-2

I have a database of 700,000 MD5 virus signatures in the following format:

83968:961ed981485cea5ab3936496966ba0d6:Worm.Gaobot-318
86016:4bed8673ab3d695c52c233306ed3f733:Worm.Gaobot-319

Is there a way to convert the Md5 checksums to valid Hex signatures?
If so, how would (using VB.net) I convert the md5 checksum to hex, remove that first 83968: thing and leave the name in the same format?

So the end product would look like:

{valid hex signature} :Worm.Gaobot-318
Deduplicator
  • 44,692
  • 7
  • 66
  • 118
Seif Shawkat
  • 237
  • 2
  • 15

4 Answers4

1

Your "valid hex signature" isn't an MD5 hash - it's too long. MD5 produces 16 bytes, so 32 hex characters... your Eicar example is 80 characters (40 bytes).

You haven't specified what algorithm is used to come up with that "valid hex signature" in the first place, but assuming there's no redundancy there, you simply don't have enough information to produce it. It's like asking how to produce the synopsis of a play when you only know the first word of each speech.

Jon Skeet
  • 1,421,763
  • 867
  • 9,128
  • 9,194
  • The "Valid Hex signature" i provided doesn't have anything to do with MD5, it is a hex string of some bytes from a virus. The MD5 hashes i provided are also some bytes of a virus but they're encrypted in md5. – Seif Shawkat Feb 12 '11 at 17:35
  • @Seif: So if it doesn't have anything to do with the MD5 hash, why would you try to "convert" the MD5 hash into it? Note that MD5 is *not* encryption... it's hashing. You need to make your question a *lot* clearer - it's entirely unclear where any of this information comes from, or what you're trying to do. – Jon Skeet Feb 12 '11 at 17:38
  • Look, I have some MD5 virus signatures and I want to convert them to Hex virus signatures. – Seif Shawkat Feb 12 '11 at 17:40
  • @Seif: But you've said the two are unrelated: the hex sitnature doesn't have anything to do with the MD5. Therefore you can't perform a conversion. It's like trying to convert the first line of a book into the last line - you can't do it unless you've either got the book, or you've got a mapping of first lines to last lines. – Jon Skeet Feb 12 '11 at 18:00
  • @Seif: Yes, hex isn't MD5 - they're completely different concepts... but your MD5 is actually being *expressed* in hex already. You can't convert from the MD5 you currently have to the hex you need, without extra information. – Jon Skeet Feb 12 '11 at 21:57
  • @Seif: We can't tell, as you still haven't really explained what that "valid hex signature is". – Jon Skeet Feb 13 '11 at 09:20
  • @Jon: the hex signature is just part of a hex dump of a virus. – Seif Shawkat Feb 13 '11 at 15:09
  • @Seif You seem to be missing the point. You can't get from the MD5 hash to the signature unless you've got a lookup table of some sort somewhere. – Jon Skeet Feb 13 '11 at 15:53
1

I understand what you are saying. You've got a large collection of MD5s of viruses from the clam database. But later you came to know that MD5s are not good signatures but hex signatures are good. And now you want to convert the MD5s into hex.Its not possible. You can compute the MD5 of a given string, but you cannot get back the string from a given MD5.

Happy coding!

Mia Clarke
  • 8,134
  • 3
  • 49
  • 62
FarizRahman
  • 26
  • 1
  • I noticed that later, the MD5 is a checksum of the whole file while the Hex signature is only a part found in the file's hex dump. So they cannot be converted to each other. The downside with MD5 signatures is that if the coder of the virus changes anything minor in the code, the virus would have a different signature. – Seif Shawkat Feb 26 '13 at 14:47
1
$string fullStr = "83968:961ed981485cea5ab3936496966ba0d6:Worm.Gaobot-318 ";
$string name = fullStr.Split(":")[2];
$string md5 = fullStr.Split(":")[1];

This will give you the name and the md5 without the "83968" or ":"

Brad Larson
  • 170,088
  • 45
  • 397
  • 571
ben edgar
  • 11
  • 1
0

It looks like your MD5 values are already represented in a hexadecimal format. So you are good to go in that regard. The only thing left is to split the string on the ":" character. Assuming this is your format:

83968:961ed981485cea5ab3936496966ba0d6:Worm.Gaobot-318

Here is some C# psuedo code....

string fullStr = "83968:961ed981485cea5ab3936496966ba0d6:Worm.Gaobot-318 ";
string arr[] = fullStr.Split(":");
for(int i=0; i<arr.length; i++)
{
    Console.WriteLine(arr[i]);
}
Lord Tydus
  • 544
  • 2
  • 7
  • I don't mean to convert it to hex that way, I need to convert it to a hex signature, (you know, like a hex dump of a file...) – Seif Shawkat Feb 12 '11 at 22:13
  • It's already a signature in base 16 (hex). How can you proceed any further when the number is already represented in the desired base? – Lord Tydus Feb 13 '11 at 17:49
  • Yes but it's hashed in MD5 so that won't work, anyway, I don't think it's possible.. But, I just need to get more hex signatures – Seif Shawkat Feb 13 '11 at 22:33
  • What is your definition of "hex signature"? Content is often hashed with MD5 to provide a short identifier. This is the "signature". It can be used to verify downloads were successful, etc. The value resulting from MD5 is just an every day plain number. You can choose to visually display that number in base 2, 10, 16(hex), 64, whatever. The base you choose to display in is just to be friendly on human eyes. If you choose base 2 it will not be easy on the eyes. – Lord Tydus Feb 13 '11 at 22:58
  • what I mean by hex signature is a hex dump of part of a virus, I mean bytes converted to hex – Seif Shawkat Feb 13 '11 at 23:38
  • I may be missing the point, but it sounds like you want to take the bytes from part of a virus, hash it and compare it to the "signatures" you have in order to identify whether or not a virus is present? – Chris Dunaway Feb 14 '11 at 18:18