
md5sum a file that contains the sum itself?

I have written a small app in C++ consisting of a single EXE file.

I want to put in its "about" dialog the md5sum of the executable itself. It should be embedded statically into the executable (so that it can be seen from a hex editor), rather than computed on the fly.


As both @Shi & @matthewdaniel have already said, this can't be done directly.
However a couple of workarounds are possible:

  • Calculating the MD5 of your application, and packaging your executable inside a container app that will simply extract it and check its MD5
  • Compiling your code and hashing only the code segments or other segments (except the Data segment), and then adding the MD5 check code. This will work because the MD5 string will be stored in the Data segment, keeping the precalculated hash of every other memory segment valid.


This is not possible.

If you enter the md5 hash into the binary, the binary will change, so the md5 hash changes as well. If you create a new one, and try to add it to the binary, the binary will change again.

So best is to put the hash into a file, and read that file and display its content.

Another way could be to create the md5 hash of the binary, and then append it to the executable. In order to fetch the value, you read the last 32 bytes of the binary and display them as the md5. Of course, if you create a hash of the complete executable, it won't match the stored hash - you have to create the hash of the executable excluding the last 32 bytes.

If you store the 128-bit md5 hash in a raw format (base 256 instead of base 16), you only need 16 bytes.
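The two workarounds above (hash everything except the segment that holds the hash, or append the hash as a trailer) are the same trick: compute the digest over every byte except a reserved slot, then write the digest into that slot. The following is an added example, not code from the original answers, showing that general form; the trailer variant is the special case where the slot is the final 16 bytes. The constructed `IMAGE`, the `MD5SLOT_________` marker, and the function names are assumptions for illustration.

```python
"""
Added example (not from the original answers): embed the MD5 of an
executable image in a reserved 16-byte slot inside the image itself.

The hash is computed with the slot treated as all zeros, so the stored
digest stays valid no matter what is later written into the slot.
Appending the digest to the end of the file is the special case where
the slot is the last 16 bytes.  The digest is stored raw (16 bytes), so
it is visible in a hex editor.
"""
import hashlib

DIGEST_LEN = 16                      # raw MD5 is 128 bits
PLACEHOLDER = b"\x00" * DIGEST_LEN   # what the slot "contains" while hashing


def _digest_excluding(data: bytes, slot: int) -> bytes:
    """MD5 over `data` with the 16-byte slot at offset `slot` zeroed."""
    if not 0 <= slot <= len(data) - DIGEST_LEN:
        raise ValueError("slot does not fit inside the image")
    h = hashlib.md5()
    h.update(data[:slot])
    h.update(PLACEHOLDER)
    h.update(data[slot + DIGEST_LEN:])
    return h.digest()


def embed(data: bytes, slot: int) -> bytes:
    """Return a copy of `data` with its self-hash written into the slot."""
    d = _digest_excluding(data, slot)
    return data[:slot] + d + data[slot + DIGEST_LEN:]


def append_trailer(data: bytes) -> bytes:
    """The 'append it to the executable' variant: the slot is the new tail."""
    return embed(data + PLACEHOLDER, len(data))


def stored_hash(data: bytes, slot: int) -> str:
    """What the About dialog would display: hex of the bytes in the slot."""
    return data[slot:slot + DIGEST_LEN].hex()


def verify(data: bytes, slot: int) -> bool:
    """Recompute the digest the same way and compare it with the slot.

    This is an integrity check only: anyone who can rewrite the file can
    also rewrite the slot, which is why the signature answer below exists.
    """
    return data[slot:slot + DIGEST_LEN] == _digest_excluding(data, slot)


def naive_full_hash(data: bytes) -> str:
    """Plain md5sum of the whole file; as the answers say, it cannot match."""
    return hashlib.md5(data).hexdigest()


# Constructed stand-in for the EXE (assumption, not a real binary):
# some "code", a 16-byte marker the build step locates, and some "data".
CODE = b"\x55\x48\x89\xe5" * 8
MARKER = b"MD5SLOT_________"        # exactly 16 bytes, hypothetical marker
DATA = b"about dialog strings\x00"
IMAGE = CODE + MARKER + DATA
SLOT = IMAGE.index(MARKER)

if __name__ == "__main__":
    stamped = embed(IMAGE, SLOT)
    print("stored   :", stored_hash(stamped, SLOT))
    print("verify   :", verify(stamped, SLOT))
    print("md5sum   :", naive_full_hash(stamped), "(differs, as expected)")
    print("tampered :", verify(stamped.replace(b"about", b"ab0ut"), SLOT))
    trailer = append_trailer(IMAGE)
    print("trailer  :", verify(trailer, len(IMAGE)))
```

In a real build you would run `embed` as a post-link step that finds the marker in the PE file and patches it in place; the About dialog then reads the 16 bytes at that offset and prints them in hex. Note that stamping is idempotent (stamping an already stamped image leaves it unchanged), which is what lets the verification routine recompute the digest on the finished file.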


As soon as you add the md5 to the file, the file will have a different md5. There is no way to get the md5 in the file itself.


The typical method is a signature. A signature is a hash that is further signed by a public/private key. The application can use the public key to verify the hash contained within.

However, this needs to be separate from the executable. As the other answers state, it is impossible to do this with one file. You can merge the signature and the binary and provide instructions to use tools to separate them to compute the verification.

However, this does not stop in-memory attacks against the application, e.g. a buffer overflow that lets an attacker rewrite code in memory.


You might not need the hash of the public key. You need to encrypt the hash of the binary so it cannot be altered. You might use the hash of the public key to verify instructions to the user, etc. The distribution of the public key and the verification instructions cannot be bundled. Otherwise an attacker can just re-create the bundle with an alternate key pair. Including the hash of the public key can prevent some other attack against the instructions, i.e. the signature has some verification that the advertised public key matches what the binary was signed with.

Using established methods is probably better, as users can have alternate tools to verify the integrity. Also, this way only the public key needs to be distributed through some other channel.

Reference: Digital signature with OpenSSL


The above fixes another attack. Given that what you said was possible, what would stop someone else from doing the same thing, but with a trojan horse binary? Distribution of the public key is an authentication of the source (the legitimate developer). None of the other answers addressed this.

