byd APP逆向(AES白盒分析)
BYD 逆向
包名: com.byd.aeri.caranywhere
接口分析
https://dilinkappserver-cn.byd.auto/app/auth/loginPOST{"request": "FG7zvCpTEprDTez3LK7OuzDuFk9vgIgKi4qvd2JkmB25PtXlpJ+R1e0ZVr5uQu5TY+XNWbOlisMR7LF7ZQ7CnZ6SB3/Qdzyikf78XpE1zZqenhiiLmrup1L1rjec7ixspl7J9m4ZhcHXTdqWUIhOzRS0jr0lDXrN9gq6ryLbTPz7FZbT/+UhI1x6s/YwUHJk7uVuOO8A7QRaQCr7D2MGHJUiG3dNMHKiD6OsAS6tVwGyHw9j0RxXQaU6da0URr0WdZPM9JwS29yz02kOl7vy4qHnCtsIy5NwbX6A8KvodIGBQH6kyiVkqiBeA9RWUPEr4/j7W0KOLg819OA5x8Gzw99Z4RMvB8z6Jx/x1WLGWu9LsMxvHFjlOQn5fzwG/yB5MNGoax4Vg0/3pIjHsQ81QQnBK22otZY8YVTTOsGbP5x0jI9L9wGaHK8UU8Hn9d6U2/YC6pp8bc9iGyHGpcJxu8AXl7GYA3VpsTh3VPLCD6L9J1O1fjugvYn3ihNft6WGQzuhvKw7jYHi6tKOCZWVOecOGNOA9g5SCjJklb2CB8VNq1/riT0nPtjfQiHquo85OcpUszutvDrZp7xLAVAt6R7d8r5uCayBrHDsPIx0RD8CyGLEVZF78/azaUCEpUXfttxKKT7JPutPt6f1A0v51dWfP3VvTe14mxD1CiXA1DyqBDRvBx8L1jSy6byrgBuyHlGRw3OvvrdLpsXZYu5s3qCUD3lFoEnbgpOGRIa3a36cDxbipkCqLHQ39zZtw35S4WEf8fNr5ghPD1oOsCJEAM0FkPquqE4QoHKoP8IWvVxzpdt3dSXaXWR64FHDSgBw4UpTzTqcWTYc2moedufJltnYE5+BzHGya9iCR0JViTKQscajqX8Q5q6RQB5nyfGahWTLyjq7Yi5Ifo4nh40NFGk1UarsXbxWWEqnY3kMbHdCwrdijMnKbQj7nRrpLCotfql6mypAJxZ0j5xN/VM72wa38pWgtgpWu/iivLeNdIbDGI6Jphz1LN8VOAo47Za9CEOyB/Oh9NRTEFQ9WEeE3UYQruLl/7aAYV1Hgmod6k5FC5ULdy9e1tdspfuPAcRFSagf7ShG9a9THF+OJGtyM4IUSyv9faKJbReQ8F7Do53xg0U7dpWXoq20jIOTP9JBqVnlAzqXC+rdol3gNylR18qPOpMCi2lYg5wcDBrs5VbC3CK4+7/4N2HtQ0GDz6Xh5ZbtJ6I30RxxFsAx1GRqmflsA1Nc8f506Y1+qN50Fl/gyUALMldXOqip/s9t9Fe+rZr38pS2Vr6C4wKVIZxEs33zndsI50u7yeJZ2a3XP08zBUQtZu7sB/jC3DX1Rnweedpmb5Png/VxB7sIFez9+aGzfnN4kA7+jURuKANVmhNmLqqohs2k8O6Xxn5Wu0BpdmclPkqZSBUOYRDqeORKGEvWy6l5/07e5jdPMjL2peWRFkhKzHOWQ998qxneXLf3Acg55oNRUs7XQYDMQXTPgW+/TT2vLYLKSCk69EW6NF95wTvMxkLM1TWY72Okkh00OVX5r6DfiapoIINU1dD2NdeMbhm3Exvjd7HSkumxrU7PT0wNXsydKAZrK4Kms3yrDy7bNK5uYDZ/zDjND/4cVfMN8b0M0dpUuzL6DKvEa4LxcgsHklWNiiyi4+yJ7I6pbeFR4pLNxSo8rwA9U+qpUNMz0xulAKNdszRQZaAcYLl/L4kbrGAQzJsR8m1+mrG5F4qlH6DKR2Ddio95UvdOqCK0yhV4ZuogjNSZSDN4bZR8Y8u1Awo7ElB0kN7/BcBLJw05JDPYULpRsQmirYwrOGS3Kib/4j3RlGMFMVbEhoOtdxTdk9CPpOWz+ns1O9/5Top9XZQi04Sew67on6UfYaQ=="
}{"response": "Fel63A3fJsBnqDNoqrf3sNRYntlgl2bMzWrA56aEQZRggnMBao9z1ds1G/TqV2TMwrRu1wovdv5AwWkDlpdqO0A=="
}
发现请求被加密 返回也被加密
request定位
jsonObject.addProperty("request", checkcode);
request 分析
String checkcode = BaseApplication.baseApplication.checkCodeUtil.checkcode("F" + b, 1);
跟进 checkcode
public native String checkcode(String str, int i, String str2);hook checkcode
[Remote::com.byd.aeri.caranywhere ]-> CheckCodeUtil.checkcode is called: str=F{"encryData":"949563ADA4143C41147A2034A9C0E8927F8574D8CBEE7C9E014DE4B25D77CB7DC360F64DA2C897655FFFCD928787B0E7CF475DA8A04C4EE43898B3ABB8317D77A7B6B8E2E6277287F0822CF9963A862B98614688B7F6834FE7AEDE3C50889E4FFF25A419730D7E7304D50942F5A56A87ECCE4959383C07C91AF61A7A1CAFD8CE7DD4D2703759E908D010C0463F3B84931B97D54E388F1212CE4B08923233839F2489F99B1CBB11DEB0B1D34280C6E1D2F37305578E7929F4D0333E29A32C4B5FE4391EE593A1851FD72D1F419935818DA14F53DD511DBF1C7904B66AFDA73280224CC821E08DA96FD8C48D84DB94E64DE3230C9EF6BB51F92C27229D9541EBF3A59A363A374CFDE7EB4CC1E5CDACBD85DC10A3D8F6E59474B06B634A194B9703F409696C46F0B871D2F903734E5E8DF4E58F400247016B32B6482F244156459AE4B8817420E578A0F2F9192596B785A91DFD7D523B4E68424B505A2A6B845BA48236FB0F67606A75EEBF0AC4235C33411BAFA6B82A5FB3EE757D7E1D149944A37E5872BEAA18580BDC74C842D25A96F9F6EDD6DD97106AB66D9D080EB502CFAA2F8DE5DBA2622F7832A83607CCB51F8B76D2FB020491D9340A7A988994BB52559EFE6FD4C7ECFC1D0995B440859C4CBD7338D92D747C2B0915BA8E79FAD2EE22C19816496184556F45F839B171FADEF4","identifier":"17812345678","identifierType":"0","imeiMD5":"33567E594D1929344557F3DA059F03AE","isAuto":"1","loginType":0,"reqTimestamp":"1760345668122","sign":"69d9DFb113468D793a9C5cEEa73816C0ff45","appChannel":"1"}, i=1, str2=1760345668148CheckCodeUtil.checkcode result=FG7zvCpTEprDTez3LK7OuzDuFk9vgIgKi4qvd2JkmB25PtXlpJ+R1e0ZVr5uQu5TY+XNWbOlisMR7LF7ZQ7CnZ6SB3/Qdzyikf78XpE1zZqenhiiLmrup1L1rjec7ixspl7J9m4ZhcHXTdqWUIhOzRS0jr0lDXrN9gq6ryLbTPz7FZbT/+UhI1x6s/YwUHJk7uVuOO8A7QRaQCr7D2MGHJUiG3dNMHKiD6OsAS6tVwGyHw9j0RxXQaU6da0URr0WdZPM9JwS29yz02kOl7vy4qHnCtsIy5NwbX6A8KvodIGBQH6kyiVkqiBeA9RWUPEr4/j7W0KOLg819OA5x8Gzw99Z4RMvB8z6Jx/x1WLGWu9LsMxvHFjlOQn5fzwG/yB5MNGoax4Vg0/3pIjHsQ81QQnBK22otZY8YVTTOsGbP5x0jI9L9wGaHK8UU8Hn9d6U2/YC6pp8bc9iGyHGpcJxu8AXl7GYA3VpsTh3VPLCD6L9J1O1fjugvYn3ihNft6WGQzuhvKw7jYHi6tKOCZWVOecOGNOA9g5SCjJklb2CB8VNq1/riT0nPtjfQiHquo85OcpUszutvDrZp7xLAVAt6R7d8r5uCayBrHDsPIx0RD8CyGLEVZF78/azaUCEpUXfttxKKT7JPutPt6f1A0v51dWfP3VvTe14mxD1CiXA1DyqBDRvBx8L1jSy6byrgBuyHlGRw3OvvrdLpsXZYu5s3qCUD3lFoEnbgpOGRIa3a36cDxbipkCqLHQ39zZtw35S4WEf8fNr5ghPD1oOsCJEAM0FkPquqE4QoHKoP8IWvVxzpdt3dSXaXWR64FHDSgBw4UpTzTqcWTYc2moedufJltnYE5+BzHGya9iCR0JViTKQscajqX8Q5q6RQB5nyfGahWTLyjq7Yi5Ifo4nh40NFGk1UarsXbxWWEqnY3kMbHdCwrdijMnKbQj7nRrpLCotfql6mypAJxZ0j5xN/VM72wa38pWgtgpWu/iivLeNdIbDGI6Jphz1LN8VOAo47Za9CEOyB/Oh9NRTEFQ9WEeE3UYQruLl/7aAYV1Hgmod6k5GbjdWWIgnkNWj1RwhRJ8o728Ljd4MR7BUjai9yRcGSvTT51BfGs0futuLRP2JcEAORF8nnu1AyqRPtaKVwFE1p2shjXyxH1tx3I90qNGeg2woVd7+48/D7XiptMueaYLU3kSDR2EXupRF96Mniiy5tVldrt/t6CXEA/E6YHOKD2FstAhWpLDyMi5dQocyy4s1k1/61VFwrX9BL0gDq78ulvXe3TyD9ukMgGTuUOtTTQApL30z3acB7SJ4r6FkvSCjmiNUmXSBv4JslqqjKDNPboL1q8jLP4g++b5mPByv+2yFCxFDwt2qhCyVipGxCR0r1rzo7IK2KzcIPPe0yADJ+CLR7sn0ZPq9c8I+i2sZvo3JoBkTvhrMZB8Wz70xIHS8ApKTB9+i7mIOFal6CrjeRktFlXj5AIVFTQ3paByNcpqQqzoLtl7nLV5f9MkArexZFHNJvB1x68SfTX5lNqA6Yx1Rnq+wb8MtXwwfMJn9fUpyOS+A72B6+FgraSypdGuROtdLwqKErPCXhOrf6vvWODeobmjZqLSGSb0+rrJ3/90+QuM21RzpWfv9SLV2y1i4U57IaHmep8PzwgdIfLvItwVLKzgGUByQ4dDyjh/J7QTvoecB+yA5QwSuaBYsshCoowh6CeipsYs2NbBFeRUQuClv9yOZUgMM2BicGjypjQi9TLDNYFjPTTnEBiZoLOxeoDEp5VKnWmXGLBaR0xBIM35BXmnV7D+6pPttMy+pMB3tGw2bteQFexfML/D2oVXEszS9aFSsWedbtGPPJYCI0hsGF6j8xi0vPrHQHIuCK8g==
那so文件就是 libencrypt.so,需要修复
static {System.loadLibrary("encrypt");}
修复完打开so文件,有ollvm
so分析
发现是静态注册,我们看checkcode,我们发现有aes_encrypt1 aes_encrypt2,hook得知走了aes_encrypt1
我在java层固定参数调试
Java.perform(function () {// 1️⃣ 先获取类引用const CheckCodeUtils = Java.use("com.bangcle.comapiprotect.CheckCodeUtil");// 2️⃣ 打印一下确认类已加载// console.log("Class loaded:", CheckCodeUtils);// 3️⃣ 如果是非静态方法(需要实例调用)const instance = CheckCodeUtils.$new();// 4️⃣ 调用 checkcode 方法(参数类型一定要匹配)const result = instance.checkcode("0123456789abcdef", 1, "1761702812226");console.log(`[*] CheckCodeUtils.checkcode("0123456789abcdef", 1) => ${result}`);})
跟进,发现这是个AES-CBC128
__int64 __fastcall aes_encrypt1(unsigned __int8 *a1, unsigned __int8 *a2, unsigned __int64 *a3)
{_QWORD v7[6]; // [xsp+40h] [xbp+40h] BYREFv7[5] = *(_QWORD *)_stack_chk_guard_ptr_0;CWAESCipher::CWAESCipher((CWAESCipher *)v7);v7[0] = (char *)`vtable for'CWAESCipher_Auth + 16;CWAESCipher_Auth::WBACRAES_SwitchTable((CWAESCipher_Auth *)v7, 1);return CWAESCipher::WBACRAES128_EncryptCBC((CWAESCipher *)v7, a1, a2, a3, 1);
}
hook这个函数得知
{"encryData":"949563ADA4143C41147A2034A9C0E8927F8574D8CBEE7C9E014DE4B25D77CB7DC360F64DA2C897655FFFCD928787B0E7CF475DA8A04C4EE43898B3ABB8317D77A7B6B8E2E6277287F0822CF9963A862B98614688B7F6834FE7AEDE3C50889E4FFF25A419730D7E7304D50942F5A56A87ECCE4959383C07C91AF61A7A1CAFD8CE7DD4D2703759E908D010C0463F3B84931B97D54E388F1212CE4B08923233839F2489F99B1CBB11DEB0B1D34280C6E1D2F37305578E7929F4D0333E29A32C4B5FE4391EE593A1851FD72D1F419935818DA14F53DD511DBF1C7904B66AFDA73280224CC821E08DA96FD8C48D84DB94E64DE3230C9EF6BB51F92C27229D9541EBF3A59A363A374CFDE7EB4CC1E5CDACBD85DC10A3D8F6E59474B06B634A194B9703F409696C46F0B871D2F903734E5E8DF4E58F400247016B32B6482F244156459AE4B8817420E578A0F2F9192596B785A91DFD7D523B4E68424B505A2A6B845BA48236FB0F67606A75EEBF0AC4235C33411BAFA6B82A5FB3EE757D7E1D149944A37E5872BEAA18580BDC74C842D25A96F992E62EE21837AEAC3E2546DC157146F05A9D95DA95EC77D52D0A60EA0524766C93A029DB21A3D8F97EEA3253F18E2EEC716CEA371F64879CB7805164AC7633E6637609B2A5EB05856EC3CE225ADB69A28B1533589AF08E7DB8F7AB67E45AC87A","identifier":"17812345678","identifierType":"0","imeiMD5":"33567E594D1929344557F3DA059F03AE","isAuto":"1","loginType":0,"reqTimestamp":"1761725226387","sign":"E2a9A686FDc881040df2Ddc3ee581b1f0FA3d","appChannel":"1","ostype":"and","imei":"unknown","mac":"02:00:00:00:00:00","model":"Pixel 3","sdk":"29","serviceTime":"1761725226410","mod":"Google","checkcode":"e5e163442e1879dacc919c775bf3215a"}
可以发现ase_encrypy1被调用,第一个参数就是我们输入的字符串,说明加密应该是这里
跟进WBACRAES128_EncryptCBC
分析一下代码,可以看到这个函数有两个主要方法
还有 CWAESCipher::WBACRAES_EncryptOneBlock 跟进
根据上面代码分析,这个this指针应该是我们传入的字符串,我们可以在EncryptOneBlock这里hook看一下,这里就不放代码,可以发现就是我们传入的字符串,我们继续跟进
我们看一下汇编代码
主要看一下这个BLR指令,这是一个跳转指令,跳转地址是在x4这个寄存器里面,我们现在是看不懂x4寄存器内容,可以hook这个地址,使用frida的上下文查看x4寄存器的地址
这里可以hook下x4地址计算出偏移,ida最后跳转到位置到了CWAESCipher_Auth::WBACRAES_EncryptOneBlock
hook下这个函数,我们紧接着看这个函数CSecFunctProvider::PrepareAESMatrix
这里出现了PrepareAESMatrix这个函数,参数是我们输入的字符串,其他几个参数我们暂时不知道,跟进这个函数看看
这里看着像是对明文的一些操作,我们hook一下看一下参数,第三个参数需要在函数返回时进行hook
确实是对明文进行处理,这里先命名为indata_state,aes加密就是使用对明文进行处理,然后与密钥处理后的结果进行十轮加密,十轮加密都会对indata_state进行修改,因为没找到分析密钥,分析应该是白盒aes加密
我们采用DFA故障攻击,拿到密钥
可以发现,indata_state确实在被修改处理,我们现在要找到没有列混淆的最后一轮之前之前注入就行
v41 v41 = a4; a4又是传入进来的 hook得知为10,这里判断应该就是加密轮次,我们在看v11,v11 = 0;
初始被赋值为0,这里可以看一下v9到底被++了多少次
这里w20存的就是v9的值,我们可以在hook下,查看寄存器的值,判断到底cmp了多少次
可以发现这里应该进行了9轮加密,符合aes加密轮数,那我们在进入第9轮时,更改indata_state的内容,注入故障文就行,(对于10轮函数的AES-128,DFA攻击通常将最后两轮设为目标。当故障注入到最后2轮中时,密文的某一些字节会受到故障的影响。)
然后dfa攻击 我们在这里四个字节分别修改五次,总共20次,修改内存的数据使frida Memory.writeByteArray(data_state, [num])api进行修改
第二个字节修改Memory.writeByteArray(data_state.add(0x1), [num])就行,以此类推
故障文后aes加密结果
f49dde083764e43a5e8ca58732409573
b7cc23ea9eac5072008333b65a0ea202
957d10e99d2094a95f9c6c64e77c2e76
6ef00ca191a0bd0a43065d41da8c117d
59283af3b16909790fa13d7a04fd4953
501198207b65933227504949ac68f5c1
f3c3f073af161f1a25a862a5a2c27950
3960c10e98c10fcec420aa4665a89a8f
b24859af5e6c044357f243146f93fb83
cd92f1b15695e17e255d235dd45842e0
59283af3b16909790fa13d7a04fd4953
41f8ba3782fecd338a4f4006c4cb3275
eec772e31d51c518b0feee7bd9435bac
6c3c9fba8b8e61d1e78349ba708ff9db
0eaeae79fcfe733fecb6a99525ffd721
b068ab61ee5f63334c6a6cf76e1a5f94
c8bb057b8c7a08898a6b7ec045bf33d5
dc88ffe62f9b64c6f789bb44e643eedd
957d10e99d2094a95f9c6c64e77c2e76
2cc2f862b55ca8481f5206dd1845a736
66ed33fd8ebb27adc7de028e158ad444
c3677334903ca8de35a69e8c79c1a0a3
c171c7663b44d354dcc9c6a8af006020
d246663789c5a346c099e3c9af012662
7dde739849f114d0059a509800f4f016
5c8c76e4ed969397d65029a89e04598a
c171c7663b44d354dcc9c6a8af006020
9f834bc89c4fa5fbe55d863d7ebc8578
7dde739849f114d0059a509800f4f016
b7a84e6affae803a89f37a9807baa265
b24859af5e6c044357f243146f93fb83
d41d76a7e18127aeccf54a7cd69724d4
f49dde083764e43a5e8ca58732409573
b7cc23ea9eac5072008333b65a0ea202
f49dde083764e43a5e8ca58732409573
e8994b6f3524267852fcf9d1d0728ecc
66ed33fd8ebb27adc7de028e158ad444
ef8cf5d182177e697a925dd9c83b2efe
957d10e99d2094a95f9c6c64e77c2e76
2d7ecc14b273315a7d9fb93279e1a31c
db0252074e7bc155d9cc10007cda027b
76742db9994e492d25d8a759979e048d
0eaeae79fcfe733fecb6a99525ffd721
37a1e4bc645ea2adf1e04afcfa9e5c0b
957d10e99d2094a95f9c6c64e77c2e76
2d7ecc14b273315a7d9fb93279e1a31c
8dc894770866c740c36a65ddc8b98110
2cac346b449e3bc4cce8894de33d4e50
59283af3b16909790fa13d7a04fd4953
788d11e5aa0940de5c85d1817db718bd
eec772e31d51c518b0feee7bd9435bac
9c66b603a54a479c68186541d5172628
c171c7663b44d354dcc9c6a8af006020
12c4745c12ed124fcbbd2b36b8c9b886
7dde739849f114d0059a509800f4f016
f08bf8b7f518bf54daa40aa082459b0b
77d736496f45f0192abd352e0e2bb854
29dea59314e089f4c3f29e003e146cfd
f49dde083764e43a5e8ca58732409573
8221eccebc877e8a4c8f7dfac7613cb8
0eaeae79fcfe733fecb6a99525ffd721
1785f53dad774b5ab1047ef5b2a047e0
14b285ca9214162a590281d6c513da7a
facd7862ec3505df3294672c4e4ee439
0eaeae79fcfe733fecb6a99525ffd721
35a4507792deac9cb71148ace5331aef
69d9aa2fc1b5d26fedc5133d69755d67
7b0ed62386124b56834baeb37ab42ed8
77d736496f45f0192abd352e0e2bb854
29dea59314e089f4c3f29e003e146cfd
8dc894770866c740c36a65ddc8b98110
11344ca38ad1825219b91fb913da8da3
b24859af5e6c044357f243146f93fb83
cd92f1b15695e17e255d235dd45842e0
77d736496f45f0192abd352e0e2bb854
a4f3e55da7f8af5b8adf79fb567a5482
66ed33fd8ebb27adc7de028e158ad444
ef8cf5d182177e697a925dd9c83b2efe
0eaeae79fcfe733fecb6a99525ffd721
a9780de3e901d580e26bd997dd89bc8b
0eaeae79fcfe733fecb6a99525ffd721
b61eb4bd03581b68bb50ddc344103de2
69d9aa2fc1b5d26fedc5133d69755d67
c4e189a11693cc5bc8cc41c073578296
f3c3f073af161f1a25a862a5a2c27950
3bb585a4973f9690fa54e3e391cb19d6
957d10e99d2094a95f9c6c64e77c2e76
05eafd23fd15774c9b2891a565f3dbc5
957d10e99d2094a95f9c6c64e77c2e76
993c1bd5515b4cf6f8fc407ec808de6c
14b285ca9214162a590281d6c513da7a
13565edf53a093ca902b1cec69c7af85
0eaeae79fcfe733fecb6a99525ffd721
20baa530393dbe3a86bf7aadcff4c8a8
f49dde083764e43a5e8ca58732409573
e8994b6f3524267852fcf9d1d0728ecc
14b285ca9214162a590281d6c513da7a
13565edf53a093ca902b1cec69c7af85
c171c7663b44d354dcc9c6a8af006020
3303ac32f3592fbd12bee177ecbacd4f
c171c7663b44d354dcc9c6a8af006020
84fff0d8856454eb9ed145c12ab31247
14b285ca9214162a590281d6c513da7a
bc2a889378adbb653147f369bd6877e6
14b285ca9214162a590281d6c513da7a
0119ff6d62f7219f09b893ac82eda272
59283af3b16909790fa13d7a04fd4953
501198207b65933227504949ac68f5c1
f49dde083764e43a5e8ca58732409573
4215cfcad447313a07331c3b9ce1aaef
c171c7663b44d354dcc9c6a8af006020
0437cf0f946b7fd1bbc63c208654e0bb
c171c7663b44d354dcc9c6a8af006020
a46a1f3d0ca17ec2091866dd0a3b94db
0eaeae79fcfe733fecb6a99525ffd721
b61eb4bd03581b68bb50ddc344103de2
66ed33fd8ebb27adc7de028e158ad444
26e3f2b32e9de895a7127d1e88abf98f
c8bb057b8c7a08898a6b7ec045bf33d5
a6fc3d50d875e65bea861aad9670c95c
eec772e31d51c518b0feee7bd9435bac
f10cc096a2ef7b7ce6beebdbfc7aaac1
eec772e31d51c518b0feee7bd9435bac
0b05365cd9131fbb621b973639540164
957d10e99d2094a95f9c6c64e77c2e76
05eafd23fd15774c9b2891a565f3dbc5
eec772e31d51c518b0feee7bd9435bac
65c91b9a69eebe7352f55ada59ec2c18
69d9aa2fc1b5d26fedc5133d69755d67
86ff778af559d39359a9254f3a2bbcb9
db0252074e7bc155d9cc10007cda027b
76742db9994e492d25d8a759979e048d
0eaeae79fcfe733fecb6a99525ffd721
1785f53dad774b5ab1047ef5b2a047e0
7dde739849f114d0059a509800f4f016
fbf0ccedd32c866fd402e4b1dee15094
c171c7663b44d354dcc9c6a8af006020
2e829003de30e886da42aa41efabfcc7
8dc894770866c740c36a65ddc8b98110
89545f5fc93aa92988eb6d211b52763f
c8bb057b8c7a08898a6b7ec045bf33d5
8a373e476a8132dd378ba0324409d651
b24859af5e6c044357f243146f93fb83
483d0b6e5386b74470deddfeb891cb07
69d9aa2fc1b5d26fedc5133d69755d67
5142ffc754fea789cff548a6bb366788
7dde739849f114d0059a509800f4f016
21689dc7047d675be772a22b8aeab959
b24859af5e6c044357f243146f93fb83
2bcda225a2895fe4dc67486d37d3be27
0eaeae79fcfe733fecb6a99525ffd721
9d52a6bf1dcaead7ae962be728c341cf
69d9aa2fc1b5d26fedc5133d69755d67
d590f8dae316da7858a276ef35529c71
b24859af5e6c044357f243146f93fb83
637a2576ea1e3092b083919bb5272bf1
7dde739849f114d0059a509800f4f016
ac9809877ce94627149e7754c3ac56a4
eec772e31d51c518b0feee7bd9435bac
767405d7ad7c9772b0c5efadc21f2ede
b24859af5e6c044357f243146f93fb83
ae7c7470abcae40d02cc7abc39a8f7a6
c171c7663b44d354dcc9c6a8af006020
2e829003de30e886da42aa41efabfcc7
7dde739849f114d0059a509800f4f016
5c8c76e4ed969397d65029a89e04598a
c171c7663b44d354dcc9c6a8af006020
0bb833197f6c3147627cb792e3041092
66ed33fd8ebb27adc7de028e158ad444
21f033b2979ab0cdf4c40e607661489f
db0252074e7bc155d9cc10007cda027b
c7a512c584c2531309430876bae37328
c171c7663b44d354dcc9c6a8af006020
72b524898f045ec12ea136325f384919
f49dde083764e43a5e8ca58732409573
1ed7e3bb6b9a95599e2916c56b2c45c0
66ed33fd8ebb27adc7de028e158ad444
cd344f9b7f25b18efb2bb909cafe0195
f49dde083764e43a5e8ca58732409573
206e382e46a5f787221329264a96374b
db0252074e7bc155d9cc10007cda027b
12994cb0a2afbf3ae51fa3b640163c19
f3c3f073af161f1a25a862a5a2c27950
a6ee71981757ed790c81ddedacc6e1cd
14b285ca9214162a590281d6c513da7a
ad4eb8a175e10a22eef5bc74de0af098
77d736496f45f0192abd352e0e2bb854
b7585d570ded93746a6bbf82be346b46
f3c3f073af161f1a25a862a5a2c27950
e6db05bd70bd48eba0313dd41c702598
14b285ca9214162a590281d6c513da7a
0d71be8e8ae9c5dee4de9db8cfa5136b
db0252074e7bc155d9cc10007cda027b
ae8809ba53edd1b06972e7603eab775b
0eaeae79fcfe733fecb6a99525ffd721
ffe716f5066f45771b4a9173c4294c65
8dc894770866c740c36a65ddc8b98110
427de8553eb99928b5f6d92bbe0e3c5d
66ed33fd8ebb27adc7de028e158ad444
1139ec91f5240aa441b6c835450eccc4
然后使用phoenixAES还原出第十轮的密钥,stark还原出密钥
密钥是A87F1002B7DBC9FF882DC51F8A7DCFAD iv填充16个0就行
Python还原
