I'm sorry, but if anything changes in the file, the full file's hash will completely change. Jason's right, they must be applying a technique such as ignoring all data after the end of the .code section. Recompiling only fixes the issue because, as HellSpider stated, the hash would change due to the time stamp in the PE headers.
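The claim in the post above, as an added example that is not part of the original thread: a whole-file SHA-1 changes when bytes follow the last section or when the PE TimeDateStamp differs, while a digest taken only over a section's contents does not. The sample image is constructed in the code, and the function names are assumptions of this example.

```python
import hashlib
import struct

def build_sample_pe(code: bytes, timestamp: int) -> bytes:
    """Constructed minimal PE32 layout with one .text section (sample input only)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)           # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 222                # zeroed optional header
    raw = code.ljust(512, b"\0")                                # padded to FileAlignment
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000,
                       len(raw), 512, 0, 0, 0, 0, 0x60000020)
    return (dos + b"PE\0\0" + coff + opt + sect).ljust(512, b"\0") + raw

def section_digests(image: bytes) -> dict:
    """SHA-1 of each section's contents, located through the section table."""
    if len(image) < 64 or image[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect = struct.unpack_from("<H", image, pe + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]
    table = pe + 24 + opt_size
    digests = {}
    for i in range(nsect):
        name, vsize, _rva, rsize, rptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        # Hash only the bytes the section uses, so alignment padding is ignored too.
        size = min(vsize, rsize) if vsize else rsize
        data = image[rptr:rptr + size]
        digests[name.rstrip(b"\0").decode("ascii", "replace")] = hashlib.sha1(data).hexdigest()
    return digests

def compare(a: bytes, b: bytes) -> tuple:
    """Return (whole-file SHA-1 equal?, .text SHA-1 equal?) for two images."""
    whole = hashlib.sha1(a).digest() == hashlib.sha1(b).digest()
    return whole, section_digests(a)[".text"] == section_digests(b)[".text"]

if __name__ == "__main__":
    code = bytes.fromhex("31c0c3")                  # constructed code bytes
    base = build_sample_pe(code, 0x50380000)
    appended = base + b"\x41" * 16                  # extra bytes after the last section
    rebuilt = build_sample_pe(code, 0x50390000)     # same code, different TimeDateStamp
    print(compare(base, appended), compare(base, rebuilt))
```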
Who told you that information? Although I 100% agree pumping random bytes to EOF is not the correct way to do it. What you need to do is pump random bytes into the resource section of the image, or if enough space allows it, pump random bytes into the end of the code section of the image. Also, to make it complete you would modify the CRC value in the image header. Oh, back to my point: SHA1, MD5, etc. are all similar in that they hash a given amount of bytes. What makes you think SHA1 just for some reason automatically knows not to include EOF bytes?
https://www.codeprojec*****m/Articles/...ksum-Algorithm
Last edited by Departure; 08-25-2012 at 09:09 AM.
All of that "pumping" is rubbish. You can't just pump random bytes into the resource section; some programs actually USE their resources, and overwriting them with rubbish data can cause instability. You *can* overwrite the padding of each section (each section is page aligned, so you can compute the difference between VirtualSize and SizeOfRawData and overwrite the difference), but there are a multitude of safe places in an executable image that you can overwrite.
No one said to overwrite resources. I said pump, meaning to add new resources into the resource section of the image. And yes, I 100% agree with the page alignment, hence the reason why I stated "if" enough space (aka padding) allows you to write random bytes to the end of the code section (or any other section for that matter). To add new resources is a simple process using the Windows API UpdateResource function.
A small example in Delphi would be something like....
Code:
    ResourceHandle := BeginUpdateResourceW(PWideChar(WideString(SaveDialog1.Filename)), False); // File name
    UpdateResourceW(ResourceHandle, PWideChar(RT_RCDATA), (PWideChar(WideString('DATA'))), 0, @szData[1], Length(szData));
    EndUpdateResourceW(ResourceHandle, False);

szData is just a string generated randomly, and SaveDialog1.Filename is the file you want to add resources to... a simple 3 lines of code to add resources.
Last edited by Departure; 08-26-2012 at 11:34 PM.