Re: Dusty's EXEVALID utility fundamental flaw EXPOSED! *** WARNING: DO NOT USE THIS UTILITY! ***

"p-0''0-h the cat (ES)" wrote:

[snip]

I didn't see that discussion but then I'm reading only in ACAV.
However, I know a bit about executables so now I've read Dustin's and
your code I can say you're both barking up the wrong tree.

[snip]

This is completely irrelevant for Windows executables.

The MZ header fields are used only when running under MSDOS. Every
Windows executable from NT3 onwards uses the PE (portable executable)
format which by convention has a small MSDOS stub program prepended to
it (normally prints a message and exits when run under MSDOS). This is
why all Windows executables are expected to have 'M' and 'Z' as the
first 2 bytes but need not (and sometimes do not) actually have the
stub program. The 2nd and 3rd dwords are applicable only to the stub
program size, not the complete Windows executable.

The check being used in exevalid will pass in most cases for PE files
because the stub is always smaller than the whole file. However, there
are many malware and some legitimate packed executables which use the
MZ header fields for other purposes. In these cases the exe is not
corrupt as far as Windows is concerned but obviously is from an MSDOS
point of view.

The correct way to compare file to executable size is to check for the
presence of the PE header and use values from that when dealing with
Windows executables.

[followups set to ACAV]
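As an added example (not code from the thread, from EXEVALID or from any of the posters), the script below performs both checks the post above contrasts: the MS-DOS image size derived from the MZ words e_cblp and e_cp, and the file size implied by the PE section table. The sample executable is constructed inline so the script runs offline; its DOS header carries the constant values 0x90 and 3 that the thread says Microsoft linkers emit regardless of the real file size, and it has no PE stub program at all, which is why the second check, not the first, notices a truncated copy.

```python
"""Added example: MZ-header size check versus PE-section size check.

Not EXEVALID's source and not code from anyone in the thread.  The PE image
built by build_sample() is constructed by hand for this demonstration.
"""
import struct

MZ_SIG = b"MZ"
PE_SIG = b"PE\0\0"


def dos_image_size(data: bytes) -> int:
    """Size of the MS-DOS image as the MZ header describes it.

    e_cblp (offset 2): bytes used in the last 512-byte page (0 = full page).
    e_cp   (offset 4): number of 512-byte pages, last page included.
    Both are unsigned 16-bit words and only describe the DOS stub.
    """
    if len(data) < 0x40 or data[:2] != MZ_SIG:
        raise ValueError("not an MZ file")
    e_cblp, e_cp = struct.unpack_from("<HH", data, 2)
    return e_cp * 512 if e_cblp == 0 else (e_cp - 1) * 512 + e_cblp


def pe_image_file_size(data: bytes) -> int:
    """File size the PE headers imply: the end of the last section's raw data
    (or SizeOfHeaders, whichever is larger).  ValueError if there is no PE
    header or the header area itself is cut short."""
    if len(data) < 0x40:
        raise ValueError("too short for a DOS header")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != PE_SIG:
        raise ValueError("no PE header")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                                       # optional header
    sect = opt + opt_size                                 # section table
    if opt_size < 64 or sect + num_sections * 40 > len(data):
        raise ValueError("headers truncated")
    size_of_headers, = struct.unpack_from("<I", data, opt + 60)
    end = size_of_headers
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 of each entry.
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def check(data: bytes) -> dict:
    """Run both size checks on one buffer: on-disk size may exceed the
    reported size (overlay) but must not fall short of it."""
    dos = dos_image_size(data)
    result = {"on_disk": len(data), "mz_says": dos, "mz_ok": len(data) >= dos}
    try:
        pe = pe_image_file_size(data)
        result.update(pe_says=pe, pe_ok=len(data) >= pe)
    except (ValueError, struct.error):
        result.update(pe_says=None, pe_ok=False)
    return result


def build_sample() -> bytes:
    """Constructed two-section PE32 image: 0x200 bytes of headers, .text at
    0x200 (0x400 bytes), .data at 0x600 (0x200 bytes); 0x800 bytes in all."""
    dos = bytearray(0x40)
    dos[:2] = MZ_SIG
    struct.pack_into("<HH", dos, 2, 0x90, 3)      # e_cblp, e_cp: MS linker constants
    struct.pack_into("<I", dos, 0x3C, 0x40)       # e_lfanew: PE header follows directly
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)         # PE32 magic
    struct.pack_into("<I", opt, 60, 0x200)        # SizeOfHeaders
    sections = b""
    for name, vsize, vaddr, rsize, rptr in ((b".text", 0x400, 0x1000, 0x400, 0x200),
                                            (b".data", 0x200, 0x2000, 0x200, 0x600)):
        sections += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rsize, rptr,
                                0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + PE_SIG + coff + bytes(opt) + sections).ljust(0x200, b"\0")
    return headers + b"\xCC" * 0x400 + b"\0" * 0x200


if __name__ == "__main__":
    full = build_sample()
    for label, blob in (("complete", full), ("cut at 1500", full[:1500]), ("cut at 1000", full[:1000])):
        print(label, check(blob))
```

Against the complete sample both checks pass; the copy cut at 1500 bytes still satisfies the MZ check (1168 bytes reported) while the PE check reports 2048 expected bytes and fails; only the copy cut at 1000 bytes fails both.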



Re: Dusty's EXEVALID utility fundamental flaw EXPOSED! *** WARNING: DO NOT USE THIS UTILITY! ***

"Ant" wrote:

[snip]

Correction:- I meant words (16 bit) not dwords (32 bit).



Re: Dusty's EXEVALID utility fundamental flaw EXPOSED! *** WARNING: DO NOT USE THIS UTILITY! ***


[snip]

Hmm?

[snip]

Oh?

[snip]

What disinformation?

[snip]

Yes it does.

[snip]

You're using 00 80 as a result of a bug I pointed out that ASIC has and are
attempting to mislead people due to my own disclosure of it.

[snip]

You don't understand what the purpose of the utility is.

[snip]

Proving me wrong? ASIC has a bug: you can force a normal ASIC integer to
hold -32768.

[snip]

If you hit 00 80, abs will not do its job; the number will remain
negative. This is corrected by the integer demonstration I provided you
early this morning. I've never actually seen 00 80 in the field, tho.

And like I told you last night/early this morning, it's okay for the
filesize on disk to be greater than the reported blocks, but not less.
In any other case, abs will do its job and report a positive number for
the rest of the routine. The *only* time it will fail to do so is if you
hit 00 80, as *I* previously explained and provided demonstration source
for causing. Thus, ABS is necessary and you broke the program by removing
it.

I haven't tried to discredit you or mislead anyone with anything concerning  
this. You've done just fine without my help there.

Most of ASIC's internal functions don't work when this happens, as I already
told you. This isn't a fundamental flaw in my program, tho, Pooh.

--  
Take it easy... Don't let the sound of your own wheels drive you crazy.  
Lighten up while you still can. Don't even try to understand.  
Just find a place to make your stand and take it easy!
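An added illustration of the signed-integer problem argued about in the post above. It is plain Python that emulates 16-bit two's-complement arithmetic; it is not ASIC code and not EXEVALID's source, and the MZ headers it examines are constructed inline. It shows the two cases the thread describes: a word of 0x8000 (00 80 on disk) reinterpreted as signed is -32768 and stays negative after a 16-bit abs(), because +32768 does not fit; any other high word comes back positive after abs(), but not as the original unsigned value, so a "disk size must not be less than the reported blocks" check built on it can pass for a file that is far too short. Keeping the words unsigned in a wider integer avoids both problems.

```python
"""Added example: unsigned MZ header words read into a signed 16-bit integer,
the situation the thread describes for ASIC.  Plain Python emulation; not
ASIC code and not EXEVALID's source.
"""
import struct


def to_int16(word: int) -> int:
    """Reinterpret a 16-bit word as a two's-complement signed integer."""
    word &= 0xFFFF
    return word - 0x10000 if word & 0x8000 else word


def abs16(v: int) -> int:
    """abs() as a 16-bit signed register computes it: the result wraps, so
    abs16(-32768) is still -32768 because +32768 does not fit in 16 bits."""
    return to_int16(-v if v < 0 else v)


def mz_words(header: bytes, signed: bool) -> tuple:
    """e_cblp (bytes in the last page) and e_cp (512-byte pages), offsets 2 and 4."""
    return struct.unpack_from("<hh" if signed else "<HH", header, 2)


def expected_bytes(e_cblp: int, e_cp: int) -> int:
    """File length the MZ header claims for the DOS image."""
    return e_cp * 512 if e_cblp == 0 else (e_cp - 1) * 512 + e_cblp


def size_check_signed_abs(data: bytes) -> bool:
    """The approach discussed in the thread: signed 16-bit words, abs() applied,
    then 'on-disk size may be larger than the reported blocks but not smaller'."""
    e_cblp, e_cp = (abs16(w) for w in mz_words(data, signed=True))
    return len(data) >= expected_bytes(e_cblp, e_cp)


def size_check_unsigned(data: bytes) -> bool:
    """Same rule with the words kept unsigned in a wider integer; no abs() needed."""
    e_cblp, e_cp = mz_words(data, signed=False)
    return len(data) >= expected_bytes(e_cblp, e_cp)


def make_header(e_cblp: int, e_cp: int, total_len: int) -> bytes:
    """Constructed MZ header padded to total_len bytes (not a real executable)."""
    buf = bytearray(total_len)
    buf[:2] = b"MZ"
    struct.pack_into("<HH", buf, 2, e_cblp, e_cp)
    return bytes(buf)


if __name__ == "__main__":
    cases = {
        "MS stub values (e_cblp=0x90, e_cp=3), 1168 bytes": make_header(0x90, 3, 1168),
        "e_cp=0x8000 (00 80), 4 KiB on disk":                make_header(0x90, 0x8000, 4096),
        "e_cp=0xFFFF, 4 KiB on disk":                        make_header(0x10, 0xFFFF, 4096),
    }
    for label, hdr in cases.items():
        print(f"{label}: unsigned={size_check_unsigned(hdr)} "
              f"signed+abs={size_check_signed_abs(hdr)}")
```

For the normal header both checks agree. For e_cp=0x8000 the unsigned reading demands 16 MiB and rejects the 4 KiB buffer, while the signed-plus-abs reading computes a negative expected size and accepts it. For e_cp=0xFFFF abs() yields +1 page, so the signed path again accepts a file the unsigned reading rejects.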


Re: Dusty's EXEVALID utility fundamental flaw EXPOSED! *** WARNING: DO NOT USE THIS UTILITY! ***


[snip]

See already posted source code that allows you to set an ASIC integer as
-32768 although you should not be able to do so, AND ASIC's internal commands
will not properly work when this happens. No lie, solid proof. Demo source
was already provided.

ABS is necessary because ASIC's integer range is signed whereas the data
from the EXE header is unsigned. Just like the timer.

[snip]

You are missing the point. It's not necessary for the blocks to match  
identical filesize on disk; The exe could have an overlay. Without ABS,  
there's a good possibility that the other calculations would read a  
negative number when they shouldn't. That's your fault, you removed abs.

[snip]

Excluding overlays, Pooh. The bytes we're examining in the MZ header aren't
associated with overlays.

[snip]

LOL, Nice try. Let's try to remain focused Pooh. :)
  



--  
Take it easy... Don't let the sound of your own wheels drive you crazy.  
Lighten up while you still can. Don't even try to understand.  
Just find a place to make your stand and take it easy!


Re: Dusty's EXEVALID utility fundamental flaw EXPOSED! *** WARNING: DO NOT USE THIS UTILITY! ***


[snip]

If you say so.

[snip]

Most typical malware is created from an HLL compiler/linker. In those
cases, the stub is usually present. You are correct tho, the stub isn't
required and Windows could care less about it, as it's looking for the PE
signature anyway. However, some programs could consider a file that has no
MZ stub to be odd from a heuristics POV.

[snip]

It will not actually pass in most cases. If a malware sample began a  
download and it was aborted, the executable won't be complete and EXEVALID  
will catch that, without reading anything about the PE header. In some  
cases, this malware sample can still run, but it's not actually complete  
according to the MZ header and isn't suitable for crc/hashing.

You're forgetting that the MZ stub does contain the correct amount of
blocks that the entire EXE file *should* be, which does include PE code at
that point, obviously. The MZ stub's block size isn't set up just for the
STUB. It doesn't consider the PE section to be an overlay.


OTH, the same malware sample can have the correct amount of blocks if  
completely downloaded. When pulling massive samples via urls with programs  
like getbot, you do run into issues where the server doesn't send you the  
whole file. EXEVALID can spot those for you.

  
[snip]

If I'm looking for an exact size and the MZ stub isn't present, sure.  
However, I'm just looking to make sure I have the same amount of bytes the  
block information reports that I should have. It's okay to have more, but  
not less.

EXEVALID isn't perfect. I could always clean the code up and fine tune it
and take the recommendations you've provided. You haven't said anything
wrong per se in your opinion; it's just overkill for EXEVALID's intended
purpose in this case.
  


--  
Take it easy... Don't let the sound of your own wheels drive you crazy.  
Lighten up while you still can. Don't even try to understand.  
Just find a place to make your stand and take it easy!


Re: Dusty's EXEVALID utility fundamental flaw EXPOSED! *** WARNING: DO NOT USE THIS UTILITY! ***


[snip]

Dustin, why don't you just clean up the code and take on board Ant's
helpful recommendations rather than try and counter all his points? He's
given you help... accept it!

--  
Jax    :)

Re: Dusty's EXEVALID utility fundamental flaw EXPOSED! *** WARNING: DO NOT USE THIS UTILITY! ***

127.0.0.1:

[snip Jax's stupid question that was answered in the last line of my post  
that he replied to]

Reading comprehension is your friend. You really do need to signup for  
classes, AND show up. Does the UK have free rides you can take advantage of?


  



--  
Take it easy... Don't let the sound of your own wheels drive you crazy.  
Lighten up while you still can. Don't even try to understand.  
Just find a place to make your stand and take it easy!


Re: Dusty's EXEVALID utility fundamental flaw EXPOSED! *** WARNING: DO NOT USE THIS UTILITY! ***

On Fri, 25 Apr 2014 17:16:56 +0000, Dustin wrote:

[snip]

Or at least it would be if the troll actually possessed it.

[snip]

The sooner, the better.

[snip]

Yeah. The short bus.

:-)


--  
None are so hopelessly enslaved, as those who falsely believe they  
are free. The truth has been kept from the depth of their minds by  
masters who rule them with lies.  
-Johann von Goethe  

Re: Dusty's EXEVALID utility fundamental flaw EXPOSED! *** WARNING: DO NOT USE THIS UTILITY! ***

"Dustin" wrote:

[snip]

No, not for Windows exes. All PE executables made by compilers from
Microsoft, for example, use the same MSDOS stub with the same size
regardless of the actual exe file size. Words 2 and 3 of the MZ
header are always the same with values of 0x90 and 3 respectively.
Similarly, Borland's are always consistent but with slightly different
values from MS.

[snip]

Only if the amount downloaded is less than a typically reported stub
program size (about 1.5 K).



Re: Dusty's EXEVALID utility fundamental flaw EXPOSED! *** WARNING: DO NOT USE THIS UTILITY! ***


[snip]

Ayep. Or, the program's MZ stub is reporting accurate data and isn't just  
preset. MS, Borland (mebbe watcom?) is. Unsure about tasm and various other  
executable writing apps.

I don't disagree that EXEVALID could be much more useful if additional
functionality was added. It served its intended purpose well for the time
tho.


--  
Take it easy... Don't let the sound of your own wheels drive you crazy.  
Lighten up while you still can. Don't even try to understand.  
Just find a place to make your stand and take it easy!


Re: Dusty's EXEVALID utility fundamental flaw EXPOSED! *** WARNING: DO NOT USE THIS UTILITY! ***

127.0.0.1:

[snip]

You're right, you aren't a tech... lol. if anyone thought you are.. well,  
they should know better now. [g]



--  
Take it easy... Don't let the sound of your own wheels drive you crazy.  
Lighten up while you still can. Don't even try to understand.  
Just find a place to make your stand and take it easy!


Re: Dusty's EXEVALID utility fundamental flaw EXPOSED! *** WARNING: DO NOT USE THIS UTILITY! ***


[snip]

Dustin I might actually be a tech who's just pretending not to be one.  
That should make you think! Just saying.    :)

--  
Jax  

Re: Dusty's EXEVALID utility fundamental flaw EXPOSED! *** WARNING: DO NOT USE THIS UTILITY! ***

127.0.0.1:

[snip]

Impossible. Your statement above leaves no doubt that you aren't a tech.  
"supposed to work in windows, but the info it calculates is only valid in  
DOS". Funny shit, tho. [g]

Also, the other discussions you've tried to engage in are telltales. The fact  
you have to ask other people for help and even resorted to having to ask  
another newsgroup outright, is another tell.

You wouldn't make a very good poker player.


--  
Take it easy... Don't let the sound of your own wheels drive you crazy.  
Lighten up while you still can. Don't even try to understand.  
Just find a place to make your stand and take it easy!

