
I'm disassembling a shellcode and I found that it resolves the address of some functions manually, using a hash to find the function in kernel32.dll. Example:

call findKernel32Base
....
push 0EC0E4E8Eh
call findSymbolByHash
mov [ebp-4], eax

For this example the function resolved is LoadLibraryA; I found it by searching the hash on Google, but what if I don't find it on Google? How can I find the function related to the hash value without debugging the shellcode (some manual resolutions failed when I debugged it, so it crashed)?

Thank you !

Neolex

1 Answer

IIRC you can't go from a constant hash to a name, but you can hash an exported name and compare the generated hash with the constant.

You can see a discussion and an implementation here.

A ripped Python implementation using the discussion follows:

:\>cat foo.py
def rol32(val, amt):
    # rotate a 32-bit value left by amt bits
    return ((val << amt) & 0xffffffff) | ((val >> (32 - amt)) & 0xffffffff)

def ror32(val, amt):
    # rotate a 32-bit value right by amt bits
    return ((val >> amt) & 0xffffffff) | ((val << (32 - amt)) & 0xffffffff)

def add32(val, amt):
    # 32-bit addition with wrap-around
    return (val + amt) & 0xffffffff

def hash_export(name):
    # ROR-13 hash: rotate the running value right by 13, then add the next byte
    result = 0
    index = 0
    while index < len(name):
        result = add32(ror32(result, 13), ord(name[index]) & 0xff)
        index += 1
    return result

print(hex(hash_export("LoadLibraryA")))
:\>python foo.py
0xec0e4e8eL
blabb
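The answer above describes the practical approach: since the hash cannot be inverted, you hash every candidate export name and look for a match. The following is an added example (not code from the question, the answer, or any project) that turns that idea into a small resolver: it builds a reverse table from a list of export names to their ROR-13 hashes and looks up the constants pulled from the shellcode. The candidate list here is a constructed handful of common kernel32 export names so the script runs offline; the optional load_exports_with_pefile helper assumes the third-party pefile package is installed and reads the real export table of a DLL you supply. The include_nul flag is an assumption about variant loaders that also fold the terminating NUL into the hash; the page's constant matches the variant without it.

```python
"""Reverse-match ROR-13 export hashes against candidate export names (added example)."""


def ror13_hash(name, include_nul=False):
    """ROR-13 hash as used by many position-independent API resolvers.

    For each byte: rotate the 32-bit accumulator right by 13, then add the byte.
    include_nul=True additionally processes the terminating NUL, a variant some
    loaders use (assumption; the page's 0xEC0E4E8E is the variant without it).
    """
    data = name.encode("ascii")
    if include_nul:
        data += b"\x00"
    h = 0
    for ch in data:
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + ch) & 0xFFFFFFFF
    return h


def build_hash_table(names, include_nul=False):
    """Map hash -> list of names producing it (lists, so collisions are visible)."""
    table = {}
    for n in names:
        table.setdefault(ror13_hash(n, include_nul), []).append(n)
    return table


def resolve_hashes(hashes, names):
    """Resolve each constant to the export names that hash to it.

    Tries the plain variant first and the NUL-terminated variant second, so a
    hash produced by either convention is reported.
    """
    plain = build_hash_table(names, include_nul=False)
    with_nul = build_hash_table(names, include_nul=True)
    resolved = {}
    for h in hashes:
        resolved[h] = plain.get(h) or with_nul.get(h) or []
    return resolved


# Constructed candidate list: a few real kernel32 export names, not a full table.
CANDIDATE_EXPORTS = [
    "LoadLibraryA",
    "GetProcAddress",
    "ExitProcess",
    "WinExec",
    "CreateProcessA",
    "VirtualAlloc",
]


def load_exports_with_pefile(dll_path):
    """Read the export name table of a DLL. Requires the pefile package (assumption)."""
    import pefile  # imported lazily so the rest of the script runs without it

    pe = pefile.PE(dll_path)
    return [
        sym.name.decode("ascii")
        for sym in pe.DIRECTORY_ENTRY_EXPORT.symbols
        if sym.name
    ]


if __name__ == "__main__":
    # 0xEC0E4E8E is the constant pushed in the shellcode from the question.
    for h, names in resolve_hashes([0xEC0E4E8E], CANDIDATE_EXPORTS).items():
        print("0x%08X -> %s" % (h, names or "unresolved"))
```

For a real sample, replace CANDIDATE_EXPORTS with the names returned by load_exports_with_pefile on the DLL the shellcode walks (kernel32.dll in the question); an unresolved constant usually means the shellcode hashes a different module, uses a different rotation count, or folds extra bytes such as the module name into the hash.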