Hi All, I just wanted to post the general results. Nothing in too much detail just in case (I glossed over some linear transformations). This does not appear to be a CRC at all. It is a Summation of DWORDs accumulated in EAX.
My BaseLine File Statistics:

    Base Address: 0xB70000
    File Size:    0x010E00

The library is ImageHlp.dll. Functions of interest:

    CheckSumMappedFile
    ChkSum (called by CheckSumMappedFile)

    PIMAGE_NT_HEADERS CheckSumMappedFile(
        PVOID  BaseAddress,
        DWORD  FileLength,
        PDWORD HeaderSum,
        PDWORD CheckSum
    );

****************************** Setup ******************************

imagehlp!CheckSumMappedFile:

    76c96f01 - 76c946c9   SEH Setup...
    76c96f13 8b450c       mov eax,dword ptr [ebp+0Ch]
    76c96f16 d1e8         shr eax,1
    76c96f18 50           push eax
    76c96f19 ff7508       push dword ptr [ebp+8]
    76c96f1c 6a00         push 0
    76c96f1e e856d6ffff   call imagehlp!ChkSum (76c94579)

76c96f18 (push eax) pushes the file's length. For some reason it came in as File Size/2 (hence shr eax,1).
76c96f19 (push dword ptr [ebp+8]) pushes the Base Address.
76c96f1c (push 0) pushes the Initialized Sum.

Below is the cleanup from calling ChkSum.

****************************** Return/Cleanup ******************************

    76c96f23 8bf8         mov edi,eax
    76c96f25 897de4       mov dword ptr [ebp-1Ch],edi
    76c96f28 8365fc00     and dword ptr [ebp-4],0
    76c96f2c ff7508       push dword ptr [ebp+8]
    76c96f2f e81ed2ffff   call imagehlp!RtlpImageNtHeader (76c94152)
    76c96f34 8945e0       mov dword ptr [ebp-20h],eax
    76c96f37 834dfcff     or dword ptr [ebp-4],0FFFFFFFFh
    76c96f3b eb1d         jmp imagehlp!CheckSumMappedFile+0x4f (76c96f5a)

And Mr. ChkSum:

****************************** ChkSum ******************************

    76c94579 56           push esi
    76c9457a 8b4c2410     mov ecx,dword ptr [esp+10h]
    76c9457e 8b74240c     mov esi,dword ptr [esp+0Ch]
    76c94582 8b442408     mov eax,dword ptr [esp+8]
    76c94586 d1e1         shl ecx,1

Save ESI
ECX: Size of File
ESI: Base Address
EAX: Running Total

Next, ECX is tested against the values 2, 4, ... 0x20, 0x40. None of the tests triggered code execution other than a jump to the next test. Perhaps this is an obfuscation??? To be determined.
Next, some meat and potatoes:

    76c94661 0306         add eax,dword ptr [esi]
    76c94663 134604       adc eax,dword ptr [esi+4]
    76c94666 134608       adc eax,dword ptr [esi+8]
    76c94669 13460c       adc eax,dword ptr [esi+0Ch]
    76c9466c 134610       adc eax,dword ptr [esi+10h]
    ...
    76c946b1 13466c       adc eax,dword ptr [esi+6Ch]
    76c946b4 134670       adc eax,dword ptr [esi+70h]
    76c946b7 134674       adc eax,dword ptr [esi+74h]
    76c946ba 134678       adc eax,dword ptr [esi+78h]
    76c946bd 13467c       adc eax,dword ptr [esi+7Ch]

Get the Flags Register in order:

    76c946c0 83d000       adc eax,0

And finally, adjust some counters (to account for the consumption of DWORDs):

    76c946c3 81c680000000 add esi,80h    // Base Address += 0x80
    76c946c9 81e980000000 sub ecx,80h    // File Size -= 0x80

A jump again occurred into the _SAME_ summation routine:

    76c94661 0306         add eax,dword ptr [esi]
    76c94663 134604       adc eax,dword ptr [esi+4]
    76c94666 134608       adc eax,dword ptr [esi+8]
    76c94669 13460c       adc eax,dword ptr [esi+0Ch]
    76c9466c 134610       adc eax,dword ptr [esi+10h]
    ...
    76c946b1 13466c       adc eax,dword ptr [esi+6Ch]
    76c946b4 134670       adc eax,dword ptr [esi+70h]
    76c946b7 134674       adc eax,dword ptr [esi+74h]
    76c946ba 134678       adc eax,dword ptr [esi+78h]
    76c946bd 13467c       adc eax,dword ptr [esi+7Ch]

Set Flags/Adjust Counter and Pointer:

    76c946c0 83d000       adc eax,0
    76c946c3 81c680000000 add esi,80h
    76c946c9 81e980000000 sub ecx,80h

Jump again:

    76c946cf 7590         jne imagehlp!ChkSum+0xe8 (76c94661)

Basically, this is summing 0x80 bytes at a time. Finally, return EAX & 0xFFFF (discard the high-order 2 bytes).

Later, after returning from ChkSum:

    76c96f73 754b         jne imagehlp!CheckSumMappedFile+0xb5 (76c96fc0)
    76c96f75 8d4858       lea ecx,[eax+58h]
    76c96f78 8b11         mov edx,dword ptr [ecx]
    76c96f7a 8916         mov dword ptr [esi],edx

76c96f75 (lea ecx,[eax+58h]) loads the effective address of the CheckSum header field. In this example, Base Address = B70000, so ECX = B70138. So, this is fetching HeaderSum and writing it to the PDWORD HeaderSum.
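To make the ADD/ADC loop above concrete, here is an added C model of it; this is editor-supplied example code, not Jeff's code and not a copy of ImageHlp.dll. It accumulates little-endian DWORDs into a 32-bit total in 0x80-byte passes exactly as the listing shows (ADD, a chain of ADCs, then ADC EAX,0), and it makes three assumptions the listing does not settle: a tail shorter than 0x80 bytes is handled by adding the remaining DWORDs and a final WORD the same way (an odd trailing byte is ignored), the reduction to 16 bits is modelled as an end-around-carry fold of the high word into the low word (the post summarises that step as EAX & 0xFFFF), and the sample input is a constructed byte pattern rather than a real PE file. The two check functions show why this matters to a defender: the folded DWORD total equals a plain WORD-wise one's-complement sum, and a sum cannot tell reordered blocks apart, so the field is a sanity check and not a CRC-like integrity control.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Read one little-endian DWORD, as [esi+N] does on x86. */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hypothetical C model of the ChkSum loop in the listing: DWORDs are added
   into EAX with ADD/ADC, 0x80 bytes (32 DWORDs) per pass, and ADC EAX,0
   folds the outstanding carry in after each pass.  Tail handling is an
   assumption: leftover DWORDs and a final WORD are added the same way,
   an odd trailing byte is ignored. */
uint32_t chksum_dwords(const uint8_t *base, size_t len, uint32_t init)
{
    uint32_t eax = init;              /* running total pushed by the caller */
    size_t off = 0;
    while (off < len) {
        size_t block = (len - off >= 0x80) ? 0x80 : (len - off);
        uint32_t carry = 0;           /* CF carried between the chained ADCs */
        size_t i;
        for (i = 0; i + 4 <= block; i += 4) {
            uint64_t t = (uint64_t)eax + le32(base + off + i) + carry;
            eax = (uint32_t)t;
            carry = (uint32_t)(t >> 32);
        }
        if (i + 2 <= block) {         /* trailing WORD (assumption) */
            uint32_t w = (uint32_t)base[off + i] | ((uint32_t)base[off + i + 1] << 8);
            uint64_t t = (uint64_t)eax + w + carry;
            eax = (uint32_t)t;
            carry = (uint32_t)(t >> 32);
        }
        eax += carry;                 /* adc eax,0 */
        off += block;
    }
    return eax;
}

/* Reduce the 32-bit total to 16 bits with an end-around carry (assumed here;
   the post summarises the step as EAX & 0xFFFF).  Two passes are needed
   because the first may itself produce a carry. */
uint16_t fold16(uint32_t sum)
{
    sum = (sum & 0xFFFFu) + (sum >> 16);
    sum = (sum & 0xFFFFu) + (sum >> 16);
    return (uint16_t)sum;
}

/* Reference: plain 16-bit one's-complement sum of little-endian WORDs. */
uint16_t ones_complement_sum16(const uint8_t *p, size_t len)
{
    uint32_t s = 0;
    for (size_t i = 0; i + 2 <= len; i += 2) {
        s += (uint32_t)p[i] | ((uint32_t)p[i + 1] << 8);
        s = (s & 0xFFFFu) + (s >> 16);
    }
    return (uint16_t)s;
}

/* Constructed sample inputs (not taken from any real file). */
const uint8_t kTwoDwords[8] = { 1, 0, 0, 0, 2, 0, 0, 0 };   /* 0x00000001 + 0x00000002 */
const uint8_t kAllOnes[8]   = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF };
enum { SAMPLE_LEN = 0x100 + 6 };    /* two full 0x80 passes, one DWORD, one WORD */

static void fill_sample(uint8_t *buf)
{
    for (size_t i = 0; i < SAMPLE_LEN; i++)
        buf[i] = (uint8_t)(i * 37u + 11u);   /* deterministic constructed pattern */
}

/* 1 if the folded DWORD/ADC total equals the WORD-wise reference sum. */
int fold_matches_word_sum(void)
{
    uint8_t buf[SAMPLE_LEN];
    fill_sample(buf);
    return fold16(chksum_dwords(buf, SAMPLE_LEN, 0)) ==
           ones_complement_sum16(buf, SAMPLE_LEN);
}

/* 1 if swapping two DWORDs leaves the total unchanged: a sum is
   order-independent, so unlike a CRC it cannot detect reordered blocks. */
int sum_ignores_reordering(void)
{
    uint8_t a[SAMPLE_LEN], b[SAMPLE_LEN], tmp[4];
    fill_sample(a);
    memcpy(b, a, SAMPLE_LEN);
    memcpy(tmp, b + 12, 4);           /* swap the DWORDs at 0x0C and 0x90 */
    memcpy(b + 12, b + 0x90, 4);
    memcpy(b + 0x90, tmp, 4);
    return memcmp(a, b, SAMPLE_LEN) != 0 &&
           chksum_dwords(a, SAMPLE_LEN, 0) == chksum_dwords(b, SAMPLE_LEN, 0);
}

int main(void)
{
    uint8_t buf[SAMPLE_LEN];
    fill_sample(buf);
    printf("dword/adc total: 0x%08x  folded: 0x%04x  word sum: 0x%04x\n",
           chksum_dwords(buf, SAMPLE_LEN, 0),
           fold16(chksum_dwords(buf, SAMPLE_LEN, 0)),
           ones_complement_sum16(buf, SAMPLE_LEN));
    printf("reordering detected: %s\n", sum_ignores_reordering() ? "no" : "yes");
    return 0;
}
```

The 0x80-byte pass structure is kept only to mirror the listing; arithmetically the result depends on nothing but the multiset of DWORDs, which is exactly why the reordering check succeeds. The equality with the WORD-wise sum follows from the fold: 0x10000 is congruent to 1 modulo 0xFFFF, so each DWORD contributes its high word plus its low word.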
And the following writes the calculated sum (ECX=0 from the prologue) to PDWORD CheckSum:

    76c96fb1 03d1         add edx,ecx
    76c96fb3 8b4d14       mov ecx,dword ptr [ebp+14h]
    76c96fb6 8911         mov dword ptr [ecx],edx

Finally, PIMAGE_NT_HEADERS is returned in EAX.

Jeff

You received this message because you are subscribed to the "Crypto++ Users" Google Group. More information about Crypto++ and this group is available at http://www.cryptopp.com.