
Created: Wednesday, March 5 2008 05:43.30 CST  
Microsoft's Rich Signature (undocumented)
Author: Ntoskrnl # Views: 2590

In the last few days I've been quite sick, so I decided that as long as I had to stay in bed I might as well use the time to do something useful (or nearly so). What happened is that someone asked me what the Rich Signature was. It might seem strange, but in all these years I had never even noticed it; I simply overlooked it as part of the DOS stub (incredible but true). Unable to answer, I found out together with this person that the subject was completely undocumented. It may not be very important, but you might find it an interesting read after all.

http://ntcore.com/Files/richsign.htm

Since information about this topic is non-existent, the reader might not know what I'm talking about:

Code:

00000070  6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00  mode....$.......
00000080  E7 B3 9D E7 A3 D2 F3 B4 A3 D2 F3 B4 A3 D2 F3 B4  ................
00000090  60 DD AC B4 A8 D2 F3 B4 60 DD AE B4 BE D2 F3 B4  `.......`.......
000000A0  A3 D2 F2 B4 F8 D0 F3 B4 84 14 8E B4 BA D2 F3 B4  ................
000000B0  84 14 9E B4 3A D2 F3 B4 84 14 9D B4 3F D2 F3 B4  ....:.......?...
000000C0  84 14 81 B4 B3 D2 F3 B4 84 14 8F B4 A2 D2 F3 B4  ................
000000D0  84 14 8B B4 A2 D2 F3 B4 52 69 63 68 A3 D2 F3 B4  ........Rich....
000000E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000000F0  00 00 00 00 00 00 00 00 50 45 00 00 4C 01 04 00  ........PE..L...


This is the data between the DOS stub and the PE header. It ends with the word "Rich". It is produced by Microsoft VC++ compilers only, and it is encrypted.


Blog Comments
dennis Posted: Wednesday, March 5 2008 06:10.43 CST
very thorough analysis and good work. thanks for sharing!

igorsk Posted: Wednesday, March 5 2008 06:29.45 CST
It's been described before in 29A, among other places.
http://mirror.sweon.net/madchat/vxdevl/vxmags/29a-8/Articles/29A-8.009
http://www.woodmann.com/forum/archive/index.php/t-5398.html
There's also a resident topic at wasm.ru where you can get patches for various versions of link.exe to disable the signature's generation if you're paranoid :)
That article is wrong BTW, Rich signature is produced by VC6's linker too.

Ntoskrnl Posted: Wednesday, March 5 2008 07:36.56 CST
I said in the article I wasn't sure about when it was introduced. I don't have my VC++ 6 to test any more.

igorsk Posted: Wednesday, March 5 2008 08:20.06 CST
I had a look at where @comp.id is generated, and its value is basically the compiler's build number (low word) plus some compilation flags (high word).
I guess MS puts it into executable to be able to determine which compiler version(s) were used to produce it.

Ntoskrnl Posted: Wednesday, March 5 2008 08:45.14 CST
To produce the libraries with which the exe was linked you mean. Uhm, yes that sounds very likely to be true, since as I wrote in the article the data seems more like a flag and part of it seems almost never to change. Thanks for sharing, anyway this info would be likely to go into an article about the object file format produced by MS linkers, it needs some further digging.

I fixed the article about the VC++ 6 thing you said.

blimyk Posted: Thursday, March 6 2008 00:01.57 CST
very good read! thanks!

RolfRolles Posted: Thursday, March 6 2008 00:37.11 CST
Novel or not, this is a good example of a professional-quality reverse engineering work product. Good job.

Ntoskrnl Posted: Thursday, March 6 2008 11:18.11 CST
Thanks!

Ntoskrnl Posted: Friday, May 2 2008 12:10.05 CDT
Today I had a bit of time and updated the article:

http://ntcore.com/Files/richsign.htm

Actually the high word is divided into two parts: high byte and low byte. The low byte contains the major version of the compiler, whereas the minor version is contained in the low word.

Just wanted to let you know so that the topic can be closed once and for all.
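A decoder for the signature in the dump above, written as an added example (not code from the article or the linked page). It walks back from the trailing "Rich" to the start marker, which XOR-decodes to "DanS" with the key stored after "Rich" (verified against the dump's own bytes), checks the three key DWORDs that follow the marker, and splits each entry into @comp.id and its use count; the split of @comp.id into a high word and a build-number low word follows the comments above, and the sample input is the dump transcribed as constructed bytes.

```python
import struct

# Bytes of the dump shown in the post (file offsets 0x70..0xFF),
# transcribed here as the constructed sample input.
RICH_SAMPLE = bytes.fromhex(
    "6D6F64652E0D0D0A2400000000000000"
    "E7B39DE7A3D2F3B4A3D2F3B4A3D2F3B4"
    "60DDACB4A8D2F3B460DDAEB4BED2F3B4"
    "A3D2F2B4F8D0F3B484148EB4BAD2F3B4"
    "84149EB43AD2F3B484149DB43FD2F3B4"
    "841481B4B3D2F3B484148FB4A2D2F3B4"
    "84148BB4A2D2F3B452696368A3D2F3B4"
    "00000000000000000000000000000000"
    "0000000000000000504500004C010400"
)

def parse_rich(data):
    """Decode a Rich signature found in `data`.

    Returns (key, entries) with entries as (comp_id, count) tuples in file
    order, or None when no well-formed signature is present."""
    end = data.find(b"Rich")
    if end < 0 or end + 8 > len(data):
        return None
    key = struct.unpack_from("<I", data, end + 4)[0]   # XOR key follows "Rich"
    # Walk backwards one DWORD at a time until a value decodes to "DanS".
    dans = struct.unpack("<I", b"DanS")[0]
    pos = end - 4
    while pos >= 0:
        if struct.unpack_from("<I", data, pos)[0] ^ key == dans:
            break
        pos -= 4
    else:
        return None
    # "DanS" is followed by three DWORDs equal to the key (they decode to 0).
    for i in range(1, 4):
        if struct.unpack_from("<I", data, pos + 4 * i)[0] ^ key != 0:
            return None
    entries = []
    for off in range(pos + 16, end, 8):
        comp_id, count = struct.unpack_from("<II", data, off)
        entries.append((comp_id ^ key, count ^ key))
    return key, entries

def split_comp_id(comp_id):
    """Split @comp.id as the comments describe: the low word is the build
    number, the high word carries the compiler version/flag information."""
    return comp_id >> 16, comp_id & 0xFFFF
```

Running parse_rich(RICH_SAMPLE) recovers the key 0xB4F3D2A3 and nine entries, e.g. (0x007DC627, 25): build 50727 used by 25 objects.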
