
  
   PESum v0.02  Updates the Checksum of a PE file (c) [eGIS!/CORE '98]
   Registered to: Public Domain.                   All rights reserved.
  

                                Document
                                   by
                              [eGIS!/CORE]

   1. Introduction
   ---------------
   It seems that some very good coders have begun to write PE encryptors
   and compressors, and many of them have successfully written their own.
   But sometimes when we run the encrypted/compressed EXEs, a virus
   monitor alerts us that the files have been infected.

   Why? Generally because the checksum in the PE header no longer matches
   the file after the encryption or compression process, and the author
   of the encryptor/compressor forgot to update that value. Windows 9x
   ignores the checksum. Windows NT does not, at least for kernel-mode
   drivers and the system files it loads at boot, and neither do some
   anti-virus programs.


   2. What is PESum?
   -----------------
   PESum checks whether a PE file has the correct checksum in its header.
   If it does not, PESum computes the correct checksum and writes it back
   into the PE file.


   3. How to use?
   --------------
   PESum is easy to use. If you want to check a PE named BLA.EXE, just
   type:

         PESUM BLA.EXE

   and PESum will do the rest.

   If you want PESum to dump the header information, you can add a
   parameter /d:

        PESUM BLA.EXE /d

   If you only want PESum to check the checksum without writing to the
   file, add the parameter /q:

        PESUM BLA.EXE /q

   The parameters can be combined:

        PESUM BLA.EXE /d /q


   4. Update or not?
   -----------------
   PESum will always update the checksum if it finds that a PE does not
   have the correct value. Updating only overwrites the CheckSum DWORD in
   the optional header; no code or data is touched, so a normal EXE is
   not harmed.

   Some newer encryptors/compressors check whether the EXE has been
   modified and refuse to run if that self-check fails. For such files
   use the /q option, which reports the mismatch without writing to the
   file.

   If you have ever modified Windows NT kernel files, you will find PESum
   very useful: once a NT kernel file has been modified, Windows NT
   refuses to load it and reports a critical error until the checksum is
   corrected.


   5. Known buggy encryptors/compressors
   -------------------------------------

   PETite Version 1.00, 1.01, 1.02, 1.03* by Ian Luck
   PE-Pack Version 0.99 by ANAKiN
   PEShield 0.1, 0.2a~0.2d by ANAKiN
   WWPack32 1.00, 1.01, 1.10, 1.11, 1.12a by R.W. & P.W.
   Shrinker 3.0, 3.1, 3.2, 3.3 by Blink Inc.
   PE-Crypt32 1.00, 1.01, 1.02 by Random, ACP & Killa
   BJFnt 1.1, 1.2, 1.3, 1.4 by MARQUIS
   STONE's encryptor 1.13 by STONE

   Only PELockNT does not have this problem.

   * means the program has self-check code, that is to say, if it finds
     itself modified it refuses to run.


   6. Known anti-virus programs which report this error
   ----------------------------------------------------
   AVP version 3.0 reports this error. I have not found any other AV
   program that reports it, including NAV 5.0.1.

   BTW: I strongly recommend that you do not use AVP. AVP Monitor
   conflicts with a lot of utilities, e.g. Norton SpeedStart, which
   speeds up program startup by up to 300%. AVP Monitor slows down your
   Windows 9x. I personally use Norton AntiVirus 5; it simply rules.
   Maybe you are using TBAV or F-PROT; if the same error occurs, please
   tell me.


   7. How to contact me
   --------------------
   You can contact me by:

   E-Mail:      egis@163.net
   IRC   :      egis in EFNet, channel #cracking

   If you find bugs, please feel free to contact me.


   8. Greetings
   ------------

   All CORE members esp. katie, DrRhui, pSI, atti2d and SiraX

   All PCE members

   mARQUIS, random, ANAKiN, acpizer, G-ROM & STONE for your hard work
   on PE file exploring

   dEVIL: you introduced me to UCF   :)

   djHD, Dr. Arab, Prophecy, llLibRa


   9. History
   ----------

   * Version 0.02:
     + added /d, /q parameters
     ! maybe the last version      :-)

   * Version 0.01:
     + history began


   A. Technique Notes
   ------------------
   PESum v0.02 is written and compiled with Visual C++ 6.0 SP1.

   This little program only uses the MapFileAndCheckSum function to get
   the correct checksum, then writes that value back into the original
   EXE file. To use this API function, include IMAGEHLP.H and link
   IMAGEHLP.LIB into your project (the function lives in IMAGEHLP.DLL).

   API details (IMAGEHLP.H):

   DWORD MapFileAndCheckSum(
       PCSTR  Filename,
       PDWORD HeaderSum,
       PDWORD CheckSum )

   Filename:  path of the file to check, up to MAX_PATH (260) characters
   HeaderSum: receives the checksum currently stored in the PE header
              (OptionalHeader.CheckSum)
   CheckSum:  receives the correct checksum computed over the whole file

   The function returns CHECKSUM_SUCCESS (0) when both values are valid.
   CHECKSUM_OPEN_FAILURE, CHECKSUM_MAP_FAILURE, CHECKSUM_MAPVIEW_FAILURE
   and CHECKSUM_UNICODE_FAILURE mean the file could not be opened or
   mapped, and the output values must not be used. It only computes the
   values and never modifies the file: PESum compares the two DWORDs and,
   when they differ, writes CheckSum into the header's CheckSum field
   itself (unless /q is given).

   These are the PE file header structures from PEHEADER.H. The field
   names differ from WINNT.H; the comments give the standard names. Note
   the sizes: WORD must be 16 bits and DWORD 32 bits, so under 32-bit
   Visual C++ WORD is unsigned short (an unsigned int WORD would be 32
   bits and misplace every field after Machine).

[PEHEADER.H]
------------
typedef unsigned char  BYTE;	/* 8 bits  */
typedef unsigned short WORD;	/* 16 bits */
typedef unsigned long  DWORD;	/* 32 bits (Win32) */

/* IMAGE_NT_HEADERS up to and including the COFF file header */
typedef struct {
	DWORD	PESign;			/* Signature: "PE\0\0" (0x00004550) */
	WORD	Machine;		/* 0x014C = i386 */
	WORD	NumofSections;
	DWORD	TimeStamp;
	DWORD	PointerToSymbolTable;
	DWORD	NumofSymbols;
	WORD	SizeofOptionalHeader;
	WORD	Characteristics;
} PEHeader;

/* IMAGE_OPTIONAL_HEADER32 (Magic 0x010B); the data directories follow
   NumofRVAAndSizes and are not declared here */
typedef struct {
	WORD	Magic;
	BYTE	MajorLinkerVer;
	BYTE	MinorLinkerVer;
	DWORD	SizeofCode;
	DWORD	SizeofIData;		/* SizeOfInitializedData */
	DWORD	SizeofUIData;		/* SizeOfUninitializedData */
	DWORD	AddressofEntryPointer;	/* AddressOfEntryPoint (RVA) */
	DWORD	BaseofCode;
	DWORD	BaseofData;
	DWORD	ImageBase;
	DWORD	SectionAlignment;
	DWORD	FileAlignment;
	WORD	MajorOSVer;
	WORD	MinorOSVer;
	WORD	MajorImageVer;
	WORD	MinorImageVer;
	WORD	MajorSubSysVer;
	WORD	MinorSubSysVer;
	DWORD	Reserved;		/* Win32VersionValue, must be 0 */
	DWORD	SizeofImages;		/* SizeOfImage */
	DWORD	SizeofHeaders;
	DWORD	CheckSum;		/* offset 64 in the optional header: the value PESum updates */
	WORD	SubSys;			/* Subsystem */
	WORD	DLLChars;		/* DllCharacteristics */
	DWORD	SizeofStackReserve;
	DWORD	SizeofStackCommit;
	DWORD	SizeofHeapReserve;
	DWORD	SizeofHeapCommit;
	DWORD	LoaderFlags;
	DWORD	NumofRVAAndSizes;	/* NumberOfRvaAndSizes, normally 16 */
} PEOptionalHeader;

/* IMAGE_SECTION_HEADER, 40 bytes, one per section after the optional header */
typedef struct {
	BYTE	szObjName[ 8 ];		/* Name, not necessarily NUL-terminated */
	DWORD	VirtualSize;
	DWORD	RVA;			/* VirtualAddress */
	DWORD	PhysicalSize;		/* SizeOfRawData */
	DWORD	Offset;			/* PointerToRawData */
	DWORD	Reserved[ 3 ];		/* PointerToRelocations, PointerToLinenumbers,
					   NumberOfRelocations + NumberOfLinenumbers */
	DWORD	Flags;			/* Characteristics */
} ObjectHeader;
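   The following is an added example and is neither PESum's source nor
   code from IMAGEHLP: it reimplements in plain C what MapFileAndCheckSum
   computes and what PESum does with the result, so the technique can be
   run and checked on any platform. The checksum algorithm is the one
   imagehlp uses (a 16-bit one's-complement sum over the whole file with
   the 4-byte CheckSum field skipped, carry folded, plus the file length),
   and the header walk uses only the fields described above (e_lfanew,
   the "PE\0\0" signature, SizeofOptionalHeader, CheckSum at offset 64 of
   the optional header). The function names pe_checksum,
   pe_checksum_field_offset, pe_map_and_checksum, pe_fix_checksum and
   build_sample_pe, and the minimal PE32 image the last one constructs
   (enough header for the checksum, not a runnable program), are this
   example's own.

```c
/* Added example, not PESum's source and not imagehlp: the PE header checksum in plain C,
 * so it builds anywhere. Sample image below is constructed (minimal PE32, CheckSum = 0). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SAMPLE_LEN 368

static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr16(uint8_t *p, uint32_t v) { p[0] = v & 0xFF; p[1] = (v >> 8) & 0xFF; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, v & 0xFFFF); wr16(p + 2, v >> 16); }

/* The sum Windows uses: 16-bit one's-complement sum over the whole file with the 4-byte
 * CheckSum field skipped, carry folded, plus the file length. checksum_off must be even;
 * every linker-produced PE places the NT headers at a 4-byte aligned e_lfanew. */
uint32_t pe_checksum(const uint8_t *data, size_t len, size_t checksum_off)
{
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i += 2) {
        if (i >= checksum_off && i < checksum_off + 4) continue;
        uint32_t word = data[i];
        if (i + 1 < len) word |= (uint32_t)data[i + 1] << 8;  /* odd length: pad with 0 */
        sum += word;
        sum = (sum & 0xFFFF) + (sum >> 16);                    /* end-around carry */
    }
    sum = (sum & 0xFFFF) + (sum >> 16);
    return sum + (uint32_t)len;
}

/* File offset of OptionalHeader.CheckSum (offset 64 in PE32 and PE32+); 0 if not a PE. */
size_t pe_checksum_field_offset(const uint8_t *data, size_t len)
{
    if (len < 0x40 || data[0] != 'M' || data[1] != 'Z') return 0;
    uint64_t e_lfanew = rd32(data + 0x3C);
    if (e_lfanew % 2 || e_lfanew + 24 > len || memcmp(data + e_lfanew, "PE\0\0", 4)) return 0;
    uint32_t opt_size = data[e_lfanew + 20] | data[e_lfanew + 21] << 8; /* SizeOfOptionalHeader */
    size_t off = (size_t)e_lfanew + 4 + 20 + 64;  /* signature + COFF header + field offset */
    return (opt_size < 68 || off + 4 > len) ? 0 : off;
}

/* Same contract as MapFileAndCheckSum: stored and computed value; 0 = OK, -1 = not a PE. */
int pe_map_and_checksum(const uint8_t *data, size_t len, uint32_t *header_sum, uint32_t *check_sum)
{
    size_t off = pe_checksum_field_offset(data, len);
    if (!off) return -1;
    *header_sum = rd32(data + off);
    *check_sum = pe_checksum(data, len, off);
    return 0;
}

/* What PESum does with the two values: 1 = patched, 0 = already correct, -1 = not a PE. */
int pe_fix_checksum(uint8_t *data, size_t len)
{
    uint32_t header_sum, check_sum;
    if (pe_map_and_checksum(data, len, &header_sum, &check_sum)) return -1;
    if (header_sum == check_sum) return 0;
    wr32(data + pe_checksum_field_offset(data, len), check_sum);
    return 1;
}

/* Constructed sample: DOS stub, "PE\0\0", COFF header, PE32 optional header, one .text
 * section holding "mov eax,42 ; ret". Returns the image length. */
size_t build_sample_pe(uint8_t *b)
{
    uint8_t *o = b + 0x58, *s = b + 0x138;                   /* optional header, section header */
    memset(b, 0, SAMPLE_LEN);
    b[0] = 'M'; b[1] = 'Z'; wr32(b + 0x3C, 0x40); memcpy(b + 0x40, "PE\0\0", 4);
    wr16(b + 0x44, 0x014C); wr16(b + 0x46, 1);               /* i386, one section */
    wr16(b + 0x54, 0xE0); wr16(b + 0x56, 0x0102);            /* SizeOfOptionalHeader, EXE|32BIT */
    wr16(o, 0x010B); o[2] = 6; wr32(o + 4, 0x10);            /* PE32 magic, linker 6.0, SizeOfCode */
    wr32(o + 16, 0x1000); wr32(o + 20, 0x1000); wr32(o + 24, 0x2000); wr32(o + 28, 0x00400000);
    wr32(o + 32, 0x1000); wr32(o + 36, 0x200); wr16(o + 40, 4); wr16(o + 48, 4);
    wr32(o + 56, 0x2000); wr32(o + 60, 0x200); wr16(o + 68, 3); /* SizeOfImage, SizeOfHeaders, CUI */
    wr32(o + 72, 0x100000); wr32(o + 76, 0x1000); wr32(o + 80, 0x100000); wr32(o + 84, 0x1000);
    wr32(o + 92, 16);                                        /* NumberOfRvaAndSizes */
    memcpy(s, ".text", 5); wr32(s + 8, 0x10); wr32(s + 12, 0x1000);
    wr32(s + 16, 0x10); wr32(s + 20, 0x160); wr32(s + 36, 0x60000020);
    memcpy(b + 0x160, "\xB8\x2A\x00\x00\x00\xC3", 6);
    return SAMPLE_LEN;
}

/* ./pesum FILE.EXE checks and repairs FILE in place like PESUM BLA.EXE; no argument = sample. */
int main(int argc, char **argv)
{
    uint8_t sample[SAMPLE_LEN], *data = sample;
    size_t len = build_sample_pe(sample);
    uint32_t hs, cs; FILE *f = NULL;
    if (argc > 1) {
        if (!(f = fopen(argv[1], "r+b"))) { perror(argv[1]); return 1; }
        fseek(f, 0, SEEK_END); len = (size_t)ftell(f); rewind(f);
        if (!(data = malloc(len)) || fread(data, 1, len, f) != len) { perror("read"); return 1; }
    }
    if (pe_map_and_checksum(data, len, &hs, &cs)) { fprintf(stderr, "not a PE file\n"); return 1; }
    int r = pe_fix_checksum(data, len);
    printf("header checksum %08X, correct checksum %08X: %s\n", (unsigned)hs, (unsigned)cs, r ? "updated" : "already correct");
    if (f) { if (r) { rewind(f); fwrite(data, 1, len, f); } fclose(f); }
    return 0;
}
```

   Build it with any C compiler (cc -o pesum pesum.c). Run without
   arguments it checks and repairs the constructed sample; with a file
   name it does what PESUM BLA.EXE does, writing the file only when the
   stored value is wrong. The /q behaviour is pe_map_and_checksum alone,
   comparing the two values without touching the file, which is what you
   want for a packer with a self-check. Because the skipped region is the
   CheckSum field itself, writing the correct value never changes the
   result, so a second run reports "already correct".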
