Help Me - CRC Check and FileSize Check
 

Hello

Does some program exist capable to identify the address of a CRC Chek and FileSize Check inserted in a file? :confused:

Does a way exist easy to do those identification processes?? :D
:confused: :confused: :confused:

thanks

best regards

Victor

I'm afraid there is no such program. You can create a loader however which patches the image on the fly. If the program is protected/packed, try manual unpacking or ProcDump.

Does some program exist capable to identify the address of a CRC Chek and FileSize Check inserted in a file?


Could you be more precise?
Zillions of such programs exist.

So far, the program You're talking about doesn't exist. At least not for public. By nature, I doubt it will ever come to existence. Why? Because, similarly, we could ask "where is a program which shows addresses of security checks?" - the answer is NOWHERE.

If we would try to write such a crc check scanner it seems simple:

1. We could trap standard API's calls: CreateFile, ReadFile, ReadProcessMemory, GetFileSize etc.
2. Note VA and show it to the user, so he knows from where the check is called.

Simple, but it works "virtually". Why? For example, look how often programs calls ReadFile function. It could be 50 times. How do You find which call (obviously function can be single) read the file? Suppose we trap only calls with "ourexecutablename.exe" as the offing parameter. Then, how do You know where the checksum is calculated? How do You know how it is calculated? (I assume we aren't talking only about legendary CRC, CRC-32). Even if You find it, what goes next with calculated CRC? Where it's compared? How it's compared? That's just the beginning. What if executable is protected? What if it checks file CRC, then waits for a certain moment and checks memory CRC?

As You can see this is simply impossible :(.

Greetings to all the people reading this forum.

One stupid proggy attached. Try it :-\

CRC
 

First of all...
hxxp://rotter.net/israel/ {DO NOT POST CLICKABLE LINKS}
Very interestiong... I induce other people to visit and think a little about it.

Back to the subject:
Interesting program You showed us. It could be useful at early cracking stage. But as I wrote before, it doesn't change anything. It searches for specific signatures and logs it to the file. Number of supported algos is impressive. But what we have is an OFFSET (or 68(!) offsets in TinyCars example). The same (or sometimes more) i could do with HexWorkshop4. What next? (At this place please re-read my previous post).

Anyway thanks for this interesting prog.

Hmm i had same problem with a dll.....i can browse the resources, disassemble it etc but whenever i patch it although it still runs its faulty..my guess is that theres a CRC check somewhere .i dont have a clue where to begin looking for the check BUT i found a program thats in beta that says it can compare both files original and patched and then patch original keeping the same CRC its called

CRC32 PATCHER 0.9 BY Anarchriz
_http://anarchriz.cjb.net/

Theres also a toot by same author

CRC and how to Reverse it
_http://biw.rult.at/tuts/crctut1.htm

When i used it to compare the 2 files it says theres an overflow between offset and filesize..maybe im putting in the wrong offsets ...dunno

if someone can suss out the toot OR how to use the program correctly please let me know ok :)

paul333

The problem with dll must rely (almost for sure) in a module which calls Yours dll (it could be main executable) - that's the way I would do a check like this. Method for finding check in this case You should chose by Yourself. I suggest You set a breakpoint on ExitProcess or, if it hangs, back-trace to the place where the last (or "few" last) function are called and find the cause. Also, You can always notice correct order of function calling with untouched dll, then change Your dll and notice what's changing.

I agree Dynio but in this case its a plugin so its only the dll i have to play with ...The problem is that once patched although the dll runs and i see main window it doesnt go on to show the 3d image which it should do ..i even patched somewhere outwith the main code just to test and it picks up on that too...on themakers website they do say that in certain instances the program has a bug where it displays a blank 3d worktop....this sounds similar to what happens when i patch it so maybe thats why .still thinks its crc checking though ...no probs as i have now left that project anyway :)

paul333

Re: CRC
 

Of course. But I too lazy to do it with Hiew, so I just code that ...

alephz, man? you are back??? Or am I dreaming???

Return to back
 

Check Ur PM.