AES

前言

相比于DES算法，AES算法更为复杂，逆向的难度也相对较大，广义上来说AES可以算是DES的升级版。

比较与DES固定8字节密钥，AES有三种密钥模式可选，分别为128位，192位和256位，同时AES也有ECB，CBC和CTR三种模式，所以在出题和实际生产生活中AES的选择更多，组合更多，实际难度更大。虽然AES算法的组合方式有很多种，整体看起来很复杂，但其实在这多种模式中主体上都是不变的，而所谓的密钥长度和模式只不过更改了密钥处理函数和最终的处理方式，相当于在AES核心算法外套了层皮，并不是什么特别的东西。

以及AES是分组密码。

AES的核心组件

在AES九种模式都不变的组件

总览

static const uint8_t sbox[256] =
{
    0x63,0x7c,0x77,0x7b,0xf2,0x6b,0x6f,0xc5,0x30,0x01,0x67,0x2b,0xfe,0xd7,0xab,0x76,
    0xca,0x82,0xc9,0x7d,0xfa,0x59,0x47,0xf0,0xad,0xd4,0xa2,0xaf,0x9c,0xa4,0x72,0xc0,
    0xb7,0xfd,0x93,0x26,0x36,0x3f,0xf7,0xcc,0x34,0xa5,0xe5,0xf1,0x71,0xd8,0x31,0x15,
    0x04,0xc7,0x23,0xc3,0x18,0x96,0x05,0x9a,0x07,0x12,0x80,0xe2,0xeb,0x27,0xb2,0x75,
    0x09,0x83,0x2c,0x1a,0x1b,0x6e,0x5a,0xa0,0x52,0x3b,0xd6,0xb3,0x29,0xe3,0x2f,0x84,
    0x53,0xd1,0x00,0xed,0x20,0xfc,0xb1,0x5b,0x6a,0xcb,0xbe,0x39,0x4a,0x4c,0x58,0xcf,
    0xd0,0xef,0xaa,0xfb,0x43,0x4d,0x33,0x85,0x45,0xf9,0x02,0x7f,0x50,0x3c,0x9f,0xa8,
    0x51,0xa3,0x40,0x8f,0x92,0x9d,0x38,0xf5,0xbc,0xb6,0xda,0x21,0x10,0xff,0xf3,0xd2,
    0xcd,0x0c,0x13,0xec,0x5f,0x97,0x44,0x17,0xc4,0xa7,0x7e,0x3d,0x64,0x5d,0x19,0x73,
    0x60,0x81,0x4f,0xdc,0x22,0x2a,0x90,0x88,0x46,0xee,0xb8,0x14,0xde,0x5e,0x0b,0xdb,
    0xe0,0x32,0x3a,0x0a,0x49,0x06,0x24,0x5c,0xc2,0xd3,0xac,0x62,0x91,0x95,0xe4,0x79,
    0xe7,0xc8,0x37,0x6d,0x8d,0xd5,0x4e,0xa9,0x6c,0x56,0xf4,0xea,0x65,0x7a,0xae,0x08,
    0xba,0x78,0x25,0x2e,0x1c,0xa6,0xb4,0xc6,0xe8,0xdd,0x74,0x1f,0x4b,0xbd,0x8b,0x8a,
    0x70,0x3e,0xb5,0x66,0x48,0x03,0xf6,0x0e,0x61,0x35,0x57,0xb9,0x86,0xc1,0x1d,0x9e,
    0xe1,0xf8,0x98,0x11,0x69,0xd9,0x8e,0x94,0x9b,0x1e,0x87,0xe9,0xce,0x55,0x28,0xdf,
    0x8c,0xa1,0x89,0x0d,0xbf,0xe6,0x42,0x68,0x41,0x99,0x2d,0x0f,0xb0,0x54,0xbb,0x16
};

static const uint8_t inv_sbox[256] =
{
    0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38, 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb,
    0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87, 0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb,
    0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d, 0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e,
    0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2, 0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25,
    0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16, 0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92,
    0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda, 0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84,
    0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a, 0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06,
    0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02, 0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b,
    0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea, 0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73,
    0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85, 0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e,
    0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89, 0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b,
    0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20, 0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4,
    0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31, 0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f,
    0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d, 0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef,
    0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0, 0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61,
    0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26, 0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d
};

static const uint8_t Rcon[11] =
{
    0x00,0x01,0x02,0x04,0x08,0x10,0x20,0x40,0x80,0x1B,0x36
};

static const uint8_t AES_MIX_COL_MATRIX[4][4] =
{
    {0x02,0x03,0x01,0x01},
    {0x01,0x02,0x03,0x01},
    {0x01,0x01,0x02,0x03},
    {0x03,0x01,0x01,0x02}
};

static const uint8_t AES_INV_MIX_COL_MATRIX[4][4] =
{
    {0x0E,0x0B,0x0D,0x09},
    {0x09,0x0E,0x0B,0x0D},
    {0x0D,0x09,0x0E,0x0B},
    {0x0B,0x0D,0x09,0x0E}
};

S盒与逆S盒

static const uint8_t sbox[256] =
{
    0x63,0x7c,0x77,0x7b,0xf2,0x6b,0x6f,0xc5,0x30,0x01,0x67,0x2b,0xfe,0xd7,0xab,0x76,
    0xca,0x82,0xc9,0x7d,0xfa,0x59,0x47,0xf0,0xad,0xd4,0xa2,0xaf,0x9c,0xa4,0x72,0xc0,
    0xb7,0xfd,0x93,0x26,0x36,0x3f,0xf7,0xcc,0x34,0xa5,0xe5,0xf1,0x71,0xd8,0x31,0x15,
    0x04,0xc7,0x23,0xc3,0x18,0x96,0x05,0x9a,0x07,0x12,0x80,0xe2,0xeb,0x27,0xb2,0x75,
    0x09,0x83,0x2c,0x1a,0x1b,0x6e,0x5a,0xa0,0x52,0x3b,0xd6,0xb3,0x29,0xe3,0x2f,0x84,
    0x53,0xd1,0x00,0xed,0x20,0xfc,0xb1,0x5b,0x6a,0xcb,0xbe,0x39,0x4a,0x4c,0x58,0xcf,
    0xd0,0xef,0xaa,0xfb,0x43,0x4d,0x33,0x85,0x45,0xf9,0x02,0x7f,0x50,0x3c,0x9f,0xa8,
    0x51,0xa3,0x40,0x8f,0x92,0x9d,0x38,0xf5,0xbc,0xb6,0xda,0x21,0x10,0xff,0xf3,0xd2,
    0xcd,0x0c,0x13,0xec,0x5f,0x97,0x44,0x17,0xc4,0xa7,0x7e,0x3d,0x64,0x5d,0x19,0x73,
    0x60,0x81,0x4f,0xdc,0x22,0x2a,0x90,0x88,0x46,0xee,0xb8,0x14,0xde,0x5e,0x0b,0xdb,
    0xe0,0x32,0x3a,0x0a,0x49,0x06,0x24,0x5c,0xc2,0xd3,0xac,0x62,0x91,0x95,0xe4,0x79,
    0xe7,0xc8,0x37,0x6d,0x8d,0xd5,0x4e,0xa9,0x6c,0x56,0xf4,0xea,0x65,0x7a,0xae,0x08,
    0xba,0x78,0x25,0x2e,0x1c,0xa6,0xb4,0xc6,0xe8,0xdd,0x74,0x1f,0x4b,0xbd,0x8b,0x8a,
    0x70,0x3e,0xb5,0x66,0x48,0x03,0xf6,0x0e,0x61,0x35,0x57,0xb9,0x86,0xc1,0x1d,0x9e,
    0xe1,0xf8,0x98,0x11,0x69,0xd9,0x8e,0x94,0x9b,0x1e,0x87,0xe9,0xce,0x55,0x28,0xdf,
    0x8c,0xa1,0x89,0x0d,0xbf,0xe6,0x42,0x68,0x41,0x99,0x2d,0x0f,0xb0,0x54,0xbb,0x16
};

static const uint8_t inv_sbox[256] =
{
    0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38, 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb,
    0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87, 0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb,
    0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d, 0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e,
    0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2, 0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25,
    0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16, 0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92,
    0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda, 0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84,
    0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a, 0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06,
    0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02, 0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b,
    0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea, 0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73,
    0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85, 0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e,
    0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89, 0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b,
    0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20, 0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4,
    0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31, 0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f,
    0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d, 0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef,
    0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0, 0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61,
    0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26, 0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d
};

作用与DES中的相同，就不多赘述了。

轮常数

static const uint8_t Rcon[11] =
{
    0x00,0x01,0x02,0x04,0x08,0x10,0x20,0x40,0x80,0x1B,0x36
};

作用在于输入数据进行S盒查找替换时与第一个数据进行异或。

固定矩阵常量与逆固定矩阵常量

static const uint8_t AES_MIX_COL_MATRIX[4][4] =
{
    {0x02,0x03,0x01,0x01},
    {0x01,0x02,0x03,0x01},
    {0x01,0x01,0x02,0x03},
    {0x03,0x01,0x01,0x02}
};

static const uint8_t AES_INV_MIX_COL_MATRIX[4][4] =
{
    {0x0E,0x0B,0x0D,0x09},
    {0x09,0x0E,0x0B,0x0D},
    {0x0D,0x09,0x0E,0x0B},
    {0x0B,0x0D,0x09,0x0E}
};

一般在代码中不会直接显示出来，详细的内容在后文的MixColumns函数中会讲。

AES核心逻辑

xtime乘法

static uint8_t xtime(uint8_t x)
{
    return (x << 1) ^ ((x >> 7) * 0x1b);
}

为AES实现快速的模约减放溢出和乘2

轮密钥异或(AddRoundKey)

static void AddRoundKey(uint8_t *state, const uint8_t *roundKey)
{
    for (int i = 0; i < 16; i++)
        state[i] ^= roundKey[i];
}

字节替换与逆字节替换(SubBytes)

static void SubBytes(uint8_t *state)
{
    for (int i = 0; i < 16; i++)
        state[i] = AES_SBOX[state[i]];
}

加密时使用S盒，解密时使用逆S盒

static void InvSubBytes(uint8_t *state)
{
    for (int i = 0; i < 16; i++)
        state[i] = AES_INV_SBOX[state[i]];
}

行位移(ShiftRows)

static void ShiftRows(uint8_t *state)
{
    uint8_t tmp;

    tmp = state[1];
    state[1]  = state[5];
    state[5]  = state[9];
    state[9]  = state[13];
    state[13] = tmp;

    tmp = state[2];
    state[2]  = state[10];
    state[10] = tmp;
    tmp = state[6];
    state[6]  = state[14];
    state[14] = tmp;

    tmp = state[3];
    state[3]  = state[15];
    state[15] = state[11];
    state[11] = state[7];
    state[7]  = tmp;
}

很明显，这里在进行数组内的元素替换，并且由于state数组是以矩阵的形式存在的，所以这里可以分开看：第一块分块是第一行元素，其在数组中的位置统一向左移动四位；第二块是第二行，向左移动八位；第三块是第三行，向左移动十二位。每一行自重复。

逆位移如下

static void InvShiftRows(uint8_t *state)
{
    uint8_t tmp;

    tmp = state[13];
    state[13] = state[9];
    state[9]  = state[5];
    state[5]  = state[1];
    state[1]  = tmp;

    tmp = state[2];
    state[2]  = state[10];
    state[10] = tmp;
    tmp = state[6];
    state[6]  = state[14];
    state[14] = tmp;

    tmp = state[3];
    state[3]  = state[7];
    state[7]  = state[11];
    state[11] = state[15];
    state[15] = tmp;
}

值得注意的是，这一部分由于反编译出来后阅读量偏大，所以很容易出现魔改(比如在某处添加异或什么的)，在做题时需要小心审阅。

隐式矩阵乘法(MixColumns)

static void MixColumns(uint8_t *state)
{
    for (int i = 0; i < 4; i++)
    {
        uint8_t *col = state + i * 4;

        uint8_t a0 = col[0];
        uint8_t a1 = col[1];
        uint8_t a2 = col[2];
        uint8_t a3 = col[3];

        col[0] = xtime(a0) ^ (xtime(a1) ^ a1) ^ a2 ^ a3;
        col[1] = a0 ^ xtime(a1) ^ (xtime(a2) ^ a2) ^ a3;
        col[2] = a0 ^ a1 ^ xtime(a2) ^ (xtime(a3) ^ a3);
        col[3] = (xtime(a0) ^ a0) ^ a1 ^ a2 ^ xtime(a3);
    }
}

AES算法的扩展核心，加密过程使用上文的固定矩阵常量，解密过程使用上文的逆固定矩阵常量。解密如下

static void InvMixColumns(uint8_t *state)
{
    for (int i = 0; i < 4; i++)
    {
        uint8_t *col = state + i * 4;

        uint8_t a0 = col[0];
        uint8_t a1 = col[1];
        uint8_t a2 = col[2];
        uint8_t a3 = col[3];

        col[0] = gf_mul(a0,0x0E) ^ gf_mul(a1,0x0B) ^
                 gf_mul(a2,0x0D) ^ gf_mul(a3,0x09);

        col[1] = gf_mul(a0,0x09) ^ gf_mul(a1,0x0E) ^
                 gf_mul(a2,0x0B) ^ gf_mul(a3,0x0D);

        col[2] = gf_mul(a0,0x0D) ^ gf_mul(a1,0x09) ^
                 gf_mul(a2,0x0E) ^ gf_mul(a3,0x0B);

        col[3] = gf_mul(a0,0x0B) ^ gf_mul(a1,0x0D) ^
                 gf_mul(a2,0x09) ^ gf_mul(a3,0x0E);
    }
}

加解密执行流总结

加密轮结构

Round0: AddRoundKey
Rounds: SubBytes → ShiftRows → MixColumns → AddRoundKey
Final : SubBytes → ShiftRows → AddRoundKey

解密轮结构

Round0: AddRoundKey
Rounds: InvShiftRows → InvSubBytes → AddRoundKey → InvMixColumns
Final : InvShiftRows → InvSubBytes → AddRoundKey

密钥扩展函数(KeyExpansion)

极其重要的函数，并且特征性非常明显，在做题中可以做到通过函数处理的轮数立刻判断出密钥的长度。

128位密钥的处理函数如下

void KeyExpansion128(const uint8_t *Key, uint8_t *RoundKey)
{
    int i = 0;
    uint8_t temp[4];

    /* 前16字节直接复制 */
    while (i < 16)
    {
        RoundKey[i] = Key[i];
        i++;
    }

    i = 4;

    while (i < 44)
    {
        temp[0] = RoundKey[4*(i-1) + 0];
        temp[1] = RoundKey[4*(i-1) + 1];
        temp[2] = RoundKey[4*(i-1) + 2];
        temp[3] = RoundKey[4*(i-1) + 3];

        if (i % 4 == 0)
        {
            uint8_t t = temp[0];
            temp[0] = temp[1];
            temp[1] = temp[2];
            temp[2] = temp[3];
            temp[3] = t;

            temp[0] = AES_SBOX[temp[0]];
            temp[1] = AES_SBOX[temp[1]];
            temp[2] = AES_SBOX[temp[2]];
            temp[3] = AES_SBOX[temp[3]];

            temp[0] ^= AES_RCON[i/4];
        }

        RoundKey[4*i+0] = RoundKey[4*(i-4)+0] ^ temp[0];
        RoundKey[4*i+1] = RoundKey[4*(i-4)+1] ^ temp[1];
        RoundKey[4*i+2] = RoundKey[4*(i-4)+2] ^ temp[2];
        RoundKey[4*i+3] = RoundKey[4*(i-4)+3] ^ temp[3];

        i++;
    }
}

192位密钥的处理函数如下

void KeyExpansion192(const uint8_t *Key, uint8_t *RoundKey)
{
    int i = 0;
    uint8_t temp[4];

    /* 前24字节复制 */
    while (i < 24)
    {
        RoundKey[i] = Key[i];
        i++;
    }

    i = 6;

    while (i < 52)
    {
        temp[0] = RoundKey[4*(i-1)+0];
        temp[1] = RoundKey[4*(i-1)+1];
        temp[2] = RoundKey[4*(i-1)+2];
        temp[3] = RoundKey[4*(i-1)+3];

        if (i % 6 == 0)
        {
            uint8_t t = temp[0];
            temp[0] = temp[1];
            temp[1] = temp[2];
            temp[2] = temp[3];
            temp[3] = t;

            temp[0] = AES_SBOX[temp[0]];
            temp[1] = AES_SBOX[temp[1]];
            temp[2] = AES_SBOX[temp[2]];
            temp[3] = AES_SBOX[temp[3]];

            temp[0] ^= AES_RCON[i/6];
        }

        RoundKey[4*i+0] = RoundKey[4*(i-6)+0] ^ temp[0];
        RoundKey[4*i+1] = RoundKey[4*(i-6)+1] ^ temp[1];
        RoundKey[4*i+2] = RoundKey[4*(i-6)+2] ^ temp[2];
        RoundKey[4*i+3] = RoundKey[4*(i-6)+3] ^ temp[3];

        i++;
    }
}

256位密钥的处理函数如下

void KeyExpansion256(const uint8_t *Key, uint8_t *RoundKey)
{
    int i = 0;
    uint8_t temp[4];

    /* 前32字节复制 */
    while (i < 32)
    {
        RoundKey[i] = Key[i];
        i++;
    }

    i = 8;

    while (i < 60)
    {
        temp[0] = RoundKey[4*(i-1)+0];
        temp[1] = RoundKey[4*(i-1)+1];
        temp[2] = RoundKey[4*(i-1)+2];
        temp[3] = RoundKey[4*(i-1)+3];

        if (i % 8 == 0)
        {
            uint8_t t = temp[0];
            temp[0] = temp[1];
            temp[1] = temp[2];
            temp[2] = temp[3];
            temp[3] = t;

            temp[0] = AES_SBOX[temp[0]];
            temp[1] = AES_SBOX[temp[1]];
            temp[2] = AES_SBOX[temp[2]];
            temp[3] = AES_SBOX[temp[3]];

            temp[0] ^= AES_RCON[i/8];
        }

        /* AES-256独有：i%8==4 时 SubWord */
        else if (i % 8 == 4)
        {
            temp[0] = AES_SBOX[temp[0]];
            temp[1] = AES_SBOX[temp[1]];
            temp[2] = AES_SBOX[temp[2]];
            temp[3] = AES_SBOX[temp[3]];
        }

        RoundKey[4*i+0] = RoundKey[4*(i-8)+0] ^ temp[0];
        RoundKey[4*i+1] = RoundKey[4*(i-8)+1] ^ temp[1];
        RoundKey[4*i+2] = RoundKey[4*(i-8)+2] ^ temp[2];
        RoundKey[4*i+3] = RoundKey[4*(i-8)+3] ^ temp[3];

        i++;
    }
}

通过上面三个函数，我们不难看出每一个长度的密钥处理都有其不变的特征：

128位的密钥完整复制前16字节数据，要处理44轮，最后与轮常数异或时分母为4；192位的密钥完整复制前24字节数据，要处理52，最后与轮常数异或时分母为6；256位的密钥完整复制前32字节数据，要处理60轮，最后与轮常数异或时分母为8，并且i%8==4时要再S盒替换一遍。一般来说这里不怎么会魔改。

例题

以furryctf2025的分组密码为例来讲讲AES。

进入main逻辑

int __cdecl main(int argc, const char **argv, const char **envp)
{
  FILE *Stream; // eax
  size_t n0x100; // eax
  char n4; // cl
  char *v6; // edx
  unsigned __int8 v7; // ah
  char v8; // ch
  char v9; // ah
  char v10; // al
  unsigned int n0x20; // eax
  __m128 *v12; // edx
  __m128 *v13; // esi
  char *v14; // eax
  int v15; // edx
  int n16; // edi
  char v17; // cl
  _OWORD *v18; // ecx
  _OWORD *v19; // edx
  unsigned int n28; // esi
  int v21; // edx
  bool v22; // cf
  unsigned __int8 v23; // al
  unsigned __int8 v24; // al
  unsigned __int8 v25; // al
  int n32; // eax
  char *p_fake_flag; // eax
  char ArgList; // [esp+0h] [ebp-220h]
  char ArgList_1; // [esp+0h] [ebp-220h]
  char ArgList_2; // [esp+0h] [ebp-220h]
  unsigned __int8 v32; // [esp+8h] [ebp-218h]
  unsigned __int8 v33; // [esp+9h] [ebp-217h]
  unsigned __int8 v34; // [esp+Ah] [ebp-216h]
  unsigned int n4_1; // [esp+Ch] [ebp-214h]
  unsigned int n0x20_1; // [esp+Ch] [ebp-214h]
  _DWORD v37[3]; // [esp+10h] [ebp-210h] BYREF
  unsigned int v38; // [esp+1Ch] [ebp-204h] BYREF
  _DWORD v39[4]; // [esp+C0h] [ebp-160h] BYREF
  _OWORD v40[2]; // [esp+D0h] [ebp-150h] BYREF
  _OWORD v41[2]; // [esp+F8h] [ebp-128h] BYREF
  char Buffer[16]; // [esp+118h] [ebp-108h] BYREF
  __int128 v43; // [esp+128h] [ebp-F8h]

  printf("input your flag:\n", ArgList);
  Stream = _acrt_iob_func(0);
  fgets(Buffer, 256, Stream);
  n0x100 = strcspn(Buffer, "\r\n");
  if ( n0x100 >= 0x100 )
    sub_401784();
  Buffer[n0x100] = 0;
  v40[0] = *Buffer;
  v40[1] = v43;
  if ( strlen(v40) < 0x20
    || *Buffer != 'OP'
    || Buffer[2] != 'F'
    || Buffer[3] != 'P'
    || *&Buffer[4] != 'TC'
    || Buffer[6] != 'F'
    || Buffer[7] != '{'
    || HIBYTE(v43) != '}' )
  {
    printf("flag length error", ArgList_1);
    exit(0);
  }
  n4 = 4;
  v39[0] = 0x278CF13A;
  v39[1] = 0xE2609BD4;
  v6 = &v38 + 1;
  v39[2] = 0xC3A75D11;
  v7 = 0xCD;
  v39[3] = 0x4EB8097F;
  v37[0] = 0xF3022201;
  v37[1] = 0xF7E6F544;
  v37[2] = 0xB0AB9A8;
  v38 = 0xFFEECDAC;
  for ( n4_1 = 4; n4_1 < 44; ++n4_1 )
  {
    v32 = *(v6 - 1);
    v33 = v6[1];
    v34 = v6[2];
    if ( (n4 & 3) != 0 )
    {
      v8 = v7;
    }
    else
    {
      v8 = byte_403158[v33];
      v33 = byte_403158[v34];
      v34 = byte_403158[v32];
      v32 = byte_403158[v7] ^ byte_403258[n4_1 >> 2];
    }
    v9 = *(v6 - 12);
    v6[3] = v32 ^ *(v6 - 13);
    v7 = v8 ^ v9;
    n4 = n4_1 + 1;
    v6[5] = v33 ^ *(v6 - 11);
    v10 = v34 ^ *(v6 - 10);
    v6[4] = v7;
    v6[6] = v10;
    v6 += 4;
  }
  n0x20 = 0;
  v12 = v39;
  n0x20_1 = 0;
  do
  {
    v13 = (v40 + n0x20);
    if ( v40 + n0x20 > &v12->m128_u32[3] + 3 || (&v13->m128_u32[3] + 3) < v12 )
    {
      *v13 = _mm_xor_ps(*v13, *v12);
    }
    else
    {
      v14 = v40 + n0x20;
      v15 = v12 - v13;
      n16 = 16;
      do
      {
        v17 = v14[v15];
        *v14++ ^= v17;
        --n16;
      }
      while ( n16 );
    }
    sub_4010B0(v13, v37);
    v12 = v13;
    n0x20 = n0x20_1 + 16;
    n0x20_1 = n0x20;
  }
  while ( n0x20 < 0x20 );
  v18 = v41;
  v41[0] = xmmword_403270;
  v19 = v40;
  n28 = 28;
  v41[1] = xmmword_403280;
  while ( *v18 == *v19 )
  {
    v18 = (v18 + 4);
    v19 = (v19 + 4);
    v22 = n28 < 4;
    n28 -= 4;
    if ( v22 )
    {
      v21 = 0;
      goto LABEL_33;
    }
  }
  v22 = *v18 < *v19;
  if ( *v18 == *v19
    && (v23 = *(v18 + 1), v22 = v23 < *(v19 + 1), v23 == *(v19 + 1))
    && (v24 = *(v18 + 2), v22 = v24 < *(v19 + 2), v24 == *(v19 + 2))
    && (v25 = *(v18 + 3), v22 = v25 < *(v19 + 3), v25 == *(v19 + 3)) )
  {
    v21 = 0;
  }
  else
  {
    v21 = v22 ? -1 : 1;
  }
LABEL_33:
  n32 = 32;
  do
    --n32;
  while ( n32 );
  p_fake_flag = "yes";
  if ( v21 )
    p_fake_flag = "fake flag";
  printf(p_fake_flag, ArgList_1);
  printf("\n", ArgList_2);
  return 0;
}

首先说明了flag格式，遍历所有函数后确认这是略有魔改的AES算法128位密钥模式，那么main逻辑里面那个地方就是密钥扩展混淆逻辑。

可以确认xmmword_403270和xmmword_403280是目标密文

int __fastcall sub_4010B0(char *a1, int a2)
{
  int n4; // edx
  char *v4; // edi
  int v5; // esi
  int v6; // ebx
  char *v7; // ecx
  char v8; // al
  char *v9; // ebx
  int n4_1; // esi
  char v11; // cl
  char v12; // al
  char v13; // cl
  char v14; // al
  char v15; // cl
  char v16; // al
  char v17; // cl
  char *v18; // edi
  char v19; // bh
  char v20; // ch
  char v21; // dl
  char v22; // dh
  int n4_2; // edx
  _BYTE *v24; // esi
  char *v25; // eax
  char v26; // cl
  bool v27; // zf
  char v28; // cl
  int n4_3; // edx
  char v30; // al
  char v31; // cl
  char v32; // al
  char v33; // cl
  char v34; // al
  char v35; // cl
  char v36; // al
  int v37; // ecx
  char v38; // al
  int result; // eax
  int v41; // [esp+10h] [ebp-10h]
  int n9; // [esp+14h] [ebp-Ch]
  _BYTE *v43; // [esp+18h] [ebp-8h]
  char v44; // [esp+1Fh] [ebp-1h]

  n4 = 4;
  v4 = a1;
  v41 = a2;
  v5 = a2 + 3;
  v6 = a2 - a1;
  v7 = a1 + 1;
  do
  {
    v8 = *(v5 - 3);
    v5 += 4;
    *(v7 - 1) ^= v8;
    v7 += 4;
    *(v7 - 4) ^= v7[v6 - 4];
    *(v7 - 3) ^= *(v5 - 5);
    *(v7 - 2) ^= *(v5 - 4);
    --n4;
  }
  while ( n4 );
  v9 = v4 + 2;
  n9 = 9;
  v43 = (v41 + 18);
  do
  {
    sub_401050(v4);
    n4_1 = 4;
    v11 = v4[1];
    v4[1] = v4[5];
    v4[5] = v4[9];
    v4[9] = v4[13];
    v12 = v4[10];
    v4[13] = v11;
    v13 = *v9;
    *v9 = v12;
    v14 = v4[14];
    v4[10] = v13;
    v15 = v4[6];
    v4[6] = v14;
    v16 = v4[15];
    v4[14] = v15;
    v17 = v4[3];
    v4[3] = v16;
    v4[15] = v4[11];
    v4[11] = v4[7];
    v4[7] = v17 ^ 0x66;
    v18 = v9;
    do
    {
      v19 = v18[1];
      v18 += 4;
      v20 = *(v18 - 4);
      v21 = *(v18 - 5);
      v44 = *(v18 - 6);
      v22 = v21 ^ v44 ^ v20 ^ v19;
      *(v18 - 6) = v22 ^ v44 ^ (2 * (v21 ^ v44)) ^ (0x1B * ((v21 ^ v44) >> 7));
      *(v18 - 5) = v22 ^ v21 ^ (2 * (v20 ^ v21)) ^ (0x1B * ((v20 ^ v21) >> 7));
      *(v18 - 4) = v22 ^ v20 ^ (2 * (v20 ^ v19)) ^ (0x1B * ((v20 ^ v19) >> 7));
      *(v18 - 3) = v22 ^ v19 ^ (2 * (v19 ^ v44)) ^ (0x1B * ((v19 ^ v44) >> 7));
      --n4_1;
    }
    while ( n4_1 );
    v4 = a1;
    n4_2 = 4;
    v24 = v43;
    v9 = a1 + 2;
    v25 = a1 + 2;
    do
    {
      v25 += 4;
      *(v25 - 6) ^= *(v24 - 2);
      *(v25 - 5) ^= *(v24 - 1);
      *(v25 - 4) ^= *v24;
      v26 = v24[1];
      v24 += 4;
      *(v25 - 3) ^= v26;
      --n4_2;
    }
    while ( n4_2 );
    v27 = n9-- == 1;
    v43 = v24;
  }
  while ( !v27 );
  sub_401050(a1);
  v28 = a1[1];
  n4_3 = 4;
  a1[1] = a1[5];
  a1[5] = a1[9];
  a1[9] = a1[13];
  v30 = a1[10];
  a1[13] = v28;
  v31 = *v9;
  *v9 = v30;
  v32 = a1[14];
  a1[10] = v31;
  v33 = a1[6];
  a1[6] = v32;
  v34 = a1[15];
  a1[14] = v33;
  v35 = a1[3];
  a1[3] = v34;
  a1[15] = a1[11];
  v36 = a1[7];
  a1[7] = v35 ^ 0x66;
  a1[11] = v36;
  v37 = v41 + 161;
  do
  {
    v38 = *(v37 - 1);
    v37 += 4;
    *(v9 - 2) ^= v38;
    v9 += 4;
    *(v9 - 5) ^= *(v37 - 4);
    *(v9 - 4) ^= *(v37 - 3);
    result = *(v37 - 2);
    *(v9 - 3) ^= result;
    --n4_3;
  }
  while ( n4_3 );
  return result;
}

可知sub_4010B0为AES算法中的轮换和列混淆函数。现在来看看传参，这个函数传入了v13和v37，由于main逻辑存在以下代码

n0x20 = 0;
v12 = v39;
n0x20_1 = 0;
do
{
  v13 = (v40 + n0x20);
  if ( v40 + n0x20 > &v12->m128_u32[3] + 3 || (&v13->m128_u32[3] + 3) < v12 )
  {
    *v13 = _mm_xor_ps(*v13, *v12);
  }
  else
  {
    v14 = v40 + n0x20;
    v15 = v12 - v13;
    n16 = 16;
    do
    {
      v17 = v14[v15];
      *v14++ ^= v17;
      --n16;
    }
    while ( n16 );

可以推断v13为输入明文，而由于这个mm_xor_ps()是SSE指令，作用是将128位寄存器按位异或存储到另一个寄存器上，即v13^=v12，所以v12，即v39，就是初始向量。if的条件判断是放溢出，保证数据安全，无需过多在意。那么此时就可以确定v37是密钥。

那么现在我们密钥，初始向量，密文都有了，由于密钥混淆扩展函数写在main逻辑里面，那么那里的byte_403258就无疑是轮常数了。好，现在数据全齐，逻辑也大多摸清楚。检查魔改。

发现在轮换逻辑中

sub_401050(v4);
n4_1 = 4;
v11 = v4[1];
v4[1] = v4[5];
v4[5] = v4[9];
v4[9] = v4[13];
v12 = v4[10];
v4[13] = v11;
v13 = *v9;
*v9 = v12;
v14 = v4[14];
v4[10] = v13;
v15 = v4[6];
v4[6] = v14;
v16 = v4[15];
v4[14] = v15;
v17 = v4[3];
v4[3] = v16;
v4[15] = v4[11];
v4[11] = v4[7];
v4[7] = v17 ^ 0x66;
v18 = v9;

与普通的AES轮换不同，这里异或了一个常数0x66。函数sub_401050为

char *__thiscall sub_401050(char *this)
{
  char *result; // eax
  int n4; // edx
  int v3; // ecx

  result = this + 2;
  n4 = 4;
  do
  {
    v3 = *(result - 2);
    result += 4;
    *(result - 6) = byte_403158[v3];
    *(result - 5) = byte_403158[*(result - 5)];
    *(result - 4) = byte_403158[*(result - 4)];
    *(result - 3) = byte_403158[*(result - 3)];
    --n4;
  }
  while ( n4 );
  return result;
}

那么很明显这个就是标准的S盒查表替换混淆。

最终逆向脚本如下

#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* ===========================
   AES-128 CBC Decrypt (Magic)
   =========================== */

static const uint8_t sbox[256] = {
    0x63,0x1E,0x77,0x7B,0xF2,0x6B,0x6F,0xC5,0x30,0x01,0x67,0x2B,0xFE,0xD7,0xAB,0x76,
    0xCA,0x82,0xC9,0x7D,0xFA,0x59,0x47,0xF0,0xAD,0xD4,0xA2,0xAF,0x9C,0xA4,0x72,0xC0,
    0xB7,0xFD,0x93,0x26,0x36,0x3F,0xF7,0xCC,0x34,0xA5,0xE5,0xF1,0x71,0xD8,0x31,0x15,
    0x04,0xC7,0x23,0xC3,0x18,0x96,0x05,0x9A,0x07,0x12,0x80,0xE2,0xEB,0x27,0xB2,0x75,
    0x09,0x83,0x2C,0x1A,0x1B,0x6E,0x5A,0xA0,0x52,0x3B,0xD6,0xB3,0x29,0xE3,0x2F,0x84,
    0x53,0xD1,0x00,0xED,0x20,0xFC,0xB1,0x5B,0x6A,0xCB,0xBE,0x39,0x4A,0x4C,0x58,0xCF,
    0xD0,0xEF,0xAA,0xFB,0x43,0x4D,0x33,0x85,0x45,0xF9,0x02,0x7F,0x50,0x3C,0x9F,0xA8,
    0x51,0xA3,0x40,0x8F,0x92,0x9D,0x38,0xF5,0xBC,0xB6,0xDA,0x21,0x10,0xFF,0xF3,0xD2,
    0xCD,0x0C,0x13,0xEC,0x5F,0x97,0x44,0x17,0xC4,0xA7,0x7E,0x3D,0x64,0x5D,0x19,0x73,
    0x60,0x81,0x4F,0xDC,0x22,0x2A,0x90,0x88,0x46,0xEE,0xB8,0x14,0xDE,0x5E,0x0B,0xDB,
    0xE0,0x32,0x3A,0x0A,0x49,0x06,0x24,0x5C,0xC2,0xD3,0xAC,0x62,0x91,0x95,0xE4,0x79,
    0xE7,0xC8,0x37,0x6D,0x8D,0xD5,0x4E,0xA9,0x6C,0x56,0xF4,0xEA,0x65,0x7A,0xAE,0x08,
    0xBA,0x78,0x25,0x2E,0x1C,0xA6,0xB4,0xC6,0xE8,0xDD,0x74,0x1F,0x4B,0xBD,0x8B,0x8A,
    0x70,0x3E,0xB5,0x66,0x48,0x03,0xF6,0x0E,0x61,0x35,0x57,0xB9,0x86,0xC1,0x1D,0x9E,
    0xE1,0xF8,0x98,0x11,0x69,0xD9,0x8E,0x94,0x9B,0x7C,0x87,0xE9,0xCE,0x55,0x28,0xDF,
    0x8C,0xA1,0x89,0x0D,0xBF,0xE6,0x42,0x68,0x41,0x99,0x2D,0x0F,0xB0,0x54,0xBB,0x16
};

static uint8_t inv_sbox[256];
static const uint8_t Rcon[11] = {0x07,0x09,0x12,0x04,0x08,0x10,0x21,0x40,0x88,0x1B,0x36};

/* ===== Init InvSbox ===== */
static void InitInvSBox() {
    for(int i=0;i<256;i++)
        inv_sbox[sbox[i]] = i;
}

static uint8_t xtime(uint8_t x) {
    return (x << 1) ^ ((x >> 7) * 0x1B);
}


/* ===== GF Multiply ===== */
static uint8_t gmul(uint8_t x, uint8_t m) {

    uint8_t x2 = xtime(x);      // x * 2
    uint8_t x4 = xtime(x2);     // x * 4
    uint8_t x8 = xtime(x4);     // x * 8

    if (m == 0x09) return x8 ^ x;           // 8x + x
    if (m == 0x0B) return x8 ^ x2 ^ x;      // 8x + 2x + x
    if (m == 0x0D) return x8 ^ x4 ^ x;      // 8x + 4x + x
    if (m == 0x0E) return x8 ^ x4 ^ x2;     // 8x + 4x + 2x

    return 0;
}


/* ===== KeyExpansion ===== */
static void KeyExpansion(const uint8_t *key, uint8_t *RoundKey) {
    memcpy(RoundKey, key, 16);

    uint8_t temp[4];
    int rcon_idx = 1;

    for(int i=16;i<176;i+=4) {
        memcpy(temp, RoundKey+i-4, 4);

        if(i % 16 == 0) {
            uint8_t t=temp[0];
            temp[0]=temp[1];
            temp[1]=temp[2];
            temp[2]=temp[3];
            temp[3]=t;

            temp[0]=sbox[temp[0]];
            temp[1]=sbox[temp[1]];
            temp[2]=sbox[temp[2]];
            temp[3]=sbox[temp[3]];

            temp[0] ^= Rcon[rcon_idx++];
        }

        for(int j=0;j<4;j++)
            RoundKey[i+j] = RoundKey[i-16+j] ^ temp[j];
    }
}

/* ===== AddRoundKey ===== */
static void AddRoundKey(uint8_t *state, uint8_t *rk) {
    for(int i=0;i<16;i++)
        state[i] ^= rk[i];
}

/* ===== InvSubBytes ===== */
static void InvSubBytes(uint8_t *state) {
    for(int i=0;i<16;i++)
        state[i] = inv_sbox[state[i]];
}

/* ===== InvShiftRows + Magic ===== */
static void InvShiftRows_Magic(uint8_t *s) {
    uint8_t tmp[16];
    memcpy(tmp,s,16);

    s[1]=tmp[13]; s[5]=tmp[1]; s[9]=tmp[5]; s[13]=tmp[9];
    s[2]=tmp[10]; s[6]=tmp[14]; s[10]=tmp[2]; s[14]=tmp[6];

    s[3]=tmp[7]^0x66;
    s[7]=tmp[11];
    s[11]=tmp[15];
    s[15]=tmp[3];
}

/* ===== InvMixColumns ===== */
static void InvMixColumns(uint8_t *s) {
    uint8_t t[16];
    for(int c=0;c<4;c++) {
        int i=c*4;
        t[i+0]=gmul(s[i],0x0e)^gmul(s[i+1],0x0b)^gmul(s[i+2],0x0d)^gmul(s[i+3],0x09);
        t[i+1]=gmul(s[i],0x09)^gmul(s[i+1],0x0e)^gmul(s[i+2],0x0b)^gmul(s[i+3],0x0d);
        t[i+2]=gmul(s[i],0x0d)^gmul(s[i+1],0x09)^gmul(s[i+2],0x0e)^gmul(s[i+3],0x0b);
        t[i+3]=gmul(s[i],0x0b)^gmul(s[i+1],0x0d)^gmul(s[i+2],0x09)^gmul(s[i+3],0x0e);
    }
    memcpy(s,t,16);
}

/* ===== AES Block Decrypt ===== */
static void AES_decrypt_block(uint8_t *block, uint8_t *rk) {
    AddRoundKey(block, rk+160);

    for(int round=9; round>=1; round--) {
        InvShiftRows_Magic(block);
        InvSubBytes(block);
        AddRoundKey(block, rk+round*16);
        InvMixColumns(block);
    }

    InvShiftRows_Magic(block);
    InvSubBytes(block);
    AddRoundKey(block, rk);
}

/* ===========================
   Main CBC Decrypt
   =========================== */
int main() {
    InitInvSBox();

    uint8_t key[16] = {
        0x01,0x22,0x02,0xF3,
        0x44,0xF5,0xE6,0xF7,
        0xA8,0xB9,0x0A,0x0B,
        0xAC,0xCD,0xEE,0xFF
    };

    uint8_t iv[16] = {
        0x3A,0xF1,0x8C,0x27,
        0xD4,0x9B,0x60,0xE2,
        0x11,0x5D,0xA7,0xC3,
        0x7F,0x09,0xB8,0x4E
    };

    uint8_t ciphertext[32] = {
        0x2B,0x1B,0xC9,0x99,0xBE,0xBD,0xE6,0x85,
        0x30,0xC9,0x09,0x10,0x26,0x3C,0xF3,0x26,
        0x62,0xE7,0xD0,0xED,0xE0,0x9F,0x07,0xCF,
        0x3E,0x7E,0x21,0xBD,0xF7,0x29,0x11,0x9E
    };

    uint8_t RoundKey[176];
    KeyExpansion(key, RoundKey);

    uint8_t flag[33]={0};
    uint8_t block[16];

    /* Block1 */
    memcpy(block,ciphertext,16);
    AES_decrypt_block(block,RoundKey);
    for(int i=0;i<16;i++)
        flag[i]=block[i]^iv[i];

    /* Block2 */
    memcpy(block,ciphertext+16,16);
    AES_decrypt_block(block,RoundKey);
    for(int i=0;i<16;i++)
        flag[16+i]=block[i]^ciphertext[i];

    printf("Flag: %s\n",flag);
    return 0;
}

噢噢对，值得注意的一点是，这里的轮换函数与标准的AES也不同，所以在逆向的时候需要按着IDA里面的逻辑来，以及异或的位置不要放错了。

TIP

AES在128，192和256模式中，除了上文提及的区别外，还有在执行时的总循环次数也是不一样的，128是10次，192是12次，256是14次。

附录

https://pan.quark.cn/s/593a5034540b

再次提醒，所谓的密钥长度只不过更改了密钥扩展函数和总体循环次数，所以需要修改的地方不多，这里只提供128长度的完整代码。