2025GHCTF Re-wp+复现

读汇编就行，可以用AI辅助。

要注意的是下面这里的数据

ENC PROC
    PUSH CX
    MOV SI,OFFSET BUFFER1 + 2
    MOV DI,OFFSET DATA1
    MOV CX,8
LOOP2:
    MOV AX,WORD PTR[DI + 1]  ;读取的是双字WORD，所以AX应该是di[2]和di[1]组成的2字节数据
    XOR WORD PTR[SI],AX ;这里也是读取的si[1] 和si[0]的2字节数据
    MOV AX,WORD PTR[DI + 2] ;di[2]和di[3]同上
    XOR WORD PTR[SI + 2],AX ;si[2]和si[3]同上
    ADD SI,4
    ADD DI,4
    LOOP LOOP2
    POP CX
    RET
ENC ENDP

就一个异或加密，异或回来就行。

大概逻辑和解密脚本

#include <stdio.h>
#include <string.h>

unsigned char DATA1[32] = {
    0x26, 0x27, 0x24, 0x25, 0x2A, 0x2B, 0x28, 0x00,
    0x2E, 0x2F, 0x2C, 0x2D, 0x32, 0x33, 0x30, 0x00,
    0x36, 0x37, 0x34, 0x35, 0x3A, 0x3B, 0x38, 0x39,
    0x3E, 0x3F, 0x3C, 0x3D, 0x3F, 0x27, 0x34, 0x11
};

unsigned char DATA2[32] = {
    0x69, 0x77, 0x77, 0x66, 0x73, 0x72, 0x4F, 0x46,
    0x03, 0x47, 0x6F, 0x79, 0x07, 0x41, 0x13, 0x47,
    0x5E, 0x67, 0x5F, 0x09, 0x0F, 0x58, 0x63, 0x7D,
    0x5F, 0x77, 0x68, 0x35, 0x62, 0x0D, 0x0D, 0x50
};

void do1(unsigned char* data) {
    for (int cx = 0; cx < 8; cx++) {
        int si = cx * 4;
        int di = si + 4;
        if (di >= 28) di -= 28;
        for (int i = 0; i < 4; i++) {  //这里是do2的逻辑，交换值
            unsigned char temp = data[si + i];
            data[si + i] = data[di + i];
            data[di + i] = temp;
        }
    }
}

void enc(unsigned char* input) {
    for (int i = 0; i < 32; i += 4) {
        input[i] ^= DATA1[i + 1];
        input[i+1] ^= DATA1[i + 2];  //因为双字的关系，这里data1中有一个值被重复使用了
        input[i + 2] ^= DATA1[i + 2]; 
        input[i + 3] ^= DATA1[i + 3];
    }
}

int main() {
    //unsigned char buffer[34] = { 0 }; //注释部分是AI写的
    //printf("Welcome to GHCTF!\n");
    //printf("Input your flag: ");
    //fgets((char*)buffer + 2, 33, stdin);
    //buffer[strcspn((char*)buffer + 2, "\n")] = 0; 
    do1(DATA1); 
    //enc(buffer + 2);
    //if (memcmp(buffer + 2, DATA2, 32) == 0) {
    //    printf("\nRight!\n");
    //}
    //else {
    //    printf("\nWrong!\n");
    //}
    enc(DATA2);
    printf("%s", DATA2);
    return 0;
}
NSSCTF{W0w_y0u're_g00d_@t_@5M!!}

法2：用dosbox编译运行，结合ida分析找到处理完后的盒直接异或解密。

FishingKit

主函数里面有一个方程

用z3解

from z3 import *
s = Solver()
x = [BitVec(f"a_{i}",8) for i in range(10)]

s.add(202 * x[8] + 216 * x[5] - 4 * x[4] - 330 * x[9] - 13 * x[4] - 268 * x[6] == -14982)
s.add(325 * x[8] + 195 * x[0] + 229 * x[1] - 121 * x[6] - 409 * x[6] - (x[1] << 7) == 22606)
s.add(489 * x[1] + 480 * x[6] + 105 * x[2] + 367 * x[3] - 135 * x[4] - 482 * x[9] == 63236)
s.add(493 * x[1] - 80 * x[4] - 253 * x[8] - 121 * x[2] - 177 * x[0] - 243 * x[9] == -39664)
s.add(275 * x[4] + 271 * x[6] + 473 * x[7] - 72 * x[5] - 260 * x[4] - 367 * x[4] == 14255)
s.add(286 * x[0] + 196 * x[7] + 483 * x[2] + 442 * x[1] - 495 * x[8] - 351 * x[4] == 41171)
s.add(212 * x[2] + 283 * x[7] - 329 * x[8] - 429 * x[9] - 362 * x[2] - 261 * x[6] == -90284)
s.add(456 * x[5] + 244 * x[7] + 92 * x[4] + 348 * x[7] - 225 * x[1] - 31 * x[2] == 88447)
s.add(238 * x[9] + 278 * x[7] + 216 * x[6] + 237 * x[0] + 8 * x[2] - 17 * x[9] == 83838)
s.add(323 * x[9] + 121 * x[1] + 370 * x[7] - (x[4] << 6) - 196 * x[9] - 422 * x[0] == 26467)
s.add(166 * x[9] + 90 * x[1] + 499 * x[2] + 301 * x[8] - 31 * x[2] - 206 * x[2] == 88247)
s.add(355 * x[0] + 282 * x[4] + 44 * x[9] + 359 * x[8] - 167 * x[5] - 62 * x[3] == 76658)
s.add(488 * x[6] + 379 * x[9] + 318 * x[2] - 85 * x[1] - 357 * x[2] - 277 * x[5] == 35398)
s.add(40 * x[0] + 281 * x[4] + 217 * x[5] - 241 * x[1] - 407 * x[7] - 309 * x[7] == -35436)
s.add(429 * x[3] + 441 * x[3] + 115 * x[1] + 96 * x[8] + 464 * x[1] - 133 * x[7] == 157448)

s.check()
# print(s.model())
for i in range (10):
    print(f"{chr(s.model()[x[i]].as_long())}",end ="")
    
# DeluxeBait

解出的字符串”DeluxeBait”作为密钥进行RC4加密。解密后会发现RC4加密是假的，会解出假flag，NSSCTF{Fake!Fake!Fake!}。

查看main函数之前的函数我们会发现一些其他的函数。

这里获取strcmp的地址，然后传入到VirtualProtect中，然后修改了strcmp的逻辑达到hook的目的。

这里利用了VirtualProtect修改了函数。

在这里下面还有一个enc函数，里面有许多被加密的字符串，看来这里的加密逻辑就是真正的加密逻辑。在enc之前还有一个getsecret函数获取了真正的密文。

enc函数里是一个xtea加密，魔改了delta，轮数为24，输入被分为4字节两两加密。动调可以获取密钥就是”DeluxeBait”后面补0。

#include<stdio.h>
#include<stdint.h>
void decipher(unsigned int num_rounds, uint32_t v[2], uint32_t const key[4]) {
    unsigned int i;
    uint32_t v0 = v[0], v1 = v[1], delta = 0x66778899, sum = delta * num_rounds;

    for (i = 0; i < num_rounds; i++) {
        v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
        sum -= delta;
        v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
    }
    v[0] = v0; v[1] = v1;
}

int main() {
    uint32_t v[6] = { 0xA6975621, 0xDEC4D51A, 0x4D829CA4, 0x56C845D1, 0x5C96B4A7, 0x2087494D };
    uint32_t const k[4] = { 0x756C6544, 0x61426578, 0x00007469, 0x00000000 };
    unsigned int r = 24;

    for (int i = 0; i < 6; i += 2) {
        decipher(r, &v[i], k);
    }
    
    for (int i = 0; i < 24; i++) {
        printf("%c", *((char*)v + i));
    }
    return 0;
}
NSSCTF{Wh@t_@_b1g_F1sh}

LockedSecret

换头UPX,手动修头，UPX!前面是版本，这里找了个UPX头的模板随便填的。upx脱壳就行。

加密逻辑就在_main里，第一个函数是用于异或处理密钥的，第二个是一个tea加密。

不知道为什么IDA给我识别成这鸟样~~，用Ghidra和BN分析会更好，但是解题的时候没想到~~。写出加密逻辑后动调看了好久发现数据对不上后面看一下汇编才发现v12和v5那些那里的那一长串是假的，其实就只有类似v1 += ((v0 << 4) + k2) ^ (v0 + sum) ^ ((v0 >> 5) + k3);的操作，其实就是普通的tea加密逻辑。所以这里的轮数只有八轮。密钥的话直接动调获取k的值就行，delta就是开始的值1579382783，最后还异或了一个0xf。不用管之前的那些操作。密文也同理动调获取就行，4字节分组两两解密。

#include <stdio.h>
#include <stdint.h>

void encrypt(uint32_t* v, uint32_t* k) { //加密逻辑
    uint32_t v0 = v[0], v1 = v[1],  i;
    int delta = 0x5E2377FF,sum = 0;
    uint32_t k0 = k[0], k1 = k[1], k2 = k[2], k3 = k[3];

    for (i = 0; i < 8; i++) {
        sum += delta;
        //printf("sum: %d  ,%d\n", sum,i);
        /*if (i == 2) {  //假的
            uint32_t a, b, c;
            a = (k3 + ((v0 + ((v1 << 4) + k0) ^ (v1 + sum) ^ ((v1 >> 5) + k1)) >> 5));
            b = (v0 + ((v1 + ((v1 << 4) + k0) ^ (v1 + sum) ^ ((v1 >> 5) + k1) + sum)));
            c = (k2 + ((v0 + ((v1 << 4) + k0) ^ (v1 + sum) ^ ((v1 >> 5) + k1)) << 4));
            v1 += a ^ b ^ c;

            v0 += ((v1 << 4) + k0) ^ (v1 + sum) ^ ((v1 >> 5) + k1);
        }*/
        v0 += ((v1 << 4) + k0) ^ (v1 + sum) ^ ((v1 >> 5) + k1);
        v1 += ((v0 << 4) + k2) ^ (v0 + sum) ^ ((v0 >> 5) + k3);
        //printf("%8x  %8x\n", v0, v1);
    }
    v[0] = v0 ^0xf; v[1] = v1^0xf;
}
void decrypt(uint32_t* v, uint32_t* k) { //解密逻辑
    int und = 8;
    uint32_t v0 = v[0] ^0xf, v1 = v[1] ^0xf; //异或解密
    int sum = 0x5E2377FF * und, i;  
    int delta = 0x5E2377FF;
    uint32_t k0 = k[0], k1 = k[1], k2 = k[2], k3 = k[3];

    for (i = 0; i < und; i++) {
        v1 -= ((v0 << 4) + k2) ^ (v0 + sum) ^ ((v0 >> 5) + k3);
        v0 -= ((v1 << 4) + k0) ^ (v1 + sum) ^ ((v1 >> 5) + k1);
        sum -= delta;
    }
    v[0] = v0; v[1] = v1;
}

int main() {
    uint32_t v[8] = { 0x031E45DC, 0x2776E989, 0x01234847, 0x64CED270, 0x33467FDA, 0xA34903B1, 0x2CD10027, 0x75BDB337 };
    uint32_t k[4] = { 0x423DF72D, 0x05F59A01, 0x633FCF1D, 0x77D19122 };         
    //unsigned int data[8] = {
    //0x31313131, 0x31313131, 0x31313131, 0x31313131, 0x31313131, 0x31313131, 0x31313131, 0x31313131
    //}; //测试数据
    for (int i = 0; i < 8; i += 2) {
        encrypt(&data[i], k);
        //printf("%8x  %8x\n", data[i], data[i + 1]);
    }

    for (int i = 0; i < 8; i += 2) {
        decrypt(&v[i], k);
    }
    
    for (int i = 0; i < 32; i++) {
        printf("%c", *((char*)v + i));
    }
    return 0;
}
NSSCTF{!!!Y0u_g3t_th3_s3cr3t!!!}

Mio？Ryo？Soyo？

解包的时候要用相同的python版本3.8。secret模块在子包里面。用pycdc反编译后让AI给我们重命名一下

class Base85Encoder:
    CHARSET = ''.join(chr(c) for c in range(33, 118))

    @staticmethod
    def encode(data: bytes) -> str:
        encoded_str = ''
        padding = (4 - len(data) % 4) % 4
        data += b'\x00' * padding

        for i in range(0, len(data), 4):
            chunk = data[i:i + 4]
            value = int.from_bytes(chunk, 'big')
            encoded_chunk = ''
            for _ in range(5):
                encoded_chunk = Base85Encoder.CHARSET[value % 85] + encoded_chunk
                value //= 85
            encoded_str += encoded_chunk

        if padding:
            encoded_str = encoded_str[:-padding]
        return encoded_str


class Base45Encoder:
    CHARSET = ''.join(chr(c) for c in range(48, 93)) # 换表

    @staticmethod
    def encode(data: bytes) -> str:
        encoded_list = []
        i = 0
        while i < len(data):
            if i + 1 < len(data):
                value = data[i] << 8 | data[i + 1]
                encoded_list.append(Base45Encoder.CHARSET[value % 45])
                value //= 45
                encoded_list.append(Base45Encoder.CHARSET[value % 45])
                value //= 45
                encoded_list.append(Base45Encoder.CHARSET[value])
                i += 2
            else:
                value = data[i]
                encoded_list.append(Base45Encoder.CHARSET[value % 45])
                value //= 45
                encoded_list.append(Base45Encoder.CHARSET[value])
                i += 1

        return ''.join(encoded_list)


def ShiftCipher(text: str, shift: int) -> str:
    result = []
    for char in text:
        if 'a' <= char <= 'z':
            new_char = chr(ord('a') + (ord(char) - ord('a') + shift) % 26)
            result.append(new_char)
        elif '0' <= char <= '9':
            new_char = chr(ord('0') + (ord(char) - ord('0') - shift) % 10)
            result.append(new_char)
        else:
            result.append(char)
    return ''.join(result)



# 可能是加密后的字节数据
encrypted_bytes = bytes([
    57, 118, 33, 114, 68, 56, 117, 115, 34, 52, 52, 95, 78, 40, 49, 59, 95, 85, 63, 122,
    54, 33, 77, 110, 49, 54, 34, 109, 106, 122, 60, 92, 108, 91, 61, 51, 42, 62, 35, 38,
    52, 67, 62, 122, 116, 48, 76, 50, 67, 51, 59, 41, 122, 45, 45, 51, 90
])

def decrypt_data(data: str) -> str:
    """ 解密输入字符串 """
    step1 = Base45Encoder.encode(data.encode())  # Base45 编码
    step2 = ShiftCipher(step1, 7).encode()  # 位移加密
    step3 = Base85Encoder.encode(step2)  # Base85 编码
    final_result = ShiftCipher(step3, 9)  # 再次位移加密
    return final_result

换表base45，base85，和位移加密。直接写出解密就行，不过不知道base解码有点问题一，所以输出用赛博厨师解base。

def reshift(text: str, shift: int) -> str:
    result = []
    for char in text:
        if 'a' <= char <= 'z':
            new_char = chr(ord('a') + (ord(char) - ord('a') - shift) % 26)
            result.append(new_char)
        elif '0' <= char <= '9':
            new_char = chr(ord('0') + (ord(char) - ord('0') + shift) % 10)
            result.append(new_char)
        else:
            result.append(char)
    return ''.join(result)


a = [
    57, 118, 33, 114, 68, 56, 117, 115, 34, 52, 52, 95, 78, 40, 49, 59, 95, 85, 63, 122,
    54, 33, 77, 110, 49, 54, 34, 109, 106, 122, 60, 92, 108, 91, 61, 51, 42, 62, 35, 38,
    52, 67, 62, 122, 116, 48, 76, 50, 67, 51, 59, 41, 122, 45, 45, 51, 90
]
m = ""
for i in a:
    m+=chr(i)
re = reshift(m,9)

print(re)

# 赛博厨师解码base85后导出十六进制
data=[0x4a,0x58,0x32,0x4e,0x47,0x3a,0x43,0x4d,0x3a,0x4b,0x4a,0x3f,0x53,0x30,0x3d,0x3a,0x3e,0x3f,0x4e,0x43,0x3e,0x4b,0x35,0x3c,0x56,0x32,0x39,0x5a,0x35,0x3c,0x59,0x3a,0x39,0x43,0x3d,0x3b,0x4c,0x41,0x31,0x52,0x51,0x39,0x47,0x3a,0x37]
datastr =""
for i in data:
    datastr+=chr(i)

decdata = reshift(datastr,7)
base45table =""
for i in range(48,94):
    base45table += chr(i)
print(base45table) #输出base45的表
print(decdata) 


# 8m!iD7lj"33_N(0;_U?q5!Me05"daq<\c[=2*>#&3C>qk9L1C2;)q--2Z
# 0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]
# JX9NG:CM:KJ?S7=:>?NC>K2<V96Z2<Y:6C=;LA8RQ6G:4

TimeSpaceRescue

大概逻辑就是获取系统的年月日保存到一个数组中，然后用这些值生成MD5值，把MD5值作为密钥进行魔改AES加密。

struct tm
{
    int tm_sec;  /*秒，正常范围0-59， 但允许至61*/
    int tm_min;  /*分钟，0-59*/
    int tm_hour; /*小时， 0-23*/
    int tm_mday; /*日，即一个月中的第几天，1-31*/
    int tm_mon;  /*月， 从一月算起，0-11*/
    int tm_year; /*年， 从1900至今已经多少年*/
    int tm_wday; /*星期，一周中的第几天， 从星期日算起，0-6*/
    int tm_yday; /*从今年1月1日到目前的天数，范围0-365*/
    int tm_isdst;/*日光节约时间的旗标*/
};

函数中隐藏了一花指令如下，nop掉就可以发现一些异或。

.text:00401407                 push    eax
.text:00401408                 xor     eax, eax
.text:0040140A                 call    $+5
.text:0040140F                 add     eax, 5
.text:00401412                 add     eax, 6
.text:00401415                 add     eax, 7
.text:00401418                 shl     eax, 1
.text:0040141A                 xor     eax, 2
.text:0040141D                 add     eax, 1
.text:00401420                 cmp     eax, 71h ; 'q'
.text:00401423                 jz      short loc_401426
.text:00401425                 retn
.text:00401426 ; ---------------------------------------------------------------------------
.text:00401426
.text:00401426 loc_401426:                             ; CODE XREF: sub_401210+213↑j
.text:00401426                 pop     eax

生成的MD5值会被异或0x11和0x14。

AES中多加了一些异或。因为在最后a3+=16执行了两次，所以a3的索引已经没有指向我们的数据了。直接忽略掉就行，对数据没有影响。xor1和xor2的逻辑直接写出来就行，不需要修改。

解密时把xor1和下面的xor2互换一下就行。题目提示是2024年的一天，直接爆破获得MD5值解密就行。

#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

typedef unsigned char* POINTER; //指针类型定义
typedef struct {
    unsigned int state[4];    
    unsigned int count[2];     
    unsigned char buffer[64];     
} MD5_CTX; //存放MD5算法相关信息的结构体定义

void MD5Init(MD5_CTX*);
void MD5Update(MD5_CTX*, unsigned char*, unsigned int);
void MD5Final(unsigned char[16], MD5_CTX*);
void MD5Transform(unsigned int[4], unsigned char[64]);
void Encode(unsigned char*, unsigned int*, unsigned int);
void Decode(unsigned int*, unsigned char*, unsigned int);
void xor1(unsigned char* data);
unsigned int xor2(unsigned char* input);

//循环左移的位数
#define S11 7
#define S12 12
#define S13 17
#define S14 22
#define S21 5
#define S22 9
#define S23 14
#define S24 20
#define S31 4
#define S32 11
#define S33 16
#define S34 23
#define S41 6
#define S42 10
#define S43 15
#define S44 21

//数据填充的内容
unsigned char PADDING[64] = {
  0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

//F,G,H,I四个非线性变换函数
#define F(x, y, z) (((x) & (y)) | ((~x) & (z)))
#define G(x, y, z) (((x) & (z)) | ((y) & (~z)))
#define H(x, y, z) ((x) ^ (y) ^ (z))
#define I(x, y, z) ((y) ^ ((x) | (~z)))

//x循环左移n位的操作
#define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n))))

//FF,GG,HH,II是四轮循环变换分别用到的变换函数
#define FF(a, b, c, d, x, s, ac) { \
 (a) += F ((b), (c), (d)) + (x) + (unsigned int)(ac); \
 (a) = ROTATE_LEFT ((a), (s)); \
 (a) += (b); \
  }
#define GG(a, b, c, d, x, s, ac) { \
 (a) += G ((b), (c), (d)) + (x) + (unsigned int)(ac); \
 (a) = ROTATE_LEFT ((a), (s)); \
 (a) += (b); \
  }
#define HH(a, b, c, d, x, s, ac) { \
 (a) += H ((b), (c), (d)) + (x) + (unsigned int)(ac); \
 (a) = ROTATE_LEFT ((a), (s)); \
 (a) += (b); \
  }
#define II(a, b, c, d, x, s, ac) { \
 (a) += I ((b), (c), (d)) + (x) + (unsigned int)(ac); \
 (a) = ROTATE_LEFT ((a), (s)); \
 (a) += (b); \
  }

/**
 * S盒
 */
static const int S[16][16] = { 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
    0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,
    0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15,
    0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75,
    0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84,
    0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
    0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8,
    0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2,
    0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73,
    0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb,
    0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79,
    0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,
    0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a,
    0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e,
    0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
    0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16 };

/**
 * 逆S盒
 */
static const int S2[16][16] = { 0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38, 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb,
    0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87, 0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb,
    0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d, 0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e,
    0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2, 0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25,
    0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16, 0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92,
    0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda, 0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84,
    0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a, 0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06,
    0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02, 0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b,
    0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea, 0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73,
    0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85, 0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e,
    0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89, 0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b,
    0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20, 0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4,
    0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31, 0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f,
    0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d, 0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef,
    0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0, 0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61,
    0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26, 0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d };

/**
 * 获取整形数据的低8位的左4个位
 */
static int getLeft4Bit(int num) {
    int left = num & 0x000000f0;
    return left >> 4;
}

/**
 * 获取整形数据的低8位的右4个位
 */
static int getRight4Bit(int num) {
    return num & 0x0000000f;
}
/**
 * 根据索引，从S盒中获得元素
 */
static int getNumFromSBox(int index) {
    int row = getLeft4Bit(index);
    int col = getRight4Bit(index);
    return S[row][col];
}

/**
 * 把一个字符转变成整型
 */
static int getIntFromChar(char c) {
    int result = (int)c;
    return result & 0x000000ff;
}

/**
 * 把16个字符转变成4X4的数组，
 * 该矩阵中字节的排列顺序为从上到下，
 * 从左到右依次排列。
 */
static void convertToIntArray(char* str, int pa[4][4]) {
    int k = 0;
    for (int i = 0; i < 4; i++)
        for (int j = 0; j < 4; j++) {
            pa[j][i] = getIntFromChar(str[k]);
            k++;
        }
}

/**
 * 打印4X4的数组
 */
static void printArray(int a[4][4]) {
    for (int i = 0; i < 4; i++) {
        for (int j = 0; j < 4; j++)
            printf("a[%d][%d] = 0x%x ", i, j, a[i][j]);
        printf("\n");
    }
    printf("\n");
}

/**
 * 打印字符串的ASSCI，
 * 以十六进制显示。
 */
static void printASSCI(char* str, int len) {
    for (int i = 0; i < len; i++)
        printf("0x%x ", getIntFromChar(str[i]));
    printf("\n");
}

/**
 * 把连续的4个字符合并成一个4字节的整型
 */
static int getWordFromStr(char* str) {
    int one = getIntFromChar(str[0]);
    one = one << 24;
    int two = getIntFromChar(str[1]);
    two = two << 16;
    int three = getIntFromChar(str[2]);
    three = three << 8;
    int four = getIntFromChar(str[3]);
    return one | two | three | four;
}

/**
 * 把一个4字节的数的第一、二、三、四个字节取出，
 * 入进一个4个元素的整型数组里面。
 */
static void splitIntToArray(int num, int array[4]) {
    int one = num >> 24;
    array[0] = one & 0x000000ff;
    int two = num >> 16;
    array[1] = two & 0x000000ff;
    int three = num >> 8;
    array[2] = three & 0x000000ff;
    array[3] = num & 0x000000ff;
}

/**
 * 将数组中的元素循环左移step位
 */
static void leftLoop4int(int array[4], int step) {
    int temp[4];
    for (int i = 0; i < 4; i++)
        temp[i] = array[i];

    int index = step % 4 == 0 ? 0 : step % 4;
    for (int i = 0; i < 4; i++) {
        array[i] = temp[index];
        index++;
        index = index % 4;
    }
}

/**
 * 把数组中的第一、二、三和四元素分别作为
 * 4字节整型的第一、二、三和四字节，合并成一个4字节整型
 */
static int mergeArrayToInt(int array[4]) {
    int one = array[0] << 24;
    int two = array[1] << 16;
    int three = array[2] << 8;
    int four = array[3];
    return one | two | three | four;
}

/**
 * 常量轮值表
 */
static const int Rcon[10] = { 0x01000000, 0x02000000,
    0x04000000, 0x08000000,
    0x10000000, 0x20000000,
    0x40000000, 0x80000000,
    0x1b000000, 0x36000000 };
/**
 * 密钥扩展中的T函数
 */
static int T(int num, int round) {
    int numArray[4];
    splitIntToArray(num, numArray);
    leftLoop4int(numArray, 1);//字循环

    //字节代换
    for (int i = 0; i < 4; i++)
        numArray[i] = getNumFromSBox(numArray[i]);

    int result = mergeArrayToInt(numArray);
    return result ^ Rcon[round];
}

//密钥对应的扩展数组
static int w[44];

/**
 * 扩展密钥，结果是把w[44]中的每个元素初始化
 */
static void extendKey(char* key) {
    for (int i = 0; i < 4; i++)
        w[i] = getWordFromStr(key + i * 4);

    for (int i = 4, j = 0; i < 44; i++) {
        if (i % 4 == 0) {
            w[i] = w[i - 4] ^ T(w[i - 1], j);
            j++;//下一轮
        }
        else {
            w[i] = w[i - 4] ^ w[i - 1];
        }
    }

}

/**
 * 轮密钥加
 */
static void addRoundKey(int array[4][4], int round) {
    int warray[4];
    for (int i = 0; i < 4; i++) {

        splitIntToArray(w[round * 4 + i], warray);

        for (int j = 0; j < 4; j++) {
            array[j][i] = array[j][i] ^ warray[j];
        }
    }
}

/**
 * 字节代换
 */
static void subBytes(int array[4][4]) {
    for (int i = 0; i < 4; i++)
        for (int j = 0; j < 4; j++)
            array[i][j] = getNumFromSBox(array[i][j]);
}

/**
 * 行移位
 */
static void shiftRows(int array[4][4]) {
    int rowTwo[4], rowThree[4], rowFour[4];
    //复制状态矩阵的第2,3,4行
    for (int i = 0; i < 4; i++) {
        rowTwo[i] = array[1][i];
        rowThree[i] = array[2][i];
        rowFour[i] = array[3][i];
    }
    //循环左移相应的位数
    leftLoop4int(rowTwo, 1);
    leftLoop4int(rowThree, 2);
    leftLoop4int(rowFour, 3);

    //把左移后的行复制回状态矩阵中
    for (int i = 0; i < 4; i++) {
        array[1][i] = rowTwo[i];
        array[2][i] = rowThree[i];
        array[3][i] = rowFour[i];
    }
}

/**
 * 列混合要用到的矩阵
 */
static const int colM[4][4] = { 2, 3, 1, 1,
    1, 2, 3, 1,
    1, 1, 2, 3,
    3, 1, 1, 2 };

static int GFMul2(int s) {
    int result = s << 1;
    int a7 = result & 0x00000100;

    if (a7 != 0) {
        result = result & 0x000000ff;
        result = result ^ 0x1b;
    }

    return result;
}

static int GFMul3(int s) {
    return GFMul2(s) ^ s;
}

static int GFMul4(int s) {
    return GFMul2(GFMul2(s));
}

static int GFMul8(int s) {
    return GFMul2(GFMul4(s));
}

static int GFMul9(int s) {
    return GFMul8(s) ^ s;
}

static int GFMul11(int s) {
    return GFMul9(s) ^ GFMul2(s);
}

static int GFMul12(int s) {
    return GFMul8(s) ^ GFMul4(s);
}

static int GFMul13(int s) {
    return GFMul12(s) ^ s;
}

static int GFMul14(int s) {
    return GFMul12(s) ^ GFMul2(s);
}

/**
 * GF上的二元运算
 */
static int GFMul(int n, int s) {
    int result;

    if (n == 1)
        result = s;
    else if (n == 2)
        result = GFMul2(s);
    else if (n == 3)
        result = GFMul3(s);
    else if (n == 0x9)
        result = GFMul9(s);
    else if (n == 0xb)//11
        result = GFMul11(s);
    else if (n == 0xd)//13
        result = GFMul13(s);
    else if (n == 0xe)//14
        result = GFMul14(s);

    return result;
}
/**
 * 列混合
 */
static void mixColumns(int array[4][4]) {

    int tempArray[4][4];

    for (int i = 0; i < 4; i++)
        for (int j = 0; j < 4; j++)
            tempArray[i][j] = array[i][j];

    for (int i = 0; i < 4; i++)
        for (int j = 0; j < 4; j++) {
            array[i][j] = GFMul(colM[i][0], tempArray[0][j]) ^ GFMul(colM[i][1], tempArray[1][j])
                ^ GFMul(colM[i][2], tempArray[2][j]) ^ GFMul(colM[i][3], tempArray[3][j]);
        }
}
/**
 * 把4X4数组转回字符串
 */
static void convertArrayToStr(int array[4][4], char* str) {
    for (int i = 0; i < 4; i++)
        for (int j = 0; j < 4; j++)
            *str++ = (char)array[j][i];
}
/**
 * 检查密钥长度
 */
static int checkKeyLen(int len) {
    if (len == 16)
        return 1;
    else
        return 0;
}

/**
 * 参数 p: 明文的字符串数组。
 * 参数 plen: 明文的长度。
 * 参数 key: 密钥的字符串数组。
 */
int aes(char* p, int plen, char* key) {

    int keylen = strlen(key);
    if (plen == 0 || plen % 16 != 0) {
        return 0;
    }

    if (!checkKeyLen(keylen)) {
        return 0;
    }
    xor1((unsigned char*)key);
    extendKey(key);//扩展密钥
    int pArray[4][4];

    for (int k = 0; k < plen; k += 16) {
        xor2((unsigned char*)p + k);
        convertToIntArray(p + k, pArray);

        addRoundKey(pArray, 0);//一开始的轮密钥加

        for (int i = 1; i < 10; i++) {//前9轮

            subBytes(pArray);//字节代换

            shiftRows(pArray);//行移位

            mixColumns(pArray);//列混合

            addRoundKey(pArray, i);

        }

        //第10轮
        subBytes(pArray);//字节代换

        shiftRows(pArray);//行移位

        addRoundKey(pArray, 10);

        convertArrayToStr(pArray, p + k);
        xor1((unsigned char*)p + k);
    }

}
/**
 * 根据索引从逆S盒中获取值
 */
static int getNumFromS1Box(int index) {
    int row = getLeft4Bit(index);
    int col = getRight4Bit(index);
    return S2[row][col];
}
/**
 * 逆字节变换
 */
static void deSubBytes(int array[4][4]) {
    for (int i = 0; i < 4; i++)
        for (int j = 0; j < 4; j++)
            array[i][j] = getNumFromS1Box(array[i][j]);
}
/**
 * 把4个元素的数组循环右移step位
 */
static void rightLoop4int(int array[4], int step) {
    int temp[4];
    for (int i = 0; i < 4; i++)
        temp[i] = array[i];

    int index = step % 4 == 0 ? 0 : step % 4;
    index = 3 - index;
    for (int i = 3; i >= 0; i--) {
        array[i] = temp[index];
        index--;
        index = index == -1 ? 3 : index;
    }
}

/**
 * 逆行移位
 */
static void deShiftRows(int array[4][4]) {
    int rowTwo[4], rowThree[4], rowFour[4];
    for (int i = 0; i < 4; i++) {
        rowTwo[i] = array[1][i];
        rowThree[i] = array[2][i];
        rowFour[i] = array[3][i];
    }

    rightLoop4int(rowTwo, 1);
    rightLoop4int(rowThree, 2);
    rightLoop4int(rowFour, 3);

    for (int i = 0; i < 4; i++) {
        array[1][i] = rowTwo[i];
        array[2][i] = rowThree[i];
        array[3][i] = rowFour[i];
    }
}
/**
 * 逆列混合用到的矩阵
 */
static const int deColM[4][4] = { 0xe, 0xb, 0xd, 0x9,
    0x9, 0xe, 0xb, 0xd,
    0xd, 0x9, 0xe, 0xb,
    0xb, 0xd, 0x9, 0xe };

/**
 * 逆列混合
 */
static void deMixColumns(int array[4][4]) {
    int tempArray[4][4];

    for (int i = 0; i < 4; i++)
        for (int j = 0; j < 4; j++)
            tempArray[i][j] = array[i][j];

    for (int i = 0; i < 4; i++)
        for (int j = 0; j < 4; j++) {
            array[i][j] = GFMul(deColM[i][0], tempArray[0][j]) ^ GFMul(deColM[i][1], tempArray[1][j])
                ^ GFMul(deColM[i][2], tempArray[2][j]) ^ GFMul(deColM[i][3], tempArray[3][j]);
        }
}
/**
 * 把两个4X4数组进行异或
 */
static void addRoundTowArray(int aArray[4][4], int bArray[4][4]) {
    for (int i = 0; i < 4; i++)
        for (int j = 0; j < 4; j++)
            aArray[i][j] = aArray[i][j] ^ bArray[i][j];
}
/**
 * 从4个32位的密钥字中获得4X4数组，
 * 用于进行逆列混合
 */
static void getArrayFrom4W(int i, int array[4][4]) {
    int index = i * 4;
    int colOne[4], colTwo[4], colThree[4], colFour[4];
    splitIntToArray(w[index], colOne);
    splitIntToArray(w[index + 1], colTwo);
    splitIntToArray(w[index + 2], colThree);
    splitIntToArray(w[index + 3], colFour);

    for (int i = 0; i < 4; i++) {
        array[i][0] = colOne[i];
        array[i][1] = colTwo[i];
        array[i][2] = colThree[i];
        array[i][3] = colFour[i];
    }

}
void xor1(unsigned char* data)
{
    uint8_t temp;
    for (unsigned int i = 0; i < 16; i += 2)
    {
        temp = data[i] ^ 5;
        data[i] = data[i + 1] ^ 5;
        data[i + 1] = temp;
    }
}

unsigned int xor2(unsigned char* input) {
    unsigned int i_1 = 0;
    unsigned int i = 15;
    char v4;

    while (i_1 < i) {
        v4 = input[i_1] ^ 0xF;
        input[i_1] = input[i] ^ 0xF;
        input[i] = v4;
        ++i_1;
        --i;
    }

    return i_1;
}
/**
 * 参数 c: 密文的字符串数组。
 * 参数 clen: 密文的长度。
 * 参数 key: 密钥的字符串数组。
 */
int deAes(char* c, int clen, char* key) {

    int keylen = strlen(key);
    if (clen == 0 || clen % 16 != 0) {
        return 0;
    }

    if (!checkKeyLen(keylen)) {
        return 0;
    }
    xor1((unsigned char*)key);
    extendKey(key);//扩展密钥
    int cArray[4][4];
    for (int k = 0; k < clen; k += 16) {
        xor1((unsigned char*)c + k);
        convertToIntArray(c + k, cArray);


        addRoundKey(cArray, 10);

        int wArray[4][4];
        for (int i = 9; i >= 1; i--) {
            deSubBytes(cArray);

            deShiftRows(cArray);

            deMixColumns(cArray);
            getArrayFrom4W(i, wArray);
            deMixColumns(wArray);

            addRoundTowArray(cArray, wArray);
        }

        deSubBytes(cArray);

        deShiftRows(cArray);

        addRoundKey(cArray, 0);

        convertArrayToStr(cArray, c + k);
        xor2((unsigned char*)c + k);


    }
}

//MD5算法初始化操作
void MD5Init(MD5_CTX* context)
{
    //bit计数器清零
    context->count[0] = context->count[1] = 0;
    //A,B,C,D被初始化为四个特定的常数(Magic Number)
    context->state[0] = 0x67452301;
    context->state[1] = 0xefcdab89;
    context->state[2] = 0x98badcfe;
    context->state[3] = 0x10325476;
}

//使用MD5算法对input的数据进行处理
void MD5Update(MD5_CTX* context, unsigned char* input, unsigned int inputLen)
{
    unsigned int i, index, partLen;
    //计算[已处理数据长度(byte) mod 64]
    index = (unsigned int)((context->count[0] >> 3) & 0x3F);
    //bit计数器累加
    if ((context->count[0] += ((unsigned int)inputLen << 3))
        < ((unsigned int)inputLen << 3)) //处理加法进位溢出的情况
        context->count[1]++;
    context->count[1] += ((unsigned int)inputLen >> 29);
    //计算缓冲区还有多少字节空间
    partLen = 64 - index;
    //以512位数据为一组进行处理
    if (inputLen >= partLen) {
        memcpy(&context->buffer[index], input, partLen);
        MD5Transform(context->state, context->buffer);
        for (i = partLen; i + 63 < inputLen; i += 64)
            MD5Transform(context->state, &input[i]);
        index = 0;
    }
    else i = 0;
    //缓存未处理的输入
    memcpy(&context->buffer[index], &input[i], inputLen - i);
}

//获取MD5码（由digest返回），顺便清除context数据
void MD5Final(unsigned char digest[16], MD5_CTX* context)
{
    unsigned char bits[8];
    unsigned int index, padLen;
    //记录数据长度
    Encode(bits, context->count, 8);
    //填充数据
    index = (unsigned int)((context->count[0] >> 3) & 0x3f);
    padLen = (index < 56) ? (56 - index) : (120 - index);
    MD5Update(context, PADDING, padLen);
    //追加数据长度信息
    MD5Update(context, bits, 8);
    //获取MD5码。其实就是将ABCD四个32位整数以16进制方式级联
    Encode(digest, context->state, 16);
    //清除数据
    memset(context, 0, sizeof(*context));
}

//MD5变换函数
void MD5Transform(unsigned int state[4], unsigned char block[64])
{
    unsigned int a = state[0], b = state[1], c = state[2], d = state[3], x[16];
    //将64字节的一组数据进一步划分为16个子分组
    Decode(x, block, 64);
    //第1轮循环变换
    FF(a, b, c, d, x[0], S11, 0xd76aa478); /* 1 */
    FF(d, a, b, c, x[1], S12, 0xe8c7b756); /* 2 */
    FF(c, d, a, b, x[2], S13, 0x242070db); /* 3 */
    FF(b, c, d, a, x[3], S14, 0xc1bdceee); /* 4 */
    FF(a, b, c, d, x[4], S11, 0xf57c0faf); /* 5 */
    FF(d, a, b, c, x[5], S12, 0x4787c62a); /* 6 */
    FF(c, d, a, b, x[6], S13, 0xa8304613); /* 7 */
    FF(b, c, d, a, x[7], S14, 0xfd469501); /* 8 */
    FF(a, b, c, d, x[8], S11, 0x698098d8); /* 9 */
    FF(d, a, b, c, x[9], S12, 0x8b44f7af); /* 10 */
    FF(c, d, a, b, x[10], S13, 0xffff5bb1); /* 11 */
    FF(b, c, d, a, x[11], S14, 0x895cd7be); /* 12 */
    FF(a, b, c, d, x[12], S11, 0x6b901122); /* 13 */
    FF(d, a, b, c, x[13], S12, 0xfd987193); /* 14 */
    FF(c, d, a, b, x[14], S13, 0xa679438e); /* 15 */
    FF(b, c, d, a, x[15], S14, 0x49b40821); /* 16 */
    //第2轮循环变换
    GG(a, b, c, d, x[1], S21, 0xf61e2562); /* 17 */
    GG(d, a, b, c, x[6], S22, 0xc040b340); /* 18 */
    GG(c, d, a, b, x[11], S23, 0x265e5a51); /* 19 */
    GG(b, c, d, a, x[0], S24, 0xe9b6c7aa); /* 20 */
    GG(a, b, c, d, x[5], S21, 0xd62f105d); /* 21 */
    GG(d, a, b, c, x[10], S22, 0x2441453); /* 22 */
    GG(c, d, a, b, x[15], S23, 0xd8a1e681); /* 23 */
    GG(b, c, d, a, x[4], S24, 0xe7d3fbc8); /* 24 */
    GG(a, b, c, d, x[9], S21, 0x21e1cde6); /* 25 */
    GG(d, a, b, c, x[14], S22, 0xc33707d6); /* 26 */
    GG(c, d, a, b, x[3], S23, 0xf4d50d87); /* 27 */
    GG(b, c, d, a, x[8], S24, 0x455a14ed); /* 28 */
    GG(a, b, c, d, x[13], S21, 0xa9e3e905); /* 29 */
    GG(d, a, b, c, x[2], S22, 0xfcefa3f8); /* 30 */
    GG(c, d, a, b, x[7], S23, 0x676f02d9); /* 31 */
    GG(b, c, d, a, x[12], S24, 0x8d2a4c8a); /* 32 */
    //第3轮循环变换
    HH(a, b, c, d, x[5], S31, 0xfffa3942); /* 33 */
    HH(d, a, b, c, x[8], S32, 0x8771f681); /* 34 */
    HH(c, d, a, b, x[11], S33, 0x6d9d6122); /* 35 */
    HH(b, c, d, a, x[14], S34, 0xfde5380c); /* 36 */
    HH(a, b, c, d, x[1], S31, 0xa4beea44); /* 37 */
    HH(d, a, b, c, x[4], S32, 0x4bdecfa9); /* 38 */
    HH(c, d, a, b, x[7], S33, 0xf6bb4b60); /* 39 */
    HH(b, c, d, a, x[10], S34, 0xbebfbc70); /* 40 */
    HH(a, b, c, d, x[13], S31, 0x289b7ec6); /* 41 */
    HH(d, a, b, c, x[0], S32, 0xeaa127fa); /* 42 */
    HH(c, d, a, b, x[3], S33, 0xd4ef3085); /* 43 */
    HH(b, c, d, a, x[6], S34, 0x4881d05); /* 44 */
    HH(a, b, c, d, x[9], S31, 0xd9d4d039); /* 45 */
    HH(d, a, b, c, x[12], S32, 0xe6db99e5); /* 46 */
    HH(c, d, a, b, x[15], S33, 0x1fa27cf8); /* 47 */
    HH(b, c, d, a, x[2], S34, 0xc4ac5665); /* 48 */
    //第4轮循环变换
    II(a, b, c, d, x[0], S41, 0xf4292244); /* 49 */
    II(d, a, b, c, x[7], S42, 0x432aff97); /* 50 */
    II(c, d, a, b, x[14], S43, 0xab9423a7); /* 51 */
    II(b, c, d, a, x[5], S44, 0xfc93a039); /* 52 */
    II(a, b, c, d, x[12], S41, 0x655b59c3); /* 53 */
    II(d, a, b, c, x[3], S42, 0x8f0ccc92); /* 54 */
    II(c, d, a, b, x[10], S43, 0xffeff47d); /* 55 */
    II(b, c, d, a, x[1], S44, 0x85845dd1); /* 56 */
    II(a, b, c, d, x[8], S41, 0x6fa87e4f); /* 57 */
    II(d, a, b, c, x[15], S42, 0xfe2ce6e0); /* 58 */
    II(c, d, a, b, x[6], S43, 0xa3014314); /* 59 */
    II(b, c, d, a, x[13], S44, 0x4e0811a1); /* 60 */
    II(a, b, c, d, x[4], S41, 0xf7537e82); /* 61 */
    II(d, a, b, c, x[11], S42, 0xbd3af235); /* 62 */
    II(c, d, a, b, x[2], S43, 0x2ad7d2bb); /* 63 */
    II(b, c, d, a, x[9], S44, 0xeb86d391); /* 64 */

    state[0] += a;
    state[1] += b;
    state[2] += c;
    state[3] += d;
}

//将无符号整数转为字节类型数组
void Encode(unsigned char* output, unsigned int* input, unsigned int len)
{
    unsigned int i, j;

    for (i = 0, j = 0; j < len; i++, j += 4) {
        output[j] = (unsigned char)(input[i] & 0xff);
        output[j + 1] = (unsigned char)((input[i] >> 8) & 0xff);
        output[j + 2] = (unsigned char)((input[i] >> 16) & 0xff);
        output[j + 3] = (unsigned char)((input[i] >> 24) & 0xff);
    }
}

//将字节类型数组转为无符号整数
void Decode(unsigned int* output, unsigned char* input, unsigned int len)
{
    unsigned int i, j;

    for (i = 0, j = 0; j < len; i++, j += 4)
        output[i] = ((unsigned int)input[j]) | (((unsigned int)input[j + 1]) << 8) |
        (((unsigned int)input[j + 2]) << 16) | (((unsigned int)input[j + 3]) << 24);
}

int main()
{
    uint8_t mm[] = { 0xCD, 0x16, 0xDB, 0xB5, 0xD1, 0x02, 0xA4, 0x82, 0x8E, 0x59, 0x73, 0x9E, 0x96, 0x26, 0x56, 0xF2,
0x16, 0x8E, 0x46, 0xF2, 0x55, 0x7B, 0x92, 0x31, 0x30, 0xDC, 0xAA, 0x8A, 0xF3, 0x1C, 0xA0, 0xAA };
    for (int n = 0; n < 13; n++) {
        for (int m = 0; m < 31; m++) {
            MD5_CTX md5_calc;
            unsigned int c[] = { 0x00000007, 0x00000002, 0x0000007c };
            c[0] = m;
            c[1] = n;
            unsigned char md5[17];

            MD5Init(&md5_calc);
            MD5Update(&md5_calc, (unsigned char*)c, 12);
            MD5Final(md5, &md5_calc);

            for (int i = 0; i < 16; i++) {
                md5[i] ^= 0x14;
                md5[i] ^= 0x11;
            }

            char in[100];
            for (int l = 0; l < 32; l++) {
                in[l] = mm[l];
            }
            md5[16] = '\0';
            deAes(in,32,(char*)md5 );

            if (!strncmp("NSSCTF",in,6)) {
                printf("2024年%d月%d日\n", n+1, m);
                for (int i = 0; i < 32; ++i) {
                    printf("%c",(unsigned char)in[i]);
                }
            }
        }
    }

    return 0;
}

// 2024年7月21日
// NSSCTF{W0w_Y0u're_@n_AE5_M@5t3r}

Canon

程序把输入分成三部分，并按照规定的流程把每个部分作为密钥和输入进行加密操作。加密函数里面有6种操作，根据传入的参数选择特定的操作。

用在选择操作的位置下断点用idapython提取程序的执行流程。

main函数

加密函数

得到程序的执行流程

1 2	0, 0, 1, 0, 1, 2, 0, 1, 2, 0, 1, 2, 0, 1, 2, 0, 1, 2, 0, 1, 2 //第一层控制流 1, 5, 1, 6, 5, 1, 3, 6, 5, 4, 3, 6, 1, 4, 3, 4, 1, 4, 5, 4, 1 //第二层控制流

现在去逆向加密函数里面的每一个操作

case1是一个位移加密。case2没有用到就不管了。case3把数据按列存储按行读出，即行列互换。

case4把最一个元素放到第一位去，后面的元素向后移一位。case5把输入与密文异或并进行换表base64加密。case6是一个魔改rc4加密，异或完后加上57，然后进行换表base64编码。把所有加密逆向一遍按控制流反向执行就行。一些要注意的问题写在脚本注释里了。解密后有些数据里面有0，用strlen会直接得到错误的长度。尽量别用strlen。

#include <stdio.h>
#include<string.h>
#include <stdlib.h>

#define size 256
char base64[65] = "stuvwxyz0123456789+/ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqr";
int op1[] = {0, 0, 1, 0, 1, 2, 0, 1, 2, 0, 1, 2, 0, 1, 2, 0, 1, 2, 0, 1, 2}; //第一层控制流
int op2[] = { 1, 5, 1, 6, 5, 1, 3, 6, 5, 4, 3, 6, 1, 4, 3, 4, 1, 4, 5, 4, 1 };//第二层控制流

int rexor5(char* data1, char* data2, int len);
void enc_dec(unsigned char* key, unsigned char* data, int n);
void init_sbox(unsigned char* key);
int rerc4r6(char* data1, char* data2, int len);
int re3(char* data1, char* data2, int len);
int re4(char* data1, char* data2, int len);
int decodeBase64(char* str, int len);

void re1(char* Source, int i, char* Destination, int v21) {
    for (int j = 0; j < i; ++j) {
        char v22 = Destination[j % v21];
        if (Source[j] >= 'A' && Source[j] <= 'Z') {
            for (int i = 65; i <= 90; i++) { //直接爆破，遍历符合逻辑的source
                char a = (i + v22 - 'A') % 26;
                char b = Source[j] - 'A';
                if (b == a) { Source[j] = i; break; };
            }
        }
        else if (Source[j] >= 'a' && Source[j] <= 'z') {
            for (int i = 97; i <= 'z'; i++) {
                char a = (i + v22 - 'a') % 26;
                if (Source[j] - 'a' == a) { Source[j] = i; break; };
            }
        }
        else if (Source[j] >= '0' && Source[j] <= '9') {
            for (int i = '0'; i <= '9'; i++) {
                char a = (i + v22 - '0') % 10;
                if (Source[j] - '0' == a) { Source[j] = i; break; };
            }
        }
    }
}

int main() {
    char m1[] = "WgvDmssEvcY326bHo3nNro3vXvvfmgrz";
    char m2[] = "gX+Ri9PG=bt5=00B6hscPQOL";
    char m3[] = "T6bHgUPL2gXUd=xT=FNHtPzV";
    for (int i = 20; i>=0; i--) { //反向遍历
        switch (op1[i]) { //选择加密方法和密钥
        case 0:
            switch (op2[i]) {
            case 1:
                re1(m1, strlen(m1), m2, strlen(m2));
                break;
            case 3:
                re3(m1, m2, strlen(m1));
                break;
            case 4:
                re4(m1, m2, strlen(m1));
                break;
            case 5:
                rexor5(m1, m2, strlen(m1));
                break;
            case 6:
                rerc4r6(m1, m2, strlen(m1));
                break;
            }
            break;
        case 1:
            switch (op2[i]) {
            case 1:
                re1(m2, strlen(m2), m3, strlen(m3));
                break;
            case 3:
                re3(m2, m3, strlen(m2));
                break;
            case 4:
                re4(m2, m3, strlen(m2));
                break;
            case 5:
                rexor5(m2, m3, strlen(m2));
                break;
            case 6:
                rerc4r6(m2, m3, strlen(m2));
                break;
            }
            break;

        case 2:
            switch (op2[i]) {
            case 1:
                re1(m3, strlen(m3), m1, strlen(m1));
                break;
            case 3:
                re3(m3, m1, strlen(m3));
                break;
            case 4:
                re4(m3, m1, strlen(m3));
                break;
            case 5:
                rexor5(m3, m1, strlen(m3));
                break;
            case 6:
                rerc4r6(m3, m1, strlen(m3));
                break;
            }
            break;
        }
    }

    printf("%s", m1);
    printf("%s", m2);
    printf("%s", m3);

}

int rexor5(char* data1, char* data2, int len) {
    int k = decodeBase64(data1,len); //data1解密后会有0，于是直接让decode函数返回正确长度
    for (int i = 0; i < k; i++) {
        data1[i] = (data2[i % strlen(data2)] + 57) ^ (unsigned char)data1[i];
    }
    return 0;
}

int rerc4r6(char* data1, char* data2, int len) {
    int k =decodeBase64(data1, len); //同上

    for (int i = 0; i <len ; i++) {
        data1[i] -= 57;
    }
    enc_dec((unsigned char*)data2, (unsigned char*)data1,k);
    data1[k] = '\0';
    return 0;
}

int re3(char* data1, char* data2, int len) {
    char block[13][13];
    char blocklen = data2[0] % 10 + 2;

    for (int i = 0; i < blocklen; i++) {
        memset(block[i], 0, len + 1);
    }

    int i = 0, index = 0,reamind = len%blocklen;

    for (int jj = 0; jj < blocklen; ++jj) {
        int leng = len / blocklen;
        if (reamind > 0) { leng++; reamind--; } //注意剩余的元素要多用一列输入，直接加1会导致列数不正确
        for (int kk = 0; kk  <leng ; ++kk) {
            if (index < len) {
                *(char*)(block[jj] + kk) = data1[index++]; //按行输入
            }
        }
    }

    index = 0;

    for (i = 0; i * blocklen < len; ++i) {
        for (int ii = 0; ii < blocklen && ii + blocklen * i < len; ++ii) {
            data1[ii + blocklen * i] = *(char*)(block[ii] + i); //按列取出
        }
    }
    return 0;
}


int re4(char* data1, char* data2, int len) {
    char blocklen = data2[0] % 10 + 2;
    for (int nn = 0; nn < blocklen; ++nn)
    {
        char v11 = data1[0];
        for (int i1 = 0; i1 < len-1; ++i1)
            data1[i1] = data1[i1+1];
        data1[len-1] = v11;
    }
    return 0;
}

unsigned char sbox[257] = { 0 };

void init_sbox(unsigned char* key) {
    unsigned int i, j, k;
    int tmp;

    for (i = 0; i < size; i++) {
        sbox[i] = i;
    }

    j =k = 0;
    for (i = 0; i < size; i++) {
        tmp = sbox[i];
        j = (j + tmp + key[i % strlen((char*)key)]) % size; 
        sbox[i] = sbox[j];
        sbox[j] = tmp;
    }
}

void enc_dec(unsigned char* key, unsigned char* data,int n) {
    int i, j, k, R, tmp;

    init_sbox(key);

    j = k = 0;
    for (i = 0; i < n; i++) {
        j = (j + 1) % size;
        k = (k + sbox[j]) % size;

        tmp = sbox[j];
        sbox[j] = sbox[k];
        sbox[k] = tmp;

        R = sbox[(sbox[j] + sbox[k]) % size];
        
        data[i] ^= R;
        
    }
}

int decodeBase64(char* str, int len) {
    
    unsigned char ascill[129] = { 0 };
    int k = 0;
    for (int i = 0; i < 64; i++) {
        ascill[base64[i]] = k++;
    }
    int decodeStrlen = len / 4 * 3 + 1;
    char* decodeStr = (char*)malloc(sizeof(char) * decodeStrlen);
    k = 0;
    for (int i = 0; i < len; i++) {
        unsigned char a, b, c;
        a = ascill[str[i]];
        b = ascill[str[++i]];
        c = (a << 2) | (b >> 4);
        decodeStr[k++] = c;
        if (str[i + 1] == '=') {
            break;
        }
        a = ascill[str[i]];
        b = ascill[str[++i]];
        c = (a << 4) | (b >> 2);
        decodeStr[k++] = c;
        if (str[i + 1] == '=') {
            break;
        }
        a = ascill[str[i]];
        b = ascill[str[++i]];
        c = (a << 6) | (b);
        decodeStr[k++] = c;
    }
    decodeStr[k] = '\0';
    for (int i = 0; i <= k; i++) {
        str[i] = decodeStr[i];
    }
    free(decodeStr);
    return k; //返回长度以便进行数据处理
}
//NSSCTF{P4ch3Lbel's_C@n0n_1n_D_mAjOr}

Room 0

多看看main前面的函数就可以发现一个smc函数，用一个传进来的密钥对enc段进行异或解密，动调可以发现其实密钥就是我们输入进来的key。

交叉引用发现了异常处理中调用了函数，加上之前在main里面看到的中有一个除法运算可以推测出我们输入的密钥应该是要触发除0异常，于是打算直接把运算函数拿下来进行爆破。我们可以知道函数开头3字节的值是固定的55 8b ec，我们可以先提取出enc函数的前三字节进行异或得到前三位密钥再进行爆破。

这个函数把hex字符串转为对应的整数。我们的输入应该是结果的十六进制字符串。

前3字节是75 5f f0直接提取出伪代码爆破最后一字节

#include<stdio.h>

unsigned int __cdecl sub_402000(unsigned int inputInt)
{

    int iterator; // [esp+4h] [ebp-18h]
    int byte1; // [esp+8h] [ebp-14h]
    int byte2; // [esp+Ch] [ebp-10h]
    int v6; // [esp+10h] [ebp-Ch]
    int tempResult; // [esp+10h] [ebp-Ch]
    unsigned int highByte; // [esp+14h] [ebp-8h]
    int inputInt_1; // [esp+18h] [ebp-4h]

    if (!inputInt)
        return 0;
    v6 = 0;
    inputInt_1 = inputInt;
    highByte = inputInt >> 24 & 0xff;
    byte2 = inputInt >> 16 & 0xff;
    byte1 = inputInt >> 8 & 0xff;
    for (iterator = 0; iterator < 32; ++iterator)
    {
        tempResult = v6 * (highByte + 1415881080) * (inputInt_1 - 1467486175) * ((highByte - inputInt_1) ^ (highByte >> 4));
        byte2 = (inputInt_1 + byte2) ^ (8 * byte1);
        byte1 = (inputInt_1 + highByte) ^ (8 * byte2);
        highByte = (inputInt_1 + byte1) ^ (8 * byte2);
        inputInt_1 -= byte1 + byte2 + highByte;
        if (inputInt_1 - 1415881080 == 0)return inputInt;
        v6 = tempResult
            + (highByte + 1467486175)
            * (((highByte - inputInt_1) ^ (unsigned __int64)(highByte >> 4))
                / (unsigned int)(inputInt_1 - 1415881080));
    }
    return 0;
}
int main() {
    for (unsigned int i = 0x755ff000; i < 0x755ff0ff; i++) {
        printf("%x\n", sub_402000(i));
    }
}

//755ff0d3

得到密钥775ff0d3

提取汇编指令，对dia内的数据进行异或处理

用ida脚本对enc段解密，并去除花指令

import idc
import ida_bytes

#获取范围内的数据
def getbyte_data(start,end):
    len = end - start
    data = idc.get_bytes(start,len)
    return data

def xordatas(data,key):
    res = b""
    data = bytearray(data)
    for i in range(len(data)):
        data[i]= data[i] ^ key[i % 4]
    print(data)
    return data

#smc解密
def decsmc(start,end):
    data = getbyte_data(start,end)
    print(data)
    try:
        res = xordatas(data,bytes.fromhex("755ff0d3"))
        ida_bytes.patch_bytes(start,bytes(res))
        print(res)
        print("ok")
    except Exception as e:
        print(e)

def nop_jzjnz(start_addr,endaddr,pattern):
    length =len(pattern)
    flag = 0
    while start_addr < endaddr:
        getbytes =idc.get_bytes(start_addr,length) #获取指定范围内指定地址的字节码并返回成列表
        if(getbytes[0]==pattern[0] and getbytes[1]==pattern[1] and getbytes[2] == pattern[2] and getbytes[3] == pattern[3]):  #匹配花指令模板
            flag = 1
            for i in range(length):        
                idc.patch_byte(start_addr + i,0x90)  #nop
            print(f"success! nop 0x{hex(start_addr)} to 0x{hex(start_addr + length -1)} length:{length}")
            start_addr += length - 1
        start_addr += 1
    if(flag == 0):
        print("Not find!!!")
        
pattern = [0x50, 0xB8, 0x00, 0x00, 0x00, 0x00, 0xE8, 0x00, 0x00, 0x00, 0x00, 0x83, 0xC0, 0x01, 0x83, 0xF8, 0x02, 0x74, 0x01, 0xC3, 0x58]
pattern2 = [0x74, 0x03, 0x75, 0x01, 0xE8]

start = 0x00401000
end = 0x0401600


decsmc(start,end)
nop_jzjnz(start,end,pattern)
nop_jzjnz(start,end,pattern2)

下断点在xor处用ida脚本提取异或数据解密。

a = [108 ,151 ,243 ,25 ,138 ,171 ,25 ,23 ,75 ,150 ,94 ,212 ,54 ,212 ,84 ,188 ,19 ,254 ,13 ,11 ,193 ,228 ,32 ,170 ,123 ,232 ,5 ,169 ,64 ,237 ,253 ,212 ,]

data = [0x22, 0xC4, 0xA0, 0x5A, 0xDE, 0xED, 0x62, 0x5E, 0x25, 0xE2, 0x6D, 0xA6, 0x05, 0xA7, 0x20, 0x8D, 0x7D, 0x99, 0x52, 0x3E, 0x8C, 0xA7, 0x7F, 0xFA, 0x09, 0xD8, 0x62, 0xDB, 0x00, 0x80, 0xC2, 0xA9]
flag = ''
for i,j in zip(a,data):
    flag += chr(i ^ j)
print(flag)

#NSSCTF{Int3r3st1ng_5MC_Pr0gr@m?}

这里的密钥是触发异常前v6的值，因为在触发异常后系统会把异常前的数据压入栈中保存以便后续的恢复。从下面也可以看出。

插曲:我为了保证patch的部分不被原来的函数修改，于是nop掉了smc函数里面的一些代码，但是正好后面rc4的密钥是通过栈转递的，因为修改代码导致栈与原来不符，也就导致了密钥的不符，最后通过密钥转递的位置把修改了密钥的位置nop掉才行。