[原创]看雪CTF.TSRC 2018 团队赛 第八题 二向箔

2018-12-17 11:22
3025

看雪CTF.TSRC 2018 团队赛 第八题 二向箔

没什么时间,暂时先写点,如果有空的话。。。。

 

## 初识
初看程序很“正常”,主流程清晰,输入72字节,unhex后的36字节分两个部分进行分别校验,这种明了的控制台程序让人看了感觉很舒服,典型做题人的懒人心理,如下:

// Hex-Rays pseudocode of the crackme's prompt loop, as posted in the write-up.
// It keeps asking for a registration code until the hex-decoded input is
// 36 bytes long and both check_part1() and check_part2() accept it.
int mainroutine()
{
  char l_input[260]; // [esp+0h] [ebp-130h]
  char l_unhex_input[36]; // [esp+104h] [ebp-2Ch]
  // v3 sits at esp+128h, i.e. directly after the 36-byte l_unhex_input
  // (104h + 24h); presumably the 37th byte of one zeroed buffer that the
  // decompiler split in two - TODO confirm.
  char v3; // [esp+128h] [ebp-8h]

  while ( 1 )
  {
    // Zero the decoded-input buffer, one dword at a time, before every attempt.
    *(_DWORD *)l_unhex_input = 0;
    *(_DWORD *)&l_unhex_input[4] = 0;
    *(_DWORD *)&l_unhex_input[8] = 0;
    *(_DWORD *)&l_unhex_input[12] = 0;
    *(_DWORD *)&l_unhex_input[16] = 0;
    *(_DWORD *)&l_unhex_input[20] = 0;
    *(_DWORD *)&l_unhex_input[24] = 0;
    *(_DWORD *)&l_unhex_input[28] = 0;
    *(_DWORD *)&l_unhex_input[32] = 0;
    v3 = 0;
    printf("\nInput RegCode:");
    // Only the first 0x101 (257) of the 260 bytes are cleared.
    memset(l_input, 0, 0x101u);
    // The %245s width caps the read at 245 characters plus the terminator,
    // which stays inside l_input.
    scanf("%245s", l_input);
    // check_part1 receives the start of the decoded buffer and check_part2 a
    // pointer to byte 16 (the remaining 20 bytes). check_format_and_unhex is
    // not shown on the page, so whether it bounds its writes into the
    // 36-byte buffer cannot be confirmed from this listing.
    if ( check_format_and_unhex(l_input, l_unhex_input) == 36
      && check_part1((int)l_unhex_input)
      && check_part2((unsigned int *)&l_unhex_input[16]) )
    {
      break;
    }
    printf("\n Wrong, Plz Try Again...\n");
  }
  printf("\n Good!\n");
  // getch() presumably just keeps the console open; its value is returned.
  return getch();
}

part1

这部分校验是通过复数计算实现的,背后的数学意义不知,也别再和我谈数学,头疼。
代码比较乱,就不上了。大致过程是:16字节输入矩阵点乘包含16个复数元素的常量矩阵A后进行变换,接着再点乘常量矩阵B后进行变换,结果与常量比较,可以参照反解代码。

def decomp1(m_a):
  """Undo one transform stage of part1 on a 16-element (4x4, row-major) sequence.

  Every element is multiplied by 4, then each column (indices i, i+4, i+8,
  i+12) is run through the pairwise half-sum / difference steps below; the
  result is multiplied by 4 again and each row (indices 4*i .. 4*i+3) gets the
  same treatment. The last pair of every pass is combined with the factor -1j;
  the variant the author left commented out divided by
  (2.489659051495416e-11+1j) instead, which is numerically almost the same.
  NOTE(review): the shape resembles inverse 4-point DFT butterflies applied
  along columns and then rows - not confirmed by the write-up.

  The work is done on a scaled copy, so the caller's sequence is not modified;
  a new list is returned.
  """
  def undo_pass(vals, p0, p1, p2, p3):
    # The two middle positions are exchanged before the pairs are split.
    vals[p1], vals[p2] = vals[p2], vals[p1]
    for lo, hi in ((p0, p1), (p2, p3), (p0, p2)):
      before = vals[lo]
      vals[lo] = (vals[lo]+vals[hi])/2
      vals[hi] = before-vals[lo]
    before = vals[p1]
    vals[p1] = (vals[p1]+vals[p3]*-1j)/2
    vals[p3] = before-vals[p1]

  scaled = [x*4 for x in m_a]
  for col in range(4):
    undo_pass(scaled, col, col+4, col+8, col+12)
  scaled = [x*4 for x in scaled]
  for row in range(4):
    undo_pass(scaled, 4*row, 4*row+1, 4*row+2, 4*row+3)
  return scaled

def decomp2(m_a):
  """Undo the other transform stage of part1 on a 16-element (4x4, row-major) sequence.

  Rows (indices 4*i .. 4*i+3) are processed first, then columns (indices i,
  i+4, i+8, i+12), with the same pairwise half-sum / difference steps as
  decomp1 but with the factor +1j on the last pair and without any scaling.
  The variant the author left commented out divided by
  (2.489659051495416e-11-1j) instead, which is numerically almost the same.

  Unlike decomp1 this works in place: m_a itself is modified and returned.
  """
  def undo_pass(p0, p1, p2, p3):
    # The two middle positions are exchanged before the pairs are split.
    m_a[p1], m_a[p2] = m_a[p2], m_a[p1]
    for lo, hi in ((p0, p1), (p2, p3), (p0, p2)):
      before = m_a[lo]
      m_a[lo] = (m_a[lo]+m_a[hi])/2
      m_a[hi] = before-m_a[lo]
    before = m_a[p1]
    m_a[p1] = (m_a[p1]+m_a[p3]*1j)/2
    m_a[p3] = before-m_a[p1]

  for row in range(4):
    undo_pass(4*row, 4*row+1, 4*row+2, 4*row+3)
  for col in range(4):
    undo_pass(col, col+4, col+8, col+12)
  return m_a

def de_part1():
  """Recover the first 16 input bytes from part1's constants and print them as upper-case hex.

  The write-up describes the check as: input matrix times constant matrix A
  (element-wise), a transform, times constant matrix B, another transform,
  then a comparison with a constant. This walks that backwards: decomp1,
  divide by m_table2, decomp2, divide by m_table1. Each recovered value is
  reduced to a byte by rounding its magnitude, and pos_table picks the order
  in which the bytes are emitted. Python 2 code (print statement,
  str.encode('hex')); relies on numpy being imported as np elsewhere.
  """
  # Every table row is a (real, imaginary) pair.
  check_table =[[ 89.29755308453579,-79.17379644565403],
                [-111.2163512360939, 2.214913370549852],
                [ 58.53994866406929, 29.06501356902275],
                [ 50.10366738039983, 43.81443778796614],
                [-38.57218738982585,-6.003177682012292],
                [ 95.28512164227500, 23.93090391296341],
                [ 126.2134704052789,-55.13922097302165],
                [ 40.52291517137797, 21.22526960238724],
                [ 3.958915911257385, 13.81283030051250],
                [ 64.70049327204174,-11.21899032986361],
                [ 69.33635962322674, 37.77305291719599],
                [ 49.80532876967061, 1.042567029449955],
                [ 7.814589741286500, 29.57759317220326],
                [ 8.137180677718944, 11.51468293321896],
                [-6.034516127726973,-8.093284855693909],
                [ 25.53885330339410, 1.665054146893387],]
  m_table1 = [[ 0.6276739465982339,   -0.7784763430970765],
              [-0.9635532393515180,    0.2675166442208714],
              [  1.000000000000000,-2.449293598294706e-16],
              [  1.000000000000000,                   0.0],
              [-0.9635532393515180,    0.2675166442208714],
              [  1.000000000000000,                   0.0],
              [ 0.7316273320795593,   -0.6817048092496826],
              [ 0.9954095040352868,  -0.09570746719156304],
              [  1.000000000000000,-2.449293598294706e-16],
              [ 0.7316273320795593,   -0.6817048092496826],
              [ 0.9393388792184448,    0.3429904809009075],
              [ 0.9993790498804484,   0.03523513388724686],
              [  1.000000000000000,                   0.0],
              [ 0.9954095040352868,  -0.09570746719156304],
              [ 0.9993790498804484,   0.03523513388724686],
              [ 0.9338385710183578,   -0.3576947347647030],]
  m_table2 = [[ 0.8872448700399544,    0.4612987541580664],
              [  1.000000000000000,-2.449293598294706e-16],
              [  1.000000000000000,                   0.0],
              [ 0.8661842563768241,    0.4997247582469054],
              [  1.000000000000000,-2.449293598294706e-16],
              [ 0.8661842563768241,    0.4997247582469054],
              [ 0.9985971885883368,   0.05294955092793100],
              [ 0.9953266793156614,  -0.09656501148168592],
              [  1.000000000000000,                   0.0],
              [ 0.9985971885883368,   0.05294955092793100],
              [ 0.9945026452220342,    0.1047114542272075],
              [ 0.9878936003329052,    0.1551329572376227],
              [ 0.8661842563768241,    0.4997247582469054],
              [ 0.9953266793156614,  -0.09656501148168592],
              [ 0.9878936003329052,    0.1551329572376227],
              [ 0.7738490104360864,    0.6333701201091584],]

  # Output position i takes the recovered value at index pos_table[i].
  pos_table = [0,9,2,11,15,4,13,6,10,3,8,1,5,14,7,12]

  def as_complex(pairs):
    # Turn a table of (real, imaginary) rows into a complex numpy array.
    return np.array([re_part+im_part*1.j for re_part, im_part in pairs])

  factors1 = as_complex(m_table1)
  factors2 = as_complex(m_table2)
  stage = as_complex(check_table)

  stage = decomp1(stage)
  stage = stage/factors2
  stage = decomp2(stage)
  stage = stage/factors1

  part1 = [chr(int(round(abs(stage[p])))) for p in pos_table]
  print ''.join(part1).encode('hex').upper()

part2

这部分流程如下:

// Hex-Rays pseudocode of the second check, as posted in the write-up.
// a1 points at five dwords (20 bytes) of the decoded input. They are run
// through j_tea_decrypt with a fixed 15-character key, the result is run
// through aes_decrypt with a fixed 32-byte key, and the 16-byte output must
// equal part2_check. Both keys and the expected value are constants embedded
// in the function, so they can be read out statically.
// Returns nonzero only when all 16 bytes match.
BOOL __cdecl check_part2(unsigned int *a1)
{
  unsigned int v1; // edx
  unsigned int v2; // ecx
  unsigned int v3; // edx
  unsigned int v4; // eax
  char *v5; // ebx
  BOOL result; // eax
  void *v7; // edi
  int v8; // esi
  signed int v9; // eax
  int a5; // [esp+4h] [ebp-70h]
  char tea_key[16]; // [esp+8h] [ebp-6Ch]
  char part2[20]; // [esp+18h] [ebp-5Ch]
  char aes_result[16]; // [esp+30h] [ebp-44h]
  char aes_key[32]; // [esp+40h] [ebp-34h]
  char part2_check[16]; // [esp+60h] [ebp-14h]

  v1 = a1[1];
  aes_key[20] = 0x6D;
  // Zero-fill of part2 as rendered by the decompiler: unaligned, overlapping
  // dword stores. The last one (&part2[17]) reaches index 20, one byte past
  // the declared size; the stack layout leaves 4 bytes between part2 and
  // aes_result, so the real buffer is probably larger - TODO confirm.
  *(_DWORD *)part2 = 0;
  *(_DWORD *)&part2[5] = 0;
  *(_DWORD *)&part2[9] = 0;
  *(_DWORD *)&part2[13] = 0;
  *(_DWORD *)&part2[17] = 0;
  // Copy the five input dwords a1[0..4] into part2[0..19] (interleaved with
  // the constant setup by the compiler).
  *(_DWORD *)part2 = *a1;
  v2 = a1[2];
  *(_DWORD *)&part2[4] = v1;
  v3 = a1[3];
  v4 = a1[4];
  *(_DWORD *)&part2[8] = v2;
  *(_DWORD *)&part2[16] = v4;
  // 15 characters plus the terminator fill tea_key exactly.
  strcpy(tea_key, "goodLuck7777777");
  *(_DWORD *)&part2[12] = v3;
  // 32-byte AES key assembled piecewise: dwords at 0..19, the single byte at
  // 20 set above, dwords at 21 and 25, a word at 29 and the final byte at 31.
  *(_DWORD *)aes_key = 0xD4CF6E7E;
  *(_DWORD *)&aes_key[4] = 0x274BBC92;
  *(_DWORD *)&aes_key[8] = 0x65F2CFC0;
  *(_DWORD *)&aes_key[12] = 0xD1493C6D;
  *(_DWORD *)&aes_key[16] = 0xA845B1AA;
  *(_DWORD *)&aes_key[21] = 0xDFC19B75;
  *(_DWORD *)&aes_key[25] = 0x8DDD6075;
  *(_WORD *)&aes_key[29] = 0x13DD;
  aes_key[31] = 0xDAu;
  // Expected 16-byte result of the whole chain.
  *(_DWORD *)part2_check = 0x9A4A4BA5;
  *(_DWORD *)&part2_check[4] = 0xA28A49C5;
  *(_DWORD *)&part2_check[8] = 0x56C5A462;
  *(_DWORD *)&part2_check[12] = 0xA65A522D;
  // a5 starts at 0x14 (20) and is passed by address; presumably an in/out
  // length - TODO confirm. The key length passed is strlen(tea_key), i.e. 15.
  a5 = 0x14;
  v5 = j_tea_decrypt((int)part2, 20, tea_key, strlen(tea_key), (int)&a5);
  result = 0;
  // A null return from j_tea_decrypt rejects the input without reaching AES.
  if ( v5 )
  {
    *(_DWORD *)aes_result = 0;
    *(_DWORD *)&aes_result[4] = 0;
    *(_DWORD *)&aes_result[8] = 0;
    *(_DWORD *)&aes_result[12] = 0;
    // 0xF0 = 240 bytes, the size of an AES-256 key schedule (15 round keys of
    // 16 bytes). The malloc result is used without a null check.
    v7 = malloc(0xF0u);
    key_expand((int)aes_key, (int)v7);
    aes_decrypt((int)v5, v5, (int)aes_result, (int)v7);
    v8 = 0;
    v9 = 0;
    // Compare loop unrolled four bytes per iteration: v8 counts the matching
    // bytes over all 16 positions instead of stopping at the first mismatch.
    do
    {
      if ( part2_check[v9] == aes_result[v9] )
        ++v8;
      if ( part2_check[v9 + 1] == aes_result[v9 + 1] )
        ++v8;
      if ( part2_check[v9 + 2] == aes_result[v9 + 2] )
        ++v8;
      if ( part2_check[v9 + 3] == aes_result[v9 + 3] )
        ++v8;
      v9 += 4;
    }
    while ( v9 < 16 );
    // v5 is released here, so j_tea_decrypt hands back a heap buffer.
    free(v5);
    free(v7);
    result = v8 == 16;
  }
  return result;
}

似乎过程也很明了。经过unhex后的20字节,先进行魔改tea解密,再进行魔改aes解密,最后进行常量校验。
但是做题做到aes_decrypt函数里,发现里面有函数调用被非常大量的混淆代码替代了,有点痛苦。暂且不说。先把魔改tea搞定。
魔改tea解密后还有个细节,解密后第5个int数在[14,16]范围内,对应长度的解密结果被copy加填充后进行后面的魔改aes解密。魔改tea的加解密用py实现如下:

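def u32(b_str):
  """Split a byte string into a list of unsigned 32-bit words.

  The input is padded with zero bytes up to a multiple of four before it is
  unpacked. struct's native 'I' format is used, so the word order follows the
  host; the x86 target of the write-up is little-endian.

  The word count uses floor division and the padding is a bytes literal, so
  the helper behaves the same on Python 2 and also accepts bytes on Python 3
  (where '/' would produce a float and break the format string).
  """
  pad = -len(b_str) % 4
  if pad:
    b_str += b'\x00'*pad
  return list(struct.unpack('I'*(len(b_str)//4), b_str))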

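def p32(l_num):
  """Pack a sequence of unsigned 32-bit words back into a byte string.

  Inverse of u32 for already-aligned data; uses struct's native 'I' format.
  Joining the packed words avoids repeated string concatenation and returns a
  byte string on both Python 2 (str) and Python 3 (bytes).
  """
  return b''.join(struct.pack('I', word) for word in l_num)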

def tea_en_group():
  """Encrypt a hard-coded sample with the challenge's modified TEA and print it as upper-case hex.

  The data is treated as five 32-bit words that are updated in a ring for 16
  rounds: every word is increased by a mix of its predecessor, its successor,
  the running round sum and one key word, then truncated to 32 bits. The key
  is the 15-character string from check_part2, zero-padded to four words by
  u32. The 17-byte sample is padded to 20 bytes by u32 as well.
  NOTE(review): the ring structure looks like an XXTEA-style block TEA with
  changed shift amounts - not stated by the write-up.
  Python 2 code (str.decode('hex'), print statement).
  """
  delta = 0x9E3779B9
  mask = 0xffffffff
  key = u32('goodLuck7777777')
  d = u32('F7D23456CE34BA18714DAA40DBE2AD4710'.decode('hex'))

  def mix(prev, nxt, rnd_sum, k):
    # Left shifts are not masked here; only the low 32 bits survive the
    # truncation applied by the caller.
    return ((nxt ^ rnd_sum) + (prev ^ k)) ^ (((prev<<4) ^ (nxt>>3)) + ((prev>>5) ^ (nxt<<2)))

  rnd_sum = delta
  for _ in range(16):
    prev = d[4]
    for j in range(5):
      # The successor of the last word is the already-updated first word.
      nxt = d[(j+1) % 5]
      d[j] = (d[j] + mix(prev, nxt, rnd_sum, key[((rnd_sum>>2)&3)^(j&3)])) & mask
      prev = d[j]
    rnd_sum = (rnd_sum + delta) & mask

  print p32(d).encode('hex').upper()

def tea_de_group():
  """Decrypt a hard-coded 20-byte sample with the challenge's modified TEA and print it as upper-case hex.

  Mirror image of tea_en_group: the round sum starts at 16 * delta and is
  decreased every round, and the five words are walked from the last to the
  first, each one decreased by the same mix of predecessor, successor, round
  sum and key word, then truncated to 32 bits.
  Python 2 code (str.decode('hex'), print statement).
  """
  delta = 0x9E3779B9
  mask = 0xffffffff
  key = u32('goodLuck7777777')
  d = u32('1234567890ABCDEF1234567890ABCDEF12345678'.decode('hex'))

  def mix(prev, nxt, rnd_sum, k):
    # Left shifts are not masked here; only the low 32 bits survive the
    # truncation applied by the caller.
    return ((nxt ^ rnd_sum) + (prev ^ k)) ^ (((prev<<4) ^ (nxt>>3)) + ((prev>>5) ^ (nxt<<2)))

  rnd_sum = (delta*16) & mask
  for _ in range(16):
    nxt = d[0]
    for j in (4, 3, 2, 1, 0):
      # The predecessor of the first word is the already-updated last word.
      prev = d[(j-1) % 5]
      d[j] = (d[j] - mix(prev, nxt, rnd_sum, key[((rnd_sum>>2)&3)^(j&3)])) & mask
      nxt = d[j]
    rnd_sum = (rnd_sum - delta) & mask

  print p32(d).encode('hex').upper()

魔改aes的识别主要靠猜,依据是密钥扩展和解密过程中的字节替换及S盒和逆S盒的关系。
在aes解密的主函数中,第一次轮密钥加,循环中的行变换、字节替换和最后一轮的操作过程都清晰可见,循环中的轮密钥加和列混合变换函数调用被混淆代码填充了,编译后修改痕迹比较明显。

; Top of the round loop (the jnz further down branches back to 4013B1).
; Load the 16-byte buffer at var_14 as four dwords before any byte is rewritten.
.text:004013B1 8B 7D EC                                mov     edi, dword ptr [ebp+var_14]
.text:004013B4 8B 45 F0                                mov     eax, dword ptr [ebp+var_14+4]
.text:004013B7 8B 4D F4                                mov     ecx, dword ptr [ebp+var_14+8]
.text:004013BA 8B 75 F8                                mov     esi, dword ptr [ebp+var_14+0Ch]
; Byte 1 of every dword is stored two dwords away: 1->9, 5->0Dh, 9->1, 0Dh->5.
.text:004013BD 8B D7                                   mov     edx, edi
.text:004013BF C1 EA 08                                shr     edx, 8
.text:004013C2 88 55 F5                                mov     [ebp+var_14+9], dl
.text:004013C5 8B D0                                   mov     edx, eax
.text:004013C7 C1 EA 08                                shr     edx, 8
.text:004013CA 88 55 F9                                mov     [ebp+var_14+0Dh], dl
.text:004013CD 8B D1                                   mov     edx, ecx
.text:004013CF C1 EA 08                                shr     edx, 8
.text:004013D2 88 55 ED                                mov     [ebp+var_14+1], dl
.text:004013D5 8B D6                                   mov     edx, esi
.text:004013D7 C1 EA 08                                shr     edx, 8
.text:004013DA 88 55 F1                                mov     [ebp+var_14+5], dl
; Byte 2 moves the same distance: 2->0Ah, 6->0Eh, 0Ah->2, 0Eh->6.
.text:004013DD 8B D7                                   mov     edx, edi
.text:004013DF C1 EA 10                                shr     edx, 10h
.text:004013E2 88 55 F6                                mov     [ebp+var_14+0Ah], dl
.text:004013E5 8B D0                                   mov     edx, eax
.text:004013E7 C1 EA 10                                shr     edx, 10h
.text:004013EA 88 55 FA                                mov     [ebp+var_14+0Eh], dl
.text:004013ED 8B D1                                   mov     edx, ecx
.text:004013EF C1 EA 10                                shr     edx, 10h
.text:004013F2 88 55 EE                                mov     [ebp+var_14+2], dl
.text:004013F5 8B D6                                   mov     edx, esi
.text:004013F7 C1 EA 10                                shr     edx, 10h
; Byte 3 (top byte) moves one dword back: 7->3, 0Bh->7, 3->0Fh, 0Fh->0Bh.
; Byte 0 of every dword is never rewritten in this sequence.
.text:004013FA C1 E8 18                                shr     eax, 18h
.text:004013FD 88 55 F2                                mov     [ebp+var_14+6], dl
.text:00401400 88 45 EF                                mov     [ebp+var_14+3], al
.text:00401403 8B D7                                   mov     edx, edi
.text:00401405 C1 E9 18                                shr     ecx, 18h
.text:00401408 8B C6                                   mov     eax, esi
.text:0040140A C1 EA 18                                shr     edx, 18h
.text:0040140D C1 E8 18                                shr     eax, 18h
.text:00401410 88 4D F3                                mov     [ebp+var_14+7], cl
.text:00401413 88 55 FB                                mov     [ebp+var_14+0Fh], dl
.text:00401416 88 45 F7                                mov     [ebp+var_14+0Bh], al
; Set up the substitution loop that follows: ecx walks the buffer, esi counts 4 outer passes.
.text:00401419 8D 4D EC                                lea     ecx, [ebp+var_14]
.text:0040141C BE 04 00 00 00                          mov     esi, 4
.text:00401421
; Byte substitution: 4 outer x 4 inner iterations replace each of the 16 bytes at
; var_14 with its entry in g_rsbox_418108 (the write-up's label for the inverse S-box).
.text:00401421                         loc_401421:                             
.text:00401421 BA 04 00 00 00                          mov     edx, 4
.text:00401426
.text:00401426                         loc_401426:                             
.text:00401426 0F B6 01                                movzx   eax, byte ptr [ecx]
; The byte is split into high nibble (edi) and low nibble (eax) and the two are
; added back together as the table index, so the lookup is g_rsbox_418108[byte].
.text:00401429 8B F8                                   mov     edi, eax
.text:0040142B 83 E7 F0                                and     edi, 0FFFFFFF0h
.text:0040142E 83 E0 0F                                and     eax, 0Fh
.text:00401431 8A 84 07 08 81 41 00                    mov     al, g_rsbox_418108[edi+eax]
.text:00401438 88 01                                   mov     [ecx], al
.text:0040143A 41                                      inc     ecx
.text:0040143B 4A                                      dec     edx
.text:0040143C 75 E8                                   jnz     short loc_401426
.text:0040143E 4E                                      dec     esi
.text:0040143F 75 E0                                   jnz     short loc_401421
; 17 bytes of NOP padding followed by an unconditional jump out of the visible
; function body to 42C43D. Per the write-up, the calls that used to sit in the
; round loop (round-key addition and column mixing) were replaced by obfuscated
; code, and the patching left these traces.
.text:00401441 90                                      nop
.text:00401442 90                                      nop
.text:00401443 90                                      nop
.text:00401444 90                                      nop
.text:00401445 90                                      nop
.text:00401446 90                                      nop
.text:00401447 90                                      nop
.text:00401448 90                                      nop
.text:00401449 90                                      nop
.text:0040144A 90                                      nop
.text:0040144B 90                                      nop
.text:0040144C 90                                      nop
.text:0040144D 90                                      nop
.text:0040144E 90                                      nop
.text:0040144F 90                                      nop
.text:00401450 90                                      nop
.text:00401451 90                                      nop
.text:00401452 E9 E6 AF 02 00                          jmp     loc_42C43D
.text:00401452                         aes_decrypt     endp
.text:00401452
.text:00401452                         ; ---------------------------------------------------------------------------
.text:00401457 00                                      align 4
.text:00401458 00 00 00 00 00 00 00 00+                dd 26h dup(0)
.text:004014F0 00                                      db    0
.text:004014F1 00                                      db    0
.text:004014F2                         ; ---------------------------------------------------------------------------
; More NOP padding, then the tail of the round loop.
.text:004014F2 90                                      nop
.text:004014F3 90                                      nop
.text:004014F4 90                                      nop
.text:004014F5 90                                      nop
.text:004014F6 90                                      nop
.text:004014F7 90                                      nop
.text:004014F8 90                                      nop
.text:004014F9 90                                      nop
.text:004014FA 90                                      nop
.text:004014FB 90                                      nop
.text:004014FC 90                                      nop
.text:004014FD 90                                      nop
.text:004014FE 90                                      nop
.text:004014FF 90                                      nop
.text:00401500 90                                      nop
; [ebp-28h] steps down by 10h (16) per pass - presumably the round-key offset,
; TODO confirm - and [ebp-2Ch] is the remaining-rounds counter; loop back to
; 4013B1 until it reaches zero.
.text:00401501 83 6D D8 10                             sub     dword ptr [ebp-28h], 10h
.text:00401505 FF 4D D4                                dec     dword ptr [ebp-2Ch]
.text:00401508 0F 85 A3 FE FF FF                       jnz     loc_4013B1
.text:0040150E 8B 7D EC                                mov     edi, [ebp-14h]
.text:00401511 8B 45 F0                                mov     eax, [ebp-10h]
.text:00401514 8B 4D F4                                mov     ecx, [ebp-0Ch]
.text:00401517 8B 75 F8                                mov     esi, [ebp-8]
.text:0040151A 8B D7                                   mov     edx, edi

4013B0-401508本是一个循环。这个混淆也挺有意思,有个统一的业务流程跳转处理。不过对于做题这部分不要细看。直接上动态,跟踪数据写入。很容易就发现混淆在分散处理的功能就是轮密钥加,写入位置为421621,而列混合变换是完整函数实现401080。通过动态跟踪比对,发现了所有魔改之处,包括:

  1. 行变换 (实际成了列变换)
  2. 循环过程中的轮密钥加
  3. 混合列变换 (此变动较大,两列变换一次,变换矩阵8*8)
  4. 当然还有S盒及逆S盒。

具体过程见代码(代码也是网上copy来的):

 /*
 * Advanced Encryption Standard
 * @author Dani Huertas
 * @email huertas.dani@gmail.com
 *
 * Based on the document FIPS PUB 197
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Addition in GF(2^8): a bitwise XOR of the two field elements.
 * http://en.wikipedia.org/wiki/Finite_field_arithmetic
 */
uint8_t gadd(uint8_t a, uint8_t b) {
    uint8_t sum = (uint8_t)(a ^ b);

    return sum;
}

/*
 * Subtraction in GF(2^8): identical to addition, i.e. a bitwise XOR.
 * http://en.wikipedia.org/wiki/Finite_field_arithmetic
 */
uint8_t gsub(uint8_t a, uint8_t b) {
    uint8_t diff = (uint8_t)(a ^ b);

    return diff;
}

/*
 * Multiplication in GF(2^8), shift-and-add over the 8 bits of b.
 * http://en.wikipedia.org/wiki/Finite_field_arithmetic
 * Irreducible polynomial m(x) = x8 + x4 + x3 + x + 1; after a is doubled, an
 * overflow out of bit 7 is folded back by XOR with 0x1b (the low byte of 0x11b).
 */
uint8_t gmult(uint8_t a, uint8_t b) {
    uint8_t product = 0;
    int bit;

    for (bit = 0; bit < 8; ++bit) {
        /* Add the current multiple of a when the lowest bit of b is set. */
        if ((b & 1) != 0) {
            product ^= a;
        }

        const uint8_t carry = a & 0x80;
        a = (uint8_t)(a << 1);
        if (carry != 0) {
            a ^= 0x1b;
        }
        b >>= 1;
    }

    return product;
}

/*
 * Addition of 4 byte words
 * m(x) = x4+1
 * Byte-wise XOR of a and b, written to d.
 */
void coef_add(uint8_t a[], uint8_t b[], uint8_t d[]) {
    int idx;

    for (idx = 0; idx < 4; ++idx) {
        d[idx] = a[idx] ^ b[idx];
    }
}

/*
 * Multiplication of 4 byte words
 * m(x) = x4+1
 * d[row] is the XOR over col of gmult(a[(row - col) mod 4], b[col]); every
 * output byte is fully accumulated before it is stored.
 */
void coef_mult(uint8_t *a, uint8_t *b, uint8_t *d) {
    int row, col;

    for (row = 0; row < 4; ++row) {
        uint8_t acc = 0;

        for (col = 0; col < 4; ++col) {
            acc ^= gmult(a[(row + 4 - col) % 4], b[col]);
        }
        d[row] = acc;
    }
}

/*
 * 8x8 matrix times 8-byte vector over GF(2^8), added for the challenge's
 * modified column mix: a holds the matrix row by row (64 bytes), b the input
 * vector, d receives the 8 result bytes. Every output byte is fully
 * accumulated before it is stored.
 */
void coef_mult_1(uint8_t *a, uint8_t *b, uint8_t *d) {
    int row, col;

    for (row = 0; row < 8; ++row) {
        uint8_t acc = 0;

        for (col = 0; col < 8; ++col) {
            acc ^= gmult(a[8*row + col], b[col]);
        }
        d[row] = acc;
    }
}
/*
 * The cipher Key.
 * NOTE(review): declared as a plain int and not referenced by any function
 * visible in this listing.
 */
int K;

/*
 * Number of columns (32-bit words) comprising the State. For this 
 * standard, Nb = 4.
 */
#define Nb 4

/*
 * Number of 32-bit words comprising the Cipher Key. For this 
 * standard, Nk = 4, 6, or 8.
 * Mutable global; it is not assigned anywhere in the visible listing.
 */
int Nk;

/*
 * Number of rounds, which is a function of  Nk  and  Nb (which is 
 * fixed). For this standard, Nr = 10, 12, or 14.
 * Mutable global; it is not assigned anywhere in the visible listing.
 */
int Nr;

/*
 * S-box transformation table
 */
//static uint8_t s_box[256] = {
    // 0     1     2     3     4     5     6     7     8     9     a     b     c     d     e     f
//  0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76, // 0
//  0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0, // 1
//  0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15, // 2
//  0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75, // 3
//  0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84, // 4
//  0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf, // 5
//  0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8, // 6
//  0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2, // 7
//  0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73, // 8
//  0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb, // 9
//  0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79, // a
//  0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08, // b
//  0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a, // c
//  0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e, // d
//  0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf, // e
//  0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16};// f
/*
 * Substitution table actually compiled in: the values the write-up recovered
 * from the challenge binary, replacing the FIPS 197 S-box that is kept
 * commented out above for comparison. Indexed directly by the byte value;
 * the column header below gives the low nibble.
 */
static uint8_t s_box[256] = {
    // 0     1     2     3     4     5     6     7     8     9     a     b     c     d     e     f
    0x03, 0x10, 0xD1, 0xD5, 0xC9, 0x27, 0xC8, 0x68, 0xB3, 0xEF, 0x30, 0xFA, 0x33, 0xB0, 0xCA, 0x51, 
    0x7E, 0x37, 0x74, 0xF6, 0xC7, 0x4B, 0xE3, 0x0A, 0x36, 0x98, 0x9B, 0xB6, 0xD3, 0x9E, 0x1D, 0x77, 
    0x9D, 0x46, 0xED, 0x8C, 0xEC, 0xE6, 0xA7, 0x12, 0x92, 0xF4, 0x76, 0xDC, 0xA0, 0x14, 0x24, 0xD9, 
    0x20, 0x79, 0x59, 0x08, 0x4E, 0xB1, 0x07, 0x90, 0xAA, 0x2E, 0xD7, 0x4F, 0x11, 0xCD, 0xC5, 0x8A, 
    0xA5, 0x1C, 0x6A, 0x19, 0xC2, 0x66, 0xB4, 0xBC, 0x94, 0xC0, 0x9C, 0x2D, 0xE1, 0x29, 0xE2, 0x15, 
    0x55, 0x2A, 0x97, 0x81, 0xCF, 0x1A, 0x5A, 0xF5, 0x2C, 0xF3, 0xDD, 0x93, 0xB5, 0x4A, 0xE0, 0x39,
    0x57, 0x6F, 0x6E, 0xD6, 0x0C, 0x61, 0xAE, 0x31, 0xFF, 0xBD, 0xCE, 0x35, 0xD2, 0x5C, 0x40, 0x82,
    0x17, 0x89, 0x75, 0xE7, 0x7C, 0xA6, 0x32, 0x01, 0x22, 0x78, 0x18, 0x3A, 0x5D, 0x44, 0xAD, 0x84,
    0x45, 0x6B, 0xDB, 0xC3, 0x25, 0x5F, 0x06, 0x7F, 0xF0, 0xAB, 0xFD, 0x60, 0x2F, 0x3B, 0x00, 0x48, 
    0x2B, 0xFB, 0x96, 0x9F, 0x05, 0xE5, 0x91, 0x1E, 0x8F, 0x0F, 0x50, 0xA9, 0x0D, 0xF9, 0x3D, 0x21, 
    0xFE, 0xEE, 0x1B, 0x04, 0x13, 0x95, 0xB7, 0x42, 0xBF, 0x7A, 0x3E, 0x49, 0xB2, 0xAF, 0xCC, 0x28, 
    0xCB, 0x8D, 0x70, 0x54, 0xDE, 0x99, 0x3C, 0x26, 0xF7, 0x83, 0x85, 0x7D, 0x34, 0xE9, 0xBA, 0x3F, 
    0x9A, 0xDF, 0x02, 0x69, 0x5E, 0x7B, 0x43, 0x38, 0x67, 0xD8, 0xA4, 0xC4, 0xEA, 0x88, 0xE4, 0xD4, 
    0xBB, 0xB8, 0x47, 0xA2, 0xE8, 0x23, 0xA8, 0xF8, 0x73, 0x58, 0xF1, 0x6D, 0x1F, 0xAC, 0x65, 0x86, 
    0x8E, 0x09, 0x0E, 0x0B, 0xDA, 0xEB, 0x41, 0x62, 0xD0, 0x5B, 0x6C, 0x87, 0x4C, 0xFC, 0x71, 0x8B, 
    0x56, 0x4D, 0x64, 0xC1, 0x52, 0xA1, 0xBE, 0xB9, 0xC6, 0x53, 0x80, 0xF2, 0x16, 0x72, 0xA3, 0x63};// f
/*
 * Inverse S-box transformation table
 */
//static uint8_t inv_s_box[256] = {
    // 0     1     2     3     4     5     6     7     8     9     a     b     c     d     e     f
//  0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38, 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb, // 0
//  0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87, 0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb, // 1
//  0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d, 0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e, // 2
//  0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2, 0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25, // 3
//  0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16, 0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92, // 4
//  0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda, 0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84, // 5
//  0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a, 0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06, // 6
//  0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02, 0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b, // 7
//  0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea, 0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73, // 8
//  0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85, 0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e, // 9
//  0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89, 0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b, // a
//  0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20, 0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4, // b
//  0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31, 0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f, // c
//  0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d, 0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef, // d
//  0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0, 0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61, // e
//  0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26, 0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d};// f
/*
 * Inverse substitution table actually compiled in: the challenge's values,
 * replacing the FIPS 197 inverse S-box that is kept commented out above.
 * Meant to undo s_box (e.g. s_box[0x00] is 0x03 and inv_s_box[0x03] is 0x00).
 * Indexed directly by the byte value; the column header gives the low nibble.
 */
static uint8_t inv_s_box[256] = {
    // 0     1     2     3     4     5     6     7     8     9     a     b     c     d     e     f
    0x8E, 0x77, 0xC2, 0x00, 0xA3, 0x94, 0x86, 0x36, 0x33, 0xE1, 0x17, 0xE3, 0x64, 0x9C, 0xE2, 0x99, 
    0x01, 0x3C, 0x27, 0xA4, 0x2D, 0x4F, 0xFC, 0x70, 0x7A, 0x43, 0x55, 0xA2, 0x41, 0x1E, 0x97, 0xDC, 
    0x30, 0x9F, 0x78, 0xD5, 0x2E, 0x84, 0xB7, 0x05, 0xAF, 0x4D, 0x51, 0x90, 0x58, 0x4B, 0x39, 0x8C, 
    0x0A, 0x67, 0x76, 0x0C, 0xBC, 0x6B, 0x18, 0x11, 0xC7, 0x5F, 0x7B, 0x8D, 0xB6, 0x9E, 0xAA, 0xBF, 
    0x6E, 0xE6, 0xA7, 0xC6, 0x7D, 0x80, 0x21, 0xD2, 0x8F, 0xAB, 0x5D, 0x15, 0xEC, 0xF1, 0x34, 0x3B, 
    0x9A, 0x0F, 0xF4, 0xF9, 0xB3, 0x50, 0xF0, 0x60, 0xD9, 0x32, 0x56, 0xE9, 0x6D, 0x7C, 0xC4, 0x85, 
    0x8B, 0x65, 0xE7, 0xFF, 0xF2, 0xDE, 0x45, 0xC8, 0x07, 0xC3, 0x42, 0x81, 0xEA, 0xDB, 0x62, 0x61, 
    0xB2, 0xEE, 0xFD, 0xD8, 0x12, 0x72, 0x2A, 0x1F, 0x79, 0x31, 0xA9, 0xC5, 0x74, 0xBB, 0x10, 0x87, 
    0xFA, 0x53, 0x6F, 0xB9, 0x7F, 0xBA, 0xDF, 0xEB, 0xCD, 0x71, 0x3F, 0xEF, 0x23, 0xB1, 0xE0, 0x98, 
    0x37, 0x96, 0x28, 0x5B, 0x48, 0xA5, 0x92, 0x52, 0x19, 0xB5, 0xC0, 0x1A, 0x4A, 0x20, 0x1D, 0x93, 
    0x2C, 0xF5, 0xD3, 0xFE, 0xCA, 0x40, 0x75, 0x26, 0xD6, 0x9B, 0x38, 0x89, 0xDD, 0x7E, 0x66, 0xAD, 
    0x0D, 0x35, 0xAC, 0x08, 0x46, 0x5C, 0x1B, 0xA6, 0xD1, 0xF7, 0xBE, 0xD0, 0x47, 0x69, 0xF6, 0xA8, 
    0x49, 0xF3, 0x44, 0x83, 0xCB, 0x3E, 0xF8, 0x14, 0x06, 0x04, 0x0E, 0xB0, 0xAE, 0x3D, 0x6A, 0x54, 
    0xE8, 0x02, 0x6C, 0x1C, 0xCF, 0x03, 0x63, 0x3A, 0xC9, 0x2F, 0xE4, 0x82, 0x2B, 0x5A, 0xB4, 0xC1, 
    0x5E, 0x4C, 0x4E, 0x16, 0xCE, 0x95, 0x25, 0x73, 0xD4, 0xBD, 0xCC, 0xE5, 0x24, 0x22, 0xA1, 0x09, 
    0x88, 0xDA, 0xFB, 0x59, 0x29, 0x57, 0x13, 0xB8, 0xD7, 0x9D, 0x0B, 0x91, 0xED, 0x8A, 0xA0, 0x68};// f


/*
 * Generates the round constant Rcon[i]: byte 0 becomes x^(i-1) in GF(2^8),
 * the other three bytes are never written and keep their initial zero.
 * The result lives in the shared global R, so every call overwrites what the
 * previous call returned; i == 0 leaves R as it was.
 */
uint8_t R[] = {0x02, 0x00, 0x00, 0x00};

uint8_t * Rcon(uint8_t i) {

    if (i == 1) {
        R[0] = 0x01; // x^(1-1) = x^0 = 1
        return R;
    }

    if (i > 1) {
        uint8_t remaining;

        R[0] = 0x02;
        /* One doubling for every step of i above 2. */
        for (remaining = (uint8_t)(i - 1); remaining > 1; remaining--) {
            R[0] = gmult(R[0], 0x02);
        }
    }

    return R;
}

/*
 * Transformation in the Cipher and Inverse Cipher in which a Round 
 * Key is added to the State using an XOR operation. The length of a 
 * Round Key equals the size of the State (i.e., for Nb = 4, the Round 
 * Key length equals 128 bits/16 bytes).
 *
 * state is row-major (state[Nb*row + col]); round key r starts at
 * w[4*Nb*r] and is stored column by column (4*col + row).
 */
void add_round_key(uint8_t *state, uint8_t *w, uint8_t r) {

    uint8_t *round_key = w + 4*Nb*r;
    uint8_t col, row;

    for (col = 0; col < Nb; col++) {
        for (row = 0; row < 4; row++) {
            state[Nb*row + col] ^= round_key[4*col + row];
        }
    }
}
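/*
 * Round-key addition variant used for the challenge's modified cipher:
 * every state byte is XORed with the round-key byte at the same offset
 * (w[4*Nb*r + 4*k + c] for state byte 4*k + c) and the result is stored
 * transposed, i.e. out[Nb*c + k] = in[Nb*k + c] ^ key[4*k + c].
 *
 * A snapshot of the state is taken first because the transposed stores would
 * otherwise overwrite bytes that are still to be read. memcpy needs
 * <string.h>, and the snapshot is sized from Nb instead of a literal 16.
 */
void add_round_key_1(uint8_t *state, uint8_t *w, uint8_t r) {

    uint8_t c, k;
    uint8_t st_tmp[4*Nb];

    memcpy(st_tmp, state, sizeof st_tmp);

    for (c = 0; c < Nb; c++) {
        for (k = 0; k < 4; k++) {
            state[Nb*c + k] = st_tmp[Nb*k + c] ^ w[4*Nb*r + c + 4*k];
        }
    }
}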

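/*
 * Second round-key addition variant used for the challenge's modified
 * cipher: the state is transposed first and the round key is XORed onto the
 * transposed bytes, i.e. out[Nb*k + c] = in[Nb*c + k] ^ key[4*k + c] with the
 * key taken from w[4*Nb*r ...].
 *
 * A snapshot of the state is taken first because the transposed stores would
 * otherwise overwrite bytes that are still to be read. memcpy needs
 * <string.h>, and the snapshot is sized from Nb instead of a literal 16.
 */
void add_round_key_2(uint8_t *state, uint8_t *w, uint8_t r) {

    uint8_t c, k;
    uint8_t st_tmp[4*Nb];

    memcpy(st_tmp, state, sizeof st_tmp);

    for (c = 0; c < Nb; c++) {
        for (k = 0; k < 4; k++) {
            state[Nb*k + c] = st_tmp[Nb*c + k] ^ w[4*Nb*r + c + 4*k];
        }
    }
}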
/*
 * Transformation in the Cipher that takes all of the columns of the 
 * State and mixes their data (independently of one another) to 
 * produce new columns.
 *
 * Standard FIPS 197 form: each column is multiplied by
 * a(x) = {02} + {01}x + {01}x2 + {03}x3 via coef_mult.
 */
void mix_columns(uint8_t *state) {

    uint8_t poly[] = {0x02, 0x01, 0x01, 0x03};
    uint8_t column[4], mixed[4];
    uint8_t c, row;

    for (c = 0; c < Nb; c++) {
        /* Gather column c of the row-major state. */
        for (row = 0; row < 4; row++) {
            column[row] = state[Nb*row + c];
        }

        coef_mult(poly, column, mixed);

        /* Scatter the mixed column back. */
        for (row = 0; row < 4; row++) {
            state[Nb*row + c] = mixed[row];
        }
    }
}
/*
 * Modified column-mixing step used by cipher() in place of the standard
 * MixColumns.
 *
 * Instead of a 4-coefficient polynomial it uses a 64-byte table (laid
 * out here as 8 rows of 8) and works on 8-byte vectors: for j = 0 and
 * j = 1 the vector is column j of the state followed by column j + 2.
 * The vector and the table go to coef_mult_1(), defined elsewhere in
 * the file (presumably an 8x8 matrix-vector product over GF(2^8);
 * confirm against its definition), and the result is written back to
 * the same two columns.
 */
void mix_columns_1(uint8_t *state) {

    uint8_t matrix[] = {
        0x0B, 0x08, 0x06, 0x05, 0x04, 0x03, 0x01, 0x07,
        0x08, 0x0B, 0x05, 0x06, 0x03, 0x04, 0x07, 0x01,
        0x06, 0x05, 0x0B, 0x08, 0x01, 0x07, 0x04, 0x03,
        0x05, 0x06, 0x08, 0x0B, 0x07, 0x01, 0x03, 0x04,
        0x04, 0x03, 0x01, 0x07, 0x0B, 0x08, 0x06, 0x05,
        0x03, 0x04, 0x07, 0x01, 0x08, 0x0B, 0x05, 0x06,
        0x01, 0x07, 0x04, 0x03, 0x06, 0x05, 0x0B, 0x08,
        0x07, 0x01, 0x03, 0x04, 0x05, 0x06, 0x08, 0x0B
    };
    uint8_t vec[8], mixed[8];
    uint8_t pair, row;

    for (pair = 0; pair < 2; pair++) {
        /* gather column `pair` into vec[0..3] and column `pair + 2` into vec[4..7] */
        for (row = 0; row < 4; row++) {
            vec[row]     = state[Nb*row + pair];
            vec[row + 4] = state[Nb*row + pair + 2];
        }

        coef_mult_1(matrix, vec, mixed);

        /* scatter the result back to the same two columns */
        for (row = 0; row < 4; row++) {
            state[Nb*row + pair]     = mixed[row];
            state[Nb*row + pair + 2] = mixed[row + 4];
        }
    }
}
/*
 * Transformation in the Inverse Cipher that is the inverse of 
 * MixColumns().
 */
void inv_mix_columns(uint8_t *state) {
    /*
     * Standard AES InvMixColumns coefficients:
     * a(x) = {0e} + {09}x + {0d}x^2 + {0b}x^3.
     * Each state column is gathered, passed to coef_mult() together
     * with a[], and the product is scattered back into the same column.
     * coef_mult() is defined elsewhere in the file.
     */
    uint8_t poly[] = {0x0e, 0x09, 0x0d, 0x0b};
    uint8_t column[4], mixed[4];
    uint8_t c, r;

    for (c = 0; c < Nb; c++) {
        for (r = 0; r < 4; r++) {
            column[r] = state[Nb*r + c];
        }

        coef_mult(poly, column, mixed);

        for (r = 0; r < 4; r++) {
            state[Nb*r + c] = mixed[r];
        }
    }
}

/*
 * Inverse of the modified column-mixing step, used by inv_cipher().
 *
 * The table and the gather / multiply / scatter sequence are identical
 * to those in mix_columns_1(), so the 8x8 matrix is presumably its own
 * inverse under coef_mult_1() (not verified here).  For j = 0 and j = 1
 * the 8-byte vector is column j of the state followed by column j + 2.
 */
void inv_mix_columns_1(uint8_t *state) {

    uint8_t matrix[] = {
        0x0B, 0x08, 0x06, 0x05, 0x04, 0x03, 0x01, 0x07,
        0x08, 0x0B, 0x05, 0x06, 0x03, 0x04, 0x07, 0x01,
        0x06, 0x05, 0x0B, 0x08, 0x01, 0x07, 0x04, 0x03,
        0x05, 0x06, 0x08, 0x0B, 0x07, 0x01, 0x03, 0x04,
        0x04, 0x03, 0x01, 0x07, 0x0B, 0x08, 0x06, 0x05,
        0x03, 0x04, 0x07, 0x01, 0x08, 0x0B, 0x05, 0x06,
        0x01, 0x07, 0x04, 0x03, 0x06, 0x05, 0x0B, 0x08,
        0x07, 0x01, 0x03, 0x04, 0x05, 0x06, 0x08, 0x0B
    };
    uint8_t vec[8], mixed[8];
    uint8_t pair, row;

    for (pair = 0; pair < 2; pair++) {
        /* gather column `pair` into vec[0..3] and column `pair + 2` into vec[4..7] */
        for (row = 0; row < 4; row++) {
            vec[row]     = state[Nb*row + pair];
            vec[row + 4] = state[Nb*row + pair + 2];
        }

        coef_mult_1(matrix, vec, mixed);

        /* scatter the result back to the same two columns */
        for (row = 0; row < 4; row++) {
            state[Nb*row + pair]     = mixed[row];
            state[Nb*row + pair + 2] = mixed[row + 4];
        }
    }
}
/*
 * Transformation in the Cipher that processes the State by cyclically 
 * shifting the last three rows of the State by different offsets. 
 */
void shift_rows(uint8_t *state) {
    /*
     * Fixed-index permutation of a 16-byte state.  This is not the
     * textbook ShiftRows (rows 1..3 rotated left by 1..3 bytes):
     *   - slots {1, 5, 9, 13} and {2, 6, 10, 14} are each rotated by
     *     two positions, i.e. slot n is exchanged with slot n + 8;
     *   - slots {3, 7, 11, 15} are rotated by one position, each value
     *     moving to the slot four higher and slot 15 wrapping to 3.
     * Slots 0, 4, 8 and 12 are left untouched.
     */
    static const uint8_t swap_lo[] = {1, 5, 2, 6};
    uint8_t hold;
    unsigned n;

    for (n = 0; n < 4; n++) {
        hold = state[swap_lo[n]];
        state[swap_lo[n]] = state[swap_lo[n] + 8];
        state[swap_lo[n] + 8] = hold;
    }

    hold = state[15];
    state[15] = state[11];
    state[11] = state[7];
    state[7] = state[3];
    state[3] = hold;
}

/*
 * Transformation in the Inverse Cipher that is the inverse of 
 * ShiftRows().
 */
void inv_shift_rows(uint8_t *state) {
    /*
     * Undoes the fixed-index permutation applied by shift_rows() on a
     * 16-byte state:
     *   - slots {1, 5, 9, 13} and {2, 6, 10, 14}: slot n is exchanged
     *     with slot n + 8 (a rotation by two is its own inverse);
     *   - slots {3, 7, 11, 15}: each value moves to the slot four
     *     lower, slot 3 wrapping to 15.
     * Slots 0, 4, 8 and 12 are left untouched.
     */
    static const uint8_t swap_lo[] = {1, 5, 2, 6};
    uint8_t hold;
    unsigned n;

    for (n = 0; n < 4; n++) {
        hold = state[swap_lo[n]];
        state[swap_lo[n]] = state[swap_lo[n] + 8];
        state[swap_lo[n] + 8] = hold;
    }

    hold = state[3];
    state[3] = state[7];
    state[7] = state[11];
    state[11] = state[15];
    state[15] = hold;
}

/*
 * Transformation in the Cipher that processes the State using a non-
 * linear byte substitution table (S-box) that operates on each of the 
 * State bytes independently. 
 */
void sub_bytes(uint8_t *state) {
    /*
     * Replace every state byte with its s_box entry.  The high nibble
     * selects the table row and the low nibble the column, so the
     * index 16*row + col is simply the byte value.  The 4 x Nb state
     * is stored contiguously, so one flat pass visits each byte once.
     */
    int pos;

    for (pos = 0; pos < 4*Nb; pos++) {
        state[pos] = s_box[state[pos]];
    }
}

/*
 * Transformation in the Inverse Cipher that is the inverse of 
 * SubBytes().
 */
void inv_sub_bytes(uint8_t *state) {
    /*
     * Replace every state byte with its inv_s_box entry.  The high
     * nibble selects the table row and the low nibble the column, so
     * the index 16*row + col is simply the byte value.  The 4 x Nb
     * state is stored contiguously, so one flat pass visits each byte
     * once.
     */
    int pos;

    for (pos = 0; pos < 4*Nb; pos++) {
        state[pos] = inv_s_box[state[pos]];
    }
}

/*
 * Function used in the Key Expansion routine that takes a four-byte 
 * input word and applies an S-box to each of the four bytes to 
 * produce an output word.
 */
void sub_word(uint8_t *w) {
    /*
     * Substitute each of the four bytes of w through s_box, in place.
     * Row = high nibble, column = low nibble, so the table index equals
     * the byte value itself.
     */
    uint8_t *p;

    for (p = w; p != w + 4; p++) {
        *p = s_box[*p];
    }
}

/*
 * Function used in the Key Expansion routine that takes a four-byte 
 * word and performs a cyclic permutation. 
 */
void rot_word(uint8_t *w) {
    /* Rotate the four-byte word left by one byte: [a,b,c,d] -> [b,c,d,a]. */
    uint8_t first = w[0];

    w[0] = w[1];
    w[1] = w[2];
    w[2] = w[3];
    w[3] = first;
}

/*
 * Key Expansion
 */
void key_expansion(uint8_t *key, uint8_t *w) {
    /*
     * Expand `key` (Nk four-byte words) into the schedule `w`, which
     * must have room for Nb*(Nr+1) four-byte words.  Nk and Nr are
     * file-level settings chosen by the caller before this runs.
     */
    uint8_t word[4];
    uint8_t idx, b;
    uint8_t total = Nb*(Nr+1);   /* schedule length in words */

    /* the first Nk words are the cipher key itself */
    for (idx = 0; idx < Nk; idx++) {
        for (b = 0; b < 4; b++) {
            w[4*idx + b] = key[4*idx + b];
        }
    }

    for (idx = Nk; idx < total; idx++) {
        /* start from the previous word */
        for (b = 0; b < 4; b++) {
            word[b] = w[4*(idx - 1) + b];
        }

        if (idx % Nk == 0) {
            /* every Nk-th word: rotate, substitute, add the round constant */
            rot_word(word);
            sub_word(word);
            coef_add(word, Rcon(idx / Nk), word);
        } else if (Nk > 6 && idx % Nk == 4) {
            /* extra substitution that applies only when Nk > 6 */
            sub_word(word);
        }

        /* new word = word Nk positions back XOR the transformed word */
        for (b = 0; b < 4; b++) {
            w[4*idx + b] = w[4*(idx - Nk) + b] ^ word[b];
        }
    }
}

/*
 * Print 16 bytes as upper-case hex, four bytes per printf call, all on
 * one line, followed by a newline.
 */
void print_info(uint8_t* out){
    const uint8_t *p = out;
    const uint8_t *end = out + 16;

    while (p < end) {
        printf("%02X %02X %02X %02X ", p[0], p[1], p[2], p[3]);
        p += 4;
    }
    printf("\n");
}

/*
 * Encrypt one block with the modified round function.
 *
 * in/out are 4*Nb-byte blocks in column-major order; w is the expanded
 * key produced by key_expansion().  Sequence as written:
 *   add_round_key(0);
 *   rounds 1 .. Nr-1: sub_bytes, shift_rows, mix_columns_1, add_round_key_2;
 *   final: sub_bytes, shift_rows, add_round_key(Nr).
 * Note that the middle rounds call mix_columns_1 and add_round_key_2,
 * not mix_columns and add_round_key.
 */
void cipher(uint8_t *in, uint8_t *out, uint8_t *w) {

    uint8_t state[4*Nb];
    uint8_t round, row, col;

    /* load: input byte (row + 4*col) goes to row-major slot (Nb*row + col) */
    for (col = 0; col < Nb; col++) {
        for (row = 0; row < 4; row++) {
            state[Nb*row + col] = in[row + 4*col];
        }
    }

    add_round_key(state, w, 0);

    round = 1;
    while (round < Nr) {
        sub_bytes(state);
        shift_rows(state);
        mix_columns_1(state);
        add_round_key_2(state, w, round);
        round++;
    }

    /* final round has no column mixing */
    sub_bytes(state);
    shift_rows(state);
    add_round_key(state, w, Nr);

    /* store: reverse of the load mapping */
    for (col = 0; col < Nb; col++) {
        for (row = 0; row < 4; row++) {
            out[row + 4*col] = state[Nb*row + col];
        }
    }
}

/*
 * Decrypt one block; undoes cipher() step by step in reverse order.
 *
 * in/out are 4*Nb-byte blocks in column-major order; w is the expanded
 * key produced by key_expansion().  Sequence as written:
 *   add_round_key(Nr);
 *   rounds Nr-1 .. 1: inv_shift_rows, inv_sub_bytes, add_round_key_1,
 *                     inv_mix_columns_1;
 *   final: inv_shift_rows, inv_sub_bytes, add_round_key(0).
 */
void inv_cipher(uint8_t *in, uint8_t *out, uint8_t *w) {

    uint8_t state[4*Nb];
    uint8_t round, row, col;

    /* load: input byte (row + 4*col) goes to row-major slot (Nb*row + col) */
    for (col = 0; col < Nb; col++) {
        for (row = 0; row < 4; row++) {
            state[Nb*row + col] = in[row + 4*col];
        }
    }

    add_round_key(state, w, Nr);

    round = Nr - 1;
    while (round >= 1) {
        inv_shift_rows(state);
        inv_sub_bytes(state);
        add_round_key_1(state, w, round);
        inv_mix_columns_1(state);
        round--;
    }

    inv_shift_rows(state);
    inv_sub_bytes(state);
    add_round_key(state, w, 0);

    /* store: reverse of the load mapping */
    for (col = 0; col < Nb; col++) {
        for (row = 0; row < 4; row++) {
            out[row + 4*col] = state[Nb*row + col];
        }
    }
}



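/*
 * Driver for the modified cipher: expands the hard-coded key, runs
 * cipher() on one hard-coded 16-byte block and prints the result, then
 * runs inv_cipher() on that result and prints the recovered block.
 *
 * Returns 0 on success, 1 if the expanded-key buffer cannot be
 * allocated.
 */
int main(int argc, char *argv[]) {

    /* 32-byte key, so the switch below selects Nk = 8, Nr = 14 */
    uint8_t key[] = {
        0x7E, 0x6E, 0xCF, 0xD4,
        0x92, 0xBC, 0x4B, 0x27,
        0xC0, 0xCF, 0xF2, 0x65,
        0x6D, 0x3C, 0x49, 0xD1,
        0xAA, 0xB1, 0x45, 0xA8,
        0x6D, 0x75, 0x9B, 0xC1,
        0xDF, 0x75, 0x60, 0xDD,
        0x8D, 0xDD, 0x13, 0xDA};

    /* Alternative input block left by the author:
     *  0x7B, 0x85, 0xC9, 0x5F, 0x14, 0x1F, 0xA6, 0x38, 0x3F, 0x7E, 0xB7, 0x10, 0x24, 0x19, 0xB3, 0x6F
     */
    uint8_t in[] = {0xA5, 0x4B, 0x4A, 0x9A, 0xC5, 0x49, 0x8A, 0xA2, 0x62, 0xA4, 0xC5, 0x56, 0x2D, 0x52, 0x5A, 0xA6};

    uint8_t out[16]; // 128

    uint8_t *w; // expanded key

    (void)argc;
    (void)argv;

    /* key length in bytes selects the word count and the round count */
    switch (sizeof(key)) {
        default:
        case 16: Nk = 4; Nr = 10; break;
        case 24: Nk = 6; Nr = 12; break;
        case 32: Nk = 8; Nr = 14; break;
    }

    /* Nb*(Nr+1) words of 4 bytes each */
    w = malloc(Nb*(Nr+1)*4);
    if (w == NULL) {
        /* key_expansion() would otherwise write through a null pointer */
        fprintf(stderr, "malloc failed for expanded key\n");
        return 1;
    }

    key_expansion(key, w);

    cipher(in /* in */, out /* out */, w /* expanded key */);

    printf("out:\n");
    print_info(out);

    /* round trip: in[] is overwritten with the inverse of out[] */
    inv_cipher(out, in, w);
    print_info(in);

    free(w);

    return 0;
}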

最后结果为:76474B2B1926009C452B00627200190268740438FDCC641665D0EA735F2739B3EE7B315A



最后于 2018-12-17 11:38 被poyoten编辑 ,原因:
最新回复 (2)
大帅锅 4 2018-12-17 14:29
po叔tql!!
wsc 2018-12-17 15:17
厉害了