Why is recalculation of PE header checksums recommended?


creopard


An invalid checksum indicates a PE file has been hacked or otherwise corrupted. Correcting it hides the fact it was hacked, but provides the ability to detect later corruption. I believe the checksum only needs to be valid for system drivers.


I guess it's not a good idea to fix the checksums of .vxd files?

After fixing all files with "PEChecksum" (from n7Epsilon) Windows 98 prompts me with a "protection error" "while initializing device CONFIGMS".

 


I'm patching them because I'm currently updating the outdated German "Windows 98 SE SP 3.0 beta4" to a new/fully tested version 3.1.
As you can imagine, this requires replacing/editing quite a few files with the German equivalents...

Based on PROBLEMCHYLD's "U98SESP3" Pack, I'm recreating the German version, hence the question about the checksums.

Here is the list of files that had the checksum updated:

Quote

SP3\CBSS.VXD     Checksum updated     from 0x0000014C to 0x0001937E
SP3\CDFS.VXD     Checksum updated     from 0x0000015C to 0x000143AE
SP3\CDTSD.VXD     Checksum updated     from 0x00000134 to 0x0000AC9A
SP3\CDVSD.VXD     Checksum updated     from 0x00000164 to 0x0000D749
SP3\COMPOBJ.DLL     Checksum updated     from 0x048A0718 to 0x00015B10
SP3\CONFIGMG.VXD     Checksum updated     from 0x0000023C to 0x0002C62C
SP3\CONTROL.EXE     Checksum updated     from 0x00600000 to 0x0000EA0A
SP3\DEFRAG.EXE     Checksum updated     from 0x00A82458 to 0x0003B43B
SP3\DISKTSD.VXD     Checksum updated     from 0x00000120 to 0x00012428
SP3\DISKVSD.VXD     Checksum updated     from 0x00000130 to 0x00009CD5
SP3\DSKMAINT.DLL     Checksum updated     from 0xEEFE0B00 to 0x0003AA50
SP3\ESDI_506.PDR     Checksum updated     from 0x0000013C to 0x00009B6A
SP3\FDISK.EXE     Checksum updated     from 0xECFFFF01 to 0x00016B69
SP3\GDI.EXE     Checksum updated     from 0x220D120F to 0x000593EF
SP3\GROUPPOL.DLL     Checksum updated     from 0x00000000 to 0x0001210C
SP3\HSFLOP.PDR     Checksum updated     from 0x000001E4 to 0x00012171
SP3\IFSMGR.VXD     Checksum updated     from 0x00000274 to 0x00037D24
SP3\IO.SYS     Checksum updated     from 0x00000000 to 0x0003DDF7
SP3\IOS.VXD     Checksum updated     from 0x000001C4 to 0x0001136B
SP3\IRENUM.VXD     Checksum updated     from 0x00000200 to 0x00017C54
SP3\KBDHID.VXD     Checksum updated     from 0x0000011C to 0x0000A5ED
SP3\KBDSP.KBD     Checksum updated     from 0x455E415E to 0x0000259A
SP3\KEYB.COM     Checksum updated     from 0xE703EE03 to 0x0000F3D2
SP3\KRNL386.EXE     Checksum updated     from 0x2D921B34 to 0x0002CC01
SP3\MOUHID.VXD     Checksum updated     from 0x00000118 to 0x00003640
SP3\MPRSERV.DLL     Checksum updated     from 0x00000000 to 0x0002B5A5
SP3\MSAATEXT.DLL     Checksum updated     from 0x00000000 to 0x0007D974
SP3\MSAB32.DLL     Checksum updated     from 0x00000000 to 0x00022199
SP3\MSAFD.DLL     Checksum updated     from 0x00000000 to 0x0000894E
SP3\MSMOUSE.VXD     Checksum updated     from 0x00000164 to 0x000139FF
SP3\MSWSOSP.DLL     Checksum updated     from 0x00000000 to 0x0000CBEB
SP3\NDIS.VXD     Checksum updated     from 0x000005E8 to 0x00037D2D
SP3\NTKERN.VXD     Checksum updated     from 0x0000025C to 0x0002FFCA
SP3\NTMAPHLP.PDR     Checksum updated     from 0x00000118 to 0x0000C331
SP3\NWLINK.VXD     Checksum updated     from 0x00000150 to 0x00019B5A
SP3\NWPP32.DLL     Checksum updated     from 0x00000000 to 0x00010217
SP3\NWREDIR.VXD     Checksum updated     from 0x0000023C to 0x0002C383
SP3\OLEACC.DLL     Checksum updated     from 0x00000000 to 0x00066FA3
SP3\OLEACCRC.DLL     Checksum updated     from 0x00000000 to 0x0005DD04
SP3\PCI.VXD     Checksum updated     from 0x00000190 to 0x000152E1
SP3\PPPMAC.VXD     Checksum updated     from 0x00000808 to 0x0004040F
SP3\RICHED.DLL     Checksum updated     from 0x9F52199F to 0x0004063B
SP3\RNR20.DLL     Checksum updated     from 0x00000000 to 0x00014511
SP3\RPCLTCCM.DLL     Checksum updated     from 0x00000000 to 0x0001135C
SP3\SCANDISK.EXE     Checksum updated     from 0x0030001E to 0x00044C93
SP3\SCANDSKW.EXE     Checksum updated     from 0x00F90000 to 0x00002FF3
SP3\SCSI1HLP.VXD     Checksum updated     from 0x00000138 to 0x00010AAA
SP3\SCSIPORT.PDR     Checksum updated     from 0x0000013C to 0x000134BC
SP3\SECUR32.DLL     Checksum updated     from 0x00000000 to 0x0001B27F
SP3\SMARTVSD.VXD     Checksum updated     from 0x00000150 to 0x00007527
SP3\SPOOLSS.DLL     Checksum updated     from 0x00000000 to 0x000248B9
SP3\START.WAV     Checksum updated     from 0x00A0016F to 0x000080D6
SP3\STDOLE2.TLB     Checksum updated     from 0x00000000 to 0x00004810
SP3\SYSDM.CPL     Checksum updated     from 0x34C7152B to 0x0006D053
SP3\TIMEDATE.CPL     Checksum updated     from 0x00000000 to 0x0000CA67
SP3\TSHOOT98.CHM     Checksum updated     from 0x000010CC to 0x00045922
SP3\TWAIN.DLL     Checksum updated     from 0x80050004 to 0x0001B638
SP3\TWUNK_16.EXE     Checksum updated     from 0x800E0004 to 0x0001000D
SP3\UDF.VXD     Checksum updated     from 0x0000025C to 0x0000ABCE
SP3\USER.EXE     Checksum updated     from 0x1DA708ED to 0x0009397C
SP3\USER32.DLL     Checksum updated     from 0x00000000 to 0x0001AF2A
SP3\VCACHE.VXD     Checksum updated     from 0x00000190 to 0x0000DA48
SP3\VCOMM.VXD     Checksum updated     from 0x0000018C to 0x0000DD50
SP3\VDHCP.386     Checksum updated     from 0x000002EC to 0x00014CB6
SP3\VFAT.VXD     Checksum updated     from 0x00000184 to 0x00013DA8
SP3\VFWWDM32.DLL     Checksum updated     from 0x00000000 to 0x0001292E
SP3\VIP.386     Checksum updated     from 0x00000158 to 0x000220D9
SP3\VMCPD.VXD     Checksum updated     from 0x0000016C to 0x000107F4
SP3\VMM.VXD     Checksum updated     from 0x00000450 to 0x00076354
SP3\VMOUSE.VXD     Checksum updated     from 0x0000015C to 0x00013986
SP3\VNBT.386     Checksum updated     from 0x00000388 to 0x000252BE
SP3\VNETBIOS.VXD     Checksum updated     from 0x000001A8 to 0x00009A55
SP3\VOLTRACK.VXD     Checksum updated     from 0x00000150 to 0x000140AF
SP3\VPICD.VXD     Checksum updated     from 0x000001C8 to 0x000192C9
SP3\VPOWERD.VXD     Checksum updated     from 0x000001A8 to 0x0001508F
SP3\VSERVER.VXD     Checksum updated     from 0x000001A0 to 0x0002B7BE
SP3\VTCP.386     Checksum updated     from 0x0000012C to 0x00019580
SP3\WDMAUD.DRV     Checksum updated     from 0x80100009 to 0x0000642C
SP3\WDMMDMLD.VXD     Checksum updated     from 0x00000110 to 0x00006E41
SP3\WINFILE.EXE     Checksum updated     from 0x09C00B8B to 0x0002EE10
SP3\WINMM.DLL     Checksum updated     from 0x00000000 to 0x0000E692

However, I haven't yet narrowed the list down to the specific files that might provoke the protection error...

 

 

Edited by swgreed

11 hours ago, swgreed said:

I guess it's not a good idea to fix the checksums of .vxd files?
After fixing all files with "PEChecksum" (from n7Epsilon) Windows 98 prompts me with a "protection error" "while initializing device CONFIGMS".

Obviously. .VxDs are LE executables, not PE executables. To "fix" the "PE checksum" of a file which is *not* a PE executable may destroy it. One needs to know what one's doing before actually going ahead and doing it...   :ph34r:
.PDRs are also LE executables, and there are plenty of NE executables, too, in 9x/Me...


Obviously I chose the way of "learning by doing" :D - I was not yet familiar with linear executables and new executables...
But thanks for pointing me in the right direction.

I was assuming that "PEChecksum" would have a look at offset 80h and check for "PE" before calculating a new checksum.

Would it also make sense to correct the checksum of NE and LE executables?


5 hours ago, swgreed said:

Would it also make sense to correct the checksum of NE and LE executables?

NEs do have a checksum field, but not even MS ever gave it any use, so better leave it alone (it may have been used for some purpose by the author of the particular file in question, although usually it's not); LEs don't have any global checksum, except in the DOS header (which is just a dummy in PEs, NEs and LEs, and normally set to 0). So, no. Not really. Do fix the checksums of all PEs only; all other file formats you'll work with don't need that.

 
:angel  BTW, you may find this useful:

 

Link to comment
Share on other sites
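
The format check discussed in this thread, as an added example that is not part of the original posts or of the PEChecksum tool: it reads e_lfanew from the DOS header at offset 0x3C instead of assuming 80h, classifies the file as PE, NE, LE or LX from the signature found there, and computes or writes a PE checksum only for PE images. The function names and the 220-byte sample image are assumptions made for illustration; the checksum routine follows the commonly documented PE algorithm (16-bit end-around-carry sum with the CheckSum field zeroed, plus the file length).

```python
import struct
# Added illustration: function names are hypothetical, sample data is constructed.

def exe_format(data: bytes) -> str:
    """Classify by the signature that e_lfanew (DOS header offset 0x3C) points to."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "unknown"                      # not an executable, e.g. .WAV or .CHM
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return "MZ"                           # plain DOS executable
    if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
        return "PE"
    return {b"NE": "NE", b"LE": "LE", b"LX": "LX"}.get(data[e_lfanew:e_lfanew + 2], "MZ")

def checksum_offset(data: bytes) -> int:
    """File offset of OptionalHeader.CheckSum; raises unless data is a PE image."""
    if exe_format(data) != "PE":
        raise ValueError("not a PE image: no PE checksum field to update")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    off = e_lfanew + 4 + 20 + 64              # signature + COFF header + field offset
    if off + 4 > len(data):
        raise ValueError("truncated PE header")
    return off

def pe_checksum(data: bytes) -> int:
    """16-bit end-around-carry sum with CheckSum treated as zero, plus file length."""
    off = checksum_offset(data)
    buf = bytearray(data) + b"\0" * (len(data) & 1)   # pad odd-length files
    buf[off:off + 4] = b"\0\0\0\0"
    total = 0
    for (word,) in struct.iter_unpack("<H", buf):
        total += word
        total = (total & 0xFFFF) + (total >> 16)      # fold the carry back in
    return (total + len(data)) & 0xFFFFFFFF

def fix_checksum(data: bytes) -> bytes:
    """Return a patched copy for PE input; return anything else byte-for-byte unchanged."""
    if exe_format(data) != "PE":
        return data
    out = bytearray(data)
    struct.pack_into("<I", out, checksum_offset(data), pe_checksum(data))
    return bytes(out)

def sample_image(signature: bytes) -> bytes:
    """Constructed 220-byte test image: MZ stub, e_lfanew = 0x80, given signature."""
    img = bytearray(b"MZ") + bytes(218)
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x80 + len(signature)] = signature
    return bytes(img)
```

Running `fix_checksum` over a mixed directory leaves LE (.VXD, .PDR), NE and non-executable files untouched, because nothing is written unless the signature at e_lfanew is `PE\0\0`.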
