

Microsoft's "Rich Signature"


Ehtyar:
Wow, I seem to be neglecting to mention pieces of information I've already found. Asterix's removal tool no longer works as the bytes that require patching have changed (a different register is used in the targeted piece of code) as of vc 05, but thank you for the link. Naturally woodmann is being a b**ch to me, so I will have to wait to pass judgment on the attachment, but I'm salivating right now.

Ehtyar.

Lashiec:
Interesting, I've seen that the English version of the second link does not include some information that is present in the Spanish one. Now which is the original version (English, Spanish or Russian?), which is correctly translated and which one is (maybe) omitting or adding original research? Hmmmm.... Anyway, the original Spanish text, for native speakers or advanced students :)

--- Quote ---

There is another interesting matter related to the MS linker. link.exe inserts certain unnecessary information between the DOS stub and the start of the PE header. It is easy to locate this data in a hex editor, because it begins with the word 'Rich'. Right after this word is the encoded compid of your PC. If you do not want your applications signed in this way, or simply prefer not to spend a few extra bytes (in fact, half a Kb!) on the signature, there are 2 ways to avoid it. First, you can change linker. Alternatively, you can search the Web for an article on how to modify link.exe. By the way, the Russian article can be found at wasm.ru.

--- End quote ---

And my English translation (I'll try my best):

--- Quote ---

There's another interesting issue related to Microsoft's linker. link.exe inserts certain useless information between the DOS stub and the beginning of the PE header. It's easy to locate this data using a hex editor, as it starts with the word 'Rich'. After this word, you can find the encoded compid of your PC. If you don't want your applications to be signed in such a way or simply prefer not to waste a few more bytes (actually, half a KB!) on the signature, there are 2 ways to avoid this. First, you can use another linker. As an alternative, you can search the Web for an article that explains how to modify link.exe. By the way, the article in Russian can be found at wasm.ru.

--- End quote ---

Ehtyar:
Well, after discovering that Verizon is the b**ch and not woodmann, I wget'd the attachment off my site shell and did some very interesting reading. Contrary to my assumptions "compid" is compiler ID, or version number. It would seem that the rich signature contains relatively benign information compared to what I first suspected. For those who wish to read further into it, I have attached the woodmann attachment to this post, and if I in future decide to pack my linkers (I have 6,7,8 and 9) I will be sure to post the details for everyone.

Ehtyar.
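As an added example (not code from this thread or from any tool the posters mention), a small Python parser for the signature Lashiec's quote and Ehtyar's reply describe: it locates the 'Rich' marker between the DOS stub and e_lfanew, recovers the XOR key stored right after it, and decodes the compid/count pairs, which is what PE forensics tooling does to fingerprint the toolchain that built a sample. The layout details beyond what the thread states (the 'DanS' start marker, the XOR key, the product-id/build split of each compid) are the documented format; the image bytes, key and compid values below are constructed, not taken from a real binary.

```python
import struct

DANS = struct.unpack('<I', b'DanS')[0]

def build_rich_header(entries, key):
    """Constructed sample (not a real linker output): lay out the Rich header
    as link.exe does: 'DanS' and three zero dwords XORed with the key, then
    each (compid, count) pair XORed, then the plaintext 'Rich' marker and key."""
    words = [DANS ^ key, key, key, key]
    for compid, count in entries:
        words += [compid ^ key, count ^ key]
    return b''.join(struct.pack('<I', w) for w in words) + b'Rich' + struct.pack('<I', key)

def sample_image(entries, key=0x9F6E0D47):
    """Constructed minimal image: DOS header, DOS stub, Rich header, then 'PE\\0\\0'."""
    stub = b'This program cannot be run in DOS mode.\r\n$'
    stub += b'\0' * (-len(stub) % 16)
    rich = build_rich_header(entries, key)
    e_lfanew = 0x40 + len(stub) + len(rich)          # offset of the PE signature
    dos = b'MZ' + b'\0' * 0x3A + struct.pack('<I', e_lfanew)
    return dos + stub + rich + b'PE\0\0'

def parse_rich_header(data):
    """Return (key, [(product_id, build, count), ...]) or None if no Rich header.
    Only the region before e_lfanew is searched, matching where link.exe puts it."""
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    region = data[:e_lfanew]
    end = region.rfind(b'Rich')
    if end < 0 or end + 8 > len(region):
        return None
    key = struct.unpack_from('<I', region, end + 4)[0]   # plaintext key follows 'Rich'
    start = region.rfind(struct.pack('<I', DANS ^ key), 0, end)
    if start < 0 or (end - start) % 8 != 0:
        return None                                       # no 'DanS' or misaligned pairs
    words = struct.unpack_from('<%dI' % ((end - start) // 4), region, start)
    entries = []
    for compid, count in zip(words[4::2], words[5::2]):   # skip DanS + 3 padding dwords
        compid ^= key
        count ^= key
        entries.append((compid >> 16, compid & 0xFFFF, count))  # (product id, build, count)
    return key, entries

if __name__ == '__main__':
    image = sample_image([(0x00930000 | 0x7809, 5), (0x00AA0000 | 0x7809, 1)])
    key, entries = parse_rich_header(image)
    print('key=0x%08X' % key)
    for product_id, build, count in entries:
        print('product=0x%04X build=%d objects=%d' % (product_id, build, count))
```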

f0dder:
This goes back to 2003/2004. Unfortunately "lingo" edited out the post where he described the whole thing >_<, and I don't know if anybody has that old backups of the forum. A shame, really.

http://www.asmcommunity.net/board/index.php?topic=11182.0
http://www.asmcommunity.net/board/index.php?topic=14699.0

Ehtyar:
Well thank you for trying f0dder, I don't suppose spook keeps backups from that long ago eh?  8)

Ehtyar.
