rahash2

The rahash2 tool computes checksums of files, disk devices or strings, either over the whole input or block by block, using many different hash algorithms.

This tool can also perform some encoding/decoding operations, such as base64 and xor encryption.

This is an example usage:

$ rahash2 -a md5 -s "hello world"

Note that rahash2 can also read from stdin as a stream, so you don't need 4GB of RAM to compute the hash of a 4GB file.

Hashing by blocks

When doing forensics, it is useful to compute partial checksums. The reason is that you may want to split a huge file into small portions that are easier to identify by their contents or by their region on the disk.

Blocks with identical contents produce identical hashes, for example blocks filled with zeros.

It can also be used to find which blocks have changed between several sample dumps.

This can be useful when analyzing RAM dumps from a virtual machine, for example. Use this command:

$ rahash2 -b 1M -B -a sha256 /bin/ls
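As an added example (not code from the radare2 book or from rahash2 itself), the following Python script does what the command above does, one digest per fixed-size block read as a stream, and adds the two comparisons the text describes: grouping blocks with identical contents and listing blocks that changed between two dumps. The block size, sample dumps and function names are constructed for illustration.

```python
import hashlib
import io
from typing import BinaryIO, Dict, List, Tuple

# Emulates `rahash2 -B -b <size> -a <algo>`: one digest per block of the
# input, read as a stream so a multi-gigabyte dump never sits in memory.
def block_hashes(stream: BinaryIO, block_size: int, algo: str = "sha256") -> List[Tuple[int, str]]:
    hashes = []
    offset = 0
    while True:
        block = stream.read(block_size)
        if not block:
            break
        hashes.append((offset, hashlib.new(algo, block).hexdigest()))
        offset += len(block)  # the last block may be shorter than block_size
    return hashes

# Offsets that share a digest: zero-filled or otherwise repeated regions.
def identical_blocks(hashes: List[Tuple[int, str]]) -> Dict[str, List[int]]:
    by_digest = {}
    for offset, digest in hashes:
        by_digest.setdefault(digest, []).append(offset)
    return {d: offs for d, offs in by_digest.items() if len(offs) > 1}

# Offsets whose digest differs between two dumps of the same layout (e.g. two
# RAM snapshots of one VM); a block present in only one dump counts as changed.
def changed_blocks(old: List[Tuple[int, str]], new: List[Tuple[int, str]]) -> List[int]:
    old_map, new_map = dict(old), dict(new)
    return sorted(off for off in old_map.keys() | new_map.keys()
                  if old_map.get(off) != new_map.get(off))

# Constructed sample dumps (not real data): 4-byte blocks keep the output readable.
BLOCK = 4
DUMP_A = b"\x00" * 4 + b"ABCD" + b"\x00" * 4 + b"WXYZ"
DUMP_B = b"\x00" * 4 + b"ABCD" + b"\x00" * 4 + b"wxyz"  # last block modified

def demo():
    a = block_hashes(io.BytesIO(DUMP_A), BLOCK)
    b = block_hashes(io.BytesIO(DUMP_B), BLOCK)
    return identical_blocks(a), changed_blocks(a, b)

if __name__ == "__main__":
    same, changed = demo()
    for digest, offsets in same.items():
        print(f"{digest[:16]}... appears at offsets {offsets}")
    print("changed blocks between dumps:", changed)
```

For real dumps, replace the BytesIO objects with files opened in binary mode and use a block size such as 1M, as in the rahash2 command.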

Hashing with rabin2

The rabin2 tool parses the binary headers of files, but it can also use the rhash plugins to compute checksums of the sections in the binary.

$ rabin2 -K md5 -S /bin/ls

Obtaining hashes within radare2 session

To calculate a checksum of the current block when running radare2, use the ph command and pass an algorithm name to it as a parameter. An example session:

$ radare2 /bin/ls
[0x08049790]> bf entry0
[0x08049790]> ph md5
d2994c75adaa58392f953a448de5fba7

You can use all hashing algorithms supported by rahash2:

[0x00000000]> ph?
md5
sha1
sha256
sha384
sha512
md4
xor
xorpair
parity
entropy
hamdist
pcprint
mod255
xxhash
adler32
luhn
crc8smbus
crc15can
crc16
crc16hdlc
crc16usb
crc16citt
crc24
crc32
crc32c
crc32ecma267
crc32bzip2
crc32d
crc32mpeg2
crc32posix
crc32q
crc32jamcrc
crc32xfer
crc64
crc64ecma
crc64we
crc64xz
crc64iso

The ph command accepts an optional numeric argument specifying the length of the byte range to be hashed, instead of the default block size. For example:

[0x08049A80]> ph md5 32
9b9012b00ef7a94b5824105b7aaad83b
[0x08049A80]> ph md5 64
a71b087d8166c99869c9781e2edcf183
[0x08049A80]> ph md5 1024
a933cc94cd705f09a41ecc80c0041def

Examples

The rahash2 tool can be used to calculate checksums and hash functions of byte streams, files and text strings.

$ rahash2 -h
Usage: rahash2 [-rBhLkv] [-b S] [-a A] [-c H] [-E A] [-s S] [-f O] [-t O] [file] ...
 -a algo     comma separated list of algorithms (default is 'sha256')
 -b bsize    specify the size of the block (instead of full file)
 -B          show per-block hash
 -c hash     compare with this hash
 -e          swap endian (use little endian)
 -E algo     encrypt. Use -S to set key and -I to set IV
 -D algo     decrypt. Use -S to set key and -I to set IV
 -f from     start hashing at given address
 -i num      repeat hash N iterations
 -I iv       use give initialization vector (IV) (hexa or s:string)
 -S seed     use given seed (hexa or s:string) use ^ to prefix (key for -E)
             (- will slurp the key from stdin, the @ prefix points to a file
 -k          show hash using the openssh's randomkey algorithm
 -q          run in quiet mode (-qq to show only the hash)
 -L          list all available algorithms (see -a)
 -r          output radare commands
 -s string   hash this string instead of files
 -t to       stop hashing at given address
 -x hexstr   hash this hexpair string instead of files
 -v          show version information

To obtain an MD5 hash value of a text string, use the -s option:

$ rahash2 -q -a md5 -s 'hello world'
5eb63bbbe01eeed093cb22bb8f5acdc3

It is possible to calculate hash values for the contents of files. But do not attempt to do it for very large files, because rahash2 buffers the whole input in memory before computing the hash.

To apply all algorithms known to rahash2, use "all" as the algorithm name:

$ rahash2 -a all /bin/ls
/bin/ls: 0x00000000-0x000268c7 md5: 767f0fff116bc6584dbfc1af6fd48fc7
/bin/ls: 0x00000000-0x000268c7 sha1: 404303f3960f196f42f8c2c12970ab0d49e28971
/bin/ls: 0x00000000-0x000268c7 sha256: 74ea05150acf311484bddd19c608aa02e6bf3332a0f0805a4deb278e17396354
/bin/ls: 0x00000000-0x000268c7 sha384: c6f811287514ceeeaabe73b5b2f54545036d6fd3a192ea5d6a1fcd494d46151df4117e1c62de0884cbc174c8db008ed1
/bin/ls: 0x00000000-0x000268c7 sha512: 53e4950a150f06d7922a2ed732060e291bf0e1c2ac20bc72a41b9303e1f2837d50643761030d8b918ed05d12993d9515e1ac46676bc0d15ac94d93d8e446fa09
/bin/ls: 0x00000000-0x000268c7 md4: fdfe7c7118a57c1ff8c88a51b16fc78c
/bin/ls: 0x00000000-0x000268c7 xor: 42
/bin/ls: 0x00000000-0x000268c7 xorpair: d391
/bin/ls: 0x00000000-0x000268c7 parity: 00
/bin/ls: 0x00000000-0x000268c7 entropy: 5.95471783
/bin/ls: 0x00000000-0x000268c7 hamdist: 00
/bin/ls: 0x00000000-0x000268c7 pcprint: 22
/bin/ls: 0x00000000-0x000268c7 mod255: ef
/bin/ls: 0x00000000-0x000268c7 xxhash: 76554666
/bin/ls: 0x00000000-0x000268c7 adler32: 7704fe60
/bin/ls: 0x00000000-0x000268c7 luhn: 01
/bin/ls: 0x00000000-0x000268c7 crc8smbus: 8d
/bin/ls: 0x00000000-0x000268c7 crc15can: 1cd5
/bin/ls: 0x00000000-0x000268c7 crc16: d940
/bin/ls: 0x00000000-0x000268c7 crc16hdlc: 7847
/bin/ls: 0x00000000-0x000268c7 crc16usb: 17bb
/bin/ls: 0x00000000-0x000268c7 crc16citt: 67f7
/bin/ls: 0x00000000-0x000268c7 crc24: 3e7053
/bin/ls: 0x00000000-0x000268c7 crc32: c713f78f
/bin/ls: 0x00000000-0x000268c7 crc32c: 6cfba67c
/bin/ls: 0x00000000-0x000268c7 crc32ecma267: b4c809d6
/bin/ls: 0x00000000-0x000268c7 crc32bzip2: a1884a09
/bin/ls: 0x00000000-0x000268c7 crc32d: d1a9533c
/bin/ls: 0x00000000-0x000268c7 crc32mpeg2: 5e77b5f6
/bin/ls: 0x00000000-0x000268c7 crc32posix: 6ba0dec3
/bin/ls: 0x00000000-0x000268c7 crc32q: 3166085c
/bin/ls: 0x00000000-0x000268c7 crc32jamcrc: 38ec0870
/bin/ls: 0x00000000-0x000268c7 crc32xfer: 7504089d
/bin/ls: 0x00000000-0x000268c7 crc64: b6471d3093d94241
/bin/ls: 0x00000000-0x000268c7 crc64ecma: b6471d3093d94241
/bin/ls: 0x00000000-0x000268c7 crc64we: 8fe37d44a47157bd
/bin/ls: 0x00000000-0x000268c7 crc64xz: ea83e12c719e0d79
/bin/ls: 0x00000000-0x000268c7 crc64iso: d243106d9853221c