
  
   PESum v0.01  Updates the Checksum of a PE file (c) [eGIS!/CORE '98]
   Registered to: Public Domain.                   All rights reserved.
  

                                Document
                                   by
                              [eGIS!/CORE]

   1. Introduction
   ---------------
   It seems that some very good coders have begun to write PE encryptors
   and compressors, and lots of them have succeeded in writing their
   own. But sometimes when we run the encrypted/compressed EXEs, a
   virus monitor alerts us that the files have been infected.

   Why? It is generally because the PE file checksum has changed
   during the encryption or compression process, but the author of
   the encryptor/compressor forgot to update that value in the header.
   Windows 9x will ignore that value. But Windows NT will not, and
   some anti-virus programs will not.


   2. What is PESum?
   -----------------
   PESum will check if a PE file has a correct checksum in its header.
   If it does not, PESum will compute the checksum and update the PE
   file.


   3. How to use?
   --------------
   PESum is easy to use. If you want to check a PE named BLA.EXE, just
   type:

         PESUM BLA.EXE

   and PESum will do the rest.


   4. Update or not?
   -----------------
   PESum will always update the checksum if it finds that a PE file does
   not have the correct value. That will not do any harm to the EXE.


   5. Known buggy encryptors/compressors
   -------------------------------------

   PETite Version 1.00, 1.01, 1.02 by Ian Luck
   PE-Pack Version 0.99 by ANAKiN
   PEShield 0.1, 0.2a~0.2d by ANAKiN
   WWPack32 1.00, 1.01, 1.10, 1.11 by R.W. & P.W.
   PE-Crypt32 1.00, 1.01, 1.02 by Random, ACP & Killa
   BJFnt 1.1, 1.2, 1.3, 1.4 by MARQUIS
   STONE's encryptor 1.13 by STONE

   Only PELockNT does not have this problem.


   6. Known anti-virus programs which report this error
   ----------------------------------------------------
   AVP Version 3.0 will report this error. I have not found any other
   AV programs that report it, including NAV 5.0.1.

   BTW: I strongly recommend you not to use AVP. AVP Monitor conflicts
   with a lot of utilities, e.g. Norton SpeedStart, which boosts the
   startup time of a program up to 300%. AVP Monitor also slows down
   your Windows 9x. I personally use Norton AntiVirus 5; it simply
   rules. Maybe you are using TBAV or F-PROT; if the same error occurs,
   please tell me.
   
   7. How to contact me
   --------------------
   You can contact me by:
   
   E-Mail:      egis@163.net
   IRC   :      egis in EFNet, channel #cracking
   
   If you find bugs, please feel free to contact me.


   8. Greetings
   ------------

   All CORE members esp. katie, DrRhui, pSI and SiraX

   All PCE members

   mARQUIS, random, ANAKiN, acpizer, G-ROM & STONE for your hard work
   on PE file exploring

   dEVIL: you introduced me to UCF   :)

   djHD, Dr. Arab, Prophecy, llLibRa


   9. Technical Notes
   ------------------
   This little program only uses the MapFileAndCheckSum function to get
   the correct checksum and writes it back to the original EXE file. In
   order to use this API function, you must include IMAGEHLP.H and link
   IMAGEHLP.LIB in your project.
   
   API details:
   
   MapFileAndCheckSum(
       BYTE* szName,
       DWORD* dwHeaderSum,
       DWORD* dwCheckSum )
       
   szName: file name specification, length up to 260 characters (Win95)
   dwHeaderSum: variable that receives the checksum currently stored in
                the header
   dwCheckSum: variable that receives the computed (correct) checksum

   These are the structures of the PE file header.
   
[PEHEADER.H]
------------
typedef unsigned char  BYTE;
typedef unsigned short WORD;	/* 16 bits; unsigned int would be 32 bits on Win32 */
typedef unsigned long  DWORD;	/* 32 bits on Win32 */

typedef struct {
	DWORD	PESign;
	WORD	Machine;
	WORD	NumofSections;
	DWORD	TimeStamp;
	DWORD	PointerToSymbolTable;
	DWORD	NumofSymbols;
	WORD	SizeofOptionalHeader;
	WORD	Characteristics;
} PEHeader;

typedef struct {
	WORD	Magic;
	BYTE	MajorLinkerVer;
	BYTE	MinorLinkerVer;
	DWORD	SizeofCode;
	DWORD	SizeofIData;
	DWORD	SizeofUIData;
	DWORD	AddressofEntryPointer;
	DWORD	BaseofCode;
	DWORD	BaseofData;
	DWORD	ImageBase;
	DWORD	SectionAlignment;
	DWORD	FileAlignment;
	WORD	MajorOSVer;
	WORD	MinorOSVer;
	WORD	MajorImageVer;
	WORD	MinorImageVer;
	WORD	MajorSubSysVer;
	WORD	MinorSubSysVer;
	DWORD	Reserved;
	DWORD	SizeofImages;
	DWORD	SizeofHeaders;
	DWORD	CheckSum;
	WORD	SubSys;
	WORD	DLLChars;
	DWORD	SizeofStackReserve;
	DWORD	SizeofStackCommit;
	DWORD	SizeofHeapReserve;
	DWORD	SizeofHeapCommit;
	DWORD	LoaderFlags;
	DWORD	NumofRVAAndSizes;
} PEOptionalHeader;

typedef struct {
	BYTE	szObjName[ 8 ];
	DWORD	VirtualSize;
	DWORD	RVA;
	DWORD	PhysicalSize;
	DWORD	Offset;
	DWORD	Reserved[ 3 ];
	DWORD	Flags;
} ObjectHeader;
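
Added example (not part of PESum or the original document): a portable C check that recomputes the checksum with the commonly documented 16-bit word-sum algorithm and compares it with the CheckSum field of PEOptionalHeader above, so a stale value can be spotted without IMAGEHLP. That the result equals what MapFileAndCheckSum returns is an assumption to confirm on Windows; the function names and the 256-byte sample are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Little-endian reads, independent of host alignment and byte order. */
static uint32_t rd16(const uint8_t *p) { return p[0] | ((uint32_t)p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (rd16(p + 2) << 16); }

/* File offset of the CheckSum field, or 0 if the buffer is not a usable PE:
   e_lfanew (at 0x3C) + "PE\0\0" (4) + PEHeader (20) + 64 into PEOptionalHeader. */
size_t pe_checksum_offset(const uint8_t *img, size_t len) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return 0;
    size_t pe = rd32(img + 0x3C);
    if ((pe & 3) || pe > len || len - pe < 4 + 20 + 68) return 0; /* aligned, in bounds */
    return memcmp(img + pe, "PE\0\0", 4) == 0 ? pe + 4 + 20 + 64 : 0;
}

/* 16-bit word sum with end-around carry, CheckSum field counted as zero,
   plus the file length. */
uint32_t pe_compute_checksum(const uint8_t *img, size_t len, size_t off) {
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i += 2) {
        if (i == off || i == off + 2) continue;          /* skip the field itself */
        sum += (i + 1 < len) ? rd16(img + i) : img[i];   /* odd tail byte, zero-padded */
        sum = (sum & 0xFFFF) + (sum >> 16);
    }
    return sum + (uint32_t)len;
}

/* 1 = stored value matches, 0 = stale or zero checksum, -1 = not a PE. */
int pe_checksum_ok(const uint8_t *img, size_t len) {
    size_t off = pe_checksum_offset(img, len);
    return off ? (rd32(img + off) == pe_compute_checksum(img, len, off)) : -1;
}

/* Constructed 256-byte sample, not a real program; `stored` goes in CheckSum (0xD8). */
static uint8_t sample[256];
size_t make_sample(uint32_t stored) {
    memset(sample, 0, sizeof sample);
    memcpy(sample, "MZ", 2);
    sample[0x3C] = 0x80;                                 /* e_lfanew */
    memcpy(sample + 0x80, "PE\0\0", 4);
    for (int i = 0; i < 4; i++) sample[0xD8 + i] = (uint8_t)(stored >> (8 * i));
    return pe_checksum_offset(sample, sizeof sample);
}

int main(void) {
    make_sample(0);                                      /* stale (zero) checksum field */
    printf("ok=%d\n", pe_checksum_ok(sample, sizeof sample));
    return 0;
}
```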
