[原创]KCTF2025 day4 wp
发表于: 2025-8-22 16:06 4798
注意到函数列表里IDA识别出来的TLS回调, 其中初始化了一些资源, 这些都不重要, 重点看看其中的反调试.
0000000140003774调用了0000000140007303来执行系统调用, 此处系统调用号为0x19, 接触过VMP的反调试就知道这是ZwQueryInformationProcess的系统调用, 第一个参数为自身进程句柄, 第二个参数7(ProcessDebugPort)说明查询的是调试器信息:

将检测到调试器调用先前分配的可执行页的分支patch掉:

main+373是一样的反调试, main+1ae处有同样的反调试手法, 调用的是SetInformation, 将调试器从进程剥离.
另外main+1c9注册了一个异常处理函数(0000000140006D40), 一上来就清除了进程的调试寄存器, 虽然不一定会用到硬件断点但还是patch掉:

若触发软件断点就会根据一个全局变量进行不同的操作:

之前的反调试就是将ctol设置为4然后执行int 3来让程序退出的, 由于不用写注册机, 所以这里不分析用户名的处理, 直接跳到处理序列号的地方, 对应ctol为3:

核心处理逻辑在decryptstring(0000000140005D6C), 这是先前用来解密一些字符串使用的函数, 也就是说需要编写的是相应的加密函数, 从公开序列号可以看出最后一步的加密应该是base64编码(对应题目中的0000000140001684), 但是使用题目中发现的表会发现编码不回原来的字符串, 调试会发现题目中的解码过程将每3个字节合成时竟然是大端序的(按文末脚本的写法, 即 n |= b << 8 * i, 首字节落在最低位, 再从低6位起依次查表, 取位顺序与标准base64相反), 那只能自己手搓一个对应的base64编码函数了:
然后程序进行了一个类似AES的操作(000000014000593C):
从使用的SBOX可以看出是标准逆SBOX, 但是其中的列混合步骤用的貌似是白盒:

tbl是一个整整5 * 0x100字节的盒, 拷打AI写出爆破脚本后来到最后一步解密, 是一个简单的异或, 调试拿到异或的字节流即可, 完整脚本:
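"""Solver for the serial check described in this write-up.

Pipeline implemented here (inverse of what the target binary does to a
serial): XOR each 16-byte block with a captured keystream, undo the
AES-like routine, then encode the result with the binary's custom base64.

The C listing below is the IDA decompilation of that AES-like routine
(0x14000593C in the write-up), kept for reference.
"""

# ---------------------------------------------------------------------------
# Reference: IDA decompilation of the AES-like routine (from the write-up)
# ---------------------------------------------------------------------------
# _QWORD *__fastcall aes(__int64 a1, _QWORD *key)
# {
#   size_t v4; // rdx
#   char *v5; // rdi
#   size_t Size; // rbx
#   BYTE **to_encrypt; // rdi
#   _DWORD *key_1; // rbx
#   int i; // ebp
#   _QWORD *v10; // r14
#   __int64 v11; // rbx
#   int i_1; // ebp
#   __int64 v13; // r12
#   int j; // r15d
#   __int64 v15; // r13
#   _BYTE *v16; // rbx
#   _QWORD *v17; // rcx
#   void *v19[2]; // [rsp+20h] [rbp-58h] BYREF
#   __int64 v20; // [rsp+30h] [rbp-48h]
#   _QWORD *v21; // [rsp+38h] [rbp-40h]
#   __int64 v22; // [rsp+40h] [rbp-38h]
#
#   v22 = a1;
#   *(_OWORD *)v19 = 0;
#   v20 = 0;
#   v4 = *(_QWORD *)(a1 + 8) - *(_QWORD *)a1;
#   if ( v4 )
#   {
#     sub_140002824(v19, v4);
#     v5 = (char *)v19[0];
#     Size = *(_QWORD *)(a1 + 8) - *(_QWORD *)a1;
#     memmove(v19[0], *(const void **)a1, Size);
#     v19[1] = &v5[Size];
#   }
#   to_encrypt = (BYTE **)sub_140004A60(v19);
#   AddRoundKey(to_encrypt, (_DWORD *)(*key + 160LL));
#   key_1 = (_DWORD *)(*key + 144LL);
#   for ( i = 9; i > 0; --i )
#   {
#     SBOXswap(to_encrypt);
#     ShiftRows(to_encrypt);
#     AddRoundKey(to_encrypt, key_1);
#     key_1 -= 4;
#     col_mix(to_encrypt);
#   }
#   SBOXswap(to_encrypt);
#   ShiftRows(to_encrypt);
#   AddRoundKey(to_encrypt, key_1);
#   v10 = operator new(0x18u);
#   v21 = v10;
#   *(_OWORD *)v10 = 0;
#   v10[2] = 0;
#   *v10 = 0;
#   v10[1] = 0;
#   v10[2] = 0;
#   sub_140002824(v10, 0x10u);
#   v11 = *v10;
#   memset((void *)*v10, 0, 0x10u);
#   v10[1] = v11 + 16;
#   i_1 = 0;
#   v13 = 0;
#   do
#   {
#     j = 0;
#     v15 = v13;
#     do
#     {
#       v16 = (_BYTE *)*v10;
#       v16[v15] = *(_BYTE *)byteat_matrix((__int64)to_encrypt, i_1, j++);
#       v15 += 4;
#     }
#     while ( j < 4 );
#     ++i_1;
#     ++v13;
#   }
#   while ( i_1 < 4 );
#   if ( to_encrypt )
#   {
#     j_j_free(*to_encrypt);
#     j_j_free(to_encrypt);
#   }
#   v17 = *(_QWORD **)a1;
#   if ( *(_QWORD *)a1 )
#   {
#     if ( *(_QWORD *)(a1 + 16) - (_QWORD)v17 >= 0x1000u )
#     {
#       if ( (unsigned __int64)v17 - *(v17 - 1) - 8 > 0x1F )
#         invalid_parameter_noinfo_noreturn();
#       v17 = (_QWORD *)*(v17 - 1);
#     }
#     j_j_free(v17);
#     *(_QWORD *)a1 = 0;
#     *(_QWORD *)(a1 + 8) = 0;
#     *(_QWORD *)(a1 + 16) = 0;
#   }
#   return v10;
# }
# ---------------------------------------------------------------------------

from base64 import b64encode, b64decode
from collections import defaultdict
from typing import List, Tuple

# 64 bytes the solver starts from. They are used as raw bytes (never
# base64-decoded here). NOTE(review): presumably the value the binary
# compares its result against -- the write-up does not say; confirm.
enc = bytearray(b'l/SxsR0BCjRZTmc7XWscrMv38iYuoiUECvi9Tuvi+ZiJZmdR5EcvVnTZOZvrnOrw')

# Inverse S-box as found in the binary (the write-up identifies it as the
# standard AES inverse S-box).
inv_sbox = [
    0x52, 0x9, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
    0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87, 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
    0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0xB, 0x42, 0xFA, 0xC3, 0x4E,
    0x8, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
    0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16, 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
    0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
    0x90, 0xD8, 0xAB, 0x0, 0x8C, 0xBC, 0xD3, 0xA, 0xF7, 0xE4, 0x58, 0x5, 0xB8, 0xB3, 0x45, 0x6,
    0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0xF, 0x2, 0xC1, 0xAF, 0xBD, 0x3, 0x1, 0x13, 0x8A, 0x6B,
    0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
    0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
    0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89, 0x6F, 0xB7, 0x62, 0xE, 0xAA, 0x18, 0xBE, 0x1B,
    0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
    0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x7, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
    0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0xD, 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
    0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
    0x17, 0x2B, 0x4, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0xC, 0x7D,
]

# Five 0x100-byte lookup tables used by the binary's col_mix step.
# NOTE(review): spot checks (the entries at 0x01/0x10/0x20/0x40/0x80 and
# several full rows) match multiplication by 0x0D, 0x0E, 0x02, 0x09 and 0x0B
# in AES's GF(2^8) -- not exhaustively verified. If that holds, col_mix is
# ordinary InvMixColumns done by table lookup rather than a white-box
# construction, and its inverse is plain MixColumns, so the search in
# invert_one_column() could be replaced by direct arithmetic.
tbl = [
    # table 0
    0x0, 0xD, 0x1A, 0x17, 0x34, 0x39, 0x2E, 0x23, 0x68, 0x65, 0x72, 0x7F, 0x5C, 0x51, 0x46, 0x4B,
    0xD0, 0xDD, 0xCA, 0xC7, 0xE4, 0xE9, 0xFE, 0xF3, 0xB8, 0xB5, 0xA2, 0xAF, 0x8C, 0x81, 0x96, 0x9B,
    0xBB, 0xB6, 0xA1, 0xAC, 0x8F, 0x82, 0x95, 0x98, 0xD3, 0xDE, 0xC9, 0xC4, 0xE7, 0xEA, 0xFD, 0xF0,
    0x6B, 0x66, 0x71, 0x7C, 0x5F, 0x52, 0x45, 0x48, 0x3, 0xE, 0x19, 0x14, 0x37, 0x3A, 0x2D, 0x20,
    0x6D, 0x60, 0x77, 0x7A, 0x59, 0x54, 0x43, 0x4E, 0x5, 0x8, 0x1F, 0x12, 0x31, 0x3C, 0x2B, 0x26,
    0xBD, 0xB0, 0xA7, 0xAA, 0x89, 0x84, 0x93, 0x9E, 0xD5, 0xD8, 0xCF, 0xC2, 0xE1, 0xEC, 0xFB, 0xF6,
    0xD6, 0xDB, 0xCC, 0xC1, 0xE2, 0xEF, 0xF8, 0xF5, 0xBE, 0xB3, 0xA4, 0xA9, 0x8A, 0x87, 0x90, 0x9D,
    0x6, 0xB, 0x1C, 0x11, 0x32, 0x3F, 0x28, 0x25, 0x6E, 0x63, 0x74, 0x79, 0x5A, 0x57, 0x40, 0x4D,
    0xDA, 0xD7, 0xC0, 0xCD, 0xEE, 0xE3, 0xF4, 0xF9, 0xB2, 0xBF, 0xA8, 0xA5, 0x86, 0x8B, 0x9C, 0x91,
    0xA, 0x7, 0x10, 0x1D, 0x3E, 0x33, 0x24, 0x29, 0x62, 0x6F, 0x78, 0x75, 0x56, 0x5B, 0x4C, 0x41,
    0x61, 0x6C, 0x7B, 0x76, 0x55, 0x58, 0x4F, 0x42, 0x9, 0x4, 0x13, 0x1E, 0x3D, 0x30, 0x27, 0x2A,
    0xB1, 0xBC, 0xAB, 0xA6, 0x85, 0x88, 0x9F, 0x92, 0xD9, 0xD4, 0xC3, 0xCE, 0xED, 0xE0, 0xF7, 0xFA,
    0xB7, 0xBA, 0xAD, 0xA0, 0x83, 0x8E, 0x99, 0x94, 0xDF, 0xD2, 0xC5, 0xC8, 0xEB, 0xE6, 0xF1, 0xFC,
    0x67, 0x6A, 0x7D, 0x70, 0x53, 0x5E, 0x49, 0x44, 0xF, 0x2, 0x15, 0x18, 0x3B, 0x36, 0x21, 0x2C,
    0xC, 0x1, 0x16, 0x1B, 0x38, 0x35, 0x22, 0x2F, 0x64, 0x69, 0x7E, 0x73, 0x50, 0x5D, 0x4A, 0x47,
    0xDC, 0xD1, 0xC6, 0xCB, 0xE8, 0xE5, 0xF2, 0xFF, 0xB4, 0xB9, 0xAE, 0xA3, 0x80, 0x8D, 0x9A, 0x97,
    # table 1
    0x0, 0xE, 0x1C, 0x12, 0x38, 0x36, 0x24, 0x2A, 0x70, 0x7E, 0x6C, 0x62, 0x48, 0x46, 0x54, 0x5A,
    0xE0, 0xEE, 0xFC, 0xF2, 0xD8, 0xD6, 0xC4, 0xCA, 0x90, 0x9E, 0x8C, 0x82, 0xA8, 0xA6, 0xB4, 0xBA,
    0xDB, 0xD5, 0xC7, 0xC9, 0xE3, 0xED, 0xFF, 0xF1, 0xAB, 0xA5, 0xB7, 0xB9, 0x93, 0x9D, 0x8F, 0x81,
    0x3B, 0x35, 0x27, 0x29, 0x3, 0xD, 0x1F, 0x11, 0x4B, 0x45, 0x57, 0x59, 0x73, 0x7D, 0x6F, 0x61,
    0xAD, 0xA3, 0xB1, 0xBF, 0x95, 0x9B, 0x89, 0x87, 0xDD, 0xD3, 0xC1, 0xCF, 0xE5, 0xEB, 0xF9, 0xF7,
    0x4D, 0x43, 0x51, 0x5F, 0x75, 0x7B, 0x69, 0x67, 0x3D, 0x33, 0x21, 0x2F, 0x5, 0xB, 0x19, 0x17,
    0x76, 0x78, 0x6A, 0x64, 0x4E, 0x40, 0x52, 0x5C, 0x6, 0x8, 0x1A, 0x14, 0x3E, 0x30, 0x22, 0x2C,
    0x96, 0x98, 0x8A, 0x84, 0xAE, 0xA0, 0xB2, 0xBC, 0xE6, 0xE8, 0xFA, 0xF4, 0xDE, 0xD0, 0xC2, 0xCC,
    0x41, 0x4F, 0x5D, 0x53, 0x79, 0x77, 0x65, 0x6B, 0x31, 0x3F, 0x2D, 0x23, 0x9, 0x7, 0x15, 0x1B,
    0xA1, 0xAF, 0xBD, 0xB3, 0x99, 0x97, 0x85, 0x8B, 0xD1, 0xDF, 0xCD, 0xC3, 0xE9, 0xE7, 0xF5, 0xFB,
    0x9A, 0x94, 0x86, 0x88, 0xA2, 0xAC, 0xBE, 0xB0, 0xEA, 0xE4, 0xF6, 0xF8, 0xD2, 0xDC, 0xCE, 0xC0,
    0x7A, 0x74, 0x66, 0x68, 0x42, 0x4C, 0x5E, 0x50, 0xA, 0x4, 0x16, 0x18, 0x32, 0x3C, 0x2E, 0x20,
    0xEC, 0xE2, 0xF0, 0xFE, 0xD4, 0xDA, 0xC8, 0xC6, 0x9C, 0x92, 0x80, 0x8E, 0xA4, 0xAA, 0xB8, 0xB6,
    0xC, 0x2, 0x10, 0x1E, 0x34, 0x3A, 0x28, 0x26, 0x7C, 0x72, 0x60, 0x6E, 0x44, 0x4A, 0x58, 0x56,
    0x37, 0x39, 0x2B, 0x25, 0xF, 0x1, 0x13, 0x1D, 0x47, 0x49, 0x5B, 0x55, 0x7F, 0x71, 0x63, 0x6D,
    0xD7, 0xD9, 0xCB, 0xC5, 0xEF, 0xE1, 0xF3, 0xFD, 0xA7, 0xA9, 0xBB, 0xB5, 0x9F, 0x91, 0x83, 0x8D,
    # table 2
    0x0, 0x2, 0x4, 0x6, 0x8, 0xA, 0xC, 0xE, 0x10, 0x12, 0x14, 0x16, 0x18, 0x1A, 0x1C, 0x1E,
    0x20, 0x22, 0x24, 0x26, 0x28, 0x2A, 0x2C, 0x2E, 0x30, 0x32, 0x34, 0x36, 0x38, 0x3A, 0x3C, 0x3E,
    0x40, 0x42, 0x44, 0x46, 0x48, 0x4A, 0x4C, 0x4E, 0x50, 0x52, 0x54, 0x56, 0x58, 0x5A, 0x5C, 0x5E,
    0x60, 0x62, 0x64, 0x66, 0x68, 0x6A, 0x6C, 0x6E, 0x70, 0x72, 0x74, 0x76, 0x78, 0x7A, 0x7C, 0x7E,
    0x80, 0x82, 0x84, 0x86, 0x88, 0x8A, 0x8C, 0x8E, 0x90, 0x92, 0x94, 0x96, 0x98, 0x9A, 0x9C, 0x9E,
    0xA0, 0xA2, 0xA4, 0xA6, 0xA8, 0xAA, 0xAC, 0xAE, 0xB0, 0xB2, 0xB4, 0xB6, 0xB8, 0xBA, 0xBC, 0xBE,
    0xC0, 0xC2, 0xC4, 0xC6, 0xC8, 0xCA, 0xCC, 0xCE, 0xD0, 0xD2, 0xD4, 0xD6, 0xD8, 0xDA, 0xDC, 0xDE,
    0xE0, 0xE2, 0xE4, 0xE6, 0xE8, 0xEA, 0xEC, 0xEE, 0xF0, 0xF2, 0xF4, 0xF6, 0xF8, 0xFA, 0xFC, 0xFE,
    0x1B, 0x19, 0x1F, 0x1D, 0x13, 0x11, 0x17, 0x15, 0xB, 0x9, 0xF, 0xD, 0x3, 0x1, 0x7, 0x5,
    0x3B, 0x39, 0x3F, 0x3D, 0x33, 0x31, 0x37, 0x35, 0x2B, 0x29, 0x2F, 0x2D, 0x23, 0x21, 0x27, 0x25,
    0x5B, 0x59, 0x5F, 0x5D, 0x53, 0x51, 0x57, 0x55, 0x4B, 0x49, 0x4F, 0x4D, 0x43, 0x41, 0x47, 0x45,
    0x7B, 0x79, 0x7F, 0x7D, 0x73, 0x71, 0x77, 0x75, 0x6B, 0x69, 0x6F, 0x6D, 0x63, 0x61, 0x67, 0x65,
    0x9B, 0x99, 0x9F, 0x9D, 0x93, 0x91, 0x97, 0x95, 0x8B, 0x89, 0x8F, 0x8D, 0x83, 0x81, 0x87, 0x85,
    0xBB, 0xB9, 0xBF, 0xBD, 0xB3, 0xB1, 0xB7, 0xB5, 0xAB, 0xA9, 0xAF, 0xAD, 0xA3, 0xA1, 0xA7, 0xA5,
    0xDB, 0xD9, 0xDF, 0xDD, 0xD3, 0xD1, 0xD7, 0xD5, 0xCB, 0xC9, 0xCF, 0xCD, 0xC3, 0xC1, 0xC7, 0xC5,
    0xFB, 0xF9, 0xFF, 0xFD, 0xF3, 0xF1, 0xF7, 0xF5, 0xEB, 0xE9, 0xEF, 0xED, 0xE3, 0xE1, 0xE7, 0xE5,
    # table 3
    0x0, 0x9, 0x12, 0x1B, 0x24, 0x2D, 0x36, 0x3F, 0x48, 0x41, 0x5A, 0x53, 0x6C, 0x65, 0x7E, 0x77,
    0x90, 0x99, 0x82, 0x8B, 0xB4, 0xBD, 0xA6, 0xAF, 0xD8, 0xD1, 0xCA, 0xC3, 0xFC, 0xF5, 0xEE, 0xE7,
    0x3B, 0x32, 0x29, 0x20, 0x1F, 0x16, 0xD, 0x4, 0x73, 0x7A, 0x61, 0x68, 0x57, 0x5E, 0x45, 0x4C,
    0xAB, 0xA2, 0xB9, 0xB0, 0x8F, 0x86, 0x9D, 0x94, 0xE3, 0xEA, 0xF1, 0xF8, 0xC7, 0xCE, 0xD5, 0xDC,
    0x76, 0x7F, 0x64, 0x6D, 0x52, 0x5B, 0x40, 0x49, 0x3E, 0x37, 0x2C, 0x25, 0x1A, 0x13, 0x8, 0x1,
    0xE6, 0xEF, 0xF4, 0xFD, 0xC2, 0xCB, 0xD0, 0xD9, 0xAE, 0xA7, 0xBC, 0xB5, 0x8A, 0x83, 0x98, 0x91,
    0x4D, 0x44, 0x5F, 0x56, 0x69, 0x60, 0x7B, 0x72, 0x5, 0xC, 0x17, 0x1E, 0x21, 0x28, 0x33, 0x3A,
    0xDD, 0xD4, 0xCF, 0xC6, 0xF9, 0xF0, 0xEB, 0xE2, 0x95, 0x9C, 0x87, 0x8E, 0xB1, 0xB8, 0xA3, 0xAA,
    0xEC, 0xE5, 0xFE, 0xF7, 0xC8, 0xC1, 0xDA, 0xD3, 0xA4, 0xAD, 0xB6, 0xBF, 0x80, 0x89, 0x92, 0x9B,
    0x7C, 0x75, 0x6E, 0x67, 0x58, 0x51, 0x4A, 0x43, 0x34, 0x3D, 0x26, 0x2F, 0x10, 0x19, 0x2, 0xB,
    0xD7, 0xDE, 0xC5, 0xCC, 0xF3, 0xFA, 0xE1, 0xE8, 0x9F, 0x96, 0x8D, 0x84, 0xBB, 0xB2, 0xA9, 0xA0,
    0x47, 0x4E, 0x55, 0x5C, 0x63, 0x6A, 0x71, 0x78, 0xF, 0x6, 0x1D, 0x14, 0x2B, 0x22, 0x39, 0x30,
    0x9A, 0x93, 0x88, 0x81, 0xBE, 0xB7, 0xAC, 0xA5, 0xD2, 0xDB, 0xC0, 0xC9, 0xF6, 0xFF, 0xE4, 0xED,
    0xA, 0x3, 0x18, 0x11, 0x2E, 0x27, 0x3C, 0x35, 0x42, 0x4B, 0x50, 0x59, 0x66, 0x6F, 0x74, 0x7D,
    0xA1, 0xA8, 0xB3, 0xBA, 0x85, 0x8C, 0x97, 0x9E, 0xE9, 0xE0, 0xFB, 0xF2, 0xCD, 0xC4, 0xDF, 0xD6,
    0x31, 0x38, 0x23, 0x2A, 0x15, 0x1C, 0x7, 0xE, 0x79, 0x70, 0x6B, 0x62, 0x5D, 0x54, 0x4F, 0x46,
    # table 4
    0x0, 0xB, 0x16, 0x1D, 0x2C, 0x27, 0x3A, 0x31, 0x58, 0x53, 0x4E, 0x45, 0x74, 0x7F, 0x62, 0x69,
    0xB0, 0xBB, 0xA6, 0xAD, 0x9C, 0x97, 0x8A, 0x81, 0xE8, 0xE3, 0xFE, 0xF5, 0xC4, 0xCF, 0xD2, 0xD9,
    0x7B, 0x70, 0x6D, 0x66, 0x57, 0x5C, 0x41, 0x4A, 0x23, 0x28, 0x35, 0x3E, 0xF, 0x4, 0x19, 0x12,
    0xCB, 0xC0, 0xDD, 0xD6, 0xE7, 0xEC, 0xF1, 0xFA, 0x93, 0x98, 0x85, 0x8E, 0xBF, 0xB4, 0xA9, 0xA2,
    0xF6, 0xFD, 0xE0, 0xEB, 0xDA, 0xD1, 0xCC, 0xC7, 0xAE, 0xA5, 0xB8, 0xB3, 0x82, 0x89, 0x94, 0x9F,
    0x46, 0x4D, 0x50, 0x5B, 0x6A, 0x61, 0x7C, 0x77, 0x1E, 0x15, 0x8, 0x3, 0x32, 0x39, 0x24, 0x2F,
    0x8D, 0x86, 0x9B, 0x90, 0xA1, 0xAA, 0xB7, 0xBC, 0xD5, 0xDE, 0xC3, 0xC8, 0xF9, 0xF2, 0xEF, 0xE4,
    0x3D, 0x36, 0x2B, 0x20, 0x11, 0x1A, 0x7, 0xC, 0x65, 0x6E, 0x73, 0x78, 0x49, 0x42, 0x5F, 0x54,
    0xF7, 0xFC, 0xE1, 0xEA, 0xDB, 0xD0, 0xCD, 0xC6, 0xAF, 0xA4, 0xB9, 0xB2, 0x83, 0x88, 0x95, 0x9E,
    0x47, 0x4C, 0x51, 0x5A, 0x6B, 0x60, 0x7D, 0x76, 0x1F, 0x14, 0x9, 0x2, 0x33, 0x38, 0x25, 0x2E,
    0x8C, 0x87, 0x9A, 0x91, 0xA0, 0xAB, 0xB6, 0xBD, 0xD4, 0xDF, 0xC2, 0xC9, 0xF8, 0xF3, 0xEE, 0xE5,
    0x3C, 0x37, 0x2A, 0x21, 0x10, 0x1B, 0x6, 0xD, 0x64, 0x6F, 0x72, 0x79, 0x48, 0x43, 0x5E, 0x55,
    0x1, 0xA, 0x17, 0x1C, 0x2D, 0x26, 0x3B, 0x30, 0x59, 0x52, 0x4F, 0x44, 0x75, 0x7E, 0x63, 0x68,
    0xB1, 0xBA, 0xA7, 0xAC, 0x9D, 0x96, 0x8B, 0x80, 0xE9, 0xE2, 0xFF, 0xF4, 0xC5, 0xCE, 0xD3, 0xD8,
    0x7A, 0x71, 0x6C, 0x67, 0x56, 0x5D, 0x40, 0x4B, 0x22, 0x29, 0x34, 0x3F, 0xE, 0x5, 0x18, 0x13,
    0xCA, 0xC1, 0xDC, 0xD7, 0xE6, 0xED, 0xF0, 0xFB, 0x92, 0x99, 0x84, 0x8F, 0xBE, 0xB5, 0xA8, 0xA3,
]

# Split the flat dump into the five 256-entry tables.
tblstate = []
for i in range(5):
    tblstate.append(tbl[0x100 * i:0x100 * (i + 1)])


def bytes2state(data: bytes) -> list[list[int]]:
    """Return *data* (16 bytes) as a 4x4 matrix, filled row by row."""
    return [[data[i * 4 + j] for j in range(4)] for i in range(4)]


def state2bytes(state: list[list[int]]) -> bytes:
    """Flatten a 4x4 matrix back to 16 bytes, row by row."""
    return bytes(state[i][j] for i in range(4) for j in range(4))


# 176 bytes = 11 round keys of 16 bytes. The decompilation reads round keys
# at offsets 160 down to 0 from *key. The write-up does not say how this
# dump was obtained.
key = [
    0x0, 0x73, 0x69, 0x68, 0x0, 0x41, 0x63, 0x6E, 0x0, 0x65, 0x44, 0x64, 0x0, 0x79, 0x65, 0x4B,
    0x0, 0x73, 0x69, 0x69, 0x0, 0x32, 0xA, 0x7, 0x0, 0x57, 0x4E, 0x63, 0x0, 0x2E, 0x2B, 0x28,
    0x0, 0x73, 0x69, 0x68, 0x0, 0x41, 0x63, 0x6F, 0x0, 0x16, 0x2D, 0xC, 0x0, 0x38, 0x6, 0x24,
    0x0, 0x73, 0x69, 0x6A, 0x0, 0x32, 0xA, 0x5, 0x0, 0x24, 0x27, 0x9, 0x0, 0x1C, 0x21, 0x2D,
    0x0, 0x73, 0x69, 0x6E, 0x0, 0x41, 0x63, 0x6B, 0x0, 0x65, 0x44, 0x62, 0x0, 0x79, 0x65, 0x4F,
    0x0, 0x73, 0x69, 0x66, 0x0, 0x32, 0xA, 0xD, 0x0, 0x57, 0x4E, 0x6F, 0x0, 0x2E, 0x2B, 0x20,
    0x0, 0x73, 0x69, 0x76, 0x0, 0x41, 0x63, 0x7B, 0x0, 0x16, 0x2D, 0x14, 0x0, 0x38, 0x6, 0x34,
    0x0, 0x73, 0x69, 0x56, 0x0, 0x32, 0xA, 0x2D, 0x0, 0x24, 0x27, 0x39, 0x0, 0x1C, 0x21, 0xD,
    0x0, 0x73, 0x69, 0x16, 0x0, 0x41, 0x63, 0x3B, 0x0, 0x65, 0x44, 0x2, 0x0, 0x79, 0x65, 0xF,
    0x0, 0x73, 0x69, 0x96, 0x0, 0x32, 0xA, 0xAD, 0x0, 0x57, 0x4E, 0xAF, 0x0, 0x2E, 0x2B, 0xA0,
    0x0, 0x73, 0x69, 0x8D, 0x0, 0x41, 0x63, 0x20, 0x0, 0x16, 0x2D, 0x8F, 0x0, 0x38, 0x6, 0x2F,
]
key = [key[0x10 * i : 0x10 * (i + 1)] for i in range(len(key) // 16)]
key = [bytes2state(k) for k in key]


def build_pair_maps(tbl: List[bytes]):
    """Precompute the two halves of the first column equation.

    With b0 = t1[a0] ^ t4[a1] ^ t0[a2] ^ t3[a3], returns ``(p_map, q_map)``:
    ``p_map[p]`` lists every (a0, a1) with t1[a0] ^ t4[a1] == p and
    ``q_map[q]`` lists every (a2, a3) with t0[a2] ^ t3[a3] == q.
    Each map holds 65536 pairs in total.
    """
    assert len(tbl) == 5 and all(len(t) == 256 for t in tbl)
    p_map = defaultdict(list)
    q_map = defaultdict(list)
    t0, t1, t3, t4 = tbl[0], tbl[1], tbl[3], tbl[4]

    for a0 in range(256):
        v0 = t1[a0]
        for a1 in range(256):
            p_map[v0 ^ t4[a1]].append((a0, a1))

    for a2 in range(256):
        v2 = t0[a2]
        for a3 in range(256):
            q_map[v2 ^ t3[a3]].append((a2, a3))

    return p_map, q_map


def invert_one_column(b0: int, b1: int, b2: int, b3: int,
                      tbl: List[bytes], p_map, q_map) -> List[Tuple[int, int, int, int]]:
    """Return every input column (a0, a1, a2, a3) that col_mix maps to (b0..b3).

    The column equations, as used by this script, are:
        b0 = t1[a0] ^ t4[a1] ^ t0[a2] ^ t3[a3]
        b1 = t3[a0] ^ t1[a1] ^ t4[a2] ^ t0[a3]
        b2 = t0[a0] ^ t3[a1] ^ t1[a2] ^ t4[a3]
        b3 = t4[a0] ^ t0[a1] ^ t3[a2] ^ t1[a3]

    *p_map* and *q_map* must come from ``build_pair_maps(tbl)``. Solutions are
    returned in the same order as a plain nested scan over p_map / q_map.
    """
    t0, t1, _t2, t3, t4 = tbl  # table 2 does not appear in the equations

    # Index the right-hand pairs by their contribution to BOTH b0 and b1.
    # Matching on two bytes leaves about one candidate per left pair, so a
    # column costs ~2 * 65536 steps instead of scanning ~256 right pairs for
    # each of the 65536 left pairs.
    right_index = defaultdict(list)
    for q, right_pairs in q_map.items():
        for a2, a3 in right_pairs:
            right_index[q, t4[a2] ^ t0[a3]].append((a2, a3))

    solutions = []
    for p, left_pairs in p_map.items():
        q = p ^ b0  # p ^ q must equal b0
        for a0, a1 in left_pairs:
            candidates = right_index.get((q, t3[a0] ^ t1[a1] ^ b1))
            if not candidates:
                continue
            for a2, a3 in candidates:
                if (t0[a0] ^ t3[a1] ^ t1[a2] ^ t4[a3]) != b2:
                    continue
                if (t4[a0] ^ t0[a1] ^ t3[a2] ^ t1[a3]) != b3:
                    continue
                solutions.append((a0, a1, a2, a3))
    return solutions


def inv_col_mix(state: List[List[int]], tbl: List[bytes],
                pair_maps=None) -> Tuple[List[List[int]], List[List[Tuple[int, int, int, int]]]]:
    """Undo col_mix on a 4x4 state, column by column.

    Args:
        state: 4x4 matrix; column ``c`` is ``state[0][c] .. state[3][c]``.
        tbl: the five 256-entry lookup tables.
        pair_maps: optional ``build_pair_maps(tbl)`` result, so callers that
            invert many states can build the maps once.

    Returns:
        ``(out, solutions_per_col)``: *out* uses the first solution found for
        each column; *solutions_per_col* keeps every solution per column.

    Raises:
        ValueError: if some column has no preimage.
    """
    assert len(state) == 4 and all(len(row) == 4 for row in state)
    assert len(tbl) == 5 and all(len(t) == 256 for t in tbl)
    p_map, q_map = build_pair_maps(tbl) if pair_maps is None else pair_maps

    out = [[0] * 4 for _ in range(4)]
    solutions_per_col = []
    for col in range(4):
        b0 = state[0][col] & 0xFF
        b1 = state[1][col] & 0xFF
        b2 = state[2][col] & 0xFF
        b3 = state[3][col] & 0xFF
        sols = invert_one_column(b0, b1, b2, b3, tbl, p_map, q_map)
        if not sols:
            raise ValueError(f"No inverse found for column {col} with bytes {(b0,b1,b2,b3)}")
        for row, value in enumerate(sols[0]):
            out[row][col] = value
        solutions_per_col.append(sols)
    return out, solutions_per_col


def inv_addroundkey(state: list[list[int]], round_key: list[list[int]]):
    """XOR *round_key* into *state* in place and return *state*.

    The round key is read transposed (``round_key[j][i]``) relative to the
    state's indexing.
    """
    for i in range(4):
        for j in range(4):
            state[i][j] ^= round_key[j][i]
    return state


def inv_SBOXswap(state: list[list[int]]):
    """Undo the binary's S-box step in place and return *state*.

    The binary substitutes through ``inv_sbox``; looking a value up by its
    position (``index``) is the reverse mapping.
    """
    for i in range(4):
        for j in range(4):
            state[i][j] = inv_sbox.index(state[i][j])
    return state


def inv_ShiftRows(state: list[list[int]]):
    """Rotate row ``i`` left by ``i`` positions in place and return *state*."""
    for i in range(4):
        state[i] = state[i][i:] + state[i][:i]
    return state


def inv_AES(data):
    """Undo the binary's AES-like routine on one 16-byte block.

    The routine (see the decompilation at the top) applies round key 10, then
    nine rounds of S-box / ShiftRows / AddRoundKey / col_mix with keys 9..1,
    then a final S-box / ShiftRows / AddRoundKey with key 0. This function
    runs the reverse steps in the reverse order.
    """
    state = bytes2state(data)
    # The round functions work on the transposed layout.
    real_state = [[state[j][i] for j in range(4)] for i in range(4)]
    pair_maps = build_pair_maps(tblstate)  # built once per block, not per round

    real_state = inv_addroundkey(real_state, key[0])
    real_state = inv_ShiftRows(real_state)
    real_state = inv_SBOXswap(real_state)
    for i in range(1, 10):
        real_state, _ = inv_col_mix(real_state, tblstate, pair_maps)
        real_state = inv_addroundkey(real_state, key[i])
        real_state = inv_ShiftRows(real_state)
        real_state = inv_SBOXswap(real_state)
    real_state = inv_addroundkey(real_state, key[10])

    for i in range(4):
        for j in range(4):
            state[i][j] = real_state[j][i]
    return state2bytes(state)


# 64-byte XOR stream; per the write-up it was captured while debugging.
xor_key = [
    0xA0, 0x81, 0x3E, 0x4D, 0x5B, 0x6A, 0xD4, 0xC2, 0x7B, 0xA5, 0x46, 0x20, 0x82, 0xB5, 0x1C, 0xEF,
    0x43, 0x51, 0x8B, 0xC3, 0x5E, 0x57, 0xCC, 0x4, 0xF0, 0xBC, 0x43, 0x85, 0x1E, 0x9C, 0xBB, 0x51,
    0xED, 0x59, 0x82, 0xE8, 0x1C, 0x4, 0xAC, 0xB, 0xE4, 0xBA, 0xC2, 0xBA, 0x53, 0x27, 0xF0, 0x1B,
    0xA1, 0x35, 0x1, 0xDF, 0xBB, 0x6F, 0xD2, 0x83, 0xEB, 0x49, 0xB5, 0x4A, 0xF7, 0xE5, 0x40, 0x4B,
]
xor_key = [xor_key[0x10 * i : 0x10 * (i + 1)] for i in range(len(xor_key) // 16)]

# Alphabet of the binary's base64 variant.
table = 'AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz0123456789+/'


def custom_b64encode(data) -> str:
    """Encode *data* with the binary's base64 variant.

    Differences from standard base64: the custom alphabet in ``table``, and
    each 3-byte group is packed with the FIRST byte in the lowest bits, then
    emitted starting from the low 6 bits. A short final group of k bytes
    yields k + 1 characters followed by '=' padding up to four.
    """
    out = []
    for idx in range(0, len(data), 3):
        chunk = data[idx:idx + 3]
        n = 0
        for i, b in enumerate(chunk):
            n |= b << 8 * i
        emitted = len(chunk) + 1
        for _ in range(emitted):
            out.append(table[n & 0x3f])
            n >>= 6
        out.append('=' * (4 - emitted))
    return ''.join(out)


def main() -> None:
    """Run the full recovery and print the raw bytes and the encoded serial."""
    buf = bytearray(enc)
    for i in range(len(buf) // 0x10):
        block = slice(0x10 * i, 0x10 * (i + 1))
        buf[block] = bytes(a ^ b for a, b in zip(buf[block], xor_key[i]))
        buf[block] = inv_AES(buf[block])
    print(buf)
    print(custom_b64encode(buf))


if __name__ == "__main__":
    main()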