There are three "hash" options (md5, sha256 and sha512) that are each used to check some payload data against a hash value.
Each option requires two arguments: the actual hash enclosed in double quotes and the number of bytes from the payload to hash. Additionally, users can specify an offset argument to check bytes at a specific location and/or the relative argument to hash the bytes relative to the current cursor location.
The offset value can be either an integer from -65535:65535, or it can be the name of a variable extracted with
Lastly, each hash option can be negated by placing a ! before the hash value.
All three options are structured the same with the only difference being the option name.
Note: Because hash values are typically represented in hex format, the hash values should also be enclosed in vertical bars (|) inside the quotes.
md5:[!]"|hash|", length length[, offset offset][, relative];
md5:"|7cf2db5ec261a0fa27a502d3196a6f60|", length 100, offset 0, relative;
sha256:[!]"|hash|", length length[, offset offset][, relative];
sha256:"|9ed1515819dec61fd361d5fdabb57f41ecce1a5fe1fe263b98c0d6943b9b232e|", \
    length 100, offset 0, relative;
sha512:[!]"|hash|", length length[, offset offset][, relative];
sha512:"|d8fefb4255686e6bf365b0f4763fad983f624beb7cbbb59b617c745c346b8db51a870fe0a89cfba036cfbf2d011686b881acd8ab3278b318a304227ac2a99072|", \
    length 100, offset 0, relative;
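The following rule-authoring helper is an added example, not part of the original documentation or the Snort code base. It hashes a chosen byte window of a sample payload and renders it in the option format shown above, and models how length, offset, relative and negation select and compare bytes. The function names, the sample payload, the cursor parameter and the out-of-bounds behaviour are assumptions made for illustration.

```python
import hashlib

# The three hash options named on the page, mapped to hashlib constructors.
ALGOS = {"md5": hashlib.md5, "sha256": hashlib.sha256, "sha512": hashlib.sha512}

def window(payload, length, offset=0, relative=False, cursor=0):
    """Return the bytes an option would hash, or None if they fall outside the payload."""
    # With "relative", the offset is counted from the current cursor, not from byte 0.
    start = (cursor if relative else 0) + offset
    if length < 1 or start < 0 or start + length > len(payload):
        return None
    return payload[start:start + length]

def build_option(algo, payload, length, offset=None, relative=False, cursor=0, negate=False):
    """Hash the selected bytes and render them in the page's option format."""
    if offset is not None and not -65535 <= offset <= 65535:
        raise ValueError("offset must be within -65535:65535")
    data = window(payload, length, offset or 0, relative, cursor)
    if data is None:
        raise ValueError("selected bytes fall outside the sample payload")
    # Hex digest goes between vertical bars, inside the double quotes.
    option = f'{algo}:{"!" if negate else ""}"|{ALGOS[algo](data).hexdigest()}|", length {length}'
    if offset is not None:
        option += f", offset {offset}"
    if relative:
        option += ", relative"
    return option + ";"

def evaluate(algo, hex_hash, payload, length, offset=0, relative=False, cursor=0, negate=False):
    """Model of the match decision (assumption: an out-of-bounds window never matches)."""
    data = window(payload, length, offset, relative, cursor)
    if data is None:
        return False
    # Negation inverts the result of the hash comparison.
    return (ALGOS[algo](data).hexdigest() == hex_hash.lower()) != negate

# Constructed sample: a 4-byte header followed by the bytes to pin with a hash.
SAMPLE = b"HDR:abc-tail"

if __name__ == "__main__":
    # Cursor assumed to sit just past "HDR:", e.g. after an earlier match in the rule.
    print(build_option("md5", SAMPLE, 3, offset=0, relative=True, cursor=4))
    print(build_option("sha256", SAMPLE, 3, offset=4))
```
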