5

I would be interested in whether it is possible in some way to check my application against modifications by checking its checksum.

So, for example:

int main()
{
     const std::string checksum = "98123abc1239";
     std::string myChecksum = calculateChecksumOfThisApp();
     if(checksum != myChecksum)
         std::cerr << "This application is invalid. Please check if the download has been successful." << std::endl;
 }

Clearly, the issue here is that compiling my application, getting the executable's checksum and inserting it into my checksum changes the checksum of the application.

I could store the checksum externally in some file, but I would like to have the side-benefit of others not being able to manipulate the exe. They could just calculate the checksum once again and put it into the checksum file, so nothing would be gained from that.

Is there any way to create such a self-check?

IceFire
  • 4,016
  • 2
  • 31
  • 51
  • This may give you some ideas: http://stackoverflow.com/a/16349686/4323 - perhaps you can sort out how to overwrite the checksum with zeros before self-checksumming. – John Zwinck Mar 12 '17 at 12:06
  • 3
    What'd be the point of that? If you're worried about someone messing with your binary this does literally nothing. Someone with the capability to change your application could just recompute the checksum... or skip this check entirely. – Cubic Mar 12 '17 at 12:08
  • Good point by @Cubic. I guess, it'd be better if the checksum is calculated external to the application, probably calculating the checksum periodically and matching it against the initial expected checksum. – akaHuman Mar 12 '17 at 12:13
  • You are right, does not make sense, then... I'll keep it open, maybe there are other use cases for what I desire, but does not seem like it – IceFire Mar 12 '17 at 12:14
  • The "secure apps" and "secure os" works via some special memory that is used to store the checksum. Of course, that requires special hardware, which limits the useability of this process. And of course, you also need to ensure that the checksum calculation/checking itself can be trusted... This is a complex chain of trust issue. It's a really hard problem to solve if you want to protect against more than amateur hacking. – Mats Petersson Mar 12 '17 at 12:26

1 Answers1

2

The easiest workaround is to make the checksumming routine aware of the position where the checksum itself is stored, and skip the bytes when calculating the checksum.

If calculating the position is too much hassle, you can prefix the checksum with a magic string and recognize that. Just make sure that the checksumming procedure doesn't store the magic string literally, as you don't want to escape that copy.

Rafał Dowgird
  • 43,216
  • 11
  • 77
  • 90