
[Rule Idea] - Validate CC Number using Luhn's (.NET variation)

Open re-fox opened this issue 3 years ago • 0 comments

Prerequisites

  • [x] Put an X between the brackets on this line if you have done all of the following:
    • Checked that your rule idea isn't already filed: search

Summary

Currently, the 2 rules for Luhn's algorithm are built using some x86-specific mnemonics. It would be useful to have a .NET version looking for the same algorithm.

Examples

An implementation can be found in the sample 90140a12763b56ffbbefa1a77fb2fbff7988828e61c7b9730d3a8d84b3c5db9f

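private bool IsValidCreditCardNumber(string number)
{
	// Strip the separators commonly found in card numbers.
	number = number.Replace("-", string.Empty);
	number = number.Replace(" ", string.Empty);
	// Delta table: digit + array[digit] gives the Luhn "doubled" value (2d, minus 9 when 2d > 9).
	int[] array = new int[10] {0,1,2,3,4,-4,-3,-2,-1,0};
	int num = 0;
	char[] array2 = number.ToCharArray();
	// Walk the digits from right to left.
	for (int num2 = array2.Length - 1; num2 > -1; num2--)
	{
		// ASCII digit to integer (subtract '0' == 48 == 0x30).
		int num3 = array2[num2] - 48;
		num += num3;
		// Every second digit, counted from the right, also gets its delta added.
		if ((num2 - array2.Length) % 2 == 0)
		{
			num += array[num3];
		}
	}
	// Valid when the checksum is a multiple of 10.
	return num % 10 == 0;
}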

Features

Using dncil:

Method: IsValidCreditCardNumber
16E4    03                  ldarg.1        
16E5    72 54 04 00 70      ldstr          "-"
16EA    7e 33 00 00 0a      ldsfld         System.String::Empty
16EF    6f a3 00 00 0a      callvirt       System.String::Replace
16F4    10 01               starg.s        argument(0x0001)
16F6    03                  ldarg.1        
16F7    72 58 04 00 70      ldstr          " "
16FC    7e 33 00 00 0a      ldsfld         System.String::Empty
1701    6f a3 00 00 0a      callvirt       System.String::Replace
1706    10 01               starg.s        argument(0x0001)
1708    1f 0a               ldc.i4.s       0xa
170A    8d 6c 00 00 01      newarr         System.Int32
170F    25                  dup            
1710    d0 bb 00 00 04      ldtoken        F364C739E7AD18CDC8D2C2142680F4FBFC38EFD9
1715    28 a4 00 00 0a      call           System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray
171A    0a                  stloc.0        
171B    16                  ldc.i4.0       
171C    0b                  stloc.1        
171D    03                  ldarg.1        
171E    6f a5 00 00 0a      callvirt       System.String::ToCharArray
1723    0c                  stloc.2        
1724    08                  ldloc.2        
1725    8e                  ldlen          
1726    69                  conv.i4        
1727    17                  ldc.i4.1       
1728    59                  sub            
1729    0d                  stloc.3        
172A    2b 21               br.s           0x174d
172C    08                  ldloc.2        
172D    09                  ldloc.3        
172E    93                  ldelem.u2      
172F    1f 30               ldc.i4.s       0x30
1731    59                  sub            
1732    13 04               stloc.s        local(0x0004)
1734    07                  ldloc.1        
1735    11 04               ldloc.s        local(0x0004)
1737    58                  add            
1738    0b                  stloc.1        
1739    09                  ldloc.3        
173A    08                  ldloc.2        
173B    8e                  ldlen          
173C    69                  conv.i4        
173D    59                  sub            
173E    18                  ldc.i4.2       
173F    5d                  rem            
1740    2d 07               brtrue.s       0x1749
1742    07                  ldloc.1        
1743    06                  ldloc.0        
1744    11 04               ldloc.s        local(0x0004)
1746    94                  ldelem.i4      
1747    58                  add            
1748    0b                  stloc.1        
1749    09                  ldloc.3        
174A    17                  ldc.i4.1       
174B    59                  sub            
174C    0d                  stloc.3        
174D    09                  ldloc.3        
174E    15                  ldc.i4.m1      
174F    30 db               bgt.s          0x182c
1751    07                  ldloc.1        
1752    1f 0a               ldc.i4.s       0xa
1754    5d                  rem            
1755    16                  ldc.i4.0       
1756    fe 01               ceq            
1758    2a                  ret            

Additional context

Rule details

Some features that might be leveraged to build a rule:

If the array is exposed as a feature, it should be stored in the form of

    .data cil I_000028A0 = bytearray (
        00 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00
        04 00 00 00 fc ff ff ff fd ff ff ff fe ff ff ff
        ff ff ff ff 00 00 00 00
    )
  • Init of newarray that stores the lookup values
170A    8d 6c 00 00 01      newarr         System.Int32
  • Sub 0x30 to convert string integer to int
172F    1f 30               ldc.i4.s       0x30
1731    59                  sub     
  • Mod 10 before return
1752    1f 0a               ldc.i4.s       0xa
1754    5d                  rem 

(optional)

1756    fe 01               ceq            

Namespace

data-manipulation/checksum/luhn

References

Other rule meta information

mbc Data::Checksum::Luhn [C0032.002]

re-fox avatar Jul 08 '22 17:07 re-fox
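
An added example, not part of the original issue and not capa or dncil code: a raw byte search for the features listed under "Rule details", run against the method bytes transcribed from the listing above, together with a check that the lookup table really encodes Luhn's doubling step. The function names and the padded data buffer are assumptions made for this illustration; a real rule would match disassembled instructions rather than raw bytes.

```python
import struct

# Delta table from the decompiled method: digit + DELTAS[digit] is the Luhn-doubled digit.
DELTAS = [0, 1, 2, 3, 4, -4, -3, -2, -1, 0]
TABLE_BLOB = struct.pack("<10i", *DELTAS)  # int32[10], little-endian, 40 bytes

# IL byte patterns from the listing; metadata tokens are left out (they differ per assembly).
IL_PATTERNS = {
    "ldc.i4.s 0xa; newarr": bytes.fromhex("1f0a8d"),
    "ldc.i4.s 0x30; sub": bytes.fromhex("1f3059"),
    "ldc.i4.s 0xa; rem": bytes.fromhex("1f0a5d"),
}

METHOD_BASE = 0x16E4  # address of the first instruction in the listing
METHOD_BODY = bytes.fromhex(
    "03 7254040070 7e3300000a 6fa300000a 1001 03 7258040070 7e3300000a 6fa300000a 1001"
    "1f0a 8d6c000001 25 d0bb000004 28a400000a 0a 16 0b 03 6fa500000a 0c 08 8e 69 17 59 0d 2b21"
    "08 09 93 1f30 59 1304 07 1104 58 0b 09 08 8e 69 59 18 5d 2d07"
    "07 06 1104 94 58 0b 09 17 59 0d 09 15 30db 07 1f0a 5d 16 fe01 2a"
)

def delta_table_is_luhn(deltas):
    """True if digit + delta reproduces Luhn doubling for every digit 0-9."""
    return all(d + deltas[d] == (2 * d if d < 5 else 2 * d - 9) for d in range(10))

def luhn_table_check(number):
    """Python port of the decompiled method; the non-digit guard is added here."""
    digits = number.replace("-", "").replace(" ", "")
    if not (digits.isascii() and digits.isdigit()):
        return False
    total = 0
    for i in range(len(digits) - 1, -1, -1):
        d = ord(digits[i]) - 48
        total += d
        if (i - len(digits)) % 2 == 0:  # every second digit from the right
            total += DELTAS[d]
    return total % 10 == 0

def find_features(body, base, data):
    """Map each feature name to the address of its first hit, or None."""
    hits = {n: body.find(p) for n, p in IL_PATTERNS.items()}
    hits = {n: base + o if o >= 0 else None for n, o in hits.items()}
    hits["delta table blob"] = data.find(TABLE_BLOB) if TABLE_BLOB in data else None
    return hits

SAMPLE_DATA = b"\xcc" * 8 + TABLE_BLOB  # constructed stand-in for the data section
print(find_features(METHOD_BODY, METHOD_BASE, SAMPLE_DATA))
```
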