EXETOOLS FORUM  

#1 - 11-05-2014, 20:54 - byvs (Friend)
MD5 Help!

Is there any way to edit the MD5 of a file, or some program that does this?

Thank you for your help!
#2 - 11-05-2014, 21:08 - chessgod101 (Co-Administrator)
The MD5 of a file is a calculation based upon the data contained within it. Changing one byte in the file will result in a completely different hash. There is no way to predict the result of a hash or to change the file in a way that gets a specific hash you want. If the program calculates its own MD5 for an integrity check, one way that you can do that would be to patch its MD5 hash routine to return the value you want. To do this, just see which registers or stack addresses the MD5 values are returned in and simply patch the routine to feed in the correct values. There will be four 32-bit values in all. The patch code would look something like:
Code:
MOV DWORD PTR DS:[EBP+4], 1E3F44E5
MOV DWORD PTR DS:[EBP+8], E24F563D
MOV DWORD PTR DS:[EBP+C], E8697AA3
MOV DWORD PTR DS:[EBP+10], 479834DE
#3 - 11-05-2014, 23:00 - byvs (Friend)
@chessgod101,

How do I find the MD5 hash routine and correct it, and what program should I use?
#4 - 11-05-2014, 23:51 - SubzEro
Here is some info.

#5 - 11-06-2014, 18:50 - Git (Old Git)
There was some work done and a program produced which did much better than brute force. It's on my old computer, I'll try to find it soon.

Git
#6 - 11-06-2014, 20:08 - wilson bibe (VIP)
@byvs
I believe that when you apply the patch in your app, an error message is displayed. Would it not be possible for you to trace this error using the call stack in Olly?
#7 - 11-07-2014, 00:26 - bolo2002 (VIP)
Why not use the excellent cryptochecker by Alephz?
http://forum.exetools.com/showthread.php?t=13569

It can help to find it.
#8 - 11-07-2014, 03:51 - byvs (Friend)
@Guys!
To summarize my questions:
A file was unpacked by MPRESS. After unpacking, the file opens and closes soon after without displaying an error message. I wonder what is happening, and whether it may be possible to enlist the help of friends from the forum to resolve the problem.

Information:
File / Header CheckSum: 009C4B55 / 00315E12

+ Crypto Check for file '.\Unpacked.exe' [00000000:009B5B5A]

(*** sorry for my English, because I use Google Translator)
#9 - 11-07-2014, 13:51 - SubzEro
Send me the file by PM, I wanna look.
#10 - 11-07-2014, 16:21 - LaDidi (VIP)
@byvs:
Hi,

Try to set a BP on TerminateProcess, MessageBox, ...
Or BPs on ALL API...

Regards.
#11 - 11-09-2014, 01:50 - byvs (Friend)
@LaDidi:

And how do I do that? This is the "X" in the question! Could you teach me?

Regards.
#12 - 12-13-2014, 02:37 - Ericky

Quote:
Originally Posted by byvs
@LaDidi:

And how do I do that? This is the "X" in the question! Could you teach me?

Regards.
In my opinion, if you want to patch the MD5 value, the best way is to find the original value which hasn't been encrypted. That would be easier.
#13 - 12-13-2014, 13:33 - VodoleY (Friend)
1. You must be sure what the algorithm is: clear MD5 (without a modified init table).
2. You must find the program/procedure that calculates the checksum (and find the start/length addresses).
3. You must find the place where the original MD5 checksum is stored (recalculate and replace).
4. Also useful: the procedure that checks/compares the MD5 in your program.
PS: for brute-forcing an MD5 checksum, rainbow tables are also used, but I think that's not your way.
PPS: sorry for my "GOOD" English
#14 - 12-14-2014, 01:44 - LaDidi (VIP)
@byvs:
If you use Olly, it's easy.
Search for all intermodular calls, BPX on the API you need.
When you break, use the Call stack.
#15 - 12-14-2014, 02:32 - RedBlkJck (Family)
Are you positive it's caused by an invalid MD5 sum?
Perhaps it's something more common, like the packed file having an overlay, or it checking a value from the PE header like the section size.