decrypt data using TEA

rule:
  meta:
    name: decrypt data using TEA
    namespace: data-manipulation/encryption/tea
    authors:
      - william.ballenthin@mandiant.com
      - raymond.leong@mandiant.com
    scopes:
      static: function
      dynamic: unsupported  # requires operand[1].number, characteristic, mnemonic, Not features
    att&ck:
      - Defense Evasion::Obfuscated Files or Information [T1027]
    mbc:
      - Defense Evasion::Obfuscated Files or Information::Encryption-Standard Algorithm [E1027.m05]
    references:
      - https://en.wikipedia.org/wiki/Tiny_Encryption_Algorithm
    examples:
      - 5B99FA01C72CEBC53A76CC72E9581189:0x180001027
      - 7FD2E2E3C88675D877190ABAA3002B55:0x010004EC0
  features:
    - and:
      - basic block:
        - and:
          - instruction:
            - mnemonic: shr
            - operand[1].number: 0x5
          - instruction:
            - mnemonic: shl
            - operand[1].number: 0x4
          - count(mnemonic(shr)): 0x2
          - characteristic: nzxor
      - or:
        - operand[1].number: 0x9E3779B9 = key schedule constant
        - operand[1].number: 0x61C88647 = key schedule constant two's complement
      - operand[1].number: 0xC6EF3720 = sum
      - not:
        - basic block:
          - and:
            - description: q setup only in XXTEA
            - instruction:
              - mnemonic: mov
              - operand[1].number: 0x34
            - instruction:
              - mnemonic: add
              - operand[1].number: 0x6
            - instruction:
              - mnemonic: idiv