| Author | Message | Time |
|---|---|---|
| rob | The 20 lockdown libs function the same. There are 2 seed values that differ between each lib. [code] struct seed_table { DWORD seed1; DWORD seed2; }; struct seed_table seeds[] = { { 0xA1F3055A , 0x4551FB8F }, //00 { 0x5657124C , 0x81776C47 }, //01 { 0x1780AB47 , 0x0511663A }, //02 { 0x80B3A410 , 0x8839FDF0 }, //03 { 0xAF2179EA , 0xEE60E7D6 }, //04 { 0x0837B808 , 0xB43A6490 }, //05 { 0x6F2516C6 , 0x246A64BA }, //06 { 0xE3178148 , 0x6F6536F1 }, //07 { 0x0FCF90B6 , 0x3D2C22F0 }, //08 { 0xF2F09516 , 0x8624FC60 }, //09 { 0x378D8D8C , 0x9F30D4E7 }, //10 { 0x07F8E083 , 0x24A7F246 }, //11 { 0xB0EE9741 , 0x5AE1F560 }, //12 { 0x7923C9AF , 0x3026FF25 }, //13 { 0xCA11A05E , 0x0ED32EBF }, //14 { 0xD723C016 , 0xFB88CB39 }, //15 { 0xFD545590 , 0x12BF7406 }, //16 { 0xFB600C2E , 0x8B38612E }, //17 { 0x684C8785 , 0x95F19E77 }, //18 { 0x58BEDE0B , 0x2C0F3DCF }, //19 { NULL , NULL } }; [/code] These values are used during the file hashing. These values along with the lib hashing itself are responsible for each lib producing different results. | May 19, 2007, 3:37 AM |
| iago | I threw together a quick program to extract the seed values for my own purposes. I'd might as well share it here. It's somewhat inefficient, running in like O(n*r), but it's designed to work on small files so I don't see a point in improving it. It can also be modified fairly easily to search fiels for any sequence of bytes. [code]#include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/types.h> #include <sys/stat.h> typedef enum { FALSE = 0, TRUE = 1 } BOOL; unsigned char *values = "\x81\xf1\xFF\xFF\xFF\xFF\x35\xFF\xFF\xFF\xFF\x89\x4d\x0c\x89\x45\x10\x6a\x08"; unsigned char *check = "\x01\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x01"; size_t length = 19; unsigned int offset1 = 2; unsigned int offset2 = 7; void find_seeds(char *filename) { struct stat filestat; FILE *f; unsigned char *data; size_t i, j; size_t actual; BOOL found; if(stat(filename, &filestat) < 0 ) { fprintf(stderr, "Error: couldn't stat file %s\n", filename); return; } fopen_s(&f, filename, "rb"); if(!f) { fprintf(stderr, "Error: couldn't open file %s\n", filename); return; } data = malloc(filestat.st_size); actual = fread(data, 1, filestat.st_size, f); for(i = 0; i < actual - 0x1c; i++) { found = TRUE; for(j = 0; j < length && found; j++) { if(check[j] && (data[i + j] != values[j])) found = FALSE; } if(found) { int *val1 = (int*) (data + i + offset1); int *val2 = (int*) (data + i + offset2); printf("%s: %08x, %08x\n", filename, *val1, *val2); // break; } } free(data); fclose(f); } int main(int argc, char *argv[]) { int i; if(argc < 2) { fprintf(stderr, "Error: please specify files on the commandline (%s file1 file2 ...)\n", argv[0]); } else { for(i = 1; i < argc; i++) find_seeds(argv[i]); } system("pause"); return 0; }[/code] Output (for all the .dll files): [code]C:\Temp\lockdown-IX86-00.dll: a1f3055a, 4551fb8f C:\Temp\lockdown-IX86-01.dll: 5657124c, 81776c47 C:\Temp\lockdown-IX86-02.dll: 1780ab47, 0511663a C:\Temp\lockdown-IX86-03.dll: 80b3a410, 8839fdf0 C:\Temp\lockdown-IX86-04.dll: af2179ea, ee60e7d6 C:\Temp\lockdown-IX86-05.dll: 0837b808, b43a6490 C:\Temp\lockdown-IX86-06.dll: 6f2516c6, 246a64ba C:\Temp\lockdown-IX86-07.dll: e3178148, 6f6536f1 C:\Temp\lockdown-IX86-08.dll: 0fcf90b6, 3d2c22f0 C:\Temp\lockdown-IX86-09.dll: f2f09516, 8624fc60 C:\Temp\lockdown-IX86-10.dll: 378d8d8c, 9f30d4e7 C:\Temp\lockdown-IX86-11.dll: 07f8e083, 24a7f246 C:\Temp\lockdown-IX86-12.dll: b0ee9741, 5ae1f560 C:\Temp\lockdown-IX86-13.dll: 7923c9af, 3026ff25 C:\Temp\lockdown-IX86-14.dll: ca11a05e, 0ed32ebf C:\Temp\lockdown-IX86-15.dll: d723c016, fb88cb39 C:\Temp\lockdown-IX86-16.dll: fd545590, 12bf7406 C:\Temp\lockdown-IX86-17.dll: fb600c2e, 8b38612e C:\Temp\lockdown-IX86-18.dll: 684c8785, 95f19e77 C:\Temp\lockdown-IX86-19.dll: 58bede0b, 2c0f3dcf [/code] | May 28, 2007, 8:33 PM |