unregistered,

checksums and crcs are useless. if you wanna take this approach, you must use a hash that is proved to be without collisions, such as SHA1 and the like

crc is so useless, that i found this snippet that reverses crc16. get the file crc16, infect it, call this routine, and no modification detected.



;input:EDX=buffer,ECX=size,EBX=offs,ESI=wantcrc16

_buffer = 5*4
_size = 6*4
_offs = 4*4
_wantcrc16 = 1*4

fuckcrc16: pusha
mov ecx, ebx
xor eax, eax
call xcrc16
mov edi, edx
mov [edi], ax
lea edx,[esp+_wantcrc16]
mov cl, 2
xor eax, eax
call rcrc16
lea edx, [edi+2]
mov ecx, [esp+_size]
sub ecx, [esp+_offs]
dec ecx
dec ecx
call rcrc16
xor [edi], ax
popa
ret

; input: EDX=data, ECX=size, EAX=crc
; output: EAX=crc, EDX+=ECX, ECX=BL=0

rcrc16: jecxz @@4
@@1: xor ah, [edx][ecx-1]
mov bl, 8
@@2: shl ax, 1
jnc @@3
xor ax, 4003h
@@3: dec bl
jnz @@2
loop @@1
@@4: ret

; input: EDX=data, ECX=size, EAX=crc
; output: EAX=crc, EDX+=ECX, ECX=BL=0

xcrc16: jecxz @@4
@@1: xor al, [edx]
inc edx
mov bl, 8
@@2: shr eax, 1
jnc @@3
xor ax, 0A001h
@@3: dec bl
jnz @@2
loop @@1
@@4: ret



crc32 and crc48 are reversed easily too, and a couple of viruses already do this.

ancev

hutch: hehe... relax, i will not pervert young coders :cool:

ps: code (c) by zhengxi, conversion c->asm by z0mbie
Posted on 2001-07-24 17:38:47 by ancev
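
The point made in the post above, as an added Python example that is not part of the original thread: a 16-bit CRC is linear and has only 65,536 values, so a changed buffer can be brought back to the stored CRC, while a SHA-256 comparison still notices the change. The sample buffers and all function names are constructed for illustration; `crc16` follows the bit loop of `xcrc16` with a start value of 0.

```python
import hashlib

def crc16(data: bytes, crc: int = 0) -> int:
    """CRC-16, reflected polynomial 0xA001, same bit loop as xcrc16 in the post."""
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def crc_is_linear(a: bytes, b: bytes) -> bool:
    """With start value 0 and no final XOR, crc(a ^ b) == crc(a) ^ crc(b)
    for buffers of equal length."""
    return crc16(xor_bytes(a, b)) == crc16(a) ^ crc16(b)

def tail_matching_crc(prefix: bytes, want: int) -> bytes:
    """Try all 65,536 two-byte tails; exactly one gives the CRC `want`."""
    state = crc16(prefix)
    for tail in range(0x10000):
        candidate = tail.to_bytes(2, "little")
        if crc16(candidate, state) == want:
            return candidate
    raise ValueError("no tail found")

def check(reference: bytes, candidate: bytes) -> dict:
    """Report which integrity check notices that candidate differs."""
    return {
        "crc16_detects": crc16(reference) != crc16(candidate),
        "sha256_detects": hashlib.sha256(reference).digest()
                          != hashlib.sha256(candidate).digest(),
    }

# Constructed sample data (not a real executable).
ORIGINAL = b"constructed sample image: code section bytes " + b"\x00\x00"
CHANGED = b"constructed sample image: CODE SECTION BYTES "
FIXED_UP = CHANGED + tail_matching_crc(CHANGED, crc16(ORIGINAL))

if __name__ == "__main__":
    print("crc linear:", crc_is_linear(ORIGINAL, FIXED_UP))
    print(check(ORIGINAL, FIXED_UP))
```

A digest stored inside the file can be recomputed by whoever changes the file, so the reference digest has to be kept outside the file or be signed.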
why should a checksum be useless??? betov has the advantage of his own spasm compiler so he can store the checksum (at
compile time) in the exe (NOT in the header or NOT in the
header.checksum pos). sure a virus can compute the new
checksum but the spasm ide will compare the new one with
the old one stored inside a hidden place. if the loaded file is
infected (cavity whatever...) the spasm ide will then print
out an error msg (crc error).
Posted on 2001-07-25 08:43:15 by Unregistered
Once again, guys, thanks to all, but this is done and applied.
In fact very simple, because it's based on the idea that
nobody will ever (i hope) take the pain of writing a Virus
specifically designed to target SpAsm produced PEs (what
for?).

Anyway, as it is open source, polluting on purpose would be
much too easy for a game.

And again, the goal is not to make SpAsm produced PEs
impossible to contaminate from the final user's point of view.
This is just a security for programmers who will exchange files.

From this point of view, i think it is now the perfect solution. The
pseudo checksum is stored in the Dos Header. Just written
at compile time, just read at load (in SpAsm) time. Very
simple, no cost, no problem.

bye, betov.
Posted on 2001-07-25 11:55:05 by Betov

because it's based on the idea that
nobody will ever (i hope) take the pain of writing a Virus
specifically designed to target SpAsm produced PEs (what
for?).


and for that comment you can bet your ass somebody will just for the hell of it.. :D hehe J/K
Posted on 2001-07-25 14:03:16 by NervGaz