Closed pcbcos closed 1 year ago
My PAR clients (par1j and par2j) check their PE checksum and CRC-32 for self-test. The PE checksum was set by the compiler. CRC-32 was set by a tool, which can forge CRC-32 to be a favorite value. Because I set the .EXE file's CRC-32 to 0x22222222 or 0x22222A64 before public release, a user will be able to test later. While some ZIP file archivers show the CRC-32 of content files, I selected the easily noticeable value 0x22222222 for PAR2 and 0x11111111 for PAR1. Some users found the special CRC-32 values.
However, I don't know how to achieve this while keeping the checksum correct
Algorithm of PE checksum is publicly known. CRC-32 is known to forge also. Then, it's possible to set both checksums theoretically. My tool set them instantly. I made the tool to find matching value with brute force by changing some bytes in text area. There is no magic, just 16-bit checksum is too short for brute force attack.
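An added example, not part of the replies and not MultiPar's own code, of the two self-test checks discussed above and of why a 16-bit additive sum only catches accidental damage. It assumes the commonly described PE checksum (16-bit words summed with end-around carry, CheckSum field counted as zero, file length added); the 512-byte buffer and all function names are constructed for illustration.

```python
import struct
import zlib

E_LFANEW = 0x3C             # DOS header field holding the PE header offset
CHECKSUM_REL = 4 + 20 + 64  # PE signature + COFF header + CheckSum offset in optional header

def checksum_offset(image: bytes) -> int:
    """Locate the 32-bit CheckSum field of a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (pe,) = struct.unpack_from("<I", image, E_LFANEW)
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return pe + CHECKSUM_REL

def pe_checksum(image: bytes) -> int:
    """16-bit end-around-carry sum with the CheckSum field zeroed, plus file length."""
    off = checksum_offset(image)
    data = bytearray(image)
    data[off:off + 4] = bytes(4)
    if len(data) % 2:
        data.append(0)
    total = 0
    for (word,) in struct.iter_unpack("<H", data):
        total += word
        total = (total & 0xFFFF) + (total >> 16)
    return (total + len(image)) & 0xFFFFFFFF

def self_test(image: bytes, expected_crc: int) -> dict:
    """Both checks the thread mentions: stored PE checksum and a known CRC-32."""
    (stored,) = struct.unpack_from("<I", image, checksum_offset(image))
    return {"pe_checksum": stored == pe_checksum(image),
            "crc32": zlib.crc32(image) == expected_crc}

def build_sample() -> bytes:
    """Constructed 512-byte buffer with PE-style headers (not a runnable program)."""
    img = bytearray(range(256)) * 2
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, E_LFANEW, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<I", img, 0x80 + CHECKSUM_REL, pe_checksum(bytes(img)))
    return bytes(img)

def demo() -> tuple:
    """Swap two adjacent 16-bit words: the additive sum cannot see it, CRC-32 can."""
    good = build_sample()
    crc = zlib.crc32(good)
    bad = good[:0x100] + good[0x102:0x104] + good[0x100:0x102] + good[0x104:]
    return self_test(good, crc), self_test(bad, crc), good != bad
```

Neither value is a tamper-proof integrity check: as the reply says, CRC-32 can also be forged, so both serve as a corruption self-test rather than as authentication of the binary.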
Thank you for telling me that and for your great software.
After reading the code of function par2_checksum, I noticed that the CRC-32 of the compiled result will be set to a fixed value 0x22222222 or 0x22222A64. However, I don't know how to achieve this while keeping the checksum correct (there is a checksum stored in the PE's header).