At 02:41 AM 6/25/2009, Rob Cameron wrote:
Sid, that's a good thought. However I would have thought that it
would have worked the same in both cases, since the file that is
being hashed is nominally the same, before and after encryption/decryption.
Is the hash calculated by different code than does the
decryption? If so, they could be using different mechanisms to get
the file size. Also, if the decryption code decrypts bytes past the
logical end of the EXE, it won't affect the EXE.
For example, say the EXE is 3,000 bytes long and is in a 4K
cluster. This means that the first 3,000 bytes are part of the EXE,
and the next 1,096 bytes are wasted space. If the wasted space gets
decrypted, it won't affect the EXE. But if the hash algorithm looks
at that wasted space and uses it, the hash will be off.
I'm of course not saying that this is what's happening, but it's all
I can think of given your symptoms.
Some more info:
I've been experimenting with a lot more files and in different
locations. I get the same results whether the files are stored in:
C:\Users\Rob\Temp\<folder>
or
C:\Temp\<folder>
or
F:\<folder>
where <folder> is my holding folder and F is a USB stick.
However it doesn't do this with all files and so far I haven't been
able to figure out which files are vulnerable. It doesn't seem to
depend on file size or file type. I'll do some more expts.
Rob
Sid Gudes wrote:
>Could it be that XP returns the actual EXE size, while Vista rounds
>up to the next cluster size, so you're hashing some garbage bytes
>past the end of the EXE?
At 12:02 PM 6/24/2009, Rob Cameron wrote:
>>I wrote a program (in Delphi 7) and have been using it for ages to
>>encrypt then decrypt an executable file, then compare the hash of
>>the decrypted file with the original. Specifically:
>>
>>Compute the hash of a file, save it. Let's call it "OldHash"
>>Encrypt the file in place
>>Decrypt the file in place
>>Compute the hash of the file, let's call it "NewHash"
>>Compare OldHash and NewHash.
>>
>>In XP (SP3 now, but all SPs AFAIK): OldHash = NewHash.
>>In Vista: OldHash <> NewHash.
>>
>>In both cases the decrypted file appears to be in good order - i.e.
>>it executes OK and shows no practical differences.
>>
>>To make the comparisons, I have prepared a folder which contains
>>only the Launcher (which does the encrypt/decrypt) the target exe
>>file and a couple of files which are needed for the exe to run (they
>>are, in fact untouched in these tests). Then I copy this folder from
>>a machine running XP to a machine running Vista Business and get
>>different results.
__________________________________________________
Delphi-Talk mailing list -> [email protected]
http://lists.elists.org/cgi-bin/mailman/listinfo/delphi-talk
Regards,
Sid Gudes
PIA Systems Corporation
[email protected]
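
The failure mode suggested in this thread (a hash that covers bytes past the logical end of the file), shown as an added Python example; it is not code from the thread or from the Delphi program being discussed. The XOR transform, the reused read buffer and the 3,000-byte sample are constructed assumptions standing in for the real encrypt/decrypt step and EXE.

```python
import hashlib
import io

CLUSTER = 4096  # cluster size used in the thread's 3,000-byte example


def hash_logical(stream, buf):
    """Hash only the bytes actually read (the file's logical length)."""
    h = hashlib.sha256()
    while (n := stream.readinto(buf)) > 0:
        h.update(memoryview(buf)[:n])
    return h.hexdigest()


def hash_whole_buffer(stream, buf):
    """Defective variant: hashes the full cluster-sized buffer each pass,
    so bytes after the logical end of the data enter the digest."""
    h = hashlib.sha256()
    while stream.readinto(buf) > 0:
        h.update(buf)  # bug: ignores how many bytes were read
    return h.hexdigest()


def xor_in_place(data, key=0x5A):
    """Stand-in for encrypt/decrypt (assumption: any reversible transform)."""
    for i in range(len(data)):
        data[i] ^= key


def round_trip(hasher):
    """Return (OldHash, NewHash) around an encrypt/decrypt round trip."""
    exe = bytearray(b"MZ" + bytes(range(256)) * 12)[:3000]  # constructed sample
    buf = bytearray(CLUSTER)         # read buffer starts zero-filled
    old_hash = hasher(io.BytesIO(exe), buf)
    xor_in_place(exe)                # "encrypt" in place
    buf[:] = b"\xAA" * CLUSTER       # buffer reused elsewhere: stale tail bytes
    xor_in_place(exe)                # "decrypt" in place
    new_hash = hasher(io.BytesIO(exe), buf)
    return old_hash, new_hash


if __name__ == "__main__":
    for fn in (hash_logical, hash_whole_buffer):
        old, new = round_trip(fn)
        print(fn.__name__, "match" if old == new else "MISMATCH")
```

The data is byte-identical after the round trip in both runs; only the hasher that includes the 1,096 tail bytes reports a mismatch.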