ROR13 — And Its Linkage to API Calls within Modules

ROR13 (rotate right 13) is not a cryptographic hash, but it can take a string of any length and convert it into an integer value. It is used within executable code to generate an address to an API function within a DLL. The developer, though, must make sure there are no collisions with other functions in other modules. With ROR13, we take each 8-bit character and convert it to a Unicode value (with 16 bits). The result is a 32-bit integer value, which is used as the address for the API function call. For each character, we then rotate the bits right by thirteen places:

((dword >> 13) | (dword << (32 - 13))) & 0xFFFFFFFF

For “Load” we get a value of 0xE124D840:

python ror13.py test Load
Module: test
Function: Load
ROR13 Hash: 0x927810A
Module ROR13 hash: 0x2802A8CA
Function ROR13 hash: 0xE124D840

We can see in the following that the return from a function is defined with a hex address of 0xA779563A, which is put on the stack before another call to a function (here):

For this we have a module of wininet.dll and a function of “InternetOpenA”, which has the return address…
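
As an added example (not the article's ror13.py, which is not shown on the page), the following Python code reproduces the three values printed above and shows how an analyst can map a constant such as 0xA779563A back to a module and function name. It returns every match, so a collision between two candidates would be visible. Assumptions: the module name is upper-cased and widened to 16-bit characters, the function name stays 8-bit, both include a terminating NUL, and the two hashes are added modulo 2^32; the helper names and the candidate list are constructed for illustration.

```python
# Added example, not the article's ror13.py. The conventions below are
# assumptions chosen because they reproduce the values printed in the article.
MASK = 0xFFFFFFFF

def ror(dword, bits=13):
    """Rotate a 32-bit value right by `bits` places."""
    return ((dword >> bits) | (dword << (32 - bits))) & MASK

def ror13_bytes(data):
    """Fold bytes into a 32-bit value: rotate right 13, then add the byte."""
    h = 0
    for b in data:
        h = (ror(h) + b) & MASK
    return h

def module_hash(module):
    # Assumption: upper-cased, widened to 16-bit characters, NUL included.
    return ror13_bytes((module.upper() + "\x00").encode("utf-16-le"))

def function_hash(function):
    # Assumption: 8-bit characters, case-sensitive, NUL included.
    return ror13_bytes((function + "\x00").encode("ascii"))

def api_hash(module, function):
    """Combined value: module hash plus function hash, modulo 2^32."""
    return (module_hash(module) + function_hash(function)) & MASK

def resolve(constant, candidates):
    """Return every module!function whose combined hash equals `constant`."""
    return [f"{m}!{f}" for m, f in candidates if api_hash(m, f) == constant]

# Constructed candidate list; in practice it is built from DLL export tables.
CANDIDATES = [
    ("test", "Load"),
    ("wininet.dll", "InternetOpenA"),
    ("wininet.dll", "InternetConnectA"),
    ("kernel32.dll", "LoadLibraryA"),
]

if __name__ == "__main__":
    print(f"Module ROR13 hash: 0x{module_hash('test'):X}")
    print(f"Function ROR13 hash: 0x{function_hash('Load'):X}")
    print(f"ROR13 Hash: 0x{api_hash('test', 'Load'):X}")
    print(resolve(0xA779563A, CANDIDATES))
```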

Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice