From 93ac81b8357634b2ab52c7c2fead34864c69c0d9 Mon Sep 17 00:00:00 2001
From: sunbeam <fcb1995@163.com>
Date: Tue, 17 May 2022 14:11:10 +0800
Subject: [PATCH] =?UTF-8?q?=E6=9B=B4=E6=96=B0?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 default.aproj            |   3 +
 user/CanThread.aardio    |  41 +++++-
 user/Diag10code.aardio   |  17 ++-
 user/Diag27code.aardio   |  49 +++++--
 user/Diag28code.aardio   |   8 +-
 user/Diag2Ecode.aardio   |  43 ++++++
 user/Diag31code.aardio   |  26 ++++
 user/Diag7Fcode.aardio   |   9 +-
 user/DiagBootcode.aardio |  76 ++++++++++-
 user/securety.aardio     | 281 +++++++++++++++++++++++++++++++++++++++
 10 files changed, 517 insertions(+), 36 deletions(-)
 create mode 100644 user/Diag2Ecode.aardio
 create mode 100644 user/Diag31code.aardio
 create mode 100644 user/securety.aardio

diff --git a/default.aproj b/default.aproj
index e5a8044..e1b1a89 100644
--- a/default.aproj
+++ b/default.aproj
@@ -12,5 +12,8 @@
 		<file name="Diag7Fcode.aardio" path="user\Diag7Fcode.aardio" comment="user\Diag7Fcode.aardio"/>
 		<file name="Diag27code.aardio" path="user\Diag27code.aardio" comment="user\Diag27code.aardio"/>
 		<file name="DiagBootcode.aardio" path="user\DiagBootcode.aardio" comment="user\DiagBootcode.aardio"/>
+		<file name="securety.aardio" path="user\securety.aardio" comment="user\securety.aardio"/>
+		<file name="Diag2Ecode.aardio" path="user\Diag2Ecode.aardio" comment="user\Diag2Ecode.aardio"/>
+		<file name="Diag31code.aardio" path="user\Diag31code.aardio" comment="user\Diag31code.aardio"/>
 	</folder>
 </project>
diff --git a/user/CanThread.aardio b/user/CanThread.aardio
index bf17d0f..2b68a25 100644
--- a/user/CanThread.aardio
+++ b/user/CanThread.aardio
@@ -24,7 +24,7 @@ FuncLoopMsg = function(msg){
 			FuncStartBoot();
 		}
 		case 103 {
-			FuncStop();
+			FuncStopBoot();
 		}
 		case 110 {//readDID
 			FuncReadDID(msg.wParam);
@@ -81,7 +81,7 @@ loadcodex("\user\Diag85code.aardio");
 loadcodex("\user\Diag28code.aardio");
 loadcodex("\user\Diag7Fcode.aardio");
 loadcodex("\user\Diag27code.aardio");
-
+loadcodex("\user\Diag2Ecode.aardio");
 loadcodex("\user\DiagBootcode.aardio");
 
 RespState = 0;
@@ -97,6 +97,7 @@ FuncDiagPro = function(diagmsg){
 			FuncDiag22Pro(table.slice(diagmsg.data,1,diagmsg.len))
 		}
 		case 0x67 {
+			FuncDiag27Pro(table.slice(diagmsg.data,1,diagmsg.len))
 		}
 		case 0x74 {
 		}
@@ -131,6 +132,31 @@ FuncStartBoot = function(){
 
 }
 
+var PackNext = 0x21;
+var Packdata = {};
+var PackID = 0;
+FuncSendPackage = function(){
+	while(#Packdata > 0)
+	{
+		var data = {PackNext,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC};
+		var max = #Packdata > 7 ? 7 : #Packdata;
+		for(i=1;max;1){
+			data[i+1] = table.remove(Packdata);
+		}
+		CANHw.SendMsg(PackID,data);
+		sleep(1);
+		PackNext += 1;
+		if(PackNext > 0x2f){
+			PackNext = 0x20;
+		}
+	}
+	
+}
+FuncPushPackage = function(ID,data){
+	PackNext = 0x21;
+	Packdata = data;
+	PackID = ID;
+}
 
 
 
@@ -153,7 +179,7 @@ timer1.onTimer = function(){
 	ret = CANHw.GetMsg();
 	for(i=1;#ret;1){
 		//console.log("id = " + tostring(ret[i].id))
-		if(ret[i].id&0x7FFFFFFF ==  DiagRespID){
+		if(ret[i].id & 0x7FFFFFFF ==  DiagRespID){
 			if(ret[i].data[1] == 0x10){//首帧
 				var data = {0x30,0x00,0x14,0x00,0,0,0,0};
 				CANHw.SendMsg(DiagReqID,data);
@@ -163,15 +189,15 @@ timer1.onTimer = function(){
 				diagresp["next"] = 0x21;
 				table.append(diagresp["data"],table.slice(ret[i].data,4));
 			}
-			elseif(ret[i].data[1] <= 0x06){
+			elseif(ret[i].data[1] <= 0x06){//单帧
 				//console.dumpJson()
 				diagresp["sid"] = ret[i].data[2];
 				diagresp["len"] = ret[i].data[1]-1;
 				diagresp["data"] = table.slice(ret[i].data,3);
 				FuncDiagPro(diagresp);
 			}
-			elseif(ret[i].data[1] >= 0x21){
-				if(ret[i].data[1] == diagresp["next"]){
+			elseif(ret[i].data[1] >= 0x21 && ret[i].data[1] <= 0x2f){
+				if(ret[i].data[1] == diagresp["next"]){//多帧
 					diagresp["next"] += 1;
 					if(diagresp["next"] >= 0x2F){
 						diagresp["next"] = 0x20;
@@ -182,6 +208,9 @@ timer1.onTimer = function(){
 					}
 				}
 			}
+			elseif(ret[i].data[1] == 0x30){//
+				FuncSendPackage();
+			}
 			
 			
 		}
diff --git a/user/Diag10code.aardio b/user/Diag10code.aardio
index b1cde35..a266389 100644
--- a/user/Diag10code.aardio
+++ b/user/Diag10code.aardio
@@ -1,9 +1,16 @@
 
 //发送	
-FuncReq10 = function(num){
+FuncReq10 = function(Addr,num){
 	if(num >= 1 && num <= 3){
 		var data = {0x02,0x10,num,0,0,0,0,0};
-		CANHw.SendMsg(DiagReqID,data);
+		if(Addr == true){
+			CANHw.SendMsg(DiagGloableID,data);
+		}
+		else {
+			CANHw.SendMsg(DiagReqID,data);
+		}
+		
+		
 	}
 	
 }
@@ -12,13 +19,13 @@ FuncDiag10Pro = function(data){
 	//console.dumpJson(data);
 	select(data[1]) {
 		case 1 {
-			FuncDisplay("进入默认会话")
+			FuncDisplay("进入默认会话成功")
 		}
 		case 2 {
-			FuncDisplay("进入boot会话")
+			FuncDisplay("进入编程会话成功")
 		}
 		case 3 {
-			FuncDisplay("进入扩展会话")
+			FuncDisplay("进入扩展会话成功")
 		}
 		else {
 		}
diff --git a/user/Diag27code.aardio b/user/Diag27code.aardio
index 0c647e9..571e950 100644
--- a/user/Diag27code.aardio
+++ b/user/Diag27code.aardio
@@ -1,25 +1,52 @@
+
+var SecuretySeed = {0,0,0,0,};
+var SecuretyKey = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
 //发送	
-FuncReq27 = function(num){
-	if(num >= 1 && num <= 3){
-		var data = {0x02,0x28,num,0,0,0,0,0};
-		CANHw.SendMsg(DiagReqID,data);
+FuncReq27 = function(num,key){
+	if(num >= 1 && num <= 0x0C){
+		if(key == null){
+			var data = {0x02,0x27,num,0,0,0,0,0};
+			CANHw.SendMsg(DiagReqID,data);
+		}
+		else {
+			var data = {0x10,0X12,0x27,num,key[1],key[2],key[3],key[4]};
+			CANHw.SendMsg(DiagReqID,data);
+			
+			FuncPushPackage(DiagReqID,table.slice(key,5));
+		}
+		
+		
+		
 	}
 	
 }
+
+loadcodex("\user\securety.aardio");
 //接收
 FuncDiag27Pro = function(data){
 	//console.dumpJson(data);
 	select(data[1]) {
-		case 1 {
-			FuncDisplay("使能接收，禁能发送")
+		case 1,3,5,7,9,11 {
+			var str = "收到种子 "; 
+			for(i=1;4;1){
+				SecuretySeed[i] = data[i+1];
+				str += tostring(SecuretySeed[i],16);
+			}
+			FuncDisplay(str)
+			SecuretyKey = GenerateKeyEx(SecuretySeed,data[1]);
+			if(#SecuretyKey >= 16){
+				FuncReq27(data[1]+1,SecuretyKey);
+			}
+			else {
+				FuncDisplay("计算失败");
+			}
+			
 		}
-		case 2 {
-			FuncDisplay("28 - TDB02")
-		}
-		case 3 {
-			FuncDisplay("28 - TDB03")
+		case 2,4,6,8,10,12 {
+			FuncDisplay("解锁成功");
 		}
 		else {
+			FuncDisplay("27服务未知子服务");
 		}
 	}
 }
\ No newline at end of file
diff --git a/user/Diag28code.aardio b/user/Diag28code.aardio
index c6a9883..453b493 100644
--- a/user/Diag28code.aardio
+++ b/user/Diag28code.aardio
@@ -1,9 +1,9 @@
 
 //发送	
-FuncReq28 = function(num){
-	if(num >= 1 && num <= 3){
-		var data = {0x02,0x28,num,0,0,0,0,0};
-		CANHw.SendMsg(DiagGloableID,data);
+FuncReq28 = function(num1,num2){
+	if(num1 >= 1 && num1 <= 3){
+		var data = {0x03,0x28,num1,num2,0,0,0,0};
+		var ret = CANHw.SendMsg(DiagGloableID,data);
 	}
 	
 }
diff --git a/user/Diag2Ecode.aardio b/user/Diag2Ecode.aardio
new file mode 100644
index 0000000..b99b246
--- /dev/null
+++ b/user/Diag2Ecode.aardio
@@ -0,0 +1,43 @@
+
+var diag22state = 0; 
+//发送	
+FuncDIDWriteStr = function(did,str){
+	var data = {}
+	for(i=1;string.len(str);1){
+		data[i] = string.unpack(str,i);
+	}
+	FuncReq2E(did,data)
+	return data;
+}
+
+//FuncDIDWriteStr(0xf198,"0123456789abcdef1234");
+
+FuncReq2E = function(did,data){
+	if(CANHw.isConnected() == false){
+		return; 
+	}
+	if(#data > 4){
+		//多帧
+		var txdata = {0x10,3+#data,0x2E,did>>8,did&0xff,data[1],data[2],data[3]};
+		CANHw.SendMsg(DiagReqID,txdata);
+		//等待发送
+		FuncPushPackage(DiagReqID,table.slice(data,3));
+	}
+	else {
+		var txdata = {3+#data,0x2E,did>>8,did&0xff,0,0,0,0};
+		for(i=1;#data;1){
+			txdata[5+i] = data[i];
+		}
+		CANHw.SendMsg(DiagReqID,txdata);
+		
+	}
+	
+}
+
+
+//接收
+FuncDiag2EPro = function(data){
+	var did = (data[1]<<8) + data[2];
+	FuncDisplay("写入" + tostring(did,16) + "成功");
+	
+}
\ No newline at end of file
diff --git a/user/Diag31code.aardio b/user/Diag31code.aardio
new file mode 100644
index 0000000..3c84d48
--- /dev/null
+++ b/user/Diag31code.aardio
@@ -0,0 +1,26 @@
+
+
+//发送	
+FuncReq31 = function(data){
+	if(#data > 6){//多帧
+		
+	}
+	
+}
+//接收
+FuncDiag28Pro = function(data){
+	//console.dumpJson(data);
+	select(data[1]) {
+		case 1 {
+			FuncDisplay("使能接收，禁能发送")
+		}
+		case 2 {
+			FuncDisplay("28 - TDB02")
+		}
+		case 3 {
+			FuncDisplay("28 - TDB03")
+		}
+		else {
+		}
+	}
+}
\ No newline at end of file
diff --git a/user/Diag7Fcode.aardio b/user/Diag7Fcode.aardio
index d1d9fe5..0c935fa 100644
--- a/user/Diag7Fcode.aardio
+++ b/user/Diag7Fcode.aardio
@@ -12,14 +12,15 @@ FuncClrNrc = function(){
 //接收
 FuncDiag7FPro = function(data){
 	//console.dumpJson(data);
-	select(data[2]) {
+	errSID = data[1];
+	errNRC = data[2];
+	select(errNRC) {
 		case 0x78 {
 			FuncDisplay("服务正忙")
 		}
 		else {
-			FuncDisplay("错误")
+			FuncDisplay("错误 - NRC:" + tostring(errNRC,16))
 		}
 	}
-	errSID = data[1];
-	errNRC = data[2];
+	
 }
\ No newline at end of file
diff --git a/user/DiagBootcode.aardio b/user/DiagBootcode.aardio
index b0986b8..3d5aff0 100644
--- a/user/DiagBootcode.aardio
+++ b/user/DiagBootcode.aardio
@@ -16,7 +16,7 @@ FuncWait = function(sid){
 			return 0xff; 
 		}
 		else {
-			FuncDisplay("错误");
+			FuncDisplay("刷写错误");
 			boottimer.disable();
 			return 1; //负响应
 		}
@@ -29,7 +29,7 @@ FuncWait = function(sid){
 	}
 	bootcount += 1;
 	if(bootcount >= 400){
-		FuncDisplay("超时");
+		FuncDisplay("超时 " + tostring(sid,16));
 		boottimer.disable();
 		return 3;//超时 
 	}
@@ -58,6 +58,13 @@ nextstate = function(val){
 	}
 }
 
+BCD_Conv = function(num){
+	if(num > 99){
+		return 0;
+	}
+	return (num/10)*16 + (num%10);
+}
+
 
 FuncBootSeq = function(){
 	select(bootstate) {
@@ -94,7 +101,7 @@ FuncBootSeq = function(){
 		}
 		case 3 {
 			if(sendstate == 0){
-				FuncReq10(0x03);//进入扩展会话
+				FuncReq10(true,0x03);//进入扩展会话
 				FuncClearState();
 			}
 			else {
@@ -104,7 +111,7 @@ FuncBootSeq = function(){
 		}
 		case 4 {
 			if(sendstate == 0){
-				FuncReq85(0x02);//进入扩展会话
+				FuncReq85(0x02);//关闭DTC
 				FuncClearState();
 			}
 			else {
@@ -114,7 +121,7 @@ FuncBootSeq = function(){
 		}
 		case 5 {
 			if(sendstate == 0){
-				FuncReq28(0x01);//进入扩展会话
+				FuncReq28(0x01,0x01);//禁止发送
 				FuncClearState();
 			}
 			else {
@@ -122,8 +129,65 @@ FuncBootSeq = function(){
 				nextstate(ret);
 			}
 		}
+		case 6 {
+			if(sendstate == 0){
+				FuncReq10(false,0x02);//进入编程会话
+				FuncClearState();
+			}
+			else {
+				var ret = FuncWait(0x10);
+				nextstate(ret);
+			}
+		}
+		case 7 {
+			if(sendstate == 0){
+				FuncReq27(01);//解密
+				FuncClearState();
+			}
+			else {
+				var ret = FuncWait(0x27);
+				nextstate(ret);
+			}
+		}
+		case 8 {
+			if(sendstate == 0){
+				//FuncReq27(02);//发送key
+				FuncClearState();
+			}
+			else {
+				var ret = FuncWait(0x27);
+				nextstate(ret);
+			}
+		}
+		case 9 {
+			if(sendstate == 0){
+				FuncDIDWriteStr(0xf198,"0123456789abcdef1234");
+				FuncClearState();
+			}
+			else {
+				var ret = FuncWait(0x2E);
+				nextstate(ret);
+			}
+		}
+		
+		case 10 {
+			if(sendstate == 0){
+				var year1 = BCD_Conv(time.now().year/100);
+				var year2 = BCD_Conv(time.now().year%100);
+				var month = BCD_Conv(time.now().month);
+				var day   = BCD_Conv(time.now().day); 
+				FuncReq2E(0XF199,{year1,year2,month,day})
+				FuncClearState();
+				
+			}
+			else {
+				var ret = FuncWait(0x2E);
+				nextstate(ret);
+			}
+		}
+		
 		else {
-			FuncDisplay("停止")
+			FuncDisplay("刷写完成")
 			boottimer.disable();
 		}
 	}
diff --git a/user/securety.aardio b/user/securety.aardio
new file mode 100644
index 0000000..c5e83c3
--- /dev/null
+++ b/user/securety.aardio
@@ -0,0 +1,281 @@
+import console; 
+
+
+var g_aes128_cbc_mask =
+{
+	{0x53,	0x57,	0x53,	0x45,	0x4D,	0x33,	0x31,	0x20,	0x20,	0x20,	0x20,	0x20} ,  //level1
+	{0x53,	0x57,	0x53,	0x45,	0x4D,	0x33,	0x33,	0x20,	0x20,	0x20,	0x20,	0x20} ,  //level3
+	{0x53,	0x57,	0x53,	0x45,	0x4D,	0x33,	0x35,	0x20,	0x20,	0x20,	0x20,	0x20} ,  //level5
+	{0x53,	0x57,	0x53,	0x45,	0x4D,	0x33,	0x37,	0x20,	0x20,	0x20,	0x20,	0x20} ,  //level7
+	{0x53,	0x57,	0x53,	0x45,	0x4D,	0x33,	0x39,	0x20,	0x20,	0x20,	0x20,	0x20} ,  //level9
+	{0x53,	0x57,	0x53,	0x45,	0x4D,	0x33,	0x42,	0x20,	0x20,	0x20,	0x20,	0x20} ,  //levelb
+};
+
+var g_aes128_cbc_encrcon = 
+{
+	0x8d, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a,
+	0x2f, 0x5e, 0xbc, 0x63, 0xc6, 0x97, 0x35, 0x6a, 0xd4, 0xb3, 0x7d, 0xfa, 0xef, 0xc5, 0x91, 0x39,
+	0x72, 0xe4, 0xd3, 0xbd, 0x61, 0xc2, 0x9f, 0x25, 0x4a, 0x94, 0x33, 0x66, 0xcc, 0x83, 0x1d, 0x3a,
+	0x74, 0xe8, 0xcb, 0x8d, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8,
+	0xab, 0x4d, 0x9a, 0x2f, 0x5e, 0xbc, 0x63, 0xc6, 0x97, 0x35, 0x6a, 0xd4, 0xb3, 0x7d, 0xfa, 0xef,
+	0xc5, 0x91, 0x39, 0x72, 0xe4, 0xd3, 0xbd, 0x61, 0xc2, 0x9f, 0x25, 0x4a, 0x94, 0x33, 0x66, 0xcc,
+	0x83, 0x1d, 0x3a, 0x74, 0xe8, 0xcb, 0x8d, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b,
+	0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a, 0x2f, 0x5e, 0xbc, 0x63, 0xc6, 0x97, 0x35, 0x6a, 0xd4, 0xb3,
+	0x7d, 0xfa, 0xef, 0xc5, 0x91, 0x39, 0x72, 0xe4, 0xd3, 0xbd, 0x61, 0xc2, 0x9f, 0x25, 0x4a, 0x94,
+	0x33, 0x66, 0xcc, 0x83, 0x1d, 0x3a, 0x74, 0xe8, 0xcb, 0x8d, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20,
+	0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a, 0x2f, 0x5e, 0xbc, 0x63, 0xc6, 0x97, 0x35,
+	0x6a, 0xd4, 0xb3, 0x7d, 0xfa, 0xef, 0xc5, 0x91, 0x39, 0x72, 0xe4, 0xd3, 0xbd, 0x61, 0xc2, 0x9f,
+	0x25, 0x4a, 0x94, 0x33, 0x66, 0xcc, 0x83, 0x1d, 0x3a, 0x74, 0xe8, 0xcb, 0x8d, 0x01, 0x02, 0x04,
+	0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a, 0x2f, 0x5e, 0xbc, 0x63,
+	0xc6, 0x97, 0x35, 0x6a, 0xd4, 0xb3, 0x7d, 0xfa, 0xef, 0xc5, 0x91, 0x39, 0x72, 0xe4, 0xd3, 0xbd,
+	0x61, 0xc2, 0x9f, 0x25, 0x4a, 0x94, 0x33, 0x66, 0xcc, 0x83, 0x1d, 0x3a, 0x74, 0xe8, 0xcb  
+};
+
+var g_aes12_cbc_sbox =
+{
+	/*0     1    2      3     4    5     6     7      8    9     A      B    C     D     E     F
+	*/
+	0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
+	0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,
+	0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15,
+	0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75,
+	0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84,
+	0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
+	0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8,
+	0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2,
+	0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73,
+	0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb,
+	0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79,
+	0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,
+	0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a,
+	0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e,
+	0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
+	0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16
+};
+var g_dll_Key_str = "56 44 4B 66 62 45 66 61 44 48 33 39 52 61 52 68";
+var g_dll_Key = string.map(g_dll_Key_str,"\x\x",lambda(v) tonumber(v,16));
+
+
+aes128_cbc_make_iv = function(seed,mask){
+	var ret = {}; 
+	for(i=1;4;1){
+		ret[i] = (seed[i] + 0x55)&0xff;
+	}
+	
+	for(i=1;16-4;1){
+		ret[i+4] = mask[i];
+	}
+	return ret; 
+}
+
+aes128_cbc_pcks7 = function(input,ouputsize){
+	var l_offset = 0;
+	var output = {};
+	if(#input <= ouputsize){
+		l_offset = ouputsize - #input;
+	} 
+	for(i=1;#input;1){
+		output[i] = input[i];
+	}
+	for(i=1;l_offset;1){
+		output[i+#input] = l_offset;
+	}
+	return output; 
+}
+
+aes128_cbc_encrypt_ext = function(iv,plain,key){
+	var l_out = {};
+	
+	for(i=1;16;1){
+		plain[i]=plain[i] ^ iv[i];
+	}
+	
+	g_aes128_cbc_enckey_expansion(key);
+	l_out = g_aes128_cbc_cipher(plain);
+	return l_out;
+}
+g_aes12_cbc_roundkey = {};
+g_aes128_cbc_enckey_expansion = function(key){
+	var temp = {0,0,0,0};
+	for(i=1;16;1){
+		g_aes12_cbc_roundkey[i] = key[i];
+	}
+	
+	for(i=5;(4*11);1){
+		for(j=1;4;1){
+			temp[j] = g_aes12_cbc_roundkey[(i-2) * 4 + j]
+		}
+		//showtab(temp,string.format("i=%d,temp=",i ));
+		if((i-1)&0x03 == 0){
+			var k = temp[1];
+			temp[1] = temp[2];
+			temp[2] = temp[3];
+			temp[3] = temp[4];
+			temp[4] = k;
+			//showtab(temp,string.format("i=%d,temp=",i ));
+			
+			temp[1]=g_aes12_cbc_sbox[temp[1]+1];
+			temp[2]=g_aes12_cbc_sbox[temp[2]+1];
+			temp[3]=g_aes12_cbc_sbox[temp[3]+1];
+			temp[4]=g_aes12_cbc_sbox[temp[4]+1];
+			
+			temp[1] =  temp[1] ^ g_aes128_cbc_encrcon[((i-1)>>2) + 1];
+		}
+		g_aes12_cbc_roundkey[(i-1)*4+1] = g_aes12_cbc_roundkey[(i-5)*4+1] ^ temp[1];
+		g_aes12_cbc_roundkey[(i-1)*4+2] = g_aes12_cbc_roundkey[(i-5)*4+2] ^ temp[2];
+		g_aes12_cbc_roundkey[(i-1)*4+3] = g_aes12_cbc_roundkey[(i-5)*4+3] ^ temp[3];
+		g_aes12_cbc_roundkey[(i-1)*4+4] = g_aes12_cbc_roundkey[(i-5)*4+4] ^ temp[4];
+	}
+	//showtab(g_aes12_cbc_roundkey,"g_aes12_cbc_roundkey");
+}
+g_aes12_cbc_state = {{0,0,0,0},{0,0,0,0},{0,0,0,0},{0,0,0,0}};
+g_aes128_cbc_cipher = function(input){
+	var output = {}; 
+	for(i=1;4;1){
+		for(j=1;4;1){
+			g_aes12_cbc_state[j][i] = input[(i-1)*4 + j]
+		}
+	}
+
+	g_aes128_cbc_encadd_roundkey(0);
+	
+	for(i=1;9;1){
+		g_aes128_cbc_enc_subbytes();
+		g_aes128_cbc_shift_rows();
+		g_aes128_cbc_mix_columns();
+		g_aes128_cbc_encadd_roundkey(i);
+	}
+	g_aes128_cbc_enc_subbytes();
+	g_aes128_cbc_shift_rows();
+	g_aes128_cbc_encadd_roundkey(10);
+	for(i=1;4;1){
+		for(j=1;4;1){
+			output[(i-1)*4+j]=g_aes12_cbc_state[j][i];
+		}
+	}
+	return output; 
+}
+g_aes128_cbc_encadd_roundkey = function(round){
+	for(i=1;4;1){
+		for(j=1;4;1){
+			g_aes12_cbc_state[j][i] ^= g_aes12_cbc_roundkey[round * 16 + (i-1) * 4 + j];
+		}
+	}
+	
+}
+g_aes128_cbc_enc_subbytes = function(){
+	for(i=1;4;1){
+		for(j=1;4;1){
+			//console.log("g_aes12_cbc_state[i][j] + 1 = " + (g_aes12_cbc_state[i][j] + 1))
+			g_aes12_cbc_state[i][j] = g_aes12_cbc_sbox[g_aes12_cbc_state[i][j] + 1];
+		}
+	}
+	
+}
+g_aes128_cbc_shift_rows = function(){
+	var temp=0;
+
+	/* Rotate first row 1 columns to left
+	*/
+	temp=g_aes12_cbc_state[2][1];
+	g_aes12_cbc_state[2][1]=g_aes12_cbc_state[2][2];
+	g_aes12_cbc_state[2][2]=g_aes12_cbc_state[2][3];
+	g_aes12_cbc_state[2][3]=g_aes12_cbc_state[2][4];
+	g_aes12_cbc_state[2][4]=temp;
+
+	/* Rotate second row 2 columns to left
+	*/
+	temp=g_aes12_cbc_state[3][1];
+	g_aes12_cbc_state[3][1]=g_aes12_cbc_state[3][3];
+	g_aes12_cbc_state[3][3]=temp;
+
+	temp=g_aes12_cbc_state[3][2];
+	g_aes12_cbc_state[3][2]=g_aes12_cbc_state[3][4];
+	g_aes12_cbc_state[3][4]=temp;
+
+	/* Rotate third row 3 columns to left
+	*/
+	temp=g_aes12_cbc_state[4][1];
+	g_aes12_cbc_state[4][1]=g_aes12_cbc_state[4][4];
+	g_aes12_cbc_state[4][4]=g_aes12_cbc_state[4][3];
+	g_aes12_cbc_state[4][3]=g_aes12_cbc_state[4][2];
+	g_aes12_cbc_state[4][2]=temp;
+}
+
+g_aes128_cbc_mix_columns = function(){
+	var Tmp,Tm,t;
+	
+	for(i=1;4;1)
+	{
+		t=g_aes12_cbc_state[1][i];
+		//console.dumpJson(g_aes12_cbc_state)
+		Tmp = g_aes12_cbc_state[1][i] ^ g_aes12_cbc_state[2][i] ^ g_aes12_cbc_state[3][i] ^ g_aes12_cbc_state[4][i] ;
+		Tm = g_aes12_cbc_state[1][i] ^ g_aes12_cbc_state[2][i] ;
+		Tm = AES128_CBC_XTIME(Tm);
+		
+		g_aes12_cbc_state[1][i] ^= Tm ^ Tmp ;
+		Tm = g_aes12_cbc_state[2][i] ^ g_aes12_cbc_state[3][i] ;
+		Tm = AES128_CBC_XTIME(Tm);
+		
+		g_aes12_cbc_state[2][i] ^= Tm ^ Tmp ;
+		Tm = g_aes12_cbc_state[3][i] ^ g_aes12_cbc_state[4][i] ;
+		Tm = AES128_CBC_XTIME(Tm);
+		g_aes12_cbc_state[3][i] ^= Tm ^ Tmp ;
+		Tm = g_aes12_cbc_state[4][i] ^ t ;
+		Tm = AES128_CBC_XTIME(Tm);
+		g_aes12_cbc_state[4][i] ^= Tm ^ Tmp ;
+		
+	}
+}
+AES128_CBC_XTIME = function(x){
+	var ret = 0;
+	ret = (x<<1) ^ (((x>>7) & 1) * 0x1b);
+	
+	return (ret&0xff); 
+}
+
+
+showtab = function(tab,name){
+	console.log(name);
+	var str = name + " = ";
+	for(k,v in tab){
+		//console.log(tostring(v,16));
+		//str += tostring(v,16);
+		//str += " "
+		str = string.format("[%d] = %x",k,v );
+		console.log(str);
+	}
+	//console.log(str);
+}
+
+
+g_aes128_seed = {};
+g_aes128_cbc_iv = {};
+GenerateKeyEx = function(seed,level){
+	var l_id = 0;
+	if(level >= 0x01 && level <= 0x0C){
+		l_id = math.floor((level - 1)/2) + 1 ;
+	}
+	g_aes128_seed = {};
+	g_aes128_cbc_iv = {};
+	for(i=1;4;1){
+		g_aes128_seed[i] = seed[i];
+	}
+
+	g_aes128_cbc_iv = aes128_cbc_make_iv(g_aes128_seed,g_aes128_cbc_mask[l_id]);
+	
+	var l_text = aes128_cbc_pcks7(g_aes128_seed,16);
+
+	var l_res = aes128_cbc_encrypt_ext(g_aes128_cbc_iv,l_text,g_dll_Key)
+	
+	return l_res; 
+	
+	//console.log("l_id = " + l_id)
+}
+
+/*
+var ret = GenerateKeyEx({0xff,0xff,0xff,0xff},0x01);
+console.log("结果")
+showtab(ret,"key");
+console.pause(true);
+*/
\ No newline at end of file