
Microsoft's "Rich Signature"


Lashiec:
Did someone there get some insight about what is contained in the signature? Personal information about the owner of the computer on which the program was compiled, or what? And hidden underneath which scheme?

Mmmm, the page is not working at the moment :(

mouser:
Someone make a utility that lets us swap our info for that of Bill Gates.

Ehtyar:
Someone make a utility that lets us swap our info for that of Bill Gates.
-mouser (January 23, 2008, 02:20 PM)
--- End quote ---
Well the rich signature shown in the image in my first post is from cl.exe, so perhaps just substitute your rich signature for the one found there. Make their head spin a little if they ever wanted to know who made it.
Did someone there get some insight about what is contained in the signature? Personal information about the owner of the computer on which the program was compiled, or what? And hidden underneath which scheme?

Mmmm, the page is not working at the moment :(
-Lashiec (January 23, 2008, 01:54 PM)
--- End quote ---
This was actually mostly what I was looking for. As much as I would like to say I'm an uber reverse engineer, my skills are nowhere near that level. I have picked up hints that the information is hardware-related, so things like MAC address, OS serial number, CPUID etc. are likely candidates, and the information is then encrypted with, of all things, XOR. This information could be discerned by REing link.exe, but as I said, I'm just not that good.
The topic appeared several years ago at the ASM Community, dunno if it's possible to dig up the stuff (should be easier after we installed Wordzilla's search mod :)); one of the members IIRC reverse-engineered link.exe enough to prevent generation of the information.

I started work on a little tool to nuke the information post-link time, but never really finished it (as in, it nuked a hardcoded amount of bytes at a hardcoded file offset, so it won't work for all EXEs).

-f0dder (January 23, 2008, 05:07 AM)
--- End quote ---
Indeed. I have already found instructions on preventing generation of the signature, at the location mentioned in my last post (Google for "disable rich signature"), but as I said earlier, my question is simply related more to knowing more about the signature itself, and what it contains and/or is used for.
Thanks for your posts guys, this is getting interesting :)

Ehtyar.

f0dder:
IIRC the post at the asmcommunity did contain a bit of information on what's contained, but it was quite some years ago :)

Lashiec:
I've put some of my Google-fu to work, and unearthed various sites. First, a post in the EXETOOLS forum, with the tool used to strip the RICH information from the executables. It seems the original information about the signature was posted at wasm.ru, but of course, it's in Russian. The first post there includes some file, and the tool comes with a machine-translated version (Russian -> English) of the original RTF file that came with the tool.

Second, in the documentation of a library used to play music in XM format, and co-authored by the same guy (at least with the same screen name) of the above tool, I found this:

There's another MS linker-specific known issue. link.exe attaches some unnecessary data between the DOS stub and the beginning of the PE header. It's easy to spot the dead weight in a hex editor - it begins with a magic word 'Rich'. The encoded machine compid follows the magic word. If you don't want your executables being signed this way or just don't like to spend some extra bytes (actually, it's half a Kb!) on the signature, there's a couple of workarounds available. First, you can switch to another linker. Or you can search the web to find an article on patching link.exe. Psst! It's written in Russian and available somewhere at wasm.ru.

--- End quote ---

Finally, in another forum, an attachment (do not worry, it's a pure text file), the most interesting document, and one that throws quite some light on what the purpose of the RICH section is. Still, it does not clarify what exactly is stored there, only makes some suppositions.
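A small decoder for the block the quoted note describes (the XOR-obscured data link.exe places between the DOS stub and the PE header), added here as an example and not code from this thread or from any of the tools it mentions. It assumes the layout as documented since for this header: an XOR-encoded "DanS" marker and three padding DWORDs, then encoded (compid, count) pairs, then the clear-text "Rich" marker followed by the XOR key; the sample image is constructed inline rather than taken from a real file.

```python
import struct

RICH_MAGIC = b"Rich"
DANS_MAGIC = 0x536E6144  # "DanS" read as a little-endian DWORD


def parse_rich_header(data: bytes):
    """Decode the Rich header from the start of a PE image.

    Returns (key, entries), entries being (product_id, build, use_count)
    tuples, or None when no well-formed header is present.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    region = data[0x40:e_lfanew]          # between DOS stub and PE header
    rich_off = region.rfind(RICH_MAGIC)
    if rich_off < 0 or rich_off + 8 > len(region):
        return None
    key = struct.unpack_from("<I", region, rich_off + 4)[0]  # clear-text key
    dwords, pos = [], rich_off - 4
    while pos >= 0:                       # walk back, decoding until "DanS"
        value = struct.unpack_from("<I", region, pos)[0] ^ key
        if value == DANS_MAGIC:
            break
        dwords.append(value)
        pos -= 4
    else:
        return None                       # no DanS marker: not a Rich header
    dwords.reverse()
    # Three padding DWORDs (zero before encoding) precede the compid pairs.
    if len(dwords) < 3 or any(dwords[:3]) or (len(dwords) - 3) % 2:
        return None
    entries = []
    for i in range(3, len(dwords), 2):
        compid, count = dwords[i], dwords[i + 1]
        entries.append((compid >> 16, compid & 0xFFFF, count))
    return key, entries


def build_sample(key, entries):
    """Constructed image: MZ header, Rich header, then the 'PE\\0\\0' signature."""
    body = [DANS_MAGIC ^ key, key, key, key]   # DanS plus three zero pads, encoded
    for prod, build, count in entries:
        body += [((prod << 16) | build) ^ key, count ^ key]
    rich = struct.pack("<%dI" % len(body), *body) + RICH_MAGIC + struct.pack("<I", key)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40 + len(rich))  # e_lfanew
    return bytes(dos) + rich + b"PE\0\0"
```

The decoded product/build pairs are what analysts compare across samples when attributing a toolchain, which is why defenders care about this block even though the linker never documented it.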
