mraeryceos

Hashes in Security Catalogs

When I take the hash of a file and compare it with the hash in the Security Catalog, it doesn't match up. Maybe the hash listed in the catalog is not of the whole file, just important parts of the file? If so, is there a tool that will calculate the hash in the Microsoft way? I could use makecat, but it is a pain having to make a text file before getting the hash. I haven't tried it yet, so I don't know if it will work either.

Also, I can see a list of hashes in the cat file, but I don't know the corresponding filenames. Is there a cat file viewer that lists the filenames that correspond with the hashes?

I calculated SHA-1, using a program called Hash.

I searched for this hash inside the cat files, using a program that searches within files, but can't find it.

If I search with this program for a hash I know is in one of the cat files, I can find it.

Edited by mraeryceos

> I calculated SHA-1, using a program called Hash.

Where might one obtain this program? I get the feeling that checking its output against a known good SHA-1 generator will reveal this "Hash" program to be in error, if you are getting the values right out of the security catalogs.

http://www.keir.net/hash.html

I took the hash of shell32.dll.mui, that I pulled from a zh-tw language pack.

File Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modified: Saturday, November 20, 2010, 6:21:18 AM
MD5: 20AA0D4DB61152CBC4D9A96964A98A48
SHA1: 33217BEE852DAE99DD89CC62554F74EBAE8A960C
CRC32: 723E04A0


I searched for the SHA1 within all the files in the lp.cab. No result.

I opened one cat file at random, then copied one of the hashes from it, and searched again in lp.cab for this hash string: result is the cat file from which I copied the hash.

Maybe they don't include the PE headers in the hash calculation?

Edited by mraeryceos

Maybe what shows in the security catalogs are the encrypted versions of the SHA1 hashes? They may be encrypted with a public key, and only MS would have the private key. I don't know, I'm just taking guesses.

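An added example, not part of the original thread: for PE files such as shell32.dll.mui, a security catalog records the Authenticode image hash rather than a hash of every byte, which is why a flat SHA-1 does not appear in any .cat file. The sketch below computes that hash by skipping the CheckSum field, the Certificate Table directory entry and the certificate table; the function names and the constructed sample image are this example's own, and it assumes the usual layout with sections in file order and the certificate table last.

```python
import hashlib
import struct

def flat_digest(data: bytes, algo: str = "sha1") -> str:
    """Hash of every byte in the file, as a generic hashing tool reports it."""
    return hashlib.new(algo, data).hexdigest().upper()

def authenticode_digest(data: bytes, algo: str = "sha1") -> str:
    """PE image hash that skips CheckSum, the Certificate Table directory entry
    and the certificate table. Assumes sections in file order, table last."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        raise ValueError("not a PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]        # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe + 24                                       # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                     # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    checksum = opt + 64                                 # 4-byte CheckSum
    dirs = opt + (96 if magic == 0x10B else 112)        # data directories
    if struct.unpack_from("<I", data, dirs - 4)[0] < 5:
        raise ValueError("no Certificate Table directory entry")
    entry = dirs + 4 * 8                                # directory index 4
    cert_off, cert_len = struct.unpack_from("<II", data, entry)
    if not (cert_off and cert_len):
        cert_off, cert_len = len(data), 0               # unsigned file
    if cert_off + cert_len > len(data):
        raise ValueError("certificate table outside file")
    h = hashlib.new(algo)
    for chunk in (data[:checksum], data[checksum + 4:entry],
                  data[entry + 8:cert_off], data[cert_off + cert_len:]):
        h.update(chunk)
    return h.hexdigest().upper()

def build_sample_pe(checksum: int = 0, signature: bytes = b"") -> bytes:
    """Constructed minimal PE32 image for the demo (not a real DLL)."""
    img = bytearray(0x200)
    img[0:2], img[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x80)             # e_lfanew
    opt = 0x80 + 24
    struct.pack_into("<H", img, opt, 0x10B)             # PE32 magic
    struct.pack_into("<I", img, opt + 64, checksum)
    struct.pack_into("<I", img, opt + 92, 16)           # NumberOfRvaAndSizes
    img += b"constructed section payload".ljust(0x40, b"\0")
    if signature:
        struct.pack_into("<II", img, opt + 96 + 32, len(img), len(signature))
        img += signature
    return bytes(img)
```

On a real file, pass its bytes to `authenticode_digest` and search the catalogs for the result instead of the flat hash.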
