-
-
[原创]使用trace进行算法还原
-
发表于: 2021-11-2 11:36
-
小伙伴发来的题,说是某比赛线下题目
sub_F08
AES的S盒
验证一下
我使用trace进行的算法还原
输入由32补全40位,08补全
输入长度 40 >> 3 = 5
进行了5次大循环,每次循环进行了12+1次
每次小循环使用的数组:
逆推
还原算法
对加密算法进行逆运算
使用AES Decrypt
int __fastcall sub_F08(JNIEnv *a1, int a2, int a3)
{ const char *v3; // r9
size_t v4; // r6
char *v5; // r4
void *v6; // r8
_DWORD *v7; // r5
int v8; // r9
unsigned __int8 *v9; // r6
int v10; // r0
char *v11; // r1
int v12; // r2
int v13; // t1
int v14; // t1
v3 = (*a1)->GetStringUTFChars(a1, a3, 0);
v4 = strlen(v3);
v5 = malloc(v4);
v6 = malloc(4 * v4 + 64);
v7 = malloc(0x20u);
*v7 = 0x1010101;
v7[1] = 0x1010101;
v7[2] = 0x1010101;
v7[3] = 0x1010101;
qmemcpy(v5, v3, v4);
v8 = sub_D68(v6, v5, v4, v7);
free(v5);
memset(v7, 2, 0x20u);
v9 = malloc(4 * v8 + 32);
v10 = sub_E80(v9, v6, v8, v7);
v11 = &c_cipher;
while ( v10 )
{
v13 = *v11++;
v12 = v13;
--v10;
v14 = *v9++;
if ( v14 != v12 )
return 0;
}
return 1;
}int __fastcall sub_F08(JNIEnv *a1, int a2, int a3)
{ const char *v3; // r9
size_t v4; // r6
char *v5; // r4
void *v6; // r8
_DWORD *v7; // r5
int v8; // r9
unsigned __int8 *v9; // r6
int v10; // r0
char *v11; // r1
int v12; // r2
int v13; // t1
int v14; // t1
v3 = (*a1)->GetStringUTFChars(a1, a3, 0);
v4 = strlen(v3);
v5 = malloc(v4);
v6 = malloc(4 * v4 + 64);
v7 = malloc(0x20u);
*v7 = 0x1010101;
v7[1] = 0x1010101;
v7[2] = 0x1010101;
v7[3] = 0x1010101;
qmemcpy(v5, v3, v4);
v8 = sub_D68(v6, v5, v4, v7);
free(v5);
memset(v7, 2, 0x20u);
v9 = malloc(4 * v8 + 32);
v10 = sub_E80(v9, v6, v8, v7);
v11 = &c_cipher;
while ( v10 )
{
v13 = *v11++;
v12 = v13;
--v10;
v14 = *v9++;
if ( v14 != v12 )
return 0;
}
return 1;
}第一加密 v8 = sub_D68(v6, v5, v4, v7);
第二次加密 v10 = sub_E80(v9, v6, v8, v7);
解密结果与 &c_cipher进行比较第一加密 v8 = sub_D68(v6, v5, v4, v7);
第二次加密 v10 = sub_E80(v9, v6, v8, v7);
解密结果与 &c_cipher进行比较unsigned char c_cipher[56] = {
0xCA, 0x60, 0x55, 0x30, 0xB5, 0xDB, 0xD4, 0xA6, 0x01, 0x15, 0x3F, 0xB8, 0xBC, 0x4C, 0x9C, 0x88,
0xEA, 0xF4, 0x76, 0xDD, 0x8D, 0x7B, 0x1A, 0x26, 0xDA, 0x74, 0x2C, 0x1D, 0x28, 0x63, 0x4B, 0x88,
0x44, 0x22, 0x7E, 0x21, 0x0E, 0x6C, 0xF4, 0xAE, 0xE4, 0x21, 0xC7, 0x67, 0x21, 0x40, 0xC5, 0x3B,
0xB2, 0x55, 0x92, 0x21, 0x9B, 0x29, 0xFA, 0x33
};
unsigned char c_cipher[56] = {
0xCA, 0x60, 0x55, 0x30, 0xB5, 0xDB, 0xD4, 0xA6, 0x01, 0x15, 0x3F, 0xB8, 0xBC, 0x4C, 0x9C, 0x88,
0xEA, 0xF4, 0x76, 0xDD, 0x8D, 0x7B, 0x1A, 0x26, 0xDA, 0x74, 0x2C, 0x1D, 0x28, 0x63, 0x4B, 0x88,
0x44, 0x22, 0x7E, 0x21, 0x0E, 0x6C, 0xF4, 0xAE, 0xE4, 0x21, 0xC7, 0x67, 0x21, 0x40, 0xC5, 0x3B,
0xB2, 0x55, 0x92, 0x21, 0x9B, 0x29, 0xFA, 0x33
};
输入 flag{0123456789}
key 01010101010101010101010101010101
加密结果 7E D8 C7 01 11 B4 88 27 0E 42 0B 31 59 CB 42 63
68 43 4D 37 D7 F6 9F 0E 03 B7 5B B1 5B C9 4B 6C
输入 flag{0123456789}
key 01010101010101010101010101010101
加密结果 7E D8 C7 01 11 B4 88 27 0E 42 0B 31 59 CB 42 63
68 43 4D 37 D7 F6 9F 0E 03 B7 5B B1 5B C9 4B 6C
输入 7E D8 C7 01 11 B4 88 27 0E 42 0B 31 59 CB 42 63
68 43 4D 37 D7 F6 9F 0E 03 B7 5B B1 5B C9 4B 6C
key 0202020202020202020202020202020202020202020202020202020202020202加密结果 8B A8 1D 1F DF E9 09 98 78 B0 0A CA F7 8F DE 1D
56 6F B4 65 E0 32 DC BA BE 7B 8A 81 A1 41 59 BA
B2 55 92 21 9B 29 FA 33
输入 7E D8 C7 01 11 B4 88 27 0E 42 0B 31 59 CB 42 63
68 43 4D 37 D7 F6 9F 0E 03 B7 5B B1 5B C9 4B 6C
key 0202020202020202020202020202020202020202020202020202020202020202加密结果 8B A8 1D 1F DF E9 09 98 78 B0 0A CA F7 8F DE 1D
56 6F B4 65 E0 32 DC BA BE 7B 8A 81 A1 41 59 BA
B2 55 92 21 9B 29 FA 33
unsigned int __fastcall sub_E80(int a1, int a2, int a3, int a4)
{ unsigned int result; // r0
int i; // r10
int v9; // r9
int v10; // r1
int v11; // r4
int j; // r5
__int64 v13; // kr00_8
sub_DA8(a4);
result = sub_994(a1, a2, a3, 8);
for ( i = 0; i != result >> 3; ++i )
{
v9 = 2 * i + 1;
v10 = *(a1 + 8 * i) + dword_5E50[0];
v11 = *(a1 + 4 * v9) + unk_5E54;
for ( j = 0; j != 12; ++j )
{
v13 = *&dword_5E50[2 * j + 2];
v10 = __ROR4__(v10 ^ v11, 32 - v11) + v13;
v11 = __ROR4__(v10 ^ v11, 32 - v10) + HIDWORD(v13);
}
*(a1 + 8 * i) = v10;
*(a1 + 4 * v9) = v11;
}
return result;
}unsigned int __fastcall sub_E80(int a1, int a2, int a3, int a4)
{ unsigned int result; // r0
int i; // r10
int v9; // r9
int v10; // r1
int v11; // r4
int j; // r5
__int64 v13; // kr00_8
sub_DA8(a4);
result = sub_994(a1, a2, a3, 8);
for ( i = 0; i != result >> 3; ++i )
{
v9 = 2 * i + 1;
v10 = *(a1 + 8 * i) + dword_5E50[0];
v11 = *(a1 + 4 * v9) + unk_5E54;
for ( j = 0; j != 12; ++j )
{
v13 = *&dword_5E50[2 * j + 2];
v10 = __ROR4__(v10 ^ v11, 32 - v11) + v13;
v11 = __ROR4__(v10 ^ v11, 32 - v10) + HIDWORD(v13);
}
*(a1 + 8 * i) = v10;
*(a1 + 4 * v9) = v11;
}
return result;
}输入 7E D8 C7 01 11 B4 88 27 0E 42 0B 31 59 CB 42 63
68 43 4D 37 D7 F6 9F 0E 03 B7 5B B1 5B C9 4B 6C
加密结果 8B A8 1D 1F DF E9 09 98 78 B0 0A CA F7 8F DE 1D
56 6F B4 65 E0 32 DC BA BE 7B 8A 81 A1 41 59 BA
B2 55 92 21 9B 29 FA 33
输入 7E D8 C7 01 11 B4 88 27 0E 42 0B 31 59 CB 42 63
68 43 4D 37 D7 F6 9F 0E 03 B7 5B B1 5B C9 4B 6C
加密结果 8B A8 1D 1F DF E9 09 98 78 B0 0A CA F7 8F DE 1D
56 6F B4 65 E0 32 DC BA BE 7B 8A 81 A1 41 59 BA
B2 55 92 21 9B 29 FA 33
输入 7E D8 C7 01 11 B4 88 27 0E 42 0B 31 59 CB 42 63
68 43 4D 37 D7 F6 9F 0E 03 B7 5B B1 5B C9 4B 6C
08 08 08 08 08 08 08 08
输入 7E D8 C7 01 11 B4 88 27 0E 42 0B 31 59 CB 42 63
68 43 4D 37 D7 F6 9F 0E 03 B7 5B B1 5B C9 4B 6C
08 08 08 08 08 08 08 08
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
|
|
|---|---|
|
|
|
|
|
第一次加密是aes trace是第二次加密 你看仔细了吗 |
|
|
|
