8051Enthusiast / delsum

A reverse engineer's checksum toolbox

Problem with reversing checksum algorithm of protocol messages

grandnew opened this issue · comments

Hi, I have several ICMP messages and want to reverse the checksum algorithm of these messages using delsum. Here are some messages, shown in hex:

08004ab69c480007648b1224000eaf3908090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637
080038fa9c480008648b1225000ec0f308090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637
080027409c480009648b1226000ed2ab08090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637

The checksum field of ICMP is bytes 2-3 (starting from 0).
First, I tried to convert each hex stream to a file, e.g., echo "08004ab69c480007648b1224000eaf3908090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637" | xxd -r -p > file1.

Then, I tried delsum by command

delsum reverse -m 'crc width=16 init=0' -c b64a,fa38,4027 file1 file2 file3

But there is no output. I'm not sure if I'm using delsum correctly. Could you please help me? Thanks so much.

So two things that prevent this from working:

  • the icmp checksum is actually not a crc, but a modular sum which requires replacing crc with modsum (if the checksum is not known i would just try all types of checksum)
  • the checksum is embedded in the file itself so that the final checksum is 0, so -c 0000,0000,0000 would actually be the right checksum parameter. another way to typically deal with embedded checksums is to remove them from the file (in this case, replace them with zeroes), but i don't currently have inversion of the final checksum implemented which would be necessary for this, so for now the zero checksum is the way

now when running

delsum reverse -m 'modsum width=16 init=0' -c 0000,0000,0000 file1 file2 file3

i do get a whole bunch of results:

modsum width=16 module=0x1 init=0x0 out_endian=little
modsum width=16 module=0x3 init=0x0 out_endian=little
modsum width=16 module=0x5 init=0x0 out_endian=little
modsum width=16 module=0xf init=0x0 out_endian=little
modsum width=16 module=0x11 init=0x0 out_endian=little
modsum width=16 module=0x33 init=0x0 out_endian=little
modsum width=16 module=0x55 init=0x0 out_endian=little
modsum width=16 module=0xff init=0x0 out_endian=little
modsum width=16 module=0x1 init=0x0 out_endian=big
modsum width=16 module=0x3 init=0x0 out_endian=big
modsum width=16 module=0x5 init=0x0 out_endian=big
modsum width=16 module=0xf init=0x0 out_endian=big
modsum width=16 module=0x11 init=0x0 out_endian=big
modsum width=16 module=0x33 init=0x0 out_endian=big
modsum width=16 module=0x55 init=0x0 out_endian=big
modsum width=16 module=0xff init=0x0 out_endian=big
modsum width=16 module=0x1 init=0x0 out_endian=little
modsum width=16 module=0x3 init=0x0 out_endian=little
modsum width=16 module=0x5 init=0x0 out_endian=little
modsum width=16 module=0xf init=0x0 out_endian=little
modsum width=16 module=0x11 init=0x0 out_endian=little
modsum width=16 module=0x33 init=0x0 out_endian=little
modsum width=16 module=0x55 init=0x0 out_endian=little
modsum width=16 module=0xff init=0x0 out_endian=little
modsum width=16 module=0x1 init=0x0 out_endian=big
modsum width=16 module=0x3 init=0x0 out_endian=big
modsum width=16 module=0x5 init=0x0 out_endian=big
modsum width=16 module=0xf init=0x0 out_endian=big
modsum width=16 module=0x11 init=0x0 out_endian=big
modsum width=16 module=0x33 init=0x0 out_endian=big
modsum width=16 module=0x55 init=0x0 out_endian=big
modsum width=16 module=0xff init=0x0 out_endian=big
modsum width=16 module=0x1 init=0x0 in_endian=little wordsize=16 out_endian=little
modsum width=16 module=0x3 init=0x0 in_endian=little wordsize=16 out_endian=little
modsum width=16 module=0x5 init=0x0 in_endian=little wordsize=16 out_endian=little
modsum width=16 module=0xf init=0x0 in_endian=little wordsize=16 out_endian=little
modsum width=16 module=0x11 init=0x0 in_endian=little wordsize=16 out_endian=little
modsum width=16 module=0x33 init=0x0 in_endian=little wordsize=16 out_endian=little
modsum width=16 module=0x55 init=0x0 in_endian=little wordsize=16 out_endian=little
modsum width=16 module=0xff init=0x0 in_endian=little wordsize=16 out_endian=little
modsum width=16 module=0x101 init=0x0 in_endian=little wordsize=16 out_endian=little
modsum width=16 module=0x303 init=0x0 in_endian=little wordsize=16 out_endian=little
modsum width=16 module=0x505 init=0x0 in_endian=little wordsize=16 out_endian=little
modsum width=16 module=0xf0f init=0x0 in_endian=little wordsize=16 out_endian=little
modsum width=16 module=0x1111 init=0x0 in_endian=little wordsize=16 out_endian=little
modsum width=16 module=0x3333 init=0x0 in_endian=little wordsize=16 out_endian=little
modsum width=16 module=0x5555 init=0x0 in_endian=little wordsize=16 out_endian=little
modsum width=16 module=0xffff init=0x0 in_endian=little wordsize=16 out_endian=little
modsum width=16 module=0x1 init=0x0 in_endian=little wordsize=16 out_endian=big
modsum width=16 module=0x3 init=0x0 in_endian=little wordsize=16 out_endian=big
modsum width=16 module=0x5 init=0x0 in_endian=little wordsize=16 out_endian=big
modsum width=16 module=0xf init=0x0 in_endian=little wordsize=16 out_endian=big
modsum width=16 module=0x11 init=0x0 in_endian=little wordsize=16 out_endian=big
modsum width=16 module=0x33 init=0x0 in_endian=little wordsize=16 out_endian=big
modsum width=16 module=0x55 init=0x0 in_endian=little wordsize=16 out_endian=big
modsum width=16 module=0xff init=0x0 in_endian=little wordsize=16 out_endian=big
modsum width=16 module=0x101 init=0x0 in_endian=little wordsize=16 out_endian=big
modsum width=16 module=0x303 init=0x0 in_endian=little wordsize=16 out_endian=big
modsum width=16 module=0x505 init=0x0 in_endian=little wordsize=16 out_endian=big
modsum width=16 module=0xf0f init=0x0 in_endian=little wordsize=16 out_endian=big
modsum width=16 module=0x1111 init=0x0 in_endian=little wordsize=16 out_endian=big
modsum width=16 module=0x3333 init=0x0 in_endian=little wordsize=16 out_endian=big
modsum width=16 module=0x5555 init=0x0 in_endian=little wordsize=16 out_endian=big
modsum width=16 module=0xffff init=0x0 in_endian=little wordsize=16 out_endian=big
modsum width=16 module=0x1 init=0x0 in_endian=big wordsize=16 out_endian=little
modsum width=16 module=0x3 init=0x0 in_endian=big wordsize=16 out_endian=little
modsum width=16 module=0x5 init=0x0 in_endian=big wordsize=16 out_endian=little
modsum width=16 module=0xf init=0x0 in_endian=big wordsize=16 out_endian=little
modsum width=16 module=0x11 init=0x0 in_endian=big wordsize=16 out_endian=little
modsum width=16 module=0x19 init=0x0 in_endian=big wordsize=16 out_endian=little
modsum width=16 module=0x33 init=0x0 in_endian=big wordsize=16 out_endian=little
modsum width=16 module=0x4b init=0x0 in_endian=big wordsize=16 out_endian=little
modsum width=16 module=0x55 init=0x0 in_endian=big wordsize=16 out_endian=little
modsum width=16 module=0xff init=0x0 in_endian=big wordsize=16 out_endian=little
modsum width=16 module=0x101 init=0x0 in_endian=big wordsize=16 out_endian=little
modsum width=16 module=0x1a9 init=0x0 in_endian=big wordsize=16 out_endian=little
modsum width=16 module=0x303 init=0x0 in_endian=big wordsize=16 out_endian=little
modsum width=16 module=0x4fb init=0x0 in_endian=big wordsize=16 out_endian=little
modsum width=16 module=0x505 init=0x0 in_endian=big wordsize=16 out_endian=little
modsum width=16 module=0xf0f init=0x0 in_endian=big wordsize=16 out_endian=little
modsum width=16 module=0x1111 init=0x0 in_endian=big wordsize=16 out_endian=little
modsum width=16 module=0x1919 init=0x0 in_endian=big wordsize=16 out_endian=little
modsum width=16 module=0x3333 init=0x0 in_endian=big wordsize=16 out_endian=little
modsum width=16 module=0x4b4b init=0x0 in_endian=big wordsize=16 out_endian=little
modsum width=16 module=0x5555 init=0x0 in_endian=big wordsize=16 out_endian=little
modsum width=16 module=0xffff init=0x0 in_endian=big wordsize=16 out_endian=little
modsum width=16 module=0x1 init=0x0 in_endian=big wordsize=16 out_endian=big
modsum width=16 module=0x3 init=0x0 in_endian=big wordsize=16 out_endian=big
modsum width=16 module=0x5 init=0x0 in_endian=big wordsize=16 out_endian=big
modsum width=16 module=0xf init=0x0 in_endian=big wordsize=16 out_endian=big
modsum width=16 module=0x11 init=0x0 in_endian=big wordsize=16 out_endian=big
modsum width=16 module=0x19 init=0x0 in_endian=big wordsize=16 out_endian=big
modsum width=16 module=0x33 init=0x0 in_endian=big wordsize=16 out_endian=big
modsum width=16 module=0x4b init=0x0 in_endian=big wordsize=16 out_endian=big
modsum width=16 module=0x55 init=0x0 in_endian=big wordsize=16 out_endian=big
modsum width=16 module=0xff init=0x0 in_endian=big wordsize=16 out_endian=big
modsum width=16 module=0x101 init=0x0 in_endian=big wordsize=16 out_endian=big
modsum width=16 module=0x1a9 init=0x0 in_endian=big wordsize=16 out_endian=big
modsum width=16 module=0x303 init=0x0 in_endian=big wordsize=16 out_endian=big
modsum width=16 module=0x4fb init=0x0 in_endian=big wordsize=16 out_endian=big
modsum width=16 module=0x505 init=0x0 in_endian=big wordsize=16 out_endian=big
modsum width=16 module=0xf0f init=0x0 in_endian=big wordsize=16 out_endian=big
modsum width=16 module=0x1111 init=0x0 in_endian=big wordsize=16 out_endian=big
modsum width=16 module=0x1919 init=0x0 in_endian=big wordsize=16 out_endian=big
modsum width=16 module=0x3333 init=0x0 in_endian=big wordsize=16 out_endian=big
modsum width=16 module=0x4b4b init=0x0 in_endian=big wordsize=16 out_endian=big
modsum width=16 module=0x5555 init=0x0 in_endian=big wordsize=16 out_endian=big
modsum width=16 module=0xffff init=0x0 in_endian=big wordsize=16 out_endian=big

now the reason there are so many results is that they are actually all valid checksum parameters that would always lead to a checksum of 0: the modulus just has to divide 0xffff for the checksum to be 0. the endian of the checksum is also not relevant, as it is 0, so it tries both.
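To check that reasoning against the three posted messages, here is an added example (not part of delsum or of this thread): it recomputes the ICMP checksum per RFC 1071, shows that the whole-message word sum is 0 modulo every divisor of 0xffff, and accounts for the extra big-endian moduli in the output (0x19, 0x4b, ...) as divisors of this particular sample's raw sum. Treating the reported `module` as a plain modulus on the word sum is an assumption about delsum's output.

```python
import struct

# The three ICMP echo messages posted in the issue; the checksum is bytes 2-3.
MESSAGES = [bytes.fromhex(h) for h in (
    "08004ab69c480007648b1224000eaf3908090a0b0c0d0e0f10111213141516171819"
    "1a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637",
    "080038fa9c480008648b1225000ec0f308090a0b0c0d0e0f10111213141516171819"
    "1a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637",
    "080027409c480009648b1226000ed2ab08090a0b0c0d0e0f10111213141516171819"
    "1a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637",
)]

def wordsum(data: bytes, wordsize: int = 16, in_endian: str = "big") -> int:
    """Plain integer sum of the `wordsize`-bit words of `data`."""
    fmt = {8: "B", 16: "H"}[wordsize]
    order = ">" if in_endian == "big" else "<"
    return sum(struct.unpack(f"{order}{len(data) * 8 // wordsize}{fmt}", data))

def modsum(data: bytes, module: int, wordsize: int = 16, in_endian: str = "big") -> int:
    """Word sum reduced modulo `module`; assumed to match what delsum reports as
    'modsum width=16 module=... in_endian=... wordsize=...'."""
    return wordsum(data, wordsize, in_endian) % module

def stored_checksum(msg: bytes) -> int:
    return struct.unpack(">H", msg[2:4])[0]

def icmp_checksum(msg: bytes) -> int:
    """RFC 1071: ones' complement of the end-around-carry sum of 16-bit words over
    the message with its checksum field zeroed. That sum equals the word sum
    mod 0xffff (0 and 0xffff are the same value in ones' complement)."""
    zeroed = msg[:2] + b"\x00\x00" + msg[4:]
    return (~modsum(zeroed, 0xFFFF)) & 0xFFFF

def divisors_of_ffff() -> list:
    """Every modulus that maps any correctly checksummed message to 0."""
    return [m for m in range(1, 0x10000) if 0xFFFF % m == 0]

def extra_moduli(msgs, width: int = 16) -> list:
    """Moduli that zero every sample's big-endian word sum without dividing
    0xffff: coincidences of this sample set, not valid ICMP parameters."""
    sums = [wordsum(m) for m in msgs]
    return [m for m in range(1, 1 << width)
            if 0xFFFF % m and all(s % m == 0 for s in sums)]

if __name__ == "__main__":
    for msg in MESSAGES:
        print(f"stored={stored_checksum(msg):04x} recomputed={icmp_checksum(msg):04x} "
              f"sum mod 0xffff={modsum(msg, 0xFFFF)}")
    print("moduli dividing 0xffff:", [hex(m) for m in divisors_of_ffff()])
    print("sample-specific extras:", [hex(m) for m in extra_moduli(MESSAGES)])
```

All three messages happen to have the same raw big-endian word sum, 5 * 0xffff, which is why moduli containing a factor of 25 show up only in the big-endian runs and why more captures would thin that list out.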

Thanks!