PESum v0.01 by CORE
This download is a Windows program, but it should only be run on your computer if you trust it.
Instead, run it isolated in Windows Sandbox, VirtualBox or Parallels.
Browsers may flag this download as unwanted or malicious. If unsure, scan it with VirusTotal.
Last modified Nov 22, 2020 9:31:12 AM
MD5 checksum c67b5c606833d4d6a227fadfc3e50a18
Mime type Zip archive data
Download cr-ps001.zip
Size 68 kB
4 items in the archive
- COREUTiL.NFO
- FILE_ID.DIZ
- pesum.zip
- Core98.exe
─════════════════════════════════════════════════════════════════════─
PESum v0.01 ■ Updates the Checksum of a PE file (c) [eGIS!/CORE '98]
Registered to: Public Domain. All rights reserved.
─════════════════════════════════════════════════════════════════════─
Document
by
[eGIS!/CORE]
1. Introduction
---------------
It seems that some very good coders have begun to write PE encryptors
and compressors, and many of them have succeeded in writing their
own. But sometimes when we run the encrypted/compressed EXEs, a
virus monitor alerts us that the files have been infected.
Why? It is generally because the correct checksum of the PE file
changes during the encryption or compression process, but the
author of the encryptor/compressor forgets to update that value in
the header. Windows 9x will ignore that value. But Windows NT will
not, and some anti-virus programs will not.
2. What is PESum?
-----------------
PESum checks whether a PE file has a correct checksum in its header.
If it does not, PESum will compute the checksum and update the PE
file.
3. How to use?
--------------
PESum is easy to use. If you want to check a PE file named BLA.EXE,
just type:
    PESUM BLA.EXE
and PESum will do the rest.
4. Update or not?
-----------------
PESum will always update the checksum if it finds that a PE file does
not have the correct value. That will not do any harm to the EXE.
5. Known buggy encryptors/compressors
-------------------------------------
PETite Version 1.00, 1.01, 1.02 by Ian Luck
PE-Pack Version 0.99 by ANAKiN
PEShield 0.1, 0.2a~0.2d by ANAKiN
WWPack32 1.00, 1.01, 1.10, 1.11 by R.W. & P.W.
PE-Crypt32 1.00, 1.01, 1.02 by Random, ACP & Killa
BJFnt 1.1, 1.2, 1.3, 1.4 by MARQUIS
STONE's encryptor 1.13 by STONE
Only PELockNT does not have this problem.
6. Known anti-virus programs which report this error
----------------------------------------------------
AVP Version 3.0 will report this error. I have not found other AV
programs that report it, including NAV 5.0.1.
BTW: I strongly recommend that you not use AVP. The AVP monitor
conflicts with a lot of utilities, e.g. Norton SpeedStart, which
boosts the startup time of a program up to 300%. The AVP monitor
slows down your Windows 9x. I personally use Norton AntiVirus 5; it
simply rules. Maybe you are using TBAV or F-PROT; if the same error
occurs, please tell me.
7. How to contact me
--------------------
You can contact me by:
E-Mail: [email protected]
IRC : egis in EFNet, channel #cracking
If you find bugs, please feel free to contact me.
8. Greetings
------------
All CORE members esp. katie, DrRhui, pSI and SiraX
All PCE members
mARQUIS, random, ANAKiN, acpizer, G-ROM & STONE for your hard work
on PE file exploring
dEVIL: you introduced me to UCF :)
djHD, Dr. Arab, Prophecy, llLibRa
9. Technical Notes
------------------
This little program only uses the MapFileAndCheckSum function to get
the correct checksum and writes it back to the original EXE file. In
order to use this API function, you must include IMAGEHLP.H and link
IMAGEHLP.LIB in your project.
API details:
    MapFileAndCheckSum(
        BYTE*  szName,
        DWORD* dwHeaderSum,
        DWORD* dwCheckSum )
    szName:      file name specification, length up to 260 characters (Win95)
    dwHeaderSum: buffer that receives the current header checksum
    dwCheckSum:  buffer that receives the correct header checksum
This is the structure of the PE file header.
[PEHEADER.H]
------------
typedef unsigned char  BYTE;
typedef unsigned short WORD;   /* must be 16 bits; "unsigned int" is 32 bits on Win32 */
typedef unsigned long  DWORD;  /* 32 bits with Windows compilers */

/* PE signature followed by the COFF file header (24 bytes in total) */
typedef struct {
    DWORD PESign;                 /* "PE\0\0" */
    WORD  Machine;
    WORD  NumofSections;
    DWORD TimeStamp;
    DWORD PointerToSymbolTable;
    DWORD NumofSymbols;
    WORD  SizeofOptionalHeader;
    WORD  Characteristics;
} PEHeader;

/* Optional header up to, but not including, the data directories */
typedef struct {
    WORD  Magic;
    BYTE  MajorLinkerVer;
    BYTE  MinorLinkerVer;
    DWORD SizeofCode;
    DWORD SizeofIData;            /* size of initialized data */
    DWORD SizeofUIData;           /* size of uninitialized data */
    DWORD AddressofEntryPointer;
    DWORD BaseofCode;
    DWORD BaseofData;
    DWORD ImageBase;
    DWORD SectionAlignment;
    DWORD FileAlignment;
    WORD  MajorOSVer;
    WORD  MinorOSVer;
    WORD  MajorImageVer;
    WORD  MinorImageVer;
    WORD  MajorSubSysVer;
    WORD  MinorSubSysVer;
    DWORD Reserved;
    DWORD SizeofImages;
    DWORD SizeofHeaders;
    DWORD CheckSum;               /* the field PESum rewrites (offset 64) */
    WORD  SubSys;
    WORD  DLLChars;
    DWORD SizeofStackReserve;
    DWORD SizeofStackCommit;
    DWORD SizeofHeapReserve;
    DWORD SizeofHeapCommit;
    DWORD LoaderFlags;
    DWORD NumofRVAAndSizes;
} PEOptionalHeader;

/* Section (object) table entry, 40 bytes */
typedef struct {
    BYTE  szObjName[ 8 ];
    DWORD VirtualSize;
    DWORD RVA;
    DWORD PhysicalSize;
    DWORD Offset;
    DWORD Reserved[ 3 ];
    DWORD Flags;
} ObjectHeader;
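
The check PESum performs, written out by hand as an added example (this is not PESum's own code, which calls MapFileAndCheckSum). It locates the CheckSum field from the header layout above and recomputes the value with the commonly documented PE checksum algorithm, which is assumed here to match the API's result. All function names and the 256-byte sample image are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Little-endian 32-bit read, independent of host byte order and alignment. */
static uint32_t rd32(const uint8_t *p)
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* File offset of the CheckSum field, or 0 if the buffer is not a plausible PE:
   e_lfanew (at 0x3C) + 4-byte signature + 20-byte file header + 64 bytes. */
size_t pe_checksum_offset(const uint8_t *img, size_t len)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return 0;
    size_t pe = rd32(img + 0x3C);
    if (pe > len || len - pe < 4 + 20 + 64 + 4) return 0;
    if (memcmp(img + pe, "PE\0\0", 4) != 0) return 0;
    return pe + 4 + 20 + 64;
}

/* Sum the file as 16-bit little-endian words with end-around carry, counting
   the stored CheckSum as zero, then add the file length. */
uint32_t pe_compute_checksum(const uint8_t *img, size_t len, size_t field)
{
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i++) {
        if (i >= field && i < field + 4) continue;   /* skip stored value */
        sum += (uint32_t)img[i] << (8 * (i & 1));    /* low or high byte of word */
        sum = (sum & 0xFFFF) + (sum >> 16);          /* fold carry back in */
    }
    return sum + (uint32_t)len;
}

/* 1 = header value is correct, 0 = stale (PESum would rewrite it), -1 = not PE */
int pe_checksum_status(const uint8_t *img, size_t len)
{
    size_t field = pe_checksum_offset(img, len);
    if (field == 0) return -1;
    return rd32(img + field) == pe_compute_checksum(img, len, field);
}

/* Constructed 256-byte sample: "MZ", e_lfanew = 0x40, "PE\0\0", rest zero. */
void make_sample_pe(uint8_t img[256])
{
    memset(img, 0, 256);
    memcpy(img, "MZ", 2);
    img[0x3C] = 0x40;
    memcpy(img + 0x40, "PE\0\0", 4);
}
```

A status of 0 on a file that is otherwise valid is the condition the introduction describes: the contents were changed after linking and the header field was left as it was.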