flat assembler
Message board for the users of flat assembler.

Self CRC Check
Overflowz 23 Oct 2012, 23:52
Hi, I was just thinking and tried to do it as a challenge for myself, but I had no success. Is there any way to check the self CRC of an executable file? Thanks!
r22 25 Oct 2012, 13:55
hopcode 30 Oct 2012, 02:37

Overflowz 01 Nov 2012, 23:27
Thanks for the reply. I think the best method to check the CRC is to start checking from the PE header forward.
DOS386 04 Nov 2012, 13:45
Overflowz wrote:
Hi, I was just thinking and tried to do it as a challenge for myself, but I had no success. Is there any way to check the self CRC of an executable file? Thanks!

Sure ... walk through the memory, peek at the bytes and feed them into the CRC-32 algo ... skip the last 4 bytes holding the should-value.

> On windows, imagehlp.dll MapFileAndCheckSum function
> msdn.microsoft.com/en-us/library/windows/desktop/ms680355%28v=vs.85%29.aspx

COOL ... this is NOT CRC-32 nor CRC-whatever, it's the PE/Windows-specific checksum algo, and there is no point in [ab]using imagehlp.dll because, IIRC, the FASM source code has a native implementation of it :)

PS: CRC-32 is not uncrackable. Use SHA-256 if you need an uncrackable one.

PPS: make sure to get some reliable self-killing technology too, just in case the self-check returns "bad" :D
baldr 21 Nov 2012, 16:32
DOS386 wrote:
Sure ... walk through the memory, peek the Byte's and feed them into the CRC-32 algo ... skip last 4 Byte's holding the should-value.
A proper implementation doesn't even need to skip anything. Divide all the bytes, then check for the remainder being zero as an indication of success. ;-)
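The two checks discussed in DOS386's and baldr's posts above (hash everything but the trailing 4-byte should-value and compare, versus feed every byte including the stored CRC and test the remainder), written out as an added C example. This is not code from the thread or from fasm's own source. It assumes the standard reflected CRC-32 (the zlib/PKZIP variant: polynomial 0xEDB88320, initial register 0xFFFFFFFF, final XOR 0xFFFFFFFF), a 4-byte little-endian should-value stored at the very end of the image, and a constructed 32-byte buffer standing in for the executable. One caveat the remainder trick depends on: with this CRC variant the remainder after feeding the stored CRC is the fixed constant 0x2144DF1C (register 0xDEBB20E3 before the final XOR), not zero; a zero remainder only holds for a CRC with no initial value and no final XOR.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Standard CRC-32 (reflected, poly 0xEDB88320, init 0xFFFFFFFF, final XOR
 * 0xFFFFFFFF), bit-at-a-time so it is easy to follow and to port to asm. */
static uint32_t crc32_feed(uint32_t reg, const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        reg ^= p[i];
        for (int k = 0; k < 8; k++)
            reg = (reg >> 1) ^ (0xEDB88320u & (0u - (reg & 1u)));
    }
    return reg;
}

uint32_t crc32_of(const uint8_t *p, size_t n)
{
    return crc32_feed(0xFFFFFFFFu, p, n) ^ 0xFFFFFFFFu;
}

/* Build-time step: CRC over everything except the trailing 4-byte slot,
 * stored there little-endian (the "should-value"). */
void stamp_image(uint8_t *img, size_t n)
{
    uint32_t c = crc32_of(img, n - 4);
    img[n - 4] = (uint8_t)(c);
    img[n - 3] = (uint8_t)(c >> 8);
    img[n - 2] = (uint8_t)(c >> 16);
    img[n - 1] = (uint8_t)(c >> 24);
}

/* Run-time check, DOS386 style: hash all but the last 4 bytes and compare
 * with the stored should-value. Returns 1 on match, 0 otherwise. */
int check_skip_last4(const uint8_t *img, size_t n)
{
    uint32_t stored = (uint32_t)img[n - 4] | ((uint32_t)img[n - 3] << 8)
                    | ((uint32_t)img[n - 2] << 16) | ((uint32_t)img[n - 1] << 24);
    return crc32_of(img, n - 4) == stored;
}

/* Run-time check, baldr style: feed every byte, stored CRC included, and
 * compare against the fixed residue of this CRC variant (0x2144DF1C; it would
 * be 0 only for a CRC without init value and final XOR). */
#define CRC32_RESIDUE 0x2144DF1Cu
int check_residue(const uint8_t *img, size_t n)
{
    return crc32_of(img, n) == CRC32_RESIDUE;
}

/* Constructed sample "image" (assumption, not a real executable): 28 bytes
 * of arbitrary code-like data plus a zeroed 4-byte slot for the CRC. */
#define IMAGE_SIZE 32
static const uint8_t sample_image[IMAGE_SIZE] = {
    0x55, 0x89, 0xE5, 0x83, 0xEC, 0x10, 0xB8, 0x2A, 0x00, 0x00, 0x00,
    0x89, 0x45, 0xFC, 0x8B, 0x45, 0xFC, 0xC9, 0xC3, 0x90, 0x90, 0x90,
    0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
    0x00, 0x00, 0x00, 0x00 /* CRC slot, filled by stamp_image() */
};

/* Walks through the whole scenario. Returns 1 if every step behaves as
 * expected, otherwise the number of the step that failed. */
int selftest(void)
{
    uint8_t img[IMAGE_SIZE];
    memcpy(img, sample_image, IMAGE_SIZE);

    stamp_image(img, IMAGE_SIZE);            /* step 2: fresh image passes both checks */
    if (!check_skip_last4(img, IMAGE_SIZE) || !check_residue(img, IMAGE_SIZE))
        return 2;

    img[6] = 0xB9;                           /* step 3: patch one "code" byte, both fail */
    if (check_skip_last4(img, IMAGE_SIZE) || check_residue(img, IMAGE_SIZE))
        return 3;

    stamp_image(img, IMAGE_SIZE);            /* step 4: whoever can edit the file re-stamps it */
    if (!check_skip_last4(img, IMAGE_SIZE) || !check_residue(img, IMAGE_SIZE))
        return 4;

    return 1;
}

int main(void)
{
    printf("crc32(\"123456789\") = %08X\n",
           crc32_of((const uint8_t *)"123456789", 9));
    printf("selftest: %d\n", selftest());
    return selftest() == 1 ? 0 : 1;
}
```

The `crc32_of("123456789")` line prints the standard CRC-32 check value 0xCBF43926, which is a quick way to confirm an assembler port of `crc32_feed` uses the same variant. Step 4 of `selftest()` is DOS386's "not uncrackable" point in code: anyone who can modify the image can also recompute and rewrite the should-value, so the check only catches accidental corruption, not a deliberate patch.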
Bargest 21 Nov 2012, 17:12
Code that computes and checks the CRC must be protected by obfuscators or virtualizers; otherwise it is easy to fill this code with NOPs, change the should-value to another one, or just change "jnz" to "jz" :).
revolution 22 Nov 2012, 01:46
Bargest wrote:
Code that computes and checks the CRC must be protected by obfuscators or virtualizers; otherwise it is easy to fill this code with NOPs, change the should-value to another one, or just change "jnz" to "jz" :).
I think it is easier to just not bother with these sorts of pointless integrity checks. It is better to leave it to the OS to do a proper signature check before executing.
Overflowz 26 Nov 2012, 14:33
I wonder how digital signatures work... Aren't they just a full check of itself with any hash algo?
revolution 26 Nov 2012, 14:38
Signatures use public key crypto to sign a hash. The OS will have the public keys to check the signature. The private keys are held by the OS maker, or can be a self generated set of keys if you only need stuff working on your own systems.
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.
