s1mmie
November 18th, 2010, 11:35
In a piece of malware, I found code that makes use of the constant 0x9E3779B9, which is used by the TEA, XTEA and XXTEA algorithms.
But the assembly (ARM) does not really match XTEA.
Would somebody have a clue what this could be?
Thanks!
Code:
PUSH {R1-R7,LR}
MOVS R0, #0
MOVS R3, #0
MOVS R5, #0x20
LDRB R4, [R1]
LDR R6, [R2]
ORRS R0, R4
LDRB R4, [R1,#1] ; R4 = *(R1 + 1)
LDR R7, [R2,#4]
LSLS R4, R4, #8
ORRS R0, R4
LDRB R4, [R1,#2]
MOV LR, R6
LSLS R4, R4, #0x10 ; none of this in XTEA !
ORRS R0, R4
LDRB R4, [R1,#3]
LSLS R4, R4, #0x18
ORRS R0, R4
LDRB R4, [R1,#4]
ORRS R3, R4
LDRB R4, [R1,#5]
LSLS R4, R4, #8
ORRS R3, R4
LDRB R4, [R1,#6]
LSLS R4, R4, #0x10
ORRS R3, R4
LDRB R4, [R1,#7]
STR R7, [SP,#0x20+var_18]
LSLS R4, R4, #0x18
LDR R6, [R2,#8]
ORRS R4, R3
LDR R3, =0x9E3779B9 ; TEA magic constant
STR R6, [SP,#0x20+var_1C]
LDR R7, [R2,#0xC]
LSLS R2, R3, #5
MOV R12, R3
STR R7, [SP,#0x20+var_20]
B loc_9086
...
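For comparison with the listing above, an added reference example (not part of the original post): a plain TEA block routine in C with the features visible in the prologue, namely byte-wise little-endian loads of two 32-bit words, four key words loaded up front, 0x20 rounds, and a starting sum of 0x9E3779B9 << 5, which is the usual initial sum for TEA/XTEA decryption. The loop body is elided in the post, so whether the malware routine is TEA or a variant is not established here; all function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define TEA_DELTA  0x9E3779B9u  /* constant loaded into R3 in the listing */
#define TEA_ROUNDS 0x20         /* value loaded into R5 in the listing */

/* Byte-wise little-endian load: the LDRB / LSLS #8,#0x10,#0x18 / ORRS pattern. */
static uint32_t load_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void store_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
/* Starting sum for decryption: DELTA << 5 == DELTA * 32 mod 2^32 (LSLS R2, R3, #5). */
uint32_t tea_decrypt_initial_sum(void) { return TEA_DELTA << 5; }
void tea_encrypt_block(uint8_t blk[8], const uint32_t k[4]) {
    uint32_t v0 = load_le32(blk), v1 = load_le32(blk + 4), sum = 0;
    for (int i = 0; i < TEA_ROUNDS; i++) {
        sum += TEA_DELTA;
        v0 += ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        v1 += ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
    }
    store_le32(blk, v0); store_le32(blk + 4, v1);
}
void tea_decrypt_block(uint8_t blk[8], const uint32_t k[4]) {
    uint32_t v0 = load_le32(blk), v1 = load_le32(blk + 4);
    uint32_t sum = tea_decrypt_initial_sum();
    for (int i = 0; i < TEA_ROUNDS; i++) {
        v1 -= ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
        v0 -= ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        sum -= TEA_DELTA;
    }
    store_le32(blk, v0); store_le32(blk + 4, v1);
}
/* Round trip over a constructed block and key; 1 when decrypt undoes encrypt. */
int tea_roundtrip_ok(void) {
    const uint32_t key[4] = {0x00112233u, 0x44556677u, 0x8899AABBu, 0xCCDDEEFFu};
    uint8_t blk[8] = {'s', 'a', 'm', 'p', 'l', 'e', '0', '1'}, ref[8];
    int changed = 0, same = 1;
    for (int i = 0; i < 8; i++) ref[i] = blk[i];
    tea_encrypt_block(blk, key);
    for (int i = 0; i < 8; i++) changed |= (blk[i] != ref[i]);
    tea_decrypt_block(blk, key);
    for (int i = 0; i < 8; i++) same &= (blk[i] == ref[i]);
    return changed && same;
}
int main(void) { printf("sum0=%08X ok=%d\n", (unsigned)tea_decrypt_initial_sum(), tea_roundtrip_ok()); return 0; }
```

When comparing against the elided loop, TEA uses all four key words in every round with shifts of 4 and 5, while XTEA selects a key word by indexing with bits of the running sum.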