[求助]爆破XTEA的KEY-密码应用-看雪-安全社区|安全招聘|kanxue.com

最新回复 (17)
rockinuk 雪币： 2096 活跃值： (100) 能力值： (RANK：420 ) 在线值：发帖 613 回帖 1939 粉丝 7 关注私信	rockinuk 8 2 楼 xtea.c /* LibTomCrypt, modular cryptographic library -- Tom St Denis * * LibTomCrypt is a library that provides various cryptographic * algorithms in a highly modular and flexible manner. * * The library is free for all purposes without any express * guarantee it works. * * Tom St Denis, tomstdenis@iahu.ca, http://libtomcrypt.org / #include "mycrypt.h" #ifdef XTEA const struct _cipher_descriptor xtea_desc = { "xtea", 1, 16, 16, 8, 32, &xtea_setup, &xtea_ecb_encrypt, &xtea_ecb_decrypt, &xtea_test, &xtea_keysize }; int xtea_setup(const unsigned char key, int keylen, int num_rounds, symmetric_key skey) { unsigned long x, sum, K[4]; _ARGCHK(key != NULL); _ARGCHK(skey != NULL); / check arguments / if (keylen != 16) { return CRYPT_INVALID_KEYSIZE; } if (num_rounds != 0 && num_rounds != 32) { return CRYPT_INVALID_ROUNDS; } / load key / LOAD32L(K[0], key+0); LOAD32L(K[1], key+4); LOAD32L(K[2], key+8); LOAD32L(K[3], key+12); for (x = sum = 0; x < 32; x++) { skey->xtea.A[x] = (sum + K[sum&3]) & 0xFFFFFFFFUL; sum = (sum + 0x9E3779B9UL) & 0xFFFFFFFFUL; skey->xtea.B[x] = (sum + K[(sum>>11)&3]) & 0xFFFFFFFFUL; } #ifdef CLEAN_STACK zeromem(&K, sizeof(K)); #endif return CRYPT_OK; } void xtea_ecb_encrypt(const unsigned char pt, unsigned char ct, symmetric_key key) { unsigned long y, z; int r; _ARGCHK(pt != NULL); _ARGCHK(ct != NULL); _ARGCHK(key != NULL); LOAD32L(y, &pt[0]); LOAD32L(z, &pt[4]); for (r = 0; r < 32; r += 4) { y = (y + ((((z<<4)^(z>>5)) + z) ^ key->xtea.A[r])) & 0xFFFFFFFFUL; z = (z + ((((y<<4)^(y>>5)) + y) ^ key->xtea.B[r])) & 0xFFFFFFFFUL; y = (y + ((((z<<4)^(z>>5)) + z) ^ key->xtea.A[r+1])) & 0xFFFFFFFFUL; z = (z + ((((y<<4)^(y>>5)) + y) ^ key->xtea.B[r+1])) & 0xFFFFFFFFUL; y = (y + ((((z<<4)^(z>>5)) + z) ^ key->xtea.A[r+2])) & 0xFFFFFFFFUL; z = (z + ((((y<<4)^(y>>5)) + y) ^ key->xtea.B[r+2])) & 0xFFFFFFFFUL; y = (y + ((((z<<4)^(z>>5)) + z) ^ key->xtea.A[r+3])) & 0xFFFFFFFFUL; z = (z + ((((y<<4)^(y>>5)) + y) ^ key->xtea.B[r+3])) & 0xFFFFFFFFUL; } STORE32L(y, &ct[0]); STORE32L(z, &ct[4]); } void xtea_ecb_decrypt(const unsigned char ct, unsigned char pt, symmetric_key key) { unsigned long y, z; int r; _ARGCHK(pt != NULL); _ARGCHK(ct != NULL); _ARGCHK(key != NULL); LOAD32L(y, &ct[0]); LOAD32L(z, &ct[4]); for (r = 31; r >= 0; r -= 4) { z = (z - ((((y<<4)^(y>>5)) + y) ^ key->xtea.B[r])) & 0xFFFFFFFFUL; y = (y - ((((z<<4)^(z>>5)) + z) ^ key->xtea.A[r])) & 0xFFFFFFFFUL; z = (z - ((((y<<4)^(y>>5)) + y) ^ key->xtea.B[r-1])) & 0xFFFFFFFFUL; y = (y - ((((z<<4)^(z>>5)) + z) ^ key->xtea.A[r-1])) & 0xFFFFFFFFUL; z = (z - ((((y<<4)^(y>>5)) + y) ^ key->xtea.B[r-2])) & 0xFFFFFFFFUL; y = (y - ((((z<<4)^(z>>5)) + z) ^ key->xtea.A[r-2])) & 0xFFFFFFFFUL; z = (z - ((((y<<4)^(y>>5)) + y) ^ key->xtea.B[r-3])) & 0xFFFFFFFFUL; y = (y - ((((z<<4)^(z>>5)) + z) ^ key->xtea.A[r-3])) & 0xFFFFFFFFUL; } STORE32L(y, &pt[0]); STORE32L(z, &pt[4]); } int xtea_test(void) { #ifndef LTC_TEST return CRYPT_NOP; #else static const unsigned char key[16] = { 0x78, 0x56, 0x34, 0x12, 0xf0, 0xcd, 0xcb, 0x9a, 0x48, 0x37, 0x26, 0x15, 0xc0, 0xbf, 0xae, 0x9d }; static const unsigned char pt[8] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08 }; static const unsigned char ct[8] = { 0x75, 0xd7, 0xc5, 0xbf, 0xcf, 0x58, 0xc9, 0x3f }; unsigned char tmp[2][8]; symmetric_key skey; int err, y; if ((err = xtea_setup(key, 16, 0, &skey)) != CRYPT_OK) { return err; } xtea_ecb_encrypt(pt, tmp[0], &skey); xtea_ecb_decrypt(tmp[0], tmp[1], &skey); if (memcmp(tmp[0], ct, 8) != 0 \|\| memcmp(tmp[1], pt, 8) != 0) { return CRYPT_FAIL_TESTVECTOR; } / now see if we can encrypt all zero bytes 1000 times, decrypt and come back where we started / for (y = 0; y < 8; y++) tmp[0][y] = 0; for (y = 0; y < 1000; y++) xtea_ecb_encrypt(tmp[0], tmp[0], &skey); for (y = 0; y < 1000; y++) xtea_ecb_decrypt(tmp[0], tmp[0], &skey); for (y = 0; y < 8; y++) if (tmp[0][y] != 0) return CRYPT_FAIL_TESTVECTOR; return CRYPT_OK; #endif } int xtea_keysize(int desired_keysize) { _ARGCHK(desired_keysize != NULL); if (desired_keysize < 16) { return CRYPT_INVALID_KEYSIZE; } desired_keysize = 16; return CRYPT_OK; } #endif Source from http://www.koders.com/c/fid97A9E9DC3E5AC3A084FEC06203AF3B58F4909658.aspx?s=rsa 2010-1-25 19:26 0
rockinuk 雪币： 2096 活跃值： (100) 能力值： (RANK：420 ) 在线值：发帖 613 回帖 1939 粉丝 7 关注私信	rockinuk 8 3 楼 ANSI C void encipher(unsigned long const v,unsigned long const w, const unsigned long const k) { register unsigned long y=v[0],z=v[1],sum=0,delta=0x9E3779B9, a=k[0],b=k[1],c=k[2],d=k[3],n=32; while(n-->0) { sum += delta; y += (z << 4)+a ^ z+sum ^ (z >> 5)+b; z += (y << 4)+c ^ y+sum ^ (y >> 5)+d; } w[0]=y; w[1]=z; } void decipher(unsigned long const v,unsigned long const w, const unsigned long const k) { register unsigned long y=v[0],z=v[1],sum=0xC6EF3720, delta=0x9E3779B9,a=k[0],b=k[1], c=k[2],d=k[3],n=32; /* sum = delta<<5, in general sum = delta * n */ while(n-->0) { z -= (y << 4)+c ^ y+sum ^ (y >> 5)+d; y -= (z << 4)+a ^ z+sum ^ (z >> 5)+b; sum -= delta; } w[0]=y; w[1]=z; } 2010-1-25 19:33 0
rockinuk 雪币： 2096 活跃值： (100) 能力值： (RANK：420 ) 在线值：发帖 613 回帖 1939 粉丝 7 关注私信	rockinuk 8 4 楼 Motorola PowerPC (Metrowerks CodeWarrior Style) asm void encipher(register const unsigned long * const v, register unsigned long * const w, register const unsigned long * const k) { // On entry, v = r3, w = r4, k = r5 // use r3 and r5 as scratch // r0 = v[0] // r6 = v[1] // r7 - r10 = k[0] - k[3] // r11 = sum // r12 = delta li r11,0 // sum = 0 li r12,0x79B9 // delta =0x9E3779B9 addis r12,r12,0x9E37 li r0,16 // loop counter into count register mtctr r0 lwz r0,0(r3) // put the contents of v and k into the registers lwz r6,4(r3) lwz r7,0(r5) lwz r8,4(r5) lwz r9,8(r5) lwz r10,12(r5) loop: add r11,r11,r12 // sum += delta slwi r5,r6,4 // z << 4 add r5,r5,r7 // (z << 4) + a add r3,r6,r11 // z + sum xor r3,r5,r3 // ((z << 4) + a) ^ (z + sum) srwi r5,r6,5 // z >> 5 add r5,r5,r8 // (z >> 5) + b xor r3,r5,r3 // ((z << 4)+a)^(z+sum)^((z >> 5)+b); add r0,r0,r3 // y += result slwi r5,r0,4 // y << 4 add r5,r5,r9 // (y << 4) +c add r3,r0,r11 // y + sum xor r3,r5,r3 // ((y << 4) +c) ^ (y + sum) srwi r5,r0,5 // y >> 5 add r5,r5,r10 // (y >> 5) + d xor r3,r5,r3 // ((y << 4)+c)^(y+sum)^((y >> 5)+d); add r6,r6,r3 // z += result bdnz+ loop // decrement CTR and branch stw r0,0(r4) // store result back in w stw r6,4(r4) blr } asm void decipher(register const unsigned long * const v, register unsigned long * const w, register const unsigned long * const k) { // On entry, v = r3, w = r4, k = r5 // use r3 and r5 as scratch // r0 = v[0] // r6 = v[1] // r7 - r10 = k[0] - k[3] // r11 = sum // r12 = delta li r11,0x9B90; // sum =0xE3779B90 addis r11,r11,0xE378; li r12,0x79B9 // delta =0x9E3779B9 addis r12,r12,0x9E37 li r0,16 // loop counter into count register mtctr r0 lwz r0,0(r3) // put the contents of v and k into the registers lwz r6,4(r3) lwz r7,0(r5) lwz r8,4(r5) lwz r9,8(r5) lwz r10,12(r5) loop: slwi r5,r0,4 // y << 4 add r5,r5,r9 // (y << 4) + c add r3,r0,r11 // y + sum xor r3,r5,r3 // ((y << 4) + c) ^ (y + sum) srwi r5,r0,5 // y >> 5 add r5,r5,r10 // (y >> 5) + d xor r3,r5,r3 // ((y << 4)+c)^(y+sum)^((y >> 5)+d) sub r6,r6,r3 // z -= result slwi r5,r6,4 // z << 4 add r5,r5,r7 // (z << 4) + a add r3,r6,r11 // z + sum xor r3,r5,r3 // ((z << 4) + a) ^ (z + sum) srwi r5,r6,5 // z >> 5 add r5,r5,r8 // (z >> 5) + b xor r3,r5,r3 // ((z << 4)+a)^(z+sum)^((z >> 5)+b); sub r0,r0,r3 // y -= result sub r11,r11,r12 // sum -= delta bdnz+ loop // decrement CTR and branch stw r0,0(r4) // store result back in w stw r6,4(r4) blr } 2010-1-25 19:33 0
rockinuk 雪币： 2096 活跃值： (100) 能力值： (RANK：420 ) 在线值：发帖 613 回帖 1939 粉丝 7 关注私信	rockinuk 8 5 楼 Motorola 680x0 (Metrowerks CodeWarrior style) asm void encipher(const unsigned long* const v,unsigned long* const w, const unsigned long* const k) { fralloc movem.l d3-d7/a2,-(a7) /* load initial registers d0: y = v[0] d1: z = v[1] d2: a = k[0] d3: b = k[1] d4: c = k[2] d5: loop counter (k[3] in a2) d6: scratch register 1 d7: scratch register 2 a0: sum a1: delta = 0x9E3779B9; a2: d = k[3] / move.l v,a0 move.l (a0),d0 move.l 4(a0),d1 move.l k,a0 move.l (a0),d2 move.l 4(a0),d3 move.l 8(a0),d4 move.l 12(a0),a2 move.l #0x9E3779B9,a0 move.l #0x9E3779B9,a1 moveq.l #15,d5 // sixteen rounds // d6 = (z<<4)+a loop: move.l d1,d6 lsl.l #4,d6 add.l d2,d6 // d7 = z+sum move.l d1,d7 add.l a0,d7 // d7 = ((z<<4)+a)^(z+sum) eor.l d6,d7 // d6 = (z>>5)+b move.l d1,d6 lsr.l #5,d6 add.l d3,d6 // d7 = ((z<<4)+a)^(z+sum)^((z>>5)+b) eor.l d6,d7 // add back into y add.l d7,d0 // d6 = (y<<4)+c move.l d0,d6 lsl.l #4,d6 add.l d4,d6 // d7 = y+sum move.l d0,d7 add.l a0,d7 // d7 = ((y<<4)+c)^(y+sum) eor.l d6,d7 // d6 = (y>>5)+d move.l d0,d6 lsr.l #5,d6 add.l a2,d6 // d7 = ((y<<4)+c)^(y+sum)^((y>>5)+d) eor.l d6,d7 // add back into z add.l d7,d1 // sum+=delta adda.l a1,a0 // branch back and do it again dbra d5,loop // place the result back into w move.l w,a0 move.l d0,(a0) move.l d1,4(a0) movem.l (a7)+,d3-d7/a2 frfree rts } asm void decipher(const unsigned long const v,unsigned long const w, const unsigned long const k) { fralloc movem.l d3-d7/a2,-(a7) /* load initial registers d0: y = v[0] d1: z = v[1] d2: a = k[0] d3: b = k[1] d4: c = k[2] d5: loop counter (k[3] in a2) d6: scratch register 1 d7: scratch register 2 a0: sum = 0xE3779B90 (delta * 16) a1: delta = 0x9E3779B9; a2: d = k[3] */ move.l v,a0 move.l (a0),d0 move.l 4(a0),d1 move.l k,a0 move.l (a0),d2 move.l 4(a0),d3 move.l 8(a0),d4 move.l 12(a0),a2 move.l #0xE3779B90,a0 move.l #0x9E3779B9,a1 moveq.l #15,d5 // sixteen rounds // d6 = (y<<4)+c loop: move.l d0,d6 lsl.l #4,d6 add.l d4,d6 // d7 = y+sum move.l d0,d7 add.l a0,d7 // d7 = ((y<<4)+c)^(y+sum) eor.l d6,d7 // d6 = (y>>5)+d move.l d0,d6 lsr.l #5,d6 add.l a2,d6 // d7 = ((y<<4)+c)^(y+sum)^((y>>5)+d) eor.l d6,d7 // subtract from z sub.l d7,d1 // d6 = (z<<4)+a move.l d1,d6 lsl.l #4,d6 add.l d2,d6 // d7 = z+sum move.l d1,d7 add.l a0,d7 // d7 = ((z<<4)+a)^(z+sum) eor.l d6,d7 // d6 = (z>>5)+b move.l d1,d6 lsr.l #5,d6 add.l d3,d6 // d7 = ((z<<4)+a)^(z+sum)^((z>>5)+b) eor.l d6,d7 // subtract from y sub.l d7,d0 // sum-=delta suba.l a1,a0 // branch back and do it again dbra d5,loop // place the result back into w move.l w,a0 move.l d0,(a0) move.l d1,4(a0) movem.l (a7)+,d3-d7/a2 frfree rts } 2010-1-25 19:34 0
rockinuk 雪币： 2096 活跃值： (100) 能力值： (RANK：420 ) 在线值：发帖 613 回帖 1939 粉丝 7 关注私信	rockinuk 8 6 楼 ANSI C (New Variant) void encipher(const unsigned long const v,unsigned long const w, const unsigned long * const k) { register unsigned long y=v[0],z=v[1],sum=0,delta=0x9E3779B9,n=32; while(n-->0) { y += (z << 4 ^ z >> 5) + z ^ sum + k[sum&3]; sum += delta; z += (y << 4 ^ y >> 5) + y ^ sum + k[sum>>11 & 3]; } w[0]=y; w[1]=z; } void decipher(const unsigned long const v,unsigned long const w, const unsigned long * const k) { register unsigned long y=v[0],z=v[1],sum=0xC6EF3720, delta=0x9E3779B9,n=32; /* sum = delta<<5, in general sum = delta * n */ while(n-->0) { z -= (y << 4 ^ y >> 5) + y ^ sum + k[sum>>11 & 3]; sum -= delta; y -= (z << 4 ^ z >> 5) + z ^ sum + k[sum&3]; } w[0]=y; w[1]=z; } 2010-1-25 19:34 0
rockinuk 雪币： 2096 活跃值： (100) 能力值： (RANK：420 ) 在线值：发帖 613 回帖 1939 粉丝 7 关注私信	rockinuk 8 7 楼 16-bit x86 (New Variant) ;; ;; An implementation of the XTEA algorithm in 16-bit 80x86 assembly ;; language. This should work on any processor in the 80x86 family ;; but works best with the 16-bit members of the family (80x86 for ;; x <= 2). This assembly language is suitable for use with linux-86 ;; and the as86 assembler, but should be fairly trivial to convert ;; so it will assemble with some other assembler easily. It has been ;; tested with 16-bit objects for Linux-8086 (ELKS), and should work ;; under DOS with the tiny and small memory models. To make it ;; work with the large and huge memory models, it will probably be ;; necessary to reset the parameters (bp+4 becomes bp+6 and so on), ;; and segment loads may need to be done as well (les and lds). ;; ;; Wasn't so easy to write because the number of registers available ;; on the 80x86 is kinda small...and they're 16-bit registers too! ;; ;; Placed in the Public Domain by Rafael R. Sevilla ;; ;; .text export _xtea_encipher_asm _xtea_encipher_asm: push bp mov bp,sp sub sp,#14 ; space for y, z, sum, and n push si push di ;; bp+8 = pointer to key information ;; bp+6 = pointer to ciphertext to return to caller ;; bp+4 = pointer to plaintext ;; bp+2 = return address from caller ;; bp = pushed bp ;; bp-2 = y high word ;; bp-4 = y low word ;; bp-6 = z high word ;; bp-8 = z low word ;; bp-10 = sum high word ;; bp-12 = sum low word ;; bp-14 = n ;; bp-16 = pushed si ;; bp-18 = pushed di mov bx,[bp+4] ; get address of plaintext mov ax,[bx] ; low word of first dword of plaintext mov [bp-4],ax mov ax,[bx+2] ; high word mov [bp-2],ax mov ax,[bx+4] ; second dword of plaintext (low) mov [bp-8],ax mov ax,[bx+6] ; (high) mov [bp-6],ax xor ax,ax ; zero the sum initially mov [bp-10],ax mov [bp-12],ax mov byte ptr [bp-14],#32 ; set n (just 8 bits), # rounds ;; begin encryption encipher_rounds: ;; compute new y mov ax,[bp-8] ; low word z mov bx,[bp-6] ; high word z mov cx,ax ; copy to the rest of the registers mov dx,bx mov si,ax mov di,bx ;; (z<<4) ^ (z>>5) shl ax,#1 ; shift left once rcl bx,#1 shl ax,#1 ; shift twice rcl bx,#1 shl ax,#1 ; shift three times rcl bx,#1 shl ax,#1 ; shift four times rcl bx,#1 shr dx,#1 ; shift right once rcr cx,#1 shr dx,#1 ; shift right twice rcr cx,#1 shr dx,#1 ; shift right three times rcr cx,#1 shr dx,#1 ; shift right four times rcr cx,#1 shr dx,#1 ; shift right five times rcr cx,#1 xor ax,cx ; combine xor dx,bx ; dx:ax has result xor si,[bp-12] ; combine to sum xor di,[bp-10] add ax,si ; add them together adc dx,di mov bx,[bp-12] ; get low word of sum (all we need for this) and bx,#3 ; get low two bits (modulo 4) shl bx,#1 ; convert to dword offset shl bx,#1 add bx,[bp+8] ; add to base address of key info add ax,[bx] ; low word of key adc dx,[bx+2] ; high word of key add [bp-4],ax ; add back to y adc [bp-2],dx ;; update sum mov ax,#0x79b9 ; low word of delta add [bp-12],ax mov ax,#0x9e37 ; high word of delta adc [bp-10],ax ;; compute new z mov ax,[bp-4] ; low word of y mov bx,[bp-2] ; high word of y mov cx,ax ; copy to the rest of the registers mov dx,bx mov si,ax mov di,bx ;; (y<<4) ^ (y>>5) shl ax,#1 ; shift left once rcl bx,#1 shl ax,#1 ; shift twice rcl bx,#1 shl ax,#1 ; shift three times rcl bx,#1 shl ax,#1 ; shift four times rcl bx,#1 shr dx,#1 ; shift right once rcr cx,#1 shr dx,#1 ; shift right twice rcr cx,#1 shr dx,#1 ; shift right three times rcr cx,#1 shr dx,#1 ; shift right four times rcr cx,#1 shr dx,#1 ; shift right five times rcr cx,#1 xor ax,cx ; combine xor dx,bx ; dx:ax has result xor si,[bp-12] ; combine to sum xor di,[bp-10] add ax,si ; add them together adc dx,di mov bx,[bp-12] ; get sum low word mov cx,[bp-10] ; get sum high word shr cx,#1 ; shift right once rcr bx,#1 shr cx,#1 ; shift right twice rcr bx,#1 shr cx,#1 ; shift right three times rcr bx,#1 shr cx,#1 ; shift right four times rcr bx,#1 shr cx,#1 ; shift right five times rcr bx,#1 shr cx,#1 ; shift right six times rcr bx,#1 shr cx,#1 ; shift right seven times rcr bx,#1 shr cx,#1 ; shift right eight times rcr bx,#1 shr cx,#1 ; shift right nine times rcr bx,#1 shr cx,#1 ; shift right ten times rcr bx,#1 shr cx,#1 ; shift right eleven times rcr bx,#1 and bx,#3 shl bx,#1 ; convert to dword offset shl bx,#1 add bx,[bp+8] ; add to base address of key add ax,[bx] ; low word of key adc dx,[bx+2] ; high word of key add [bp-8],ax ; add back to z adc [bp-6],dx dec byte ptr [bp-14] ; decrement rounds counter jz finish_encipher jmp near encipher_rounds finish_encipher: mov bx,[bp+6] ; get address of ciphertext storage mov ax,[bp-4] ; y, low word mov [bx],ax mov ax,[bp-2] ; y, high word mov [bx+2],ax mov ax,[bp-8] ; z, low word mov [bx+4],ax mov ax,[bp-6] ; z, high word mov [bx+6],ax pop di pop si add sp,#14 ; discard local vars pop bp ret export _xtea_decipher_asm _xtea_decipher_asm: push bp mov bp,sp sub sp,#14 ; space for y, z, sum, and n push si push di ;; bp+8 = pointer to key information ;; bp+6 = pointer to plaintext to return to caller ;; bp+4 = pointer to ciphertext ;; bp+2 = return address from caller ;; bp = pushed bp ;; bp-2 = y high word ;; bp-4 = y low word ;; bp-6 = z high word ;; bp-8 = z low word ;; bp-10 = sum high word ;; bp-12 = sum low word ;; bp-14 = n ;; bp-16 = pushed si ;; bp-18 = pushed di mov bx,[bp+4] ; get address of ciphertext mov ax,[bx] ; low word of first dword of ciphertext mov [bp-4],ax mov ax,[bx+2] ; high word mov [bp-2],ax mov ax,[bx+4] ; second dword of ciphertext (low) mov [bp-8],ax mov ax,[bx+6] ; (high) mov [bp-6],ax mov ax,#0x3720 ; low word of initial sum mov [bp-12],ax mov ax,#0xc6ef mov [bp-10],ax mov byte ptr [bp-14],#32 ; set n (just 8 bits), # rounds ;; begin decryption decipher_rounds: mov ax,[bp-4] ; low word of y mov bx,[bp-2] ; high word of y mov cx,ax ; copy to the rest of the registers mov dx,bx mov si,ax mov di,bx ;; (y<<4) ^ (y>>5) shl ax,#1 ; shift left once rcl bx,#1 shl ax,#1 ; shift twice rcl bx,#1 shl ax,#1 ; shift three times rcl bx,#1 shl ax,#1 ; shift four times rcl bx,#1 shr dx,#1 ; shift right once rcr cx,#1 shr dx,#1 ; shift right twice rcr cx,#1 shr dx,#1 ; shift right three times rcr cx,#1 shr dx,#1 ; shift right four times rcr cx,#1 shr dx,#1 ; shift right five times rcr cx,#1 xor ax,cx ; combine xor dx,bx ; dx:ax has result xor si,[bp-12] ; combine to sum xor di,[bp-10] add ax,si ; add them together adc dx,di mov bx,[bp-12] ; get sum low word mov cx,[bp-10] ; get sum high word shr cx,#1 ; shift right once rcr bx,#1 shr cx,#1 ; shift right twice rcr bx,#1 shr cx,#1 ; shift right three times rcr bx,#1 shr cx,#1 ; shift right four times rcr bx,#1 shr cx,#1 ; shift right five times rcr bx,#1 shr cx,#1 ; shift right six times rcr bx,#1 shr cx,#1 ; shift right seven times rcr bx,#1 shr cx,#1 ; shift right eight times rcr bx,#1 shr cx,#1 ; shift right nine times rcr bx,#1 shr cx,#1 ; shift right ten times rcr bx,#1 shr cx,#1 ; shift right eleven times rcr bx,#1 and bx,#3 shl bx,#1 ; convert to dword offset shl bx,#1 add bx,[bp+8] ; add to base address of key add ax,[bx] ; low word of key adc dx,[bx+2] ; high word of key sub [bp-8],ax ; subtract from z sbb [bp-6],dx ;; update sum mov ax,#0x79b9 ; low word of delta sub [bp-12],ax mov ax,#0x9e37 ; high word of delta sbb [bp-10],ax ;; compute new y mov ax,[bp-8] ; low word z mov bx,[bp-6] ; high word z mov cx,ax ; copy to the rest of the registers mov dx,bx mov si,ax mov di,bx ;; (z<<4) ^ (z>>5) shl ax,#1 ; shift left once rcl bx,#1 shl ax,#1 ; shift twice rcl bx,#1 shl ax,#1 ; shift three times rcl bx,#1 shl ax,#1 ; shift four times rcl bx,#1 shr dx,#1 ; shift right once rcr cx,#1 shr dx,#1 ; shift right twice rcr cx,#1 shr dx,#1 ; shift right three times rcr cx,#1 shr dx,#1 ; shift right four times rcr cx,#1 shr dx,#1 ; shift right five times rcr cx,#1 xor ax,cx ; combine xor dx,bx ; dx:ax has result xor si,[bp-12] ; combine to sum xor di,[bp-10] add ax,si ; add them together adc dx,di mov bx,[bp-12] ; get low word of sum (all we need for this) and bx,#3 ; get low two bits (modulo 4) shl bx,#1 ; convert to dword offset shl bx,#1 add bx,[bp+8] ; add to base address of key info add ax,[bx] ; low word of key adc dx,[bx+2] ; high word of key sub [bp-4],ax ; subtract from y sbb [bp-2],dx dec byte ptr [bp-14] ; decrement rounds counter jz finish_decipher jmp near decipher_rounds finish_decipher: mov bx,[bp+6] ; get address of ciphertext storage mov ax,[bp-4] ; y, low word mov [bx],ax mov ax,[bp-2] ; y, high word mov [bx+2],ax mov ax,[bp-8] ; z, low word mov [bx+4],ax mov ax,[bp-6] ; z, high word mov [bx+6],ax pop di pop si add sp,#14 ; discard local vars pop bp ret 2010-1-25 19:36 0
rockinuk 雪币： 2096 活跃值： (100) 能力值： (RANK：420 ) 在线值：发帖 613 回帖 1939 粉丝 7 关注私信	rockinuk 8 8 楼從 3 F 至 7F 的文章階轉載自 http://143.53.36.235:8080/source.htm，希望樓主多花點時間找找看，會找得到。研究之後若有心得，歡迎再分享給大眾。謝謝。 2010-1-25 19:40 0
sungy 雪币： 547 活跃值： (2200) 能力值： ( LV7，RANK：100 ) 在线值：发帖 146 回帖 665 粉丝 31 关注私信	sungy 1 9 楼谢谢版主支持！那个算法链接很好！虽然爆破出key的可能性很小，不过研究一下还是有好处的。要是谁能写出来，就去用超级计算机去算一下， 2010-1-25 21:29 0
rockinuk 雪币： 2096 活跃值： (100) 能力值： (RANK：420 ) 在线值：发帖 613 回帖 1939 粉丝 7 关注私信	rockinuk 8 10 楼就等你寫出來呀，自然就會有人去驗證。 2010-1-25 21:52 0
rockinuk 雪币： 2096 活跃值： (100) 能力值： (RANK：420 ) 在线值：发帖 613 回帖 1939 粉丝 7 关注私信	rockinuk 8 11 楼給 sungy 參考的 information. 上传的附件： 20100125221600781.jpg （589.39kb，314次下载） 20100125221726046.jpg （296.02kb，300次下载） 2010-1-25 22:25 0
blueapplez 雪币： 458 活跃值： (421) 能力值： ( LV9，RANK：610 ) 在线值：发帖 90 回帖 1047 粉丝 6 关注私信	blueapplez 14 12 楼 to 楼主：楼主的意思这样的吗？我们已知一个明文和密文（这里默认指 8 bytes）,然后我们通过暴力的碰撞来碰出16bytes的 Key 吗？这样计算量太大太大我们是PC无法完成的，但是写碰撞的函数还是很简单的还是说有特殊的算法呢 ps.今天看了这个帖子才知道XTEA算法，对密码学还是很感兴趣，但是确实是懂的太少，假如一个明文和密文分别为 unsigned long szV[2] = {0xaaaa1111, 0xbbbb9999}; unsigned long szV[2] = {0x32bf0f93, 0xf50ad826}; 是否可以这样写 int main(int argc, char* argv[]) { unsigned long szulKey[4]; unsigned long szV[2] = {0x32bf0f93, 0xf50ad826}; for (unsigned long i1=0x0; i1<0xffffffff; i1++) { printf("%f", (float)(i1/0xffffffff)*100); for (unsigned long i2=0x0; i2<0xffffffff; i2++) { for (unsigned long i3=0x0; i3<0xffffffff; i3++) { for (unsigned long i4=0x0; i4<0xffffffff; i4++) { szulKey[0] = i1; szulKey[1] = i2; szulKey[2] = i3; szulKey[3] = i4; decrypt(szV, szulKey); if (szV[0] == 0xaaaa1111 && szV[1] == 0xbbbb9999) { printf("找到咯"); return 0; } } } } } return 0; } 2010-1-26 12:51 0
sungy 雪币： 547 活跃值： (2200) 能力值： ( LV7，RANK：100 ) 在线值：发帖 146 回帖 665 粉丝 31 关注私信	sungy 1 13 楼谢谢‘blueapplez’正是这个意思，这样的计算量不知道现在的超级计算机快的多久能算出来，如果有128位的CPU是不是会快些，我也不太懂这些，现在不是128位的显卡吗？是不是用GPU去算会快些啊。 2010-1-29 22:00 0
rockinuk 雪币： 2096 活跃值： (100) 能力值： (RANK：420 ) 在线值：发帖 613 回帖 1939 粉丝 7 关注私信	rockinuk 8 14 楼 Related-key rectangle attack on 36 rounds of the XTEA block cipher.pdf (249.0 KB) 上传的附件： Related-key rectangle attack on 36 rounds of the XTEA block cipher.pdf （249.05kb，172次下载） 2010-1-30 23:10 0
sungy 雪币： 547 活跃值： (2200) 能力值： ( LV7，RANK：100 ) 在线值：发帖 146 回帖 665 粉丝 31 关注私信	sungy 1 15 楼有个加密狗中用到了标准XTEA算法，有人做了一个dump程序，据说可以找到KEY，可以看到这个程序用狗进行了128次的加密运行，加密数据的格式是： 00000000000000000000000000000000-00000000000000000000000000000001 00000000000000000000000000000000-00000000000000000000000000000010 00000000000000000000000000000000-00000000000000000000000000000100 00000000000000000000000000000000-00000000000000000000000000001000 。。。 10000000000000000000000000000000-00000000000000000000000000000000 64次 11111111111111111111111111111111-11111111111111111111111111111110 11111111111111111111111111111111-11111111111111111111111111111101 11111111111111111111111111111111-11111111111111111111111111111011 11111111111111111111111111111111-11111111111111111111111111110111 。。。 01111111111111111111111111111111-11111111111111111111111111111111 又64次他这样做看起来应该有什么原因吧？难道这样可以减少算KEY的时间复杂度？那个高手研究过啊，能不能说一下？或者是XTEA算法本身并没有对于这种攻击的缺陷，只是那种狗可以通过这样的尝试方便地找狗？还是说这样的攻击方法确实有它的高明之处，可以快速地定位KEY的范围，降低运算复杂度？ 2010-2-9 16:33 0
rockinuk 雪币： 2096 活跃值： (100) 能力值： (RANK：420 ) 在线值：发帖 613 回帖 1939 粉丝 7 关注私信	rockinuk 8 16 楼 To sungy, 你何不去研究TEA /XTEA 它本身的算法，然後再把你的研究心得及成果放上來？這樣，自然就會有人回應你了。 For example，我現在討論一個算法叫 FEAL，我想，可能很少人會參與討論。 Why? 因為大家對 FEAL 這樣的 cryptosystem 及其算法陌生；再者，它也不是很普及的為 indrustrial standard. 如果我把 FEAL 詳細介紹一遍，那這樣能參與討論的人是不是會變多了！？ 2010-2-9 17:06 0
luzhmu 雪币： 86 活跃值： (1183) 能力值： ( LV2，RANK：10 ) 在线值：发帖 5 回帖 650 粉丝 7 关注私信	luzhmu 17 楼很强。。有VB代码的没 2010-2-12 12:26 0
没有姓名雪币： 67 活跃值： (30) 能力值： ( LV2，RANK：10 ) 在线值：发帖 8 回帖 227 粉丝 0 关注私信	没有姓名 18 楼旁路攻击? 加密狗是个硬件设备，如果不是做得很好的话，其加密用的key应该是保存在这个设备里了，dump出来再分析的想法是不错的，不过这已经跟XTEA算法没什么关系了。 2010-2-12 16:35 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

rockinuk

雪币： 2096

活跃值： (100)

能力值： (RANK：420 )

在线值：

发帖

613

回帖

1939

粉丝

7

关注

私信

rockinuk 8: 2 楼

xtea.c

/* LibTomCrypt, modular cryptographic library -- Tom St Denis
 *
 * LibTomCrypt is a library that provides various cryptographic
 * algorithms in a highly modular and flexible manner.
 *
 * The library is free for all purposes without any express
 * guarantee it works.
 *
 * Tom St Denis, tomstdenis@iahu.ca, http://libtomcrypt.org
 */

#include "mycrypt.h"

#ifdef XTEA

const struct _cipher_descriptor xtea_desc =
{
    "xtea",
    1,
    16, 16, 8, 32,
    &xtea_setup,
    &xtea_ecb_encrypt,
    &xtea_ecb_decrypt,
    &xtea_test,
    &xtea_keysize
};

int xtea_setup(const unsigned char *key, int keylen, int num_rounds, symmetric_key *skey)
{
   unsigned long x, sum, K[4];
   
   _ARGCHK(key != NULL);
   _ARGCHK(skey != NULL);

   /* check arguments */
   if (keylen != 16) {
      return CRYPT_INVALID_KEYSIZE;
   }

   if (num_rounds != 0 && num_rounds != 32) {
      return CRYPT_INVALID_ROUNDS;
   }

   /* load key */
   LOAD32L(K[0], key+0);
   LOAD32L(K[1], key+4);
   LOAD32L(K[2], key+8);
   LOAD32L(K[3], key+12);
   
   for (x = sum = 0; x < 32; x++) {
       skey->xtea.A[x] = (sum + K[sum&3]) & 0xFFFFFFFFUL;
       sum = (sum + 0x9E3779B9UL) & 0xFFFFFFFFUL;
       skey->xtea.B[x] = (sum + K[(sum>>11)&3]) & 0xFFFFFFFFUL;
   }
   
#ifdef CLEAN_STACK
   zeromem(&K, sizeof(K));
#endif   
   
   return CRYPT_OK;
}

void xtea_ecb_encrypt(const unsigned char *pt, unsigned char *ct, symmetric_key *key)
{
   unsigned long y, z;
   int r;

   _ARGCHK(pt != NULL);
   _ARGCHK(ct != NULL);
   _ARGCHK(key != NULL);

   LOAD32L(y, &pt[0]);
   LOAD32L(z, &pt[4]);
   for (r = 0; r < 32; r += 4) {
       y = (y + ((((z<<4)^(z>>5)) + z) ^ key->xtea.A[r])) & 0xFFFFFFFFUL;
       z = (z + ((((y<<4)^(y>>5)) + y) ^ key->xtea.B[r])) & 0xFFFFFFFFUL;

       y = (y + ((((z<<4)^(z>>5)) + z) ^ key->xtea.A[r+1])) & 0xFFFFFFFFUL;
       z = (z + ((((y<<4)^(y>>5)) + y) ^ key->xtea.B[r+1])) & 0xFFFFFFFFUL;

       y = (y + ((((z<<4)^(z>>5)) + z) ^ key->xtea.A[r+2])) & 0xFFFFFFFFUL;
       z = (z + ((((y<<4)^(y>>5)) + y) ^ key->xtea.B[r+2])) & 0xFFFFFFFFUL;

       y = (y + ((((z<<4)^(z>>5)) + z) ^ key->xtea.A[r+3])) & 0xFFFFFFFFUL;
       z = (z + ((((y<<4)^(y>>5)) + y) ^ key->xtea.B[r+3])) & 0xFFFFFFFFUL;
   }
   STORE32L(y, &ct[0]);
   STORE32L(z, &ct[4]);
}

void xtea_ecb_decrypt(const unsigned char *ct, unsigned char *pt, symmetric_key *key)
{
   unsigned long y, z;
   int r;

   _ARGCHK(pt != NULL);
   _ARGCHK(ct != NULL);
   _ARGCHK(key != NULL);

   LOAD32L(y, &ct[0]);
   LOAD32L(z, &ct[4]);
   for (r = 31; r >= 0; r -= 4) {
       z = (z - ((((y<<4)^(y>>5)) + y) ^ key->xtea.B[r])) & 0xFFFFFFFFUL;
       y = (y - ((((z<<4)^(z>>5)) + z) ^ key->xtea.A[r])) & 0xFFFFFFFFUL;

       z = (z - ((((y<<4)^(y>>5)) + y) ^ key->xtea.B[r-1])) & 0xFFFFFFFFUL;
       y = (y - ((((z<<4)^(z>>5)) + z) ^ key->xtea.A[r-1])) & 0xFFFFFFFFUL;

       z = (z - ((((y<<4)^(y>>5)) + y) ^ key->xtea.B[r-2])) & 0xFFFFFFFFUL;
       y = (y - ((((z<<4)^(z>>5)) + z) ^ key->xtea.A[r-2])) & 0xFFFFFFFFUL;

       z = (z - ((((y<<4)^(y>>5)) + y) ^ key->xtea.B[r-3])) & 0xFFFFFFFFUL;
       y = (y - ((((z<<4)^(z>>5)) + z) ^ key->xtea.A[r-3])) & 0xFFFFFFFFUL;
   }
   STORE32L(y, &pt[0]);
   STORE32L(z, &pt[4]);
}

int xtea_test(void)
{
 #ifndef LTC_TEST
    return CRYPT_NOP;
 #else    
   static const unsigned char key[16] = 
      { 0x78, 0x56, 0x34, 0x12, 0xf0, 0xcd, 0xcb, 0x9a,
        0x48, 0x37, 0x26, 0x15, 0xc0, 0xbf, 0xae, 0x9d };
   static const unsigned char pt[8] = 
      { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08 };
   static const unsigned char ct[8] = 
      { 0x75, 0xd7, 0xc5, 0xbf, 0xcf, 0x58, 0xc9, 0x3f };
   unsigned char tmp[2][8];
   symmetric_key skey;
   int err, y;

   if ((err = xtea_setup(key, 16, 0, &skey)) != CRYPT_OK)  {
      return err;
   }
   xtea_ecb_encrypt(pt, tmp[0], &skey);
   xtea_ecb_decrypt(tmp[0], tmp[1], &skey);

   if (memcmp(tmp[0], ct, 8) != 0 || memcmp(tmp[1], pt, 8) != 0) { 
      return CRYPT_FAIL_TESTVECTOR;
   }

      /* now see if we can encrypt all zero bytes 1000 times, decrypt and come back where we started */
      for (y = 0; y < 8; y++) tmp[0][y] = 0;
      for (y = 0; y < 1000; y++) xtea_ecb_encrypt(tmp[0], tmp[0], &skey);
      for (y = 0; y < 1000; y++) xtea_ecb_decrypt(tmp[0], tmp[0], &skey);
      for (y = 0; y < 8; y++) if (tmp[0][y] != 0) return CRYPT_FAIL_TESTVECTOR;

   return CRYPT_OK;
 #endif
}

int xtea_keysize(int *desired_keysize)
{
   _ARGCHK(desired_keysize != NULL);
   if (*desired_keysize < 16) {
      return CRYPT_INVALID_KEYSIZE; 
   }
   *desired_keysize = 16;
   return CRYPT_OK;
}


#endif

Source from http://www.koders.com/c/fid97A9E9DC3E5AC3A084FEC06203AF3B58F4909658.aspx?s=rsa

2010-1-25 19:26

0

rockinuk

雪币： 2096

活跃值： (100)

能力值： (RANK：420 )

在线值：

发帖

613

回帖

1939

粉丝

7

关注

私信

rockinuk 8: 3 楼

ANSI C

void encipher(unsigned long *const v,unsigned long *const w,
   const unsigned long *const k)
{
   register unsigned long       y=v[0],z=v[1],sum=0,delta=0x9E3779B9,
				a=k[0],b=k[1],c=k[2],d=k[3],n=32;

   while(n-->0)
      {
      sum += delta;
      y += (z << 4)+a ^ z+sum ^ (z >> 5)+b;
      z += (y << 4)+c ^ y+sum ^ (y >> 5)+d;
      }

   w[0]=y; w[1]=z;
}

void decipher(unsigned long *const v,unsigned long *const w,
   const unsigned long *const k)
{
   register unsigned long       y=v[0],z=v[1],sum=0xC6EF3720,
				delta=0x9E3779B9,a=k[0],b=k[1],
				c=k[2],d=k[3],n=32;

   /* sum = delta<<5, in general sum = delta * n */

   while(n-->0)
      {
      z -= (y << 4)+c ^ y+sum ^ (y >> 5)+d;
      y -= (z << 4)+a ^ z+sum ^ (z >> 5)+b;
      sum -= delta;
      }
   
   w[0]=y; w[1]=z;
}

2010-1-25 19:33

0

rockinuk

雪币： 2096

活跃值： (100)

能力值： (RANK：420 )

在线值：

发帖

613

回帖

1939

粉丝

7

关注

私信

rockinuk 8: 4 楼

Motorola PowerPC (Metrowerks CodeWarrior Style)

asm void encipher(register const unsigned long * const v,
   register unsigned long * const w,
   register const unsigned long * const k)
{
      // On entry, v = r3, w = r4, k = r5
      // use r3 and r5 as scratch
      
      // r0 = v[0]
      // r6 = v[1]
      // r7 - r10 = k[0] - k[3]
      // r11 = sum
      // r12 = delta
      
      li    r11,0 // sum = 0
      
      li    r12,0x79B9  // delta =0x9E3779B9
      addis r12,r12,0x9E37
            
      li    r0,16 // loop counter into count register
      mtctr r0
      
      lwz   r0,0(r3) // put the contents of v and k into the registers
      lwz   r6,4(r3)
      lwz   r7,0(r5)
      lwz   r8,4(r5)
      lwz   r9,8(r5)
      lwz   r10,12(r5)

loop: add   r11,r11,r12 // sum += delta
      slwi  r5,r6,4     // z << 4
      add   r5,r5,r7    // (z << 4) + a
      add   r3,r6,r11   // z + sum
      xor   r3,r5,r3    // ((z << 4) + a) ^ (z + sum)
      srwi  r5,r6,5     // z >> 5
      add   r5,r5,r8    // (z >> 5) + b
      xor   r3,r5,r3    // ((z << 4)+a)^(z+sum)^((z >> 5)+b);
      add   r0,r0,r3    // y += result
      
      slwi  r5,r0,4     // y << 4
      add   r5,r5,r9    // (y << 4) +c
      add   r3,r0,r11   // y + sum
      xor   r3,r5,r3    // ((y << 4) +c) ^ (y + sum)
      srwi  r5,r0,5     // y >> 5
      add   r5,r5,r10   // (y >> 5) + d
      xor   r3,r5,r3    // ((y << 4)+c)^(y+sum)^((y >> 5)+d);
      add   r6,r6,r3    // z += result
      
      bdnz+ loop        // decrement CTR and branch
      
      stw   r0,0(r4)    // store result back in w
      stw   r6,4(r4)
      
      blr
}
   
asm void decipher(register const unsigned long * const v,
   register unsigned long * const w,
   register const unsigned long * const k)
{
      // On entry, v = r3, w = r4, k = r5
      // use r3 and r5 as scratch
      
      // r0 = v[0]
      // r6 = v[1]
      // r7 - r10 = k[0] - k[3]
      // r11 = sum
      // r12 = delta
      
      li    r11,0x9B90;       // sum =0xE3779B90
      addis r11,r11,0xE378;
      
      li    r12,0x79B9  // delta =0x9E3779B9
      addis r12,r12,0x9E37
      
      li    r0,16 // loop counter into count register
      mtctr r0
      
      lwz   r0,0(r3) // put the contents of v and k into the registers
      lwz   r6,4(r3)
      lwz   r7,0(r5)
      lwz   r8,4(r5)
      lwz   r9,8(r5)
      lwz   r10,12(r5)
      
loop: slwi  r5,r0,4     // y << 4
      add   r5,r5,r9    // (y << 4) + c
      add   r3,r0,r11   // y + sum
      xor   r3,r5,r3    // ((y << 4) +  c) ^ (y + sum)
      srwi  r5,r0,5     // y >> 5
      add   r5,r5,r10   // (y >> 5) + d
      xor   r3,r5,r3    // ((y << 4)+c)^(y+sum)^((y >> 5)+d)
      sub   r6,r6,r3    // z -= result
      
      slwi  r5,r6,4     // z << 4
      add   r5,r5,r7    // (z << 4) + a
      add   r3,r6,r11   // z + sum
      xor   r3,r5,r3    // ((z << 4) + a) ^ (z + sum)
      srwi  r5,r6,5     // z >> 5
      add   r5,r5,r8    // (z >> 5) + b
      xor   r3,r5,r3    // ((z << 4)+a)^(z+sum)^((z >> 5)+b);
      sub   r0,r0,r3    // y -= result
      
      sub   r11,r11,r12 // sum -= delta
      
      bdnz+ loop        // decrement CTR and branch
      
      stw   r0,0(r4)    // store result back in w
      stw   r6,4(r4)

      blr
}

2010-1-25 19:33

0

rockinuk

雪币： 2096

活跃值： (100)

能力值： (RANK：420 )

在线值：

发帖

613

回帖

1939

粉丝

7

关注

私信

rockinuk 8: 5 楼

Motorola 680x0 (Metrowerks CodeWarrior style)

asm void encipher(const unsigned long* const v,unsigned long* const w,
   const unsigned long* const k)
{
      fralloc 
      movem.l  d3-d7/a2,-(a7)
   
      /* load initial registers
         d0:   y = v[0]
         d1:   z = v[1]
         d2:   a = k[0]
         d3:   b = k[1]
         d4:   c = k[2]
         d5:   loop counter (k[3] in a2)
         d6:   scratch register 1
         d7:   scratch register 2
         a0:   sum
         a1:   delta = 0x9E3779B9;
         a2:   d = k[3] */
               
      move.l   v,a0
      move.l   (a0),d0
      move.l   4(a0),d1
      
      move.l   k,a0
      move.l   (a0),d2
      move.l   4(a0),d3
      move.l   8(a0),d4
      move.l   12(a0),a2
      
      move.l   #0x9E3779B9,a0
      move.l   #0x9E3779B9,a1
      
      moveq.l  #15,d5      // sixteen rounds
      
      // d6 = (z<<4)+a
loop: move.l   d1,d6
      lsl.l    #4,d6
      add.l    d2,d6
      
      // d7 = z+sum
      move.l   d1,d7
      add.l    a0,d7
      
      // d7 = ((z<<4)+a)^(z+sum)
      eor.l    d6,d7
      
      // d6 = (z>>5)+b
      move.l   d1,d6
      lsr.l    #5,d6
      add.l    d3,d6
      
      // d7 = ((z<<4)+a)^(z+sum)^((z>>5)+b)
      eor.l    d6,d7
      
      // add back into y
      add.l    d7,d0
      
      // d6 = (y<<4)+c 
      move.l   d0,d6
      lsl.l    #4,d6
      add.l    d4,d6
      
      // d7 = y+sum
      move.l   d0,d7
      add.l    a0,d7
      
      // d7 = ((y<<4)+c)^(y+sum)
      eor.l    d6,d7
      
      // d6 = (y>>5)+d
      move.l   d0,d6
      lsr.l    #5,d6
      add.l    a2,d6
      
      // d7 = ((y<<4)+c)^(y+sum)^((y>>5)+d)
      eor.l    d6,d7
      
      // add back into z
      add.l    d7,d1
      
      // sum+=delta
      adda.l   a1,a0
               
      // branch back and do it again
      dbra     d5,loop
      
      // place the result back into w
      move.l   w,a0
      move.l   d0,(a0)
      move.l   d1,4(a0)
      
      movem.l  (a7)+,d3-d7/a2
      
      frfree
      rts
}

asm void decipher(const unsigned long *const v,unsigned long *const w,
   const unsigned long *const k)
{
   fralloc
   movem.l  d3-d7/a2,-(a7)
   
     /* load initial registers
         d0:   y = v[0]
         d1:   z = v[1]
         d2:   a = k[0]
         d3:   b = k[1]
         d4:   c = k[2]
         d5:   loop counter (k[3] in a2)
         d6:   scratch register 1
         d7:   scratch register 2
         a0:   sum = 0xE3779B90 (delta * 16)
         a1:   delta = 0x9E3779B9;
         a2:   d = k[3] */
      
      move.l   v,a0
      move.l   (a0),d0
      move.l   4(a0),d1
      
      move.l   k,a0
      move.l   (a0),d2
      move.l   4(a0),d3
      move.l   8(a0),d4
      move.l   12(a0),a2
      
      move.l   #0xE3779B90,a0
      move.l   #0x9E3779B9,a1
      
      moveq.l  #15,d5      // sixteen rounds
      
      // d6 = (y<<4)+c 
loop: move.l   d0,d6
      lsl.l    #4,d6
      add.l    d4,d6
      
      // d7 = y+sum
      move.l   d0,d7
      add.l    a0,d7
      
      // d7 = ((y<<4)+c)^(y+sum)
      eor.l    d6,d7
      
      // d6 = (y>>5)+d
      move.l   d0,d6
      lsr.l    #5,d6
      add.l    a2,d6
      
      // d7 = ((y<<4)+c)^(y+sum)^((y>>5)+d)
      eor.l    d6,d7
      
      // subtract from z
      sub.l    d7,d1
      
      // d6 = (z<<4)+a
      move.l   d1,d6
      lsl.l    #4,d6
      add.l    d2,d6
      
      // d7 = z+sum
      move.l   d1,d7
      add.l    a0,d7
      
      // d7 = ((z<<4)+a)^(z+sum)
      eor.l    d6,d7
      
      // d6 = (z>>5)+b
      move.l   d1,d6
      lsr.l    #5,d6
      add.l    d3,d6
      
      // d7 = ((z<<4)+a)^(z+sum)^((z>>5)+b)
      eor.l    d6,d7
      
      // subtract from y
      sub.l    d7,d0
      
      // sum-=delta
      suba.l   a1,a0
      
      // branch back and do it again
      dbra     d5,loop
      
      // place the result back into w
      move.l   w,a0
      move.l   d0,(a0)
      move.l   d1,4(a0)
      
      movem.l  (a7)+,d3-d7/a2
      
      frfree
      rts
}

2010-1-25 19:34

0

rockinuk

雪币： 2096

活跃值： (100)

能力值： (RANK：420 )

在线值：

发帖

613

回帖

1939

粉丝

7

关注

私信

rockinuk 8: 6 楼

ANSI C (New Variant)

void encipher(const unsigned long *const v,unsigned long *const w,
   const unsigned long * const k)
{
   register unsigned long       y=v[0],z=v[1],sum=0,delta=0x9E3779B9,n=32;

   while(n-->0)
      {
      y += (z << 4 ^ z >> 5) + z ^ sum + k[sum&3];
      sum += delta;
      z += (y << 4 ^ y >> 5) + y ^ sum + k[sum>>11 & 3];
      }

   w[0]=y; w[1]=z;
}

void decipher(const unsigned long *const v,unsigned long *const w,
   const unsigned long * const k)
{
   register unsigned long       y=v[0],z=v[1],sum=0xC6EF3720,
				delta=0x9E3779B9,n=32;

   /* sum = delta<<5, in general sum = delta * n */

   while(n-->0)
      {
      z -= (y << 4 ^ y >> 5) + y ^ sum + k[sum>>11 & 3];
      sum -= delta;
      y -= (z << 4 ^ z >> 5) + z ^ sum + k[sum&3];
      }
   
   w[0]=y; w[1]=z;
}

2010-1-25 19:34

0

rockinuk

雪币： 2096

活跃值： (100)

能力值： (RANK：420 )

在线值：

发帖

613

回帖

1939

粉丝

7

关注

私信

rockinuk 8: 7 楼

16-bit x86 (New Variant)

;; 
	;; An implementation of the XTEA algorithm in 16-bit 80x86 assembly
	;; language.  This should work on any processor in the 80x86 family
	;; but works best with the 16-bit members of the family (80x86 for
	;; x <= 2).  This assembly language is suitable for use with linux-86
	;; and the as86 assembler, but should be fairly trivial to convert
	;; so it will assemble with some other assembler easily.  It has been
	;; tested with 16-bit objects for Linux-8086 (ELKS), and should work
	;; under DOS with the tiny and small memory models.  To make it
	;; work with the large and huge memory models, it will probably be
	;; necessary to reset the parameters (bp+4 becomes bp+6 and so on),
	;; and segment loads may need to be done as well (les and lds).
	;;
	;; Wasn't so easy to write because the number of registers available
	;; on the 80x86 is kinda small...and they're 16-bit registers too!
	;;
	;; Placed in the Public Domain by Rafael R. Sevilla
	;;				  
	;; 

	.text

	export _xtea_encipher_asm
_xtea_encipher_asm:
	push	bp
	mov	bp,sp
	sub	sp,#14		; space for y, z, sum, and n
	push	si
	push	di
	;; bp+8 = pointer to key information
	;; bp+6 = pointer to ciphertext to return to caller
	;; bp+4 = pointer to plaintext
	;; bp+2 = return address from caller
	;; bp = pushed bp
	;; bp-2 = y high word
	;; bp-4 = y low word
	;; bp-6 = z high word
	;; bp-8 = z low word
	;; bp-10 = sum high word
	;; bp-12 = sum low word
	;; bp-14 = n
	;; bp-16 = pushed si
	;; bp-18 = pushed di
	mov	bx,[bp+4]	; get address of plaintext
	mov	ax,[bx]		; low word of first dword of plaintext
	mov	[bp-4],ax
	mov	ax,[bx+2]	; high word
	mov	[bp-2],ax
	mov	ax,[bx+4]	; second dword of plaintext (low)
	mov	[bp-8],ax
	mov	ax,[bx+6]	; (high)
	mov	[bp-6],ax
	xor	ax,ax		; zero the sum initially
	mov	[bp-10],ax
	mov	[bp-12],ax
	mov	byte ptr [bp-14],#32 ; set n (just 8 bits), # rounds
	;; begin encryption
encipher_rounds:
	;; compute new y
	mov	ax,[bp-8]	; low word z
	mov	bx,[bp-6]	; high word z
	mov	cx,ax		; copy to the rest of the registers
	mov	dx,bx
	mov	si,ax
	mov	di,bx
	;; (z<<4) ^ (z>>5)
	shl	ax,#1		; shift left once
	rcl	bx,#1
	shl	ax,#1		; shift twice
	rcl	bx,#1
	shl	ax,#1		; shift three times
	rcl	bx,#1
	shl	ax,#1		; shift four times
	rcl	bx,#1
	shr	dx,#1		; shift right once
	rcr	cx,#1
	shr	dx,#1		; shift right twice
	rcr	cx,#1
	shr	dx,#1		; shift right three times
	rcr	cx,#1
	shr	dx,#1		; shift right four times
	rcr	cx,#1
	shr	dx,#1		; shift right five times
	rcr	cx,#1
	xor	ax,cx		; combine
	xor	dx,bx		; dx:ax has result
	xor	si,[bp-12]	; combine to sum
	xor	di,[bp-10]
	add	ax,si		; add them together
	adc	dx,di
	mov	bx,[bp-12]	; get low word of sum (all we need for this)
	and	bx,#3		; get low two bits (modulo 4)
	shl	bx,#1		; convert to dword offset
	shl	bx,#1
	add	bx,[bp+8]	; add to base address of key info
	add	ax,[bx]		; low word of key
	adc	dx,[bx+2]	; high word of key
	add	[bp-4],ax	; add back to y
	adc	[bp-2],dx
	;; update sum
	mov	ax,#0x79b9	; low word of delta
	add	[bp-12],ax
	mov	ax,#0x9e37	; high word of delta
	adc	[bp-10],ax
	;; compute new z
	mov	ax,[bp-4]	; low word of y
	mov	bx,[bp-2]	; high word of y
	mov	cx,ax		; copy to the rest of the registers
	mov	dx,bx
	mov	si,ax
	mov	di,bx
	;; (y<<4) ^ (y>>5)
	shl	ax,#1		; shift left once
	rcl	bx,#1
	shl	ax,#1		; shift twice
	rcl	bx,#1
	shl	ax,#1		; shift three times
	rcl	bx,#1
	shl	ax,#1		; shift four times
	rcl	bx,#1
	shr	dx,#1		; shift right once
	rcr	cx,#1
	shr	dx,#1		; shift right twice
	rcr	cx,#1
	shr	dx,#1		; shift right three times
	rcr	cx,#1
	shr	dx,#1		; shift right four times
	rcr	cx,#1
	shr	dx,#1		; shift right five times
	rcr	cx,#1
	xor	ax,cx		; combine
	xor	dx,bx		; dx:ax has result
	xor	si,[bp-12]	; combine to sum
	xor	di,[bp-10]
	add	ax,si		; add them together
	adc	dx,di
	mov	bx,[bp-12]	; get sum low word
	mov	cx,[bp-10]	; get sum high word
	shr	cx,#1		; shift right once
	rcr	bx,#1
	shr	cx,#1		; shift right twice
	rcr	bx,#1
	shr	cx,#1		; shift right three times
	rcr	bx,#1
	shr	cx,#1		; shift right four times
	rcr	bx,#1
	shr	cx,#1		; shift right five times
	rcr	bx,#1
	shr	cx,#1		; shift right six times
	rcr	bx,#1
	shr	cx,#1		; shift right seven times
	rcr	bx,#1
	shr	cx,#1		; shift right eight times
	rcr	bx,#1
	shr	cx,#1		; shift right nine times
	rcr	bx,#1
	shr	cx,#1		; shift right ten times
	rcr	bx,#1
	shr	cx,#1		; shift right eleven times
	rcr	bx,#1
	and	bx,#3
	shl	bx,#1		; convert to dword offset
	shl	bx,#1
	add	bx,[bp+8]	; add to base address of key
	add	ax,[bx]		; low word of key
	adc	dx,[bx+2]	; high word of key
	add	[bp-8],ax	; add back to z
	adc	[bp-6],dx
	dec	byte ptr [bp-14] ; decrement rounds counter
	jz	finish_encipher
	jmp	near encipher_rounds
finish_encipher:	
	mov	bx,[bp+6]	; get address of ciphertext storage
	mov	ax,[bp-4]	; y, low word
	mov	[bx],ax
	mov	ax,[bp-2]	; y, high word
	mov	[bx+2],ax
	mov	ax,[bp-8]	; z, low word
	mov	[bx+4],ax
	mov	ax,[bp-6]	; z, high word
	mov	[bx+6],ax
	pop	di
	pop	si
	add	sp,#14		; discard local vars
	pop	bp
	ret

	export _xtea_decipher_asm
_xtea_decipher_asm:
	push	bp
	mov	bp,sp
	sub	sp,#14		; space for y, z, sum, and n
	push	si
	push	di
	;; bp+8 = pointer to key information
	;; bp+6 = pointer to plaintext to return to caller
	;; bp+4 = pointer to ciphertext
	;; bp+2 = return address from caller
	;; bp = pushed bp
	;; bp-2 = y high word
	;; bp-4 = y low word
	;; bp-6 = z high word
	;; bp-8 = z low word
	;; bp-10 = sum high word
	;; bp-12 = sum low word
	;; bp-14 = n
	;; bp-16 = pushed si
	;; bp-18 = pushed di
	mov	bx,[bp+4]	; get address of ciphertext
	mov	ax,[bx]		; low word of first dword of ciphertext
	mov	[bp-4],ax
	mov	ax,[bx+2]	; high word
	mov	[bp-2],ax
	mov	ax,[bx+4]	; second dword of ciphertext (low)
	mov	[bp-8],ax
	mov	ax,[bx+6]	; (high)
	mov	[bp-6],ax
	mov	ax,#0x3720	; low word of initial sum
	mov	[bp-12],ax
	mov	ax,#0xc6ef
	mov	[bp-10],ax
	mov	byte ptr [bp-14],#32 ; set n (just 8 bits), # rounds
	;; begin decryption
decipher_rounds:	
	mov	ax,[bp-4]	; low word of y
	mov	bx,[bp-2]	; high word of y
	mov	cx,ax		; copy to the rest of the registers
	mov	dx,bx
	mov	si,ax
	mov	di,bx
	;; (y<<4) ^ (y>>5)
	shl	ax,#1		; shift left once
	rcl	bx,#1
	shl	ax,#1		; shift twice
	rcl	bx,#1
	shl	ax,#1		; shift three times
	rcl	bx,#1
	shl	ax,#1		; shift four times
	rcl	bx,#1
	shr	dx,#1		; shift right once
	rcr	cx,#1
	shr	dx,#1		; shift right twice
	rcr	cx,#1
	shr	dx,#1		; shift right three times
	rcr	cx,#1
	shr	dx,#1		; shift right four times
	rcr	cx,#1
	shr	dx,#1		; shift right five times
	rcr	cx,#1
	xor	ax,cx		; combine
	xor	dx,bx		; dx:ax has result
	xor	si,[bp-12]	; combine to sum
	xor	di,[bp-10]
	add	ax,si		; add them together
	adc	dx,di
	mov	bx,[bp-12]	; get sum low word
	mov	cx,[bp-10]	; get sum high word
	shr	cx,#1		; shift right once
	rcr	bx,#1
	shr	cx,#1		; shift right twice
	rcr	bx,#1
	shr	cx,#1		; shift right three times
	rcr	bx,#1
	shr	cx,#1		; shift right four times
	rcr	bx,#1
	shr	cx,#1		; shift right five times
	rcr	bx,#1
	shr	cx,#1		; shift right six times
	rcr	bx,#1
	shr	cx,#1		; shift right seven times
	rcr	bx,#1
	shr	cx,#1		; shift right eight times
	rcr	bx,#1
	shr	cx,#1		; shift right nine times
	rcr	bx,#1
	shr	cx,#1		; shift right ten times
	rcr	bx,#1
	shr	cx,#1		; shift right eleven times
	rcr	bx,#1
	and	bx,#3
	shl	bx,#1		; convert to dword offset
	shl	bx,#1
	add	bx,[bp+8]	; add to base address of key
	add	ax,[bx]		; low word of key
	adc	dx,[bx+2]	; high word of key
	sub	[bp-8],ax	; subtract from z
	sbb	[bp-6],dx
	;; update sum
	mov	ax,#0x79b9	; low word of delta
	sub	[bp-12],ax
	mov	ax,#0x9e37	; high word of delta
	sbb	[bp-10],ax
	;; compute new y
	mov	ax,[bp-8]	; low word z
	mov	bx,[bp-6]	; high word z
	mov	cx,ax		; copy to the rest of the registers
	mov	dx,bx
	mov	si,ax
	mov	di,bx
	;; (z<<4) ^ (z>>5)
	shl	ax,#1		; shift left once
	rcl	bx,#1
	shl	ax,#1		; shift twice
	rcl	bx,#1
	shl	ax,#1		; shift three times
	rcl	bx,#1
	shl	ax,#1		; shift four times
	rcl	bx,#1
	shr	dx,#1		; shift right once
	rcr	cx,#1
	shr	dx,#1		; shift right twice
	rcr	cx,#1
	shr	dx,#1		; shift right three times
	rcr	cx,#1
	shr	dx,#1		; shift right four times
	rcr	cx,#1
	shr	dx,#1		; shift right five times
	rcr	cx,#1
	xor	ax,cx		; combine
	xor	dx,bx		; dx:ax has result
	xor	si,[bp-12]	; combine to sum
	xor	di,[bp-10]
	add	ax,si		; add them together
	adc	dx,di
	mov	bx,[bp-12]	; get low word of sum (all we need for this)
	and	bx,#3		; get low two bits (modulo 4)
	shl	bx,#1		; convert to dword offset
	shl	bx,#1
	add	bx,[bp+8]	; add to base address of key info
	add	ax,[bx]		; low word of key
	adc	dx,[bx+2]	; high word of key
	sub	[bp-4],ax	; subtract from y
	sbb	[bp-2],dx
	dec	byte ptr [bp-14] ; decrement rounds counter
	jz	finish_decipher
	jmp	near decipher_rounds
finish_decipher:	
	mov	bx,[bp+6]	; get address of ciphertext storage
	mov	ax,[bp-4]	; y, low word
	mov	[bx],ax
	mov	ax,[bp-2]	; y, high word
	mov	[bx+2],ax
	mov	ax,[bp-8]	; z, low word
	mov	[bx+4],ax
	mov	ax,[bp-6]	; z, high word
	mov	[bx+6],ax
	pop	di
	pop	si
	add	sp,#14		; discard local vars
	pop	bp
	ret

2010-1-25 19:36

0

rockinuk

雪币： 2096

活跃值： (100)

能力值： (RANK：420 )

在线值：

发帖

613

回帖

1939

粉丝

7

关注

私信

rockinuk 8: 8 楼

從 3 F 至 7F 的文章階轉載自 http://143.53.36.235:8080/source.htm，希望樓主多花點時間找找看，會找得到。
研究之後若有心得，歡迎再分享給大眾。
謝謝。

2010-1-25 19:40

0

sungy

雪币： 547

活跃值： (2200)

能力值：

( LV7，RANK：100 )

在线值：

发帖

146

回帖

665

粉丝

31

关注

私信

sungy 1: 9 楼

谢谢版主支持！那个算法链接很好！
虽然爆破出key的可能性很小，不过研究一下还是有好处的。要是谁能写出来，就去用超级计算机去算一下，

2010-1-25 21:29

0

rockinuk

雪币： 2096

活跃值： (100)

能力值： (RANK：420 )

在线值：

发帖

613

回帖

1939

粉丝

7

关注

私信

rockinuk 8: 10 楼

就等你寫出來呀，自然就會有人去驗證。

2010-1-25 21:52

0

rockinuk

雪币： 2096

活跃值： (100)

能力值： (RANK：420 )

在线值：

发帖

613

回帖

1939

粉丝

7

关注

私信

rockinuk 8: 11 楼

給 sungy 參考的 information.

上传的附件：

20100125221600781.jpg （589.39kb，314次下载）
20100125221726046.jpg （296.02kb，300次下载）

2010-1-25 22:25

0

blueapplez

雪币： 458

活跃值： (421)

能力值：

( LV9，RANK：610 )

在线值：

发帖

90

回帖

1047

粉丝

6

关注

私信

blueapplez 14: 12 楼

to 楼主：
楼主的意思这样的吗？
我们已知一个明文和密文（这里默认指 8 bytes）,然后我们通过暴力的碰撞来碰出16bytes的 Key 吗？
这样计算量太大太大我们是PC无法完成的，但是写碰撞的函数还是很简单的
还是说有特殊的算法呢

ps.今天看了这个帖子才知道XTEA算法，对密码学还是很感兴趣，但是确实是懂的太少，
假如一个明文和密文分别为
unsigned long szV[2] = {0xaaaa1111, 0xbbbb9999};
unsigned long szV[2] = {0x32bf0f93, 0xf50ad826};

是否可以这样写

int main(int argc, char* argv[])
{
	unsigned long szulKey[4];
	unsigned long szV[2] = {0x32bf0f93, 0xf50ad826};

	for (unsigned long i1=0x0; i1<0xffffffff; i1++)
	{
		printf("%f", (float)(i1/0xffffffff)*100);
		for (unsigned long i2=0x0; i2<0xffffffff; i2++)
		{
			for (unsigned long i3=0x0; i3<0xffffffff; i3++)
			{
				for (unsigned long i4=0x0; i4<0xffffffff; i4++)
				{
					szulKey[0] = i1;
					szulKey[1] = i2;
					szulKey[2] = i3;
					szulKey[3] = i4;

					decrypt(szV, szulKey);
					if (szV[0] == 0xaaaa1111 && szV[1] == 0xbbbb9999)
					{
						printf("找到咯");
						return 0;
					}
				}
			}


		}
	}

	return 0;
}

2010-1-26 12:51

0

sungy

雪币： 547

活跃值： (2200)

能力值：

( LV7，RANK：100 )

在线值：

发帖

146

回帖

665

粉丝

31

关注

私信

sungy 1: 13 楼

谢谢‘blueapplez’正是这个意思，这样的计算量不知道现在的超级计算机快的多久能算出来，如果有128位的CPU是不是会快些，我也不太懂这些，现在不是128位的显卡吗？是不是用GPU去算会快些啊。

2010-1-29 22:00

0

rockinuk

雪币： 2096

活跃值： (100)

能力值： (RANK：420 )

在线值：

发帖

613

回帖

1939

粉丝

7

关注

私信

rockinuk 8: 14 楼

Related-key rectangle attack on 36 rounds of the XTEA block cipher.pdf (249.0 KB)

上传的附件：

Related-key rectangle attack on 36 rounds of the XTEA block cipher.pdf （249.05kb，172次下载）

2010-1-30 23:10

0

sungy

雪币： 547

活跃值： (2200)

能力值：

( LV7，RANK：100 )

在线值：

发帖

146

回帖

665

粉丝

31

关注

私信

sungy 1: 15 楼

有个加密狗中用到了标准XTEA算法，有人做了一个dump程序，据说可以找到KEY，可以看到这个程序用狗进行了128次的加密运行，加密数据的格式是：
00000000000000000000000000000000-00000000000000000000000000000001
00000000000000000000000000000000-00000000000000000000000000000010
00000000000000000000000000000000-00000000000000000000000000000100
00000000000000000000000000000000-00000000000000000000000000001000
。。。
10000000000000000000000000000000-00000000000000000000000000000000
64次
11111111111111111111111111111111-11111111111111111111111111111110
11111111111111111111111111111111-11111111111111111111111111111101
11111111111111111111111111111111-11111111111111111111111111111011
11111111111111111111111111111111-11111111111111111111111111110111
。。。
01111111111111111111111111111111-11111111111111111111111111111111
又64次

他这样做看起来应该有什么原因吧？难道这样可以减少算KEY的时间复杂度？那个高手研究过啊，能不能说一下？
或者是XTEA算法本身并没有对于这种攻击的缺陷，只是那种狗可以通过这样的尝试方便地找狗？还是说这样的攻击方法确实有它的高明之处，可以快速地定位KEY的范围，降低运算复杂度？

2010-2-9 16:33

0

rockinuk

雪币： 2096

活跃值： (100)

能力值： (RANK：420 )

在线值：

发帖

613

回帖

1939

粉丝

7

关注

私信

rockinuk 8: 16 楼

To sungy,
你何不去研究TEA /XTEA 它本身的算法，然後再把你的研究心得及成果放上來？
這樣，自然就會有人回應你了。

For example，我現在討論一個算法叫 FEAL，我想，可能很少人會參與討論。
Why?
因為大家對 FEAL 這樣的 cryptosystem 及其算法陌生；再者，它也不是很普及的為 indrustrial standard.
如果我把 FEAL 詳細介紹一遍，那這樣能參與討論的人是不是會變多了！？

2010-2-9 17:06

0