
Similar to XTEA ?


s1mmie
November 18th, 2010, 11:35
In a piece of malware, I found code that makes use of the constant 0x9E3779B9, which is used by the TEA, XTEA and XXTEA algorithms.

But the assembly (ARM) does not really match XTEA.
Would somebody have a clue what this could be ?

Thanks !

Code:

PUSH {R1-R7,LR}
MOVS R0, #0
MOVS R3, #0
MOVS R5, #0x20
LDRB R4, [R1]
LDR R6, [R2]
ORRS R0, R4
LDRB R4, [R1,#1] ; R4 = *(R1 + 1)
LDR R7, [R2,#4]
LSLS R4, R4, #8
ORRS R0, R4
LDRB R4, [R1,#2]
MOV LR, R6
LSLS R4, R4, #0x10 ; none of this in XTEA !
ORRS R0, R4
LDRB R4, [R1,#3]
LSLS R4, R4, #0x18
ORRS R0, R4
LDRB R4, [R1,#4]
ORRS R3, R4
LDRB R4, [R1,#5]
LSLS R4, R4, #8
ORRS R3, R4
LDRB R4, [R1,#6]
LSLS R4, R4, #0x10
ORRS R3, R4
LDRB R4, [R1,#7]
STR R7, [SP,#0x20+var_18]
LSLS R4, R4, #0x18
LDR R6, [R2,#8]
ORRS R4, R3
LDR R3, =0x9E3779B9 ; TEA magic constant
STR R6, [SP,#0x20+var_1C]
LDR R7, [R2,#0xC]
LSLS R2, R3, #5
MOV R12, R3
STR R7, [SP,#0x20+var_20]
B loc_9086
...

sikke
November 18th, 2010, 14:49
Looks like similar code to

http://burtleburtle.net/bob/c/lookup2.c

which is a hash (for a lookup table construction, not a cryptographic hash)

But I haven't seen the context or the complete code...
(but the shifts etc are similar)

Darren
November 23rd, 2010, 12:45
What about RC5 or RC6 ? That constant is used in those, perhaps other algos ?

sikke
November 23rd, 2010, 16:50
Like I said, the code as posted (a short snippet only) shows some endian-shuffle plus addition with that constant. That's far too little information to say what algorithm it is. Post the whole code of the function, somewhere online, maybe.
More code!

s1mmie
November 26th, 2010, 04:44
Hi all,
Thanks for your suggestions. I checked them out.
- I don't think it is lookup2.c because 1/ I don't see shifts by 24 2/ I know it is decoding a file and would hardly see the use.
- RC5: wouldn't I see other constants such as 0xb7e151628aed2a6b ?

Ok, so here's the entire code if it helps, with my comments inside:

Code:
; takes 2 arguments
; R0: an argument
; R1: a string too - this is the buffer read/written from file to decode

Downsis_CallingDecoding ; CODE XREF: Downsis_DoDecode15cd+98
PUSH {R3-R7,LR}
MOVS R4, R1 ; buffer read/written
MOVS R7, R0 ; first argument
MOVS R0, R1 ; buffer read written in r0
BLX _ZNK6TDesC83PtrEv ; TDesC8::Ptr(void)
MOVS R6, R0 ; R6 contains the TDesC8 ptr for buffer read/written
LDR R0, [R4]
LSLS R5, R0, #4
LSRS R5, R5, #4 ; this is like doing: r5 = r0 << 8?
LSLS R0, R5, #0x1D ; R0 = R5 << 0x1d
BEQ loc_90D2
ADDS R0, R7, #4 ; R7+4
BLX _ZNK6TDesC83PtrEv ; TDesC8::Ptr(void)
ADDS R1, R6, R5 ; R1 = R6 + R5
SUBS R1, #8 ; R1 = R1 - 8
MOVS R2, R0
MOVS R0, R7 ; pass first argument (stored in r7)
BL Downsis_Decoding

loc_90D2 ; CODE XREF: Downsis_CallingDecoding+16
MOVS R4, #0
B loc_90EA
; ---------------------------------------------------------------------------

loc_90D6 ; CODE XREF: Downsis_CallingDecoding+48
ADDS R0, R7, #4 ; r0 = r7 + 4
BLX _ZNK6TDesC83PtrEv ; TDesC8::Ptr(void)
MOVS R2, R0
LSLS R0, R4, #3 ; r0 = r4 << 3
ADDS R1, R0, R6 ; r1 = r0 + r6
MOVS R0, R7 ; pass this function's first argument as 1st argument
; to Downsis_decoding. This argument is stored in r7
BL Downsis_Decoding
ADDS R4, R4, #1 ; increment r4 (counter)

loc_90EA ; CODE XREF: Downsis_CallingDecoding+2C
ADDS R0, R4, #1 ; r0 = r4 + 1
LSLS R0, R0, #3 ; r0 = r0 << 3
CMP R0, R5 ; compare r0 to r5
BLE loc_90D6 ; loop

TheEnd
POP {R3-R7,PC}
; End of function Downsis_CallingDecoding



Downsis_Decoding ; CODE XREF: Downsis_CallingDecoding+26p
; Downsis_CallingDecoding+3C

var_20 = -0x20
var_1C = -0x1C
var_18 = -0x18

PUSH {R1-R7,LR}
MOVS R0, #0
MOVS R3, #0
MOVS R5, #0x20
LDRB R4, [R1]
LDR R6, [R2]
ORRS R0, R4
LDRB R4, [R1,#1] ; R4 = *(R1 + 1)
LDR R7, [R2,#4]
LSLS R4, R4, #8
ORRS R0, R4
LDRB R4, [R1,#2]
MOV LR, R6
LSLS R4, R4, #0x10
ORRS R0, R4
LDRB R4, [R1,#3]
LSLS R4, R4, #0x18
ORRS R0, R4
LDRB R4, [R1,#4]
ORRS R3, R4
LDRB R4, [R1,#5]
LSLS R4, R4, #8
ORRS R3, R4
LDRB R4, [R1,#6]
LSLS R4, R4, #0x10
ORRS R3, R4
LDRB R4, [R1,#7]
STR R7, [SP,#0x20+var_18]
LSLS R4, R4, #0x18
LDR R6, [R2,#8]
ORRS R4, R3
LDR R3, =0x9E3779B9 ; magic constant used in XTEA for eg
STR R6, [SP,#0x20+var_1C]
LDR R7, [R2,#0xC]
LSLS R2, R3, #5
MOV R12, R3
STR R7, [SP,#0x20+var_20]
B loc_9086
; ---------------------------------------------------------------------------

loc_905C ; CODE XREF: Downsis_Decoding+78
LDR R6, [SP,#0x20+var_1C]
LSLS R3, R0, #4
ADDS R3, R3, R6
ADDS R6, R0, R2
LDR R7, [SP,#0x20+var_20]
EORS R3, R6
LSRS R6, R0, #5
ADDS R6, R6, R7
EORS R3, R6
SUBS R4, R4, R3
LSLS R3, R4, #4
ADDS R6, R4, R2
ADD R3, LR
LDR R7, [SP,#0x20+var_18]
EORS R3, R6
LSRS R6, R4, #5
ADDS R6, R6, R7
EORS R3, R6
SUBS R0, R0, R3
MOV R3, R12
SUBS R2, R2, R3

loc_9086 ; CODE XREF: Downsis_Decoding+4A
SUBS R5, R5, #1
BCS loc_905C
LSRS R2, R0, #8
STRB R0, [R1]
STRB R2, [R1,#1]
LSRS R2, R0, #0x10
LSRS R0, R0, #0x18
STRB R2, [R1,#2]
STRB R0, [R1,#3]
LSRS R0, R4, #8
STRB R4, [R1,#4]
STRB R0, [R1,#5]
LSRS R0, R4, #0x10
STRB R0, [R1,#6]
LSRS R0, R4, #0x18
STRB R0, [R1,#7]
POP {R1-R7,PC}
; End of function Downsis_Decoding


Thanks for your help !