Main » 2011 » Март » 16 » Removing a digital signature pefile
10:49
Removing a digital signature pefile
Signature PE-files (exe, dll, sys, etc.) used in most cases the utility signtool.exe, but what utility to use if the digital signature should be removed from the file? A utility such officially not. You can only sign or re-sign (put my name on top of existing one), but not removed. How can that be when I've found to correct in Hex or PE-editor and do not want to leave the file with deliberately damaged a digital signature?

What does it do

  • If you need to sign a document, such as fix a few bugs or localize. After any change of the digital signature file is damaged and void, so it is best to remove it altogether than to leave that way.
  • To learn more about the mechanism of signature files, and understand his work.
The article describes how to manually remove the digital signature, simple enough that it could understand anyone who at least once in their lives using Hex-editor.

Tools


For work, we need the following tools:
1. Hex-editor. I prefer WinHex.
2. Utility to fix the checksum PE-file ModifyPE.
3. Hex calculator is in the system.

Example


For example, we will remove the digital signature from the distribution wonderful open and free software to encrypt the disk partitions DiskCryptor (an object is selected randomly). This example, incidentally, will be seen that the removal of a digital signature does not affect the efficiency of PE-files.

Open dcrypt_setup.exe a Hex-editor and look for the 4-byte sequence 50450000h (the text is seen as a PE followed by two null bytes). This signature identifies the file as a PE-file format and comes right after the title MS-DOS. In this case, the beginning of the signature at offset 100h:



Next, it will take to fix after the removal of a digital signature - is the checksum file. It is across the 58h bytes after the signature of PE-format, ie 100h + 58h = 158h, hence the current checksum (type dword, ie 4 bytes) of the file - 9F36Ch (byte flipped):



next two values ??are directly to a digital signature. If they consist of zeros - no signature. The first is through 40h bytes after the CRC or 98h bytes after the beginning of the signature - 100h + 98h = 198h:



This is a 4-byte value indicates the shift on which is the beginning of the digital signature. It is now well 8E438h:



The second, again a 4-byte value that is immediately behind the first:



It means the size of a digital signature, which in this case is equal to 1500h, or 5376 bytes. Means the end of the signature is at offset 8E438h + 1500h = 8F938h. As a rule the digital signature is to the end of the file check:



All the same, so this unit can be safely removed, after which the end of the file will 8E437h:



was left one small thing - overwrite with zeros pointers offset and size of digital signatures:



And the correct checksum using the utility ModifyPE:



Check:



Done! Now the package installation is such as it was before the signature byte for byte.

P. S. Do not judge strictly, it is the first time in the future, quality will rise. Constructive criticism is welcome.

P.P.S. Author Topic beginner habrayuzer systracer, who asked me to publish his text. Pluses should be addressed to him, cons leave me.
Views: 1495 | Added by: w1zard | Rating: 0.0/0
Total comments: 0
Имя *:
Email *:
Код *: