**Previously the Hubble analysis of the system describes about the modified MBR for disk encryption extortion Trojan Petya's. Recently Leo Stone gives crack Petya key full blasting code and decrypt tool, and noted that Petya author is using a variant of the Salsa20 algorithm to perform key verification. By now it is given the source code and combined with the Salsa algorithm Description, You can restore the Petya for algorithm changes, as well as its process-specific logic.**

**To Salsa20
Salsa20 is composed of Daniel J. Bernstein invention, a packet encryption algorithm, can be for a maximum of 2^7 0 Byte data to be encrypted, where the packet length is 2^6=6 4 bytes. This algorithm is a symmetric encryption algorithm, and the encryption and decryption operations are equivalent, i.e., the plaintext using the same key for 2 times the encryption can be obtained to restore the plaintext.
Salsa input
Salsa requires the following input data:
Key: Key, 1 6 or 3 2 bytes;
IV: initial vector, 8 bytes;
Round: calculate the number of rounds, values of 8, 1 2 or 2 0; the
Message: plaintext, no more than 2^7 0 bytes.
Salsa the output Ciphertext is the Message length of the encrypted data.
The official website references a Python language Demo, which gives the usage is as follows:
!
The Key parameter
The Key is by Petya for disk encryption key conversion. When the user enter the key after that Petya will use this key class Salsa calculations, the results with the disk 5 of 5 the sector stored in 5 1 2-byte reserved data for comparison, if the result is consistent with the description of the key effective.
Salsa, Key requirements Minimum 1 to 6 bytes, but Petya valid key is only 8 bytes. This key has three forms of transformation: the
1. Original key: that 8-bit key. In order to facilitate user input, the character must be from digits and upper and lowercase letters choose to crack the source code defines 5 4 valid characters;
!
2. Terminal key: the user input key, a total of 1 to 6 characters, is in the original key for each character after the addition of the letter“x”is formed;
!
3. Salsa key: the original key is expanded into a 1 6-byte form, for the Salsa algorithm of the Key. The extension method is the original key of each byte of b extended to 2 bytes, the low bit of b with the character“z”correspond to ASCII 1 of 2 2 of and, high is b*2。 （Salsa algorithm in the data is little endian, the same below it.
!
In addition it is worth noting that, the original Salsa algorithm requires a group of 8 DWORD 3 2 byte of the Key, when the input of the Key parameters of only 1 to 6 bytes, the Key a copy of the extension to 3 2 bytes; but Petya variants of the algorithm, the 1 6-byte Key directly divided into 8 groups of WORD are calculated.
IV parameters
The initial vector, and this vector is Petya stored in the disk 5 4 Sector 3 3 offset at the beginning of the 8 bytes, in the hack source code called a Nonce. Although the storage of 8 bytes, but Petya is only used where 0, 1, 4, and 5 for a total of 4 bytes, i.e. two DWORD low WORD bits.
!
Parameter expansion
Crack the source code in the structure body is a good description of the Salsa algorithm for computing the data structure:
!
With the original version of the algorithm, Petya variants of the algorithm the largest difference is that each field into a 2 byte. Wherein the Key and the Nounce IV has already been discussed, and the Const and the Counter is the input parameter for extension.
Const is the constant data in the Salsa algorithm is defined as follows:
!
Its meaning by translation into a corresponding ASCII character seen:
!
And Petya at the time of use, the same just take their low-WORD-bit operation.
!
Counter is a counter, the initial value is 0, the means for recording the current packet and participate in the operation. In the original algorithm, the Counter is a 6 4-bit integer value, you can encrypt up to 2^6 to 4 packet, and then multiplied by each set of 6 4-byte length in total can encrypt the data amount can be up to 2^7 0 bytes. Similarly, in Petya variants in the packet upper limit is also subject to a limit of 2^3 to 2, but in fact Petya only 8 packets.
Calculate the number of rounds
Leo Stone thought Petya only 1 0 wheel operation, the amount of computation is the original algorithm is that this is actually a misconception. In the official reference of the Salsa20 implementation, the standard number of cycles only 1 0:
!
This is because, each time the cycle actually conducted two rounds of operations, in the official document is called a row operation of the wheel and the column operation wheel rowround, the columnround, so 1 0 times the loop has reached the Salsa20 computing the number of rounds.
!
!
The output data
After the calculations are complete, the Salsa algorithm for each set of results before and after stitching together, and then take the plaintext as long as the data, and plaintext XOR operation, to obtain output ciphertext. This is also the Salsa of the encryption and decryption operations why is the equivalence of cause: the operation result with the ciphertext XOR, it is possible to obtain the plaintext data.
In the decryption code, can be seen in the reading of the disk 5 of 5 sectors reserved for after the results, it will be bitwise AND 0×3 7 to do the XOR operation:
!
And this step really means is that Petya use Salsa variants of the algorithm and the parameters specified for each bit are 0×3 7 5 1 2-byte plaintext for the encryption operation, and then the ciphertext is written to a disk sector.
Interestingly, Petya, although in the previous step, most use a 2-byte WORD as the basic data length, but in the output set of results, they retain a packet length of 6 4-byte set. This means that the front of the petya_matrix structure, each field must be from the 2-byte extended to 4 bytes, the upper WORD is filled with 0, and in the next exclusive-or operation, it will expose the clear text of the feature:
!
Written in the last
Perhaps it is in order to be in MBR in the smooth running of sake, Petya for the Salsa20 algorithm has been very much simplified, including many of the DWORD instead of WORD. And one of the most important changes, is the key to space limitations in 5 4^8 range, and the plaintext and ciphertext are known, this is a brute-force key provides favorable conditions.
References
https://github.com/leo-stone/hack-petya
https://cr.yp.to/snuffle/spec.pdf
http://www.seanet.com/~bugbee/crypto/salsa20/
**