#1
MD5 Help!
Is there any way to edit the MD5 of a file? Or some program that does this?
Thank you for your help!
#2
The MD5 of a file is a calculation based upon the data contained within it. Changing one byte in the file will result in a completely different hash. There is no way to predict the result of a hash or change the file in a way to get a specific hash you want. If the program calculates its own MD5 for an integrity check, one way that you can do that would be to patch its MD5 hash routine to return the value you want. To do this, just see what registers or stack addresses the MD5 values are returned on and simply patch the routine to feed in the correct values. There will be four 32-bit values in all. The patch code would look something like:
Code:
MOV DWORD PTR DS:[EBP+4], 1E3F44E5
MOV DWORD PTR DS:[EBP+8], E24F563D
MOV DWORD PTR DS:[EBP+C], E8697AA3
MOV DWORD PTR DS:[EBP+10], 479834DE
__________________
"As the island of our knowledge grows, so does the shore of our ignorance." John Wheeler
#3
@chessgod101,
How do I find the MD5 hash routine and correct it? And what program to use?
#5
There was some work done and a program produced which did much better than brute force. It's on my old computer, I'll try to find it soon.
Git
The Following User Gave Reputation+1 to Git For This Useful Post: Youtoo (11-06-2014)
#6
@byvs
I believe that when you apply the patch in your app any error message is displayed, it would not be possible for you to trace this error using the call stack of Olly?
#7
Why not use the excellent cryptochecker by Alephz?
http://forum.exetools.com/showthread.php?t=13569
It can help to find it.
__________________
I like this forum!
The Following User Gave Reputation+1 to bolo2002 For This Useful Post: byvs (11-07-2014)
#8
@Guys!
To summarize my questions: a file was unpacked by MPRESS. After unpacking, the file opens and closes soon after without displaying an error message. I wonder what is happening and whether it may be possible to enlist the help of friends from the forum to resolve the problem.
Information:
File / Header CheckSum: 009C4B55 / 00315E12
+ Crypto Check for file '.\Unpacked.exe' [00000000:009B5B5A]
(*** Sorry for my English, because I use Google Translator)
#10
@byvs:
Hi,
Try to set a BP on TerminateProcess, MessageBox, ... Or BPs on ALL API...
Regards.
#11
@LaDidi:
And how do I do that? This is the "X" in the question! Could you teach me?
Regards.
#12
In my opinion, if you want to patch the MD5 value, the best way is to find the original value which hasn't been encrypted. That would be easier.
#13
1. You must be sure what the algorithm is: CLEAR MD5 (without modification of the init table).
2. You must find the program/procedure WHO calculates the CheckSum (and find the start/length addresses).
3. You must find the place where the original MD5 CheckSum is stored (recalculate and replace).
4. Also useful: the procedure that checks/compares the MD5 in your program.
PS: for brute-forcing an MD5 checksum, rainbow tables are also used, but I think it's not your way.
PSS: sorry for my "GOOD" English.
Last edited by VodoleY; 12-13-2014 at 13:35. Reason: edit
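Step 1 of the checklist above (confirming the algorithm is unmodified MD5), which is also the kind of check a crypto-signature scanner like the one mentioned in post #7 performs, can be illustrated with a short Python sketch. This is an added example, not code from the thread or from cryptochecker; the function names, the 48-hit threshold and the sample buffers are assumptions constructed for illustration.

```python
import math
import struct

# Standard MD5 initial state A, B, C, D (RFC 1321).
MD5_INIT = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
# Standard additive constants: T[i] = floor(2^32 * |sin(i + 1)|), i = 0..63.
MD5_T = tuple(int(abs(math.sin(i + 1)) * 2**32) for i in range(64))


def find_dwords(data, values):
    """Return {value: first offset} for each value present as a little-endian dword.

    Searching byte-wise also catches constants embedded as instruction immediates.
    """
    hits = {}
    for value in values:
        pos = data.find(struct.pack("<I", value))
        if pos != -1:
            hits[value] = pos
    return hits


def classify_md5(data, min_table_hits=48):
    """Decide whether a buffer holds standard MD5, a variant, or neither.

    min_table_hits is an assumed threshold, not a value from the thread.
    """
    init = find_dwords(data, MD5_INIT)
    table = find_dwords(data, MD5_T)
    if len(table) < min_table_hits:
        verdict = "no MD5 table found"
    elif len(init) == len(MD5_INIT):
        verdict = "standard MD5"
    else:
        verdict = "MD5 table with non-standard init values"
    return {"verdict": verdict, "init_found": len(init), "table_found": len(table),
            "first_table_offset": min(table.values()) if table else None}


def build_sample(init_values):
    """Constructed test buffer: filler, four init dwords, filler, 64-entry table."""
    dwords = lambda vals: b"".join(struct.pack("<I", v) for v in vals)
    return b"\x90" * 16 + dwords(init_values) + b"\xCC" * 8 + dwords(MD5_T)


if __name__ == "__main__":
    print(classify_md5(build_sample(MD5_INIT)))
    # Constructed variant: byte-swapped init values, as a modified implementation might use.
    print(classify_md5(build_sample((0x01234567, 0x89ABCDEF, 0xFEDCBA98, 0x76543210))))
```

A "non-standard init values" verdict means a digest recomputed with a stock MD5 tool will not match what the program computes, which is why the checklist puts this step first.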
#14
@byvs:
If you use Olly, it's easy. Search for all intermodular calls, BPX on the API you need. When you break, use the call stack.
#15
Are you positive it's caused by an invalid MD5 sum?
Perhaps it's something more common, like the packed file has an overlay or it is checking a value from the PE header like section size.