unregistered,

checksums and crcs are useless. if you wanna take this approach, you must use a hash that is proved without collisions, such as SHA1 and the like

crc is so useless that i found this snippet that reverses crc16. get the file crc16, infect it, call this routine, and no modification detected.

```
;input:EDX=buffer,ECX=size,EBX=offs,ESI=wantcrc16

_buffer                 =       5*4
_size                   =       6*4
_offs                   =       4*4
_wantcrc16              =       1*4

fuckcrc16:              pusha
                        mov     ecx, ebx
                        xor     eax, eax
                        call    xcrc16
                        mov     edi, edx
                        mov     [edi], ax
                        lea     edx, [esp+_wantcrc16]
                        mov     cl, 2
                        xor     eax, eax
                        call    rcrc16
                        lea     edx, [edi+2]
                        mov     ecx, [esp+_size]
                        sub     ecx, [esp+_offs]
                        dec     ecx
                        dec     ecx
                        call    rcrc16
                        xor     [edi], ax
                        popa
                        ret

; input:  EDX=data, ECX=size, EAX=crc
; output: EAX=crc, EDX+=ECX, ECX=BL=0

rcrc16:                 jecxz   @@4
@@1:                    xor     ah, [edx][ecx-1]
                        mov     bl, 8
@@2:                    shl     ax, 1
                        jnc     @@3
                        xor     ax, 4003h
@@3:                    dec     bl
                        jnz     @@2
                        loop    @@1
@@4:                    ret

; input:  EDX=data, ECX=size, EAX=crc
; output: EAX=crc, EDX+=ECX, ECX=BL=0

xcrc16:                 jecxz   @@4
@@1:                    xor     al, [edx]
                        inc     edx
                        mov     bl, 8
@@2:                    shr     eax, 1
                        jnc     @@3
                        xor     ax, 0A001h
@@3:                    dec     bl
                        jnz     @@2
                        loop    @@1
@@4:                    ret
```

crc32 and crc48 are reversed easily too, and a couple of viruses already do this.

ancev

hutch: hehe... relax, i will not pervert young coders :cool:

ps: code (c) by zhengxi, conversion c->asm by z0mbie
Posted on 2001-07-24 17:38:47 by ancev
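
An added example, not part of the original posts: it re-implements the forward `xcrc16` loop from the snippet above in Python and shows the property that separates a CRC from a cryptographic digest, namely that the CRC change caused by an edit depends only on the edit itself, not on the file. The HMAC-SHA-256 check is a swapped-in technique for comparison, and the key, the sample bytes and all function names are constructed for illustration.

```python
import hashlib
import hmac


def crc16(data: bytes, crc: int = 0) -> int:
    """Bit-by-bit CRC-16, reflected polynomial 0xA001 (same loop as xcrc16)."""
    for byte in data:
        crc ^= byte
        for _ in range(8):
            carry = crc & 1
            crc >>= 1
            if carry:
                crc ^= 0xA001
    return crc


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc_delta_is_content_independent(a: bytes, b: bytes) -> bool:
    """With a zero start value, crc(a) ^ crc(b) == crc(a ^ b) for equal lengths."""
    return crc16(a) ^ crc16(b) == crc16(xor_bytes(a, b))


def sha256_delta_is_content_independent(a: bytes, b: bytes) -> bool:
    """The same relation tested on SHA-256 digests; it does not hold."""
    da, db = hashlib.sha256(a).digest(), hashlib.sha256(b).digest()
    return xor_bytes(da, db) == hashlib.sha256(xor_bytes(a, b)).digest()


def make_tag(key: bytes, data: bytes) -> bytes:
    """Keyed integrity tag (HMAC-SHA-256) over the file contents."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_tag(key: bytes, data: bytes, tag: bytes) -> bool:
    """Constant-time comparison of the recomputed tag with the stored one."""
    return hmac.compare_digest(make_tag(key, data), tag)


# Constructed sample data: a 64-byte "file" and a copy with one byte changed.
KEY = b"constructed-demo-key"
ORIGINAL = bytes(range(64))
PATCHED = ORIGINAL[:10] + b"\xcc" + ORIGINAL[11:]

if __name__ == "__main__":
    print("crc16 original/patched:", hex(crc16(ORIGINAL)), hex(crc16(PATCHED)))
    print("CRC delta content-independent:", crc_delta_is_content_independent(ORIGINAL, PATCHED))
    print("SHA-256 delta content-independent:", sha256_delta_is_content_independent(ORIGINAL, PATCHED))
    print("tag accepts patched file:", verify_tag(KEY, PATCHED, make_tag(KEY, ORIGINAL)))
```
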
why should a checksum be useless??? betov has the advantage of his own spasm compiler so he can store the checksum (at compile time) in the exe (NOT in the header or NOT in the header.checksum pos). sure a virus can compute the new checksum but the spasm ide will compare the new one with the old one stored inside a hidden place. if the loaded file is infected (cavity whatever...) the spasm ide will then print out an error msg (crc error).
Posted on 2001-07-25 08:43:15 by Unregistered
Once again, guys, thanks to all, but this is done and applied. In fact very simple, because it's based on the idea that nobody will ever (i hope) take the pain of writing a Virus specifically designed to target SpAsm produced PEs (what for?).

Anyway, as it is open source, polluting on purpose would be much too easy for a game.

And again, the goal is not to make SpAsm produced PEs impossible to contaminate from the final user point of view. This is just a security for programmers who will exchange files.

From this point of view, i think it is now the perfect solution. The pseudo checksum is stored in the Dos Header. Just written