AES加密算法逆向识别与实战分析<\/h1>

1. AES加密算法概述<\/h2>

AES(Advanced Encryption Standard)又称Rijndael加密法，是用于取代DES的对称加密算法，具有以下特点：<\/p>

分组大小为128位的分组密码<\/li>
支持三种密钥长度：128位、192位和256位<\/li>
软硬件实现高效<\/li>
加密轮数：128位10轮、192位12轮、256位14轮<\/li>

明文长度必须是16的倍数，不足时需要填充<\/li> <\/ul>

1.1 填充模式<\/h3>

常见填充模式包括：<\/p>

NONE<\/li>
PKCS7<\/li>
ZERO<\/li>
ANSI923<\/li>
IOS7816_4<\/li>

IOS10126<\/li> <\/ul>

2. AES加密流程详解<\/h2>

2.1 加密过程概述<\/h3>

完整加密流程分为三个阶段：<\/p>

初始轮(1)<\/strong>：<\/p>

AddRoundKey：明文矩阵与第一轮密钥异或<\/li> <\/ul> <\/li>

中间轮(2~9\/11\/13)<\/strong>：<\/p>

SubBytes：字节替换<\/li>
ShiftRows：行移位<\/li>
MixColumns：列混淆<\/li>
AddRoundKey：轮密钥加<\/li> <\/ul> <\/li>

最终轮(10\/12\/14)<\/strong>：<\/p>

SubBytes<\/li>
ShiftRows<\/li>
AddRoundKey<\/li> <\/ul> <\/li> <\/ol>
2.2 核心组件<\/h3>
2.2.1 State(状态矩阵)<\/h4>

将明文数据分成多个4×4的数据块<\/li>
第一个字节位于第一列第一行，第二个字节位于第一列第二行，以此类推<\/li> <\/ul>
2.2.2 S盒(S-Box)<\/h4>

用于SubBytes操作的替换表<\/li>
加密使用S-Box，解密使用逆S-Box<\/li>
标准AES提供固定的S-Box表<\/li> <\/ul>
2.2.3 密钥扩展(Key Expansion)<\/h4>
将原始密钥扩展为轮密钥数组：<\/p>
# Round Constants (AES-128)<\/span> <\/span><\/span>RCON =<\/span> [None<\/span>, 0x01<\/span>, 0x02<\/span>, 0x04<\/span>, 0x08<\/span>, 0x10<\/span>, 0x20<\/span>, 0x40<\/span>, 0x80<\/span>, 0x1B<\/span>, 0x36<\/span>] <\/span><\/span> <\/span><\/span>def<\/span> subword<\/span>(self, word): <\/span><\/span> """AES SubWord方法"""<\/span> <\/span><\/span> bs =<\/span> struct.<\/span>pack('>I'<\/span>, word) <\/span><\/span> nw =<\/span> [] <\/span><\/span> for<\/span> b in<\/span> bs: <\/span><\/span> nw.<\/span>append(self.<\/span>s_box[b]) <\/span><\/span> nw =<\/span> struct.<\/span>unpack('>I'<\/span>, bytes(nw))[0<\/span>] <\/span><\/span> return<\/span> nw <\/span><\/span> <\/span><\/span>def<\/span> rotword<\/span>(self, word): <\/span><\/span> """AES RotateWord方法"""<\/span> <\/span><\/span> bs =<\/span> list(struct.<\/span>pack('>I'<\/span>, word)) <\/span><\/span> bs.<\/span>append(bs.<\/span>pop(0<\/span>)) <\/span><\/span> nw =<\/span> struct.<\/span>unpack('>I'<\/span>, bytes(bs))[0<\/span>] <\/span><\/span> return<\/span> nw <\/span><\/span> <\/span><\/span>def<\/span> key_expansion<\/span>(self, key): <\/span><\/span> """AES密钥扩展算法"""<\/span> <\/span><\/span> ek =<\/span> [] <\/span><\/span> i =<\/span> 0<\/span> <\/span><\/span> <\/span><\/span> # 保存原始密钥<\/span> <\/span><\/span> while<\/span> i <<\/span> 4<\/span>: # AES-128为4个字<\/span> <\/span><\/span> b =<\/span> bytes(key[i*<\/span>4<\/span>:(i*<\/span>4<\/span>)+<\/span>4<\/span>]) <\/span><\/span> w =<\/span> struct.<\/span>unpack('>I'<\/span>, b)[0<\/span>] <\/span><\/span> ek.<\/span>append(w) <\/span><\/span> i +=<\/span> 1<\/span> <\/span><\/span> <\/span><\/span> # 生成扩展密钥<\/span> <\/span><\/span> while<\/span> i <<\/span> 44<\/span>: # AES-128生成44个字<\/span> <\/span><\/span> tmp =<\/span> ek[i-<\/span>1<\/span>] <\/span><\/span> if<\/span> i %<\/span> 4<\/span> ==<\/span> 0<\/span>: <\/span><\/span> rcon_val =<\/span> struct.<\/span>unpack('>I'<\/span>, bytes([self.<\/span>RCON[i\/\/<\/span>4<\/span>], 0<\/span>, 0<\/span>, 0<\/span>]))[0<\/span>] <\/span><\/span> tmp =<\/span> self.<\/span>subword(self.<\/span>rotword(tmp)) ^<\/span> rcon_val <\/span><\/span> nw =<\/span> tmp ^<\/span> ek[i-<\/span>4<\/span>] <\/span><\/span> ek.<\/span>append(nw) <\/span><\/span> i +=<\/span> 1<\/span> <\/span><\/span> return<\/span> ek <\/span><\/span><\/code><\/pre>2.3 加密操作详解<\/h3> 2.3.1 AddRoundKey(轮密钥加)<\/h4> 将数据矩阵与密钥矩阵进行逐字节异或：<\/p> def<\/span> add_round_key<\/span>(s, k): <\/span><\/span> for<\/span> i in<\/span> range(4<\/span>): <\/span><\/span> for<\/span> j in<\/span> range(4<\/span>): <\/span><\/span> s[i][j] ^=<\/span> k[i][j] <\/span><\/span><\/code><\/pre>2.3.2 SubBytes(字节替换)<\/h4> 使用S-Box进行字节替换：<\/p> def<\/span> sub_bytes<\/span>(s): <\/span><\/span> for<\/span> i in<\/span> range(4<\/span>): <\/span><\/span> for<\/span> j in<\/span> range(4<\/span>): <\/span><\/span> s[i][j] =<\/span> s_box[s[i][j]] <\/span><\/span><\/code><\/pre>2.3.3 ShiftRows(行移位)<\/h4> 第一行不变<\/li> 第二行左移1字节<\/li> 第三行左移2字节<\/li> 第四行左移3字节<\/li> <\/ul> def<\/span> shift_rows<\/span>(grid, inv=<\/span>False<\/span>): <\/span><\/span> for<\/span> i in<\/span> range(4<\/span>): <\/span><\/span> if<\/span> inv: # 解密<\/span> <\/span><\/span> grid[i::4<\/span>] =<\/span> grid[i::4<\/span>][-<\/span>i:] +<\/span> grid[i::4<\/span>][:-<\/span>i] <\/span><\/span> else<\/span>: # 加密<\/span> <\/span><\/span> grid[i::4<\/span>] =<\/span> grid[i::4<\/span>][i:] +<\/span> grid[i::4<\/span>][:i] <\/span><\/span><\/code><\/pre>2.3.4 MixColumns(列混淆)<\/h4> 在GF(2^8)有限域做矩阵乘法：<\/p> def<\/span> mix_columns<\/span>(grid): <\/span><\/span> def<\/span> mul_by_2<\/span>(n): <\/span><\/span> s =<\/span> (n <<<\/span> 1<\/span>) &<\/span> 0xff<\/span> <\/span><\/span> if<\/span> n &<\/span> 128<\/span>: <\/span><\/span> s ^=<\/span> 0x1b<\/span> <\/span><\/span> return<\/span> s <\/span><\/span> <\/span><\/span> def<\/span> mul_by_3<\/span>(n): <\/span><\/span> return<\/span> n ^<\/span> mul_by_2(n) <\/span><\/span> <\/span><\/span> def<\/span> mix_column<\/span>(c): <\/span><\/span> return<\/span> [ <\/span><\/span> mul_by_2(c[0<\/span>]) ^<\/span> mul_by_3(c[1<\/span>]) ^<\/span> c[2<\/span>] ^<\/span> c[3<\/span>], <\/span><\/span> c[0<\/span>] ^<\/span> mul_by_2(c[1<\/span>]) ^<\/span> mul_by_3(c[2<\/span>]) ^<\/span> c[3<\/span>], <\/span><\/span> c[0<\/span>] ^<\/span> c[1<\/span>] ^<\/span> mul_by_2(c[2<\/span>]) ^<\/span> mul_by_3(c[3<\/span>]), <\/span><\/span> mul_by_3(c[0<\/span>]) ^<\/span> c[1<\/span>] ^<\/span> c[2<\/span>] ^<\/span> mul_by_2(c[3<\/span>]) <\/span><\/span> ] <\/span><\/span> <\/span><\/span> for<\/span> i in<\/span> range(0<\/span>, 16<\/span>, 4<\/span>): <\/span><\/span> grid[i:i+<\/span>4<\/span>] =<\/span> mix_column(grid[i:i+<\/span>4<\/span>]) <\/span><\/span><\/code><\/pre>3. AES优化实现：T表(T-Table)方法<\/h2> 为提高效率，将MixColumns、ShiftRows和SubBytes合并为查找表操作。<\/p> 3.1 T表生成<\/h3> def<\/span> gmul<\/span>(a, b): <\/span><\/span> """AES专用乘法函数"""<\/span> <\/span><\/span> p =<\/span> 0<\/span> <\/span><\/span> for<\/span> c in<\/span> range(8<\/span>): <\/span><\/span> if<\/span> b &<\/span> 1<\/span>: <\/span><\/span> p ^=<\/span> a <\/span><\/span> a <<=<\/span> 1<\/span> <\/span><\/span> if<\/span> a &<\/span> 0x100<\/span>: <\/span><\/span> a ^=<\/span> 0x11b<\/span> <\/span><\/span> b >>=<\/span> 1<\/span> <\/span><\/span> return<\/span> p <\/span><\/span> <\/span><\/span>def<\/span> generate_t_tables<\/span>(self): <\/span><\/span> """生成AES查找表方法使用的T表"""<\/span> <\/span><\/span> self.<\/span>t1 =<\/span> [] <\/span><\/span> self.<\/span>t2 =<\/span> [] <\/span><\/span> self.<\/span>t3 =<\/span> [] <\/span><\/span> self.<\/span>t4 =<\/span> [] <\/span><\/span> self.<\/span>t5 =<\/span> [] <\/span><\/span> <\/span><\/span> for<\/span> i in<\/span> range(len(self.<\/span>s_box)): <\/span><\/span> word1 =<\/span> [gmul(self.<\/span>s_box[i], 2<\/span>), self.<\/span>s_box[i], self.<\/span>s_box[i], gmul(self.<\/span>s_box[i], 3<\/span>)] <\/span><\/span> word2 =<\/span> [gmul(self.<\/span>s_box[i], 3<\/span>), gmul(self.<\/span>s_box[i], 2<\/span>), self.<\/span>s_box[i], self.<\/span>s_box[i]] <\/span><\/span> word3 =<\/span> [self.<\/span>s_box[i], gmul(self.<\/span>s_box[i], 3<\/span>), gmul(self.<\/span>s_box[i], 2<\/span>), self.<\/span>s_box[i]] <\/span><\/span> word4 =<\/span> [self.<\/span>s_box[i], self.<\/span>s_box[i], gmul(self.<\/span>s_box[i], 3<\/span>), gmul(self.<\/span>s_box[i], 2<\/span>)] <\/span><\/span> word5 =<\/span> [self.<\/span>s_box[i]] *<\/span> 4<\/span> <\/span><\/span> <\/span><\/span> self.<\/span>t1.<\/span>append(struct.<\/span>unpack('>I'<\/span>, bytes(word1))[0<\/span>]) <\/span><\/span> self.<\/span>t2.<\/span>append(struct.<\/span>unpack('>I'<\/span>, bytes(word2))[0<\/span>]) <\/span><\/span> self.<\/span>t3.<\/span>append(struct.<\/span>unpack('>I'<\/span>, bytes(word3))[0<\/span>]) <\/span><\/span> self.<\/span>t4.<\/span>append(struct.<\/span>unpack('>I'<\/span>, bytes(word4))[0<\/span>]) <\/span><\/span> self.<\/span>t5.<\/span>append(struct.<\/span>unpack('>I'<\/span>, bytes(word5))[0<\/span>]) <\/span><\/span><\/code><\/pre>3.2 基于T表的加密实现<\/h3> def<\/span> cipher_t_table<\/span>(self, pt): <\/span><\/span> """查找表实现的AES加密"""<\/span> <\/span><\/span> ct =<\/span> [] <\/span><\/span> around_key =<\/span> [0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>] <\/span><\/span> tmp =<\/span> [0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>] <\/span><\/span> <\/span><\/span> # 初始化轮密钥<\/span> <\/span><\/span> around_key[0<\/span>] =<\/span> struct.<\/span>unpack('>I'<\/span>, pt[0<\/span>:4<\/span>])[0<\/span>] ^<\/span> self.<\/span>ek[0<\/span>] <\/span><\/span> around_key[1<\/span>] =<\/span> struct.<\/span>unpack('>I'<\/span>, pt[4<\/span>:8<\/span>])[0<\/span>] ^<\/span> self.<\/span>ek[1<\/span>] <\/span><\/span> around_key[2<\/span>] =<\/span> struct.<\/span>unpack('>I'<\/span>, pt[8<\/span>:12<\/span>])[0<\/span>] ^<\/span> self.<\/span>ek[2<\/span>] <\/span><\/span> around_key[3<\/span>] =<\/span> struct.<\/span>unpack('>I'<\/span>, pt[12<\/span>:16<\/span>])[0<\/span>] ^<\/span> self.<\/span>ek[3<\/span>] <\/span><\/span> <\/span><\/span> # 前9轮加密<\/span> <\/span><\/span> for<\/span> round in<\/span> range(1<\/span>, 10<\/span>): <\/span><\/span> for<\/span> i in<\/span> range(4<\/span>): <\/span><\/span> tmp[i] =<\/span> (self.<\/span>t1[(around_key[i] >><\/span> 24<\/span>) &<\/span> 0xff<\/span>] ^<\/span> <\/span><\/span> self.<\/span>t2[(around_key[(i+<\/span>1<\/span>)%<\/span>4<\/span>] >><\/span> 16<\/span>) &<\/span> 0xff<\/span>] ^<\/span> <\/span><\/span> self.<\/span>t3[(around_key[(i+<\/span>2<\/span>)%<\/span>4<\/span>] >><\/span> 8<\/span>) &<\/span> 0xff<\/span>] ^<\/span> <\/span><\/span> self.<\/span>t4[(around_key[(i+<\/span>3<\/span>)%<\/span>4<\/span>]) &<\/span> 0xff<\/span>] ^<\/span> <\/span><\/span> self.<\/span>ek[(round*<\/span>4<\/span>)+<\/span>i]) <\/span><\/span> around_key =<\/span> tmp.<\/span>copy() <\/span><\/span> <\/span><\/span> # 最后一轮加密<\/span> <\/span><\/span> for<\/span> i in<\/span> range(4<\/span>): <\/span><\/span> ct.<\/span>append(self.<\/span>s_box[(around_key[i] >><\/span> 24<\/span>) &<\/span> 0xff<\/span>] ^<\/span> ((self.<\/span>ek[-<\/span>4<\/span>+<\/span>i] >><\/span> 24<\/span>) &<\/span> 0xff<\/span>)) <\/span><\/span> ct.<\/span>append(self.<\/span>s_box[(around_key[(i+<\/span>1<\/span>)%<\/span>4<\/span>] >><\/span> 16<\/span>) &<\/span> 0xff<\/span>] ^<\/span> ((self.<\/span>ek[-<\/span>4<\/span>+<\/span>i] >><\/span> 16<\/span>) &<\/span> 0xff<\/span>)) <\/span><\/span> ct.<\/span>append(self.<\/span>s_box[(around_key[(i+<\/span>2<\/span>)%<\/span>4<\/span>] >><\/span> 8<\/span>) &<\/span> 0xff<\/span>] ^<\/span> ((self.<\/span>ek[-<\/span>4<\/span>+<\/span>i] >><\/span> 8<\/span>) &<\/span> 0xff<\/span>)) <\/span><\/span> ct.<\/span>append(self.<\/span>s_box[(around_key[(i+<\/span>3<\/span>)%<\/span>4<\/span>]) &<\/span> 0xff<\/span>] ^<\/span> ((self.<\/span>ek[-<\/span>4<\/span>+<\/span>i]) &<\/span> 0xff<\/span>)) <\/span><\/span> <\/span><\/span> return<\/span> bytes(ct) <\/span><\/span><\/code><\/pre>4. AES逆向识别实战<\/h2> 4.1 强网拟态2024 babyre题目分析<\/h3> 识别加密函数<\/strong>：<\/p> 主函数调用sub_401550进行解密<\/li> sub_401bce被调用3次，疑似AddRoundKey操作<\/li> <\/ul> <\/li> 识别S-Box<\/strong>：<\/p> 作者将S-Box写成4字节间隔，增加识别难度<\/li> 可通过标准S-Box交叉验证<\/li> <\/ul> <\/li> 识别密钥扩展<\/strong>：<\/p> 查找轮常量(RCON)特征<\/li> 识别密钥扩展函数中的S-Box替换和轮常量异或操作<\/li> <\/ul> <\/li> <\/ol> 4.2 Sodinokibi勒索软件分析<\/h3> 识别T表<\/strong>：<\/p> 计算T表前4字节：0xc66363a5, 0xa5c66363, 0x63a5c663, 0x6363a5c6<\/li> 在IDA中搜索这些特征值定位T表<\/li> <\/ul> <\/li> 识别加密流程<\/strong>：<\/p> 跟踪T表的使用位置<\/li> 识别轮密钥加操作<\/li> 根据轮数判断AES版本(128\/192\/256)<\/li> <\/ul> <\/li> <\/ol> 5. 逆向识别技巧总结<\/h2> 识别S-Box<\/strong>：<\/p> 查找256字节的固定表<\/li> 标准S-Box以0x63开头<\/li> <\/ul> <\/li> 识别轮常量(RCON)<\/strong>：<\/p> 查找0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36序列<\/li> <\/ul> <\/li> 识别T表<\/strong>：<\/p> 查找4个256项的查找表<\/li> 计算前几项验证是否为T表<\/li> <\/ul> <\/li> 判断AES版本<\/strong>：<\/p> 根据轮数：10轮(AES-128), 12轮(AES-192), 14轮(AES-256)<\/li> 根据密钥扩展后的轮密钥数量<\/li> <\/ul> <\/li> 识别加密模式<\/strong>：<\/p> ECB模式：相同的明文块产生相同的密文块<\/li> CBC模式：需要初始向量(IV)，状态矩阵作为下一轮输入<\/li> <\/ul> <\/li> <\/ol> 6. 参考资源<\/h2> AES标准文档<\/a><\/li> OpenSSL AES实现<\/a><\/li> AES可视化工具<\/a><\/li> <\/ol>