Hi All,

I just wanted to post the general results. Nothing in too much detail
just in case (I glossed over some linear transformations). This does
not appear to be a CRC at all. It is a Summation of DWORDs accumulated
in EAX.

My BaseLine File Statistics:
Base Address: 0xB70000
File Size: 0x010E00

The Library is ImageHlp.dll, Functions of interest:
CheckSumMappedFile
ChkSum (called by CheckSumMappedFile)

PIMAGE_NT_HEADERS CheckSumMappedFile(
  PVOID BaseAddress,
  DWORD FileLength,
  PDWORD HeaderSum,
  PDWORD CheckSum
);

******************************
Setup
******************************
imagehlp!CheckSumMappedFile:
76c96f01 - 76c946c9 SEH Setup...
76c96f13 8b450c          mov     eax,dword ptr [ebp+0Ch]
76c96f16 d1e8            shr     eax,1
76c96f18 50              push    eax
76c96f19 ff7508          push    dword ptr [ebp+8]
76c96f1c 6a00            push    0
76c96f1e e856d6ffff      call    imagehlp!ChkSum (76c94579)

76c96f18 (push eax) pushes the file's length. For some reason it came
in as File Size/2 (hence shr eax, 1).
76c96f19 (push dword ptr [ebp+8] ) pushes the Base Address
76c96f1c (push 0) pushes the Initialized Sum

Below is Cleanup from calling ChkSum.

******************************
Return/Cleanup
******************************
76c96f23 8bf8            mov     edi,eax
76c96f25 897de4          mov     dword ptr [ebp-1Ch],edi
76c96f28 8365fc00        and     dword ptr [ebp-4],0
76c96f2c ff7508          push    dword ptr [ebp+8]
76c96f2f e81ed2ffff      call    imagehlp!RtlpImageNtHeader (76c94152)
76c96f34 8945e0          mov     dword ptr [ebp-20h],eax
76c96f37 834dfcff        or      dword ptr [ebp-4],0FFFFFFFFh
76c96f3b eb1d            jmp     imagehlp!CheckSumMappedFile+0x4f (76c96f5a)

And Mr. ChkSum:

******************************
ChkSum
******************************
76c94579 56              push    esi
76c9457a 8b4c2410        mov     ecx,dword ptr [esp+10h]
76c9457e 8b74240c        mov     esi,dword ptr [esp+0Ch]
76c94582 8b442408        mov     eax,dword ptr [esp+8]
76c94586 d1e1            shl     ecx,1

Save ESI
ECX: Size of File
ESI: Base Address
EAX: Running Total

Next, ECX is tested against values 2, 4, ... 0x20, 0x40. None of the
tests triggered code execution other than a jump to the next test.
Perhaps this is an obfuscation??? To be determined.

Next, some meat and potatoes:
76c94661 0306            add     eax,dword ptr [esi]
76c94663 134604          adc     eax,dword ptr [esi+4]
76c94666 134608          adc     eax,dword ptr [esi+8]
76c94669 13460c          adc     eax,dword ptr [esi+0Ch]
76c9466c 134610          adc     eax,dword ptr [esi+10h]
...
76c946b1 13466c          adc     eax,dword ptr [esi+6Ch]
76c946b4 134670          adc     eax,dword ptr [esi+70h]
76c946b7 134674          adc     eax,dword ptr [esi+74h]
76c946ba 134678          adc     eax,dword ptr [esi+78h]
76c946bd 13467c          adc     eax,dword ptr [esi+7Ch]

Get the Flags Register in Order:
76c946c0 83d000          adc     eax,0

And Finally, adjust some Counters (to account for consumption of DWORDS):
76c946c3 81c680000000    add     esi,80h  // Base Address += 0x80
76c946c9 81e980000000    sub     ecx,80h // File Size -= 0x80

A jump again occurred into the _SAME_ summation routine:
76c94661 0306            add     eax,dword ptr [esi]
76c94663 134604          adc     eax,dword ptr [esi+4]
76c94666 134608          adc     eax,dword ptr [esi+8]
76c94669 13460c          adc     eax,dword ptr [esi+0Ch]
76c9466c 134610          adc     eax,dword ptr [esi+10h]
...
76c946b1 13466c          adc     eax,dword ptr [esi+6Ch]
76c946b4 134670          adc     eax,dword ptr [esi+70h]
76c946b7 134674          adc     eax,dword ptr [esi+74h]
76c946ba 134678          adc     eax,dword ptr [esi+78h]
76c946bd 13467c          adc     eax,dword ptr [esi+7Ch]

Set Flags/Adjust Counter and Pointer
76c946c0 83d000          adc     eax,0
76c946c3 81c680000000    add     esi,80h
76c946c9 81e980000000    sub     ecx,80h

Jump Again:
76c946cf 7590            jne     imagehlp!ChkSum+0xe8 (76c94661)

Basically, this is summing 0x80 bytes at a time. Finally, return EAX &
0xFFFF (discard high order 2 bytes).

Later, after returning from ChkSum:
76c96f73 754b            jne     imagehlp!CheckSumMappedFile+0xb5 (76c96fc0)
76c96f75 8d4858          lea     ecx,[eax+58h]
76c96f78 8b11            mov     edx,dword ptr [ecx]
76c96f7a 8916            mov     dword ptr [esi],edx

76c96f75 (lea ecx,[eax+58h]) loads the effective address of the
Checksum Header Field. In this example, Base Address = B70000, so ECX
= B70138. So, this is fetching HeaderSum and writing it to the PDWORD
HeaderSum.

And the following writes the calculated sum (ECX=0 from the prologue) to
PDWORD CheckSum:
76c96fb1 03d1            add     edx,ecx
76c96fb3 8b4d14          mov     ecx,dword ptr [ebp+14h]
76c96fb6 8911            mov     dword ptr [ecx],edx

Finally, PIMAGE_NT_HEADERS is returned in EAX.

Jeff

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the "Crypto++ Users" 
Google Group.
To unsubscribe, send an email to [EMAIL PROTECTED]
More information about Crypto++ and this group is available at 
http://www.cryptopp.com.
-~----------~----~----~----~------~----~------~--~---

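A runnable model of the routine walked through in the post above, as an added example (it is not code from the post, from ImageHlp.dll or from Crypto++). chk_sum() mirrors what the disassembly shows: DWORDs are accumulated with end-around carry (the add/adc chain plus adc eax,0), and the result is folded down to 16 bits. Two details are not visible in the quoted disassembly and are taken from the documented PE checksum behaviour that CheckSumMappedFile wraps around ChkSum: the stored OptionalHeader.CheckSum field is excluded from the sum, and the file length is added at the end. The field is located exactly as the post describes, at e_lfanew + 0x58. The sample image, its field values and all function names are constructed for this example.

```python
"""Model of the PE checksum (imagehlp!ChkSum / CheckSumMappedFile).

Added example; the sample image below is constructed, not a real binary.
"""
import struct

# Signature (4) + IMAGE_FILE_HEADER (20) + 0x40 into the optional header,
# the [eax+58h] that the post shows CheckSumMappedFile reading.
CHECKSUM_OFFSET_IN_NT_HEADERS = 0x58


def checksum_field_offset(image: bytes) -> int:
    """File offset of OptionalHeader.CheckSum: e_lfanew (at 0x3C) + 0x58."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    return e_lfanew + CHECKSUM_OFFSET_IN_NT_HEADERS


def chk_sum(data: bytes, skip_offset=None) -> int:
    """Equivalent of imagehlp!ChkSum: DWORD summation with end-around carry,
    then fold to 16 bits. skip_offset (assumed DWORD aligned) names a DWORD
    that is left out of the sum; the PE checksum field is excluded that way."""
    remainder = len(data) % 4
    padded = data + b"\0" * ((4 - remainder) % 4)  # zero-pad an odd tail
    skip_index = None if skip_offset is None else skip_offset // 4
    total = 0
    for i in range(len(padded) // 4):
        if i == skip_index:
            continue
        (dword,) = struct.unpack_from("<I", padded, i * 4)
        total += dword                      # add / adc chain
        if total > 0xFFFFFFFF:              # the carry that adc eax,0 re-adds
            total = (total & 0xFFFFFFFF) + (total >> 32)
    # Fold the 32-bit accumulator down to a 16-bit value.
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return total & 0xFFFF


def pe_checksum(image: bytes) -> int:
    """Documented PE checksum: ChkSum over the file minus the CheckSum
    field, plus the file length (the step the post sees as add edx,ecx)."""
    return chk_sum(image, checksum_field_offset(image)) + len(image)


def verify_checksum(image: bytes):
    """Returns (stored, computed, matches) for a mapped image."""
    (stored,) = struct.unpack_from("<I", image, checksum_field_offset(image))
    computed = pe_checksum(image)
    return stored, computed, stored == computed


def patch_checksum(image: bytes) -> bytes:
    """Write the correct value into OptionalHeader.CheckSum."""
    out = bytearray(image)
    struct.pack_into("<I", out, checksum_field_offset(image), pe_checksum(image))
    return bytes(out)


def build_sample_image() -> bytes:
    """Constructed 512-byte skeleton: MZ stub, e_lfanew = 0x40, PE signature,
    i386 FileHeader with one section, PE32 magic, and a deliberately wrong
    stored checksum (0x12345678) at 0x40 + 0x58 = 0x98."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)          # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x44, 0x14C, 1)     # Machine, NumberOfSections
    struct.pack_into("<H", img, 0x58, 0x10B)         # PE32 optional header magic
    struct.pack_into("<I", img, 0x98, 0x12345678)    # stored CheckSum (wrong)
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_image()
    print("field at 0x%X" % checksum_field_offset(sample))
    print("stored=0x%X computed=0x%X ok=%s" % verify_checksum(sample))
    print("after patch: stored=0x%X computed=0x%X ok=%s"
          % verify_checksum(patch_checksum(sample)))
```

Because the field is skipped, writing the computed value into it does not change the sum, which is why patch_checksum() can be applied in one pass; an image whose stored value disagrees with pe_checksum() has either never been checksummed by the linker or has been modified after it was.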