Reversing the XXTEA Algorithm
Posted: 2022-11-28 22:27
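While reversing a file-encryption routine, I could not tell for a long time which algorithm it was; the decryption process is attached here.

1. Key initialization: the buffer that holds the key is allocated with a length of 16 bytes, which already suggests that the algorithm uses 128-bit encryption.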
```c
char *__cdecl sub_FDB2E0(void *Src, size_t Size)
{
  char *v3; // [esp+4Ch] [ebp-4h]

  v3 = (char *)malloc(0x10u);       // allocate the 16-byte buffer that holds the key
  memmove(v3, Src, Size);           // copy the key bytes (Size is not checked against 16)
  memset(&v3[Size], 0, 16 - Size);  // zero the remaining bytes
  return v3;
}
```
2. Decryption: the algorithm contains a distinctive constant, so I simply searched Baidu for 0x9E3779B9 and found an article on it.

That article mentions the TEA algorithm, so I tried TEA decryption, and testing eventually showed that XXTEA decryption succeeds.
```c
unsigned int __cdecl sub_FDB330(int *a1, unsigned int a2, int a3)
{
  unsigned int result; // eax
  int v4; // edx
  int v5; // edx
  int v6; // [esp+50h] [ebp-1Ch]
  unsigned int v7; // [esp+54h] [ebp-18h]
  int i; // [esp+5Ch] [ebp-10h]
  unsigned int v9; // [esp+60h] [ebp-Ch]

  v9 = *a1;
  result = 0x9E3779B9 * (0x34 / a2 + 6);
  v7 = result;
  if ( a2 != 1 )
  {
    while ( v7 )
    {
      v6 = (v7 >> 2) & 3;
      for ( i = a2 - 1; i; --i )
      {
        v4 = a1[i]
           - (((a1[i - 1] ^ *(_DWORD *)(a3 + 4 * (v6 ^ i & 3))) + (v9 ^ v7))
            ^ (((16 * a1[i - 1]) ^ (v9 >> 3)) + ((4 * v9) ^ ((unsigned int)a1[i - 1] >> 5))));
        a1[i] = v4;
        v9 = v4;
      }
      v5 = *a1
         - (((a1[a2 - 1] ^ *(_DWORD *)(a3 + 4 * v6)) + (v9 ^ v7))
          ^ (((16 * a1[a2 - 1]) ^ (v9 >> 3)) + ((4 * v9) ^ ((unsigned int)a1[a2 - 1] >> 5))));
      *a1 = v5;
      v9 = v5;
      result = v7 + 0x61C88647;
      v7 += 0x61C88647;
    }
  }
  return result;
}
```