De1CTF WP (week 3)

5.5日更新

昨天和前天都进行了De1ctf的比赛，有幸一次RE ak了👴就是这么的强大(装一下，不要打我，呜呜呜，兴奋嘛)

直接开始写WP了

parser

打开程序找到主要的逻辑后，可以看到有一个很重要的输入的点位，我们直接过去看一下

这个题其实动态调式的时候，会把所有的符号表变的特别的难看，所以，我这边就不动态了，自己已经做完了，所以直接去写了

这里可发现他们的流程是差不多的，我们们在分析一下这里的sun_51CC函数

这边可以看到这个sub_75A2是RC4加密，我这里找一下，RC4加密的代码，我们对一下看一下

#include<stdio.h>
#include<random>
#include<time.h>
#include<string.h>
#define MAX 65534

int S[256]; //向量S
char T[256];    //向量T
int Key[256];   //随机生成的密钥
int KeyStream[MAX]; //密钥
char PlainText[MAX];
char CryptoText[31MAX];
const char *WordList = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
void init_S()
// 初始化S;
{
    for(int i = 0; i < 256; i++){
        S[i] = i;
    }
}

void init_Key(){
    // 初始密钥
    int index;
    srand(time(NULL));  //根据当前时间，作为种子
    int keylen = int(double(random())/double(RAND_MAX)*256);    //随机获取一个密钥的长度
    for(int i = 0; i < keylen; i++){
        index = int(double(random())/double(RAND_MAX)*63);  //生产密钥数组
        Key[i] = WordList[index];
    }
    int d;
    for(int i = 0; i < 256; i++){   //初始化T[]
        T[i] = Key[i%keylen];
    }

    
}

void  permute_S()
{
    // 置换S;
    int temp;
    int j = 0;
    for(int i = 0; i < 256; i++){
        j = (j + S[i] + T[i]) % 256;
        temp = S[i];
        S[i] = S[j];
        S[j] = temp;
    }
}

void create_key_stream(char *text, int textLength)
{
    // 生成密钥流
    int i,j;
    int temp, t, k;
    int index = 0;
    i = j = 0;
    while(textLength --){   //生成密钥流
        i = (i+1)%256;
        j = (j + S[i]) % 256;
        temp = S[i];
        S[i] = S[j];
        S[j] = temp;
        t = (S[i] + S[j]) % 256;
        KeyStream[index] = S[t];
        index ++;
    }
 
}


 void Rc4EncryptText(char *text)
{
    //加密 && 解密
    int textLength = strlen(text);
    init_S();
    init_Key();
    permute_S();
    create_key_stream(text, textLength);
    int plain_word;
    printf("============开始加密============:\n 密文：");
    for(int i = 0; i < textLength; i++){
        CryptoText[i] = char(KeyStream[i] ^ text[i]); //加密
    }
    for(int i = 0; i < textLength; i++){
        printf("%c", CryptoText[i]);
    }
    printf("\n============加密完成============\n============开始解密============\n明文：");
    for(int i = 0; i < textLength; i++){
        PlainText[i] = char(KeyStream[i] ^ CryptoText[i]);   //解密
    }
    for(int i = 0; i < textLength; i++){
        printf("%c", PlainText[i]);
    }
    printf("\n============解密完成============\n");
    printf("\n");
    
}



int main()
{   
    char text[] = " ";
    Rc4EncryptText(text);
    return 0;
}

我是直接把>>31 >>24当作是0，那么我们直接可以看到这个就是原生的RC4代码，我们继续看

这里满足的是des加密，看看上面的和这个雷同的东西

这里满足的是aes加密

我们往前看，可以找到一个最重要的数据的地方

我们不难去分析出，+控制的是 aes _控制的是des

我们在调试的时候，不难知道des加密的时候，密钥是De1CTF22，aes加密的时候，密钥是De1CTF 0A 0A(10个)，RC4的加密的密钥是De1CTF，当我看到 02 0A的时候，想到了padding

其实这个题卡了👴很久，最后想明白了

那么我们进行分析，在64后 我们进行aes 是有padding的，直接贴数据了0B827A9E002E076DE2D84CACB123BC1EB08EBEC1A454E0F550C65D37C58C7DAF2D4827342D3B13D9730F25C17689198B10101010101010101010101010101010

那么我们去掉这个padding的数据，就是0B827A9E002E076DE2D84CACB123BC1EB08EBEC1A454E0F550C65D37C58C7DAF2D4827342D3B13D9730F25C17689198B，就是48位，我假设了一下 32+16=48 后面的16位是des，前面的32位是aes，那么我们去网上有个在线网站搞一下

https://gchq.github.io/CyberChef/#recipe=DES_Decrypt(%7B’option’:‘Hex’,‘string’:’’%7D,%7B’option’:‘Hex’,‘string’:’’%7D,‘ECB’,‘Hex’,‘Hex’)

这个网站不错的！👴很是推荐

cdc535 899f23f0b22e 我们直接去解一下rc4

我们前面的32位的数据去解一下aes

91983da9b13a31ef0472b502073b68ddbddb3cc17d 一共是21位 5+16=21

这里得到是因为，前面的最开始进行的是RC4，那么我直接去拿这个数据解RC4，不对的字符的剩下的位数就是我们的Des加密

所以还有16位，解一下des，rc4就是答案

直接拼接就可以了：De1CTF{h3ll0+w0rld_l3x3r+4nd_p4r53r}

Flw

这里我直接丢源码吧，大家就懂了

#include<iostream>
#include<string>
#include<algorithm>
#include<cstring>
#include<fstream>
#include<cstdlib>
using namespace std;

unsigned char table[] = "0123456789QWERTYUIOPASDFGHJKLZXCVBNMqwertyuiopasdfghjklzxcvbnm+/=";
unsigned char testCode[] = {
    0x3a,
    0x14,28,
    0x34,
    0xff,
    0x41,
    0x20,0x19,//d
    0x20,0x1a,//e
    0x20,0x1b,//1
    0x20,0x1c,//c
    0x20,0x1d,//t
    0x20,0x1e,//f
    0x20,0x1f,//{
    0x20,0x20,
    0x20,0x21,
    0x20,0x22,
    0x20,0x23,
    0x20,0x24,
    0x20,0x25,
    0x20,0x26,
    0x20,0x27,
    0x20,0x28,
    0x20,0x29,
    0x20,0x2a,
    0x20,0x2b,
    0x20,0x2c,
    0x20,0x2d,
    0x20,0x2e,
    0x20,0x2f,
    0x20,0x30,
    0x20,0x31,
    0x20,0x32,
    0x20,0x33,
    0x20,0x34,//}

    0x2a,0x19,
    0x14,'D',
    0x34,
    0xff,
    //int i = 0
    0x14,0x0,
    0x20,0xff,

    0x2a,0x1a,
    0x14,'e',
    0x34,
    0xff,
    //reg = (reg<<8)+memSpace[i+i+0x20]
    0x14,0x20,
    0x2a,0xff,
    0x2a,0xff,
    0x33,
    0x33,
    0x2b,
    0x30,

    //reg = (reg<<8)+memSpace[i+0x21]
    0x14,0x21,
    0x2a,0xff,
    0x2a,0xff,
    0x33,
    0x33,
    0x2b,
    0x30,

    //int j = 3
    0x14,0x3,
    0x20,0xfe,
    //push( 0x3f+i*3+j )
    0x2a,0xff,
    0x14,3,
    0x35,
    0x2a,0xfe,
    0x14,0x3f,
    0x33,
    0x33,
    //base58(reg)
    0x31,58,
    //memSpace[0x3f+i*3+j] = base58(reg)
    0x2c,
    //j--
    0x14,0x1,
    0x2a,0xfe,
    0x34,
    0x20,0xfe,
    //if(j == 0)jumpout
    0x2a,0xfe,
    0x40,23,
    //i+=2
    0x2a,0xff,
    0x14,1,
    0x33,
    0x20,0xff,
    //if(i==20)jumpout
    0x2a,0xff,
    0x14,10,
    0x34,
    0x40,61,
    0x2a,0x1d,
    0x14,'T',
    0x34,
    0xff,
    0x2a,0x1e,
    0x14,'F',
    0x34,
    0xff,
    0x2a,0x1f,
    0x14,'{',
    0x34,
    0xff,
    //转化为base58字符串

    //int i = 0
    0x14,0x0,
    0x20,0xff,
    //reg = 0
    0x36,
    0x15,
    //memspace[0x40+i] = table[memSpace[0x40+i]]
    0x2a,0xff,
    0x14,0x40,
    0x33,
    0x2b,
    0x32,
    0x30,
    0x2a,0xff,
    0x14,0x40,
    0x33,
    0x36,
    0x2c,
    //i+=1
    0x2a,0xff,
    0x14,0x1,
    0x33,
    0x20,0xff,
    0x2a,0xff,
    0x14,30,
    0x34,
    0x40,29,
    0x2a,0x1c,
    0x14,'C',
    0x34,
    0xff,
    0x2a,0x1b,
    0x14,'1',
    0x34,
    0xff,
    //混淆化加密
    //int i = 0;
    0x14,0x0,
    0x20,0xff,
    //reg = 0
    0x14,0x0,
    0x14,0x0,
    0x30,
    0x30,
    //memSpace[0x40+i+1] -= memSpace[0x40+i+0]
    0x2a,0xff,
    0x14,0x40,
    0x2a,0xff,
    0x14,0x41,
    0x33,
    0x33,
    0x2b,
    0x2b,
    0x34,
    0x30,
    0x2a,0xff,
    0x14,0x41,
    0x33,
    0x36,
    0x2c,
    //memSpace[0x40+i+2] += memSpace[0x40+i+1]
    0x2a,0xff,
    0x14,0x41,
    0x2a,0xff,
    0x14,0x42,
    0x33,0x33,
    0x2b,
    0x2b,
    0x33,
    0x30,
    0x2a,0xff,
    0x14,0x42,
    0x33,
    0x36,
    0x2c,
    //memSpace[0x40+i] ^= memSpace[0x40+i+2]
    0x2a,0xff,
    0x14,0x40,
    0x2a,0xff,
    0x14,0x42,
    0x33,0x33,
    0x2b,
    0x2b,
    0x37,
    0x30,
    0x2a,0xff,
    0x14,0x40,
    0x33,
    0x36,
    0x2c,
    //i+=3
    0x2a,0xff,
    0x14,0x3,
    0x33,
    0x20,0xff,
    //if(i = 30)jumpout
    0x2a,0xff,
    0x14,30,
    0x34,
    0x40,81,



    0x2a,0x34,
    0x14,'}',
    0x34,
    0xff,
    //检测手段
    0x2a,0x40,
    0x14,0x7a,
    0x34,
    0xff,
    0x2a,0x41,
    0x14,0x19,
    0x34,
    0xff,
    0x2a,0x42,
    0x14,0x4f,
    0x34,
    0xff,
    0x2a,0x43,
    0x14,0x6e,
    0x34,
    0xff,
    0x2a,0x44,
    0x14,0xe,
    0x34,
    0xff,
    0x2a,0x45,
    0x14,0x56,
    0x34,
    0xff,
    0x2a,0x46,
    0x14,0xaf,
    0x34,
    0xff,
    0x2a,0x47,
    0x14,0x1f,
    0x34,
    0xff,
    0x2a,0x48,
    0x14,0x98,
    0x34,
    0xff,
    0x2a,0x49,
    0x14,0x58,
    0x34,
    0xff,
    0x2a,0x4a,
    0x14,0xe,
    0x34,
    0xff,
    0x2a,0x4b,
    0x14,0x60,
    0x34,
    0xff,
    0x2a,0x4c,
    0x14,0xbd,
    0x34,
    0xff,
    0x2a,0x4d,
    0x14,0x42,
    0x34,
    0xff,
    0x2a,0x4e,
    0x14,0x8a,
    0x34,
    0xff,
    0x2a,0x4f,
    0x14,0xa2,
    0x34,
    0xff,
    0x2a,0x50,
    0x14,0x20,
    0x34,
    0xff,
    0x2a,0x51,
    0x14,0x97,
    0x34,
    0xff,
    0x2a,0x52,
    0x14,0xb0,
    0x34,
    0xff,
    0x2a,0x53,
    0x14,0x3d,
    0x34,
    0xff,
    0x2a,0x54,
    0x14,0x87,
    0x34,
    0xff,
    0x2a,0x55,
    0x14,0xa0,
    0x34,
    0xff,
    0x2a,0x56,
    0x14,0x22,
    0x34,
    0xff,
    0x2a,0x57,
    0x14,0x95,
    0x34,
    0xff,
    0x2a,0x58,
    0x14,0x79,
    0x34,
    0xff,
    0x2a,0x59,
    0x14,0xf9,
    0x34,
    0xff,
    0x2a,0x5a,
    0x14,0x41,
    0x34,
    0xff,
    0x2a,0x5b,
    0x14,0x54,
    0x34,
    0xff,
    0x2a,0x5c,
    0x14,0xc,
    0x34,
    0xff,
    0x2a,0x5d,
    0x14,0x6d,
    0x34,
    0xff,
    0xab,

    0x0
};

class QueueVirtualMachine {
public:
    QueueVirtualMachine();
    QueueVirtualMachine(unsigned char*);
    ~QueueVirtualMachine();
    //void printQueueMemSpace();
    bool run();
    //unsigned char* get_encrypted_0x40();
    //void printMemSpace();
private:
    int head, tail;
    unsigned short reg;
    unsigned char* queueMemSpace;
    unsigned char* memSpace;
    unsigned char* codeSpace;
    unsigned char* tempString;
};
void fw1()
{
    _asm
    {
        call _P1
        _P1 :
        add[esp], 5
            retn
    }
_P2:
    cout << "Welcome 2 de1ctf\n";
    return;
}

int main() {
    fw1();
    _asm
    {
        mov eax, _PE1
        push eax
        push fs : [0]
        mov fs : [0] , esp
        xor ecx, ecx
        div ecx
        retn
        _PE1 :
        mov esp, [esp + 8]
            mov eax, fs : [0]
            mov eax, [eax]
            mov eax, [eax]
            mov fs : [0] , eax
            add esp, 8
    }
    cout << "Please input:";
    QueueVirtualMachine* vm = new QueueVirtualMachine(testCode);
    _asm
    {
        jz _P2
        jnz _P2
        _P1 :
        __emit 0xE8
    }
_P2:
    bool mark = vm->run();
    _asm
    {
        __emit 0xEB
        __emit 0xFF
        __emit 0xC0
        __emit 0x48
    }
    if (mark)
        cout << "Well Done!\n";
    else {
        _asm
        {
            __emit 0xEB
            __emit 0xFF
            __emit 0xC0
            __emit 0x48
        }
        cout << "Try again!\n";
    }
    system("pause");
    //vm->printQueueMemSpace();
    //system("pause");
    //vm->printMemSpace();
    //system("pause");
    //unsigned char* encrypted = vm->get_encrypted_0x40();
    //for(int i = 0;i < 30;++i){
    //	cout<<"0x"<<hex<<(int)encrypted[i]<<",";
    //}
    delete vm;
    return 0;
}

QueueVirtualMachine::QueueVirtualMachine() {
    cout << "ERROR!";
    return;
}

QueueVirtualMachine::QueueVirtualMachine(unsigned char* codes) :
    queueMemSpace(nullptr),
    head(0),
    tail(0),
    reg(0),
    memSpace(nullptr),
    codeSpace(codes) {
    queueMemSpace = new unsigned char[0x100];
    memSpace = new unsigned char[0x100];
    tempString = new unsigned char[512];
    memset(queueMemSpace, 0, 0x100);
    memset(memSpace, 0, 0x100);
    memset(tempString, 0, 512);
    return;
};

QueueVirtualMachine::~QueueVirtualMachine() {
    delete[] queueMemSpace;
    delete[] memSpace;
    delete[] tempString;
    return;
}

bool QueueVirtualMachine::run() {
    for (unsigned int op = 0;codeSpace[op] != 0;) {
        tail = tail == 0x100 ? 0 : tail;
        head = head == 0x100 ? 0 : head;
        //cout<<(int) op<<": "<<hex<<(int)codeSpace[op]<<'\n';
        switch (codeSpace[op]) {
        case 0x14: {
            queueMemSpace[tail++] = codeSpace[op + 1];
            op += 2;
            break;
        }
        case 0x15: {
            ++head;
            ++op;
            break;
        }
        case 0x20: {
            memSpace[codeSpace[op + 1]] = queueMemSpace[head++];
            op += 2;
            break;
        }

        case 0x2a: { 
            queueMemSpace[tail++] = memSpace[codeSpace[op + 1]];
            op += 2;
            break;
        }

        case 0x2b: {
            queueMemSpace[tail++] = memSpace[queueMemSpace[head++]];
            op++;
            break;
        }
        case 0x2c: {
            unsigned char idx = queueMemSpace[head++];
            head = head == 0x100 ? 0 : head;
            memSpace[idx] = queueMemSpace[head++];
            op++;
            break;
        }

        case 0x30: {
            reg = (reg << 8) + queueMemSpace[head++];
            ++op;
            break;
        }

        case 0x31: {
            queueMemSpace[tail++] = reg % codeSpace[op + 1];
            reg = reg / codeSpace[op + 1];
            op += 2;
            break;
        }

        case 0x32: {
            queueMemSpace[tail++] = table[queueMemSpace[head++]];
            ++op;
            break;
        }

        case 0x33: {
            unsigned char first = queueMemSpace[head++];
            head = head == 0x100 ? 0 : head;
            queueMemSpace[tail++] = first + queueMemSpace[head++];
            op++;
            break;
        }
        case 0x34: {
            unsigned char first = queueMemSpace[head++];
            head = head == 0x100 ? 0 : head;
            queueMemSpace[tail++] = queueMemSpace[head++] - first;
            op++;
            break;
        }
        case 0x35: {
            unsigned char first = queueMemSpace[head++];
            head = head == 0x100 ? 0 : head;
            queueMemSpace[tail++] = first * queueMemSpace[head++];
            op++;
            break;
        }
        case 0x37: {
            unsigned char first = queueMemSpace[head++];
            head = head == 0x100 ? 0 : head;
            queueMemSpace[tail++] = first ^ queueMemSpace[head++];
            op++;
            break;
        }
        case 0x3a: {
            cin >> tempString;
            if (strlen((const char*)tempString) >= 0x100)
                return false;
            queueMemSpace[tail++] = strlen((const char*)tempString);
            op++;
            break;
        }

        case 0x40: {
            unsigned char temp = 0;
            temp = queueMemSpace[head++];
            if (temp != 0)
                op -= codeSpace[op + 1];
            else
                op += 2;
            break;
        }
        case 0x41: {
            for (int i = 0;i < strlen((const char*)tempString);++i) {
                queueMemSpace[tail++] = tempString[i];
                tail = tail == 0x100 ? 0 : tail;
            }
            memset(tempString, 0, 512);
            op++;
            break;
        }
        case 0xab: {
            return true;
        }
        case 0xff: {
            unsigned char temp = 0;
            temp = queueMemSpace[head++];
            if (temp != 0)
                return false;
            else
                op++;
            break;
        }
        case 0x36: {
            queueMemSpace[tail++] = reg & 0xff;
            reg = 0;
            ++op;
            break;
        }
        default:
            _asm
            {
                xor eax, eax
                add eax, 2
                ret 0xff
            }       //测试的时候把这个注释掉
        }
    }
}

/*void QueueVirtualMachine::printMemSpace() {
    for (int i = 0;i < 0x100;++i) {
        if (memSpace[i] >= 0x20 && memSpace[i] < 0x7f) {
            cout << i << "     " << (char)memSpace[i] << '\n';
        }
        else {
            cout << i << " (int)" << (int)memSpace[i] << '\n';
        }
    }
    return;
}

void QueueVirtualMachine::printQueueMemSpace() {
    for (int i = 0;i < 0x100;++i) {
        if (queueMemSpace[i] >= 0x20 && queueMemSpace[i] < 0x7f) {
            cout << i << "     " << (char)queueMemSpace[i] << '\n';
        }
        else {
            cout << i << " (int)" << (int)queueMemSpace[i] << '\n';
        }
    }
    cout << "head:" << head << '\n';
    cout << "tail:" << tail << '\n';
    return;
}

unsigned char* QueueVirtualMachine::get_encrypted_0x40(){
    return &memSpace[0x40];
}*/

这里我用了几个花指令，详情看我前面的学习笔记 会有讲解，这里队友做出来的，膜就完事！👍

小精灵

这个打开后，发现ida不能反编译，仔细考虑了一下，这个是出题人手写的汇编代码！膜就完事😁

虽然我不能反编译，但是ida还是很厉害的

我们有attach的功能，只要这个程序可以跑，我们就可以调试，u1s1，在这里我原来认为的是elf文件结构的问题，我还上网学习了一波结构的问题，因为自己本身是了解pe的，elf的东西还是一次见

typedef struct {
unsigned char e_ident[16];  /* ELF魔数，ELF字长，字节序，ELF文件版本等 */
Elf32_Half e_type;         /*ELF文件类型，REL, 可执行文件，共享目标文件等 */
Elf32_Half e_machine;     /* ELF的CPU平台属性 */
Elf32_Word e_version;     /* ELF版本号 */
Elf32_Addr e_entry;       /* ELF程序的入口虚拟地址，REL一般没有入口地址为0 */
Elf32_Off  e_phoff;      
Elf32_Off  e_shoff;        /* 段表在文件中的偏移 */
Elf32_Word e_flags;       /* 用于标识ELF文件平台相关的属性 */
Elf32_Half e_ehsize;       /* 本文件头的长度 */
Elf32_Half e_phentsize;   
Elf32_Half e_phnum;
Elf32_Half e_shentsize;    /* 段表描述符的大小 */
Elf32_Half e_shnum;      /* 段表描述符的数量 */
Elf32_Half e_shstrndx;     /* 段表字符串表所在的段在段表中的下标 */
} Elf32_Ehdr;

这里记录一下吧，毕竟第一次见过，直接用attach的功能进行调试

可以直接调试，这里发现有很多很多的花指令，我直接去除了，然后发现可以f5了(这里，尝试了无数次去除变成很好看的)

这边进行分析，发现调用的第二次，逻辑和第一次是一样的

当时感觉这个一直在循环，把这个流程整理出来，看一下逻辑：

reg = 0
usr_input = [ord('a')]*44
#用户输入，随便整
data = ["设定好的十六进制数"]*44
#每组data44个字节，一共44组
for d in range(44):
    usr = usr_input[d]
    t_data = data[d]
    for s in range(8):
        if t_data & 1 != 0:
            reg = reg ^ usr
        if usr & 0x80 != 0:
            usr = (usr<<1)&0xff
            usr = usr^0x39
        else:
            usr = (usr<<1)&0xff
        t_data = t_data>>1

#和data一样，reg == 0x?? 也有44组
if reg == 0xC8:
    print("Success!")
else:
    print("fail")

反汇编有些在f5时候不显示，直接拿出来分析了，这里的算法u1s1，我直接问了祥哥！祥哥跟我说是GF(2,8)算法，我这里记录一下，学习一下：https://blog.csdn.net/hunyxv/article/details/89033227

GF§，这里的p代表的一个有限域，一般来说p代表的是prime素数，GF代表是个有限域，这里代表了一个多项式运算，GF(2^8)，是一组0x00到0xff的256个值组成，加上加法和乘法，因此是2^8，GF代表伽罗瓦域，这个是数学家的名字命名，GF(2^8)的一个特性是一个加法或乘法的操作的结果是在(0x00…0xff)中，GF(2^8)的加法就是异或的操作，GF(2^n)，要明白多项式运算，他们的形式都是f(x)=x^6+x^4+x^2+x+1

多项式特点：

• 多项式的系数只能是0或者1，对于GF(p^n)，如果p等于3，系数可以取：0，1，2
• 合并同类项时，系数们进行异或操作，不是平常的加法操作，这里问了一下Aryb1n师傅这边的知识，抽象代数实际上就像是自己定义了一套运算系统
• 无所谓的减法(减法就等于加法)，或者负系数，负系数等于正数

GF(2^8)进行四则运算了，计算起来相当麻烦，加法减法就不用说了，是个经典的异或运算

一般在密码学中会经常用到有限域乘法，一般的AES中用到的就是GF(2,8)有限域内乘法，有限域就是里面有个最大值，超过这个数值都会用一定的办法，让他回到这个域，我们的2^8域的最大值就是256

在我们二进制中，所有的数都可用0x01,0x02,0x04,0x08,0x10,0x20,0x40,0x80异或得到，后一个是前一个的2倍，假设一个数a，他的二进制表示为10101101，有下面的组合组成：10101101=0x80^0x20^0x08^0x04^0x01，所以x * a = x * (0x80^0x20^0x08^0x04^0x01)，所以一切的乘法结果我们都可以得到， XTIME函数的含义是求一个数x与0x02的乘积，一般求一个数的2倍，都是作移一位，在有限域内，要计算有限域的乘法，必须先确定一个GF上的8次不可约多项式，Rijndael密码中，这个多项式确定为x^8+x^4+x^3+x+1，如果最高位是1的话，左移一位的同时要异或0x1B，是因为最高位是1的话，再继续左移会超出域的最大值，这个时候需要取除以同余式，也就是异或0x1B，在我们这个式子中，异或的是0x39

多项式，也就是x^8+x^5+x^4+x^3+x^1，这里祥哥给我讲明白的！谢谢祥哥！

这一个整数的乘法，我们做这个乘法的时候，第一位开始乘，然后加起来，再看看计算机的

我们末位用0开始乘，然后这边都是0，如果是1，乘数1不会变，然后把 11001010右移1位变成1100101，继续看右边的那个位置 如果是1 那么就结果为res = res ^ [(01010011) << 1]，res初始值为0

也就是这段代码，我们循环8次的原因是因为我们一个字节8bit，一共有256种取值可能，跟我们乘数乘法刚才一样，我们需要乘8次，我们的相乘只有两种可能 在计算机里 要么就是0 要不是就是1

他看的是 第二个乘数 也就是v3的最低位是不是1，如果是1 那么就直接下来了，如果不是1 就相当于没操作，也就是相当于0下来的，这里算法是GF(2^8)，加法的操作也就是异或的操作，比如说 x^5+x^5 = 0 就是0010 0000 ^ 0010 0000 = 0，因为GF(2^8)是GF(2)的扩展，GF(2)里面只有两个元素0，1

也就是这个表，因为 1+1 = 2 % 2 = 0，我们想要扩展这个GF(2)用到的就是多项式表示，x^i有8种形式，也就是x^0…x^7，每一bit，表示对应的x^i的系数，0x39 = 0011 1001，那么就是x^5+x^4+x^3+1，回到代码中，v2是我们保存后的结果，第一次是 res += 0，第二次是 res += 01010011 << 1，第三次是 res += 0，最后就是

我们去mod 也就是 %那个不可约多项式，让我们mod后的东西可以回到这个域里

因为第二个乘数他会有一个v3 >>= 1，进行一个右移，所以为了保持第一个乘数和第二个乘数的结果不变，他会有一个 2*v0，也就是 (v0 << 1)，就是v0 * v3 = (v0 << 1) * (v3 >> 1)，但是GF(2^8)里面，他最高次不能超过7，也就是我们的v0想要左移的时候，要考虑 我们的最高位是不是0x80，所以在这里我们要 mod一个不可约多项式

也就是这个操作，因为我们计算机，假设我们是 1000 0000，左移变成 0000 0000，发现计算机帮我们减去了一个 1，也就是x^8，为了要满足最后的结果 ? = x^8 mod (x^8 + x^5 + x^4 + x^3 + 1)也就是说 ? = x^8 - (x^8 + x^5 + x^4 + x^3 + 1)直接变成了 x^5+x^4+x^3+1

这个0x39应该是0x139，但是我们计算机 直接把x^8搞没了，所以它变成了 0x39，这就是整个的GF(2,8)算法

所以我们直接回来看这个题，我们都懂了，v2是我们最后的值，会有一个比较也就是res，那么我们的v3又都在，我整理出来的数据是

byte_008880A9=[0xA6,0x08,0x74,0xBB,0x30,0x4F,0x31,0x8F,0x58,0xC2,0x1B,0x83,0x3A,0x4B,0xFB,0xC3,0xC0,0xB9,0x45,0x3C,0x54,0x18,0x7C,0x21,0xD3,0xFB,0x8C,0x7C,0xA1,0x09,0x2C,0xD0,0x14,0x2A,0x08,0x25,0x3B,0x93,0x4F,0xE8,0x39,0x10,0x0C,0x54]
byte_0088812C=[0x49,0xFC,0x51,0x7E,0x32,0x57,0xB8,0x82,0xC4,0x72,0x1D,0x6B,0x99,0x5B,0x3F,0xD9,0x1F,0xBF,0x4A,0xB0,0xD0,0xFC,0x61,0xFD,0x37,0xE7,0x52,0xA9,0xB9,0xEC,0xAB,0x56,0xD0,0x9A,0xC0,0x6D,0xFF,0x3E,0x23,0x8C,0x5B,0x31,0x8B,0xFF]
byte_008881B4=[0x39,0x12,0x2B,0x66,0x60,0x1A,0x32,0xBB,0x81,0xA1,0x07,0x37,0x0B,0x1D,0x97,0xDB,0xCB,0x8B,0x38,0x0C,0xB0,0xA0,0xFA,0xED,0x01,0xEE,0xEF,0xD3,0xF1,0xFE,0x12,0x0D,0x4B,0x2F,0xD7,0xA8,0x95,0x9A,0x21,0xDE,0x4D,0x8A,0xF0,0x2A]
byte_0088823B=[0x60,0xC6,0xE6,0x0B,0x31,0x3E,0x2A,0x0A,0xA9,0x4D,0x07,0xA4,0xC6,0xF1,0x83,0x9D,0x4B,0x93,0xC9,0x67,0x78,0x85,0xA1,0x0E,0xD6,0x9D,0x1C,0xDC,0xA5,0xE8,0x14,0x84,0x10,0x4F,0x09,0x01,0x21,0xC2,0xC0,0x37,0x6D,0xA6,0x65,0x6E]
byte_008882C0=[0x6C,0x9F,0xA7,0xB7,0xA5,0xB4,0x4A,0xC2,0x95,0x3F,0xD3,0x99,0xAE,0x61,0x66,0x7B,0x9D,0x8E,0x2F,0x1E,0xB9,0xD1,0x39,0x6C,0xAA,0xA1,0x7E,0xF8,0xCE,0xEE,0x8C,0x69,0xC0,0xE7,0xED,0x24,0x2E,0xB9,0x7B,0xA1,0x61,0xC0,0xA8,0x81]
byte_00888341=[0x48,0x12,0x84,0x25,0x25,0x2A,0xE0,0x63,0x5C,0x9F,0x5F,0x1B,0x12,0xAC,0x2B,0xFB,0x61,0x2C,0xEE,0x6A,0x2A,0x56,0x7C,0x01,0xE7,0x3F,0x63,0x93,0xEF,0xB4,0xD9,0xC3,0xCB,0x6A,0x15,0x04,0xEE,0xE5,0x2B,0xE8,0xC1,0x1F,0x74,0xD5]
byte_008883C4=[0x11,0x85,0x74,0x07,0x39,0x4F,0x14,0x13,0xC5,0x92,0x05,0x28,0x67,0x38,0x87,0xB9,0xA8,0x49,0x03,0x71,0x76,0x66,0xD2,0x63,0x1D,0x0C,0x22,0xF9,0xED,0x84,0x39,0x47,0x2C,0x29,0x01,0x41,0x88,0x70,0x14,0x8E,0xA2,0xE8,0xE1,0x0F]
byte_00888449=[0xE0,0xC0,0x05,0x66,0xDC,0x2A,0x12,0xDD,0x7C,0xAD,0x55,0x57,0x70,0xAF,0x9D,0x48,0xA0,0xCF,0xE5,0x23,0x88,0x9D,0xE5,0x0A,0x60,0xBA,0x70,0x9C,0x45,0xC3,0x59,0x56,0xEE,0xA7,0xA9,0x9A,0x89,0x2F,0xCD,0xEE,0x16,0x31,0xB1,0x53]
byte_008884CE=[0xEA,0xE9,0xBD,0xBF,0xD1,0x6A,0xFE,0xDC,0x2D,0x0C,0xF2,0x84,0x5D,0x0C,0xE2,0x33,0xD1,0x72,0x83,0x04,0x33,0x77,0x75,0xF7,0x13,0xDB,0xE7,0x88,0xFB,0x8F,0xCB,0x91,0xCB,0xD4,0x47,0xD2,0x0C,0xFF,0x2B,0xBD,0x94,0xE9,0xC7,0xE0]
byte_0088854E=[0x05,0x3E,0x7E,0xD1,0xF2,0x88,0x5F,0xBD,0x4F,0xCB,0xF4,0xC4,0x02,0xFB,0x96,0x23,0xB6,0x73,0xCD,0x4E,0xD7,0xB7,0x58,0xF6,0xD0,0xD3,0xA1,0x23,0x27,0xC6,0xAB,0x98,0xE7,0x39,0x2C,0x5B,0x51,0x3A,0xA3,0xE6,0xB3,0x95,0x72,0x69]
byte_008885CE=[0x48,0xA9,0x6B,0x74,0x38,0xCD,0xBB,0x75,0x02,0x9D,0x27,0x1C,0x95,0x5E,0x7F,0xFF,0x3C,0x2D,0x3B,0xFE,0x1E,0x90,0xB6,0x9C,0x9F,0x1A,0x27,0x2C,0x81,0x22,0x6F,0xAE,0xB0,0xE6,0xFD,0x18,0x8B,0xB2,0xC8,0x57,0x2C,0x47,0x43,0x43]
byte_00888655=[0x05,0x62,0x97,0x53,0x2B,0x08,0x6D,0x3A,0xCC,0xFA,0x7D,0x98,0xF6,0xCB,0x87,0xC3,0x08,0xA4,0xC3,0x45,0x94,0x0E,0x47,0x5E,0x51,0x25,0xBB,0x40,0x30,0x32,0xE6,0xA5,0x14,0xA7,0xFE,0x99,0xF9,0x49,0xC9,0x28,0x6A,0x03,0x5D,0xB2]
byte_008886D9=[0x68,0xD4,0xB7,0xC2,0xB5,0xC4,0xE1,0x82,0xD0,0x9F,0xFF,0x20,0x5B,0x3B,0xAA,0x2C,0x47,0x22,0x63,0x9D,0xC2,0xB6,0x56,0xA7,0x94,0xCE,0xED,0xC4,0xFA,0x71,0x16,0xF4,0x64,0xB9,0x2F,0xFA,0x21,0xFD,0xCC,0x2C,0xBF,0x32,0x92,0xB5]
byte_0088875D=[0x8F,0x05,0xEC,0xD2,0x88,0x50,0xFC,0x68,0x9C,0x64,0xD1,0x6D,0x67,0x86,0x7D,0x8A,0x73,0xD7,0x6C,0x9B,0xBF,0xA0,0xE4,0xB7,0x15,0x9D,0xE1,0x3D,0x59,0xC6,0xFA,0x39,0xBD,0x59,0xCD,0x98,0xB8,0x56,0xCF,0x48,0x41,0x14,0xD1,0x9B]
byte_008887E3=[0x67,0x33,0x76,0xA7,0x6F,0x98,0xB8,0x61,0xD5,0xBE,0xAF,0x5D,0xED,0x8D,0x5C,0x1E,0x52,0x88,0x10,0xD4,0x63,0x15,0x69,0xA6,0xA1,0xD6,0x67,0x15,0x74,0xA1,0x94,0x84,0x5F,0x36,0x3C,0xA1,0xCF,0xB7,0xFA,0x2D,0x9C,0x51,0xD0,0x0F]
byte_00888865=[0x96,0x41,0x04,0x25,0xCA,0x04,0x36,0x6A,0x71,0x37,0x33,0xB5,0xE1,0x78,0xAD,0x3D,0xFB,0x2A,0x99,0x95,0x58,0xA0,0x4F,0xC5,0xCC,0x14,0x41,0x4F,0xA5,0x55,0xCB,0xC1,0xCB,0x61,0x09,0x8E,0x35,0x32,0x7F,0xC1,0xE1,0x0B,0x79,0x94]
byte_008888E9=[0x63,0x1B,0x14,0x34,0xF8,0xC5,0x75,0xD2,0xD8,0xF9,0x7A,0x30,0xE1,0x75,0xD3,0x02,0x21,0xAC,0x3C,0x8C,0x54,0x2C,0x47,0xBB,0xA0,0xC6,0x1A,0x64,0xA2,0x5C,0x59,0xB5,0x52,0x37,0xB8,0x98,0x70,0x33,0xF8,0xFF,0xCD,0x91,0x1F,0x89]
byte_00888977=[0xD1,0x4E,0xDB,0x5E,0xBD,0x92,0x5C,0xAC,0xD6,0x6A,0x7A,0x79,0x5A,0x3C,0xAE,0x06,0x52,0x1C,0xA6,0xCE,0xF8,0x56,0x1C,0x71,0x9F,0xB7,0xC4,0x0C,0xB7,0x92,0xE1,0x6B,0xA9,0x80,0x43,0xDD,0xE4,0xF4,0xD4,0x42,0x76,0x88,0xA2,0xDA]
byte_008889F9=[0xA3,0x8F,0x70,0x7B,0x62,0x57,0x00,0x8F,0xC6,0xB0,0xC4,0xF6,0xE7,0xC9,0x9D,0xA9,0xF4,0x7B,0x6A,0xD2,0x32,0x9F,0x2F,0x37,0x1C,0xCB,0xEB,0x5B,0x4A,0x10,0xAF,0x7D,0x35,0x36,0x52,0x02,0x70,0x9F,0x7A,0xFB,0x76,0x8A,0x78,0xB8]
byte_00888A7F=[0xBB,0x51,0x80,0x37,0xDD,0xDF,0x2C,0x25,0xA6,0xA8,0x20,0xA9,0x16,0xFF,0xA9,0xFB,0x65,0x9E,0xA1,0x99,0x59,0x01,0xF4,0x57,0xF6,0xED,0x9D,0xE8,0xB4,0x03,0xF8,0x17,0x3A,0xA2,0x90,0x9F,0xAD,0x1C,0x75,0xC4,0xBA,0xE1,0x51,0x53]
byte_00888B05=[0xA9,0x2D,0xE5,0xAD,0x11,0xF8,0x53,0xC9,0xF2,0x26,0x74,0xC9,0x0C,0x57,0x03,0xE7,0xC8,0x8F,0xA6,0x3F,0x92,0x56,0xF0,0xC5,0x1A,0xC6,0x15,0x22,0xCA,0xC0,0x1A,0xBC,0xCB,0x03,0x0D,0xEE,0x6D,0xB3,0xD6,0x92,0xC1,0xFF,0xE2,0xBD]
byte_00888B8B=[0x10,0x3F,0x26,0xB2,0xB8,0x19,0x33,0x51,0x8E,0xBD,0x02,0x25,0xA3,0xF4,0x9D,0xC1,0x95,0x15,0x06,0xD7,0xB9,0x0D,0xCD,0x38,0x9E,0x2D,0x30,0xF3,0x62,0xF8,0x81,0xDF,0x44,0x6F,0x58,0x3E,0x77,0x1C,0xFF,0xF3,0x84,0xEE,0x95,0x4B]
byte_00888C0D=[0xB9,0x8D,0x31,0xAD,0x56,0x09,0x96,0x63,0xB7,0x72,0xE2,0x85,0xAA,0x02,0x41,0x7C,0x02,0xA4,0x02,0x9B,0x99,0x59,0x6D,0xDC,0x8A,0x7F,0x96,0xD5,0x72,0x06,0x97,0xE3,0xF8,0xAC,0x1C,0x00,0x5C,0x3F,0x29,0xE5,0xD6,0x78,0x31,0xA4]
byte_00888C92=[0xF2,0x30,0x93,0xFC,0xCC,0x59,0x6F,0xA8,0xFB,0x88,0xA0,0x6A,0x05,0x9B,0x89,0xC6,0xFA,0xFA,0x39,0xB4,0xFC,0x76,0xA5,0x15,0xFE,0x9B,0x9A,0xF7,0xF2,0xD9,0x83,0x41,0x23,0xCF,0x70,0x4D,0xD1,0xB0,0x7A,0xC0,0x93,0x6B,0x50,0x25]
byte_00888D14=[0x34,0xB7,0xFB,0x1D,0xE2,0xAF,0x27,0x4B,0x22,0xFE,0xE9,0x60,0x9B,0x90,0x09,0xFE,0xBD,0x29,0xA9,0xB8,0x5B,0x61,0x57,0x58,0xFB,0x8A,0x72,0x76,0x5B,0x9C,0xC6,0x4B,0xDE,0x13,0xB7,0x34,0x51,0xC2,0x90,0x0D,0xF9,0x6F,0x03,0x49]
byte_00888D9D=[0x15,0x6B,0xDE,0x6A,0xDE,0x62,0xBE,0x04,0xF4,0xE1,0x70,0x85,0x78,0xFD,0x8D,0x30,0x34,0x9A,0x3F,0xEB,0xBE,0x4E,0x21,0xD1,0x04,0xAC,0x9E,0xBB,0xDB,0x97,0x11,0xE9,0xD6,0x20,0x78,0x26,0x1A,0x00,0xFA,0x81,0xFB,0x28,0x59,0x27]
byte_00888E21=[0x19,0x42,0x75,0x6B,0xC8,0x50,0x58,0x5A,0x18,0xB0,0xF7,0x5F,0x3B,0x79,0x76,0x43,0x38,0x85,0x91,0xA7,0x18,0x2E,0xB4,0x91,0x80,0xDC,0xC8,0x1D,0xAC,0x9D,0x64,0x09,0x61,0xFD,0x08,0xC8,0x34,0xE5,0x93,0xDA,0xFE,0xFF,0xB6,0xAA]
byte_00888EA2=[0xAC,0x4F,0xD6,0x1A,0x55,0xE6,0xE4,0xDF,0x20,0xE3,0x54,0x4A,0x6D,0xD1,0xDE,0x2D,0x30,0x42,0x17,0xC5,0x34,0xD4,0xB3,0xB8,0x5A,0x95,0xC7,0x80,0x99,0x46,0x03,0x49,0xA0,0x27,0x31,0xA5,0x58,0xFC,0x87,0x09,0x9D,0x8C,0x20,0x21]
byte_00888F29=[0x48,0xE9,0xC4,0xAD,0x23,0xA6,0x92,0xBA,0x3D,0x56,0x40,0x2A,0x19,0x56,0x42,0x5D,0x0C,0xFF,0x3F,0x53,0x5F,0xDB,0x6C,0x98,0xCD,0x1F,0xEE,0x4D,0x4A,0x9C,0x95,0xE4,0x44,0xF4,0xB2,0x4E,0xB5,0xAD,0xFB,0xF8,0xB9,0x63,0xB5,0xCD]
byte_00888FAF=[0x6A,0x56,0xE0,0x33,0x5B,0xC2,0x9E,0x53,0x90,0x4D,0xD9,0x5F,0x7D,0x77,0x90,0x2F,0x55,0xDC,0x18,0x28,0x3B,0x4D,0x46,0xBE,0xBC,0x14,0x69,0x96,0x4F,0x55,0xC2,0xA8,0x40,0xD7,0xEA,0xE2,0x04,0x63,0x9D,0x00,0xBA,0x4A,0x12,0x5E]
byte_00889036=[0x24,0x17,0x33,0x4E,0xBF,0xFE,0x01,0xA6,0xAE,0x3E,0xDE,0xF3,0x83,0xCF,0x25,0x04,0xC7,0x23,0xA9,0x07,0xD8,0x2A,0xBE,0xF1,0x78,0x0B,0xA6,0x81,0x75,0x5D,0xB8,0x32,0xED,0x54,0x7A,0x43,0xFA,0xF8,0x3C,0x60,0x75,0x5B,0xBB,0x4F]
byte_008890BD=[0xF8,0x11,0xAD,0x7F,0x62,0xB8,0x0B,0x14,0x32,0x8C,0xF9,0xF8,0x18,0xDE,0x22,0x56,0x47,0x00,0xED,0x8A,0x94,0x6B,0x73,0x68,0x3E,0xBF,0x27,0xDD,0x7B,0x73,0x83,0xE5,0x7F,0x38,0x40,0xB1,0x6A,0xEF,0x1A,0xFF,0x64,0x58,0x01,0x4B]
byte_00889142=[0x90,0x12,0x55,0x67,0x03,0x1F,0x9D,0x2C,0x43,0x18,0xE4,0xE2,0x52,0xD0,0x45,0x11,0xBD,0xD8,0xCD,0x8C,0x06,0x01,0x21,0x0B,0x3D,0xDF,0x0C,0x74,0x7B,0xA7,0x97,0x3A,0xA7,0x4F,0x60,0xBD,0x97,0xE9,0x5C,0x5E,0x16,0x3C,0xFE,0xFE]
byte_008891C5=[0xD8,0xA7,0x52,0xF4,0x8F,0xE7,0xC0,0x3F,0x4F,0x31,0x83,0xB0,0xD4,0x2E,0x8D,0x6B,0x7D,0xCF,0xC9,0x05,0x67,0x9B,0x6B,0xA6,0xD2,0x31,0xB6,0x3C,0x22,0x1A,0xDC,0xC6,0xE1,0xA0,0x39,0x34,0x8A,0x1B,0xF7,0xB5,0x00,0x43,0x01,0xCD]
byte_0088924D=[0x13,0xF3,0xD7,0xCB,0x9C,0x9D,0x47,0xBB,0x8E,0xC6,0xF4,0x34,0x64,0xC3,0x81,0x86,0x26,0xE3,0x9B,0xF1,0x7A,0xC0,0x91,0xB3,0xC3,0x10,0xB4,0x46,0x56,0xDB,0xFA,0x43,0x7F,0x2F,0xB2,0xF9,0x13,0x24,0xB7,0x32,0x9A,0xBA,0xEF,0x0F]
byte_008892CC=[0xA3,0xE0,0x5F,0x0A,0xAB,0x6A,0x31,0x39,0x1C,0xB2,0x77,0x06,0x28,0xE4,0x5C,0xA3,0x5D,0xE1,0x17,0x25,0x18,0xD3,0x48,0x69,0xD1,0x46,0x00,0xA5,0x46,0xE2,0x2B,0xBB,0xA7,0x3C,0x8F,0xE9,0xCF,0xD1,0x0C,0xCF,0x40,0xF6,0xDE,0x10]
byte_0088934D=[0xF5,0x8C,0xED,0xFA,0x59,0x63,0xD7,0x70,0x55,0xB6,0x33,0x1A,0x3E,0xDC,0x74,0x11,0xC4,0xF7,0xAC,0x79,0x16,0x6A,0x5B,0xC8,0x73,0xF0,0x1F,0x4E,0x2F,0x7E,0x32,0x72,0x6D,0x58,0x53,0x78,0x11,0x5F,0xC6,0xCE,0x47,0x70,0xAC,0x31]
byte_008893CF=[0xFE,0xC6,0xBD,0xAF,0x79,0x7B,0xF8,0x26,0xA3,0xAA,0x5B,0xAB,0x7D,0x42,0x5E,0x25,0xB5,0xCF,0x0D,0x3C,0xD2,0xB2,0xFC,0x27,0xAF,0x12,0x6A,0x5E,0xAB,0xC4,0xB6,0x81,0x65,0xA5,0x67,0xA4,0xEA,0x6E,0x92,0x45,0x24,0x4B,0x3A,0x62]
byte_00889456=[0xB8,0xA2,0xA0,0x18,0x47,0xD6,0x18,0x0E,0xC4,0xDE,0x43,0xB2,0xA3,0x96,0xCE,0x68,0x26,0xB0,0xF5,0x62,0xB4,0xD5,0x5D,0x86,0x19,0xC6,0xA6,0x0A,0xB7,0x63,0xCF,0x7F,0xA3,0x0A,0x8D,0x69,0x34,0x44,0x12,0x79,0xD9,0xD1,0x7C,0x7F]
byte_008894DC=[0x8E,0x99,0xF5,0x82,0xB6,0x37,0xD3,0xFA,0xD9,0x0A,0xAC,0x77,0xD4,0xAB,0xF4,0x63,0x63,0x29,0xDF,0xDD,0x80,0x42,0x1F,0x81,0xC3,0x91,0xF1,0x32,0x4D,0x8B,0x1D,0xE8,0x3C,0xA7,0x6E,0x8B,0x7C,0x87,0x12,0xC5,0xC8,0x55,0x0F,0x9F]
byte_0088955E=[0xE1,0x9F,0x56,0x37,0x9E,0x89,0xE5,0xFA,0x81,0xC2,0xC8,0x1F,0x93,0x1E,0xDB,0xE9,0x93,0x1C,0x06,0xDB,0x51,0xAC,0x84,0xA2,0xD4,0x73,0xE8,0x3C,0x98,0x69,0x92,0x4D,0xBB,0x09,0x14,0xBF,0x9D,0x60,0x83,0xBE,0x7D,0xAF,0x8D,0x04]
byte_008895E0=[0x6E,0x4B,0xE8,0x3A,0x66,0x0D,0xDE,0x89,0x89,0x0E,0xBF,0x9B,0x30,0x64,0xA9,0xB8,0x31,0xF9,0x31,0x27,0x8A,0x7C,0x3F,0x49,0xED,0x96,0xF4,0x7E,0x7F,0xCE,0x5B,0xFC,0x6E,0x2D,0xBD,0x74,0xBC,0x2A,0x12,0x44,0xC2,0xF4,0x35,0x02]
byte_00889662=[0x6D,0x74,0x57,0xF1,0x80,0x79,0xE3,0xBC,0x02,0x06,0x51,0xC2,0x04,0xE1,0xB0,0x30,0x08,0x3B,0xF3,0x32,0xEA,0xE4,0xC0,0xB0,0xA8,0xBB,0xF8,0xF4,0x1B,0xBC,0x6B,0xCC,0xDE,0xCA,0x49,0x8D,0xA0,0x8B,0x97,0xCE,0x01,0xE3,0x98,0x51]
byte_008896E1=[0x0D,0x95,0x55,0x9E,0xA4,0x77,0x95,0x24,0x8A,0x54,0xAD,0x84,0x27,0xE6,0x60,0xE5,0x54,0xDA,0x0E,0x99,0xB8,0x62,0xA0,0x81,0x02,0xA1,0x63,0x29,0x11,0x72,0x37,0x43,0xC0,0x66,0xF1,0xA8,0x95,0xBF,0xD8,0x12,0xE5,0x99,0x5E,0xAB]
allbytelist=[byte_008880A9,byte_0088812C,byte_008881B4,byte_0088823B,byte_008882C0,byte_00888341,byte_008883C4,byte_00888449,byte_008884CE,byte_0088854E,byte_008885CE,byte_00888655,byte_008886D9,byte_0088875D,byte_008887E3,byte_00888865,byte_008888E9,byte_00888977,byte_008889F9,byte_00888A7F,byte_00888B05,byte_00888B8B,byte_00888C0D,byte_00888C92,byte_00888D14,byte_00888D9D,byte_00888E21,byte_00888EA2,byte_00888F29,byte_00888FAF,byte_00889036,byte_008890BD,byte_00889142,byte_008891C5,byte_0088924D,byte_008892CC,byte_0088934D,byte_008893CF,byte_00889456,byte_008894DC,byte_0088955E,byte_008895E0,byte_00889662,byte_008896E1]
resultlist= [200, 201, 204, 116, 124, 94, 129, 127, 211, 85, 61, 154, 50, 51, 27, 28, 19, 134, 121, 70, 100, 219, 1, 132, 93, 252, 152, 87, 32, 171, 228, 156, 43, 98, 203, 2, 24, 63, 215, 186, 201, 128, 103, 52]

这个满足了一个矩阵

我们知道res知道data求inp，但是我们要基于的是GF(2,8)的算法

byte_008880A9=[0xA6,0x08,0x74,0xBB,0x30,0x4F,0x31,0x8F,0x58,0xC2,0x1B,0x83,0x3A,0x4B,0xFB,0xC3,0xC0,0xB9,0x45,0x3C,0x54,0x18,0x7C,0x21,0xD3,0xFB,0x8C,0x7C,0xA1,0x09,0x2C,0xD0,0x14,0x2A,0x08,0x25,0x3B,0x93,0x4F,0xE8,0x39,0x10,0x0C,0x54]
byte_0088812C=[0x49,0xFC,0x51,0x7E,0x32,0x57,0xB8,0x82,0xC4,0x72,0x1D,0x6B,0x99,0x5B,0x3F,0xD9,0x1F,0xBF,0x4A,0xB0,0xD0,0xFC,0x61,0xFD,0x37,0xE7,0x52,0xA9,0xB9,0xEC,0xAB,0x56,0xD0,0x9A,0xC0,0x6D,0xFF,0x3E,0x23,0x8C,0x5B,0x31,0x8B,0xFF]
byte_008881B4=[0x39,0x12,0x2B,0x66,0x60,0x1A,0x32,0xBB,0x81,0xA1,0x07,0x37,0x0B,0x1D,0x97,0xDB,0xCB,0x8B,0x38,0x0C,0xB0,0xA0,0xFA,0xED,0x01,0xEE,0xEF,0xD3,0xF1,0xFE,0x12,0x0D,0x4B,0x2F,0xD7,0xA8,0x95,0x9A,0x21,0xDE,0x4D,0x8A,0xF0,0x2A]
byte_0088823B=[0x60,0xC6,0xE6,0x0B,0x31,0x3E,0x2A,0x0A,0xA9,0x4D,0x07,0xA4,0xC6,0xF1,0x83,0x9D,0x4B,0x93,0xC9,0x67,0x78,0x85,0xA1,0x0E,0xD6,0x9D,0x1C,0xDC,0xA5,0xE8,0x14,0x84,0x10,0x4F,0x09,0x01,0x21,0xC2,0xC0,0x37,0x6D,0xA6,0x65,0x6E]
byte_008882C0=[0x6C,0x9F,0xA7,0xB7,0xA5,0xB4,0x4A,0xC2,0x95,0x3F,0xD3,0x99,0xAE,0x61,0x66,0x7B,0x9D,0x8E,0x2F,0x1E,0xB9,0xD1,0x39,0x6C,0xAA,0xA1,0x7E,0xF8,0xCE,0xEE,0x8C,0x69,0xC0,0xE7,0xED,0x24,0x2E,0xB9,0x7B,0xA1,0x61,0xC0,0xA8,0x81]
byte_00888341=[0x48,0x12,0x84,0x25,0x25,0x2A,0xE0,0x63,0x5C,0x9F,0x5F,0x1B,0x12,0xAC,0x2B,0xFB,0x61,0x2C,0xEE,0x6A,0x2A,0x56,0x7C,0x01,0xE7,0x3F,0x63,0x93,0xEF,0xB4,0xD9,0xC3,0xCB,0x6A,0x15,0x04,0xEE,0xE5,0x2B,0xE8,0xC1,0x1F,0x74,0xD5]
byte_008883C4=[0x11,0x85,0x74,0x07,0x39,0x4F,0x14,0x13,0xC5,0x92,0x05,0x28,0x67,0x38,0x87,0xB9,0xA8,0x49,0x03,0x71,0x76,0x66,0xD2,0x63,0x1D,0x0C,0x22,0xF9,0xED,0x84,0x39,0x47,0x2C,0x29,0x01,0x41,0x88,0x70,0x14,0x8E,0xA2,0xE8,0xE1,0x0F]
byte_00888449=[0xE0,0xC0,0x05,0x66,0xDC,0x2A,0x12,0xDD,0x7C,0xAD,0x55,0x57,0x70,0xAF,0x9D,0x48,0xA0,0xCF,0xE5,0x23,0x88,0x9D,0xE5,0x0A,0x60,0xBA,0x70,0x9C,0x45,0xC3,0x59,0x56,0xEE,0xA7,0xA9,0x9A,0x89,0x2F,0xCD,0xEE,0x16,0x31,0xB1,0x53]
byte_008884CE=[0xEA,0xE9,0xBD,0xBF,0xD1,0x6A,0xFE,0xDC,0x2D,0x0C,0xF2,0x84,0x5D,0x0C,0xE2,0x33,0xD1,0x72,0x83,0x04,0x33,0x77,0x75,0xF7,0x13,0xDB,0xE7,0x88,0xFB,0x8F,0xCB,0x91,0xCB,0xD4,0x47,0xD2,0x0C,0xFF,0x2B,0xBD,0x94,0xE9,0xC7,0xE0]
byte_0088854E=[0x05,0x3E,0x7E,0xD1,0xF2,0x88,0x5F,0xBD,0x4F,0xCB,0xF4,0xC4,0x02,0xFB,0x96,0x23,0xB6,0x73,0xCD,0x4E,0xD7,0xB7,0x58,0xF6,0xD0,0xD3,0xA1,0x23,0x27,0xC6,0xAB,0x98,0xE7,0x39,0x2C,0x5B,0x51,0x3A,0xA3,0xE6,0xB3,0x95,0x72,0x69]
byte_008885CE=[0x48,0xA9,0x6B,0x74,0x38,0xCD,0xBB,0x75,0x02,0x9D,0x27,0x1C,0x95,0x5E,0x7F,0xFF,0x3C,0x2D,0x3B,0xFE,0x1E,0x90,0xB6,0x9C,0x9F,0x1A,0x27,0x2C,0x81,0x22,0x6F,0xAE,0xB0,0xE6,0xFD,0x18,0x8B,0xB2,0xC8,0x57,0x2C,0x47,0x43,0x43]
byte_00888655=[0x05,0x62,0x97,0x53,0x2B,0x08,0x6D,0x3A,0xCC,0xFA,0x7D,0x98,0xF6,0xCB,0x87,0xC3,0x08,0xA4,0xC3,0x45,0x94,0x0E,0x47,0x5E,0x51,0x25,0xBB,0x40,0x30,0x32,0xE6,0xA5,0x14,0xA7,0xFE,0x99,0xF9,0x49,0xC9,0x28,0x6A,0x03,0x5D,0xB2]
byte_008886D9=[0x68,0xD4,0xB7,0xC2,0xB5,0xC4,0xE1,0x82,0xD0,0x9F,0xFF,0x20,0x5B,0x3B,0xAA,0x2C,0x47,0x22,0x63,0x9D,0xC2,0xB6,0x56,0xA7,0x94,0xCE,0xED,0xC4,0xFA,0x71,0x16,0xF4,0x64,0xB9,0x2F,0xFA,0x21,0xFD,0xCC,0x2C,0xBF,0x32,0x92,0xB5]
byte_0088875D=[0x8F,0x05,0xEC,0xD2,0x88,0x50,0xFC,0x68,0x9C,0x64,0xD1,0x6D,0x67,0x86,0x7D,0x8A,0x73,0xD7,0x6C,0x9B,0xBF,0xA0,0xE4,0xB7,0x15,0x9D,0xE1,0x3D,0x59,0xC6,0xFA,0x39,0xBD,0x59,0xCD,0x98,0xB8,0x56,0xCF,0x48,0x41,0x14,0xD1,0x9B]
byte_008887E3=[0x67,0x33,0x76,0xA7,0x6F,0x98,0xB8,0x61,0xD5,0xBE,0xAF,0x5D,0xED,0x8D,0x5C,0x1E,0x52,0x88,0x10,0xD4,0x63,0x15,0x69,0xA6,0xA1,0xD6,0x67,0x15,0x74,0xA1,0x94,0x84,0x5F,0x36,0x3C,0xA1,0xCF,0xB7,0xFA,0x2D,0x9C,0x51,0xD0,0x0F]
byte_00888865=[0x96,0x41,0x04,0x25,0xCA,0x04,0x36,0x6A,0x71,0x37,0x33,0xB5,0xE1,0x78,0xAD,0x3D,0xFB,0x2A,0x99,0x95,0x58,0xA0,0x4F,0xC5,0xCC,0x14,0x41,0x4F,0xA5,0x55,0xCB,0xC1,0xCB,0x61,0x09,0x8E,0x35,0x32,0x7F,0xC1,0xE1,0x0B,0x79,0x94]
byte_008888E9=[0x63,0x1B,0x14,0x34,0xF8,0xC5,0x75,0xD2,0xD8,0xF9,0x7A,0x30,0xE1,0x75,0xD3,0x02,0x21,0xAC,0x3C,0x8C,0x54,0x2C,0x47,0xBB,0xA0,0xC6,0x1A,0x64,0xA2,0x5C,0x59,0xB5,0x52,0x37,0xB8,0x98,0x70,0x33,0xF8,0xFF,0xCD,0x91,0x1F,0x89]
byte_00888977=[0xD1,0x4E,0xDB,0x5E,0xBD,0x92,0x5C,0xAC,0xD6,0x6A,0x7A,0x79,0x5A,0x3C,0xAE,0x06,0x52,0x1C,0xA6,0xCE,0xF8,0x56,0x1C,0x71,0x9F,0xB7,0xC4,0x0C,0xB7,0x92,0xE1,0x6B,0xA9,0x80,0x43,0xDD,0xE4,0xF4,0xD4,0x42,0x76,0x88,0xA2,0xDA]
byte_008889F9=[0xA3,0x8F,0x70,0x7B,0x62,0x57,0x00,0x8F,0xC6,0xB0,0xC4,0xF6,0xE7,0xC9,0x9D,0xA9,0xF4,0x7B,0x6A,0xD2,0x32,0x9F,0x2F,0x37,0x1C,0xCB,0xEB,0x5B,0x4A,0x10,0xAF,0x7D,0x35,0x36,0x52,0x02,0x70,0x9F,0x7A,0xFB,0x76,0x8A,0x78,0xB8]
byte_00888A7F=[0xBB,0x51,0x80,0x37,0xDD,0xDF,0x2C,0x25,0xA6,0xA8,0x20,0xA9,0x16,0xFF,0xA9,0xFB,0x65,0x9E,0xA1,0x99,0x59,0x01,0xF4,0x57,0xF6,0xED,0x9D,0xE8,0xB4,0x03,0xF8,0x17,0x3A,0xA2,0x90,0x9F,0xAD,0x1C,0x75,0xC4,0xBA,0xE1,0x51,0x53]
byte_00888B05=[0xA9,0x2D,0xE5,0xAD,0x11,0xF8,0x53,0xC9,0xF2,0x26,0x74,0xC9,0x0C,0x57,0x03,0xE7,0xC8,0x8F,0xA6,0x3F,0x92,0x56,0xF0,0xC5,0x1A,0xC6,0x15,0x22,0xCA,0xC0,0x1A,0xBC,0xCB,0x03,0x0D,0xEE,0x6D,0xB3,0xD6,0x92,0xC1,0xFF,0xE2,0xBD]
byte_00888B8B=[0x10,0x3F,0x26,0xB2,0xB8,0x19,0x33,0x51,0x8E,0xBD,0x02,0x25,0xA3,0xF4,0x9D,0xC1,0x95,0x15,0x06,0xD7,0xB9,0x0D,0xCD,0x38,0x9E,0x2D,0x30,0xF3,0x62,0xF8,0x81,0xDF,0x44,0x6F,0x58,0x3E,0x77,0x1C,0xFF,0xF3,0x84,0xEE,0x95,0x4B]
byte_00888C0D=[0xB9,0x8D,0x31,0xAD,0x56,0x09,0x96,0x63,0xB7,0x72,0xE2,0x85,0xAA,0x02,0x41,0x7C,0x02,0xA4,0x02,0x9B,0x99,0x59,0x6D,0xDC,0x8A,0x7F,0x96,0xD5,0x72,0x06,0x97,0xE3,0xF8,0xAC,0x1C,0x00,0x5C,0x3F,0x29,0xE5,0xD6,0x78,0x31,0xA4]
byte_00888C92=[0xF2,0x30,0x93,0xFC,0xCC,0x59,0x6F,0xA8,0xFB,0x88,0xA0,0x6A,0x05,0x9B,0x89,0xC6,0xFA,0xFA,0x39,0xB4,0xFC,0x76,0xA5,0x15,0xFE,0x9B,0x9A,0xF7,0xF2,0xD9,0x83,0x41,0x23,0xCF,0x70,0x4D,0xD1,0xB0,0x7A,0xC0,0x93,0x6B,0x50,0x25]
byte_00888D14=[0x34,0xB7,0xFB,0x1D,0xE2,0xAF,0x27,0x4B,0x22,0xFE,0xE9,0x60,0x9B,0x90,0x09,0xFE,0xBD,0x29,0xA9,0xB8,0x5B,0x61,0x57,0x58,0xFB,0x8A,0x72,0x76,0x5B,0x9C,0xC6,0x4B,0xDE,0x13,0xB7,0x34,0x51,0xC2,0x90,0x0D,0xF9,0x6F,0x03,0x49]
byte_00888D9D=[0x15,0x6B,0xDE,0x6A,0xDE,0x62,0xBE,0x04,0xF4,0xE1,0x70,0x85,0x78,0xFD,0x8D,0x30,0x34,0x9A,0x3F,0xEB,0xBE,0x4E,0x21,0xD1,0x04,0xAC,0x9E,0xBB,0xDB,0x97,0x11,0xE9,0xD6,0x20,0x78,0x26,0x1A,0x00,0xFA,0x81,0xFB,0x28,0x59,0x27]
byte_00888E21=[0x19,0x42,0x75,0x6B,0xC8,0x50,0x58,0x5A,0x18,0xB0,0xF7,0x5F,0x3B,0x79,0x76,0x43,0x38,0x85,0x91,0xA7,0x18,0x2E,0xB4,0x91,0x80,0xDC,0xC8,0x1D,0xAC,0x9D,0x64,0x09,0x61,0xFD,0x08,0xC8,0x34,0xE5,0x93,0xDA,0xFE,0xFF,0xB6,0xAA]
byte_00888EA2=[0xAC,0x4F,0xD6,0x1A,0x55,0xE6,0xE4,0xDF,0x20,0xE3,0x54,0x4A,0x6D,0xD1,0xDE,0x2D,0x30,0x42,0x17,0xC5,0x34,0xD4,0xB3,0xB8,0x5A,0x95,0xC7,0x80,0x99,0x46,0x03,0x49,0xA0,0x27,0x31,0xA5,0x58,0xFC,0x87,0x09,0x9D,0x8C,0x20,0x21]
byte_00888F29=[0x48,0xE9,0xC4,0xAD,0x23,0xA6,0x92,0xBA,0x3D,0x56,0x40,0x2A,0x19,0x56,0x42,0x5D,0x0C,0xFF,0x3F,0x53,0x5F,0xDB,0x6C,0x98,0xCD,0x1F,0xEE,0x4D,0x4A,0x9C,0x95,0xE4,0x44,0xF4,0xB2,0x4E,0xB5,0xAD,0xFB,0xF8,0xB9,0x63,0xB5,0xCD]
byte_00888FAF=[0x6A,0x56,0xE0,0x33,0x5B,0xC2,0x9E,0x53,0x90,0x4D,0xD9,0x5F,0x7D,0x77,0x90,0x2F,0x55,0xDC,0x18,0x28,0x3B,0x4D,0x46,0xBE,0xBC,0x14,0x69,0x96,0x4F,0x55,0xC2,0xA8,0x40,0xD7,0xEA,0xE2,0x04,0x63,0x9D,0x00,0xBA,0x4A,0x12,0x5E]
byte_00889036=[0x24,0x17,0x33,0x4E,0xBF,0xFE,0x01,0xA6,0xAE,0x3E,0xDE,0xF3,0x83,0xCF,0x25,0x04,0xC7,0x23,0xA9,0x07,0xD8,0x2A,0xBE,0xF1,0x78,0x0B,0xA6,0x81,0x75,0x5D,0xB8,0x32,0xED,0x54,0x7A,0x43,0xFA,0xF8,0x3C,0x60,0x75,0x5B,0xBB,0x4F]
byte_008890BD=[0xF8,0x11,0xAD,0x7F,0x62,0xB8,0x0B,0x14,0x32,0x8C,0xF9,0xF8,0x18,0xDE,0x22,0x56,0x47,0x00,0xED,0x8A,0x94,0x6B,0x73,0x68,0x3E,0xBF,0x27,0xDD,0x7B,0x73,0x83,0xE5,0x7F,0x38,0x40,0xB1,0x6A,0xEF,0x1A,0xFF,0x64,0x58,0x01,0x4B]
byte_00889142=[0x90,0x12,0x55,0x67,0x03,0x1F,0x9D,0x2C,0x43,0x18,0xE4,0xE2,0x52,0xD0,0x45,0x11,0xBD,0xD8,0xCD,0x8C,0x06,0x01,0x21,0x0B,0x3D,0xDF,0x0C,0x74,0x7B,0xA7,0x97,0x3A,0xA7,0x4F,0x60,0xBD,0x97,0xE9,0x5C,0x5E,0x16,0x3C,0xFE,0xFE]
byte_008891C5=[0xD8,0xA7,0x52,0xF4,0x8F,0xE7,0xC0,0x3F,0x4F,0x31,0x83,0xB0,0xD4,0x2E,0x8D,0x6B,0x7D,0xCF,0xC9,0x05,0x67,0x9B,0x6B,0xA6,0xD2,0x31,0xB6,0x3C,0x22,0x1A,0xDC,0xC6,0xE1,0xA0,0x39,0x34,0x8A,0x1B,0xF7,0xB5,0x00,0x43,0x01,0xCD]
byte_0088924D=[0x13,0xF3,0xD7,0xCB,0x9C,0x9D,0x47,0xBB,0x8E,0xC6,0xF4,0x34,0x64,0xC3,0x81,0x86,0x26,0xE3,0x9B,0xF1,0x7A,0xC0,0x91,0xB3,0xC3,0x10,0xB4,0x46,0x56,0xDB,0xFA,0x43,0x7F,0x2F,0xB2,0xF9,0x13,0x24,0xB7,0x32,0x9A,0xBA,0xEF,0x0F]
byte_008892CC=[0xA3,0xE0,0x5F,0x0A,0xAB,0x6A,0x31,0x39,0x1C,0xB2,0x77,0x06,0x28,0xE4,0x5C,0xA3,0x5D,0xE1,0x17,0x25,0x18,0xD3,0x48,0x69,0xD1,0x46,0x00,0xA5,0x46,0xE2,0x2B,0xBB,0xA7,0x3C,0x8F,0xE9,0xCF,0xD1,0x0C,0xCF,0x40,0xF6,0xDE,0x10]
byte_0088934D=[0xF5,0x8C,0xED,0xFA,0x59,0x63,0xD7,0x70,0x55,0xB6,0x33,0x1A,0x3E,0xDC,0x74,0x11,0xC4,0xF7,0xAC,0x79,0x16,0x6A,0x5B,0xC8,0x73,0xF0,0x1F,0x4E,0x2F,0x7E,0x32,0x72,0x6D,0x58,0x53,0x78,0x11,0x5F,0xC6,0xCE,0x47,0x70,0xAC,0x31]
byte_008893CF=[0xFE,0xC6,0xBD,0xAF,0x79,0x7B,0xF8,0x26,0xA3,0xAA,0x5B,0xAB,0x7D,0x42,0x5E,0x25,0xB5,0xCF,0x0D,0x3C,0xD2,0xB2,0xFC,0x27,0xAF,0x12,0x6A,0x5E,0xAB,0xC4,0xB6,0x81,0x65,0xA5,0x67,0xA4,0xEA,0x6E,0x92,0x45,0x24,0x4B,0x3A,0x62]
byte_00889456=[0xB8,0xA2,0xA0,0x18,0x47,0xD6,0x18,0x0E,0xC4,0xDE,0x43,0xB2,0xA3,0x96,0xCE,0x68,0x26,0xB0,0xF5,0x62,0xB4,0xD5,0x5D,0x86,0x19,0xC6,0xA6,0x0A,0xB7,0x63,0xCF,0x7F,0xA3,0x0A,0x8D,0x69,0x34,0x44,0x12,0x79,0xD9,0xD1,0x7C,0x7F]
byte_008894DC=[0x8E,0x99,0xF5,0x82,0xB6,0x37,0xD3,0xFA,0xD9,0x0A,0xAC,0x77,0xD4,0xAB,0xF4,0x63,0x63,0x29,0xDF,0xDD,0x80,0x42,0x1F,0x81,0xC3,0x91,0xF1,0x32,0x4D,0x8B,0x1D,0xE8,0x3C,0xA7,0x6E,0x8B,0x7C,0x87,0x12,0xC5,0xC8,0x55,0x0F,0x9F]
byte_0088955E=[0xE1,0x9F,0x56,0x37,0x9E,0x89,0xE5,0xFA,0x81,0xC2,0xC8,0x1F,0x93,0x1E,0xDB,0xE9,0x93,0x1C,0x06,0xDB,0x51,0xAC,0x84,0xA2,0xD4,0x73,0xE8,0x3C,0x98,0x69,0x92,0x4D,0xBB,0x09,0x14,0xBF,0x9D,0x60,0x83,0xBE,0x7D,0xAF,0x8D,0x04]
byte_008895E0=[0x6E,0x4B,0xE8,0x3A,0x66,0x0D,0xDE,0x89,0x89,0x0E,0xBF,0x9B,0x30,0x64,0xA9,0xB8,0x31,0xF9,0x31,0x27,0x8A,0x7C,0x3F,0x49,0xED,0x96,0xF4,0x7E,0x7F,0xCE,0x5B,0xFC,0x6E,0x2D,0xBD,0x74,0xBC,0x2A,0x12,0x44,0xC2,0xF4,0x35,0x02]
byte_00889662=[0x6D,0x74,0x57,0xF1,0x80,0x79,0xE3,0xBC,0x02,0x06,0x51,0xC2,0x04,0xE1,0xB0,0x30,0x08,0x3B,0xF3,0x32,0xEA,0xE4,0xC0,0xB0,0xA8,0xBB,0xF8,0xF4,0x1B,0xBC,0x6B,0xCC,0xDE,0xCA,0x49,0x8D,0xA0,0x8B,0x97,0xCE,0x01,0xE3,0x98,0x51]
byte_008896E1=[0x0D,0x95,0x55,0x9E,0xA4,0x77,0x95,0x24,0x8A,0x54,0xAD,0x84,0x27,0xE6,0x60,0xE5,0x54,0xDA,0x0E,0x99,0xB8,0x62,0xA0,0x81,0x02,0xA1,0x63,0x29,0x11,0x72,0x37,0x43,0xC0,0x66,0xF1,0xA8,0x95,0xBF,0xD8,0x12,0xE5,0x99,0x5E,0xAB]
allbytelist=[byte_008880A9,byte_0088812C,byte_008881B4,byte_0088823B,byte_008882C0,byte_00888341,byte_008883C4,byte_00888449,byte_008884CE,byte_0088854E,byte_008885CE,byte_00888655,byte_008886D9,byte_0088875D,byte_008887E3,byte_00888865,byte_008888E9,byte_00888977,byte_008889F9,byte_00888A7F,byte_00888B05,byte_00888B8B,byte_00888C0D,byte_00888C92,byte_00888D14,byte_00888D9D,byte_00888E21,byte_00888EA2,byte_00888F29,byte_00888FAF,byte_00889036,byte_008890BD,byte_00889142,byte_008891C5,byte_0088924D,byte_008892CC,byte_0088934D,byte_008893CF,byte_00889456,byte_008894DC,byte_0088955E,byte_008895E0,byte_00889662,byte_008896E1]
for i in range(44):    
	for j in range(44):        
		allbytelist[i][j] = F(allbytelist[i][j].bits())
data = matrix(F, allbytelist); data.str()
results = [200, 201, 204, 116, 124, 94, 129, 127, 211, 85, 61, 154, 50, 51, 27, 28, 19, 134, 121, 70, 100, 219, 1, 132, 93, 252, 152, 87, 32, 171, 228, 156, 43, 98, 203, 2, 24, 63, 215, 186, 201, 128, 103, 52]
for i in range(44)：
	results[i] = F(results[i].bits())

R = matrix(F, results).transpose()

inp = data^-1 * R
print inp

table = dict()
for i in range(128):
	 table[F(Integer(i).bits())] = i

for i in inp.transpose()[0]:
	print chr(table[i])

mic_ticktock

拿到题目后，直接去看一下流程，看不懂，这是个啥， 不过可以大概看出来这个是个go逆向，直接用插件，恢复的很好

大部分都恢复了，我们可以知道这个是个webserver，那么webserver可以考虑到路由表，也看到了这里有github router，直接想一下router的问题，那么根据路由表来去看函数，这里还是我的p3教我的

这种前面是路由 后面是对应的函数，index.php是我的路由，访问index.php就会映射到index函数，这里p3给我举了一些例子

他命名main模块统一的，go里main模块是主模块，基本开发自己写的逻辑都在main里

调试也是，通过attach进行的，运行程序开启服务，然后我们调试一下然后看看功能都是什么，我大概试了两个就找了输入，运气比较好？也许0000000000692730 webproxy的处理函数0000000000693580 ticktock的所以我们ticktock直接在本地测试一下，发现可以获取我们输入的字符直接在693580下断点，进行调试分析，根据恢复的表

直接看看关键点加密这里，不难分析出这是一个SM4 CFB模式经过调试发现，因为恢复的很好，而且他都告诉我们了CFB模式

这里我发现了，我们去不到这里，这里进行了分析，那么我们就是一个在输入我们在浏览器看到的还有一个是进行了比较

这里有56个数据，但是自己想了想怎么不满足sm4的模式少了8个，那么这里卡了一下看了文献CFB模式，54可以的，因为消息无需进行填充，所以可以进行爆破的形式

# coding=utf-8
import requests
import base64
s = "Here is a FLAG: De1CTF{t1Ck-t0ck_Tlck-1ocK_MC2O20_:)SM4}"
kk = " 0123456789@ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz{|}~()_[\]^`!\"$%'*+,-./;<=>?#:"
flag = [0xA4,0xA3,0x04,0xB9,0x1E,0xF1,0x96,0xC6,0x0A,0x26,0x4D,0xE9,0xAF,0xFD,0xB1,0xFF,0x06,0xEE,0xE5,0xCF,0x6B,0x2E,0x0C,0x02,0x17,0x6A,0x97,0xB7,0x95,0xAC,0xB8,0x11,0x1A,0x8F,0x13,0x83,0xE5,0xAF,0x67,0xC9,0x6A,0x26,0x99,0x2B,0x1C,0xAD,0x3F,0x41,0xDF,0xAA,0x36,0x36,0x08,0xA2,0x04,0x9D]
for i in flag[len(s):]:
    for j in kk:
        url = "http://127.0.0.1/ticktock?text=" + s + j
        response = requests.get(url)
        content = response.content
        # print content
        res = content.replace("TickTock: ","")

        if i == ord(base64.b64decode(res)[-1] ):
            s = s + j
            print j,i,ord(base64.b64decode(res)[-1] )
            break
print s

好啦，总结完了！告辞！👴去休息啦！下次RCTF一定加油！奥里给！这个比赛学到不少东西，也告诉自己要去学go了，安排在日程上啦！