Re: Editors

From: Betov (betov_at_free.fr)
Date: 03/07/04


Date: 07 Mar 2004 15:29:38 GMT


"R.Wieser" <rwieser-killthis-@xs4all.nl> wrote in
news:404b0621$0$564$e4fe514c@news.xs4all.nl:

> Roy Jones <mhca12@sbcglobal.net> wrote in news message
> opr4gqxlnqjw3stx@news.la.sbcglobal.net...
>> On 06 Mar 2004 22:36:35 GMT, Betov <betov@free.fr> wrote:
>
> [Snip]
>
>> Minus the source(via sourcekiller or hex editor), all you
>> have is a standard PE. The answer to Luc's question is
>> that with the source removed one can't easily tell the PE
>> was produced by RosAsm.
>
> Thus, the source-code stripped version of a RosAsm PE file does not
> have any protection.

True.

> It looks like that the CRC/"anti-virus" capabilities are *only*
> activated/effective on the *source-code* contained in a RosAsm-file
> *and* when is loaded into the editor.

No. The "Private" CheckSum applies on the whole PE _including_
the Source.

> The first conclusion degrades RosAsm PE files to the level of a
> simple, plain-text, source-code file (and those are *hard* to infect),
> and the second conclusion tells us that the *executable part* in a
> RosAsm PE file *is not protected*.

Wrong. The whole PE, with Source inside is de-facto protected.

> While the first part could be called an addition (although a meager
> one), the second part makes the RosAsm file downright dangerous.
> There is a claim of protection that is *not there* where it means the
> most .... And, let's be honest : double-clicking an executable is the
> most natural thing (in a Windows-environment :-) to do. So even
> Developers could get it wrong sometimes ...

True. RosAsm users should never run a RosAsm produced file
by Double-Clicking on the Icon, and, instead, always do it
from inside RosAsm Menu. The protection is effective _only_
in that case. Notice, nevertheless, that, even in case of
direct run a contamination could only come out in cases when
the PE would have been infected between its last Compilation
and the run (not to say "and the Download"). A rather unlikely
taken case. In case of contamination during the development,
the programmer would see it immediately. Much better than
nothing at all.

>> RosAsm compiles the source before running within itself, computing checksum
>> and verifying with the value from original PE. The checksum routine is not
>> in the PE files but in RosAsm.
>
> Thanks for confirming the above (protection only works for source-code
> loaded into the editor) :-)

No. It works even if the "real PE" is infected. The only
real interest coming with this feature is that, when RosAsm
loads a PE, it first recalculates the Checksum, and, in non-
matching cases, outputs a MessageBox telling so. Being
informed about an infection is the very first point for
keeping free from its extension.

Then, _of course_, in any case, when re-compiling the App,
the virus will be erased, the same way it would also be,
if there was no security at all. The point is that nobody
would ever know that an infection has occurred, without the
feature.

> [...]
> FYI, a standard PE has got a checksumming capability (safeguarding
> against accidental change), but it cannot be used as a viri-protection
> : A virus-writer will of course know of it and alter it to an
> acceptable value.

:)

FYI, I am the kind of guy able to write a small PE with a
hex Editor.

:)

> By the way : did you notice that the actual question remained
> un-answered ? How do you know that a RosAsm PE is self-checking, and
> you not just have started a malicious program claiming to be a RosAsm
> PE ?
>
> As far as I can see, the answer is : you can't.

Sure. ;) RosAsm PEs do _NOT_ perform any self-checking.

> Even when a RosAsm PE would have self-checking capabilities for the
> executable, the only way to start such self-checking would be to start
> the executable. If the self-check would not be present, anything that
> *would* be present (virus ? malicious code ?) would get started
> instead.

True. This is why I recommend, above, to start RosAsm PEs
from RosAsm.

Maybe I misexplained:

All of this debate was introduced by a remark saying that
exchanging RosAsm PEs, instead of simple Sources Files
was a danger for _us_ (_us_ = The Programmers). My answers
never addressed, in any way, the Final Users. A PE is a PE.
RosAsm PEs do not perform self checking. They are ordinary
PEs that can be infected as well as any other existing PE.

This protection is for _us_ only, not for end-users, at all.

> And if you're wondering : No, I'm not using Randall's product, and
> neither am I using Betov's.

:)) Well. Only good news. :))

* Not using "Betov's" is not a problem: There are other
great Tools around...

* But, not using "Randall's" is even much better: Whatever else
you could ever use will save yourself from such a ridiculous
situation, as the one of being an HLA victim.

:)) Congratulations.

Betov.

< http://betov.free.fr/RosAsm.html >
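
Added example, not part of the original post and not RosAsm's code: the quoted FYI about the standard PE header checksum, worked through in Python. It uses the standard PE checksum, not RosAsm's "Private" CheckSum (the thread does not give that algorithm); the HMAC comparison, its key and the 1 KiB buffer are assumptions constructed for this illustration.

```python
import hashlib
import hmac
import struct

def checksum_offset(image):
    """File offset of OptionalHeader.CheckSum (64 bytes into the optional header)."""
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[:2] != b"MZ" or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    return e_lfanew + 4 + 20 + 64  # PE signature + COFF header + field offset

def pe_checksum(image):
    """Standard PE header checksum: folded 16-bit word sum plus file length."""
    off = checksum_offset(image)
    buf = bytearray(image)
    buf[off:off + 4] = b"\0" * 4            # the field itself counts as zero
    buf += b"\0" * (len(buf) % 2)           # pad to a whole 16-bit word
    total = 0
    for (word,) in struct.iter_unpack("<H", buf):
        total += word
        total = (total & 0xFFFF) + (total >> 16)
    return (total + len(image)) & 0xFFFFFFFF

def stamp(image):
    buf = bytearray(image)
    struct.pack_into("<I", buf, checksum_offset(image), pe_checksum(image))
    return bytes(buf)

def header_ok(image):
    (stored,) = struct.unpack_from("<I", image, checksum_offset(image))
    return stored == pe_checksum(image)

def external_tag(key, image):
    # Assumption of this example: key and tag are stored outside the file.
    return hmac.new(key, image, hashlib.sha256).digest()

def demo(key=b"constructed-demo-key"):
    raw = bytearray(1024)                   # constructed buffer, not a loadable program
    raw[0:2], raw[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", raw, 0x3C, 0x80)
    raw[0x200:0x210] = b"\x90" * 16
    good = stamp(bytes(raw))
    tag = external_tag(key, good)
    changed = bytearray(good)
    changed[0x200] = 0xCC                   # one byte altered after the build
    restamped = stamp(bytes(changed))       # field recomputed over the new contents
    return {"changed_header_ok": header_ok(bytes(changed)),
            "restamped_header_ok": header_ok(restamped),
            "restamped_tag_ok": hmac.compare_digest(tag, external_tag(key, restamped))}
```

The header field flags the accidental change but accepts the file once the field is recomputed, while the tag held outside the file still mismatches.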


