Tea轮函数加密逆向笔记

部分加密环节逆向

  • REV R1 R1 //是指对R1的字节进行反转,如R1中本来保存的是744308C2,经过REV反转后,R1保存的字节为C2084374
  • JAVA传入的参数有两个,暂且称之为传参1、传参2
  • 传参1为8位字节长,分别保存在R0、R1两个寄存器中,传参2为16位字节长(疑似加密密钥),分别保存在R5、R6、R7、R12四个寄存器中

关键轮函数加密部分

R0 = C2084374 R1 = C500F400 R2 为栈缓冲区,主要用于字节中转 R3 = 0 R4 = E3779B90 R5 = 574B5A79 R6 = 54446575 R7 = 3146736B R8 = 78486E41

R3 = R3 + 0x9F000000 R8 = R12 + (R1 << 4 ) (左移4位)

R3 = R3 – 0xC80000

R3 = R3 – 0x8600

R3 = R3 – 0x47

R9 = R3 + R1

if (R3 = R4): R8 = R9 ^ R8 (位异或) R9 = R7 + (R1 >> 5) R8 = R8 ^ R9 R0 = R0 + R8 R9 = R6 + (R0 << 4) R8 = R5 + (R0 >> 5) R8 = R0 + R3 R9 = R9 ^ R9 R8 = R8 ^ R9 R1 = R1 + R8

循环结束后,R0 = E980238E (其实是R2反转后写入),R1 = BCDC6241

发表评论

电子邮件地址不会被公开。

This site uses Akismet to reduce spam. Learn how your comment data is processed.