
Similar to XTEA?

Posted: Thu Nov 18, 2010 11:35 am
by s1mmie
In a malware sample, I found code that makes use of the constant 0x9E3779B9, which is used by the TEA, XTEA and XXTEA algorithms.

But the assembly (ARM) does not really match XTEA.
Would somebody have a clue what this could be?

Thanks!


PUSH    {R1-R7,LR}
MOVS    R0, #0
MOVS    R3, #0
MOVS    R5, #0x20
LDRB    R4, [R1]
LDR     R6, [R2]
ORRS    R0, R4
LDRB    R4, [R1,#1]     ; R4 = *(R1 + 1)
LDR     R7, [R2,#4]
LSLS    R4, R4, #8
ORRS    R0, R4
LDRB    R4, [R1,#2]
MOV     LR, R6
LSLS    R4, R4, #0x10 ; none of this in XTEA !
ORRS    R0, R4
LDRB    R4, [R1,#3]
LSLS    R4, R4, #0x18
ORRS    R0, R4
LDRB    R4, [R1,#4]
ORRS    R3, R4
LDRB    R4, [R1,#5]
LSLS    R4, R4, #8
ORRS    R3, R4
LDRB    R4, [R1,#6]
LSLS    R4, R4, #0x10
ORRS    R3, R4
LDRB    R4, [R1,#7]
STR     R7, [SP,#0x20+var_18]
LSLS    R4, R4, #0x18
LDR     R6, [R2,#8]
ORRS    R4, R3
LDR     R3, =0x9E3779B9 ; TEA magic constant
STR     R6, [SP,#0x20+var_1C]
LDR     R7, [R2,#0xC]
LSLS    R2, R3, #5
MOV     R12, R3
STR     R7, [SP,#0x20+var_20]
B       loc_9086
...

Posted: Thu Nov 18, 2010 2:49 pm
by sikke
Looks like code similar to

http://burtleburtle.net/bob/c/lookup2.c

which is a hash (for lookup table construction, not a cryptographic hash).

But I haven't seen the context or the complete code...
(the shifts etc. are similar)

Posted: Tue Nov 23, 2010 12:45 pm
by Darren
What about RC5 or RC6? That constant is used in those, perhaps in other algorithms too?

Posted: Tue Nov 23, 2010 4:50 pm
by sikke
Like I said, the code as posted (a short snippet only) shows some endian shuffling plus
addition with that constant. That is too little information to say what algorithm it is. Post the whole code of the function somewhere online, maybe.
More code!

Not lookup.c, not RC5, not XTEA ...

Posted: Fri Nov 26, 2010 4:44 am
by s1mmie
Hi all,
Thanks for your suggestions. I checked them.
- I don't think it is lookup2.c because (1) I don't see shifts by 24 and (2) I know it is decoding a file and would hardly see the use.
- RC5: wouldn't I see other constants such as 0xb7e151628aed2a6b?

Ok, so here's the entire code if it helps, with my comments inside:


; takes 2 arguments
; R0: an argument
; R1: a string too - this is the buffer read/written from file to decode

Downsis_CallingDecoding                 ; CODE XREF: Downsis_DoDecode15cd+98
PUSH    {R3-R7,LR}
MOVS    R4, R1          ; buffer read/written
MOVS    R7, R0          ; first argument
MOVS    R0, R1          ; buffer read written in r0
BLX     _ZNK6TDesC83PtrEv ; TDesC8::Ptr(void)
MOVS    R6, R0          ; R6 contains the TDesC8 ptr for buffer read/written
LDR     R0, [R4]        ; first word of the descriptor header (type in the top 4 bits, length below)
LSLS    R5, R0, #4      ; shift out the top 4 bits (descriptor type)
LSRS    R5, R5, #4      ; this is like doing: r5 = r0 << 8?
LSLS    R0, R5, #0x1D   ; R0 = R5 << 0x1d
BEQ     loc_90D2        ; low 3 bits of R5 all zero: length is a multiple of 8, skip the trailing block
ADDS    R0, R7, #4      ; R7+4
BLX     _ZNK6TDesC83PtrEv ; TDesC8::Ptr(void) ; descriptor at offset 4 of the first argument: the key
ADDS    R1, R6, R5      ; R1 = R6 + R5
SUBS    R1, #8          ; R1 = R1 - 8 (last 8 bytes of the buffer; no check that R5 >= 8)
MOVS    R2, R0          ; R2 = key pointer
MOVS    R0, R7          ; pass first argument (stored in r7)
BL      Downsis_Decoding ; decode the trailing block first; it overlaps the last full block

loc_90D2                                ; CODE XREF: Downsis_CallingDecoding+16
MOVS    R4, #0          ; block index
B       loc_90EA
; ---------------------------------------------------------------------------

loc_90D6                                ; CODE XREF: Downsis_CallingDecoding+48
ADDS    R0, R7, #4      ; r0 = r7 + 4
BLX     _ZNK6TDesC83PtrEv ; TDesC8::Ptr(void)
MOVS    R2, R0          ; R2 = key pointer
LSLS    R0, R4, #3      ; r0 = r4 << 3
ADDS    R1, R0, R6      ; r1 = r0 + r6 (block number R4 of the buffer)
MOVS    R0, R7          ; pass this function's first argument as 1st argument
; to Downsis_decoding. This argument is stored in r7
BL      Downsis_Decoding
ADDS    R4, R4, #1      ; increment r4 (counter)

loc_90EA                                ; CODE XREF: Downsis_CallingDecoding+2C
ADDS    R0, R4, #1      ; r0 = r4 + 1
LSLS    R0, R0, #3      ; r0 = r0 << 3
CMP     R0, R5          ; compare r0 to r5
BLE     loc_90D6        ; loop while (R4 + 1) * 8 <= length: every full 8-byte block

TheEnd
POP     {R3-R7,PC}
; End of function Downsis_CallingDecoding
; End of function Downsis_CallingDecoding



Downsis_Decoding                        ; CODE XREF: Downsis_CallingDecoding+26p
; Downsis_CallingDecoding+3C
; R1: 8-byte block, decoded in place; R2: 16-byte key (4 words); both little-endian

var_20          = -0x20
var_1C          = -0x1C
var_18          = -0x18

PUSH    {R1-R7,LR}
MOVS    R0, #0          ; R0 = v0 (first word of the block)
MOVS    R3, #0          ; R3 = v1 (second word), moved into R4 below
MOVS    R5, #0x20       ; 32 rounds
LDRB    R4, [R1]
LDR     R6, [R2]        ; key[0]
ORRS    R0, R4
LDRB    R4, [R1,#1]     ; R4 = *(R1 + 1)
LDR     R7, [R2,#4]     ; key[1]
LSLS    R4, R4, #8
ORRS    R0, R4
LDRB    R4, [R1,#2]
MOV     LR, R6          ; LR = key[0]
LSLS    R4, R4, #0x10
ORRS    R0, R4
LDRB    R4, [R1,#3]
LSLS    R4, R4, #0x18
ORRS    R0, R4          ; v0 = little-endian word from bytes 0..3
LDRB    R4, [R1,#4]
ORRS    R3, R4
LDRB    R4, [R1,#5]
LSLS    R4, R4, #8
ORRS    R3, R4
LDRB    R4, [R1,#6]
LSLS    R4, R4, #0x10
ORRS    R3, R4
LDRB    R4, [R1,#7]
STR     R7, [SP,#0x20+var_18] ; var_18 = key[1]
LSLS    R4, R4, #0x18
LDR     R6, [R2,#8]     ; key[2]
ORRS    R4, R3          ; v1 = little-endian word from bytes 4..7
LDR     R3, =0x9E3779B9 ; magic constant used in XTEA for eg
STR     R6, [SP,#0x20+var_1C] ; var_1C = key[2]
LDR     R7, [R2,#0xC]   ; key[3]
LSLS    R2, R3, #5      ; sum = delta * 32 = 0xC6EF3720
MOV     R12, R3         ; R12 = delta
STR     R7, [SP,#0x20+var_20] ; var_20 = key[3]
B       loc_9086
; ---------------------------------------------------------------------------

loc_905C                                ; CODE XREF: Downsis_Decoding+78
                                        ; one TEA decryption round
LDR     R6, [SP,#0x20+var_1C]   ; key[2]
LSLS    R3, R0, #4
ADDS    R3, R3, R6              ; R3 = (v0 << 4) + key[2]
ADDS    R6, R0, R2              ; R6 = v0 + sum
LDR     R7, [SP,#0x20+var_20]   ; key[3]
EORS    R3, R6
LSRS    R6, R0, #5
ADDS    R6, R6, R7              ; R6 = (v0 >> 5) + key[3]
EORS    R3, R6
SUBS    R4, R4, R3              ; v1 -= ((v0<<4)+key[2]) ^ (v0+sum) ^ ((v0>>5)+key[3])
LSLS    R3, R4, #4
ADDS    R6, R4, R2              ; R6 = v1 + sum
ADD     R3, LR                  ; R3 = (v1 << 4) + key[0]
LDR     R7, [SP,#0x20+var_18]   ; key[1]
EORS    R3, R6
LSRS    R6, R4, #5
ADDS    R6, R6, R7              ; R6 = (v1 >> 5) + key[1]
EORS    R3, R6
SUBS    R0, R0, R3              ; v0 -= ((v1<<4)+key[0]) ^ (v1+sum) ^ ((v1>>5)+key[1])
MOV     R3, R12
SUBS    R2, R2, R3              ; sum -= delta

loc_9086                                ; CODE XREF: Downsis_Decoding+4A
SUBS    R5, R5, #1
BCS     loc_905C                ; carry clears once the counter wraps: 32 iterations
LSRS    R2, R0, #8
STRB    R0, [R1]                ; store v0 little-endian into bytes 0..3
STRB    R2, [R1,#1]
LSRS    R2, R0, #0x10
LSRS    R0, R0, #0x18
STRB    R2, [R1,#2]
STRB    R0, [R1,#3]
LSRS    R0, R4, #8
STRB    R4, [R1,#4]             ; store v1 little-endian into bytes 4..7
STRB    R0, [R1,#5]
LSRS    R0, R4, #0x10
STRB    R0, [R1,#6]
LSRS    R0, R4, #0x18
STRB    R0, [R1,#7]
POP     {R1-R7,PC}
; End of function Downsis_Decoding

Thanks for your help!
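Editor's added example, not code from the thread or from the Downsis sample: the two disassembled routines reconstructed in C. The inner loop of Downsis_Decoding is the decryption round of the original TEA (Wheeler and Needham), not of XTEA: each round computes v1 -= ((v0<<4)+k2) ^ (v0+sum) ^ ((v0>>5)+k3), then v0 -= ((v1<<4)+k0) ^ (v1+sum) ^ ((v1>>5)+k1), then sum -= delta, with sum starting at delta<<5 = 0xC6EF3720 and 32 rounds. XTEA instead adds sum to a key word selected by sum (sum + key[sum & 3], and sum + key[(sum>>11) & 3]) and never adds the key words to the shifted halves, which is why the listing does not match it. Downsis_CallingDecoding uses the descriptor at offset 4 of its first argument as the key, decodes the trailing 8 bytes first when the length is not a multiple of 8, then every full block from offset 0. The function names, the TEA encryption routine and buffer encoder used for the round trip, the key bytes and the 13-byte buffer are my own constructions and assumptions, not material from the sample.

```c
#include <stdint.h>
#include <string.h>

#define TEA_DELTA  0x9E3779B9u   /* the constant the thread asks about */
#define TEA_ROUNDS 32u           /* MOVS R5, #0x20 */

/* LDRB / LSLS / ORRS sequence in the disassembly: little-endian word from 4 bytes */
static uint32_t load_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* LSRS / STRB sequence after the loop: word back to 4 little-endian bytes */
static void store_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Downsis_Decoding: TEA decryption of one 8-byte block under a 16-byte key.
 * k0..k3 are the words the disassembly keeps in LR, var_18, var_1C and var_20. */
void downsis_decode_block(uint8_t block[8], const uint8_t key[16])
{
    uint32_t v0 = load_le32(block),   v1 = load_le32(block + 4);
    uint32_t k0 = load_le32(key),     k1 = load_le32(key + 4);
    uint32_t k2 = load_le32(key + 8), k3 = load_le32(key + 12);
    uint32_t sum = TEA_DELTA << 5;    /* LSLS R2, R3, #5 : 32 * delta = 0xC6EF3720 */
    for (unsigned i = 0; i < TEA_ROUNDS; i++) {
        v1 -= ((v0 << 4) + k2) ^ (v0 + sum) ^ ((v0 >> 5) + k3);
        v0 -= ((v1 << 4) + k0) ^ (v1 + sum) ^ ((v1 >> 5) + k1);
        sum -= TEA_DELTA;             /* SUBS R2, R2, R3 with R3 = R12 = delta */
    }
    store_le32(block, v0);
    store_le32(block + 4, v1);
}

/* TEA encryption, the inverse of the routine above. Not in the sample; added
 * so the decoder can be checked by a round trip. */
void tea_encrypt_block(uint8_t block[8], const uint8_t key[16])
{
    uint32_t v0 = load_le32(block),   v1 = load_le32(block + 4);
    uint32_t k0 = load_le32(key),     k1 = load_le32(key + 4);
    uint32_t k2 = load_le32(key + 8), k3 = load_le32(key + 12);
    uint32_t sum = 0;
    for (unsigned i = 0; i < TEA_ROUNDS; i++) {
        sum += TEA_DELTA;
        v0 += ((v1 << 4) + k0) ^ (v1 + sum) ^ ((v1 >> 5) + k1);
        v1 += ((v0 << 4) + k2) ^ (v0 + sum) ^ ((v0 >> 5) + k3);
    }
    store_le32(block, v0);
    store_le32(block + 4, v1);
}

/* Downsis_CallingDecoding: len is the descriptor length (header word with its
 * top 4 type bits cleared). Trailing 8 bytes first when len % 8 != 0 (they
 * overlap the last full block), then every full block from offset 0. Returns
 * the number of block decryptions. The disassembly has no check for
 * 0 < len < 8 (R1 would point before the buffer); this version returns -1. */
int downsis_decode_buffer(uint8_t *buf, size_t len, const uint8_t key[16])
{
    int calls = 0;
    if (len < 8) return len == 0 ? 0 : -1;
    if (len % 8 != 0) { downsis_decode_block(buf + len - 8, key); calls++; } /* LSLS R0,R5,#0x1D ; BEQ */
    for (size_t i = 0; (i + 1) * 8 <= len; i++, calls++)                    /* CMP R0,R5 ; BLE */
        downsis_decode_block(buf + i * 8, key);
    return calls;
}

/* Inverse of downsis_decode_buffer (added for the test): full blocks first,
 * the trailing block last, so the decoder's order undoes it exactly. */
int downsis_encode_buffer(uint8_t *buf, size_t len, const uint8_t key[16])
{
    int calls = 0;
    if (len < 8) return len == 0 ? 0 : -1;
    for (size_t i = 0; (i + 1) * 8 <= len; i++, calls++)
        tea_encrypt_block(buf + i * 8, key);
    if (len % 8 != 0) { tea_encrypt_block(buf + len - 8, key); calls++; }
    return calls;
}

/* Round trip over a constructed key and a constructed 13-byte buffer (not data
 * from the sample). Returns 1 on success, 0 on any mismatch. */
int downsis_selftest(void)
{
    static const uint8_t key[16] = { 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,
                                     0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10 };
    const uint8_t plain[13] = "Downsis test";     /* 12 chars + NUL: not a multiple of 8 */
    uint8_t work[13];
    memcpy(work, plain, sizeof work);
    if (downsis_encode_buffer(work, sizeof work, key) != 2) return 0; /* 1 full + trailing */
    if (memcmp(work, plain, sizeof work) == 0) return 0;              /* must have changed */
    if (downsis_decode_buffer(work, sizeof work, key) != 2) return 0;
    if (memcmp(work, plain, sizeof work) != 0) return 0;              /* round trip */
    if (downsis_decode_buffer(work, 5, key) != -1) return 0;          /* short buffer refused */
    return downsis_decode_buffer(work, 0, key) == 0;                  /* empty buffer: no-op */
}

int main(void) { return downsis_selftest() ? 0 : 1; }
```

To recover plaintext from a real buffer, call downsis_decode_buffer with the key bytes taken from the descriptor at offset 4 of the object passed in R0. Note the overlap: for a 13-byte buffer the bytes 5..7 are covered by both the trailing block and block 0, so the file format must have been produced by encrypting block 0 first and the trailing 8 bytes second, as downsis_encode_buffer does; any other order would not round-trip.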