18.1 Rahash tool

The rahash tool is the one radare uses to perform these calculations. It

$ rahash -h
rahash [-action] [-options] [source] [hash-file]
 actions:
  -g           generate (default action)
  -c           check changes between source and hash-file
  -o           shows the contents of the source hash-file
  -A           use all hash algorithms
 options:
  -a [algo]    algorithm to hash (md4, md5, crc16, crc32, sha1, sha256, sha384, sha512, par, xor, xorpair, mod255, hamdist, entropy, all)
  -s [string]  hash this string instead of a file
  -S [offset]  seek initial offset to
  -E [offset]  end hashing at offset
  -L [length]  end hashing at length
  -b [size]    sets the block size (default 32KB)
  -f           block size = file size (!!)
  -q           quite output (can be combined with -v)
  -V           show version information
  -v           be verbose

It permits the calculation of the hashes from strings or files.

$ rahash -a md5 -s 'hello world'
5eb63bbbe01eeed093cb22bb8f5acdc3

It is possible to hash the full contents of a file by giving '-f' as an argument. Don't do this for large files such as disks, though, because rahash stores the whole buffer in memory before calculating the checksum instead of computing it progressively.

$ rahash -a all -f /bin/ls
par:     1
xor:     ae
hamdist: 00
xorpair: 11bf
entropy: 6.08
mod255:  ea
crc16:   41a4
crc32:   d34e458d
md4:     f0bfd80cea21ca98cc48aefef8d71f3e
md5:     f58860f27dd2673111083770c9445099
sha1:    bfb9b77a29318fc6a075323c67af74d5e3071232
sha256:  8c0d752022269a8673dc38ef5d548c991bc7913a43fe3f1d4d076052d6a5f0b6
sha384:  1471bd8b14c2e11b3bcedcaa23209f2b87154e0daedf2f3f23053a598685850318ecb363cf07cf48410d3ed8e9921573
sha512:  03c63d38b0286e9a6230ffd39a1470419887ea775823d21dc03a2f2b2762a24b496847724296b45e81a5ff607cc46ef0f46e4eb1b8faa67ea3c463999f7b5864

rahash is designed to work with blocks, as radare does. This way you can generate multiple checksums from a single file and then quickly compare the blocks to find the part of the file that has changed.

This is useful in forensic tasks, when progressively analyzing memory dumps to find the places where they have changed and then using 'radiff' to take a closer look at these changes.

This is the default mode of operation for rahash. So let's generate a rahash checksum file and then use it to check whether something has changed. The default block size is 32 KBytes. You can change it with the -b flag.

# generate ls.rahash
$ rahash -g -a sha1 /bin/ls ls.rahash
91c9cc53e7c7204027218ba372e9e738
f5547b7cd016678bebc61b4b0ca3a442
5fd03cecbbad68314bc82f2f7db2f6aa

# show values stored in rahash file:
$ rahash -vo ls.rahash
file_name  /bin/ls
offt_size  8
endian     0 (little)
version    1
block_size 32768
file_size  92376
fragments  3
file_name  /bin/ls
from       0
to         92376
length     92376
algorithm  md5
algo_size  16
0x00000000 91C9CC53E7C7204027218BA372E9E738
0x00008000 F5547B7CD016678BEBC61B4B0CA3A442
0x00010000 5FD03CECBBAD68314BC82F2F7DB2F6AA

# check if something has changed
$ rahash -c -a sha1 /bin/ls ls.rahash
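
The generate-and-check workflow above, sketched as an added Python example (not rahash's own code and not its on-disk hash-file format). It reads one block at a time, so large dumps are never held in memory, and it reports the offsets of the blocks whose digest changed. The function names, the sha256 default and the sample buffer are assumptions made for the illustration.

```python
import hashlib
import io

BLOCK_SIZE = 32 * 1024  # same default block size the text gives for rahash


def block_digests(stream, block_size=BLOCK_SIZE, algo="sha256", start=0, length=None):
    """Return [(offset, hexdigest)], hashing one block at a time from `start`."""
    stream.seek(start)
    remaining = length  # None means "until end of stream"
    offset = start
    out = []
    while remaining is None or remaining > 0:
        want = block_size if remaining is None else min(block_size, remaining)
        chunk = stream.read(want)
        if not chunk:
            break
        out.append((offset, hashlib.new(algo, chunk).hexdigest()))
        offset += len(chunk)
        if remaining is not None:
            remaining -= len(chunk)
    return out


def changed_blocks(baseline, current):
    """Offsets whose digest differs, or that exist in only one of the two lists."""
    old, new = dict(baseline), dict(current)
    return sorted(o for o in old.keys() | new.keys() if old.get(o) != new.get(o))


def demo():
    # Constructed sample: a 92376-byte buffer (the file_size shown above) with
    # one byte flipped inside the second block to simulate a modified dump.
    original = bytes(i % 251 for i in range(92376))
    modified = bytearray(original)
    modified[0x8000 + 100] ^= 0xFF
    before = block_digests(io.BytesIO(original))
    after = block_digests(io.BytesIO(bytes(modified)))
    return before, changed_blocks(before, after)


if __name__ == "__main__":
    before, changed = demo()
    for off, digest in before:
        print(f"0x{off:08x} {digest}")
    print("changed blocks:", [hex(o) for o in changed])
```

Once a changed offset is known, only that block needs a byte-level diff.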

You can also specify limits when calculating checksums, so you can easily tell rahash to start hashing at a certain seek and finish after N bytes or when reaching another offset.

  -S [offset]  seek initial offset to
  -E [offset]  end hashing at offset
  -L [length]  end hashing at length

For example:

$ rahash -S 10 -L 20 /bin/ls
4b01adea1951a55cdf05f92cd4b2cf75