Hydan: Steganography in Executables
An anonymous reader says "Ever wanted to hide a message into an executable? Now you can with Hydan. Presented recently by Rakan El-Khalil at Defcon and Blackhat, this tool lets you embed data into an application without changing its functionality or filesize! Check it out. Use includes steganography as well as embedding a program's signature into itself to verify it's not been tampered with."
Many executable formats include unused space for alignment purposes. For example, I've been working on a Mach-O equivalent of the super-tiny ELF executable mentioned a few days back. The executable produced by GCC includes 300 bytes of code and headers, and 8000 bytes of padding.
"They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
Unless you do it like this (an example is always easy to understand).
Say you have an executable:
1337PROGRAM
Your signature checking routine then does this:
1_3_3_7_P_R_O_G_R_A_M
and computes the hash
deadbabeca
And then sends:
1d3e3a7dPbRaObGeRcAaM
To reverse, we extract the hash (deadbabeca) and the "original" executable.
Then we compute the hash (of 1_3_3_7...) and check if it matches...
In summary, we embedded a checksum, but we removed it before we checked it. Simple, really.
My other car is first.
To decode.
I would still recommend publishing a separate public key, however, and include an encrypted signature in the program. As you say, it can always be changed and re-encoded.
On the other hand, this might be useful on a server, by encoding a public key and checker on a CD-R and checking all your programs periodically against the CD-R key. You could encode signatures in each program and be able to upgrade programs from a central encoding server without having to write a new cd each time.