Some hashes not resolving via plugin, but are confirmed present in hashdb

[michaeljgoodman]

When processing some hashes from a sample, only half the hashes get hits when using the script. When testing, a number of these have been confirmed to be present in hashdb. example:

hash: 7B334076h
algorithm: add_ror13
transformation: X ^ 0x43013fcc

result in plugin: nothing found, 0 enums added

steps of manual check for reference:
hash hex to dec: 2066956406
xor key hex to dec: 1124155340
xor result: 94283359
[GET] call to hashdb api: https://hashdb.openanalysis.net/hash/add_ror13/942833594

result:

{
  "hashes": [
    {
      "hash": 942833594,
      "string": {
        "string": "ole32.dll",
        "is_api": false
      }
    }
  ]
}

[michaeljgoodman]

{
  "hashes": [
    {
      "hash": 3476597681,
      "string": {
        "string": "advapi32.dll\u0000RegSetValueExW",
        "is_api": true,
        "permutation": "dll_lower_null_api",
        "api": "RegSetValueExW",
        "modules": [
          "advapi32"
        ]
      }
    }
  ]
}

added some verbosity and can see that the plugin is forming an api request of <server>/hash/add_ror13/-818369615 we can see once again that it is getting confused by the signage

[huettenhain]

Hey @michaelgoodman-cr, can you share the hash for the sample? That would probably help to reproduce this.

[larsborn]

I think this was resolved together with #2. @michaelgoodman-cr feel free to reopen if it's not fixed!