
redbull 10-25-2005 17:59

Collection of external Sigs for PEID
 
1 Attachment(s)
Hi Guys,

I went onto PEID's web site and compiled a bit of a list of PEID external signatures.

Now I just checked the file and it seems to contain a few duplicates (my bad) but this does not affect the operation of PEID.

Also I was not choosy about which Sigs I added (I just milked all the ones since Jan-2005). Some of the sigs might give false positives. What I did do though was to try to order the sigs to perform version specific checks before generic checks.

Perhaps we can share more external sigs.

As usual replace or append this file onto userdb.txt in the PEID folder

Problem Sigs with UPolyX:

I think the sigs for UPolyX are not cool.

I tested by scanning Delphi 2005 install folder.

This is the biggest culprit:

[UPolyX v0.5]
signature = ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00
ep_only = false

But there are other problem sigs for UPolyX

WinRAR SFX is badly detected too!

NimDa2k 10-29-2005 13:44

user Sig for DB
 
1 Attachment(s)
This is my USERDB for PEiD ;)

diablo2oo2 10-30-2005 01:20

my userdb.txt is very big and there are a lot of double signatures.

I started today to write an optimizing tool. I will release the first version next week on my homepage.

shall i sort the signatures by the entry "ep_only" ? means ep_only=true as first signatures in the userdb.txt

alephz 10-31-2005 20:50

1 Attachment(s)
Quote:

Originally Posted by diablo2oo2
I started today to write an optimizing tool. I will release the first version next week on my homepage.

Nice idea. I started some work too, but haven't finished it due to a permanent timeout :-(

For now only view/sort and remove dups (automatically)

diablo2oo2 10-31-2005 21:06

How do you remove dupes? By name or by signature pattern? It's a nice idea to make a syslist view, where you can edit each signature. I also thought about adding a feature which allows you to import signatures from another signature file.
I also don't have much time to code this. Maybe it's also a good idea to release such a tool as a plugin for PEiD...

redbull 10-31-2005 23:06

Ok, I'm coding a stand-alone tool as we speak.

It will allow you to sort by name or by ep-type

It will highlight duplicates (names or signatures)
But simple duplicates eg (notice the spaces in the file before the field names)

Code:

[test1]
ep_only = true
signature = BE 88 00 ?? ?? 00 00

Code:

[test2]
ep_only=true
signature=BE 88 00 ?? ?? 00 00

not complex ones like

Code:

[test3]
ep_only=true
signature=BE ?? 00 ?? ?? 00 00

Even though test2 and test3 are very similar, I won't be doing that level of signature parsing.

I see that NimDa2k's file is 300KB uncompressed so my little proggie needs to be able to cater for this.

The idea to make it handle import / merging of new files is a nice idea.

Just got to think through the interface properly.

Let's see!

Nice job on your tool alephz, I like that interface..

NeOXOeN 11-01-2005 07:35

thx to Redbull and all who contributed sigs...

bye NeOXOeN

alephz 11-01-2005 13:27

PEiD Signature Manager
 
Quote:

Originally Posted by diablo2oo2
how do you remove dupes? by name or by signature pattern?

For me, the Name is not so important (may be variable), so i check dups by Pattern only (just str compare).

Quote:

maybe it's also a good idea to release such a tool as a plugin for PEiD
Not sure. The only thing PEiD gives to a plugin (as support) is a filename. In a standalone tool you get the filename in one click; in a plugin you go to the menu, select the plugin ... a few extra moves. Moreover, signature management is relatively rare work (in most cases you append a new signature in any text editor), so keep the menu shortest :-)

P.S.

One more signature

Code:

[VMProtect 1.06..1.07 -> PolyTech]
signature = 9C 60 68 00 00 00 00 8B 74 24 28 BF ?? ?? ?? ?? FC 89 F3 03 34 24 AC 00 D8
ep_only = false

Unfortunately, PEiD checks for EP first and neglects this one.

redbull 11-01-2005 16:42

2 Attachment(s)
Hi Guys,

An early Alpha version of my editing / sorting / duplicate searching tool

Code:

       
// Tick entry tmp2 as a duplicate of PS1 when name, signature and ep_only all match
PS2 := PPEIDSig(PEIDSigs.Items[tmp2]);
if PS1.Name = PS2.Name then
  if (PS1.Sig = PS2.Sig) and (PS1.isEPTrue = PS2.isEPTrue) then
    lstItems.Checked[tmp2] := true;

Currently I detect duplicates if the Name, Signature and EP_Only fields are
all the same, but obviously this will be configurable. (and the list has to be sorted)

Dupes.txt is a test file with three types of duplicates. I currently only detect it as two duplicates.
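An added example, not code from any poster in this thread or from PEiD: a small Python parser for the userdb.txt layout that normalizes field spacing and hex case, groups duplicates by a configurable key (pattern only, pattern plus ep_only, or name plus both, the variants discussed above), and scores how much of a signature is `??`, the property that makes the UPolyX v0.5 entry in the first post match so broadly. The sample entries are constructed from the test1 to test3 snippets, test4 is invented, and treating a missing ep_only as false is an assumption.

```python
# Constructed sample in userdb.txt layout (test1-test3 from the thread, test4 invented).
SAMPLE = """\
[test1]
   ep_only = true
   signature = BE 88 00 ?? ?? 00 00

[test2]
ep_only=true
signature=BE 88 00 ?? ?? 00 00

[test3]
ep_only=true
signature=BE ?? 00 ?? ?? 00 00

[test4]
signature = be 88 00 ?? ?? 00 00
ep_only = false
"""

def parse_userdb(text):
    """Return entries as dicts: name, signature (tuple of byte tokens), ep_only."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # Assumption: an entry without an ep_only line is treated as false.
            cur = {"name": line[1:-1], "signature": (), "ep_only": False}
            entries.append(cur)
        elif cur is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "signature":
                cur["signature"] = tuple(value.upper().split())
            elif key.lower() == "ep_only":
                cur["ep_only"] = value.lower() == "true"
    return entries

def find_duplicates(entries, by=("signature", "ep_only")):
    """Group entry names by the chosen fields; return groups with 2+ members."""
    groups = {}
    for e in entries:
        groups.setdefault(tuple(e[f] for f in by), []).append(e["name"])
    return [names for names in groups.values() if len(names) > 1]

def wildcard_ratio(entry):
    """Fraction of ?? tokens; a high value means the pattern constrains very little."""
    sig = entry["signature"]
    return sum(tok == "??" for tok in sig) / len(sig) if sig else 0.0
```

Sorting entries by `wildcard_ratio` before writing the file back is one way to review the loosest patterns first; it does not detect overlapping patterns such as test2 and test3.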

alephz 11-02-2005 14:13

1 Attachment(s)
Quote:

Originally Posted by redbull
An early Alpha version of my editing / sorting / duplicate searching tool

I think you need to redesign something in the main form - I can't even see any button on the form with any size of dialog.

redbull 11-02-2005 21:08

alephz, thanks ... strange one ... What o/s is that on ??

Busy fixing and registering a sourceforge project for this program.

alephz 11-02-2005 21:48

Quote:

Originally Posted by redbull
What o/s is that on ??

Win'2K + SP3, 1280x1024, 32bits, large font (150%)

redbull 11-02-2005 22:15

shit will have to test the large font story

