Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 07-20-2003, 22:50
byvs's Avatar
byvs byvs is offline
Friend
 
Join Date: May 2002
Location: Brazil
Posts: 64
Rept. Given: 4
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 19
Thanks Rcvd at 8 Times in 7 Posts
byvs Reputation: 0
Question Help Me - CRC Check and FileSize Check

Hello

Does some program exist capable to identify the address of a CRC Chek and FileSize Check inserted in a file?

Does a way exist easy to do those identification processes??


thanks

best regards

Victor
Reply With Quote
  #2  
Old 07-22-2003, 23:39
koncool
 
Posts: n/a
I'm afraid there is no such program. You can create a loader however which patches the image on the fly. If the program is protected/packed, try manual unpacking or ProcDump.
Reply With Quote
  #3  
Old 07-23-2003, 00:17
volodya
 
Posts: n/a
Does some program exist capable to identify the address of a CRC Chek and FileSize Check inserted in a file?


Could you be more precise?
Zillions of such programs exist.
Reply With Quote
  #4  
Old 07-29-2003, 20:33
dynio
 
Posts: n/a
Exclamation

So far, the program You're talking about doesn't exist. At least not for public. By nature, I doubt it will ever come to existence. Why? Because, similarly, we could ask "where is a program which shows addresses of security checks?" - the answer is NOWHERE.

If we would try to write such a crc check scanner it seems simple:

1. We could trap standard API's calls: CreateFile, ReadFile, ReadProcessMemory, GetFileSize etc.
2. Note VA and show it to the user, so he knows from where the check is called.

Simple, but it works "virtually". Why? For example, look how often programs calls ReadFile function. It could be 50 times. How do You find which call (obviously function can be single) read the file? Suppose we trap only calls with "ourexecutablename.exe" as the offing parameter. Then, how do You know where the checksum is calculated? How do You know how it is calculated? (I assume we aren't talking only about legendary CRC, CRC-32). Even if You find it, what goes next with calculated CRC? Where it's compared? How it's compared? That's just the beginning. What if executable is protected? What if it checks file CRC, then waits for a certain moment and checks memory CRC?

As You can see this is simply impossible .

Greetings to all the people reading this forum.
Reply With Quote
  #5  
Old 07-29-2003, 21:28
alephz alephz is offline
VIP
 
Join Date: May 2002
Location: Israel
Posts: 390
Rept. Given: 126
Rept. Rcvd 291 Times in 93 Posts
Thanks Given: 180
Thanks Rcvd at 69 Times in 23 Posts
alephz Reputation: 200-299 alephz Reputation: 200-299 alephz Reputation: 200-299
Quote:
[/i]Originally posted by dynio [/i]
So far, the program You're talking about doesn't exist. At least not for public.
One stupid proggy attached. Try it :-\
Attached Files
File Type: zip cc.zip (82.5 KB, 51 views)
Reply With Quote
  #6  
Old 07-29-2003, 21:49
dynio
 
Posts: n/a
CRC

First of all...
hxxp://rotter.net/israel/ {DO NOT POST CLICKABLE LINKS}
Very interestiong... I induce other people to visit and think a little about it.

Back to the subject:
Interesting program You showed us. It could be useful at early cracking stage. But as I wrote before, it doesn't change anything. It searches for specific signatures and logs it to the file. Number of supported algos is impressive. But what we have is an OFFSET (or 68(!) offsets in TinyCars example). The same (or sometimes more) i could do with HexWorkshop4. What next? (At this place please re-read my previous post).

Anyway thanks for this interesting prog.
Reply With Quote
  #7  
Old 07-29-2003, 22:08
bunion bunion is offline
Friend
 
Join Date: Apr 2002
Posts: 227
Rept. Given: 45
Rept. Rcvd 11 Times in 8 Posts
Thanks Given: 0
Thanks Rcvd at 6 Times in 6 Posts
bunion Reputation: 11
Hmm i had same problem with a dll.....i can browse the resources, disassemble it etc but whenever i patch it although it still runs its faulty..my guess is that theres a CRC check somewhere .i dont have a clue where to begin looking for the check BUT i found a program thats in beta that says it can compare both files original and patched and then patch original keeping the same CRC its called

CRC32 PATCHER 0.9 BY Anarchriz
_http://anarchriz.cjb.net/

Theres also a toot by same author

CRC and how to Reverse it
_http://biw.rult.at/tuts/crctut1.htm

When i used it to compare the 2 files it says theres an overflow between offset and filesize..maybe im putting in the wrong offsets ...dunno

if someone can suss out the toot OR how to use the program correctly please let me know ok

paul333
Reply With Quote
  #8  
Old 07-29-2003, 22:32
dynio
 
Posts: n/a
The problem with dll must rely (almost for sure) in a module which calls Yours dll (it could be main executable) - that's the way I would do a check like this. Method for finding check in this case You should chose by Yourself. I suggest You set a breakpoint on ExitProcess or, if it hangs, back-trace to the place where the last (or "few" last) function are called and find the cause. Also, You can always notice correct order of function calling with untouched dll, then change Your dll and notice what's changing.
Reply With Quote
  #9  
Old 07-30-2003, 02:54
bunion bunion is offline
Friend
 
Join Date: Apr 2002
Posts: 227
Rept. Given: 45
Rept. Rcvd 11 Times in 8 Posts
Thanks Given: 0
Thanks Rcvd at 6 Times in 6 Posts
bunion Reputation: 11
I agree Dynio but in this case its a plugin so its only the dll i have to play with ...The problem is that once patched although the dll runs and i see main window it doesnt go on to show the 3d image which it should do ..i even patched somewhere outwith the main code just to test and it picks up on that too...on themakers website they do say that in certain instances the program has a bug where it displays a blank 3d worktop....this sounds similar to what happens when i patch it so maybe thats why .still thinks its crc checking though ...no probs as i have now left that project anyway

paul333
Reply With Quote
  #10  
Old 07-30-2003, 12:00
alephz alephz is offline
VIP
 
Join Date: May 2002
Location: Israel
Posts: 390
Rept. Given: 126
Rept. Rcvd 291 Times in 93 Posts
Thanks Given: 180
Thanks Rcvd at 69 Times in 23 Posts
alephz Reputation: 200-299 alephz Reputation: 200-299 alephz Reputation: 200-299
Re: CRC

Quote:
Originally posted by dynio
[B]The same (or sometimes more) i could do with HexWorkshop/B]
Of course. But I too lazy to do it with Hiew, so I just code that ...
Reply With Quote
  #11  
Old 07-31-2003, 00:51
volodya
 
Posts: n/a
alephz, man? you are back??? Or am I dreaming???
Reply With Quote
  #12  
Old 07-31-2003, 13:32
alephz alephz is offline
VIP
 
Join Date: May 2002
Location: Israel
Posts: 390
Rept. Given: 126
Rept. Rcvd 291 Times in 93 Posts
Thanks Given: 180
Thanks Rcvd at 69 Times in 23 Posts
alephz Reputation: 200-299 alephz Reputation: 200-299 alephz Reputation: 200-299
Return to back

Quote:
Originally posted by volodya
alephz, man? you are back??? Or am I dreaming???
Check Ur PM.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
how can i check bad pointer on asm? DMichael General Discussion 5 03-22-2014 03:03
CRC Check - Help Me!! byvs General Discussion 1 06-19-2002 13:13
Check CRC !!! byvs General Discussion 1 05-26-2002 05:54


All times are GMT +8. The time now is 16:26.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )