Some file hashes are not the same as ssdeep

description

I use your code to generate a malware (EXE) hash (sample from VirusTotal), and here's the result:
1536:OAcwPf5D8rUTmnX9maQ6SgM5Uob7eBOsZFw40ob7eBOsUMzFRrbqcqz:vBZNMIgTe7eOsZFw5e7eOsxRrbe

When I use the original ssdeep and an online hash, here's the result:
1536:OAcwPf5D8rUTmnX9maQ6SgM5Uob7eBOsZFw40ob7eBOsUMzFRrbqcqzP:vBZNMIgTe7eOsZFw5e7eOsxRrbeP

There's a difference. Your code omits the last char (P) from the first part of the hash and the second part of the hash.

And here's another example; your code omits the last char (V) from the first part of the hash and the char (B) from the second part of the hash:
Using your code:
768:J/n/s4NzTSD5IZfRrbjOmd2VZX+DNxEUKbO5/Pd4PV2g1Q3qv35BMC:JsgToKHSmdkIDNxfdPy35

Using the original ssdeep program:
768:J/n/s4NzTSD5IZfRrbjOmd2VZX+DNxEUKbO5/Pd4PV2g1Q3qv35BMCV:JsgToKHSmdkIDNxfdPy35B

Thanks,
Sorry for bad English

comments

Hyldahl wrote Apr 2, 2015 at 11:47 AM

Thanks
I have updated the code and moved it to GitHub.

https://github.com/Hyldahl/Fuzzy-Hashing
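A regression check for the mismatch reported above, added here as an example and not part of the project's code: it parses two ssdeep digests in the `blocksize:part1:part2` form and reports, per part, whether the port's output matches the reference or is the reference with trailing characters missing. The function names are hypothetical; the sample digests are the ones quoted in the report.

```python
from typing import NamedTuple, Optional, Tuple


class Digest(NamedTuple):
    block_size: int
    part1: str
    part2: str


def parse_digest(text: str) -> Digest:
    """Parse 'blocksize:part1:part2', ignoring an optional ',"filename"' suffix."""
    body = text.strip().split(",", 1)[0]  # ',' is not in the signature alphabet
    fields = body.split(":")
    if len(fields) != 3 or not fields[0].isdigit():
        raise ValueError(f"not an ssdeep digest: {text!r}")
    return Digest(int(fields[0]), fields[1], fields[2])


def classify_part(candidate: str, reference: str) -> Tuple[str, Optional[str]]:
    """Return (status, missing_tail) for one signature part."""
    if candidate == reference:
        return ("match", None)
    if reference.startswith(candidate):
        # The candidate stops early; report exactly what was dropped.
        return ("truncated", reference[len(candidate):])
    return ("differs", None)


def compare(candidate: str, reference: str) -> dict:
    """Compare a port's digest against the reference ssdeep digest."""
    c, r = parse_digest(candidate), parse_digest(reference)
    if c.block_size != r.block_size:
        return {"block_size": ("differs", None)}
    return {
        "part1": classify_part(c.part1, r.part1),
        "part2": classify_part(c.part2, r.part2),
    }


# Digests copied from the report above: (port output, reference ssdeep output).
REPORTED = [
    ("1536:OAcwPf5D8rUTmnX9maQ6SgM5Uob7eBOsZFw40ob7eBOsUMzFRrbqcqz:vBZNMIgTe7eOsZFw5e7eOsxRrbe",
     "1536:OAcwPf5D8rUTmnX9maQ6SgM5Uob7eBOsZFw40ob7eBOsUMzFRrbqcqzP:vBZNMIgTe7eOsZFw5e7eOsxRrbeP"),
    ("768:J/n/s4NzTSD5IZfRrbjOmd2VZX+DNxEUKbO5/Pd4PV2g1Q3qv35BMC:JsgToKHSmdkIDNxfdPy35",
     "768:J/n/s4NzTSD5IZfRrbjOmd2VZX+DNxEUKbO5/Pd4PV2g1Q3qv35BMCV:JsgToKHSmdkIDNxfdPy35B"),
]

if __name__ == "__main__":
    for port_out, ref_out in REPORTED:
        print(compare(port_out, ref_out))
```
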