Thread: Similar to XTEA ?

  1. #1
    s1mmie
    Guest

    Similar to XTEA?

    In a piece of malware, I found code that makes use of the constant 0x9E3779B9, which is used by the TEA, XTEA and XXTEA algorithms.

    But the assembly (ARM) does not really match XTEA.
    Would somebody have a clue what this could be?

    Thanks !

    Code:
    PUSH    {R1-R7,LR}
    MOVS    R0, #0
    MOVS    R3, #0
    MOVS    R5, #0x20
    LDRB    R4, [R1]
    LDR     R6, [R2]
    ORRS    R0, R4
    LDRB    R4, [R1,#1]     ; R4 = *(R1 + 1)
    LDR     R7, [R2,#4]
    LSLS    R4, R4, #8
    ORRS    R0, R4
    LDRB    R4, [R1,#2]
    MOV     LR, R6
    LSLS    R4, R4, #0x10 ; none of this in XTEA !
    ORRS    R0, R4
    LDRB    R4, [R1,#3]
    LSLS    R4, R4, #0x18
    ORRS    R0, R4
    LDRB    R4, [R1,#4]
    ORRS    R3, R4
    LDRB    R4, [R1,#5]
    LSLS    R4, R4, #8
    ORRS    R3, R4
    LDRB    R4, [R1,#6]
    LSLS    R4, R4, #0x10
    ORRS    R3, R4
    LDRB    R4, [R1,#7]
    STR     R7, [SP,#0x20+var_18]
    LSLS    R4, R4, #0x18
    LDR     R6, [R2,#8]
    ORRS    R4, R3
    LDR     R3, =0x9E3779B9 ; TEA magic constant
    STR     R6, [SP,#0x20+var_1C]
    LDR     R7, [R2,#0xC]
    LSLS    R2, R3, #5
    MOV     R12, R3
    STR     R7, [SP,#0x20+var_20]
    B       loc_9086
    ...
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Looks like similar code to

    http://burtleburtle.net/bob/c/lookup2.c

    which is a hash (for a lookup table construction, not a cryptographic hash)

    But I haven't seen the context or the complete code...
    (but the shifts etc are similar)

  3. #3
    Registered User (Join Date: Mar 2003, Location: NetsVille, Posts: 30)

    What about RC5 or RC6? That constant is used in those, perhaps in other algos too?

  4. #4
    Like I said, the code as posted (a short snippet only) shows some endian-shuffle plus
    addition with that constant. That's much too little information to say what algorithm it is. Post the whole code of the function, somewhere online, maybe.
    More code!

  5. #5
    s1mmie
    Guest

    Not lookup.c, not RC5, not XTEA ...

    Hi all,
    Thanks for your suggestions. I checked them out.
    - I don't think it is lookup2.c because 1/ I don't see shifts by 24, and 2/ I know it is decoding a file, so I would hardly see the use.
    - RC5: wouldn't I see other constants such as 0xb7e151628aed2a6b?

    Ok, so here's the entire code if it helps, with my comments inside:

    Code:
    ; takes 2 arguments
    ; R0: an argument
    ; R1: a string too - this is the buffer read/written from file to decode
    
    Downsis_CallingDecoding                 ; CODE XREF: Downsis_DoDecode15cd+98
    PUSH    {R3-R7,LR}
    MOVS    R4, R1          ; buffer read/written
    MOVS    R7, R0          ; first argument
    MOVS    R0, R1          ; buffer read written in r0
    BLX     _ZNK6TDesC83PtrEv ; TDesC8::Ptr(void)
    MOVS    R6, R0          ; R6 contains the TDesC8 ptr for buffer read/written
    LDR     R0, [R4]
    LSLS    R5, R0, #4
    LSRS    R5, R5, #4      ; this is like doing: r5 = r0 << 8?
    LSLS    R0, R5, #0x1D   ; R0 = R5 << 0x1d
    BEQ     loc_90D2
    ADDS    R0, R7, #4      ; R7+4
    BLX     _ZNK6TDesC83PtrEv ; TDesC8::Ptr(void)
    ADDS    R1, R6, R5      ; R1 = R6 + R5
    SUBS    R1, #8          ; R1 = R1 - 8
    MOVS    R2, R0
    MOVS    R0, R7          ; pass first argument (stored in r7)
    BL      Downsis_Decoding
    
    loc_90D2                                ; CODE XREF: Downsis_CallingDecoding+16
    MOVS    R4, #0
    B       loc_90EA
    ; ---------------------------------------------------------------------------
    
    loc_90D6                                ; CODE XREF: Downsis_CallingDecoding+48
    ADDS    R0, R7, #4      ; r0 = r7 + 4
    BLX     _ZNK6TDesC83PtrEv ; TDesC8::Ptr(void)
    MOVS    R2, R0
    LSLS    R0, R4, #3      ; r0 = r4 << 3
    ADDS    R1, R0, R6      ; r1 = r0 + r6
    MOVS    R0, R7          ; pass this function's first argument as 1st argument
    ; to Downsis_decoding. This argument is stored in r7
    BL      Downsis_Decoding
    ADDS    R4, R4, #1      ; increment r4 (counter)
    
    loc_90EA                                ; CODE XREF: Downsis_CallingDecoding+2C
    ADDS    R0, R4, #1      ; r0 = r4 + 1
    LSLS    R0, R0, #3      ; r0 = r0 << 3
    CMP     R0, R5          ; compare r0 to r5
    BLE     loc_90D6        ; loop
    
    TheEnd
    POP     {R3-R7,PC}
    ; End of function Downsis_CallingDecoding
    
    
    
    Downsis_Decoding                        ; CODE XREF: Downsis_CallingDecoding+26p
    ; Downsis_CallingDecoding+3C
    
    var_20          = -0x20
    var_1C          = -0x1C
    var_18          = -0x18
    
    PUSH    {R1-R7,LR}
    MOVS    R0, #0
    MOVS    R3, #0
    MOVS    R5, #0x20
    LDRB    R4, [R1]
    LDR     R6, [R2]
    ORRS    R0, R4
    LDRB    R4, [R1,#1]     ; R4 = *(R1 + 1)
    LDR     R7, [R2,#4]
    LSLS    R4, R4, #8
    ORRS    R0, R4
    LDRB    R4, [R1,#2]
    MOV     LR, R6
    LSLS    R4, R4, #0x10
    ORRS    R0, R4
    LDRB    R4, [R1,#3]
    LSLS    R4, R4, #0x18
    ORRS    R0, R4
    LDRB    R4, [R1,#4]
    ORRS    R3, R4
    LDRB    R4, [R1,#5]
    LSLS    R4, R4, #8
    ORRS    R3, R4
    LDRB    R4, [R1,#6]
    LSLS    R4, R4, #0x10
    ORRS    R3, R4
    LDRB    R4, [R1,#7]
    STR     R7, [SP,#0x20+var_18]
    LSLS    R4, R4, #0x18
    LDR     R6, [R2,#8]
    ORRS    R4, R3
    LDR     R3, =0x9E3779B9 ; magic constant used in XTEA for eg
    STR     R6, [SP,#0x20+var_1C]
    LDR     R7, [R2,#0xC]
    LSLS    R2, R3, #5
    MOV     R12, R3
    STR     R7, [SP,#0x20+var_20]
    B       loc_9086
    ; ---------------------------------------------------------------------------
    
    loc_905C                                ; CODE XREF: Downsis_Decoding+78
    LDR     R6, [SP,#0x20+var_1C]
    LSLS    R3, R0, #4
    ADDS    R3, R3, R6
    ADDS    R6, R0, R2
    LDR     R7, [SP,#0x20+var_20]
    EORS    R3, R6
    LSRS    R6, R0, #5
    ADDS    R6, R6, R7
    EORS    R3, R6
    SUBS    R4, R4, R3
    LSLS    R3, R4, #4
    ADDS    R6, R4, R2
    ADD     R3, LR
    LDR     R7, [SP,#0x20+var_18]
    EORS    R3, R6
    LSRS    R6, R4, #5
    ADDS    R6, R6, R7
    EORS    R3, R6
    SUBS    R0, R0, R3
    MOV     R3, R12
    SUBS    R2, R2, R3
    
    loc_9086                                ; CODE XREF: Downsis_Decoding+4A
    SUBS    R5, R5, #1
    BCS     loc_905C
    LSRS    R2, R0, #8
    STRB    R0, [R1]
    STRB    R2, [R1,#1]
    LSRS    R2, R0, #0x10
    LSRS    R0, R0, #0x18
    STRB    R2, [R1,#2]
    STRB    R0, [R1,#3]
    LSRS    R0, R4, #8
    STRB    R4, [R1,#4]
    STRB    R0, [R1,#5]
    LSRS    R0, R4, #0x10
    STRB    R0, [R1,#6]
    LSRS    R0, R4, #0x18
    STRB    R0, [R1,#7]
    POP     {R1-R7,PC}
    ; End of function Downsis_Decoding
    Thanks for your help !
    I promise that I have read the FAQ and tried to use the Search to answer my question.
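
A C transcription of the two routines in the full listing above, added here as an example and not part of the original thread. The round body of `Downsis_Decoding` (32 rounds, sum starting at `0x9E3779B9 << 5`, subtraction of two shift/add/XOR terms keyed by words 2,3 then 0,1) has the same structure as the original TEA decryption routine, which the round trip against textbook TEA encryption checks. The function names, the `len >= 8` guard and the sample values are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>

#define DELTA 0x9E3779B9u            /* constant loaded into R3 / R12 */

/* The LDRB/LSLS/ORRS and LSRS/STRB runs: byte-wise little-endian load/store. */
static uint32_t load_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void store_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Downsis_Decoding: R1 = 8-byte block (in place), R2 = four 32-bit key words. */
void decode_block(uint8_t *blk, const uint32_t k[4]) {
    uint32_t v0 = load_le32(blk), v1 = load_le32(blk + 4);
    uint32_t sum = DELTA << 5;                  /* LSLS R2, R3, #5 */
    for (int i = 0; i < 32; i++) {              /* R5 = 0x20, SUBS / BCS */
        v1 -= ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
        v0 -= ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        sum -= DELTA;                           /* SUBS R2, R2, R3 */
    }
    store_le32(blk, v0);
    store_le32(blk + 4, v1);
}

/* Textbook TEA encryption (not in the listing), used to check the inverse. */
void tea_encrypt_block(uint8_t *blk, const uint32_t k[4]) {
    uint32_t v0 = load_le32(blk), v1 = load_le32(blk + 4), sum = 0;
    for (int i = 0; i < 32; i++) {
        sum += DELTA;
        v0 += ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        v1 += ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
    }
    store_le32(blk, v0);
    store_le32(blk + 4, v1);
}

/* Downsis_CallingDecoding: if len is not a multiple of 8, the last 8 bytes
 * are decoded first; then every whole 8-byte block is decoded in place.
 * The len >= 8 guard is added here; the listing has no such check. */
void decode_buffer(uint8_t *buf, size_t len, const uint32_t k[4]) {
    if (len >= 8 && (len & 7) != 0)
        decode_block(buf + len - 8, k);
    for (size_t i = 0; (i + 1) * 8 <= len; i++)
        decode_block(buf + i * 8, k);
}
```

Each block is processed independently with no chaining, so identical 8-byte ciphertext blocks decode to identical plaintext; the key words come from the descriptor at offset 4 of the first argument.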
