Didier Stevens

Monday 27 January 2020

Update: hash.py Version 0.0.8

Filed under: My Software,Update — Didier Stevens @ 0:00

In this new version of hash.py, a tool to calculate hashes, I add “hash” checksum8.

Checksum8 calculates the sum of all bytes contained in the provided file(s), each byte is interpreted as an unsigned, 8-bit integer.

I recently had to validate that the path of a URL was a “valid” Meterpreter identifier. When the least significant byte of the 8-bit checksum of the path is equal to 92 (0x5C), then we have a valid URL for a Windows Meterpreter stager.

Take this URL: http://127.0.0.1/RVdP. Could this be a “Windows Meterpreter” URL? Let’s calculate the checksum of RVdP:

The 8-bit checksum of RVdP is 0x015C. The least significant byte is 0x5C, or 92: this matches URI_CHECKSUM_INITW, e.g. this could indeed be a URL used by a reverse http Meterpreter payload.

Besides this new feature, hash.py comes with other features like “pack expressions” and various bug fixes.

hash_V0_0_8.zip (https)
MD5: 03F928332874447F6198A9FDE46E3AA7
SHA256: 80C493639CA7160D1455FABA38A2A04556240326D4BA78B8207CA8FF8B09E1B2

Blog at WordPress.com.