rahash2

The rahash2 tool can be used to compute checksums of files, disk devices or strings, either block by block or over the whole input, using many different hash algorithms.

This tool is also capable of doing some encoding/decoding operations like base64 and xor encryption.

This is an example usage:

  $ rahash2 -a md5 -s "hello world"

Note that rahash2 can also read from stdin as a stream, so you don't need 4GB of RAM to compute the hash of a 4GB file.

Hashing by blocks

When doing forensics, it is useful to compute partial checksums: you may want to split a huge file into small portions that are easier to identify by their contents or by their region on the disk.

Blocks with identical contents produce the same hash, so repeated blocks stand out immediately; a block filled entirely with zeros is the typical example.

It can also be used to find which blocks have changed between two or more sample dumps.

This can be useful when analyzing RAM dumps taken from a virtual machine, for example. Use this command:

  $ rahash2 -B 1M -b -a sha256 /bin/ls
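To make the forensic use concrete, here is an added example (not part of radare2 or of the original page) that reproduces what the block-wise invocation above computes in plain Python: it hashes a file one block at a time with a streaming read (so memory use stays at one block, matching the stdin note above), groups blocks whose digests coincide (such as zero-filled blocks), and reports which block offsets differ between two dumps. The two sample dumps and the 256-byte block size are constructed for the example; real use would pass the 1M block size and two dump paths.

```python
import hashlib
import io
from collections import defaultdict

DEFAULT_BLOCK = 1024 * 1024  # 1M, the block size used in "rahash2 -B 1M"


def hash_blocks(data, block_size=DEFAULT_BLOCK, algo="sha256"):
    """Return [(offset, hexdigest), ...] for each block of an in-memory buffer.

    The last block may be shorter than block_size, as with rahash2 -b."""
    return [
        (off, hashlib.new(algo, data[off:off + block_size]).hexdigest())
        for off in range(0, len(data), block_size)
    ]


def hash_stream_blocks(stream, block_size=DEFAULT_BLOCK, algo="sha256"):
    """Same result as hash_blocks, but reads one block at a time from a
    binary file object so a multi-GB dump never has to fit in RAM."""
    result = []
    off = 0
    while True:
        chunk = stream.read(block_size)
        if not chunk:
            break
        result.append((off, hashlib.new(algo, chunk).hexdigest()))
        off += len(chunk)
    return result


def hash_file_blocks(path, block_size=DEFAULT_BLOCK, algo="sha256"):
    """Convenience wrapper: block hashes of a file on disk."""
    with open(path, "rb") as f:
        return hash_stream_blocks(f, block_size, algo)


def group_identical_blocks(block_hashes):
    """Map digest -> offsets, keeping only digests that occur more than once.

    Identical blocks (e.g. all-zero pages) collapse onto one digest."""
    groups = defaultdict(list)
    for off, digest in block_hashes:
        groups[digest].append(off)
    return {d: offs for d, offs in groups.items() if len(offs) > 1}


def changed_blocks(before, after):
    """Offsets whose digest differs between two dumps, or that exist in only
    one of them (dumps of different length)."""
    a, b = dict(before), dict(after)
    return sorted(off for off in set(a) | set(b) if a.get(off) != b.get(off))


# Constructed sample dumps: two zero blocks, one block of 'A', one block of 'B'.
# The second dump differs only in its last block ('C' instead of 'B').
SAMPLE_BLOCK = 256
DUMP_BEFORE = b"\x00" * SAMPLE_BLOCK * 2 + b"A" * SAMPLE_BLOCK + b"B" * SAMPLE_BLOCK
DUMP_AFTER = b"\x00" * SAMPLE_BLOCK * 2 + b"A" * SAMPLE_BLOCK + b"C" * SAMPLE_BLOCK

# Streaming and in-memory hashing must agree block for block.
STREAM_RESULT = hash_stream_blocks(io.BytesIO(DUMP_BEFORE), SAMPLE_BLOCK)

if __name__ == "__main__":
    before = hash_blocks(DUMP_BEFORE, SAMPLE_BLOCK)
    after = hash_blocks(DUMP_AFTER, SAMPLE_BLOCK)
    for off, digest in before:
        print(f"0x{off:08x}  {digest}")
    print("repeated blocks:", group_identical_blocks(before))  # zero blocks at 0 and 256
    print("changed offsets:", changed_blocks(before, after))   # [768]
```

Comparing `hash_file_blocks(dump1)` against `hash_file_blocks(dump2)` with the default 1M block size gives the same view as diffing two `rahash2 -B 1M -b` listings: the changed offsets are the regions worth opening in radare2.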

Hashing with rabin2

The rabin2 tool parses the binary headers of files, but it also has the ability to use the rhash plugins to compute checksums of the sections in a binary.

  $ rabin2 -K md5 -S /bin/ls

Obtaining hashes within radare2 session

To calculate a checksum of the current block when running radare2, use the ph command and pass an algorithm name to it as a parameter. An example session:

  $ radare2 /bin/ls
  [0x08049790]> bf entry0
  [0x08049790]> ph md5
  d2994c75adaa58392f953a448de5fba7

You can use all hashing algorithms supported by rahash2:

  [0x00000000]> ph?
  md5
  sha1
  sha256
  sha384
  sha512
  md4
  xor
  xorpair
  parity
  entropy
  hamdist
  pcprint
  mod255
  xxhash
  adler32
  luhn
  crc8smbus
  crc15can
  crc16
  crc16hdlc
  crc16usb
  crc16citt
  crc24
  crc32
  crc32c
  crc32ecma267
  crc32bzip2
  crc32d
  crc32mpeg2
  crc32posix
  crc32q
  crc32jamcrc
  crc32xfer
  crc64
  crc64ecma
  crc64we
  crc64xz
  crc64iso

The ph command accepts an optional numeric argument that specifies the length of the byte range to be hashed, instead of the default block size. For example:

  [0x08049A80]> ph md5 32
  9b9012b00ef7a94b5824105b7aaad83b
  [0x08049A80]> ph md5 64
  a71b087d8166c99869c9781e2edcf183
  [0x08049A80]> ph md5 1024
  a933cc94cd705f09a41ecc80c0041def