004022C8 MOV EAX,SS:[ESP+10]
004022CC PUSH ESI
004022CD PUSH 0
004022CF LEA EDX,SS:[ESP+C]
004022D3 PUSH EDX
004022D4 PUSH EAX
004022D5 PUSH 2
004022D7 PUSH ECX
004022D8 MOV DWORD PTR SS:[ESP+1C],10
004022E0 CALL DS:[<&ADVAPI32.CryptGetHashParam>]
004022E6 MOV EDX,SS:[ESP+4]
004022EA PUSH EDX
004022EB MOV ESI,EAX
004022ED CALL DS:[<&ADVAPI32.CryptDestroyHash>]
004022F3 MOV EAX,ESI
004022F5 POP ESI
004022F6 ADD ESP,8
004022F9 RETN
Listing 6.4 (continued)
Deciphering the code in Listing 6.4 is not going to be easy unless you do
some reading and figure out what all of these hash APIs are about. For this
purpose, you can easily go to http://msdn.microsoft.com and look up
the functions CryptCreateHash, CryptHashData, and so on. A hash is
defined in MSDN as “A fixed-sized result obtained by applying a mathematical
function (the hashing algorithm) to an arbitrary amount of data.”
The CryptCreateHash function “initiates the hashing of a stream of data,” the
CryptHashData function “adds data to a specified hash object,” while
CryptGetHashParam “retrieves data that governs the operations of a
hash object.” With this (very basic) understanding, let’s analyze the function in
Listing 6.4 and try to determine what it does.
The code starts out by creating a hash object in the CryptCreateHash call.
Notice the second parameter in this call; this is how the hashing algorithm is
selected. In this case, the algorithm parameter is hard-coded to 0x8003. Finding
out what 0x8003 stands for is probably easiest if you look for a popular
hashing algorithm identifier such as CALG_MD2 and find it in the Crypto
header file, WinCrypt.H. It turns out that these identifiers are made out of
several components ORed together, one specifying the algorithm class (ALG_CLASS_HASH),
another specifying the algorithm type (ALG_TYPE_ANY), and finally one that
specifies the exact algorithm (ALG_SID_MD2). If you calculate what
0x8003 stands for (ALG_CLASS_HASH is 4 << 13 = 0x8000, ALG_TYPE_ANY is 0, and
the remaining low bits, 3, are ALG_SID_MD5), you can see that the actual
algorithm is ALG_SID_MD5; in other words, 0x8003 is CALG_MD5.
212 Chapter 6
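The decomposition described above can be automated rather than worked out by hand each time a CryptCreateHash call turns up. The following decoder is an added example, not code from the book; it reproduces the ALG_ID layout and the ALG_CLASS_*, ALG_TYPE_*, ALG_SID_* and GET_ALG_* definitions from WinCrypt.H so that it builds without the Windows SDK, and it adds a small table of digest sizes (a standard fact about these algorithms, not something taken from the header) so that the size a caller passes to CryptGetHashParam can be checked against the algorithm that was selected.

```c
#include <stdio.h>
#include <string.h>

/* ALG_ID layout and constants reproduced from WinCrypt.H so this decoder
 * builds on any platform (no Windows SDK needed):
 *   bits 13..15  algorithm class   ALG_CLASS_*
 *   bits  9..12  algorithm type    ALG_TYPE_*
 *   bits  0..8   algorithm sub-id  ALG_SID_*
 */
typedef unsigned int ALG_ID;

#define ALG_CLASS_SIGNATURE     (1 << 13)
#define ALG_CLASS_MSG_ENCRYPT   (2 << 13)
#define ALG_CLASS_DATA_ENCRYPT  (3 << 13)
#define ALG_CLASS_HASH          (4 << 13)
#define ALG_CLASS_KEY_EXCHANGE  (5 << 13)

#define ALG_TYPE_ANY            (0)
#define ALG_TYPE_DSS            (1 << 9)
#define ALG_TYPE_RSA            (2 << 9)
#define ALG_TYPE_BLOCK          (3 << 9)
#define ALG_TYPE_STREAM         (4 << 9)
#define ALG_TYPE_DH             (5 << 9)

#define ALG_SID_MD2             1
#define ALG_SID_MD4             2
#define ALG_SID_MD5             3
#define ALG_SID_SHA1            4
#define ALG_SID_SHA_256         12
#define ALG_SID_SHA_384         13
#define ALG_SID_SHA_512         14

#define CALG_MD2     (ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_MD2)
#define CALG_MD5     (ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_MD5)
#define CALG_SHA_256 (ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_SHA_256)

#define GET_ALG_CLASS(x) ((x) & (7 << 13))
#define GET_ALG_TYPE(x)  ((x) & (15 << 9))
#define GET_ALG_SID(x)   ((x) & 511)

/* Hash sub-ids with their digest sizes in bytes (not part of WinCrypt.H;
 * standard output sizes of the algorithms). */
static const struct { unsigned sid; const char *name; unsigned digest_len; } hash_sids[] = {
    { ALG_SID_MD2,     "ALG_SID_MD2 (MD2)",         16 },
    { ALG_SID_MD4,     "ALG_SID_MD4 (MD4)",         16 },
    { ALG_SID_MD5,     "ALG_SID_MD5 (MD5)",         16 },
    { ALG_SID_SHA1,    "ALG_SID_SHA1 (SHA-1)",      20 },
    { ALG_SID_SHA_256, "ALG_SID_SHA_256 (SHA-256)", 32 },
    { ALG_SID_SHA_384, "ALG_SID_SHA_384 (SHA-384)", 48 },
    { ALG_SID_SHA_512, "ALG_SID_SHA_512 (SHA-512)", 64 },
};
#define N_HASH_SIDS (sizeof hash_sids / sizeof hash_sids[0])

static const char *class_name(ALG_ID id)
{
    switch (GET_ALG_CLASS(id)) {
    case ALG_CLASS_SIGNATURE:    return "ALG_CLASS_SIGNATURE";
    case ALG_CLASS_MSG_ENCRYPT:  return "ALG_CLASS_MSG_ENCRYPT";
    case ALG_CLASS_DATA_ENCRYPT: return "ALG_CLASS_DATA_ENCRYPT";
    case ALG_CLASS_HASH:         return "ALG_CLASS_HASH";
    case ALG_CLASS_KEY_EXCHANGE: return "ALG_CLASS_KEY_EXCHANGE";
    default:                     return "ALG_CLASS_ANY";
    }
}

static const char *type_name(ALG_ID id)
{
    switch (GET_ALG_TYPE(id)) {
    case ALG_TYPE_DSS:    return "ALG_TYPE_DSS";
    case ALG_TYPE_RSA:    return "ALG_TYPE_RSA";
    case ALG_TYPE_BLOCK:  return "ALG_TYPE_BLOCK";
    case ALG_TYPE_STREAM: return "ALG_TYPE_STREAM";
    case ALG_TYPE_DH:     return "ALG_TYPE_DH";
    default:              return "ALG_TYPE_ANY";
    }
}

/* Digest size in bytes for a hash-class ALG_ID; 0 if it is not a known hash. */
unsigned hash_digest_len(ALG_ID id)
{
    size_t i;
    if (GET_ALG_CLASS(id) != ALG_CLASS_HASH)
        return 0;
    for (i = 0; i < N_HASH_SIDS; i++)
        if (hash_sids[i].sid == GET_ALG_SID(id))
            return hash_sids[i].digest_len;
    return 0;
}

/* Write "0xNNNN = CLASS | TYPE | SID" into out and return out. */
char *describe_alg_id(ALG_ID id, char *out, size_t outlen)
{
    char sidbuf[32];
    const char *sid = NULL;
    size_t i;

    if (GET_ALG_CLASS(id) == ALG_CLASS_HASH)
        for (i = 0; i < N_HASH_SIDS; i++)
            if (hash_sids[i].sid == GET_ALG_SID(id))
                sid = hash_sids[i].name;
    if (sid == NULL) {                       /* non-hash or unknown sub-id */
        snprintf(sidbuf, sizeof sidbuf, "ALG_SID %u", GET_ALG_SID(id));
        sid = sidbuf;
    }
    snprintf(out, outlen, "0x%04X = %s | %s | %s",
             id, class_name(id), type_name(id), sid);
    return out;
}

int main(void)
{
    char buf[96];
    /* 0x8003 is the constant pushed to CryptCreateHash in Listing 6.4. */
    puts(describe_alg_id(0x8003, buf, sizeof buf));
    printf("digest length: %u bytes\n", hash_digest_len(0x8003));
    puts(describe_alg_id(CALG_SHA_256, buf, sizeof buf));
    return 0;
}
```

Running this on 0x8003 prints ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_MD5 with a 16-byte digest, which is consistent with the 0x10 that the listing stores into the size variable before calling CryptGetHashParam with HP_HASHVAL (the value 2 pushed as the second argument).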