m_a[4*i]
        m_a[4*i] = (m_a[4*i]+m_a[i*4+1])/2
        m_a[4*i+1] = tmp-m_a[4*i]
        tmp = m_a[4*i+2]
        m_a[4*i+2] = (m_a[4*i+2]+m_a[i*4+3])/2
        m_a[4*i+3] = tmp-m_a[4*i+2]
        tmp = m_a[4*i]
        m_a[4*i] = (m_a[4*i]+m_a[i*4+2])/2
        m_a[4*i+2] = tmp-m_a[4*i]
        tmp = m_a[4*i+1]
        # m_a[4*i+1] = (m_a[4*i+1]+m_a[i*4+3]/(2.489659051495416e-11+1j))/2
        m_a[4*i+1] = (m_a[4*i+1]+m_a[i*4+3]*-1j)/2
        m_a[4*i+3] = tmp-m_a[4*i+1]
    return m_a

def decomp2(m_a):
    """Undo the first transform stage on a 16-element complex sequence.

    Same butterfly steps as decomp1 but in the opposite order (rows 4*i..4*i+3
    first, then columns i, i+4, i+8, i+12), with a +1j factor and without the
    multiplication by 4. The argument is modified in place and returned.
    """
    for i in range(4):
        tmp = m_a[4*i+1]
        m_a[4*i+1] = m_a[4*i+2]
        m_a[4*i+2] = tmp
        tmp = m_a[4*i]
        m_a[4*i] = (m_a[4*i]+m_a[i*4+1])/2
        m_a[4*i+1] = tmp-m_a[4*i]
        tmp = m_a[4*i+2]
        m_a[4*i+2] = (m_a[4*i+2]+m_a[i*4+3])/2
        m_a[4*i+3] = tmp-m_a[4*i+2]
        tmp = m_a[4*i]
        m_a[4*i] = (m_a[4*i]+m_a[i*4+2])/2
        m_a[4*i+2] = tmp-m_a[4*i]
        tmp = m_a[4*i+1]
        # m_a[4*i+1] = (m_a[4*i+1]+m_a[i*4+3]/(2.489659051495416e-11-1j))/2
        m_a[4*i+1] = (m_a[4*i+1]+m_a[i*4+3]*1j)/2
        m_a[4*i+3] = tmp-m_a[4*i+1]
    for i in range(4):
        tmp = m_a[i+4]
        m_a[i+4] = m_a[i+8]
        m_a[i+8] = tmp
        tmp = m_a[i]
        m_a[i] = (m_a[i]+m_a[i+4])/2
        m_a[i+4] = tmp-m_a[i]
        tmp = m_a[i+8]
        m_a[i+8] = (m_a[i+8]+m_a[i+12])/2
        m_a[i+12] = tmp-m_a[i+8]
        tmp = m_a[i]
        m_a[i] = (m_a[i]+m_a[i+8])/2
        m_a[i+8] = tmp-m_a[i]
        tmp = m_a[i+4]
        # m_a[i+4] = (m_a[i+4]+m_a[i+12]/(2.489659051495416e-11-1j))/2
        m_a[i+4] = (m_a[i+4]+m_a[i+12]*1j)/2
        m_a[i+12] = tmp-m_a[i+4]
    return m_a

def de_part1():
    """Recover the 16 bytes of part 1 from the comparison constants and print them as hex.

    Steps, in the reverse order of the check described in the write-up:
    decomp1, element-wise division by constant table 2, decomp2, element-wise
    division by constant table 1. Each recovered byte is the rounded magnitude
    of one complex value, picked through pos_table.
    """
    # Expected results as [real, imag] pairs (the constants the check compares against).
    check_table =[[ 89.29755308453579,-79.17379644565403],
    [-111.2163512360939, 2.214913370549852],
    [ 58.53994866406929, 29.06501356902275],
    [ 50.10366738039983, 43.81443778796614],
    [-38.57218738982585,-6.003177682012292],
    [ 95.28512164227500, 23.93090391296341],
    [ 126.2134704052789,-55.13922097302165],
    [ 40.52291517137797, 21.22526960238724],
    [ 3.958915911257385, 13.81283030051250],
    [ 64.70049327204174,-11.21899032986361],
    [ 69.33635962322674, 37.77305291719599],
    [ 49.80532876967061, 1.042567029449955],
    [ 7.814589741286500, 29.57759317220326],
    [ 8.137180677718944, 11.51468293321896],
    [-6.034516127726973,-8.093284855693909],
    [ 25.53885330339410, 1.665054146893387],]
    # First constant multiplier table as [real, imag] pairs.
    m_table1 = [[ 0.6276739465982339, -0.7784763430970765],
    [-0.9635532393515180, 0.2675166442208714],
    [ 1.000000000000000,-2.449293598294706e-16],
    [ 1.000000000000000, 0.0],
    [-0.9635532393515180, 0.2675166442208714],
    [ 1.000000000000000, 0.0],
    [ 0.7316273320795593, -0.6817048092496826],
    [ 0.9954095040352868, -0.09570746719156304],
    [ 1.000000000000000,-2.449293598294706e-16],
    [ 0.7316273320795593, -0.6817048092496826],
    [ 0.9393388792184448, 0.3429904809009075],
    [ 0.9993790498804484, 0.03523513388724686],
    [ 1.000000000000000, 0.0],
    [ 0.9954095040352868, -0.09570746719156304],
    [ 0.9993790498804484, 0.03523513388724686],
    [ 0.9338385710183578, -0.3576947347647030],]
    # Second constant multiplier table as [real, imag] pairs.
    m_table2 = [[ 0.8872448700399544, 0.4612987541580664],
    [ 1.000000000000000,-2.449293598294706e-16],
    [ 1.000000000000000, 0.0],
    [ 0.8661842563768241, 0.4997247582469054],
    [ 1.000000000000000,-2.449293598294706e-16],
    [ 0.8661842563768241, 0.4997247582469054],
    [ 0.9985971885883368, 0.05294955092793100],
    [ 0.9953266793156614, -0.09656501148168592],
    [ 1.000000000000000, 0.0],
    [ 0.9985971885883368, 0.05294955092793100],
    [ 0.9945026452220342, 0.1047114542272075],
    [ 0.9878936003329052, 0.1551329572376227],
    [ 0.8661842563768241, 0.4997247582469054],
    [ 0.9953266793156614, -0.09656501148168592],
    [ 0.9878936003329052, 0.1551329572376227],
    [ 0.7738490104360864, 0.6333701201091584],]
    # Output byte i is taken from transformed element pos_table[i].
    pos_table = [0,9,2,11,15,4,13,6,10,3,8,1,5,14,7,12]
    check_a = []
    m_a1 = []
    m_a2 = []
    # Turn the [real, imag] pairs into Python complex numbers.
    for r,v in check_table:
        check_a.append(r+v*1.j)
    for r,v in m_table1:
        m_a1.append(r+v*1.j)
    for r,v in m_table2:
        m_a2.append(r+v*1.j)
    m_a1 = np.array(m_a1)
    m_a2 = np.array(m_a2)
    check_a = np.array(check_a)
    check_a = decomp1(check_a)
    # decomp1 returns a list; dividing by the numpy array gives an element-wise quotient.
    check_a = check_a/m_a2
    check_a = decomp2(check_a)
    check_a = check_a/m_a1
    # print check_a
    part1 = [0]*16
    for i,p in enumerate(pos_table):
        # Rounding absorbs the floating-point error accumulated above.
        part1[i] = chr(int(round(abs(check_a[p]))))
    print ''.join(part1).encode('hex').upper()
part2
这部分流程如下:
/*
 * Decompiler pseudocode of the second check.
 * Copies five dwords (20 bytes) from a1, passes them to j_tea_decrypt with the
 * key "goodLuck7777777", passes that result to aes_decrypt with a 32-byte key
 * built on the stack, and returns nonzero only if all 16 output bytes equal
 * the constants in part2_check. Returns 0 when j_tea_decrypt returns NULL.
 */
BOOL __cdecl check_part2(unsigned int *a1)
{
  unsigned int v1; // edx
  unsigned int v2; // ecx
  unsigned int v3; // edx
  unsigned int v4; // eax
  char *v5; // ebx
  BOOL result; // eax
  void *v7; // edi
  int v8; // esi
  signed int v9; // eax
  int a5; // [esp+4h] [ebp-70h]
  char tea_key[16]; // [esp+8h] [ebp-6Ch]
  char part2[20]; // [esp+18h] [ebp-5Ch]
  char aes_result[16]; // [esp+30h] [ebp-44h]
  char aes_key[32]; // [esp+40h] [ebp-34h]
  char part2_check[16]; // [esp+60h] [ebp-14h]

  v1 = a1[1];
  aes_key[20] = 0x6D;
  /* NOTE(review): the dword store at part2[17] reaches one byte past the
   * declared 20-byte array; this is probably a decompiler variable-sizing
   * artifact rather than a real overflow -- confirm in the disassembly. */
  *(_DWORD *)part2 = 0;
  *(_DWORD *)&part2[5] = 0;
  *(_DWORD *)&part2[9] = 0;
  *(_DWORD *)&part2[13] = 0;
  *(_DWORD *)&part2[17] = 0;
  /* Copy a1[0..4] into part2; the compiler interleaved the stores with other setup. */
  *(_DWORD *)part2 = *a1;
  v2 = a1[2];
  *(_DWORD *)&part2[4] = v1;
  v3 = a1[3];
  v4 = a1[4];
  *(_DWORD *)&part2[8] = v2;
  *(_DWORD *)&part2[16] = v4;
  /* 15 characters plus the terminator fill tea_key[16] exactly. */
  strcpy(tea_key, "goodLuck7777777");
  *(_DWORD *)&part2[12] = v3;
  /* 32-byte key written as stack constants (byte 20 was set above). */
  *(_DWORD *)aes_key = 0xD4CF6E7E;
  *(_DWORD *)&aes_key[4] = 0x274BBC92;
  *(_DWORD *)&aes_key[8] = 0x65F2CFC0;
  *(_DWORD *)&aes_key[12] = 0xD1493C6D;
  *(_DWORD *)&aes_key[16] = 0xA845B1AA;
  *(_DWORD *)&aes_key[21] = 0xDFC19B75;
  *(_DWORD *)&aes_key[25] = 0x8DDD6075;
  *(_WORD *)&aes_key[29] = 0x13DD;
  aes_key[31] = 0xDAu;
  /* Expected 16-byte result of the final stage. */
  *(_DWORD *)part2_check = 0x9A4A4BA5;
  *(_DWORD *)&part2_check[4] = 0xA28A49C5;
  *(_DWORD *)&part2_check[8] = 0x56C5A462;
  *(_DWORD *)&part2_check[12] = 0xA65A522D;
  a5 = 0x14;
  /* a5 is passed by address; presumably a length in/out value -- confirm in j_tea_decrypt. */
  v5 = j_tea_decrypt((int)part2, 20, tea_key, strlen(tea_key), (int)&a5);
  result = 0;
  if ( v5 )
  {
    *(_DWORD *)aes_result = 0;
    *(_DWORD *)&aes_result[4] = 0;
    *(_DWORD *)&aes_result[8] = 0;
    *(_DWORD *)&aes_result[12] = 0;
    /* 0xF0 = 240 bytes; the malloc result is used without a NULL check. */
    v7 = malloc(0xF0u);
    key_expand((int)aes_key, (int)v7);
    aes_decrypt((int)v5, v5, (int)aes_result, (int)v7);
    v8 = 0;
    v9 = 0;
    /* Count matching bytes four at a time; every byte is compared, with no early exit. */
    do
    {
      if ( part2_check[v9] == aes_result[v9] )
        ++v8;
      if ( part2_check[v9 + 1] == aes_result[v9 + 1] )
        ++v8;
      if ( part2_check[v9 + 2] == aes_result[v9 + 2] )
        ++v8;
      if ( part2_check[v9 + 3] == aes_result[v9 + 3] )
        ++v8;
      v9 += 4;
    }
    while ( v9 < 16 );
    free(v5);
    free(v7);
    result = v8 == 16;
  }
  return result;
}
似乎过程也很明了。经过unhex后的20字节,先进行魔改tea解密,再进行魔改aes解密,最后进行常量校验。
但是做题做到 `aes_decrypt` 函数里,发现里面有函数调用被非常大量的混淆代码替代了,有点痛苦。暂且不说。先把魔改tea搞定。
魔改tea解密后还有个细节:解密后第5个int数在 `[14,16]` 范围内,对应长度的解密结果被copy加填充后进行后面的魔改aes解密。魔改tea的加密、解密用py实现如下:
# Modified-TEA helpers (Python 2 syntax: xrange, print statement, str hex codecs).
# They use the `struct` module; the import is not shown in this listing.

def u32(b_str):
    """Split a byte string into a list of 32-bit unsigned integers.

    The string is zero-padded to a multiple of 4 bytes first. Format 'I' uses
    the native byte order of the machine running the script.
    """
    result = []
    # Relies on Python 2 integer division: number of 4-byte words, rounded up.
    n = (len(b_str)+3)/4
    n1 = len(b_str)%4
    if n1:
        n1 = 4 - n1
        b_str += '\x00'*n1
    result = list(struct.unpack('I'*n,b_str))
    return result

def p32(l_num):
    """Pack a list of 32-bit unsigned integers back into a byte string (native order)."""
    result = ''
    for i in l_num:
        result += struct.pack('I',i)
    return result

def tea_en_group():
    """Encrypt a hard-coded 5-word block with the key 'goodLuck7777777' and print it as hex.

    16 rounds; in each round every word is updated from its neighbours, the
    running sum and a key word selected by (sum>>2)&3 XOR the word index.
    NOTE(review): the mixing expression has the same shape as XXTEA's MX
    function -- confirm against a reference implementation.
    """
    delta = 0x9E3779B9
    sum = delta  # shadows the builtin sum() inside this function
    key = 'goodLuck7777777'
    # 15 bytes, zero-padded by u32 to 16 bytes = 4 key words.
    key = u32(key)
    # 17 input bytes, zero-padded to 20 bytes = 5 words; the fifth word is 0x10.
    d = u32('F7D23456CE34BA18714DAA40DBE2AD4710'.decode('hex'))
    for i in range(16):
        tmp = d[4]
        for j in xrange(4):
            d[j] += (((d[j+1] ^ sum) + (tmp ^ key[((sum>>2)&3)^(j&3)]))^(((tmp<<4)^(d[j+1]>>3))+((tmp>>5)^(d[j+1]<<2))))
            # Python integers are unbounded, so truncate to 32 bits after each update.
            d[j] &= 0xffffffff
            tmp = d[j]
        # The last word wraps around and uses d[0] as its right-hand neighbour.
        d[4] += (((d[0] ^ sum) + (tmp ^ key[((sum>>2)&3)^(4&3)]))^(((tmp<<4)^(d[0]>>3))+((tmp>>5)^(d[0]<<2))))
        d[4] &= 0xffffffff
        sum = (sum + delta)&0xffffffff
    print p32(d).encode('hex').upper()

def tea_de_group():
    """Decrypt a hard-coded 5-word block with the same key and print it as hex.

    Runs the rounds of tea_en_group backwards: the sum starts at 16*delta and
    decreases, and the words are updated from index 4 down to 0.
    """
    delta = 0x9E3779B9
    sum = (delta*16)&0xffffffff
    key = 'goodLuck7777777'
    key = u32(key)
    d = u32('1234567890ABCDEF1234567890ABCDEF12345678'.decode('hex'))
    for i in range(16):
        tmp = d[0]
        for j in xrange(4,0,-1):
            d[j] -= (((tmp ^ sum) + (d[j-1] ^ key[((sum>>2)&3)^(j&3)]))^(((d[j-1]<<4)^(tmp>>3))+((d[j-1]>>5)^(tmp<<2))))
            d[j] &= 0xffffffff
            tmp = d[j]
        # Word 0 wraps around and uses d[4] as its left-hand neighbour.
        d[0] -= (((tmp ^ sum) + (d[4] ^ key[(sum>>2)&3]))^(((d[4]<<4)^(tmp>>3))+((d[4]>>5)^(tmp<<2))))
        d[0] &= 0xffffffff
        sum = (sum - delta)&0xffffffff
    print p32(d).encode('hex').upper()
魔改aes的识别主要靠猜,依据是密钥扩展和解密过程中的字节替换,以及S盒和逆S盒的关系。
在aes解密的主函数中,第一次轮密钥加,循环中的行变换、字节替换和最后一轮的操作过程都清晰可见,循环中的轮密钥加和列混合变换函数调用被混淆代码填充了,编译后修改痕迹比较明显。
; Excerpt from aes_decrypt: body of the round loop (loop back-edge at 00401508).
; Load the 16-byte state at var_14 as four dwords.
.text:004013B1 8B 7D EC mov edi, dword ptr [ebp+var_14]
.text:004013B4 8B 45 F0 mov eax, dword ptr [ebp+var_14+4]
.text:004013B7 8B 4D F4 mov ecx, dword ptr [ebp+var_14+8]
.text:004013BA 8B 75 F8 mov esi, dword ptr [ebp+var_14+0Ch]
; Byte 1 of each dword: state bytes 1<->9 and 5<->13 are exchanged.
.text:004013BD 8B D7 mov edx, edi
.text:004013BF C1 EA 08 shr edx, 8
.text:004013C2 88 55 F5 mov [ebp+var_14+9], dl
.text:004013C5 8B D0 mov edx, eax
.text:004013C7 C1 EA 08 shr edx, 8
.text:004013CA 88 55 F9 mov [ebp+var_14+0Dh], dl
.text:004013CD 8B D1 mov edx, ecx
.text:004013CF C1 EA 08 shr edx, 8
.text:004013D2 88 55 ED mov [ebp+var_14+1], dl
.text:004013D5 8B D6 mov edx, esi
.text:004013D7 C1 EA 08 shr edx, 8
.text:004013DA 88 55 F1 mov [ebp+var_14+5], dl
; Byte 2 of each dword: state bytes 2<->10 and 6<->14 are exchanged.
.text:004013DD 8B D7 mov edx, edi
.text:004013DF C1 EA 10 shr edx, 10h
.text:004013E2 88 55 F6 mov [ebp+var_14+0Ah], dl
.text:004013E5 8B D0 mov edx, eax
.text:004013E7 C1 EA 10 shr edx, 10h
.text:004013EA 88 55 FA mov [ebp+var_14+0Eh], dl
.text:004013ED 8B D1 mov edx, ecx
.text:004013EF C1 EA 10 shr edx, 10h
.text:004013F2 88 55 EE mov [ebp+var_14+2], dl
.text:004013F5 8B D6 mov edx, esi
.text:004013F7 C1 EA 10 shr edx, 10h
; Byte 3 of each dword: old bytes 7, 11, 15, 3 are stored to 3, 7, 11, 15.
.text:004013FA C1 E8 18 shr eax, 18h
.text:004013FD 88 55 F2 mov [ebp+var_14+6], dl
.text:00401400 88 45 EF mov [ebp+var_14+3], al
.text:00401403 8B D7 mov edx, edi
.text:00401405 C1 E9 18 shr ecx, 18h
.text:00401408 8B C6 mov eax, esi
.text:0040140A C1 EA 18 shr edx, 18h
.text:0040140D C1 E8 18 shr eax, 18h
.text:00401410 88 4D F3 mov [ebp+var_14+7], cl
.text:00401413 88 55 FB mov [ebp+var_14+0Fh], dl
.text:00401416 88 45 F7 mov [ebp+var_14+0Bh], al
; 4 x 4 nested loop: replace each state byte b with g_rsbox_418108[b]
; (high and low nibble are split and re-added, so the index is b itself).
.text:00401419 8D 4D EC lea ecx, [ebp+var_14]
.text:0040141C BE 04 00 00 00 mov esi, 4
.text:00401421
.text:00401421 loc_401421:
.text:00401421 BA 04 00 00 00 mov edx, 4
.text:00401426
.text:00401426 loc_401426:
.text:00401426 0F B6 01 movzx eax, byte ptr [ecx]
.text:00401429 8B F8 mov edi, eax
.text:0040142B 83 E7 F0 and edi, 0FFFFFFF0h
.text:0040142E 83 E0 0F and eax, 0Fh
.text:00401431 8A 84 07 08 81 41 00 mov al, g_rsbox_418108[edi+eax]
.text:00401438 88 01 mov [ecx], al
.text:0040143A 41 inc ecx
.text:0040143B 4A dec edx
.text:0040143C 75 E8 jnz short loc_401426
.text:0040143E 4E dec esi
.text:0040143F 75 E0 jnz short loc_401421
; NOP padding followed by a jump out of the function body to loc_42C43D;
; per the write-up, the original calls here were replaced by obfuscated code.
.text:00401441 90 nop
.text:00401442 90 nop
.text:00401443 90 nop
.text:00401444 90 nop
.text:00401445 90 nop
.text:00401446 90 nop
.text:00401447 90 nop
.text:00401448 90 nop
.text:00401449 90 nop
.text:0040144A 90 nop
.text:0040144B 90 nop
.text:0040144C 90 nop
.text:0040144D 90 nop
.text:0040144E 90 nop
.text:0040144F 90 nop
.text:00401450 90 nop
.text:00401451 90 nop
.text:00401452 E9 E6 AF 02 00 jmp loc_42C43D
.text:00401452 aes_decrypt endp
.text:00401452
.text:00401452 ; ---------------------------------------------------------------------------
.text:00401457 00 align 4
.text:00401458 00 00 00 00 00 00 00 00+ dd 26h dup(0)
.text:004014F0 00 db 0
.text:004014F1 00 db 0
.text:004014F2 ; ---------------------------------------------------------------------------
; Loop tail; the disassembler placed it after the function end because of the jump above.
.text:004014F2 90 nop
.text:004014F3 90 nop
.text:004014F4 90 nop
.text:004014F5 90 nop
.text:004014F6 90 nop
.text:004014F7 90 nop
.text:004014F8 90 nop
.text:004014F9 90 nop
.text:004014FA 90 nop
.text:004014FB 90 nop
.text:004014FC 90 nop
.text:004014FD 90 nop
.text:004014FE 90 nop
.text:004014FF 90 nop
.text:00401500 90 nop
; [ebp-28h] is stepped back by 16 and [ebp-2Ch] is decremented
; (presumably the round-key offset and the round counter -- confirm).
.text:00401501 83 6D D8 10 sub dword ptr [ebp-28h], 10h
.text:00401505 FF 4D D4 dec dword ptr [ebp-2Ch]
.text:00401508 0F 85 A3 FE FF FF jnz loc_4013B1
; After the loop the state is loaded again; the listing is cut off here.
.text:0040150E 8B 7D EC mov edi, [ebp-14h]
.text:00401511 8B 45 F0 mov eax, [ebp-10h]
.text:00401514 8B 4D F4 mov ecx, [ebp-0Ch]
.text:00401517 8B 75 F8 mov esi, [ebp-8]
.text:0040151A 8B D7 mov edx, edi
`4013B0`-`401508` 本是一个循环。这个混淆也挺有意思,有个统一的业务流程跳转处理。不过对于做题这部分不要细看。直接上动态,跟踪数据写入。很容易就发现混淆在分散处理的功能就是轮密钥加,写入位置为 `421621`,而列混合变换是完整函数实现 `401080`。通过动态跟踪比对,发现了所有魔改之处,包括:
- 行变换 (实际成了列变换)
- 循环过程中的轮密钥加
- 混合列变换 (此变动较大,两列变换一次,变换矩阵8*8)
- 当然还有S盒及逆S盒。
具体过程见代码(代码也是网上copy来的):
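/*
 * Advanced Encryption Standard
 * @author Dani Huertas
 * @email huertas.dani@gmail.com
 *
 * Based on the document FIPS PUB 197
 *
 * Adapted for the write-up: the S-box tables, shift_rows()/inv_shift_rows(),
 * the *_1 / *_2 functions and the round structure in cipher()/inv_cipher()
 * reproduce the modified cipher recovered from the challenge binary. The
 * result is not AES and does not interoperate with standard implementations.
 * The unmodified FIPS-197 routines (mix_columns, inv_mix_columns, coef_mult)
 * are kept for comparison.
 */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h> /* memcpy, used by add_round_key_1/add_round_key_2 */

/*
 * Addition in GF(2^8)
 * http://en.wikipedia.org/wiki/Finite_field_arithmetic
 */
uint8_t gadd(uint8_t a, uint8_t b) {
    return a^b;
}

/*
 * Subtraction in GF(2^8)
 * http://en.wikipedia.org/wiki/Finite_field_arithmetic
 */
uint8_t gsub(uint8_t a, uint8_t b) {
    return a^b;
}

/*
 * Multiplication in GF(2^8)
 * http://en.wikipedia.org/wiki/Finite_field_arithmetic
 * Irreducible polynomial m(x) = x8 + x4 + x3 + x + 1
 */
uint8_t gmult(uint8_t a, uint8_t b) {
    uint8_t p = 0, i = 0, hbs = 0;

    for (i = 0; i < 8; i++) {
        if (b & 1) {
            p ^= a;
        }
        hbs = a & 0x80;
        a <<= 1;
        if (hbs) a ^= 0x1b; /* reduce by the low byte of m(x) after the shift drops x^8 */
        b >>= 1;
    }
    return (uint8_t)p;
}

/*
 * Addition of 4 byte words
 * m(x) = x4+1
 */
void coef_add(uint8_t a[], uint8_t b[], uint8_t d[]) {
    d[0] = a[0]^b[0];
    d[1] = a[1]^b[1];
    d[2] = a[2]^b[2];
    d[3] = a[3]^b[3];
}

/*
 * Multiplication of 4 byte words
 * m(x) = x4+1
 */
void coef_mult(uint8_t *a, uint8_t *b, uint8_t *d) {
    d[0] = gmult(a[0],b[0])^gmult(a[3],b[1])^gmult(a[2],b[2])^gmult(a[1],b[3]);
    d[1] = gmult(a[1],b[0])^gmult(a[0],b[1])^gmult(a[3],b[2])^gmult(a[2],b[3]);
    d[2] = gmult(a[2],b[0])^gmult(a[1],b[1])^gmult(a[0],b[2])^gmult(a[3],b[3]);
    d[3] = gmult(a[3],b[0])^gmult(a[2],b[1])^gmult(a[1],b[2])^gmult(a[0],b[3]);
}

/*
 * Matrix-vector product over GF(2^8): a is an 8x8 matrix stored row by row
 * (64 bytes), b is an 8-byte vector, d receives the 8-byte result.
 */
void coef_mult_1(const uint8_t *a, const uint8_t *b, uint8_t *d) {
    uint8_t row, k;

    for (row = 0; row < 8; row++) {
        uint8_t acc = 0;
        for (k = 0; k < 8; k++) {
            acc ^= gmult(a[8*row+k], b[k]);
        }
        d[row] = acc;
    }
}

/*
 * The cipher Key.
 */
int K;

/*
 * Number of columns (32-bit words) comprising the State. For this
 * standard, Nb = 4.
 */
#define Nb 4

/*
 * Number of 32-bit words comprising the Cipher Key. For this
 * standard, Nk = 4, 6, or 8.
 */
int Nk;

/*
 * Number of rounds, which is a function of Nk and Nb (which is
 * fixed). For this standard, Nr = 10, 12, or 14.
 */
int Nr;

/*
 * S-box transformation table.
 * This is the table used by the modified cipher, not the FIPS-197 S-box.
 */
static const uint8_t s_box[256] = {
    0x03, 0x10, 0xD1, 0xD5, 0xC9, 0x27, 0xC8, 0x68, 0xB3, 0xEF, 0x30, 0xFA, 0x33, 0xB0, 0xCA, 0x51,
    0x7E, 0x37, 0x74, 0xF6, 0xC7, 0x4B, 0xE3, 0x0A, 0x36, 0x98, 0x9B, 0xB6, 0xD3, 0x9E, 0x1D, 0x77,
    0x9D, 0x46, 0xED, 0x8C, 0xEC, 0xE6, 0xA7, 0x12, 0x92, 0xF4, 0x76, 0xDC, 0xA0, 0x14, 0x24, 0xD9,
    0x20, 0x79, 0x59, 0x08, 0x4E, 0xB1, 0x07, 0x90, 0xAA, 0x2E, 0xD7, 0x4F, 0x11, 0xCD, 0xC5, 0x8A,
    0xA5, 0x1C, 0x6A, 0x19, 0xC2, 0x66, 0xB4, 0xBC, 0x94, 0xC0, 0x9C, 0x2D, 0xE1, 0x29, 0xE2, 0x15,
    0x55, 0x2A, 0x97, 0x81, 0xCF, 0x1A, 0x5A, 0xF5, 0x2C, 0xF3, 0xDD, 0x93, 0xB5, 0x4A, 0xE0, 0x39,
    0x57, 0x6F, 0x6E, 0xD6, 0x0C, 0x61, 0xAE, 0x31, 0xFF, 0xBD, 0xCE, 0x35, 0xD2, 0x5C, 0x40, 0x82,
    0x17, 0x89, 0x75, 0xE7, 0x7C, 0xA6, 0x32, 0x01, 0x22, 0x78, 0x18, 0x3A, 0x5D, 0x44, 0xAD, 0x84,
    0x45, 0x6B, 0xDB, 0xC3, 0x25, 0x5F, 0x06, 0x7F, 0xF0, 0xAB, 0xFD, 0x60, 0x2F, 0x3B, 0x00, 0x48,
    0x2B, 0xFB, 0x96, 0x9F, 0x05, 0xE5, 0x91, 0x1E, 0x8F, 0x0F, 0x50, 0xA9, 0x0D, 0xF9, 0x3D, 0x21,
    0xFE, 0xEE, 0x1B, 0x04, 0x13, 0x95, 0xB7, 0x42, 0xBF, 0x7A, 0x3E, 0x49, 0xB2, 0xAF, 0xCC, 0x28,
    0xCB, 0x8D, 0x70, 0x54, 0xDE, 0x99, 0x3C, 0x26, 0xF7, 0x83, 0x85, 0x7D, 0x34, 0xE9, 0xBA, 0x3F,
    0x9A, 0xDF, 0x02, 0x69, 0x5E, 0x7B, 0x43, 0x38, 0x67, 0xD8, 0xA4, 0xC4, 0xEA, 0x88, 0xE4, 0xD4,
    0xBB, 0xB8, 0x47, 0xA2, 0xE8, 0x23, 0xA8, 0xF8, 0x73, 0x58, 0xF1, 0x6D, 0x1F, 0xAC, 0x65, 0x86,
    0x8E, 0x09, 0x0E, 0x0B, 0xDA, 0xEB, 0x41, 0x62, 0xD0, 0x5B, 0x6C, 0x87, 0x4C, 0xFC, 0x71, 0x8B,
    0x56, 0x4D, 0x64, 0xC1, 0x52, 0xA1, 0xBE, 0xB9, 0xC6, 0x53, 0x80, 0xF2, 0x16, 0x72, 0xA3, 0x63};

/*
 * Inverse S-box transformation table (inverse of the modified s_box above).
 */
static const uint8_t inv_s_box[256] = {
    0x8E, 0x77, 0xC2, 0x00, 0xA3, 0x94, 0x86, 0x36, 0x33, 0xE1, 0x17, 0xE3, 0x64, 0x9C, 0xE2, 0x99,
    0x01, 0x3C, 0x27, 0xA4, 0x2D, 0x4F, 0xFC, 0x70, 0x7A, 0x43, 0x55, 0xA2, 0x41, 0x1E, 0x97, 0xDC,
    0x30, 0x9F, 0x78, 0xD5, 0x2E, 0x84, 0xB7, 0x05, 0xAF, 0x4D, 0x51, 0x90, 0x58, 0x4B, 0x39, 0x8C,
    0x0A, 0x67, 0x76, 0x0C, 0xBC, 0x6B, 0x18, 0x11, 0xC7, 0x5F, 0x7B, 0x8D, 0xB6, 0x9E, 0xAA, 0xBF,
    0x6E, 0xE6, 0xA7, 0xC6, 0x7D, 0x80, 0x21, 0xD2, 0x8F, 0xAB, 0x5D, 0x15, 0xEC, 0xF1, 0x34, 0x3B,
    0x9A, 0x0F, 0xF4, 0xF9, 0xB3, 0x50, 0xF0, 0x60, 0xD9, 0x32, 0x56, 0xE9, 0x6D, 0x7C, 0xC4, 0x85,
    0x8B, 0x65, 0xE7, 0xFF, 0xF2, 0xDE, 0x45, 0xC8, 0x07, 0xC3, 0x42, 0x81, 0xEA, 0xDB, 0x62, 0x61,
    0xB2, 0xEE, 0xFD, 0xD8, 0x12, 0x72, 0x2A, 0x1F, 0x79, 0x31, 0xA9, 0xC5, 0x74, 0xBB, 0x10, 0x87,
    0xFA, 0x53, 0x6F, 0xB9, 0x7F, 0xBA, 0xDF, 0xEB, 0xCD, 0x71, 0x3F, 0xEF, 0x23, 0xB1, 0xE0, 0x98,
    0x37, 0x96, 0x28, 0x5B, 0x48, 0xA5, 0x92, 0x52, 0x19, 0xB5, 0xC0, 0x1A, 0x4A, 0x20, 0x1D, 0x93,
    0x2C, 0xF5, 0xD3, 0xFE, 0xCA, 0x40, 0x75, 0x26, 0xD6, 0x9B, 0x38, 0x89, 0xDD, 0x7E, 0x66, 0xAD,
    0x0D, 0x35, 0xAC, 0x08, 0x46, 0x5C, 0x1B, 0xA6, 0xD1, 0xF7, 0xBE, 0xD0, 0x47, 0x69, 0xF6, 0xA8,
    0x49, 0xF3, 0x44, 0x83, 0xCB, 0x3E, 0xF8, 0x14, 0x06, 0x04, 0x0E, 0xB0, 0xAE, 0x3D, 0x6A, 0x54,
    0xE8, 0x02, 0x6C, 0x1C, 0xCF, 0x03, 0x63, 0x3A, 0xC9, 0x2F, 0xE4, 0x82, 0x2B, 0x5A, 0xB4, 0xC1,
    0x5E, 0x4C, 0x4E, 0x16, 0xCE, 0x95, 0x25, 0x73, 0xD4, 0xBD, 0xCC, 0xE5, 0x24, 0x22, 0xA1, 0x09,
    0x88, 0xDA, 0xFB, 0x59, 0x29, 0x57, 0x13, 0xB8, 0xD7, 0x9D, 0x0B, 0x91, 0xED, 0x8A, 0xA0, 0x68};

/*
 * 8x8 matrix (row by row) used by mix_columns_1() and inv_mix_columns_1().
 * The listing uses the same matrix in both directions, which only round-trips
 * if the matrix is its own inverse over GF(2^8); that is not verified here.
 */
static const uint8_t mix_matrix_8x8[64] = {
    0x0B, 0x08, 0x06, 0x05, 0x04, 0x03, 0x01, 0x07,
    0x08, 0x0B, 0x05, 0x06, 0x03, 0x04, 0x07, 0x01,
    0x06, 0x05, 0x0B, 0x08, 0x01, 0x07, 0x04, 0x03,
    0x05, 0x06, 0x08, 0x0B, 0x07, 0x01, 0x03, 0x04,
    0x04, 0x03, 0x01, 0x07, 0x0B, 0x08, 0x06, 0x05,
    0x03, 0x04, 0x07, 0x01, 0x08, 0x0B, 0x05, 0x06,
    0x01, 0x07, 0x04, 0x03, 0x06, 0x05, 0x0B, 0x08,
    0x07, 0x01, 0x03, 0x04, 0x05, 0x06, 0x08, 0x0B};

/*
 * Generates the round constant Rcon[i].
 * Returns a pointer to the shared buffer R, which the next call overwrites.
 */
uint8_t R[] = {0x02, 0x00, 0x00, 0x00};

uint8_t * Rcon(uint8_t i) {
    if (i == 1) {
        R[0] = 0x01; /* x^(1-1) = x^0 = 1 */
    } else if (i > 1) {
        R[0] = 0x02;
        i--;
        while (i-1 > 0) {
            R[0] = gmult(R[0], 0x02);
            i--;
        }
    }
    return R;
}

/*
 * Transformation in the Cipher and Inverse Cipher in which a Round
 * Key is added to the State using an XOR operation. The length of a
 * Round Key equals the size of the State (i.e., for Nb = 4, the Round
 * Key length equals 128 bits/16 bytes).
 */
void add_round_key(uint8_t *state, uint8_t *w, uint8_t r) {
    uint8_t c;

    for (c = 0; c < Nb; c++) {
        state[Nb*0+c] = state[Nb*0+c]^w[4*Nb*r+4*c+0];
        state[Nb*1+c] = state[Nb*1+c]^w[4*Nb*r+4*c+1];
        state[Nb*2+c] = state[Nb*2+c]^w[4*Nb*r+4*c+2];
        state[Nb*3+c] = state[Nb*3+c]^w[4*Nb*r+4*c+3];
    }
}

/*
 * Modified round-key addition used by inv_cipher(): XOR the state with the
 * 16 round-key bytes of round r taken in linear order, then transpose the
 * 4x4 state. It undoes add_round_key_2().
 */
void add_round_key_1(uint8_t *state, uint8_t *w, uint8_t r) {
    uint8_t c;
    uint8_t st_tmp[16];

    /* Work from a copy because the output positions overlap the inputs. */
    memcpy(st_tmp,state,16);
    for (c = 0; c < Nb; c++) {
        state[Nb*c] = st_tmp[Nb*0+c]^w[4*Nb*r+c+0];
        state[Nb*c+1] = st_tmp[Nb*1+c]^w[4*Nb*r+c+1*4];
        state[Nb*c+2] = st_tmp[Nb*2+c]^w[4*Nb*r+c+2*4];
        state[Nb*c+3] = st_tmp[Nb*3+c]^w[4*Nb*r+c+3*4];
    }
}

/*
 * Modified round-key addition used by cipher(): transpose the 4x4 state,
 * then XOR it with the 16 round-key bytes of round r taken in linear order.
 */
void add_round_key_2(uint8_t *state, uint8_t *w, uint8_t r) {
    uint8_t c;
    uint8_t st_tmp[16];

    memcpy(st_tmp,state,16);
    for (c = 0; c < Nb; c++) {
        state[Nb*0+c] = st_tmp[Nb*c]^w[4*Nb*r+c+0];
        state[Nb*1+c] = st_tmp[Nb*c+1]^w[4*Nb*r+c+1*4];
        state[Nb*2+c] = st_tmp[Nb*c+2]^w[4*Nb*r+c+2*4];
        state[Nb*3+c] = st_tmp[Nb*c+3]^w[4*Nb*r+c+3*4];
    }
}

/*
 * Transformation in the Cipher that takes all of the columns of the
 * State and mixes their data (independently of one another) to
 * produce new columns. Standard version; cipher() does not call it.
 */
void mix_columns(uint8_t *state) {
    uint8_t a[] = {0x02, 0x01, 0x01, 0x03}; /* a(x) = {02} + {01}x + {01}x2 + {03}x3 */
    uint8_t i, j, col[4], res[4];

    for (j = 0; j < Nb; j++) {
        for (i = 0; i < 4; i++) {
            col[i] = state[Nb*i+j];
        }
        coef_mult(a, col, res);
        for (i = 0; i < 4; i++) {
            state[Nb*i+j] = res[i];
        }
    }
}

/*
 * Shared body of mix_columns_1() and inv_mix_columns_1(): columns j and j+2
 * are joined into one 8-byte vector and multiplied by mix_matrix_8x8.
 */
static void mix_column_pairs(uint8_t *state) {
    uint8_t i, j, col[8], res[8];

    for (j = 0; j < 2; j++) {
        for (i = 0; i < 4; i++) {
            col[i] = state[Nb*i+j];
            col[i+4] = state[Nb*i+j+2];
        }
        coef_mult_1(mix_matrix_8x8, col, res);
        for (i = 0; i < 4; i++) {
            state[Nb*i+j] = res[i];
            state[Nb*i+j+2] = res[i+4];
        }
    }
}

/*
 * Modified MixColumns used by cipher(): mixes two columns at a time with an
 * 8x8 matrix instead of one column with a 4-coefficient polynomial.
 */
void mix_columns_1(uint8_t *state) {
    mix_column_pairs(state);
}

/*
 * Transformation in the Inverse Cipher that is the inverse of
 * MixColumns(). Standard version; inv_cipher() does not call it.
 */
void inv_mix_columns(uint8_t *state) {
    uint8_t a[] = {0x0e, 0x09, 0x0d, 0x0b}; /* a(x) = {0e} + {09}x + {0d}x2 + {0b}x3 */
    uint8_t i, j, col[4], res[4];

    for (j = 0; j < Nb; j++) {
        for (i = 0; i < 4; i++) {
            col[i] = state[Nb*i+j];
        }
        coef_mult(a, col, res);
        for (i = 0; i < 4; i++) {
            state[Nb*i+j] = res[i];
        }
    }
}

/*
 * Modified inverse MixColumns used by inv_cipher(). It applies the same
 * matrix as mix_columns_1().
 */
void inv_mix_columns_1(uint8_t *state) {
    mix_column_pairs(state);
}

/*
 * Modified ShiftRows. With the state indexed as state[Nb*row+col], the moved
 * bytes share a column index, so this permutes within columns rather than
 * rows: column 1 and column 2 are rotated by two, column 3 by one.
 */
void shift_rows(uint8_t *state) {
    uint8_t tmp1, tmp2;

    tmp1 = state[1];
    tmp2 = state[5];
    state[1] = state[9];
    state[5] = state[13];
    state[9] = tmp1;
    state[13] = tmp2;

    tmp1 = state[2];
    tmp2 = state[6];
    state[2] = state[10];
    state[6] = state[14];
    state[10] = tmp1;
    state[14] = tmp2;

    tmp1 = state[15];
    state[15] = state[11];
    state[11] = state[7];
    state[7] = state[3];
    state[3] = tmp1;
}

/*
 * Inverse of the modified shift_rows(). The two-step rotations are their own
 * inverse; the one-step rotation of column 3 runs in the opposite direction.
 */
void inv_shift_rows(uint8_t *state) {
    uint8_t tmp1, tmp2;

    tmp1 = state[1];
    tmp2 = state[5];
    state[1] = state[9];
    state[5] = state[13];
    state[9] = tmp1;
    state[13] = tmp2;

    tmp1 = state[2];
    tmp2 = state[6];
    state[2] = state[10];
    state[6] = state[14];
    state[10] = tmp1;
    state[14] = tmp2;

    tmp1 = state[3];
    state[3] = state[7];
    state[7] = state[11];
    state[11] = state[15];
    state[15] = tmp1;
}

/*
 * Transformation in the Cipher that processes the State using a
 * non-linear byte substitution table (S-box) that operates on each of the
 * State bytes independently.
 */
void sub_bytes(uint8_t *state) {
    uint8_t k;

    /* 16*high_nibble + low_nibble is the byte itself, so index directly. */
    for (k = 0; k < 4*Nb; k++) {
        state[k] = s_box[state[k]];
    }
}

/*
 * Transformation in the Inverse Cipher that is the inverse of
 * SubBytes().
 */
void inv_sub_bytes(uint8_t *state) {
    uint8_t k;

    for (k = 0; k < 4*Nb; k++) {
        state[k] = inv_s_box[state[k]];
    }
}

/*
 * Function used in the Key Expansion routine that takes a four-byte
 * input word and applies an S-box to each of the four bytes to
 * produce an output word.
 */
void sub_word(uint8_t *w) {
    uint8_t i;

    for (i = 0; i < 4; i++) {
        w[i] = s_box[w[i]];
    }
}

/*
 * Function used in the Key Expansion routine that takes a four-byte
 * word and performs a cyclic permutation.
 */
void rot_word(uint8_t *w) {
    uint8_t tmp;
    uint8_t i;

    tmp = w[0];
    for (i = 0; i < 3; i++) {
        w[i] = w[i+1];
    }
    w[3] = tmp;
}

/*
 * Key Expansion.
 * key holds 4*Nk bytes; w must have room for 4*Nb*(Nr+1) bytes.
 * Nk and Nr must be set before the call; with either left at zero the
 * function returns without writing, because the loops below would otherwise
 * divide by zero and index before the start of w.
 */
void key_expansion(uint8_t *key, uint8_t *w) {
    uint8_t tmp[4];
    uint8_t i;
    uint8_t len = Nb*(Nr+1);

    if (Nk <= 0 || Nr <= 0) {
        return;
    }

    for (i = 0; i < Nk; i++) {
        w[4*i+0] = key[4*i+0];
        w[4*i+1] = key[4*i+1];
        w[4*i+2] = key[4*i+2];
        w[4*i+3] = key[4*i+3];
    }

    for (i = Nk; i < len; i++) {
        tmp[0] = w[4*(i-1)+0];
        tmp[1] = w[4*(i-1)+1];
        tmp[2] = w[4*(i-1)+2];
        tmp[3] = w[4*(i-1)+3];

        if (i%Nk == 0) {
            rot_word(tmp);
            sub_word(tmp);
            coef_add(tmp, Rcon(i/Nk), tmp);
        } else if (Nk > 6 && i%Nk == 4) {
            sub_word(tmp);
        }

        w[4*i+0] = w[4*(i-Nk)+0]^tmp[0];
        w[4*i+1] = w[4*(i-Nk)+1]^tmp[1];
        w[4*i+2] = w[4*(i-Nk)+2]^tmp[2];
        w[4*i+3] = w[4*(i-Nk)+3]^tmp[3];
    }
}

/*
 * Print a 16-byte block as upper-case hex, followed by a newline.
 */
void print_info(uint8_t* out){
    int i;

    for (i = 0; i < 4; i++) {
        printf("%02X %02X %02X %02X ", out[4*i+0], out[4*i+1], out[4*i+2], out[4*i+3]);
    }
    printf("\n");
}

/*
 * Encrypt one 16-byte block with the modified cipher.
 * w is the expanded key from key_expansion(). The inner rounds use
 * mix_columns_1() and add_round_key_2(); the first and last round-key
 * additions use the standard add_round_key().
 */
void cipher(uint8_t *in, uint8_t *out, uint8_t *w) {
    uint8_t state[4*Nb];
    uint8_t r, i, j;

    for (i = 0; i < 4; i++) {
        for (j = 0; j < Nb; j++) {
            state[Nb*i+j] = in[i+4*j];
        }
    }

    add_round_key(state, w, 0);

    for (r = 1; r < Nr; r++) {
        sub_bytes(state);
        shift_rows(state);
        mix_columns_1(state);
        add_round_key_2(state, w, r);
    }

    sub_bytes(state);
    shift_rows(state);
    add_round_key(state, w, Nr);

    for (i = 0; i < 4; i++) {
        for (j = 0; j < Nb; j++) {
            out[i+4*j] = state[Nb*i+j];
        }
    }
}

/*
 * Decrypt one 16-byte block with the modified cipher; applies the inverse
 * steps of cipher() in reverse order.
 */
void inv_cipher(uint8_t *in, uint8_t *out, uint8_t *w) {
    uint8_t state[4*Nb];
    uint8_t r, i, j;

    for (i = 0; i < 4; i++) {
        for (j = 0; j < Nb; j++) {
            state[Nb*i+j] = in[i+4*j];
        }
    }

    add_round_key(state, w, Nr);

    for (r = Nr-1; r >= 1; r--) {
        inv_shift_rows(state);
        inv_sub_bytes(state);
        add_round_key_1(state, w, r);
        inv_mix_columns_1(state);
    }

    inv_shift_rows(state);
    inv_sub_bytes(state);
    add_round_key(state, w, 0);

    for (i = 0; i < 4; i++) {
        for (j = 0; j < Nb; j++) {
            out[i+4*j] = state[Nb*i+j];
        }
    }
}

/*
 * Encrypts the 16 comparison bytes of the second check with the 32-byte key
 * taken from the binary and prints the result, then decrypts that result and
 * prints it again as a round-trip check.
 */
int main(int argc, char *argv[]) {
    uint8_t key[] = {
        0x7E, 0x6E, 0xCF, 0xD4, 0x92, 0xBC, 0x4B, 0x27, 0xC0, 0xCF, 0xF2, 0x65, 0x6D, 0x3C, 0x49, 0xD1,
        0xAA, 0xB1, 0x45, 0xA8, 0x6D, 0x75, 0x9B, 0xC1, 0xDF, 0x75, 0x60, 0xDD, 0x8D, 0xDD, 0x13, 0xDA};

    /* Alternative input block left by the author:
     * 0x7B, 0x85, 0xC9, 0x5F, 0x14, 0x1F, 0xA6, 0x38, 0x3F, 0x7E, 0xB7, 0x10, 0x24, 0x19, 0xB3, 0x6F */
    uint8_t in[] = {0xA5, 0x4B, 0x4A, 0x9A, 0xC5, 0x49, 0x8A, 0xA2, 0x62, 0xA4, 0xC5, 0x56, 0x2D, 0x52, 0x5A, 0xA6};

    uint8_t out[16]; /* 128 bits */
    uint8_t *w;      /* expanded key */

    (void)argc;
    (void)argv;

    switch (sizeof(key)) {
        default:
        case 16: Nk = 4; Nr = 10; break;
        case 24: Nk = 6; Nr = 12; break;
        case 32: Nk = 8; Nr = 14; break;
    }

    w = malloc(Nb*(Nr+1)*4);
    if (w == NULL) {
        perror("malloc");
        return EXIT_FAILURE;
    }

    key_expansion(key, w);

    cipher(in /* in */, out /* out */, w /* expanded key */);

    printf("out:\n");
    print_info(out);

    inv_cipher(out, in, w);
    print_info(in);

    free(w);
    return 0;
}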
最后结果为:`76474B2B1926009C452B00627200190268740438FDCC641665D0EA735F2739B3EE7B315A`。