Exetools  

#1  redbull  (10-25-2005, 17:59)
Collection of external Sigs for PEID

Hi Guys,

I went onto PEID's web site and compiled a bit of a list of PEID external signatures.

Now I just checked the file and it seems to contain a few duplicates (my bad) but this does not affect the operation of PEID.

Also I was not choosy about which Sigs I added (I just milked all the ones since Jan-2005). Some of the sigs might give false positives. What I did do though was to try to order the sigs to perform version specific checks before generic checks.

Perhaps we can share more external sigs.

As usual, replace or append this file onto userdb.txt in the PEiD folder.

Problem Sigs with UPolyX:

I think the sigs for UPolyX are not cool.

I tested by scanning Delphi 2005 install folder.

This is the biggest culprit:

[UPolyX v0.5]
signature = ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00
ep_only = false

But there are other problem sigs for UPolyX

WinRAR SFX is badly detected too!
Attached file: PEID external sigs.txt (75.0 KB)
#2  NimDa2k  (10-29-2005, 13:44)
user Sig for DB

This is my USERDB for PEiD.
Attached file: userdb.rar (28.9 KB)
#3  diablo2oo2  (10-30-2005, 01:20)
My userdb.txt is very big and there are a lot of double signatures.

I started today to write an optimizing tool. I will release the first version next week on my homepage.

Shall I sort the signatures by the entry "ep_only"? Meaning ep_only=true as the first signatures in the userdb.txt.
#4  alephz  (10-31-2005, 20:50)
Quote from diablo2oo2:
I started today to write an optimizing tool. I will release the first version next week on my homepage.

Nice idea. I started some job too, but didn't finish due to permanent timeout :-(

For now only view/sort and remove dups (automatically)
Attached file: Undercooked.rar (9.1 KB)
#5  diablo2oo2  (10-31-2005, 21:06)
How do you remove dupes? By name or by signature pattern? It's a nice idea to make a syslist view where you can edit each signature. I also thought about adding a feature which allows you to import signatures from another signature file.
I also don't have much time to code this. Maybe it's also a good idea to release such a tool as a plugin for PEiD...
#6  redbull  (10-31-2005, 23:06)
OK, I'm coding a stand-alone tool as we speak.

It will allow you to sort by name or by EP type.

It will highlight duplicates (names or signatures).
But simple duplicates, e.g. (notice the spaces in the file before the field names):

Code:
[test1]
ep_only = true
signature = BE 88 00 ?? ?? 00 00
Code:
[test2]
ep_only=true
signature=BE 88 00 ?? ?? 00 00
not complex ones like:

Code:
[test3]
ep_only=true
signature=BE ?? 00 ?? ?? 00 00
Even though test2 and test3 are very similar, I won't be doing that level of signature parsing.

I see that NimDa2k's file is 300KB uncompressed so my little proggie needs to be able to cater for this.

The idea to make it handle import / merging of new files is a nice idea.

Just got to think through the interface properly.

Let's see!

Nice job on your tool alephz, I like that interface..
#7  NeOXOeN  (11-01-2005, 07:35)
Thanks to Redbull and all who contributed sigs...

bye NeOXOeN
#8  alephz  (11-01-2005, 13:27)
PEiD Signature Manager

Quote from diablo2oo2:
How do you remove dupes? By name or by signature pattern?
For me, the name is not so important (it may vary), so I check dups by pattern only (just a string compare).

Quote:
maybe it's also a good idea to release such a tool as a plugin for PEiD
Not sure. The only thing PEiD gives a plugin (as support) is a filename. In a standalone tool you get the filename in one click; in a plugin you go to the menu, select the plugin ... a few extra moves. Moreover, signature management is relatively rare work (in most cases you append a new sig just in any text editor), so keep the menu shortest :-)

P.S.

One more signature

Code:
[VMProtect 1.06..1.07 -> PolyTech]
signature = 9C 60 68 00 00 00 00 8B 74 24 28 BF ?? ?? ?? ?? FC 89 F3 03 34 24 AC 00 D8 
ep_only = false
Unfortunately, PEiD checks for EP first and neglects this one.

#9  redbull  (11-01-2005, 16:42)
Hi Guys,

An early alpha version of my editing / sorting / duplicate-searching tool:

Code:
{ Compare the current entry PS1 against entry tmp2 of the signature list }
PS2 := PPEIDSig(PEIDSigs.Items[tmp2]);
if PS1.Name = PS2.Name then
  if (PS1.Sig = PS2.Sig) and (PS1.isEPTrue = PS2.isEPTrue) then
    lstItems.Checked[tmp2] := True;  { tick the entry as a duplicate }
Currently I detect duplicates if the Name, Signature and EP_Only fields are
all the same, but obviously this will be configurable. (and the list has to be sorted)

Dupes.txt is a test file with three types of duplicates. I currently only detect it as two duplicates.
Attached files: PEIDUserDBEdit.rar (200.0 KB), Dupes.txt (1.6 KB)
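An added example in Python, not code from the thread or from any of the tools posted in it: it parses a constructed userdb.txt excerpt built from the test1/test2/test3 entries above, finds the "simple" duplicates redbull describes (same signature and ep_only once whitespace and byte case are normalised, with names ignored as alephz does), and scores each signature by its share of ?? wildcards so that mostly-wildcard entries like the UPolyX one in post #1 can be flagged as likely false-positive sources. The names parse_userdb, find_duplicates, wildcard_ratio and weak_signatures are my own, and the 0.7 threshold is an assumed cut-off.

```python
from collections import defaultdict

# Constructed userdb.txt excerpt: the thread's test1/test2/test3 entries plus a shortened wildcard-heavy entry in the style of the UPolyX one.
USERDB = """
[test1]
ep_only = true
signature = BE 88 00 ?? ?? 00 00
[test2]
ep_only=true
signature=BE 88 00 ?? ?? 00 00
[test3]
ep_only=true
signature=BE ?? 00 ?? ?? 00 00
[Wildcard heavy]
signature = ?? ?? ?? ?? ?? ?? ?? ?? 00 00 ?? ?? ?? ?? 00
ep_only = false
"""

def parse_userdb(text):
    """Parse userdb entries; spaces around '=' and byte case are normalised away."""
    sigs, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            cur = {'name': line[1:-1], 'signature': '', 'ep_only': False}
            sigs.append(cur)
        elif cur is not None and '=' in line:
            key, _, value = line.partition('=')
            key, value = key.strip().lower(), value.strip()
            if key == 'signature':
                cur['signature'] = ' '.join(value.upper().split())
            elif key == 'ep_only':
                cur['ep_only'] = value.lower() == 'true'
    return sigs

def find_duplicates(sigs):
    """Group names whose normalised signature and ep_only agree (the 'simple' dupes)."""
    groups = defaultdict(list)
    for s in sigs:
        groups[(s['signature'], s['ep_only'])].append(s['name'])
    return [names for names in groups.values() if len(names) > 1]

def wildcard_ratio(sig):
    """Share of '??' bytes: close to 1.0 means the pattern matches almost anything."""
    parts = sig.split()
    return parts.count('??') / len(parts) if parts else 1.0

def weak_signatures(sigs, threshold=0.7):
    """Names of mostly-wildcard signatures, the likely false-positive sources."""
    return [s['name'] for s in sigs if wildcard_ratio(s['signature']) >= threshold]
```

Run against a real userdb.txt, the wildcard score also catches a signature that would otherwise only show up as a false positive on a scan of an unpacked install folder.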
#10  alephz  (11-02-2005, 14:13)
Quote from redbull:
An early alpha version of my editing / sorting / duplicate-searching tool
I think you need to redesign something in the main form; I can't even see any button on the form with any size of dialog.
Attached image: Clipboard01.png (8.8 KB)
#11  redbull  (11-02-2005, 21:08)
alephz, thanks ... strange one ... What O/S is that on?

Busy fixing and registering a sourceforge project for this program.
#12  alephz  (11-02-2005, 21:48)
Quote from redbull:
What O/S is that on?
Win'2K + SP3, 1280x1024, 32bits, large font (150%)
#13  redbull  (11-02-2005, 22:15)
Shit, will have to test the large font story.

All times are GMT +8.