-
June 29th, 2009, 03:22 PM
#1
Calculate DLL 4Byte Hash Checksum
Code:
// CalcDLLHash.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <stdio.h>
#include <string.h>
#include <iostream.h>
#include <mbstring.h>
char * CalcHash(unsigned char * MyString)
{
unsigned int h;
unsigned char *c=MyString;
while(*c)
{
h=((h<<5)|(h>>27))+*c++;
}
printf("Done");
return 0;
}
int main(int argc, char* argv[])
{
//unsigned char* MyStr = new unsigned char [16];
//*_mbscpy(MyStr, unsigned char *("LoadLibraryA"));
unsigned char* MyStr = (unsigned char *)"LoadLibraryA";
//MyStr = MyStringA;
CalcHash(MyStr);
printf("Hello World!\n");
return 0;
}
LoadLibraryA was supposed to come back
;LoadLibraryA
;db 0x8e
;db 0x4e
;db 0x0e
;db 0xec
but im getting h = 0xFFE7AAA8 =(
Anyone know why?
Edit: I also tryed writing this in MASM
Code:
include \masm32\include\masm32rt.inc
includelib \masm32\lib\masm32rt.lib
.486
.model flat, stdcall
option casemap :none
.const
LL db "LoadLibraryA", 0
.code
start:
xor edi, edi
xor eax, eax
cld ;Clear Direction Flags For LoadStringByte
mov esi, OFFSET LL
push esi
compute_hash_again:
lodsb
test al, al
jz compute_hash_finished
ror edi, 0dh
add edi, eax
jmp compute_hash_again
compute_hash_finished:
pop esi
print hex$([esi])
;ret
;DEFINE CONSTANTS
;locate_kernel32_hashes:
; call locate_kernel32_hashes_return
;LoadLibraryA
;db 0x8e
;db 0x4e
;db 0x0e
;db 0xec
I created this code to see if I can calculate DLL hashes the same way PE headers do and My results came wrong, The "Correct" Results for LoadLibraryA were supposed be
;db 0x8e
;db 0x4e
;db 0x0e
;db 0xec
I get
0x64616F4C
No go =(
Last edited by AgentSmithers; June 29th, 2009 at 03:29 PM.
-
June 30th, 2009, 06:27 AM
#2
Re: Calculate DLL 4Byte Hash Checksum
Here is the problem:
unsigned char* MyStr = (unsigned char *)"LoadLibraryA";
should be:
char * CalcHash(char * MyString)
{
unsigned int h;
unsigned char *c=(unsigned char*)MyString;
while(*c)
{
h=((h<<5)|(h>>27))+*c++;
}
printf("Done");
return 0;
}
char MyStr[] = "LoadLibraryA";
CalcHash(MyStr);
-
June 30th, 2009, 01:45 PM
#3
Re: Calculate DLL 4Byte Hash Checksum
I got 0x331adddc
Code:
// CalcDLLHash.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <stdio.h>
#include <string.h>
#include <iostream.h>
#include <mbstring.h>
char * CalcHash(char * MyString)
{
unsigned int h = 0;
unsigned char *c=(unsigned char*)MyString;
while(*c)
{
h=((h<<5)|(h>>27))+*c++;
}
printf("Done");
return 0;
}
int main(int argc, char* argv[])
{
//unsigned char* MyStr = new unsigned char [16];
//*_mbscpy(MyStr, unsigned char *("LoadLibraryA"));
//unsigned char* MyStr = (unsigned char *)"LoadLibraryA\0";
char MyStr[] = "LoadLibraryA";
//MyStr = MyStringA;
CalcHash(MyStr);
printf("Hello World!\n");
return 0;
}
Last edited by AgentSmithers; June 30th, 2009 at 01:56 PM.
-
July 1st, 2009, 06:40 PM
#4
Re: Calculate DLL 4Byte Hash Checksum
Code:
// FunctionHashInShellcodes.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <stdio.h>
unsigned long hash_by(void *key, unsigned long num)
{
unsigned long hash = 0;
char *c = (char *)key;
while (*c != 0)
{
hash = hash << (32-num) | hash >> (num);
hash += *c;
c++;
}
return hash;
}
int main(int argc, char* argv[])
{
printf(" %s 0x%08x\n","accept",hash_by("accept",0xd));
printf(" %s 0x%08x\n","LoadLibraryA",hash_by("LoadLibraryA",0xd));
printf(" %s 0x%08x\n","loadlibrarya",hash_by("loadlibrarya",0xd));
//LoadLibraryA = 0xec0e4e8e
return 0;
}
This works! I converted it from the Linux version src:http://nepenthes.carnivore.it/cnsi:function_hashes
It is cap sensitive LoadLibraryA will produce a different result then loadlibrarya, But why 0xD?
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
Click Here to Expand Forum to Full Width
|