ROR13 (Library Function)
ROR13 (rotate right 13) is not a cryptographic hash, but it can be used to take strings of any length and convert them into an integer value. It is used within executable code to generate an address to an API function within a DLL. The developer, though, must make sure there are no collisions with other functions in other modules. With ROR13 we take each 8-bit character and then convert it to a Unicode value (with 16 bits). The result is a 32-bit integer value, which is used as the address for the API function call.
Outline
For each character, we rotate the bits right by thirteen places:
(dword >> 13 | dword << (32 - 13)) & 0xFFFFFFFF
Here are some examples of APIs from gdi32.dll:
0x6D0739BB 1011 0 AbortDoc
0xE6636521 1012 1 AbortPath
0x23001A6D 1017 2 AddFontMemResourceEx
0x8DDEAA5D 1018 3 AddFontResourceA
0x7B6A98A4 1019 4 AddFontResourceExA
0x7B6A98BA 1020 5 AddFontResourceExW
0x171398EA 1021 6 AddFontResourceTracking
0x8DDEAA73 1022 7 AddFontResourceW
A sample run is:
== ROR13 hash ===

Function: AbortDoc
ROR13 Hash: 0x6D0739BB

and:

== ROR13 hash ===

Function: AbortPath
ROR13 Hash: 0xE6636521
If we run
Coding
The following is the code. In this case, we convert the name of the module into uppercase for the ROR13 operation:
# Some code extracted from https://github.com/iagox86/nbtool/blob/master/samples/shellcode-win32/hash.py
import sys

def ror32(dword, bits):
    # Rotate a 32-bit value right by the given number of bits
    return (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF

def add32(val, amt):
    # Add with wrap-around at 32 bits
    return (val + amt) & 0xffffffff

def hash(function):
    # Rotate the running result right by 13, then add the next character
    result = 0
    index = 0
    while(index < len(function)):
        result = add32(ror32(result, 13), ord(function[index]) & 0xff)
        index += 1
    return result

function="LoadLibraryA"

# Take the function name from the command line if one is given
if (len(sys.argv)>1):
    function=str(sys.argv[1])

print("== ROR13 hash ===\n")
print("Function:\t\t",function)
print('ROR13 Hash:\t\t0x%X' % hash(function))
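The collision point made above can be checked from the analysis side. The following is an added example, not code from the original page or from nbtool: it builds a reverse lookup from ROR13 hash to export name, resolves 32-bit constants back to candidate APIs, and reports hashes shared by more than one export. The gdi32.dll names are those listed on this page; `example.dll`, `ExampleInit` and the constant list are constructed for illustration.

```python
from collections import defaultdict

def ror32(dword, bits):
    """Rotate a 32-bit value right by `bits` places."""
    return ((dword >> bits) | (dword << (32 - bits))) & 0xFFFFFFFF

def ror13_hash(name):
    """Function-name ROR13 hash, same arithmetic as the page's hash()."""
    result = 0
    for byte in name.encode("latin-1"):
        result = (ror32(result, 13) + byte) & 0xFFFFFFFF
    return result

def build_lookup(exports):
    """Map each hash to every (module, function) pair that produces it."""
    table = defaultdict(list)
    for module, names in exports.items():
        for name in names:
            table[ror13_hash(name)].append((module, name))
    return dict(table)

def collisions(table):
    """Hashes that no longer identify a single export."""
    return {h: hits for h, hits in table.items() if len(hits) > 1}

def resolve(table, constants):
    """Turn 32-bit constants seen in a sample into candidate exports."""
    return {c: table.get(c, []) for c in constants}

# gdi32.dll names come from the table on this page; example.dll and its
# export list are constructed to show a cross-module collision.
EXPORTS = {
    "gdi32.dll": ["AbortDoc", "AbortPath", "AddFontMemResourceEx",
                  "AddFontResourceA", "AddFontResourceExA",
                  "AddFontResourceExW", "AddFontResourceTracking",
                  "AddFontResourceW"],
    "example.dll": ["AbortDoc", "ExampleInit"],
}
# Constructed input: constants an analyst might pull from a disassembly.
CONSTANTS = [0x6D0739BB, 0xE6636521, 0xDEADBEEF]

if __name__ == "__main__":
    table = build_lookup(EXPORTS)
    for const, hits in resolve(table, CONSTANTS).items():
        print("0x%08X -> %s" % (const, hits or "unknown"))
    for h, hits in collisions(table).items():
        print("collision 0x%08X: %s" % (h, hits))
```

Because only the function name is hashed here, the same export name in two modules always yields the same value, which is the collision case the text warns about.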