Welcome Lam Vi...


Wednesday July 12 1995 20:18, Andrew Snow wrote to Vi Lam:


 AS> Now, if they compare differently, then you know either there was a virus
 AS> attack or some idiot has tried to tamper with the EXE.

 AS> After that, all you have to do is open the file in write mode and seek to
 AS> the end, writing the "crc" variable to the end using
fwrite().  That's at
 AS> compilation time.  In the actual program, do the same thing, but DON'T
 AS> count the last four bytes.  Then read in the last four bytes and compare
 AS> it with "crc".  Great!

 A better idea, is to make that four-byte code the initial value fed into
the "crc" routine, and set it such that the resulting CRC
(including the last four bytes if possible) will be equal to something
within the file's EXE header, (or withing the programs code itself) which
is needed for the EXE to be loaded properly.

 This is better for two reasons:

 1) In the original suggestion, a "hacker" could wait until the
CRC was calculated, and then just replace the last four bytes of the file
with that CRC, making the program think it is still valid.  By making the
bytes at the end the INITIAL value fed into the CRC, there is no easy way
for the "hacker" to re-calculate the crc.

 2) The value you're comparing the CRC can't be altered by the
"hacker", since doing so would cause the program to crash.

 This still isn't perfect, since the "hacker" could simply
hard-crack the program to ignore a wrong CRC, or may be able to alter the
address from where you read the correct CRC, so that it is not at the end
of the file.  Doing so would reduce the algorithm to essentially the same
as in the original message.  However, if the appropriate bytes are pulled
out from calculated locations within the file during the CRC process, and
combined to form the CRC to compare against, than this method would become
much harder, and a hard-crack would become the only viable alternative.

 Note however, that all this is irrelevant to anyone who knows what they're
doing, and will only have a chance of catching idiots and viruses, the
latter of which it probably won't catch very many anyway since the ones
worth worrying about are the newer strains which will remove themselves, or
"appear" to have removed themselves from the file.  The rest will
more than likely be detected by any virus scanner in the market, and IMHO,
if someone doesn't have one, then it's their bad luck, and they deserve
anything they get.  Idiots usually aren't a threat, because the most they
can do is change a few bytes so it says their name.  A registration crack
or something would be way out of their league.

 Another idea, is to include the "target" value of the crc within
the registration key rather than the EXE header.  However this will only
work if a registration key is used.


nevets


... Adults are obsolete children
--- FMail/386 1.0g