Results 1 to 3 of 3

Thread: 32Bit Hash reverse engineering

  1. #1
    Member
    Join Date
    Jan 2017
    Location
    belgium
    Posts
    1
    Thanks
    0
    Thanked 0 Times in 0 Posts

    32Bit Hash reverse engineering

    Guys,
    I got this string (hex) which actually is a protobuf

    080110b0d60118d8e1f2bc860220d9033a5f08b0d60110d8e1 f2bc860218002098910f2800300040e4b3fd04480058006000 68c1ea8b02708692407803800100980194800ca0018f9e8010 a80100b80101c00100cd010e0eacc8d501d6d8ad47dd019447 b746e001b0d601e80100f801004001480150a8def2bc860260 c08d87300b270b4c

    Only the first 129 bytes of this string is actually the Protobuf, the last 4 bytes represent a hash. (echo "string" | xxd r -p | protoc --decode_raw > decodes the protobuf - without the last 4 bytes)
    I need to find the method to generate this hash. I tried MurMur32, xxHash, CRC32, a ton of others, ... looks like it's proprietary. Any idea on how to reverse engineer it? I have a log full of those strings, so I could do some stats, but that won't reveal the algorithm
    Thanks for the help!
    -FJ

  2. #2
    Administrator Shelwien's Avatar
    Join Date
    May 2008
    Location
    Kharkov, Ukraine
    Posts
    3,976
    Thanks
    296
    Thanked 1,304 Times in 740 Posts
    1. You can try hashing the data with only 1 bit changed, etc.
    2. You can try finding hash values with only 1 bit changed
    3. For string pairs, see how xor affects it: s1^s2 -?- crc1^crc2 (see https://en.wikipedia.org/wiki/Differ..._cryptanalysis)

    It could be a crc32 with bytes in BE order, or a different polynomial, in which case you might be able to reproduce it.
    But if there's something more complicated (eg. first 4 bytes of md5), it would be impossible to do like this.

    Don't you have any information about the app which produced that?
    Maybe you'd find a reference implementation (i've seen a couple in google output), or app sources?
    And what about reverse-engineering the app itself?

  3. Thanks (2):

    PSHUFB (18th January 2017),snowcat (17th January 2017)

  4. #3
    Member
    Join Date
    Feb 2014
    Location
    Canada
    Posts
    17
    Thanks
    23
    Thanked 0 Times in 0 Posts
    You can also try something like Espresso to try to find a simple underlying representation of the function, which would probably lead directly to the hash function. It would work best with small input sizes though - if all your inputs are 129 bytes I'm not sure if it would work or just choke.

Similar Threads

  1. Perfect Hash Function to Hash Strings
    By joey in forum Data Compression
    Replies: 18
    Last Post: 22nd March 2016, 10:59
  2. identification/reverse engineer of possible lz compression
    By patr0805 in forum Data Compression
    Replies: 4
    Last Post: 2nd March 2014, 23:45
  3. Extremely fast hash
    By Bulat Ziganshin in forum Data Compression
    Replies: 36
    Last Post: 23rd August 2013, 21:25
  4. Directory hash as one string
    By FatBit in forum The Off-Topic Lounge
    Replies: 6
    Last Post: 16th January 2012, 23:29
  5. Hash Zip
    By Black_Fox1 in forum Forum Archive
    Replies: 6
    Last Post: 4th March 2007, 17:12

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •