 

The difference between lockdown libs

Started by Rob, May 18, 2007, 10:37 PM


Rob

The 20 lockdown libs function the same. There are 2 seed values that differ between each lib.


typedef unsigned long DWORD;   /* as in <windows.h>: a 32-bit unsigned value on Win32 */

/* One entry per lockdown-IX86-NN.dll; the index into the array is NN. */
struct seed_table {
    DWORD seed1;
    DWORD seed2;
};

struct seed_table seeds[] =
{
    { 0xA1F3055A , 0x4551FB8F }, //00
    { 0x5657124C , 0x81776C47 }, //01
    { 0x1780AB47 , 0x0511663A }, //02
    { 0x80B3A410 , 0x8839FDF0 }, //03
    { 0xAF2179EA , 0xEE60E7D6 }, //04
    { 0x0837B808 , 0xB43A6490 }, //05
    { 0x6F2516C6 , 0x246A64BA }, //06
    { 0xE3178148 , 0x6F6536F1 }, //07
    { 0x0FCF90B6 , 0x3D2C22F0 }, //08
    { 0xF2F09516 , 0x8624FC60 }, //09
    { 0x378D8D8C , 0x9F30D4E7 }, //10
    { 0x07F8E083 , 0x24A7F246 }, //11
    { 0xB0EE9741 , 0x5AE1F560 }, //12
    { 0x7923C9AF , 0x3026FF25 }, //13
    { 0xCA11A05E , 0x0ED32EBF }, //14
    { 0xD723C016 , 0xFB88CB39 }, //15
    { 0xFD545590 , 0x12BF7406 }, //16
    { 0xFB600C2E , 0x8B38612E }, //17
    { 0x684C8785 , 0x95F19E77 }, //18
    { 0x58BEDE0B , 0x2C0F3DCF }, //19
    { 0          , 0          }  /* terminator (the fields are integers, so 0 rather than NULL) */
};


These values are used during the file hashing. These values along with the lib hashing itself are responsible for each lib producing different results.
Rob@USEast

iago

#1
I threw together a quick program to extract the seed values for my own purposes. I might as well share it here. It's somewhat inefficient, running in like O(n*r), but it's designed to work on small files so I don't see a point in improving it. It can also be modified fairly easily to search files for any sequence of bytes.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <sys/types.h>
#include <sys/stat.h>

typedef enum { FALSE = 0, TRUE = 1 } BOOL;

/* Reference bytes for the code sequence that carries the two seeds. As written
 * in `values' they decode as:
 *   81 F1 xx xx xx xx   xor ecx, imm32   (seed1)
 *   35 xx xx xx xx      xor eax, imm32   (seed2)
 *   89 4D 0C            mov [ebp+0Ch], ecx
 *   89 45 10            mov [ebp+10h], eax
 *   6A 08               push 8
 * `check' is the match mask: a 1 means the byte must equal `values', a 0 is a
 * wildcard. Only 0x81, 0x35, 0x6A and 0x08 are pinned; the immediates and the
 * remaining bytes are left free. */
static const unsigned char values[] = "\x81\xf1\xFF\xFF\xFF\xFF\x35\xFF\xFF\xFF\xFF\x89\x4d\x0c\x89\x45\x10\x6a\x08";
static const unsigned char check[]  = "\x01\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x01";
static const size_t length = 19;
static const unsigned int offset1 = 2;   /* imm32 of the first xor  */
static const unsigned int offset2 = 7;   /* imm32 of the second xor */

static void find_seeds(const char *filename)
{
    struct stat filestat;
    FILE *f;
    unsigned char *data;
    size_t i, j;
    size_t actual;
    BOOL found;

    if(stat(filename, &filestat) < 0)
    {
        fprintf(stderr, "Error: couldn't stat file %s\n", filename);
        return;
    }

    f = fopen(filename, "rb");   /* fopen_s() in the original; fopen() is portable */
    if(!f)
    {
        fprintf(stderr, "Error: couldn't open file %s\n", filename);
        return;
    }

    data = malloc((size_t)filestat.st_size);
    if(!data)
    {
        fprintf(stderr, "Error: out of memory reading %s\n", filename);
        fclose(f);
        return;
    }
    actual = fread(data, 1, (size_t)filestat.st_size, f);

    /* Bound the scan by the pattern length; `actual - 0x1c' would wrap for tiny files. */
    for(i = 0; actual >= length && i + length <= actual; i++)
    {
        found = TRUE;

        for(j = 0; j < length && found; j++)
        {
            if(check[j] && (data[i + j] != values[j]))
                found = FALSE;
        }

        if(found)
        {
            uint32_t val1, val2;

            /* memcpy instead of an unaligned int* dereference; the immediates
             * are little-endian, as is the x86 host this is meant to run on. */
            memcpy(&val1, data + i + offset1, sizeof val1);
            memcpy(&val2, data + i + offset2, sizeof val2);

            printf("%s: %08x, %08x\n", filename, (unsigned)val1, (unsigned)val2);

            /* break;   -- uncomment to stop at the first hit per file */
        }
    }

    free(data);
    fclose(f);
}

int main(int argc, char *argv[])
{
    int i;

    if(argc < 2)
    {
        fprintf(stderr, "Error: please specify files on the commandline (%s file1 file2 ...)\n", argv[0]);
    }
    else
    {
        for(i = 1; i < argc; i++)
            find_seeds(argv[i]);
    }

#ifdef _WIN32
    system("pause");   /* keep the console open when launched by double-click */
#endif

    return 0;
}


Output (for all the .dll files):
C:\Temp\lockdown-IX86-00.dll: a1f3055a, 4551fb8f
C:\Temp\lockdown-IX86-01.dll: 5657124c, 81776c47
C:\Temp\lockdown-IX86-02.dll: 1780ab47, 0511663a
C:\Temp\lockdown-IX86-03.dll: 80b3a410, 8839fdf0
C:\Temp\lockdown-IX86-04.dll: af2179ea, ee60e7d6
C:\Temp\lockdown-IX86-05.dll: 0837b808, b43a6490
C:\Temp\lockdown-IX86-06.dll: 6f2516c6, 246a64ba
C:\Temp\lockdown-IX86-07.dll: e3178148, 6f6536f1
C:\Temp\lockdown-IX86-08.dll: 0fcf90b6, 3d2c22f0
C:\Temp\lockdown-IX86-09.dll: f2f09516, 8624fc60
C:\Temp\lockdown-IX86-10.dll: 378d8d8c, 9f30d4e7
C:\Temp\lockdown-IX86-11.dll: 07f8e083, 24a7f246
C:\Temp\lockdown-IX86-12.dll: b0ee9741, 5ae1f560
C:\Temp\lockdown-IX86-13.dll: 7923c9af, 3026ff25
C:\Temp\lockdown-IX86-14.dll: ca11a05e, 0ed32ebf
C:\Temp\lockdown-IX86-15.dll: d723c016, fb88cb39
C:\Temp\lockdown-IX86-16.dll: fd545590, 12bf7406
C:\Temp\lockdown-IX86-17.dll: fb600c2e, 8b38612e
C:\Temp\lockdown-IX86-18.dll: 684c8785, 95f19e77
C:\Temp\lockdown-IX86-19.dll: 58bede0b, 2c0f3dcf


This'll make an interesting test for broken AV:
    X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
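The same search written as a general wildcard-pattern scanner, as an added example that is not part of the thread or either poster's code. It takes the signature in an IDA/YARA-style string ("81 ?? ?? ... 6A 08", transcribed from the `values`/`check` arrays above, so the mask is the same one the C program uses), finds every match, decodes the two little-endian imm32 values at +2 and +7, and maps them back to the lib number through Rob's seed table. The `build_sample` helper and the NOP-padded blob it produces are constructed for the demo and are not real lockdown DLL contents.

```python
"""Wildcard byte-pattern scanner with lockdown seed lookup (added example)."""
import struct

# Rob's seed table: index NN -> (seed1, seed2) for lockdown-IX86-NN.dll.
SEEDS = [
    (0xA1F3055A, 0x4551FB8F), (0x5657124C, 0x81776C47),
    (0x1780AB47, 0x0511663A), (0x80B3A410, 0x8839FDF0),
    (0xAF2179EA, 0xEE60E7D6), (0x0837B808, 0xB43A6490),
    (0x6F2516C6, 0x246A64BA), (0xE3178148, 0x6F6536F1),
    (0x0FCF90B6, 0x3D2C22F0), (0xF2F09516, 0x8624FC60),
    (0x378D8D8C, 0x9F30D4E7), (0x07F8E083, 0x24A7F246),
    (0xB0EE9741, 0x5AE1F560), (0x7923C9AF, 0x3026FF25),
    (0xCA11A05E, 0x0ED32EBF), (0xD723C016, 0xFB88CB39),
    (0xFD545590, 0x12BF7406), (0xFB600C2E, 0x8B38612E),
    (0x684C8785, 0x95F19E77), (0x58BEDE0B, 0x2C0F3DCF),
]

# Same 19-byte signature and mask as iago's extractor: 0x81 (ALU op r/m32, imm32),
# 0x35 (xor eax, imm32) and the trailing 6A 08 (push 8) are pinned, all else is '??'.
SEED_PATTERN = "81 ?? ?? ?? ?? ?? 35 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 6A 08"
SEED1_OFFSET, SEED2_OFFSET = 2, 7   # imm32 positions inside a match


def parse_pattern(text):
    """Turn 'AA ?? BB' into (values, mask); mask byte 1 = must match, 0 = wildcard."""
    values, mask = bytearray(), bytearray()
    for tok in text.split():
        if tok == "??":
            values.append(0)
            mask.append(0)
        else:
            values.append(int(tok, 16))
            mask.append(1)
    return bytes(values), bytes(mask)


def find_pattern(data, values, mask):
    """Yield every offset where data matches values under mask (O(n*m), fine for DLL-sized input)."""
    n, m = len(data), len(values)
    for i in range(n - m + 1):          # empty range when data is shorter than the pattern
        if all(mask[j] == 0 or data[i + j] == values[j] for j in range(m)):
            yield i


def extract_seeds(data):
    """Return [(offset, seed1, seed2), ...] for every signature hit in data."""
    values, mask = parse_pattern(SEED_PATTERN)
    hits = []
    for off in find_pattern(data, values, mask):
        seed1 = struct.unpack_from("<I", data, off + SEED1_OFFSET)[0]
        seed2 = struct.unpack_from("<I", data, off + SEED2_OFFSET)[0]
        hits.append((off, seed1, seed2))
    return hits


def identify_lib(seed1, seed2):
    """Map a seed pair back to its lockdown lib index, or None if it is not in the table."""
    try:
        return SEEDS.index((seed1, seed2))
    except ValueError:
        return None


def build_sample(lib_index, padding=b"\x90" * 16):
    """Constructed demo input: the seed sequence for lib_index wrapped in NOPs (not a real DLL)."""
    seed1, seed2 = SEEDS[lib_index]
    code = (b"\x81\xF1" + struct.pack("<I", seed1)      # xor ecx, seed1
            + b"\x35" + struct.pack("<I", seed2)        # xor eax, seed2
            + b"\x89\x4D\x0C\x89\x45\x10\x6A\x08")      # mov/mov/push 8
    return padding + code + padding


if __name__ == "__main__":
    blob = build_sample(7)
    for off, s1, s2 in extract_seeds(blob):
        lib = identify_lib(s1, s2)
        print(f"offset {off:#x}: {s1:08x}, {s2:08x} -> lockdown-IX86-{lib:02d}")
```

To run it over real files, replace `blob` with `open(path, "rb").read()`; because the mask pins only four bytes, check `identify_lib` on every hit rather than trusting the first match.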