能力值:
![]()
(RANK:1170 )
|
-
-
2 楼
是.net的吗?
如果是,一般在加解密类的.cctor里会有线索
如果不是,就不知道了。
|
能力值:
( LV2,RANK:10 )
|
-
-
3 楼
个人观点,希望有用.
typedef struct
{
uint32 erk[64]; /* encryption round keys */
uint32 drk[64]; /* decryption round keys */
int nr; /* number of rounds */
}
aes_context;
int aes_set_key( aes_context *ctx, uint8 *key, int nbits );
void aes_encrypt( aes_context *ctx, uint8 input[16], uint8 output[16] );
void aes_decrypt( aes_context *ctx, uint8 input[16], uint8 output[16] );
如果函数和结构是这样的, 找到aes_context* ctx这个地址, 然后erk中前面的buffer和drk最后的buffer
如果不是可以察看在encrypt中和input进行xor的buffer
或者decrpyt中最后和RSb进行xor的buffer.
可能还可以修改FSb和Rsb
int aes_set_key( aes_context *ctx, uint8 *key, int nbits )
{
int i;
uint32 *RK, *SK;
...
RK = ctx->erk;
for( i = 0; i < (nbits >> 5); i++ )
{
GET_UINT32( RK[i], key, i * 4 );
}
...
}
void aes_encrypt( aes_context *ctx, uint8 input[16], uint8 output[16] )
{
uint32 *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
RK = ctx->erk;
GET_UINT32( X0, input, 0 ); X0 ^= RK[0];
GET_UINT32( X1, input, 4 ); X1 ^= RK[1];
GET_UINT32( X2, input, 8 ); X2 ^= RK[2];
GET_UINT32( X3, input, 12 ); X3 ^= RK[3];
...
}
void aes_decrypt( aes_context *ctx, uint8 input[16], uint8 output[16] )
{
uint32 *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
RK = ctx->drk;
...
/* last round */
RK += 4;
X0 = RK[0] ^ ( RSb[ (uint8) ( Y0 >> 24 ) ] << 24 ) ^
( RSb[ (uint8) ( Y3 >> 16 ) ] << 16 ) ^
( RSb[ (uint8) ( Y2 >> 8 ) ] << 8 ) ^
( RSb[ (uint8) ( Y1 ) ] );
X1 = RK[1] ^ ( RSb[ (uint8) ( Y1 >> 24 ) ] << 24 ) ^
( RSb[ (uint8) ( Y0 >> 16 ) ] << 16 ) ^
( RSb[ (uint8) ( Y3 >> 8 ) ] << 8 ) ^
( RSb[ (uint8) ( Y2 ) ] );
X2 = RK[2] ^ ( RSb[ (uint8) ( Y2 >> 24 ) ] << 24 ) ^
( RSb[ (uint8) ( Y1 >> 16 ) ] << 16 ) ^
( RSb[ (uint8) ( Y0 >> 8 ) ] << 8 ) ^
( RSb[ (uint8) ( Y3 ) ] );
X3 = RK[3] ^ ( RSb[ (uint8) ( Y3 >> 24 ) ] << 24 ) ^
( RSb[ (uint8) ( Y2 >> 16 ) ] << 16 ) ^
( RSb[ (uint8) ( Y1 >> 8 ) ] << 8 ) ^
( RSb[ (uint8) ( Y0 ) ] );
PUT_UINT32( X0, output, 0 );
PUT_UINT32( X1, output, 4 );
PUT_UINT32( X2, output, 8 );
PUT_UINT32( X3, output, 12 );
}
|
