Welcome To The Home Of The Visual FoxPro Experts  
home. signup. forum. archives. search. google. articles. downloads. faq. members. weblogs. file info. rss.
 From: Mz
  Where is Mz?
 Metro Manila
 Philippines
 Mz
 To: Mz
  Where is Mz?
 Metro Manila
 Philippines
 Mz
 Tags
Subject: RE: An adhoc Article... mzhash
Thread ID: 50901 Message ID: 51361 # Views: 2 # Ratings: 0
Version: Unknown Category: Other
Date: Saturday, September 11, 2004 7:00:53 AM         
   


The way MCAfee anti-viri etal do their self checking...

* First... THE GIVEN *
1. Your program can be compiled to EXE.
2. Your program, when edited and you do a recompile the new EXE generated is
totally different from the previous EXE.

* Why? *
1. You would probably insert or edit code. Note that if you change your code the Machine
Instruction, namely OPCODES also changes... im talking ASM here.
2. You would probably recompile it to another PL version.
3. Or perhaps your EXE is infected by a virus.

* The NEAT Trick *
When you're program runs, you could check your running exe if the contents of it had changed.
This means that the CRC was written inside the EXE file. A sample dump of an EXE file is displayed below.
I have dumped a portion of the NOTEPAD.EXE.

-d
134C:0100  4D 5A 90 00 03 00 00 00-04 00 00 00 FF FF 00 00   MZ..............
134C:0110  B8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00   ........@.......
134C:0120  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
134C:0130  00 00 00 00 00 00 00 00-00 00 00 00 D8 00 00 00   ................
134C:0140  0E 1F BA 0E 00 B4 09 CD-21 B8 01 4C CD 21 54 68   ........!..L.!Th
134C:0150  69 73 20 70 72 6F 67 72-61 6D 20 63 61 6E 6E 6F   is program canno
134C:0160  74 20 62 65 20 72 75 6E-20 69 6E 20 44 4F 53 20   t be run in DOS
134C:0170  6D 6F 64 65 2E 0D 0D 0A-24 00 00 00 00 00 00 00   mode....$.......
-d
134C:0180  C8 A4 79 1C 8C C5 17 4F-8C C5 17 4F 8C C5 17 4F   ..y....O...O...O
134C:0190  E6 D9 15 4F 9B C5 17 4F-D5 E6 04 4F 83 C5 17 4F   ...O...O...O...O
134C:01A0  8C C5 16 4F 28 C5 17 4F-A6 CD 11 4F 8D C5 17 4F   ...O(..O...O...O
134C:01B0  8C C5 17 4F 99 C5 17 4F-52 69 63 68 8C C5 17 4F   ...O...ORich...O
134C:01C0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
134C:01D0  00 00 00 00 00 00 00 00-50 45 00 00 4C 01 03 00   ........PE..L...
134C:01E0  7C 65 F6 37 00 00 00 00-00 00 00 00 E0 00 0F 03   |e.7............
134C:01F0  0B 01 05 0C 00 66 00 00-00 6E 00 00 00 00 00 00   .....f...n......
-d
134C:0200  20 64 00 00 00 10 00 00-00 80 00 00 00 00 00 01    d..............
134C:0210  00 10 00 00 00 02 00 00-05 00 00 00 05 00 00 00   ................
134C:0220  04 00 00 00 00 00 00 00-00 00 01 00 00 06 00 00   ................
134C:0230  B4 E8 00 00 02 00 00 80-00 00 04 00 00 10 00 00   ................
134C:0240  00 00 10 00 00 10 00 00-00 00 00 00 10 00 00 00   ................
134C:0250  00 00 00 00 00 00 00 00-50 66 00 00 B4 00 00 00   ........Pf......
134C:0260  00 A0 00 00 38 52 00 00-00 00 00 00 00 00 00 00   ....8R..........
134C:0270  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
-


you could actually read the whole file... or perhaps pick some portions of it including the
EXE header, data or code sections of it.

then after determining that your CRC is different, then you quit.

IT ONLY MEANS ONE THING
The program DID run. It checks itself if the CRC is valid... and if not it KILLS itself. And thats the trick.

-Mz


ENTIRE THREAD

The strength of Logarithm... Posted by Mz @ 9/7/2004 4:06:53 AM
RE: The strength of Logarithm... Posted by Wild Fire @ 9/7/2004 4:23:00 AM
RE: The strength of Logarithm... Posted by Alexander Federizo @ 9/7/2004 4:56:54 AM
RE: The strength of Logarithm... Posted by Mz @ 9/7/2004 5:07:57 AM
RE: The strength of Logarithm... Posted by Alexander Federizo @ 9/7/2004 6:40:06 AM
RE: The strength of Logarithm... Posted by Mz @ 9/7/2004 7:00:06 AM
RE: The strength of Logarithm... Posted by Alexander Federizo @ 9/7/2004 7:23:24 AM
RE: The strength of Logarithm... Posted by Mz @ 9/10/2004 12:47:34 PM
RE: The strength of Logarithms... Posted by Alexander Federizo @ 9/10/2004 6:07:12 PM
RE: The strength of Logarithm... Posted by Boudewijn Lutgerink @ 9/10/2004 8:43:15 AM
An adhoc Article... mzhash Posted by Mz @ 9/10/2004 9:35:34 AM
RE: An adhoc Article... mzhash Posted by Alexander Federizo @ 9/10/2004 5:53:58 PM
RE: An adhoc Article... mzhash Posted by Mz @ 9/11/2004 4:30:58 AM
RE: An adhoc Article... mzhash Posted by Sergey Karimov @ 9/11/2004 5:10:55 AM
RE: An adhoc Article... mzhash Posted by Mz @ 9/11/2004 6:45:48 AM
RE: An adhoc Article... mzhash Posted by Mz @ 9/11/2004 7:00:53 AM
RE: An adhoc Article... mzhash Posted by Sergey Karimov @ 9/11/2004 3:20:46 PM
RE: An adhoc Article... mzhash Posted by Sergey Karimov @ 9/11/2004 3:42:35 PM
RE: An adhoc Article... mzhash Posted by Mz @ 9/12/2004 10:19:23 AM
RE: An adhoc Article... mzhash Posted by Sergey Karimov @ 9/12/2004 4:13:36 PM
RE: An adhoc Article... mzhash Posted by Mz @ 9/13/2004 3:19:33 AM
An approach for Intelectual Property Protection... Posted by Mz @ 9/11/2004 7:12:08 AM
RE: An approach for Intelectual Property Protec... Posted by Dale Dedoroy @ 9/13/2004 4:14:20 AM
RE: An approach for Intelectual Property Protec... Posted by Mz @ 9/13/2004 5:27:30 AM