resolve function by FIN8 fasthash

rule:
  meta:
    name: resolve function by FIN8 fasthash
    namespace: linking/runtime-linking
    authors:
      - "@r3c0nst (Frank Boldewin)"
    description: APIHashing algorithm derived from a fasthash implementation in OpenCPN using seeds
    scopes:
      static: function
      dynamic: unsupported
    mbc:
      - Cryptography::Cryptographic Hash [C0029]
    references:
      - https://www.bitdefender.com/files/News/CaseStudies/study/394/Bitdefender-PR-Whitepaper-BADHATCH-creat5237-en-EN.pdf
      - https://raw.githubusercontent.com/fboldewin/YARA-rules/master/Shellcode.APIHashing.FIN8.yar
    examples:
      - B43FCA5283BFC7022553EFF663683834:0x12F
      - 4BF70EA92979DD88C9761EE848370050:0x28b
  features:
    - or:
      - basic block:
        - and:
          - description: 64-bit constants
          - mnemonic: mov
          - number: 0x880355F21E6D1965
          - number: 0x2127599BF4325C37
          - mnemonic: add
      - basic block:
        - and:
          - description: 32-bit constants
          - mnemonic: push
          - number: 0x880355F2
          - number: 0x1E6D1965
          - mnemonic: shr
          - mnemonic: xor
      - basic block:
        - and:
          - mnemonic: push
          - number: 0x2127599B
          - mnemonic: shr
          - mnemonic: xor
          - number: 0xF4325C37