reported by Matthew (x86matthew):
The issue relates to the checksum field within the NT Optional Header. I have recently been generating some custom binaries and noticed that PE-Bear was reporting the checksum being incorrect (highlighted in red). Microsoft's MapFileAndCheckSum function confirmed that my original checksum was correct, so I did some investigating.
My results showed that PE-Bear was validating the checksum incorrectly when the total file size was not a multiple of 2. I have uploaded a simple set of minimal PE files to reproduce the issue at the following URL:
http://www.x86matthew.com/other/PeBearChecksum.zip
Checksum_0_Byte_Overlay.exe -> Basic PE file with 1024 total bytes, PE-Bear validates checksum correctly (0xAB91)
Checksum_1_Byte_Overlay.exe -> Basic PE file with 1025 total bytes, PE-Bear says checksum is invalid despite being correct (correct checksum: 0xAC0A)
Checksum_2_Byte_Overlay.exe -> Basic PE file with 1026 total bytes, PE-Bear validates checksum correctly (0x240C)
I believe the problem originates within the following function:
https://github.com/hasherezade/bearparser/blob/c059bcb25c6e9137cd1a4f1a97ae53f1a0a250b8/parser/pe/PEFile.cpp#L50
The code appears to be dividing the file size by 2 and discarding the additional byte if it exists. Of course, PE file sizes are usually multiples of 2 already so this will rarely be an issue in the real world.
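The odd-size case described in the report, as an added example that is not code from PE-Bear, bearparser or the reporter: it uses the commonly documented PE checksum (16-bit little-endian word sum with end-around carry, CheckSum field counted as zero, file length added), which is assumed here to match what MapFileAndCheckSum computes. `pe_checksum`, `make_sample` and the `round_down_odd` switch are hypothetical names, and the sample image is constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// CheckSum offset from the "PE\0\0" signature: 4 (signature) + 20 (file header)
// + 64 (position inside the optional header, same for PE32 and PE32+).
static const size_t kChecksumFromNt = 4 + 20 + 64;

// Computes the PE checksum of a whole file image into `out`.
// round_down_odd = true models the behaviour described in the report
// (size / 2 words, trailing odd byte ignored); false counts that byte.
bool pe_checksum(const std::vector<uint8_t>& f, uint32_t& out, bool round_down_odd = false) {
    if (f.size() < 0x40 || f[0] != 'M' || f[1] != 'Z') return false;
    const size_t nt = f[0x3C] | (f[0x3D] << 8) | (f[0x3E] << 16) | (size_t(f[0x3F]) << 24);
    if (nt > f.size() || f.size() - nt < kChecksumFromNt + 4) return false;
    const size_t field = nt + kChecksumFromNt;

    // The stored CheckSum bytes and anything past end-of-file read as zero.
    auto byte_at = [&](size_t i) -> uint32_t {
        if (i >= f.size() || (i >= field && i < field + 4)) return 0;
        return f[i];
    };
    const size_t words = round_down_odd ? f.size() / 2 : (f.size() + 1) / 2;
    uint32_t sum = 0;
    for (size_t w = 0; w < words; ++w) {
        sum += byte_at(2 * w) | (byte_at(2 * w + 1) << 8);  // little-endian word
        sum = (sum & 0xFFFF) + (sum >> 16);                 // fold carry back in
    }
    out = sum + static_cast<uint32_t>(f.size());            // file length added last
    return true;
}

// Constructed sample, not one of the report's files: 1024 zero bytes with
// MZ / e_lfanew / PE signature set, followed by `overlay` bytes of 0x41.
std::vector<uint8_t> make_sample(size_t overlay) {
    std::vector<uint8_t> f(1024, 0);
    f[0] = 'M'; f[1] = 'Z'; f[0x3C] = 0x40;
    f[0x40] = 'P'; f[0x41] = 'E';
    f.resize(1024 + overlay, 0x41);
    return f;
}
```

On the constructed sample the two modes agree for 0 and 2 overlay bytes and differ only for the 1-byte overlay, which is the pattern the three test files in the report show.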