Continue to Site

Welcome to EDAboard.com

Welcome to our site! EDAboard.com is an international Electronics Discussion Forum focused on EDA software, circuits, schematics, books, theory, papers, asic, pld, 8051, DSP, Network, RF, Analog Design, PCB, Service Manuals... and a whole lot more! To participate you need to register. Registration is free. Click here to register now.

Register Log in

Hex string checksum

Status
Not open for further replies.
C

crono81

Newbie level 5
Newbie level 5
Joined
Jun 24, 2020
Messages
8
Helped
0
Reputation
0
Reaction score
0
Trophy points
1
Activity points
49
Hello, can some one help me out with this sum, I can´t figure it out:

aa00000000982e00000002007200047109000000000000000471504945524e412050554552434f204148554d414441204348494d45582047524e4c20312e3020756e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200010004000000007590000000000000000000000000003cff0000189912300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000189912300000189912300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000479c
Click to expand...


aa00000000982e00000002007200047109000000000000000471504945524e412050554552434f204148554d414441204348494d45582047524e4c20312e3020756e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200020004000000007590000000000000000000000000003cff0000189912300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000189912300000189912300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000bc97
Click to expand...

It only changes in the 299 th digit from 1 to 2, the last 4 digits are the checksum.
Thanks.
I can provide more samples.
 
Last edited by a moderator:

what kind of help would you like?

you called it a checksum - that usually means the bytes are added up, and the checksup is
either the sum, or what needs to be added to get 0, overflows ignored.

sometimes the checksum is a cyclic redundancy check
CRC is based on linear feedback shift registers
HP used them many years ago for signature analysis
(LONG before it split to HP and Agilent)

how was your checksum produced?
 

Since the checksum changes so much for a minimal data change, it is probably a 16-bit CRC.
There are a number of possible polynomials, bit orders, initial data and xor combinations to try.
You can try this with software downloaded from this site:


Your strings are too long for the online tool they have.
 

Thanks.
wwfeldman said:
what kind of help would you like?...
Click to expand...
I need to know how the last 4 digits are calculated, I don't know if it's a checksum.
What I know, it's a package sent through udp protocol to a ethernet scale device.

std_match said:
Since the checksum changes so much for a minimal data change, it is probably a 16-bit CRC.
There are a number of possible polynomials, bit orders, initial data and xor combinations to try.
You can try this with software downloaded from this site:


Your strings are too long for the online tool they have.
Click to expand...
Thanks, I will try it.
 

It's not the cheksum of the udp, it's a checksum of the data itself, I'm trying to debug the assembler code that generates it.
 

crono81 said:
It's not the cheksum of the udp, it's a checksum of the data itself, I'm trying to debug the assembler code that generates it.
Click to expand...
It is easier to help if you post the assembler code for the checksum/CRC calculation here.
 

I'm looking for the specific block of code. Can I send You the program and dll that is used to generate it?

EDIT:
I found this loop on the memory access that contains the data:

Code: 
Address   Hex dump          Command                                  Comments
01287C4E  |>  DD1402        /FST QWORD PTR DS:[EAX+EDX]              ; FLOAT 0.0
01287C51  |.  DD5402 08     |FST QWORD PTR DS:[EAX+EDX+8]
01287C55  |.  83C2 10       |ADD EDX,10
01287C58  |.  7C F4         \JL SHORT 01287C4E
 
Last edited:

That loop is probably only for clearing the memory area. It isn't a checksum calculation.
 

Thanks for Your help.
I found something, in this block the data is read, and computed, kind of
Code: 
CPU Disasm
Address   Hex dump          Command                                           Comments
012D70E3  |>  8B45 FC       /MOV EAX,DWORD PTR SS:[EBP-4]
012D70E6  |.  03C3          |ADD EAX,EBX
012D70E8  |.  FF55 EC       |CALL DWORD PTR SS:[EBP-14]  <<--------------------CALL 1
012D70EB  |.  8BF8          |MOV EDI,EAX
012D70ED  |.  66:83FF 0A    |CMP DI,0A
012D70F1  |.- 0F85 89000000 |JNE 012D7180
012D70F7  |.  837D F4 00    |CMP DWORD PTR SS:[EBP-0C],0
012D70FB  |.- 74 74         |JE SHORT 012D7171
012D70FD  |.  8B06          |MOV EAX,DWORD PTR DS:[ESI]
012D70FF  |.  8945 E8       |MOV DWORD PTR SS:[EBP-18],EAX
012D7102  |.  837D E8 00    |CMP DWORD PTR SS:[EBP-18],0
012D7106  |.- 74 0B         |JE SHORT 012D7113
012D7108  |.  8B45 E8       |MOV EAX,DWORD PTR SS:[EBP-18]
012D710B  |.  83E8 04       |SUB EAX,4
012D710E  |.  8B00          |MOV EAX,DWORD PTR DS:[EAX]
012D7110  |.  8945 E8       |MOV DWORD PTR SS:[EBP-18],EAX
012D7113  |>  8B45 E8       |MOV EAX,DWORD PTR SS:[EBP-18]
012D7116  |.  40            |INC EAX
012D7117  |.  50            |PUSH EAX
012D7118  |.  8BC6          |MOV EAX,ESI
012D711A  |.  B9 01000000   |MOV ECX,1
012D711F  |.  8B15 58092D01 |MOV EDX,DWORD PTR DS:[12D0958]
012D7125  |.  E8 0658E5FF   |CALL 0112C930
012D712A  |.  83C4 04       |ADD ESP,4
012D712D  |.  8B06          |MOV EAX,DWORD PTR DS:[ESI]
012D712F  |.  8945 E4       |MOV DWORD PTR SS:[EBP-1C],EAX
012D7132  |.  837D E4 00    |CMP DWORD PTR SS:[EBP-1C],0
012D7136  |.- 74 0B         |JE SHORT 012D7143
012D7138  |.  8B45 E4       |MOV EAX,DWORD PTR SS:[EBP-1C]
012D713B  |.  83E8 04       |SUB EAX,4
012D713E  |.  8B00          |MOV EAX,DWORD PTR DS:[EAX]
012D7140  |.  8945 E4       |MOV DWORD PTR SS:[EBP-1C],EAX
012D7143  |>  8B06          |MOV EAX,DWORD PTR DS:[ESI]
012D7145  |.  8B55 E4       |MOV EDX,DWORD PTR SS:[EBP-1C]
012D7148  |.  8B4D F8       |MOV ECX,DWORD PTR SS:[EBP-8]
012D714B  |.  894CD0 F8     |MOV DWORD PTR DS:[EDX*8+EAX-8],ECX
012D714F  |.  8B06          |MOV EAX,DWORD PTR DS:[ESI]
012D7151  |.  8945 E0       |MOV DWORD PTR SS:[EBP-20],EAX
012D7154  |.  837D E0 00    |CMP DWORD PTR SS:[EBP-20],0
012D7158  |.- 74 0B         |JE SHORT 012D7165
012D715A  |.  8B45 E0       |MOV EAX,DWORD PTR SS:[EBP-20]
012D715D  |.  83E8 04       |SUB EAX,4
012D7160  |.  8B00          |MOV EAX,DWORD PTR DS:[EAX]
012D7162  |.  8945 E0       |MOV DWORD PTR SS:[EBP-20],EAX
012D7165  |>  8B06          |MOV EAX,DWORD PTR DS:[ESI]
012D7167  |.  8B55 E0       |MOV EDX,DWORD PTR SS:[EBP-20]
012D716A  |.  8B4D F4       |MOV ECX,DWORD PTR SS:[EBP-0C]
012D716D  |.  894CD0 FC     |MOV DWORD PTR DS:[EDX*8+EAX-4],ECX
012D7171  |>  8BC3          |MOV EAX,EBX
012D7173  |.  0345 F0       |ADD EAX,DWORD PTR SS:[EBP-10]
012D7176  |.  8945 F8       |MOV DWORD PTR SS:[EBP-8],EAX
012D7179  |.  33C0          |XOR EAX,EAX
012D717B  |.  8945 F4       |MOV DWORD PTR SS:[EBP-0C],EAX
012D717E  |.- EB 0C         |JMP SHORT 012D718C
012D7180  |>  66:83FF 0D    |CMP DI,0D
012D7184  |.- 74 06         |JE SHORT 012D718C
012D7186  |.  8B45 F0       |MOV EAX,DWORD PTR SS:[EBP-10]
012D7189  |.  0145 F4       |ADD DWORD PTR SS:[EBP-0C],EAX
012D718C  |>  035D F0       |ADD EBX,DWORD PTR SS:[EBP-10]
012D718F  |>  8B45 FC       |MOV EAX,DWORD PTR SS:[EBP-4]
012D7192  |.  E8 F553E5FF   |CALL 0112C58C    <<-----------------------CALL 2
012D7197  |.  3BD8          |CMP EBX,EAX
012D7199  |.- 0F8C 44FFFFFF \JL 012D70E3
CALL 1
Code: 
CPU Disasm
Address   Hex dump          Command                                           Comments
012D6FEC  /.  0FB700        MOVZX EAX,WORD PTR DS:[EAX]
012D6FEF  \.  C3            RETN
CALL 2
Code: 
CPU Disasm
Address   Hex dump          Command                                           Comments
0112C58C  /$  85C0          TEST EAX,EAX
0112C58E  |.  74 05         JZ SHORT 0112C595
0112C590  |.  83E8 04       SUB EAX,4
0112C593  |.  8B00          MOV EAX,DWORD PTR DS:[EAX]
0112C595  \>  C3            RETN

Other involved loop
Code: 
CPU Disasm
Address   Hex dump          Command                                           Comments
012D52F4  |>  8B45 FC       /MOV EAX,DWORD PTR SS:[EBP-4]
012D52F7  |.  0FB74458 FE   |MOVZX EAX,WORD PTR DS:[EBX*2+EAX-2]
012D52FC  |.  66:3B45 FA    |CMP AX,WORD PTR SS:[EBP-6]
012D5300  |.- 75 47         |JNE SHORT 012D5349
012D5302  |.  8B06          |MOV EAX,DWORD PTR DS:[ESI]
012D5304  |.  85C0          |TEST EAX,EAX
012D5306  |.- 74 05         |JZ SHORT 012D530D
012D5308  |.  83E8 04       |SUB EAX,4
012D530B  |.  8B00          |MOV EAX,DWORD PTR DS:[EAX]
012D530D  |>  8945 F0       |MOV DWORD PTR SS:[EBP-10],EAX
012D5310  |.  8B45 F0       |MOV EAX,DWORD PTR SS:[EBP-10]
012D5313  |.  40            |INC EAX
012D5314  |.  50            |PUSH EAX
012D5315  |.  8BC6          |MOV EAX,ESI
012D5317  |.  B9 01000000   |MOV ECX,1
012D531C  |.  8B15 B0072D01 |MOV EDX,DWORD PTR DS:[12D07B0]
012D5322  |.  E8 0976E5FF   |CALL 0112C930
012D5327  |.  83C4 04       |ADD ESP,4
012D532A  |.  8B06          |MOV EAX,DWORD PTR DS:[ESI]
012D532C  |.  8B55 F0       |MOV EDX,DWORD PTR SS:[EBP-10]
012D532F  |.  8D0490        |LEA EAX,[EDX*4+EAX]
012D5332  |.  50            |PUSH EAX                                         ; /Arg1
012D5333  |.  8BCB          |MOV ECX,EBX                                      ; |
012D5335  |.  2B4D F4       |SUB ECX,DWORD PTR SS:[EBP-0C]                    ; |
012D5338  |.  8B55 F4       |MOV EDX,DWORD PTR SS:[EBP-0C]                    ; |
012D533B  |.  8B45 FC       |MOV EAX,DWORD PTR SS:[EBP-4]                     ; |
012D533E  |.  E8 A95EE5FF   |CALL 0112B1EC                                    ; \AclasSDK.0112B1EC
012D5343  |.  8D43 01       |LEA EAX,[EBX+1]
012D5346  |.  8945 F4       |MOV DWORD PTR SS:[EBP-0C],EAX
012D5349  |>  43            |INC EBX
012D534A  |.  4F            |DEC EDI
012D534B  |.- 75 A7         \JNZ SHORT 012D52F4

KernelBase - loop the data field by field
Code: 
CPU Disasm
Address   Hex dump          Command                                           Comments
763E2200  |> /0FB702        /MOVZX EAX,WORD PTR DS:[EDX]
763E2203  |. |8D76 01       |LEA ESI,[ESI+1]
763E2206  |. |49            |DEC ECX
763E2207  |. |83C2 02       |ADD EDX,2
763E220A  |. |8A0438        |MOV AL,BYTE PTR DS:[EDI+EAX]
763E220D  |. |8846 FF       |MOV BYTE PTR DS:[ESI-1],AL
763E2210  |. |85C9          |TEST ECX,ECX
763E2212  |.^\7F EC         \JG SHORT 763E2200
 
Last edited:

I don't see anything interesting there. The code for some calls are missing.
If you can single-step the code, you should be able to see where the CRC/checksum is calculated.
I expect an "XOR" instruction for a CRC calculation (the "XOR EAX,EAX" is only a way to clear the EAX register).
 

I found a loop that runs through the length of the package:
Code: 
CPU Disasm
Address   Hex dump          Command                                  Comments
0139B483  |>  8B03          /MOV EAX,DWORD PTR DS:[EBX]
0139B485  |.  0FB61430      |MOVZX EDX,BYTE PTR DS:[ESI+EAX]
0139B489  |.  8D45 FC       |LEA EAX,[EBP-4]
0139B48C  |.  E8 6FFBFFFF   |CALL 0139B000      <------------------- Call 1
0139B491  |.  46            |INC ESI
0139B492  |.  4F            |DEC EDI
0139B493  |.- 75 EE         \JNZ SHORT 0139B483

Call 1
Code: 
CPU Disasm
Address   Hex dump          Command                                  Comments
0139B000  /$  53            PUSH EBX
0139B001  |.  66:C1E2 08    SHL DX,8
0139B005  |.  B9 08000000   MOV ECX,8
0139B00A  |>  0FB718        /MOVZX EBX,WORD PTR DS:[EAX]
0139B00D  |.  66:33DA       |XOR BX,DX
0139B010  |.  66:81E3 0080  |AND BX,8000
0139B015  |.  66:81FB 0080  |CMP BX,8000
0139B01A  |.- 75 0F         |JNE SHORT 0139B02B
0139B01C  |.  0FB718        |MOVZX EBX,WORD PTR DS:[EAX]
0139B01F  |.  03DB          |ADD EBX,EBX
0139B021  |.  66:81F3 2110  |XOR BX,1021
0139B026  |.  66:8918       |MOV WORD PTR DS:[EAX],BX
0139B029  |.- EB 03         |JMP SHORT 0139B02E
0139B02B  |>  66:D120       |SHL WORD PTR DS:[EAX],1
0139B02E  |>  03D2          |ADD EDX,EDX
0139B030  |.  49            |DEC ECX
0139B031  |.- 75 D7         \JNZ SHORT 0139B00A
0139B033  |.  5B            POP EBX
0139B034  \.  C3            RETN
 

Ok, I found the algorithm used to the calculation, it's CRC-16/XMODEM, thanks to this page https://crccalc.com/
The calculation is based in a part of the string I posted at the beginning.

With this string:
00047109000000000000000471504945524e412050554552434f204148554d414441204348494d45582047524e4c20312e3020756e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200010004000000007590000000000000000000000000003cff0000189912300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000189912300000189912300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Click to expand...
I get 0x479C, as spected.
Can you guys explain me the algorithm?

Thanks a lot.
 
Last edited by a moderator:

The CRC-16(XMODEM) make use of the same polynomial (0x1021) also used by CRC-16(CCITT), and the only difference between both is that the first one feed 0x0000 as the initial value whereas the last one feed 0xFFFF. BTW, just out of curiosity I did some experiments with some websites, and I would never find the same result as you since the above string is different from the one originally posted.
 

andre_teprom said:
BTW, just out of curiosity I did some experiments with some websites, and I would never find the same result as you since the above string is different from the one originally posted.
Click to expand...
Thanks for the advice.
The original string it's the entire package sent to the device, but the checksum it's calculated from a fraction of that string, I think that the bytes at the beginning are the command, indicating what should the device do with the info sent.
These: aa00000000982e000000020072
 

Status
Not open for further replies.

Similar threads

Part and Inventory Search

Welcome to EDABoard.com

Sponsor

Back
Top