2024-04-29

Navigation

Skip Navigation Links

Hash algorithms

Asymmetric Algorithms

Symmetric Cipher Algorithms

Encoding Algorithms

Compression Algorithms

Pseudo Random Number Algorithms

Steganography

Library Wrappers

String Comparison

Others

Syntax highlighting by Prism
PBCrypto.com Mirror

W32.SQL-Slammer Pseudo-Random Number Generation

Algorithm creator(s)

Probably the same malicious person who wrote the SQL-Slammer worm that uses the PRNG.

PB author(s)

Wayne Diamond

Description

A very simple but effective PRNG used by the W32.SQL-Slammer worm to attack random IP addresses.

Note

For info on the worm itself, just websearch for SQL Slammer worm

Source

n/a

See also

Source Code

Download source code file slammer-prng.bas (Right-click -> "Save as ...") 

'The W32.SQL-Slammer Pseudo-Random Number Generator
'The worm goes by the names of SQL-Slammer (by anti-virus companies) and Sapphire (by eEye)
'A disassembly of the worm can be found at http://www.techie.hopto.org/sqlworm.html
'Here is a PB implementation of the PRNG algorithm the worm uses. The main difference is
'that the worm uses ebp-4Ch as its seed location (which is the location of the remote
'IP address used by the worm). My implementation simply stores this as a global variable.
'Ive made it show the output as both hexadecimal and IP address formats, as the worm is
'actually generating random IP addresses. The worm uses GetTickCount to initialise its seed.
'###########################################################################################

#COMPILE EXE
#INCLUDE "win32api.inc"

GLOBAL RandSeed AS LONG

UNION ipAddress
   address AS LONG
   octet(1 TO 4) AS BYTE
END UNION

FUNCTION ipAsString$ (BYVAL x AS LONG) AS STRING
    DIM n AS ipAddress
    n.address = x
    FUNCTION = FORMAT$(n.octet(1)) & "." & FORMAT$(n.octet(2)) & "." & _
               FORMAT$(n.octet(3)) & "." & FORMAT$(n.octet(4))
END FUNCTION

SUB SlammerRnd()  'The PRNG algorithm
#REGISTER NONE
 ! mov eax, RandSeed
 ! lea ecx, [eax+eax*2]
 ! lea edx, [eax+ecx*4]
 ! shl edx, 4
 ! add edx, eax
 ! shl edx, 8
 ! sub edx, eax
 ! lea eax, [eax+edx*4]
 ! add eax, ebx
 ! mov RandSeed, eax
END SUB

FUNCTION PBMAIN() AS LONG
ON ERROR RESUME NEXT
DIM I AS LONG, S AS STRING
RandSeed = GetTickCount    'the worm uses GetTickCount to initialise the seed
FOR I = 1 TO 10
    SlammerRnd
    S = S & STR$(I) & " = " & HEX$(RandSeed,8) & " [" & IPAsString(BYVAL RandSeed) & "]" & $CRLF
NEXT
#IF NOT %DEF(%PB_CC32)
 MSGBOX s
#ELSE
 STDOUT s
#ENDIF
END FUNCTION

Mirror provided by Knuth Konrad