From d2a6c2e9ca13dd466f961bc651e105ba3651e595 Mon Sep 17 00:00:00 2001 From: David Maloney Date: Mon, 15 Aug 2016 14:01:43 -0500 Subject: [PATCH 1/3] move rex bintools into new gem move all the *scan *parsey code out into the new rex-bin_tools gem MS-1691 --- Gemfile.lock | 8 + lib/rex/assembly/nasm.rb | 104 -- lib/rex/compat.rb | 385 ------ lib/rex/elfparsey.rb | 9 - lib/rex/elfparsey/elf.rb | 121 -- lib/rex/elfparsey/elfbase.rb | 265 ---- lib/rex/elfparsey/exceptions.rb | 25 - lib/rex/elfscan.rb | 10 - lib/rex/elfscan/scanner.rb | 226 ---- lib/rex/elfscan/search.rb | 44 - lib/rex/file.rb | 160 --- lib/rex/image_source.rb | 10 - lib/rex/image_source/disk.rb | 58 - lib/rex/image_source/image_source.rb | 48 - lib/rex/image_source/memory.rb | 35 - lib/rex/machparsey.rb | 9 - lib/rex/machparsey/exceptions.rb | 31 - lib/rex/machparsey/mach.rb | 209 ---- lib/rex/machparsey/machbase.rb | 408 ------- lib/rex/machscan.rb | 9 - lib/rex/machscan/scanner.rb | 217 ---- lib/rex/peparsey.rb | 10 - lib/rex/peparsey/exceptions.rb | 30 - lib/rex/peparsey/pe.rb | 210 ---- lib/rex/peparsey/pe_memdump.rb | 61 - lib/rex/peparsey/pebase.rb | 1662 -------------------------- lib/rex/peparsey/section.rb | 128 -- lib/rex/pescan.rb | 11 - lib/rex/pescan/analyze.rb | 366 ------ lib/rex/pescan/scanner.rb | 230 ---- lib/rex/pescan/search.rb | 68 -- metasploit-framework.gemspec | 2 + spec/lib/rex/file_utils_spec.rb | 60 - 33 files changed, 10 insertions(+), 5219 deletions(-) delete mode 100644 lib/rex/assembly/nasm.rb delete mode 100644 lib/rex/compat.rb delete mode 100644 lib/rex/elfparsey.rb delete mode 100644 lib/rex/elfparsey/elf.rb delete mode 100644 lib/rex/elfparsey/elfbase.rb delete mode 100644 lib/rex/elfparsey/exceptions.rb delete mode 100644 lib/rex/elfscan.rb delete mode 100644 lib/rex/elfscan/scanner.rb delete mode 100644 lib/rex/elfscan/search.rb delete mode 100644 lib/rex/file.rb delete mode 100644 lib/rex/image_source.rb delete mode 100644 lib/rex/image_source/disk.rb delete mode 100644 lib/rex/image_source/image_source.rb delete mode 100644 lib/rex/image_source/memory.rb delete mode 100644 lib/rex/machparsey.rb delete mode 100644 lib/rex/machparsey/exceptions.rb delete mode 100644 lib/rex/machparsey/mach.rb delete mode 100644 lib/rex/machparsey/machbase.rb delete mode 100644 lib/rex/machscan.rb delete mode 100644 lib/rex/machscan/scanner.rb delete mode 100644 lib/rex/peparsey.rb delete mode 100644 lib/rex/peparsey/exceptions.rb delete mode 100644 lib/rex/peparsey/pe.rb delete mode 100644 lib/rex/peparsey/pe_memdump.rb delete mode 100644 lib/rex/peparsey/pebase.rb delete mode 100644 lib/rex/peparsey/section.rb delete mode 100644 lib/rex/pescan.rb delete mode 100644 lib/rex/pescan/analyze.rb delete mode 100644 lib/rex/pescan/scanner.rb delete mode 100644 lib/rex/pescan/search.rb delete mode 100644 spec/lib/rex/file_utils_spec.rb diff --git a/Gemfile.lock b/Gemfile.lock index 31e09eeeec..8efa851d4d 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -32,6 +32,7 @@ PATH recog redcarpet rex-arch + rex-bin_tools rex-java rex-ole rex-powershell @@ -225,6 +226,13 @@ GEM redcarpet (3.3.4) rex-arch (0.1.1) rex-text + rex-bin_tools (0.1.0) + metasm + rex-arch + rex-core + rex-struct2 + rex-text + rex-core (0.1.1) rex-java (0.1.2) rex-ole (0.1.2) rex-text diff --git a/lib/rex/assembly/nasm.rb b/lib/rex/assembly/nasm.rb deleted file mode 100644 index 705706b810..0000000000 --- a/lib/rex/assembly/nasm.rb +++ /dev/null @@ -1,104 +0,0 @@ -# -*- coding: binary -*- - -require 'tempfile' -require 'rex/file' -require 'rex/text' - -module Rex -module Assembly - -### -# -# This class uses nasm to assemble and disassemble stuff. -# -### -class Nasm - - @@nasm_path = 'nasm' - @@ndisasm_path = 'ndisasm' - - # - # Ensures that the nasm environment is sane. - # - def self.check - @@nasm_path = - Rex::FileUtils.find_full_path('nasm') || - Rex::FileUtils.find_full_path('nasm.exe') || - Rex::FileUtils.find_full_path('nasmw.exe') || - raise(RuntimeError, "No nasm installation was found.") - - @@ndisasm_path = - Rex::FileUtils.find_full_path('ndisasm') || - Rex::FileUtils.find_full_path('ndisasm.exe') || - Rex::FileUtils.find_full_path('ndisasmw.exe') || - raise(RuntimeError, "No ndisasm installation was found.") - end - - # - # Assembles the supplied assembly and returns the raw opcodes. - # - def self.assemble(assembly, bits=32) - check - - # Open the temporary file - tmp = Tempfile.new('nasmXXXX') - tmp.binmode - - tpath = tmp.path - opath = tmp.path + '.out' - - # Write the assembly data to a file - tmp.write("BITS #{bits}\n" + assembly) - tmp.flush() - tmp.seek(0) - - # Run nasm - if (system(@@nasm_path, '-f', 'bin', '-o', opath, tpath) == false) - raise RuntimeError, "Assembler did not complete successfully: #{$?.exitstatus}" - end - - # Read the assembled text - rv = ::IO.read(opath) - - # Remove temporary files - File.unlink(opath) - tmp.close(true) - - rv - end - - # - # Disassembles the supplied raw opcodes - # - def self.disassemble(raw, bits=32) - check - - tmp = Tempfile.new('nasmout') - tmp.binmode - - tfd = File.open(tmp.path, "wb") - - tfd.write(raw) - tfd.flush() - tfd.close - - p = ::IO.popen("\"#{@@ndisasm_path}\" -b #{bits} \"#{tmp.path}\"") - o = '' - - begin - until p.eof? - o += p.read - end - ensure - p.close - end - - tmp.close(true) - - o - end - -end - -end -end diff --git a/lib/rex/compat.rb b/lib/rex/compat.rb deleted file mode 100644 index a735ab5ba5..0000000000 --- a/lib/rex/compat.rb +++ /dev/null @@ -1,385 +0,0 @@ -# -*- coding: binary -*- -module Rex - -### -# -# This class provides os-specific functionality -# -### -module Compat - -STD_INPUT_HANDLE = -10 -STD_OUTPUT_HANDLE = -11 -STD_ERROR_HANDLE = -12 - -GENERIC_READ = 0x80000000 -GENERIC_WRITE = 0x40000000 -GENERIC_EXECUTE = 0x20000000 - -FILE_SHARE_READ = 0x00000001 -FILE_SHARE_WRITE = 0x00000002 -OPEN_EXISTING = 0x00000003 - -ENABLE_LINE_INPUT = 2 -ENABLE_ECHO_INPUT = 4 -ENABLE_PROCESSED_INPUT = 1 - - - -# -# Platform detection -# - -@@is_windows = @@is_cygwin = @@is_macosx = @@is_linux = @@is_bsdi = @@is_freebsd = @@is_netbsd = @@is_openbsd = @@is_java = false -@@loaded_win32api = false -@@loaded_tempfile = false -@@loaded_fileutils = false - - -def self.is_windows - return @@is_windows if @@is_windows - @@is_windows = (RUBY_PLATFORM =~ /mswin(32|64)|mingw(32|64)/) ? true : false -end - -def self.is_cygwin - return @@is_cygwin if @@is_cygwin - @@is_cygwin = (RUBY_PLATFORM =~ /cygwin/) ? true : false -end - -def self.is_macosx - return @@is_macosx if @@is_macosx - @@is_macosx = (RUBY_PLATFORM =~ /darwin/) ? true : false -end - -def self.is_linux - return @@is_linux if @@is_linux - @@is_linux = (RUBY_PLATFORM =~ /linux/) ? true : false -end - -def self.is_bsdi - return @@is_bsdi if @@is_bsdi - @@is_bsdi = (RUBY_PLATFORM =~ /bsdi/i) ? true : false -end - -def self.is_netbsd - return @@is_netbsd if @@is_netbsd - @@is_netbsd = (RUBY_PLATFORM =~ /netbsd/) ? true : false -end - -def self.is_freebsd - return @@is_freebsd if @@is_freebsd - @@is_freebsd = (RUBY_PLATFORM =~ /freebsd/) ? true : false -end - -def self.is_openbsd - return @@is_openbsd if @@is_openbsd - @@is_openbsd = (RUBY_PLATFORM =~ /openbsd/) ? true : false -end - -def self.is_java - return @@is_java if @@is_java - @@is_java = (RUBY_PLATFORM =~ /java/) ? true : false -end - -def self.is_wow64 - return false if not is_windows - is64 = false - begin - buff = "\x00" * 4 - Win32API.new("kernel32","IsWow64Process",['L','P'],'L').call(-1, buff) - is64 = (buff.unpack("V")[0]) == 1 ? true : false - rescue ::Exception - end - is64 -end - -def self.cygwin_to_win32(path) - if(path !~ /^\/cygdrive/) - return ::IO.popen("cygpath -w #{path}", "rb").read.strip - end - dir = path.split("/") - dir.shift - dir.shift - dir[0] = dir[0] + ":" - dir.join("\\") -end - -def self.open_file(url='') - case RUBY_PLATFORM - when /cygwin/ - path = self.cygwin_to_win32(url) - system(["cmd", "cmd"], "/c", "explorer", path) - else - self.open_browser(url) - end -end - -def self.open_browser(url='http://google.com/') - case RUBY_PLATFORM - when /cygwin/ - if(url[0,1] == "/") - self.open_file(url) - end - return if not @@loaded_win32api - Win32API.new("shell32.dll", "ShellExecute", ["PPPPPL"], "L").call(nil, "open", url, nil, nil, 0) - when /mswin32|mingw/ - return if not @@loaded_win32api - Win32API.new("shell32.dll", "ShellExecute", ["PPPPPL"], "L").call(nil, "open", url, nil, nil, 0) - when /darwin/ - system("open #{url}") - else - # Search through the PATH variable (if it exists) and chose a browser - # We are making an assumption about the nature of "PATH" so tread lightly - if defined? ENV['PATH'] - # "xdg-open" is more general than "sensible-browser" and can be useful for lots of - # file types -- text files, pcaps, or URLs. It's nearly always - # going to use the application the user is expecting. If we're not - # on something Debian-based, fall back to likely browsers. - ['xdg-open', 'sensible-browser', 'firefox', 'firefox-bin', 'opera', 'konqueror', 'chromium-browser'].each do |browser| - ENV['PATH'].split(':').each do |path| - # Does the browser exists? - if File.exist?("#{path}/#{browser}") - system("#{browser} #{url} &") - return - end - end - end - end - end -end - -def self.open_webrtc_browser(url='http://google.com/') - case RUBY_PLATFORM - when /mswin2|mingw|cygwin/ - paths = [ - "Google\\Chrome\\Application\\chrome.exe", - "Mozilla Firefox\\firefox.exe", - "Opera\\launcher.exe" - ] - - prog_files = ENV['ProgramFiles'] - paths = paths.map { |p| "#{prog_files}\\#{p}" } - - # Old chrome path - app_data = ENV['APPDATA'] - paths << "#{app_data}\\Google\\Chrome\\Application\\chrome.exe" - - paths.each do |path| - if File.exist?(path) - args = (path =~ /chrome\.exe/) ? "--allow-file-access-from-files" : "" - system("\"#{path}\" #{args} \"#{url}\"") - return true - end - end - - when /darwin/ - ['Google Chrome.app', 'Firefox.app'].each do |browser| - browser_path = "/Applications/#{browser}" - if File.directory?(browser_path) - args = (browser_path =~ /Chrome/) ? "--args --allow-file-access-from-files" : "" - - system("open #{url} -a \"#{browser_path}\" #{args} &") - return true - end - end - else - if defined? ENV['PATH'] - ['google-chrome', 'chrome', 'chromium', 'firefox' , 'firefox', 'opera'].each do |browser| - ENV['PATH'].split(':').each do |path| - browser_path = "#{path}/#{browser}" - if File.exist?(browser_path) - args = (browser_path =~ /Chrome/) ? "--allow-file-access-from-files" : "" - system("#{browser_path} #{args} #{url} &") - return true - end - end - end - end - end - - false -end - -def self.open_email(addr) - case RUBY_PLATFORM - when /mswin32|cygwin/ - return if not @@loaded_win32api - Win32API.new("shell32.dll", "ShellExecute", ["PPPPPL"], "L").call(nil, "open", "mailto:"+addr, nil, nil, 0) - when /darwin/ - system("open mailto:#{addr}") - else - # ? - end -end - -def self.play_sound(path) - case RUBY_PLATFORM - when /cygwin/ - path = self.cygwin_to_win32(path) - return if not @@loaded_win32api - Win32API.new("winmm.dll", "sndPlaySoundA", ["SI"], "I").call(path, 0x20000) - when /mswin32/ - return if not @@loaded_win32api - Win32API.new("winmm.dll", "sndPlaySoundA", ["SI"], "I").call(path, 0x20000) - when /darwin/ - system("afplay #{path} >/dev/null 2>&1") - else - system("aplay #{path} >/dev/null 2>&1") - end -end - -def self.getenv(var) - if (is_windows and @@loaded_win32api) - f = Win32API.new("kernel32", "GetEnvironmentVariable", ["P", "P", "I"], "I") - buff = "\x00" * 16384 - sz = f.call(var, buff, buff.length) - return nil if sz == 0 - buff[0,sz] - else - ENV[var] - end -end - -def self.setenv(var,val) - if (is_windows and @@loaded_win32api) - f = Win32API.new("kernel32", "SetEnvironmentVariable", ["P", "P"], "I") - f.call(var, val + "\x00") - else - ENV[var]= val - end -end - - -# -# Obtain the path to our interpreter -# -def self.win32_ruby_path - return nil if ! (is_windows and @@loaded_win32api) - gmh = Win32API.new("kernel32", "GetModuleHandle", ["P"], "L") - gmf = Win32API.new("kernel32", "GetModuleFileName", ["LPL"], "L") - mod = gmh.call(nil) - inf = "\x00" * 1024 - gmf.call(mod, inf, 1024) - inf.unpack("Z*")[0] -end - -# -# Call WinExec (equiv to system("cmd &")) -# -def self.win32_winexec(cmd) - return nil if ! (is_windows and @@loaded_win32api) - exe = Win32API.new("kernel32", "WinExec", ["PL"], "L") - exe.call(cmd, 0) -end - -# -# Verify the Console2 environment -# -def self.win32_console2_verify - return nil if ! (is_windows and @@loaded_win32api) - buf = "\x00" * 512 - out = Win32API.new("kernel32", "GetStdHandle", ["L"], "L").call(STD_OUTPUT_HANDLE) - res = Win32API.new("kernel32","GetConsoleTitle", ["PL"], "L").call(buf, buf.length-1) rescue 0 - ( res > 0 and buf.index("Console2 command").nil? ) ? false : true -end - -# -# Expand a 8.3 path to a full path -# -def self.win32_expand_path(path) - return nil if ! (is_windows and @@loaded_win32api) - glp = Win32API.new('kernel32', 'GetLongPathName', 'PPL', 'L') - buf = "\x00" * 260 - len = glp.call(path, buf, buf.length) - buf[0, len] -end - -# -# Platform independent socket pair -# -def self.pipe - - if (! is_windows()) - # Standard pipes should be fine - return ::IO.pipe - end - - # Create a socket connection for Windows - serv = nil - port = 1024 - - while (! serv and port < 65535) - begin - serv = TCPServer.new('127.0.0.1', (port += 1)) - rescue ::Exception - end - end - - pipe1 = TCPSocket.new('127.0.0.1', port) - - # Accept the forked child - pipe2 = serv.accept - - # Shutdown the server - serv.close - - return [pipe1, pipe2] -end - -# -# Copy a file to a temporary path -# - -def self.temp_copy(path) - raise RuntimeError,"missing Tempfile" if not @@loaded_tempfile - fd = File.open(path, "rb") - tp = Tempfile.new("msftemp") - tp.binmode - tp.write(fd.read(File.size(path))) - tp.close - fd.close - tp -end - -# -# Delete an opened temporary file -# - -def self.temp_delete(tp) - raise RuntimeError,"missing FileUtils" if not @@loaded_fileutils - begin - FileUtils.rm(tp.path) - rescue - end -end - - -# -# Initialization -# - -if(is_windows or is_cygwin) - begin - require "Win32API" - @@loaded_win32api = true - rescue ::Exception - end -end - -begin - require "tempfile" - @@loaded_tempfile = true -rescue ::Exception -end - -begin - require "fileutils" - @@loaded_fileutils = true -rescue ::Exception -end - - - -end -end - diff --git a/lib/rex/elfparsey.rb b/lib/rex/elfparsey.rb deleted file mode 100644 index bf29b396c9..0000000000 --- a/lib/rex/elfparsey.rb +++ /dev/null @@ -1,9 +0,0 @@ -# -*- coding: binary -*- - -module Rex -module ElfParsey - -end -end - -require 'rex/elfparsey/elf' diff --git a/lib/rex/elfparsey/elf.rb b/lib/rex/elfparsey/elf.rb deleted file mode 100644 index 4652c27f0b..0000000000 --- a/lib/rex/elfparsey/elf.rb +++ /dev/null @@ -1,121 +0,0 @@ -# -*- coding: binary -*- - -require 'rex/elfparsey/elfbase' -require 'rex/elfparsey/exceptions' -require 'rex/image_source' - -module Rex -module ElfParsey -class Elf < ElfBase - - attr_accessor :elf_header, :program_header, :base_addr, :isource - - def initialize(isource) - offset = 0 - base_addr = 0 - - # ELF Header - elf_header = ElfHeader.new(isource.read(offset, ELF_HEADER_SIZE)) - - # Data encoding - ei_data = elf_header.e_ident[EI_DATA,1].unpack("C")[0] - - e_phoff = elf_header.e_phoff - e_phentsize = elf_header.e_phentsize - e_phnum = elf_header.e_phnum - - # Program Header Table - program_header = [] - - e_phnum.times do |i| - offset = e_phoff + (e_phentsize * i) - - program_header << ProgramHeader.new( - isource.read(offset, PROGRAM_HEADER_SIZE), ei_data - ) - - if program_header[-1].p_type == PT_LOAD && program_header[-1].p_flags & PF_EXEC > 0 - base_addr = program_header[-1].p_vaddr - end - - end - - self.elf_header = elf_header - self.program_header = program_header - self.base_addr = base_addr - self.isource = isource - end - - def self.new_from_file(filename, disk_backed = false) - - file = ::File.new(filename) - # file.binmode # windows... :\ - - if disk_backed - return self.new(ImageSource::Disk.new(file)) - else - obj = new_from_string(file.read) - file.close - return obj - end - end - - def self.new_from_string(data) - return self.new(ImageSource::Memory.new(data)) - end - - # - # Returns true if this binary is for a 64-bit architecture. - # - def ptr_64? - unless [ ELFCLASS32, ELFCLASS64 ].include?( - elf_header.e_ident[EI_CLASS,1].unpack("C*")[0]) - raise ElfHeaderError, 'Invalid class', caller - end - - elf_header.e_ident[EI_CLASS,1].unpack("C*")[0] == ELFCLASS64 - end - - # - # Returns true if this binary is for a 32-bit architecture. - # This check does not take into account 16-bit binaries at the moment. - # - def ptr_32? - ptr_64? == false - end - - # - # Converts a virtual address to a string representation based on the - # underlying architecture. - # - def ptr_s(rva) - (ptr_32?) ? ("0x%.8x" % rva) : ("0x%.16x" % rva) - end - - def offset_to_rva(offset) - base_addr + offset - end - - def rva_to_offset(rva) - rva - base_addr - end - - def read(offset, len) - isource.read(offset, len) - end - - def read_rva(rva, len) - isource.read(rva_to_offset(rva), len) - end - - def index(*args) - isource.index(*args) - end - - def close - isource.close - end - -end -end -end diff --git a/lib/rex/elfparsey/elfbase.rb b/lib/rex/elfparsey/elfbase.rb deleted file mode 100644 index e950bdb69d..0000000000 --- a/lib/rex/elfparsey/elfbase.rb +++ /dev/null @@ -1,265 +0,0 @@ -# -*- coding: binary -*- - -require 'rex/struct2' - -module Rex -module ElfParsey -class ElfBase - - # ELF Header - - ELF_HEADER_SIZE = 52 - - EI_NIDENT = 16 - - ELF32_EHDR_LSB = Rex::Struct2::CStructTemplate.new( - [ 'string', 'e_ident', EI_NIDENT, '' ], - [ 'uint16v', 'e_type', 0 ], - [ 'uint16v', 'e_machine', 0 ], - [ 'uint32v', 'e_version', 0 ], - [ 'uint32v', 'e_entry', 0 ], - [ 'uint32v', 'e_phoff', 0 ], - [ 'uint32v', 'e_shoff', 0 ], - [ 'uint32v', 'e_flags', 0 ], - [ 'uint16v', 'e_ehsize', 0 ], - [ 'uint16v', 'e_phentsize', 0 ], - [ 'uint16v', 'e_phnum', 0 ], - [ 'uint16v', 'e_shentsize', 0 ], - [ 'uint16v', 'e_shnum', 0 ], - [ 'uint16v', 'e_shstrndx', 0 ] - ) - - ELF32_EHDR_MSB = Rex::Struct2::CStructTemplate.new( - [ 'string', 'e_ident', EI_NIDENT, '' ], - [ 'uint16n', 'e_type', 0 ], - [ 'uint16n', 'e_machine', 0 ], - [ 'uint32n', 'e_version', 0 ], - [ 'uint32n', 'e_entry', 0 ], - [ 'uint32n', 'e_phoff', 0 ], - [ 'uint32n', 'e_shoff', 0 ], - [ 'uint32n', 'e_flags', 0 ], - [ 'uint16n', 'e_ehsize', 0 ], - [ 'uint16n', 'e_phentsize', 0 ], - [ 'uint16n', 'e_phnum', 0 ], - [ 'uint16n', 'e_shentsize', 0 ], - [ 'uint16n', 'e_shnum', 0 ], - [ 'uint16n', 'e_shstrndx', 0 ] - ) - - # e_type This member identifies the object file type - - ET_NONE = 0 # No file type - ET_REL = 1 # Relocatable file - ET_EXEC = 2 # Executable file - ET_DYN = 3 # Shared object file - ET_CORE = 4 # Core file - ET_LOPROC = 0xff00 # Processor-specific - ET_HIPROC = 0xffff # Processor-specific - - # - # e_machine This member's value specifies the required architecture for an - # individual file. - # - - # ET_NONE = 0 # No machine - EM_M32 = 1 # AT&T WE 32100 - EM_SPARC = 2 # SPARC - EM_386 = 3 # Intel Architecture - EM_68K = 4 # Motorola 68000 - EM_88K = 5 # Motorola 88000 - EM_860 = 7 # Intel 80860 - EM_MIPS = 8 # MIPS RS3000 Big-Endian - EM_MIPS_RS4_BE = 10 # MIPS RS4000 Big-Endian - - # e_version This member identifies the object file version - - EV_NONE = 0 # Invalid version - EV_CURRENT = 1 # Current version - - - # ELF Identification - - # e_ident[] Identification indexes - - EI_MAG0 = 0 # File identification - EI_MAG1 = 1 # File identification - EI_MAG2 = 2 # File identification - EI_MAG3 = 3 # File identification - EI_CLASS = 4 # File class - EI_DATA = 5 # Data encoding - EI_VERSION = 6 # File version - EI_PAD = 7 # Start of padding bytes - # EI_NIDENT = 16 # Size of e_ident[] - - # - # EI_MAG0 to EI_MAG3 A file's first 4 bytes hold a "magic number", - # identifying the file as an ELF object file. - # - - ELFMAG0 = 0x7f # e_ident[EI_MAG0] - ELFMAG1 = ?E # e_ident[EI_MAG1] - ELFMAG2 = ?L # e_ident[EI_MAG2] - ELFMAG3 = ?F # e_ident[EI_MAG3] - - ELFMAG = ELFMAG0.chr + ELFMAG1.chr + ELFMAG2.chr + ELFMAG3.chr - - # EI_CLASS Identifies the file's class, or capacity - - ELFCLASSNONE = 0 # Invalid class - ELFCLASS32 = 1 # 32-bit objects - ELFCLASS64 = 2 # 64-bit objects - - # - # EI_DATA Specifies the data encoding of the processor-specific data in - # the object file. The following encodings are currently defined. - # - - ELFDATANONE = 0 # Invalid data encoding - ELFDATA2LSB = 1 # Least significant byte first - ELFDATA2MSB = 2 # Most significant byte first - - class GenericStruct - attr_accessor :struct - def initialize(_struct) - self.struct = _struct - end - - # The following methods are just pass-throughs for struct - - # Access a value - def v - struct.v - - end - - # Access a value by array - def [](*args) - struct[*args] - end - - # Obtain an array of all fields - def keys - struct.keys - end - - def method_missing(meth, *args) - v[meth.to_s] || (raise NoMethodError.new, meth) - end - end - - class GenericHeader < GenericStruct - end - - class ElfHeader < GenericHeader - def initialize(rawdata) - - # Identify the data encoding and parse ELF Header - elf_header = ELF32_EHDR_LSB.make_struct - - if !elf_header.from_s(rawdata) - raise ElfHeaderError, "Couldn't parse ELF Header", caller - end - - if elf_header.v['e_ident'][EI_DATA,1].unpack('C')[0] == ELFDATA2MSB - elf_header = ELF32_EHDR_MSB.make_struct - - if !elf_header.from_s(rawdata) - raise ElfHeaderError, "Couldn't parse ELF Header", caller - end - end - - unless [ ELFDATA2LSB, ELFDATA2MSB ].include?( - elf_header.v['e_ident'][EI_DATA,1].unpack('C')[0]) - raise ElfHeaderError, "Invalid data encoding", caller - end - - # Identify the file as an ELF object file - unless elf_header.v['e_ident'][EI_MAG0, 4] == ELFMAG - raise ElfHeaderError, 'Invalid magic number', caller - end - - self.struct = elf_header - end - - def e_ident - struct.v['e_ident'] - end - - end - - - # Program Header - - PROGRAM_HEADER_SIZE = 32 - - ELF32_PHDR_LSB = Rex::Struct2::CStructTemplate.new( - [ 'uint32v', 'p_type', 0 ], - [ 'uint32v', 'p_offset', 0 ], - [ 'uint32v', 'p_vaddr', 0 ], - [ 'uint32v', 'p_paddr', 0 ], - [ 'uint32v', 'p_filesz', 0 ], - [ 'uint32v', 'p_memsz', 0 ], - [ 'uint32v', 'p_flags', 0 ], - [ 'uint32v', 'p_align', 0 ] - ) - - ELF32_PHDR_MSB = Rex::Struct2::CStructTemplate.new( - [ 'uint32n', 'p_type', 0 ], - [ 'uint32n', 'p_offset', 0 ], - [ 'uint32n', 'p_vaddr', 0 ], - [ 'uint32n', 'p_paddr', 0 ], - [ 'uint32n', 'p_filesz', 0 ], - [ 'uint32n', 'p_memsz', 0 ], - [ 'uint32n', 'p_flags', 0 ], - [ 'uint32n', 'p_align', 0 ] - ) - - # p_flags This member tells which permissions should have the segment - - # Flags - - PF_EXEC = 1 - PF_WRITE = 2 - PF_READ = 4 - - - # - # p_type This member tells what kind of segment this array element - # describes or how to interpret the array element's information. - # - - # Segment Types - - PT_NULL = 0 - PT_LOAD = 1 - PT_DYNAMIC = 2 - PT_INTERP = 3 - PT_NOTE = 4 - PT_SHLIB = 5 - PT_PHDR = 6 - PT_LOPROC = 0x70000000 - PT_HIPROC = 0x7fffffff - - class ProgramHeader < GenericHeader - def initialize(rawdata, ei_data) - # Identify the data encoding and parse Program Header - if ei_data == ELFDATA2LSB - program_header = ELF32_PHDR_LSB.make_struct - elsif ei_data == ELFDATA2MSB - program_header = ELF32_PHDR_MSB.make_struct - else - raise ElfHeaderError, "Invalid data encoding", caller - end - - if !program_header.from_s(rawdata) - raise ProgramHeaderError, "Couldn't parse Program Header", caller - end - - self.struct = program_header - end - - end - -end -end -end diff --git a/lib/rex/elfparsey/exceptions.rb b/lib/rex/elfparsey/exceptions.rb deleted file mode 100644 index 9f0ea0ed03..0000000000 --- a/lib/rex/elfparsey/exceptions.rb +++ /dev/null @@ -1,25 +0,0 @@ -# -*- coding: binary -*- - -module Rex -module ElfParsey - -class ElfError < ::RuntimeError -end - -class ParseError < ElfError -end - -class ElfHeaderError < ParseError -end - -class ProgramHeaderError < ParseError -end - -class BoundsError < ElfError -end - -class ElfParseyError < ElfError -end - -end -end diff --git a/lib/rex/elfscan.rb b/lib/rex/elfscan.rb deleted file mode 100644 index 45361eb5b7..0000000000 --- a/lib/rex/elfscan.rb +++ /dev/null @@ -1,10 +0,0 @@ -# -*- coding: binary -*- - -module Rex -module ElfScan - -end -end - -require 'rex/elfscan/scanner' -require 'rex/elfscan/search' diff --git a/lib/rex/elfscan/scanner.rb b/lib/rex/elfscan/scanner.rb deleted file mode 100644 index 989418d8af..0000000000 --- a/lib/rex/elfscan/scanner.rb +++ /dev/null @@ -1,226 +0,0 @@ -# -*- coding: binary -*- -require 'metasm' - -module Rex -module ElfScan -module Scanner -class Generic - - attr_accessor :elf, :regex - - def initialize(elf) - self.elf = elf - end - - def config(param) - end - - def scan(param) - config(param) - - $stdout.puts "[#{param['file']}]" - elf.program_header.each do |program_header| - - # Scan only loadable segment entries in the program header table - if program_header.p_type == Rex::ElfParsey::ElfBase::PT_LOAD - hits = scan_segment(program_header, param) - hits.each do |hit| - rva = hit[0] - message = hit[1].is_a?(Array) ? hit[1].join(" ") : hit[1] - $stdout.puts elf.ptr_s(rva) + " " + message - if(param['disasm']) - message.gsub!("; ", "\n") - if message.include?("retn") - message.gsub!("retn", "ret") - end - - begin - d2 = Metasm::Shellcode.assemble(Metasm::Ia32.new, message).disassemble - rescue Metasm::ParseError - d2 = Metasm::Shellcode.disassemble(Metasm::Ia32.new, [message].pack('H*')) - end - - addr = 0 - while ((di = d2.disassemble_instruction(addr))) - disasm = "0x%08x\t" % (rva + addr) - disasm << di.instruction.to_s - $stdout.puts disasm - addr = di.next_addr - end - end - end - end - - end - end - - def scan_segment(program_header, param={}) - [] - end -end - -class JmpRegScanner < Generic - - def config(param) - regnums = param['args'] - - # build a list of the call bytes - calls = _build_byte_list(0xd0, regnums - [4]) # note call esp's don't work.. - jmps = _build_byte_list(0xe0, regnums) - pushs1 = _build_byte_list(0x50, regnums) - pushs2 = _build_byte_list(0xf0, regnums) - - regexstr = '(' - if !calls.empty? - regexstr += "\xff[#{calls}]|" - end - - regexstr += "\xff[#{jmps}]|([#{pushs1}]|\xff[#{pushs2}])(\xc3|\xc2..))" - - self.regex = Regexp.new(regexstr, nil, 'n') - end - - # build a list for regex of the possible bytes, based on a base - # byte and a list of register numbers.. - def _build_byte_list(base, regnums) - regnums.collect { |regnum| Regexp.escape((base | regnum).chr) }.join('') - end - - def _ret_size(offset) - case elf.read(offset, 1) - when "\xc3" - return 1 - when "\xc2" - return 3 - end - - raise "Cannot read at offset: #{offset}" - end - - def _parse_ret(data) - if data.length == 1 - return "ret" - else - return "retn 0x%04x" % data[1, 2].unpack('v')[0] - end - end - - - def scan_segment(program_header, param={}) - offset = program_header.p_offset - - hits = [] - - while (offset = elf.index(regex, offset)) != nil - - rva = elf.offset_to_rva(offset) - message = '' - - parse_ret = false - - byte1 = elf.read(offset, 1).unpack('C')[0] - - if byte1 == 0xff - byte2 = elf.read(offset+1, 1).unpack('C')[0] - regname = Rex::Arch::X86.reg_name32(byte2 & 0x7) - - case byte2 & 0xf8 - when 0xd0 - message = "call #{regname}" - offset += 2 - when 0xe0 - message = "jmp #{regname}" - offset += 2 - when 0xf0 - retsize = _ret_size(offset+2) - message = "push #{regname}; " + _parse_ret(elf.read(offset+2, retsize)) - offset += 2 + retsize - else - raise "Unexpected value at #{offset}" - end - else - regname = Rex::Arch::X86.reg_name32(byte1 & 0x7) - retsize = _ret_size(offset+1) - message = "push #{regname}; " + _parse_ret(elf.read(offset+1, retsize)) - offset += 1 + retsize - end - - hits << [ rva, message ] - end - - return hits - end -end - -class PopPopRetScanner < JmpRegScanner - - def config(param) - pops = _build_byte_list(0x58, (0 .. 7).to_a - [4]) # we don't want pop esp's... - self.regex = Regexp.new("[#{pops}][#{pops}](\xc3|\xc2..)", nil, 'n') - end - - def scan_segment(program_header, param={}) - offset = program_header.p_offset - - hits = [] - - while offset < program_header.p_offset + program_header.p_filesz && - (offset = elf.index(regex, offset)) != nil - - rva = elf.offset_to_rva(offset) - message = '' - - pops = elf.read(offset, 2) - reg1 = Rex::Arch::X86.reg_name32(pops[0,1].unpack('C*')[0] & 0x7) - reg2 = Rex::Arch::X86.reg_name32(pops[1,1].unpack('C*')[0] & 0x7) - - message = "pop #{reg1}; pop #{reg2}; " - - retsize = _ret_size(offset+2) - message += _parse_ret(elf.read(offset+2, retsize)) - - offset += 2 + retsize - - hits << [ rva, message ] - end - - return hits - end -end - -class RegexScanner < JmpRegScanner - - def config(param) - self.regex = Regexp.new(param['args'], nil, 'n') - end - - def scan_segment(program_header, param={}) - offset = program_header.p_offset - - hits = [] - - while offset < program_header.p_offset + program_header.p_filesz && - (offset = elf.index(regex, offset)) != nil - - idx = offset - buf = '' - mat = nil - - while (! (mat = buf.match(regex))) - buf << elf.read(idx, 1) - idx += 1 - end - - rva = elf.offset_to_rva(offset) - - hits << [ rva, buf.unpack("H*") ] - offset += buf.length - end - - return hits - end -end - -end -end -end diff --git a/lib/rex/elfscan/search.rb b/lib/rex/elfscan/search.rb deleted file mode 100644 index cd4a7a91c1..0000000000 --- a/lib/rex/elfscan/search.rb +++ /dev/null @@ -1,44 +0,0 @@ -# -*- coding: binary -*- - -module Rex -module ElfScan -module Search - - class DumpRVA - attr_accessor :elf - - def initialize(elf) - self.elf = elf - end - - def config(param) - @address = param['args'] - end - - def scan(param) - config(param) - - $stdout.puts "[#{param['file']}]" - - # Adjust based on -A and -B flags - pre = param['before'] || 0 - suf = param['after'] || 16 - - @address -= pre - @address = 0 if (@address < 0 || ! @address) - buf = elf.read_rva(@address, suf) - $stdout.puts elf.ptr_s(@address) + " " + buf.unpack("H*")[0] - end - end - - class DumpOffset < DumpRVA - def config(param) - begin - @address = elf.offset_to_rva(param['args']) - rescue Rex::ElfParsey::BoundsError - end - end - end -end -end -end diff --git a/lib/rex/file.rb b/lib/rex/file.rb deleted file mode 100644 index 8586be9159..0000000000 --- a/lib/rex/file.rb +++ /dev/null @@ -1,160 +0,0 @@ -# -*- coding: binary -*- -require 'find' -require 'rex/compat' -require 'tempfile' - -module Rex - -### -# -# This class provides helper methods for dealing with files that are not -# supplied by the standard ruby API. -# -### -module FileUtils - - # - # This method joins the paths together in Unix format. - # - def self.normalize_unix_path(*strs) - new_str = strs * '/' - new_str = new_str.gsub!("//", "/") while new_str.index("//") - - new_str - end - - # - # This method joins the paths together in Windows format. - # All reserved characters will be filtered out, including: - # " * : < > ? \ / | - # - def self.normalize_win_path(*strs) - # Convert to the same format so the parsing is easier - s = strs * '\\' - - # Filter out double slashes - s = s.gsub(/\\\\/, '\\') while s.index('\\\\') - - # Keep the trailing slash if exists - trailing_s = ('\\' if s =~ /\\$/) || '' - - # Check the items (fie/dir) individually - s = s.split(/\\/) - - # Parse the path prefix - prefix = (s[0] || '').gsub(/[\*<>\?\/]/, '') - - # Delete the original prefix. We want the new one later. - s.delete_at(0) - - # Filter out all the reserved characters - s.map! {|e| e.gsub(/["\*:<>\?\\\/|]/, '') } - - # Put the modified prefix back - s.insert(0, prefix) - - # And then safely join the items - s *= '\\' - - # Add the trailing slash back if exists - s << trailing_s - end - - # - # This method cleans the supplied path of directory traversal sequences - # It must accept path/with/..a/folder../starting/or/ending/in/two/dots - # but clean ../something as well as path/with/..\traversal - # - def self.clean_path(old) - path = old - while(path.index(/\/..\/|\/..\\|\\..\\|\\..\/|\A..\\|\A..\//) != nil) - path.gsub!(/\A..\\|\A..\//,'') #eliminate starting ..\ or ../ - path.gsub!(/\/..\/|\/..\\/,'/') #clean linux style - path.gsub!(/\\..\\|\\..\//,'\\') #clean windows style - end - path - end - - # - # This method searches the PATH environment variable for - # a fully qualified path to the supplied file name. - # - def self.find_full_path(file_name) - - # Check for the absolute fast first - if (file_name[0,1] == "/" and ::File.exist?(file_name) and ::File::Stat.new(file_name)) - return file_name - end - - path = Rex::Compat.getenv('PATH') - if (path) - path.split(::File::PATH_SEPARATOR).each { |base| - begin - # Deal with Windows paths surrounded by quotes. Prevents - # silliness like trying to look for - # '"C:\\framework\\nmap"\\nmap.exe' which will always fail. - base = $1 if base =~ /^"(.*)"$/ - path = base + ::File::SEPARATOR + file_name - if (::File::Stat.new(path) and not ::File.directory?(path)) - return path - end - rescue - end - } - end - return nil - end - -end - -class Quickfile < ::Tempfile - def initialize(*args) - super(*args) - self.binmode - ObjectSpace.undefine_finalizer(self) - end -end - -module Find - # - # Identical to Find.find from Ruby, but follows symlinks to directories. - # See http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/68671 - # - def self.find(*paths) - paths.collect!{|d| d.dup} - while file = paths.shift - catch(:prune) do - yield file.dup.taint - next unless File.exist? file - begin - if File.stat(file).directory? then - d = Dir.open(file) - begin - for f in d - next if f == "." or f == ".." - if File::ALT_SEPARATOR and file =~ /^(?:[\/\\]|[A-Za-z]:[\/\\]?)$/ then - f = file + f - elsif file == "/" then - f = "/" + f - else - f = File.join(file, f) - end - paths.unshift f.untaint - end - ensure - d.close - end - end - rescue Errno::ENOENT, Errno::EACCES - end - end - end - end - - def self.prune - throw :prune - end - -end - -end diff --git a/lib/rex/image_source.rb b/lib/rex/image_source.rb deleted file mode 100644 index e35a6876e4..0000000000 --- a/lib/rex/image_source.rb +++ /dev/null @@ -1,10 +0,0 @@ -# -*- coding: binary -*- - -module Rex -module ImageSource - -end -end - -require 'rex/image_source/disk' -require 'rex/image_source/memory' diff --git a/lib/rex/image_source/disk.rb b/lib/rex/image_source/disk.rb deleted file mode 100644 index 1b652aab25..0000000000 --- a/lib/rex/image_source/disk.rb +++ /dev/null @@ -1,58 +0,0 @@ -# -*- coding: binary -*- - -require 'rex/image_source/image_source' -require 'rex/struct2' - -module Rex -module ImageSource -class Disk < ImageSource - - attr_accessor :file, :file_offset, :size - - WINDOW_SIZE = 4096 - WINDOW_OVERLAP = 64 - - def initialize(_file, _offset = 0, _len = nil) - _len = _file.stat.size if !_len - - self.file = _file - self.file_offset = _offset - self.size = _len - end - - def read(offset, len) - if offset < 0 || offset+len > size - raise RangeError, "Offset #{offset} outside of image source", caller - end - - file.seek(file_offset + offset) - file.read(len) - end - - def index(search, offset = 0) - # do a sliding window search across the disk - while offset < size - - # get a full window size if we can, we - # don't want to read past our boundaries - wsize = size - offset - wsize = WINDOW_SIZE if wsize > WINDOW_SIZE - - window = self.read(offset, wsize) - res = window.index(search) - return res + offset if res - offset += WINDOW_SIZE - WINDOW_OVERLAP - end - end - - def subsource(offset, len) - self.class.new(file, file_offset+offset, len) - end - - def close - file.close - end -end - -end -end diff --git a/lib/rex/image_source/image_source.rb b/lib/rex/image_source/image_source.rb deleted file mode 100644 index 33c7e49138..0000000000 --- a/lib/rex/image_source/image_source.rb +++ /dev/null @@ -1,48 +0,0 @@ -# -*- coding: binary -*- - -module Rex -module ImageSource -class ImageSource - - # - # Um, just some abstract class stuff I guess, this is the interface - # that any image sources should subscribe to... - # - - def subsource(offset, len) - raise "do something" - end - - def size - raise "do something" - end - - def file_offset - raise "do something" - end - - def close - raise "do something" - end - - def read_asciiz(offset) - # FIXME, make me better - string = '' - loop do - begin - char = read(offset, 1) - rescue RangeError - break - end - break if char.nil? || char == "\x00" - offset += 1 - string << char - end - return string - end - - -end - -end -end diff --git a/lib/rex/image_source/memory.rb b/lib/rex/image_source/memory.rb deleted file mode 100644 index 5ba62f777e..0000000000 --- a/lib/rex/image_source/memory.rb +++ /dev/null @@ -1,35 +0,0 @@ -# -*- coding: binary -*- - -require 'rex/image_source/image_source' -require 'rex/struct2' - -module Rex -module ImageSource -class Memory < ImageSource - - attr_accessor :rawdata, :size, :file_offset - - def initialize(_rawdata, _file_offset = 0) - self.rawdata = _rawdata - self.size = _rawdata.length - self.file_offset = _file_offset - end - - def read(offset, len) - rawdata[offset, len] - end - - def subsource(offset, len) - self.class.new(rawdata[offset, len], offset + file_offset) - end - - def close - end - - def index(*args) - rawdata.index(*args) - end -end - -end -end diff --git a/lib/rex/machparsey.rb b/lib/rex/machparsey.rb deleted file mode 100644 index 373b8b865b..0000000000 --- a/lib/rex/machparsey.rb +++ /dev/null @@ -1,9 +0,0 @@ -# -*- coding: binary -*- - -module Rex -module MachParsey - -end -end - -require 'rex/machparsey/mach' diff --git a/lib/rex/machparsey/exceptions.rb b/lib/rex/machparsey/exceptions.rb deleted file mode 100644 index f7bbad9e41..0000000000 --- a/lib/rex/machparsey/exceptions.rb +++ /dev/null @@ -1,31 +0,0 @@ -# -*- coding: binary -*- - -module Rex -module MachParsey - -class MachError < ::RuntimeError -end - -class MachParseError < MachError -end - -class MachHeaderError < MachParseError -end - -class ProgramHeaderError < MachParseError -end - -class BoundsError < MachError -end - -class FatError < ::RuntimeError -end - -class FatParseError < FatError -end - -class FatHeaderError < FatParseError -end - -end -end diff --git a/lib/rex/machparsey/mach.rb b/lib/rex/machparsey/mach.rb deleted file mode 100644 index 98a6117248..0000000000 --- a/lib/rex/machparsey/mach.rb +++ /dev/null @@ -1,209 +0,0 @@ -# -*- coding: binary -*- - -require 'rex/machparsey/machbase' -require 'rex/machparsey/exceptions' -require 'rex/image_source' - -module Rex -module MachParsey - - -class Mach < MachBase - attr_accessor :mach_header, :segments, :isource, :bits, :endian, :arch, :fat_offset - - def initialize(isource, offset = 0, fat = false) - _parse_mach_header(isource, offset) - if fat == true - self.fat_offset = offset - else - self.fat_offset = 0 - end - - self.isource = isource - end - - def _parse_mach_header(isource, offset) - self.mach_header = MachHeader.new(isource.read(offset, MACH_HEADER_SIZE_64)) - bits = mach_header.bits - endian = mach_header.endian - ncmds = mach_header.ncmds - - if bits == BITS_32 - offset += MACH_HEADER_SIZE - else - offset += MACH_HEADER_SIZE_64 - end - - - segments = [] - ncmds.times do - load_command = LoadCommand.new(isource.read(offset, LOAD_COMMAND_SIZE), endian) - - case load_command.cmd - when LC_SEGMENT - segments << Segment.new(isource.read(offset, SEGMENT_COMMAND_SIZE), bits, endian) - when LC_SEGMENT_64 - segments << Segment.new(isource.read(offset, SEGMENT_COMMAND_SIZE_64), bits, endian) - end - - offset += load_command.cmdsize - end - - self.mach_header = mach_header - self.segments = segments - self.isource = isource - self.bits = bits - self.endian = endian - - return segments - end - - def self.new_from_file(filename, disk_backed = false) - - file = ::File.open(filename, "rb") - - if disk_backed - return self.new(ImageSource::Disk.new(file)) - else - obj = new_from_string(file.read) - file.close - return obj - end - end - - def self.new_from_string(data) - return self.new(ImageSource::Memory.new(data)) - end - - def ptr_64? - mach_header.bits == BITS_64 - end - - def ptr_32? - ptr_64? == false - end - - def ptr_s(vaddr) - (ptr_32?) ? ("0x%.8x" % vaddr) : ("0x%.16x" % vaddr) - end - - def read(offset, len) - isource.read(fat_offset + offset, len) - end - - def index(*args) - isource.index(*args) - end - - def close - isource.close - end - -end - -class Fat < FatBase - attr_accessor :fat_header, :fat_archs, :machos, :isource - - def initialize(isource, offset = 0) - self.fat_archs = [] - self.machos = [] - self.isource = isource - self.fat_header = FatHeader.new(isource.read(offset, FAT_HEADER_SIZE)) - - if !self.fat_header - raise FatHeaderError, "Could not parse FAT header" - end - - print "Detected " + self.fat_header.nfat_arch.to_s + " archs in binary.\n" - - offset += FAT_HEADER_SIZE - - self.fat_header.nfat_arch.times do - fat_arch = FatArch.new(isource.read(offset, FAT_ARCH_SIZE), self.fat_header.endian) - self.fat_archs << fat_arch - self.machos << Mach.new(isource, fat_arch.offset, true) - offset += FAT_ARCH_SIZE - end - - - end - - #this is useful for debugging but we don't use it for anything. - def _parse_fat_header(isource, offset) - archs = [] - nfat_arch = self.fat_header.nfat_arch - - print "Number of archs in binary: " + nfat_arch.to_s + "\n" - - nfat_arch.times do - arch = FatArch.new(isource.read(offset, FAT_ARCH_SIZE), self.endian) - - case arch.cpu_type - - when CPU_TYPE_I386 - print "i386\n" - - when CPU_TYPE_X86_64 - print "x86_64\n" - - when CPU_TYPE_ARM - print "Arm\n" - - when CPU_TYPE_POWERPC - print "Power PC\n" - - when CPU_TYPE_POWERPC64 - print "Power PC 64\n" - end - - offset += FAT_ARCH_SIZE - end - end - - def self.new_from_file(filename, disk_backed = false) - - file = ::File.open(filename, "rb") - - if disk_backed - return self.new(ImageSource::Disk.new(file)) - else - obj = new_from_string(file.read) - file.close - return obj - end - end - - - def self.new_from_string(data) - return self.new(ImageSource::Memory.new(data)) - end - - def ptr_64? - mach_header.bits == BITS_64 - end - - def ptr_32? - ptr_64? == false - end - - def ptr_s(vaddr) - (ptr_32?) ? ("0x%.8x" % vaddr) : ("0x%.16x" % vaddr) - end - - def read(offset, len) - isource.read(offset, len) - end - - def index(*args) - isource.index(*args) - end - - def close - isource.close - end - -end - - -end -end diff --git a/lib/rex/machparsey/machbase.rb b/lib/rex/machparsey/machbase.rb deleted file mode 100644 index e9eab5c18e..0000000000 --- a/lib/rex/machparsey/machbase.rb +++ /dev/null @@ -1,408 +0,0 @@ -# -*- coding: binary -*- - -require 'rex/struct2' - -module Rex -module MachParsey - -require 'rex/machparsey/exceptions' -require 'rex/struct2' - -class GenericStruct - attr_accessor :struct - def initialize(_struct) - self.struct = _struct - end - - # Access a value - def v - struct.v - end - - # Access a value by array - def [](*args) - struct[*args] - end - - # Obtain an array of all fields - def keys - struct.keys - end - - def method_missing(meth, *args) - v[meth.to_s] || (raise NoMethodError.new, meth) - end -end - -class GenericHeader < GenericStruct -end - -BITS_32 = 0 -BITS_64 = 1 -ENDIAN_LSB = 0 -ENDIAN_MSB = 1 - -class MachBase - - MH_MAGIC = 0xfeedface - MH_MAGIC_64 = 0xfeedfacf - MH_CIGAM = 0xcefaedfe - MH_CIGAM_64 = 0xcffaedfe - MACH_HEADER_SIZE = 28 - MACH_HEADER_SIZE_64 = 32 - - - MACH_HEADER_LSB = Rex::Struct2::CStructTemplate.new( - ['uint32v', 'magic', 0], - ['uint32v', 'cputype', 0], - ['uint32v', 'cpusubtype',0], - ['uint32v', 'filetype', 0], - ['uint32v', 'ncmds', 0], - ['uint32v', 'sizeofcmds',0], - ['uint32v', 'flags', 0] - ) - - MACH_HEADER_MSB = Rex::Struct2::CStructTemplate.new( - ['uint32n', 'magic', 0], - ['uint32n', 'cputype', 0], - ['uint32n', 'cpusubtype',0], - ['uint32n', 'filetype', 0], - ['uint32n', 'ncmds', 0], - ['uint32n', 'sizeofcmds',0], - ['uint32n', 'flags', 0] - ) - - - MACH_HEADER_64_LSB = Rex::Struct2::CStructTemplate.new( - ['uint32v', 'magic', 0], - ['uint32v', 'cputype', 0], - ['uint32v', 'cpusubtype',0], - ['uint32v', 'filetype', 0], - ['uint32v', 'ncmds', 0], - ['uint32v', 'sizeofcmds',0], - ['uint32v', 'flags', 0], - ['uint32v', 'reserved', 0] - ) - - MACH_HEADER_64_MSB = Rex::Struct2::CStructTemplate.new( - ['uint32n', 'magic', 0], - ['uint32n', 'cputype', 0], - ['uint32n', 'cpusubtype',0], - ['uint32n', 'filetype', 0], - ['uint32n', 'ncmds', 0], - ['uint32n', 'sizeofcmds',0], - ['uint32n', 'flags', 0], - ['uint32n', 'reserved', 0] - ) - - #cpu types for Mach-O binaries - CPU_TYPE_I386 = 0x7 - CPU_TYPE_X86_64 = 0x01000007 - CPU_TYPE_ARM = 0xC - CPU_TYPE_POWERPC = 0x12 - CPU_TYPE_POWERPC64 = 0x01000012 - - CPU_SUBTYPE_LITTLE_ENDIAN = 0 - CPU_SUBTYPE_BIG_ENDIAN = 1 - - LC_SEGMENT = 0x1 #/* segment of this file to be mapped */ - LC_SYMTAB = 0x2 #/* link-edit stab symbol table info */ - LC_SYMSEG = 0x3 #/* link-edit gdb symbol table info (obsolete) */ - LC_THREAD = 0x4 #/* thread */ - LC_UNIXTHREAD = 0x5 #/* unix thread (includes a stack) */ - LC_LOADFVMLIB = 0x6 #/* load a specified fixed VM shared library */ - LC_IDFVMLIB = 0x7 #/* fixed VM shared library identification */ - LC_IDENT = 0x8 #/* object identification info (obsolete) */ - LC_FVMFILE = 0x9 #/* fixed VM file inclusion (internal use) */ - LC_PREPAGE = 0xa #/* prepage command (internal use) */ - LC_DYSYMTAB = 0xb #/* dynamic link-edit symbol table info */ - LC_LOAD_DYLIB = 0xc #/* load a dynamicly linked shared library */ - LC_ID_DYLIB = 0xd #/* dynamicly linked shared lib identification */ - LC_LOAD_DYLINKER = 0xe #/* load a dynamic linker */ - LC_ID_DYLINKER = 0xf #/* dynamic linker identification */ - LC_PREBOUND_DYLIB = 0x10 #/* modules prebound for a dynamicly */ - LC_SEGMENT_64 = 0x19 #/* segment of this file to be mapped */ - - - - - class MachHeader < GenericHeader - attr_accessor :bits, :endian - - def initialize(rawdata) - mach_header = MACH_HEADER_LSB.make_struct - if !mach_header.from_s(rawdata) - raise MachHeaderError, "Could't access Mach-O Magic", caller - end - - if mach_header.v['magic'] == MH_MAGIC - endian = ENDIAN_LSB - bits = BITS_32 - mach_header = MACH_HEADER_LSB.make_struct - elsif mach_header.v['magic'] == MH_CIGAM - bits = BITS_32 - endian = ENDIAN_MSB - mach_header = MACH_HEADER_MSB.make_struct - elsif mach_header.v['magic'] == MH_MAGIC_64 - endian = ENDIAN_LSB - bits = BITS_64 - mach_header = MACH_HEADER_LSB.make_struct - elsif mach_header.v['magic'] == MH_CIGAM_64 - endian = ENDIAN_MSB - bits = BITS_64 - mach_header = MACH_HEADER_MSB.make_struct - else - raise MachHeaderError, "Couldn't find Mach Magic", caller - end - - if !mach_header.from_s(rawdata) - raise MachHeaderError, "Could't process Mach-O Header", caller - end - - self.struct = mach_header - self.endian = endian - self.bits = bits - end - end - - LOAD_COMMAND_SIZE = 8 - - LOAD_COMMAND_LSB = Rex::Struct2::CStructTemplate.new( - ['uint32v','cmd',0], - ['uint32v','cmdsize',0] - ) - - LOAD_COMMAND_MSB = Rex::Struct2::CStructTemplate.new( - ['uint32n','cmd',0], - ['uint32n','cmdsize',0] - ) - - class LoadCommand < GenericHeader - def initialize(rawdata, endian) - - if endian == ENDIAN_MSB - load_command = LOAD_COMMAND_MSB.make_struct - else - load_command = LOAD_COMMAND_LSB.make_struct - end - - if !load_command.from_s(rawdata) - raise MachParseError, "Couldn't parse load command" - end - - self.struct = load_command - - end - end - - SEGMENT_COMMAND_SIZE = 56 - - SEGMENT_COMMAND_LSB = Rex::Struct2::CStructTemplate.new( - ['uint32v', 'cmd', 0], - ['uint32v', 'cmdsize', 0], - ['string', 'segname', 16, ''], - ['uint32v', 'vmaddr', 0], - ['uint32v', 'vmsize', 0], - ['uint32v', 'fileoff', 0], - ['uint32v', 'filesize', 0], - ['uint32v', 'maxprot', 0], - ['uint32v', 'initprot', 0], - ['uint32v', 'nsects', 0], - ['uint32v', 'flags', 0] - ) - - SEGMENT_COMMAND_MSB = Rex::Struct2::CStructTemplate.new( - ['uint32n', 'cmd', 0], - ['uint32n', 'cmdsize', 0], - ['string', 'segname', 16, ''], - ['uint32n', 'vmaddr', 0], - ['uint32n', 'vmsize', 0], - ['uint32n', 'fileoff', 0], - ['uint32n', 'filesize', 0], - ['uint32n', 'maxprot', 0], - ['uint32n', 'initprot', 0], - ['uint32n', 'nsects', 0], - ['uint32n', 'flags', 0] - ) - - SEGMENT_COMMAND_SIZE_64 = 72 - - SEGMENT_COMMAND_64_LSB = Rex::Struct2::CStructTemplate.new( - ['uint32v', 'cmd', 0], - ['uint32v', 'cmdsize', 0], - ['string', 'segname', 16, ''], - ['uint64v', 'vmaddr', 0], - ['uint64v', 'vmsize', 0], - ['uint64v', 'fileoff', 0], - ['uint64v', 'filesize', 0], - ['uint32v', 'maxprot', 0], - ['uint32v', 'initprot', 0], - ['uint32v', 'nsects', 0], - ['uint32v', 'flags', 0] - ) - - SEGMENT_COMMAND_64_MSB = Rex::Struct2::CStructTemplate.new( - ['uint32n', 'cmd', 0], - ['uint32n', 'cmdsize', 0], - ['string', 'segname', 16, ''], - ['uint64n', 'vmaddr', 0], - ['uint64n', 'vmsize', 0], - ['uint64n', 'fileoff', 0], - ['uint64n', 'filesize', 0], - ['uint32n', 'maxprot', 0], - ['uint32n', 'initprot', 0], - ['uint32n', 'nsects', 0], - ['uint32n', 'flags', 0] - ) - - class Segment < GenericHeader - attr_accessor :_bits, :_endian - - def initialize(rawdata, bits, endian) - self._bits = bits - - if bits == BITS_64 - if endian == ENDIAN_MSB - segment_command = SEGMENT_COMMAND_64_MSB.make_struct - else - segment_command = SEGMENT_COMMAND_64_LSB.make_struct - end - else - if endian == ENDIAN_MSB - segment_command = SEGMENT_COMMAND_MSB.make_struct - else - segment_command = SEGMENT_COMMAND_LSB.make_struct - end - end - if !segment_command.from_s(rawdata) - raise MachParseError, "Couldn't parse segment command" - end - - self.struct = segment_command - end - - def Segname - v['segname'] - end - - def Vmaddr - v['vmaddr'] - end - - def Vmsize - v['vmsize'] - end - - def FileOff - v['fileoff'] - end - - def FileSize - v['filesize'] - end - end - - class Thread < GenericHeader - def initialize(rawdata) - end - end -end - - FAT_MAGIC = 0xcafebabe - FAT_CIGAM = 0xbebafeca - FAT_HEADER_SIZE = 8 - - FAT_HEADER_LSB = Rex::Struct2::CStructTemplate.new( - ['uint32v', 'magic', 0], - ['uint32v', 'nfat_arch',0] - ) - - FAT_HEADER_MSB = Rex::Struct2::CStructTemplate.new( - ['uint32n', 'magic', 0], - ['uint32n', 'nfat_arch',0] - ) - - - FAT_ARCH_SIZE = 20 - - FAT_ARCH_LSB = Rex::Struct2::CStructTemplate.new( - ['uint32v', 'cpu_type', 0], - ['uint32v', 'cpu_subtype',0], - ['uint32v', 'offset', 0], - ['uint32v', 'size', 0], - ['uint32v', 'align', 0] - ) - - FAT_ARCH_MSB = Rex::Struct2::CStructTemplate.new( - ['uint32n', 'cpu_type', 0], - ['uint32n', 'cpu_subtype',0], - ['uint32n', 'offset', 0], - ['uint32n', 'size', 0], - ['uint32n', 'align', 0] - ) - - -class FatBase - - class FatHeader < GenericHeader - attr_accessor :nfat_arch, :endian, :exists - - def initialize(rawdata) - fat_header = FAT_HEADER_LSB.make_struct - if !fat_header.from_s(rawdata) - #raise something - end - - magic = fat_header.v['magic'] - if magic == FAT_MAGIC - endian = ENDIAN_LSB - elsif magic == FAT_CIGAM - endian = ENDIAN_MSB - fat_header = FAT_HEADER_MSB.make_struct - if !fat_header.from_s(rawdata) - raise FatHeaderError, "Could not parse FAT header" - end - else - self.exists = 0 - return - end - - self.nfat_arch = fat_header.v['nfat_arch'] - self.struct = fat_header - self.endian = endian - end - end - - class FatArch < GenericHeader - attr_accessor :cpu_type, :cpu_subtype, :offset, :size - - def initialize(rawdata, endian) - if endian == ENDIAN_LSB - fat_arch = FAT_ARCH_LSB.make_struct - else - fat_arch = FAT_ARCH_MSB.make_struct - end - - if !fat_arch.from_s(rawdata) - raise FatHeaderError, "Could not parse arch from FAT header" - end - - self.cpu_type = fat_arch.v['cpu_type'] - self.cpu_subtype = fat_arch.v['cpu_subtype'] - self.offset = fat_arch.v['offset'] - self.size = fat_arch.v['size'] - self.struct = fat_arch - end - - end - - class Thread < GenericHeader - def initialize(rawdata) - end - end - - -end - -end -end diff --git a/lib/rex/machscan.rb b/lib/rex/machscan.rb deleted file mode 100644 index ce8d22724d..0000000000 --- a/lib/rex/machscan.rb +++ /dev/null @@ -1,9 +0,0 @@ -# -*- coding: binary -*- - -module Rex -module MachScan - -end -end - -require 'rex/machscan/scanner' diff --git a/lib/rex/machscan/scanner.rb b/lib/rex/machscan/scanner.rb deleted file mode 100644 index b1d9aaa5e4..0000000000 --- a/lib/rex/machscan/scanner.rb +++ /dev/null @@ -1,217 +0,0 @@ -# -*- coding: binary -*- - -module Rex -module MachScan -module Scanner -class Generic - - attr_accessor :mach, :fat, :regex - - def initialize(binary) - if binary.class == Rex::MachParsey::Mach - self.mach = binary - else - self.fat = binary - end - end - - def config(param) - end - - def scan(param) - config(param) - - $stdout.puts "[#{param['file']}]" - - if !self.mach - for mach in fat.machos - if mach.mach_header.cputype == 0x7 #since we only support intel for the time being its all we process - self.mach = mach - end - end - end - - self.mach.segments.each do |segment| - if segment.segname.include? "__TEXT" - scan_segment(segment, param).each do |hit| - vaddr = hit[0] - message = hit[1].is_a?(Array) ? hit[1].join(" ") : hit[1] - $stdout.puts self.mach.ptr_s(vaddr - self.mach.fat_offset) + " " + message - end - end - end - - end - - def scan_segment(segment, param={}) - [] - end -end - -class JmpRegScanner < Generic - - def config(param) - regnums = param['args'] - - # build a list of the call bytes - calls = _build_byte_list(0xd0, regnums - [4]) # note call esp's don't work.. - jmps = _build_byte_list(0xe0, regnums) - pushs1 = _build_byte_list(0x50, regnums) - pushs2 = _build_byte_list(0xf0, regnums) - - regexstr = '(' - if !calls.empty? - regexstr += "\xff[#{calls}]|" - end - - regexstr += "\xff[#{jmps}]|([#{pushs1}]|\xff[#{pushs2}])(\xc3|\xc2..))" - - self.regex = Regexp.new(regexstr, nil, 'n') - end - - # build a list for regex of the possible bytes, based on a base - # byte and a list of register numbers.. - def _build_byte_list(base, regnums) - regnums.collect { |regnum| Regexp.escape((base | regnum).chr) }.join('') - end - - def _ret_size(offset) - case mach.read(offset, 1) - when "\xc3" - return 1 - when "\xc2" - return 3 - end - $stderr.puts("Invalid return instruction") - end - - def _parse_ret(data) - if data.length == 1 - return "ret" - else - return "retn 0x%04x" % data[1, 2].unpack('v')[0] - end - end - - def scan_segment(segment, param={}) - base_addr = segment.vmaddr - segment_offset = segment.fileoff - offset = segment_offset - - hits = [] - - while (offset = mach.index(regex, offset)) != nil - - vaddr = base_addr + (offset - segment_offset) - message = '' - - parse_ret = false - - byte1 = mach.read(offset, 1).unpack("C*")[0] - - if byte1 == 0xff - byte2 = mach.read(offset+1, 1).unpack("C*")[0] - regname = Rex::Arch::X86.reg_name32(byte2 & 0x7) - - case byte2 & 0xf8 - when 0xd0 - message = "call #{regname}" - offset += 2 - when 0xe0 - message = "jmp #{regname}" - offset += 2 - when 0xf0 - retsize = _ret_size(offset+2) - message = "push #{regname}; " + _parse_ret(mach.read(offset+2, retsize)) - offset += 2 + retsize - else - raise "Unexpected value at offset: #{offset}" - end - else - regname = Rex::Arch::X86.reg_name32(byte1 & 0x7) - retsize = _ret_size(offset+1) - message = "push #{regname}; " + _parse_ret(mach.read(offset+1, retsize)) - offset += 1 + retsize - end - - hits << [ vaddr, message ] - end - - return hits - end -end - -class PopPopRetScanner < JmpRegScanner - - def config(param) - pops = _build_byte_list(0x58, (0 .. 7).to_a - [4]) # we don't want pop esp's... - self.regex = Regexp.new("[#{pops}][#{pops}](\xc3|\xc2..)", nil, 'n') - end - - def scan_segment(segment, param={}) - base_addr = segment.vmaddr - segment_offset = segment.fileoff - offset = segment_offset - - hits = [] - - while offset < segment.fileoff + segment.filesize && (offset = mach.index(regex, offset)) != nil - - vaddr = base_addr + (offset - segment_offset) - message = '' - - pops = mach.read(offset, 2) - reg1 = Rex::Arch::X86.reg_name32(pops[0,1].unpack("C*")[0] & 0x7) - reg2 = Rex::Arch::X86.reg_name32(pops[1,1].unpack("C*")[0] & 0x7) - - message = "pop #{reg1}; pop #{reg2}; " - - retsize = _ret_size(offset+2) - message += _parse_ret(mach.read(offset+2, retsize)) - - offset += 2 + retsize - - hits << [ vaddr, message ] - end - - return hits - end -end - -class RegexScanner < JmpRegScanner - - def config(param) - self.regex = Regexp.new(param['args'], nil, 'n') - end - - def scan_segment(segment, param={}) - base_addr = segment.vmaddr - segment_offset = segment.fileoff - offset = segment_offset - - hits = [] - - while offset < segment.fileoff + segment.filesize && (offset = mach.index(regex, offset)) != nil - - idx = offset - buf = '' - mat = nil - - while (! (mat = buf.match(regex))) - buf << mach.read(idx, 1) - idx += 1 - end - - vaddr = base_addr + (offset - segment_offset) - - hits << [ vaddr, buf.unpack("H*") ] - offset += buf.length - end - return hits - end -end - -end -end -end - diff --git a/lib/rex/peparsey.rb b/lib/rex/peparsey.rb deleted file mode 100644 index 139f6a1638..0000000000 --- a/lib/rex/peparsey.rb +++ /dev/null @@ -1,10 +0,0 @@ -# -*- coding: binary -*- - -module Rex -module PeParsey - -end -end - -require 'rex/peparsey/pe' -require 'rex/peparsey/pe_memdump' diff --git a/lib/rex/peparsey/exceptions.rb b/lib/rex/peparsey/exceptions.rb deleted file mode 100644 index c2725614fc..0000000000 --- a/lib/rex/peparsey/exceptions.rb +++ /dev/null @@ -1,30 +0,0 @@ -# -*- coding: binary -*- - -module Rex -module PeParsey - -class PeError < ::RuntimeError -end - -class ParseError < PeError -end - -class DosHeaderError < ParseError -end - -class FileHeaderError < ParseError -end - -class OptionalHeaderError < ParseError -end - -class BoundsError < PeError -end - -class PeParseyError < PeError -end - -class SkipError < PeError -end - -end end diff --git a/lib/rex/peparsey/pe.rb b/lib/rex/peparsey/pe.rb deleted file mode 100644 index 2ba37fc305..0000000000 --- a/lib/rex/peparsey/pe.rb +++ /dev/null @@ -1,210 +0,0 @@ -# -*- coding: binary -*- - -require 'rex/image_source' -require 'rex/peparsey/exceptions' -require 'rex/peparsey/pebase' -require 'rex/peparsey/section' -require 'rex/struct2' - -module Rex -module PeParsey -class Pe < PeBase - - def initialize(isource) - - # - # DOS Header - # - # Parse the initial dos header, starting at the file beginning - # - offset = 0 - dos_header = self.class._parse_dos_header(isource.read(offset, IMAGE_DOS_HEADER_SIZE)) - - # - # File Header - # - # If there is going to be a PE, the dos header tells us where to find it - # So now we try to parse the file (pe) header - # - offset += dos_header.e_lfanew - - # most likely an invalid e_lfanew... - if offset > isource.size - raise FileHeaderError, "e_lfanew looks invalid", caller - end - - file_header = self.class._parse_file_header(isource.read(offset, IMAGE_FILE_HEADER_SIZE)) - - # - # Optional Header - # - # After the file header, we find the optional header. Right now - # we require a optional header. Despite it's name, all binaries - # that we are interested in should have one. We need this - # header for a lot of stuff, so we die without it... - # - offset += IMAGE_FILE_HEADER_SIZE - optional_header = self.class._parse_optional_header( - isource.read(offset, file_header.SizeOfOptionalHeader) - ) - - if !optional_header - raise OptionalHeaderError, "No optional header!", caller - end - - base = optional_header.ImageBase - - # - # Section Headers - # - # After the optional header should be the section headers. - # We know how many there should be from the file header... - # - offset += file_header.SizeOfOptionalHeader - - num_sections = file_header.NumberOfSections - section_headers = self.class._parse_section_headers( - isource.read(offset, IMAGE_SIZEOF_SECTION_HEADER * num_sections) - ) - - # - # End of Headers - # - # After the section headers (which are padded to FileAlignment) - # we should find the section data, described by the section - # headers... - # - # So this is the end of our header data, lets store this - # in an image source for possible access later... - # - offset += IMAGE_SIZEOF_SECTION_HEADER * num_sections - offset = self.class._align_offset(offset, optional_header.FileAlignment) - - header_section = Section.new(isource.subsource(0, offset), 0, nil) - - # - # Sections - # - # So from here on out should be section data, and then any - # trailing data (like authenticode and stuff I think) - # - - sections = [ ] - - section_headers.each do |section_header| - - rva = section_header.VirtualAddress - size = section_header.SizeOfRawData - file_offset = section_header.PointerToRawData - - sections << Section.new( - isource.subsource(file_offset, size), - rva, - section_header - ) - end - - - - # - # Save the stuffs! - # - # We have parsed enough to load the file up here, now we just - # save off all of the structures and data... We will - # save our fake header section, the real sections, etc. - # - - # - # These should not be accessed directly - # - - self._isource = isource - - self._dos_header = dos_header - self._file_header = file_header - self._optional_header = optional_header - self._section_headers = section_headers - - self.image_base = base - self.sections = sections - self.header_section = header_section - - self._config_header = _parse_config_header() - self._tls_header = _parse_tls_header() - - # These can be accessed directly - self.hdr = HeaderAccessor.new - self.hdr.dos = self._dos_header - self.hdr.file = self._file_header - self.hdr.opt = self._optional_header - self.hdr.sections = self._section_headers - self.hdr.config = self._config_header - self.hdr.tls = self._tls_header - self.hdr.exceptions = self._exception_header - - # We load the exception directory last as it relies on hdr.file to be created above. - self._exception_header = _load_exception_directory() - end - - # - # Return everything that's going to be mapped in the process - # and accessable. This should include all of the sections - # and our "fake" section for the header data... - # - def all_sections - [ header_section ] + sections - end - - # - # Returns true if this binary is for a 64-bit architecture. - # - def ptr_64? - [ - IMAGE_FILE_MACHINE_IA64, - IMAGE_FILE_MACHINE_ALPHA64, - IMAGE_FILE_MACHINE_AMD64 - ].include?(self._file_header.Machine) - end - - # - # Returns true if this binary is for a 32-bit architecture. - # This check does not take into account 16-bit binaries at the moment. - # - def ptr_32? - ptr_64? == false - end - - # - # Converts a virtual address to a string representation based on the - # underlying architecture. - # - def ptr_s(va) - (ptr_32?) ? ("0x%.8x" % va) : ("0x%.16x" % va) - end - - # - # Converts a file offset into a virtual address - # - def file_offset_to_va(offset) - image_base + file_offset_to_rva(offset) - end - - # - # Read raw bytes from the specified offset in the underlying file - # - # NOTE: You should pass raw file offsets into this, not offsets from - # the beginning of the section. If you need to read from within a - # section, add section.file_offset prior to passing the offset in. - # - def read(offset, len) - _isource.read(offset, len) - end - - def size - _isource.size - end - def length - _isource.size - end - -end end end diff --git a/lib/rex/peparsey/pe_memdump.rb b/lib/rex/peparsey/pe_memdump.rb deleted file mode 100644 index f719b877a7..0000000000 --- a/lib/rex/peparsey/pe_memdump.rb +++ /dev/null @@ -1,61 +0,0 @@ -# -*- coding: binary -*- - -require 'rex/image_source' -require 'rex/peparsey/exceptions' -require 'rex/peparsey/pebase' -require 'rex/peparsey/section' -require 'rex/struct2' - -# -# This class is for use with memdump.exe generated dump images. It basically -# just lies, gets the ImageBase from the file name, and generates 1 big -# header_section with all of the data in it... -# - -module Rex -module PeParsey -class PeMemDump < Pe - - def self.new_from_string(data) - raise NotImplementError - end - - def self.new_from_file(filename, disk_backed = false) - - if filename[-4, 4] != '.rng' - raise "Not a .rng file: #{filename}" - end - - if filename[-9, 9] == "index.rng" - raise SkipError - end - - file = File.open(filename, 'rb') - - if disk_backed - obj = ImageSource::Disk.new(file) - else - obj = ImageSource::Memory.new(file.read) - obj.close - end - - return self.new(obj, filename.gsub(/.*[\/\\]/, '')[0,8].hex) - end - - def initialize(isource, base) - self._isource = isource - self.header_section = Section.new(isource, base, nil) - self.sections = [ self.header_section ] - self.image_base = 0 - end - - def all_sections - self.sections - end - - # No 64-bit support - def ptr_64? - false - end - -end end end diff --git a/lib/rex/peparsey/pebase.rb b/lib/rex/peparsey/pebase.rb deleted file mode 100644 index 6dc7668207..0000000000 --- a/lib/rex/peparsey/pebase.rb +++ /dev/null @@ -1,1662 +0,0 @@ -# -*- coding: binary -*- - -require 'rex/peparsey/exceptions' -require 'rex/struct2' - -module Rex -module PeParsey -class PeBase - - - # #define IMAGE_DOS_SIGNATURE 0x5A4D // MZ - IMAGE_DOS_SIGNATURE = 0x5a4d - - IMAGE_DOS_HEADER_SIZE = 64 - # Struct - # typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header - # WORD e_magic; // Magic number - # WORD e_cblp; // Bytes on last page of file - # WORD e_cp; // Pages in file - # WORD e_crlc; // Relocations - # WORD e_cparhdr; // Size of header in paragraphs - # WORD e_minalloc; // Minimum extra paragraphs needed - # WORD e_maxalloc; // Maximum extra paragraphs needed - # WORD e_ss; // Initial (relative) SS value - # WORD e_sp; // Initial SP value - # WORD e_csum; // Checksum - # WORD e_ip; // Initial IP value - # WORD e_cs; // Initial (relative) CS value - # WORD e_lfarlc; // File address of relocation table - # WORD e_ovno; // Overlay number - # WORD e_res[4]; // Reserved words - # WORD e_oemid; // OEM identifier (for e_oeminfo) - # WORD e_oeminfo; // OEM information; e_oemid specific - # WORD e_res2[10]; // Reserved words - # LONG e_lfanew; // File address of new exe header - # } IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER; - IMAGE_DOS_HEADER = Rex::Struct2::CStructTemplate.new( - [ 'uint16v', 'e_magic', IMAGE_DOS_SIGNATURE ], - [ 'uint16v', 'e_cblp', 0 ], - [ 'uint16v', 'e_cp', 0 ], - [ 'uint16v', 'e_crlc', 0 ], - [ 'uint16v', 'e_cparhdr', 0 ], - [ 'uint16v', 'e_minalloc', 0 ], - [ 'uint16v', 'e_maxalloc', 0 ], - [ 'uint16v', 'e_ss', 0 ], - [ 'uint16v', 'e_sp', 0 ], - [ 'uint16v', 'e_csum', 0 ], - [ 'uint16v', 'e_ip', 0 ], - [ 'uint16v', 'e_cs', 0 ], - [ 'uint16v', 'e_lfarlc', 0 ], - [ 'uint16v', 'e_ovno', 0 ], - [ 'template', 'e_res', Rex::Struct2::CStructTemplate.new( - [ 'uint16v', 'e_res_0', 0 ], - [ 'uint16v', 'e_res_1', 0 ], - [ 'uint16v', 'e_res_2', 0 ], - [ 'uint16v', 'e_res_3', 0 ] - )], - [ 'uint16v', 'e_oemid', 0 ], - [ 'uint16v', 'e_oeminfo', 0 ], - [ 'template', 'e_res2', Rex::Struct2::CStructTemplate.new( - [ 'uint16v', 'e_res2_0', 0 ], - [ 'uint16v', 'e_res2_1', 0 ], - [ 'uint16v', 'e_res2_2', 0 ], - [ 'uint16v', 'e_res2_3', 0 ], - [ 'uint16v', 'e_res2_4', 0 ], - [ 'uint16v', 'e_res2_5', 0 ], - [ 'uint16v', 'e_res2_6', 0 ], - [ 'uint16v', 'e_res2_7', 0 ], - [ 'uint16v', 'e_res2_8', 0 ], - [ 'uint16v', 'e_res2_9', 0 ] - )], - [ 'uint32v', 'e_lfanew', 0 ] - ) - - - class HeaderAccessor - attr_accessor :dos, :file, :opt, :sections, :config, :exceptions, :tls - def initialize - end - end - - class GenericStruct - attr_accessor :struct - def initialize(_struct) - self.struct = _struct - end - - # The following methods are just pass-throughs for struct - - # Access a value - def v - struct.v - end - - # Access a value by array - def [](*args) - struct[*args] - end - - # Obtain an array of all fields - def keys - struct.keys - end - - def method_missing(meth, *args) - v[meth.to_s] || (raise NoMethodError.new, meth) - end - end - - class GenericHeader < GenericStruct - end - - class DosHeader < GenericHeader - - def initialize(rawdata) - dos_header = IMAGE_DOS_HEADER.make_struct - - if !dos_header.from_s(rawdata) - raise DosHeaderError, "Couldn't parse IMAGE_DOS_HEADER", caller - end - - if dos_header.v['e_magic'] != IMAGE_DOS_SIGNATURE - raise DosHeaderError, "Couldn't find DOS e_magic", caller - end - - self.struct = dos_header - end - - def e_lfanew - v['e_lfanew'] - end - end - - - def self._parse_dos_header(rawdata) - return DosHeader.new(rawdata) - end - - # #define IMAGE_NT_SIGNATURE 0x00004550 // PE00 - IMAGE_NT_SIGNATURE = 0x00004550 - # #define IMAGE_FILE_MACHINE_I386 0x014c // Intel 386. - IMAGE_FILE_MACHINE_I386 = 0x014c - # #define IMAGE_FILE_MACHINE_IA64 0x0200 // Intel 64 - IMAGE_FILE_MACHINE_IA64 = 0x0200 - # #define IMAGE_FILE_MACHINE_ALPHA64 0x0284 // ALPHA64 - IMAGE_FILE_MACHINE_ALPHA64 = 0x0284 - # #define IMAGE_FILE_MACHINE_AMD64 0x8664 // AMD64 (K8) - IMAGE_FILE_MACHINE_AMD64 = 0x8664 - # #define IMAGE_SIZEOF_FILE_HEADER 20 - IMAGE_FILE_HEADER_SIZE = 20+4 # because we include the signature - - # C struct defining the PE file header - # typedef struct _IMAGE_FILE_HEADER { - # WORD Machine; - # WORD NumberOfSections; - # DWORD TimeDateStamp; - # DWORD PointerToSymbolTable; - # DWORD NumberOfSymbols; - # WORD SizeOfOptionalHeader; - # WORD Characteristics; - # } IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER; - IMAGE_FILE_HEADER = Rex::Struct2::CStructTemplate.new( - # not really in the header, but easier for us this way - [ 'uint32v', 'NtSignature', 0 ], - [ 'uint16v', 'Machine', 0 ], - [ 'uint16v', 'NumberOfSections', 0 ], - [ 'uint32v', 'TimeDateStamp', 0 ], - [ 'uint32v', 'PointerToSymbolTable', 0 ], - [ 'uint32v', 'NumberOfSymbols', 0 ], - [ 'uint16v', 'SizeOfOptionalHeader', 0 ], - [ 'uint16v', 'Characteristics', 0 ] - ) - - SUPPORTED_MACHINES = [ - IMAGE_FILE_MACHINE_I386, - IMAGE_FILE_MACHINE_IA64, - IMAGE_FILE_MACHINE_ALPHA64, - IMAGE_FILE_MACHINE_AMD64 - ] - - class FileHeader < GenericHeader - def initialize(rawdata) - file_header = IMAGE_FILE_HEADER.make_struct - - if !file_header.from_s(rawdata) - raise FileHeaderError, "Couldn't parse IMAGE_FILE_HEADER", caller - end - - if file_header.v['NtSignature'] != IMAGE_NT_SIGNATURE - raise FileHeaderError, "Couldn't find the PE magic!" - end - - if SUPPORTED_MACHINES.include?(file_header.v['Machine']) == false - raise FileHeaderError, "Unsupported machine type: #{file_header.v['Machine']}", caller - end - - self.struct = file_header - end - - def Machine - v['Machine'] - end - - def SizeOfOptionalHeader - v['SizeOfOptionalHeader'] - end - - def NumberOfSections - v['NumberOfSections'] - end - end - - def self._parse_file_header(rawdata) - return FileHeader.new(rawdata) - end - - IMAGE_ORDINAL_FLAG32 = 0x80000000 - IMAGE_IMPORT_DESCRIPTOR_SIZE = 20 - # Struct - # typedef struct _IMAGE_IMPORT_DESCRIPTOR { - # union { - # DWORD Characteristics; // 0 for terminating null import descriptor - # DWORD OriginalFirstThunk; // RVA to original unbound IAT (PIMAGE_THUNK_DATA) - # }; - # DWORD TimeDateStamp; // 0 if not bound, - # // -1 if bound, and real date\time stamp - # // in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND) - # // O.W. date/time stamp of DLL bound to (Old BIND) - # - # DWORD ForwarderChain; // -1 if no forwarders - # DWORD Name; - # DWORD FirstThunk; // RVA to IAT (if bound this IAT has actual addresses) - # } IMAGE_IMPORT_DESCRIPTOR; - IMAGE_IMPORT_DESCRIPTOR = Rex::Struct2::CStructTemplate.new( - [ 'uint32v', 'OriginalFirstThunk', 0 ], - [ 'uint32v', 'TimeDateStamp', 0 ], - [ 'uint32v', 'ForwarderChain', 0 ], - [ 'uint32v', 'Name', 0 ], - [ 'uint32v', 'FirstThunk', 0 ] - ) - - # typedef struct _IMAGE_IMPORT_BY_NAME { - # WORD Hint; - # BYTE Name[1]; - # } IMAGE_IMPORT_BY_NAME, *PIMAGE_IMPORT_BY_NAME; - # - - class ImportDescriptor - attr_accessor :name, :entries - def initialize(_name, _entries) - self.name = _name - self.entries = _entries - end - end - - class ImportEntry - attr_accessor :name, :ordinal - def initialize(_name, _ordinal) - self.name = _name - self.ordinal = _ordinal - end - end - - # sizeof(struct _IMAGE_EXPORT_DESCRIPTOR) - IMAGE_EXPORT_DESCRIPTOR_SIZE = 40 - # Struct defining the export table - # typedef struct _IMAGE_EXPORT_DIRECTORY { - # DWORD Characteristics; - # DWORD TimeDateStamp; - # WORD MajorVersion; - # WORD MinorVersion; - # DWORD Name; - # DWORD Base; - # DWORD NumberOfFunctions; - # DWORD NumberOfNames; - # DWORD AddressOfFunctions; // RVA from base of image - # DWORD AddressOfNames; // RVA from base of image - # DWORD AddressOfNameOrdinals; // RVA from base of image - # } IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY; - IMAGE_EXPORT_DESCRIPTOR = Rex::Struct2::CStructTemplate.new( - [ 'uint32v', 'Characteristics', 0 ], - [ 'uint32v', 'TimeDateStamp', 0 ], - [ 'uint16v', 'MajorVersion', 0 ], - [ 'uint16v', 'MinorVersion', 0 ], - [ 'uint32v', 'Name', 0 ], - [ 'uint32v', 'Base', 0 ], - [ 'uint32v', 'NumberOfFunctions', 0 ], - [ 'uint32v', 'NumberOfNames', 0 ], - [ 'uint32v', 'AddressOfFunctions', 0 ], - [ 'uint32v', 'AddressOfNames', 0 ], - [ 'uint32v', 'AddressOfNameOrdinals', 0 ] - ) - - class ExportDirectory - attr_accessor :name, :entries, :base - - def initialize(_name, _entries, _base) - self.name = _name - self.entries = _entries - self.base = _base - end - end - - class ExportEntry - attr_accessor :name, :ordinal, :rva - def initialize(_name, _ordinal, _rva) - self.name = _name - self.ordinal = _ordinal - self.rva = _rva - end - end - - IMAGE_NUMBEROF_DIRECTORY_ENTRIES = 16 - IMAGE_DATA_DIRECTORY_SIZE = 8 - IMAGE_DIRECTORY_ENTRY_EXPORT = 0 - IMAGE_DIRECTORY_ENTRY_IMPORT = 1 - IMAGE_DIRECTORY_ENTRY_RESOURCE = 2 - IMAGE_DIRECTORY_ENTRY_EXCEPTION = 3 - IMAGE_DIRECTORY_ENTRY_SECURITY = 4 - IMAGE_DIRECTORY_ENTRY_BASERELOC = 5 - IMAGE_DIRECTORY_ENTRY_DEBUG = 6 - IMAGE_DIRECTORY_ENTRY_COPYRIGHT = 7 - IMAGE_DIRECTORY_ENTRY_ARCHITECTURE = 7 - IMAGE_DIRECTORY_ENTRY_GLOBALPTR = 8 - IMAGE_DIRECTORY_ENTRY_TLS = 9 - IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG = 10 - IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT = 11 - IMAGE_DIRECTORY_ENTRY_IAT = 12 - IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT = 13 - IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14 - # Struct - # typedef struct _IMAGE_DATA_DIRECTORY { - # DWORD VirtualAddress; - # DWORD Size; - # } IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY; - IMAGE_DATA_DIRECTORY = Rex::Struct2::CStructTemplate.new( - [ 'uint32v', 'VirtualAddress', 0 ], - [ 'uint32v', 'Size', 0 ] - ) - - # Struct - # typedef struct _IMAGE_OPTIONAL_HEADER { - # // - # // Standard fields. - # // - # - # WORD Magic; - # BYTE MajorLinkerVersion; - # BYTE MinorLinkerVersion; - # DWORD SizeOfCode; - # DWORD SizeOfInitializedData; - # DWORD SizeOfUninitializedData; - # DWORD AddressOfEntryPoint; - # DWORD BaseOfCode; - # DWORD BaseOfData; - # - # // - # // NT additional fields. - # // - # - # DWORD ImageBase; - # DWORD SectionAlignment; - # DWORD FileAlignment; - # WORD MajorOperatingSystemVersion; - # WORD MinorOperatingSystemVersion; - # WORD MajorImageVersion; - # WORD MinorImageVersion; - # WORD MajorSubsystemVersion; - # WORD MinorSubsystemVersion; - # DWORD Win32VersionValue; - # DWORD SizeOfImage; - # DWORD SizeOfHeaders; - # DWORD CheckSum; - # WORD Subsystem; - # WORD DllCharacteristics; - # DWORD SizeOfStackReserve; - # DWORD SizeOfStackCommit; - # DWORD SizeOfHeapReserve; - # DWORD SizeOfHeapCommit; - # DWORD LoaderFlags; - # DWORD NumberOfRvaAndSizes; - # IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]; - # } IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32; - # - # #define IMAGE_NT_OPTIONAL_HDR32_MAGIC 0x10b - # #define IMAGE_SIZEOF_NT_OPTIONAL32_HEADER 224 - # - - IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10b - IMAGE_SIZEOF_NT_OPTIONAL32_HEADER = 224 - IMAGE_OPTIONAL_HEADER32 = Rex::Struct2::CStructTemplate.new( - [ 'uint16v', 'Magic', 0 ], - [ 'uint8', 'MajorLinkerVersion', 0 ], - [ 'uint8', 'MinorLinkerVersion', 0 ], - [ 'uint32v', 'SizeOfCode', 0 ], - [ 'uint32v', 'SizeOfInitializeData', 0 ], - [ 'uint32v', 'SizeOfUninitializeData', 0 ], - [ 'uint32v', 'AddressOfEntryPoint', 0 ], - [ 'uint32v', 'BaseOfCode', 0 ], - [ 'uint32v', 'BaseOfData', 0 ], - [ 'uint32v', 'ImageBase', 0 ], - [ 'uint32v', 'SectionAlignment', 0 ], - [ 'uint32v', 'FileAlignment', 0 ], - [ 'uint16v', 'MajorOperatingSystemVersion', 0 ], - [ 'uint16v', 'MinorOperatingSystemVersion', 0 ], - [ 'uint16v', 'MajorImageVersion', 0 ], - [ 'uint16v', 'MinorImageVersion', 0 ], - [ 'uint16v', 'MajorSubsystemVersion', 0 ], - [ 'uint16v', 'MinorSubsystemVersion', 0 ], - [ 'uint32v', 'Win32VersionValue', 0 ], - [ 'uint32v', 'SizeOfImage', 0 ], - [ 'uint32v', 'SizeOfHeaders', 0 ], - [ 'uint32v', 'CheckSum', 0 ], - [ 'uint16v', 'Subsystem', 0 ], - [ 'uint16v', 'DllCharacteristics', 0 ], - [ 'uint32v', 'SizeOfStackReserve', 0 ], - [ 'uint32v', 'SizeOfStackCommit', 0 ], - [ 'uint32v', 'SizeOfHeapReserve', 0 ], - [ 'uint32v', 'SizeOfHeapCommit', 0 ], - [ 'uint32v', 'LoaderFlags', 0 ], - [ 'uint32v', 'NumberOfRvaAndSizes', 0 ], - [ 'template', 'DataDirectory', Rex::Struct2::CStructTemplate.new( - [ 'template', 'DataDirectoryEntry_0', IMAGE_DATA_DIRECTORY ], - [ 'template', 'DataDirectoryEntry_1', IMAGE_DATA_DIRECTORY ], - [ 'template', 'DataDirectoryEntry_2', IMAGE_DATA_DIRECTORY ], - [ 'template', 'DataDirectoryEntry_3', IMAGE_DATA_DIRECTORY ], - [ 'template', 'DataDirectoryEntry_4', IMAGE_DATA_DIRECTORY ], - [ 'template', 'DataDirectoryEntry_5', IMAGE_DATA_DIRECTORY ], - [ 'template', 'DataDirectoryEntry_6', IMAGE_DATA_DIRECTORY ], - [ 'template', 'DataDirectoryEntry_7', IMAGE_DATA_DIRECTORY ], - [ 'template', 'DataDirectoryEntry_8', IMAGE_DATA_DIRECTORY ], - [ 'template', 'DataDirectoryEntry_9', IMAGE_DATA_DIRECTORY ], - [ 'template', 'DataDirectoryEntry_10', IMAGE_DATA_DIRECTORY ], - [ 'template', 'DataDirectoryEntry_11', IMAGE_DATA_DIRECTORY ], - [ 'template', 'DataDirectoryEntry_12', IMAGE_DATA_DIRECTORY ], - [ 'template', 'DataDirectoryEntry_13', IMAGE_DATA_DIRECTORY ], - [ 'template', 'DataDirectoryEntry_14', IMAGE_DATA_DIRECTORY ], - [ 'template', 'DataDirectoryEntry_15', IMAGE_DATA_DIRECTORY ] - )] - ) - - # #define IMAGE_SIZEOF_NT_OPTIONAL64_HEADER 240 - IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20b - # #define IMAGE_NT_OPTIONAL_HDR64_MAGIC 0x20b - IMAGE_SIZEOF_NT_OPTIONAL64_HEADER = 240 - - # Struct - # typedef struct _IMAGE_OPTIONAL_HEADER64 { - # USHORT Magic; - # UCHAR MajorLinkerVersion; - # UCHAR MinorLinkerVersion; - # ULONG SizeOfCode; - # ULONG SizeOfInitializedData; - # ULONG SizeOfUninitializedData; - # ULONG AddressOfEntryPoint; - # ULONG BaseOfCode; - # ULONGLONG ImageBase; - # ULONG SectionAlignment; - # ULONG FileAlignment; - # USHORT MajorOperatingSystemVersion; - # USHORT MinorOperatingSystemVersion; - # USHORT MajorImageVersion; - # USHORT MinorImageVersion; - # USHORT MajorSubsystemVersion; - # USHORT MinorSubsystemVersion; - # ULONG Win32VersionValue; - # ULONG SizeOfImage; - # ULONG SizeOfHeaders; - # ULONG CheckSum; - # USHORT Subsystem; - # USHORT DllCharacteristics; - # ULONGLONG SizeOfStackReserve; - # ULONGLONG SizeOfStackCommit; - # ULONGLONG SizeOfHeapReserve; - # ULONGLONG SizeOfHeapCommit; - # ULONG LoaderFlags; - # ULONG NumberOfRvaAndSizes; - # IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]; - # } IMAGE_OPTIONAL_HEADER64, *PIMAGE_OPTIONAL_HEADER64; - IMAGE_OPTIONAL_HEADER64 = Rex::Struct2::CStructTemplate.new( - [ 'uint16v', 'Magic', 0 ], - [ 'uint8', 'MajorLinkerVersion', 0 ], - [ 'uint8', 'MinorLinkerVersion', 0 ], - [ 'uint32v', 'SizeOfCode', 0 ], - [ 'uint32v', 'SizeOfInitializeData', 0 ], - [ 'uint32v', 'SizeOfUninitializeData', 0 ], - [ 'uint32v', 'AddressOfEntryPoint', 0 ], - [ 'uint32v', 'BaseOfCode', 0 ], - [ 'uint64v', 'ImageBase', 0 ], - [ 'uint32v', 'SectionAlignment', 0 ], - [ 'uint32v', 'FileAlignment', 0 ], - [ 'uint16v', 'MajorOperatingsystemVersion', 0 ], - [ 'uint16v', 'MinorOperatingsystemVersion', 0 ], - [ 'uint16v', 'MajorImageVersion', 0 ], - [ 'uint16v', 'MinorImageVersion', 0 ], - [ 'uint16v', 'MajorSubsystemVersion', 0 ], - [ 'uint16v', 'MinorSubsystemVersion', 0 ], - [ 'uint32v', 'Win32VersionValue', 0 ], - [ 'uint32v', 'SizeOfImage', 0 ], - [ 'uint32v', 'SizeOfHeaders', 0 ], - [ 'uint32v', 'CheckSum', 0 ], - [ 'uint16v', 'Subsystem', 0 ], - [ 'uint16v', 'DllCharacteristics', 0 ], - [ 'uint64v', 'SizeOfStackReserve', 0 ], - [ 'uint64v', 'SizeOfStackCommit', 0 ], - [ 'uint64v', 'SizeOfHeapReserve', 0 ], - [ 'uint64v', 'SizeOfHeapCommit', 0 ], - [ 'uint32v', 'LoaderFlags', 0 ], - [ 'uint32v', 'NumberOfRvaAndSizes', 0 ], - [ 'template', 'DataDirectory', Rex::Struct2::CStructTemplate.new( - [ 'template', 'DataDirectoryEntry_0', IMAGE_DATA_DIRECTORY ], - [ 'template', 'DataDirectoryEntry_1', IMAGE_DATA_DIRECTORY ], - [ 'template', 'DataDirectoryEntry_2', IMAGE_DATA_DIRECTORY ], - [ 'template', 'DataDirectoryEntry_3', IMAGE_DATA_DIRECTORY ], - [ 'template', 'DataDirectoryEntry_4', IMAGE_DATA_DIRECTORY ], - [ 'template', 'DataDirectoryEntry_5', IMAGE_DATA_DIRECTORY ], - [ 'template', 'DataDirectoryEntry_6', IMAGE_DATA_DIRECTORY ], - [ 'template', 'DataDirectoryEntry_7', IMAGE_DATA_DIRECTORY ], - [ 'template', 'DataDirectoryEntry_8', IMAGE_DATA_DIRECTORY ], - [ 'template', 'DataDirectoryEntry_9', IMAGE_DATA_DIRECTORY ], - [ 'template', 'DataDirectoryEntry_10', IMAGE_DATA_DIRECTORY ], - [ 'template', 'DataDirectoryEntry_11', IMAGE_DATA_DIRECTORY ], - [ 'template', 'DataDirectoryEntry_12', IMAGE_DATA_DIRECTORY ], - [ 'template', 'DataDirectoryEntry_13', IMAGE_DATA_DIRECTORY ], - [ 'template', 'DataDirectoryEntry_14', IMAGE_DATA_DIRECTORY ], - [ 'template', 'DataDirectoryEntry_15', IMAGE_DATA_DIRECTORY ] - )] - ) - - class OptionalHeader < GenericHeader - def ImageBase - v['ImageBase'] - end - def FileAlignment - v['FileAlignment'] - end - end - - class OptionalHeader32 < OptionalHeader - def initialize(rawdata) - optional_header = IMAGE_OPTIONAL_HEADER32.make_struct - - if !optional_header.from_s(rawdata) - raise OptionalHeaderError, "Couldn't parse IMAGE_OPTIONAL_HEADER32", caller - end - - if optional_header.v['Magic'] != IMAGE_NT_OPTIONAL_HDR32_MAGIC - raise OptionalHeaderError, "Magic did not match!", caller() - end - - self.struct = optional_header - end - end - - class OptionalHeader64 < OptionalHeader - def initialize(rawdata) - optional_header = IMAGE_OPTIONAL_HEADER64.make_struct - - if !optional_header.from_s(rawdata) - raise OptionalHeaderError, "Couldn't parse IMAGE_OPTIONAL_HEADER64", caller - end - - if optional_header.v['Magic'] != IMAGE_NT_OPTIONAL_HDR64_MAGIC - raise OptionalHeaderError, "Magic did not match!", caller() - end - - self.struct = optional_header - end - end - - def self._parse_optional_header(rawdata) - case rawdata.length - # no optional header - when 0 - return nil - - # good, good - when IMAGE_SIZEOF_NT_OPTIONAL32_HEADER - return OptionalHeader32.new(rawdata) - - when IMAGE_SIZEOF_NT_OPTIONAL64_HEADER - return OptionalHeader64.new(rawdata) - - # bad, bad - else - raise OptionalHeaderError, "I don't know this header size, #{rawdata.length}", caller - end - - end - - # #define IMAGE_SIZEOF_SECTION_HEADER 40 - IMAGE_SIZEOF_SECTION_HEADER = 40 - # Struct - # typedef struct _IMAGE_SECTION_HEADER { - # BYTE Name[IMAGE_SIZEOF_SHORT_NAME]; - # union { - # DWORD PhysicalAddress; - # DWORD VirtualSize; - # } Misc; - # DWORD VirtualAddress; - # DWORD SizeOfRawData; - # DWORD PointerToRawData; - # DWORD PointerToRelocations; - # DWORD PointerToLinenumbers; - # WORD NumberOfRelocations; - # WORD NumberOfLinenumbers; - # DWORD Characteristics; - # } IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER; - IMAGE_SECTION_HEADER = Rex::Struct2::CStructTemplate.new( - [ 'string', 'Name', 8, '' ], - [ 'uint32v', 'Misc', 0 ], - [ 'uint32v', 'VirtualAddress', 0 ], - [ 'uint32v', 'SizeOfRawData', 0 ], - [ 'uint32v', 'PointerToRawData', 0 ], - [ 'uint32v', 'PointerToRelocations', 0 ], - [ 'uint32v', 'NumberOfRelocations', 0 ], - [ 'uint32v', 'NumberOfLineNumbers', 0 ], - [ 'uint32v', 'Characteristics', 0 ] - ) - - class SectionHeader < GenericHeader - def initialize(rawdata) - section_header = IMAGE_SECTION_HEADER.make_struct - - if !section_header.from_s(rawdata) - raise SectionHeaderError, "Could not parse header", caller - end - - self.struct = section_header - end - - def VirtualAddress - v['VirtualAddress'] - end - def SizeOfRawData - v['SizeOfRawData'] - end - def PointerToRawData - v['PointerToRawData'] - end - end - - def self._parse_section_headers(rawdata) - section_headers = [ ] - size = IMAGE_SIZEOF_SECTION_HEADER - numsections = rawdata.length / size - - numsections.times do |i| - data = rawdata[i * size, size] - section_headers << SectionHeader.new(data) - end - - return section_headers - end - - # #define IMAGE_SIZEOF_BASE_RELOCATION 8 - IMAGE_SIZEOF_BASE_RELOCATION = 8 - - # Struct - # typedef struct _IMAGE_BASE_RELOCATION { - # DWORD VirtualAddress; - # DWORD SizeOfBlock; - # // WORD TypeOffset[1]; - # } IMAGE_BASE_RELOCATION; - # typedef IMAGE_BASE_RELOCATION UNALIGNED * PIMAGE_BASE_RELOCATION; - IMAGE_BASE_RELOCATION = Rex::Struct2::CStructTemplate.new( - [ 'uint32v', 'VirtualAddress', 0 ], - [ 'uint32v', 'SizeOfBlock', 0 ] - ) - IMAGE_BASE_RELOCATION_TYPE_OFFSET = Rex::Struct2::CStructTemplate.new( - [ 'uint16v', 'TypeOffset', 0 ] - ) - - class RelocationDirectory - attr_accessor :entries, :rva - - def initialize(rva, entries) - self.rva = rva - self.entries = entries - self.name = name - self.characteristics = chars - self.timedate = timedate - self.version = version - self.entries = [] - end - end - - class RelocationEntry - attr_accessor :rva, :reltype - - def initialize(_rva, _type) - self.rva = _rva - self.reltype = _type - end - end - - - class ResourceDirectory - attr_accessor :entries, :name - - def initialize(name, entries) - self.name = name - self.entries = entries - end - end - - class ResourceEntry - attr_accessor :path, :lang, :code, :rva, :size, :pe, :file - - def initialize(pe, path, lang, code, rva, size, file) - self.pe = pe - self.path = path - self.lang = lang - self.code = code - self.rva = rva - self.size = size - self.file = file.to_s - end - - def data - pe._isource.read(pe.rva_to_file_offset(rva), size) - end - end - - # Struct - # typedef struct { - # DWORD Size; - # DWORD TimeDateStamp; - # WORD MajorVersion; - # WORD MinorVersion; - # DWORD GlobalFlagsClear; - # DWORD GlobalFlagsSet; - # DWORD CriticalSectionDefaultTimeout; - # DWORD DeCommitFreeBlockThreshold; - # DWORD DeCommitTotalFreeThreshold; - # DWORD LockPrefixTable; // VA - # DWORD MaximumAllocationSize; - # DWORD VirtualMemoryThreshold; - # DWORD ProcessHeapFlags; - # DWORD ProcessAffinityMask; - # WORD CSDVersion; - # WORD Reserved1; - # DWORD EditList; // VA - # DWORD SecurityCookie; // VA - # DWORD SEHandlerTable; // VA - # DWORD SEHandlerCount; - # } IMAGE_LOAD_CONFIG_DIRECTORY32, *PIMAGE_LOAD_CONFIG_DIRECTORY32; - # - IMAGE_LOAD_CONFIG_DIRECTORY32 = Rex::Struct2::CStructTemplate.new( - [ 'uint32v', 'Size', 0 ], - [ 'uint32v', 'TimeDateStamp', 0 ], - [ 'uint16v', 'MajorVersion', 0 ], - [ 'uint16v', 'MinorVersion', 0 ], - [ 'uint32v', 'GlobalFlagsClear', 0 ], - [ 'uint32v', 'GlobalFlagsSet', 0 ], - [ 'uint32v', 'CriticalSectionDefaultTimeout', 0 ], - [ 'uint32v', 'DeCommitFreeBlockThreshold', 0 ], - [ 'uint32v', 'DeCommitTotalFreeThreshold', 0 ], - [ 'uint32v', 'LockPrefixTable', 0 ], - [ 'uint32v', 'MaximumAllocationSize', 0 ], - [ 'uint32v', 'VirtualMemoryThreshold', 0 ], - [ 'uint32v', 'ProcessHeapFlags', 0 ], - [ 'uint32v', 'ProcessAffinityMask', 0 ], - [ 'uint16v', 'CSDVersion', 0 ], - [ 'uint16v', 'Reserved1', 0 ], - [ 'uint32v', 'EditList', 0 ], - [ 'uint32v', 'SecurityCookie', 0 ], - [ 'uint32v', 'SEHandlerTable', 0 ], - [ 'uint32v', 'SEHandlerCount', 0 ] - ) - - # Struct - # typedef struct { - # ULONG Size; - # ULONG TimeDateStamp; - # USHORT MajorVersion; - # USHORT MinorVersion; - # ULONG GlobalFlagsClear; - # ULONG GlobalFlagsSet; - # ULONG CriticalSectionDefaultTimeout; - # ULONGLONG DeCommitFreeBlockThreshold; - # ULONGLONG DeCommitTotalFreeThreshold; - # ULONGLONG LockPrefixTable; // VA - # ULONGLONG MaximumAllocationSize; - # ULONGLONG VirtualMemoryThreshold; - # ULONGLONG ProcessAffinityMask; - # ULONG ProcessHeapFlags; - # USHORT CSDVersion; - # USHORT Reserved1; - # ULONGLONG EditList; // VA - # ULONGLONG SecurityCookie; // VA - # ULONGLONG SEHandlerTable; // VA - # ULONGLONG SEHandlerCount; - # } IMAGE_LOAD_CONFIG_DIRECTORY64, *PIMAGE_LOAD_CONFIG_DIRECTORY64; - IMAGE_LOAD_CONFIG_DIRECTORY64 = Rex::Struct2::CStructTemplate.new( - [ 'uint32v', 'Size', 0 ], - [ 'uint32v', 'TimeDateStamp', 0 ], - [ 'uint16v', 'MajorVersion', 0 ], - [ 'uint16v', 'MinorVersion', 0 ], - [ 'uint32v', 'GlobalFlagsClear', 0 ], - [ 'uint32v', 'GlobalFlagsSet', 0 ], - [ 'uint32v', 'CriticalSectionDefaultTimeout', 0 ], - [ 'uint64v', 'DeCommitFreeBlockThreshold', 0 ], - [ 'uint64v', 'DeCommitTotalFreeThreshold', 0 ], - [ 'uint64v', 'LockPrefixTable', 0 ], - [ 'uint64v', 'MaximumAllocationSize', 0 ], - [ 'uint64v', 'VirtualMemoryThreshold', 0 ], - [ 'uint64v', 'ProcessAffinityMask', 0 ], - [ 'uint32v', 'ProcessHeapFlags', 0 ], - [ 'uint16v', 'CSDVersion', 0 ], - [ 'uint16v', 'Reserved1', 0 ], - [ 'uint64v', 'EditList', 0 ], - [ 'uint64v', 'SecurityCookie', 0 ], - [ 'uint64v', 'SEHandlerTable', 0 ], - [ 'uint64v', 'SEHandlerCount', 0 ] - ) - - - class ConfigHeader < GenericHeader - - end - - #-- - # doesn't seem to be used -- not compatible with 64-bit - #def self._parse_config_header(rawdata) - # header = IMAGE_LOAD_CONFIG_DIRECTORY32.make_struct - # header.from_s(rawdata) - # ConfigHeader.new(header) - #end - #++ - - def _parse_config_header - - # - # Get the data directory entry, size, etc - # - exports_entry = _optional_header['DataDirectory'][IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG] - rva = exports_entry.v['VirtualAddress'] - size = exports_entry.v['Size'] - - return nil if size == 0 - - # - # Ok, so we have the data directory, now lets parse it - # - - dirdata = _isource.read(rva_to_file_offset(rva), size) - klass = (ptr_64?) ? IMAGE_LOAD_CONFIG_DIRECTORY64 : IMAGE_LOAD_CONFIG_DIRECTORY32 - header = klass.make_struct - - header.from_s(dirdata) - - @config = ConfigHeader.new(header) - end - - - def config - _parse_config_header if @config.nil? - @config - end - - # - # TLS Directory - # - - # Struct - # typedef struct { - # DWORD Size; - # DWORD TimeDateStamp; - # WORD MajorVersion; - # WORD MinorVersion; - # DWORD GlobalFlagsClear; - # DWORD GlobalFlagsSet; - # DWORD CriticalSectionDefaultTimeout; - # DWORD DeCommitFreeBlockThreshold; - # DWORD DeCommitTotalFreeThreshold; - # DWORD LockPrefixTable; // VA - # DWORD MaximumAllocationSize; - # DWORD VirtualMemoryThreshold; - # DWORD ProcessHeapFlags; - # DWORD ProcessAffinityMask; - # WORD CSDVersion; - # WORD Reserved1; - # DWORD EditList; // VA - # DWORD SecurityCookie; // VA - # DWORD SEHandlerTable; // VA - # DWORD SEHandlerCount; - # } IMAGE_LOAD_CONFIG_DIRECTORY32, *PIMAGE_LOAD_CONFIG_DIRECTORY32; - IMAGE_LOAD_TLS_DIRECTORY32 = Rex::Struct2::CStructTemplate.new( - [ 'uint32v', 'Size', 0 ], - [ 'uint32v', 'TimeDateStamp', 0 ], - [ 'uint16v', 'MajorVersion', 0 ], - [ 'uint16v', 'MinorVersion', 0 ], - [ 'uint32v', 'GlobalFlagsClear', 0 ], - [ 'uint32v', 'GlobalFlagsSet', 0 ], - [ 'uint32v', 'CriticalSectionDefaultTimeout', 0 ], - [ 'uint32v', 'DeCommitFreeBlockThreshold', 0 ], - [ 'uint32v', 'DeCommitTotalFreeThreshold', 0 ], - [ 'uint32v', 'LockPrefixTable', 0 ], - [ 'uint32v', 'MaximumAllocationSize', 0 ], - [ 'uint32v', 'VirtualMemoryThreshold', 0 ], - [ 'uint32v', 'ProcessHeapFlags', 0 ], - [ 'uint32v', 'ProcessAffinityMask', 0 ], - [ 'uint16v', 'CSDVersion', 0 ], - [ 'uint16v', 'Reserved1', 0 ], - [ 'uint32v', 'EditList', 0 ], - [ 'uint32v', 'SecurityCookie', 0 ], - [ 'uint32v', 'SEHandlerTable', 0 ], - [ 'uint32v', 'SEHandlerCount', 0 ] - ) - - # Struct - # typedef struct { - # ULONG Size; - # ULONG TimeDateStamp; - # USHORT MajorVersion; - # USHORT MinorVersion; - # ULONG GlobalFlagsClear; - # ULONG GlobalFlagsSet; - # ULONG CriticalSectionDefaultTimeout; - # ULONGLONG DeCommitFreeBlockThreshold; - # ULONGLONG DeCommitTotalFreeThreshold; - # ULONGLONG LockPrefixTable; // VA - # ULONGLONG MaximumAllocationSize; - # ULONGLONG VirtualMemoryThreshold; - # ULONGLONG ProcessAffinityMask; - # ULONG ProcessHeapFlags; - # USHORT CSDVersion; - # USHORT Reserved1; - # ULONGLONG EditList; // VA - # ULONGLONG SecurityCookie; // VA - # ULONGLONG SEHandlerTable; // VA - # ULONGLONG SEHandlerCount; - # } IMAGE_LOAD_CONFIG_DIRECTORY64, *PIMAGE_LOAD_CONFIG_DIRECTORY64; - IMAGE_LOAD_TLS_DIRECTORY64 = Rex::Struct2::CStructTemplate.new( - [ 'uint32v', 'Size', 0 ], - [ 'uint32v', 'TimeDateStamp', 0 ], - [ 'uint16v', 'MajorVersion', 0 ], - [ 'uint16v', 'MinorVersion', 0 ], - [ 'uint32v', 'GlobalFlagsClear', 0 ], - [ 'uint32v', 'GlobalFlagsSet', 0 ], - [ 'uint32v', 'CriticalSectionDefaultTimeout', 0 ], - [ 'uint64v', 'DeCommitFreeBlockThreshold', 0 ], - [ 'uint64v', 'DeCommitTotalFreeThreshold', 0 ], - [ 'uint64v', 'LockPrefixTable', 0 ], - [ 'uint64v', 'MaximumAllocationSize', 0 ], - [ 'uint64v', 'VirtualMemoryThreshold', 0 ], - [ 'uint64v', 'ProcessAffinityMask', 0 ], - [ 'uint32v', 'ProcessHeapFlags', 0 ], - [ 'uint16v', 'CSDVersion', 0 ], - [ 'uint16v', 'Reserved1', 0 ], - [ 'uint64v', 'EditList', 0 ], - [ 'uint64v', 'SecurityCookie', 0 ], - [ 'uint64v', 'SEHandlerTable', 0 ], - [ 'uint64v', 'SEHandlerCount', 0 ] - ) - - - class TLSHeader < GenericHeader - - end - - def _parse_tls_header - - # - # Get the data directory entry, size, etc - # - exports_entry = _optional_header['DataDirectory'][IMAGE_DIRECTORY_ENTRY_TLS] - rva = exports_entry.v['VirtualAddress'] - size = exports_entry.v['Size'] - - return nil if size == 0 - - # - # Ok, so we have the data directory, now lets parse it - # - - dirdata = _isource.read(rva_to_file_offset(rva), size) - klass = (ptr_64?) ? IMAGE_LOAD_TLS_DIRECTORY64 : IMAGE_LOAD_TLS_DIRECTORY32 - header = klass.make_struct - - header.from_s(dirdata) - - @tls = TLSHeader.new(header) - end - - - def tls - _parse_config_header if @tls.nil? - @tls - end - - ## - # - # Exception directory - # - ## - - IMAGE_RUNTIME_FUNCTION_ENTRY_SZ = 12 - # Struct - # typedef struct _IMAGE_RUNTIME_FUNCTION_ENTRY { - # DWORD BeginAddress; - # DWORD EndAddress; - # DWORD UnwindInfoAddress; - # } _IMAGE_RUNTIME_FUNCTION_ENTRY, *_PIMAGE_RUNTIME_FUNCTION_ENTRY; - IMAGE_RUNTIME_FUNCTION_ENTRY = Rex::Struct2::CStructTemplate.new( - [ 'uint32v', 'BeginAddress', 0 ], - [ 'uint32v', 'EndAddress', 0 ], - [ 'uint32v', 'UnwindInfoAddress', 0 ] - ) - - UNWIND_INFO_HEADER_SZ = 4 - UNWIND_INFO_HEADER = Rex::Struct2::CStructTemplate.new( - [ 'uint8', 'VersionFlags', 0 ], - [ 'uint8', 'SizeOfProlog', 0 ], - [ 'uint8', 'CountOfCodes', 0 ], - [ 'uint8', 'FrameRegisterAndOffset', 0 ] - ) - - UWOP_PUSH_NONVOL = 0 # 1 node - UWOP_ALLOC_LARGE = 1 # 2 or 3 nodes - UWOP_ALLOC_SMALL = 2 # 1 node - UWOP_SET_FPREG = 3 # 1 node - UWOP_SAVE_NONVOL = 4 # 2 nodes - UWOP_SAVE_NONVOL_FAR = 5 # 3 nodes - UWOP_SAVE_XMM128 = 8 # 2 nodes - UWOP_SAVE_XMM128_FAR = 9 # 3 nodes - UWOP_PUSH_MACHFRAME = 10 # 1 node - - UNW_FLAG_EHANDLER = 1 - UNW_FLAG_UHANDLER = 2 - UNW_FLAG_CHAININFO = 4 - - class UnwindCode - def initialize(data) - - self.code_offset = data[0].to_i - self.unwind_op = data[1].to_i & 0xf - self.op_info = data[1].to_i >> 4 - self.frame_offset = data[2..3].unpack("v")[0] - - data.slice!(0, 4) - end - - attr_reader :code_offset, :unwind_op, :op_info, :frame_offset - attr_writer :code_offset, :unwind_op, :op_info, :frame_offset - - end - - class UnwindInfo - def initialize(pe, unwind_rva) - data = pe.read_rva(unwind_rva, UNWIND_INFO_HEADER_SZ) - - unwind = UNWIND_INFO_HEADER.make_struct - unwind.from_s(data) - - @version = unwind.v['VersionFlags'] & 0x7 - @flags = unwind.v['VersionFlags'] >> 3 - @size_of_prolog = unwind.v['SizeOfProlog'] - @count_of_codes = unwind.v['CountOfCodes'] - @frame_register = unwind.v['FrameRegisterAndOffset'] & 0xf - @frame_register_offset = unwind.v['FrameRegisterAndOffset'] >> 4 - - # Parse unwind codes - clist = pe.read_rva(unwind_rva + UNWIND_INFO_HEADER_SZ, count_of_codes * 4) - - @unwind_codes = [] - - while clist.length > 0 - @unwind_codes << UnwindCode.new(clist) - end - end - - attr_reader :version, :flags, :size_of_prolog, :count_of_codes - attr_reader :frame_register, :frame_register_offset - - def unwind_codes - @unwind_codes - end - - end - - class RuntimeFunctionEntry - - def initialize(pe, data) - @pe = pe - @begin_address, @end_address, @unwind_info_address = data.unpack("VVV"); - self.unwind_info = UnwindInfo.new(pe, unwind_info_address) - end - - attr_reader :begin_address, :end_address, :unwind_info_address - attr_reader :unwind_info - attr_writer :unwind_info - - end - - def _load_exception_directory - @exception = [] - - exception_entry = _optional_header['DataDirectory'][IMAGE_DIRECTORY_ENTRY_EXCEPTION] - rva = exception_entry.v['VirtualAddress'] - size = exception_entry.v['Size'] - - return if (rva == 0) - - data = _isource.read(rva_to_file_offset(rva), size) - - case hdr.file.Machine - when IMAGE_FILE_MACHINE_AMD64 - count = data.length / IMAGE_RUNTIME_FUNCTION_ENTRY_SZ - - count.times { |current| - @exception << RuntimeFunctionEntry.new(self, - data.slice!(0, IMAGE_RUNTIME_FUNCTION_ENTRY_SZ)) - } - else - end - - return @exception - end - - - def exception - _load_exception_directory if @exception.nil? - @exception - end - - # - # Just a stupid routine to round an offset up to it's alignment. - # - # For example, you're going to want this for FileAlignment and - # SectionAlignment, etc... - # - def self._align_offset(offset, alignment) - offset += alignment - 1 - offset -= offset % alignment - return offset - end - - # - # instance stuff - # - - attr_accessor :_isource - attr_accessor :_dos_header, :_file_header, :_optional_header, - :_section_headers, :_config_header, :_tls_header, :_exception_header - - attr_accessor :sections, :header_section, :image_base - - attr_accessor :_imports_cache, :_imports_cached - attr_accessor :_exports_cache, :_exports_cached - attr_accessor :_relocations_cache, :_relocations_cached - attr_accessor :_resources_cache, :_resources_cached - - attr_accessor :hdr - - def self.new_from_file(filename, disk_backed = false) - - file = ::File.new(filename) - file.binmode # windows... :\ - - if disk_backed - return self.new(ImageSource::Disk.new(file)) - else - obj = new_from_string(file.read) - file.close - return obj - end - end - - def self.new_from_string(data) - return self.new(ImageSource::Memory.new(data)) - end - - def close - _isource.close - end - - # - # - # Random rva, vma, file offset, section offset, etc - # conversion routines... - # - # - def rva_to_vma(rva) - return rva + image_base - end - - def vma_to_rva(vma) - return vma - image_base - end - - def rva_to_file_offset(rva) - all_sections.each do |section| - if section.contains_rva?(rva) - return section.rva_to_file_offset(rva) - end - end - raise PeParseyError, "No section contains RVA", caller - end - - def vma_to_file_offset(vma) - return rva_to_file_offset(vma_to_rva(vma)) - end - - def file_offset_to_rva(foffset) - if foffset < 0 - raise PeParseyError, "Offset should not be less than 0. The value is: #{foffset}", caller - end - - all_sections.each do |section| - if section.contains_file_offset?(foffset) - return section.file_offset_to_rva(foffset) - end - end - - raise PeParseyError, "No section contains file offset #{foffset}", caller - end - - def file_offset_to_vma(foffset) - return rva_to_vma(file_offset_to_rva(foffset)) - end - - # - # - # Some routines to find which section something belongs - # to. These will search all_sections (so including - # our fake header section, etc... - # - # - - # - # Find a section by an RVA - # - def _find_section_by_rva(rva) - all_sections.each do |section| - if section.contains_rva?(rva) - return section - end - end - - return nil - end - def find_section_by_rva(rva) - section = _find_section_by_rva(rva) - - if !section - raise PeParseyError, "Cannot find rva! #{rva}", caller - end - - return section - end - - # - # Find a section by a VMA - # - def find_section_by_vma(vma) - return find_section_by_rva(vma_to_rva(vma)) - end - - def valid_rva?(rva) - _find_section_by_rva(rva) != nil - end - def valid_vma?(vma) - _find_section_by_rva(vma_to_rva(vma)) != nil - end - - # - # - # Some convenient methods to read a vma/rva without having - # the section... (inefficent though I suppose...) - # - # - - def read_rva(rva, length) - return find_section_by_rva(rva).read_rva(rva, length) - end - - def read_vma(vma, length) - return read_rva(vma_to_rva(vma), length) - end - - def read_asciiz_rva(rva) - return find_section_by_rva(rva).read_asciiz_rva(rva) - end - - def read_asciiz_vma(vma) - return read_asciiz_rva(vma_to_rva(vma)) - end - - # - # - # Imports, exports, and other stuff! - # - # - - # - # We lazily parse the imports, and then cache it - # - def imports - if !_imports_cached - self._imports_cache = _load_imports - self._imports_cached = true - end - return _imports_cache - end - - def _load_imports - # - # Get the data directory entry, size, etc - # - imports_entry = _optional_header['DataDirectory'][1] - rva = imports_entry.v['VirtualAddress'] - size = imports_entry.v['Size'] - - return nil if size == 0 - - # - # Ok, so we have the data directory, now lets parse it - # - - imports = [ ] - - descriptors_data = _isource.read(rva_to_file_offset(rva), size) - - while descriptors_data.length >= IMAGE_IMPORT_DESCRIPTOR_SIZE - descriptor = IMAGE_IMPORT_DESCRIPTOR.make_struct - descriptor.from_s(descriptors_data) - descriptors_data = descriptor.leftover - - othunk = descriptor.v['OriginalFirstThunk'] - fthunk = descriptor.v['FirstThunk'] - - break if fthunk == 0 - - dllname = _isource.read_asciiz(rva_to_file_offset(descriptor.v['Name'])) - - import = ImportDescriptor.new(dllname, [ ]) - - # we prefer the Characteristics/OriginalFirstThunk... - thunk_off = rva_to_file_offset(othunk == 0 ? fthunk : othunk) - - while (orgrva = _isource.read(thunk_off, 4).unpack('V')[0]) != 0 - hint = nil - name = nil - - if (orgrva & IMAGE_ORDINAL_FLAG32) != 0 - hint = orgrva & 0xffff - else - foff = rva_to_file_offset(orgrva) - hint = _isource.read(foff, 2).unpack('v')[0] - name = _isource.read_asciiz(foff + 2) - end - - import.entries << ImportEntry.new(name, hint) - - thunk_off += 4 - end - - imports << import - end - - return imports - end - - - - # - # We lazily parse the exports, and then cache it - # - def exports - if !_exports_cached - self._exports_cache = _load_exports - self._exports_cached = true - end - return _exports_cache - end - - def _load_exports - - # - # Get the data directory entry, size, etc - # - exports_entry = _optional_header['DataDirectory'][0] - rva = exports_entry.v['VirtualAddress'] - size = exports_entry.v['Size'] - - return nil if size == 0 - - # - # Ok, so we have the data directory, now lets parse it - # - - directory = IMAGE_EXPORT_DESCRIPTOR.make_struct - directory.from_s(_isource.read(rva_to_file_offset(rva), IMAGE_EXPORT_DESCRIPTOR_SIZE)) - - # - # We can have nameless exports, so we need to do the whole - # NumberOfFunctions NumberOfNames foo - # - num_functions = directory.v['NumberOfFunctions'] - num_names = directory.v['NumberOfNames'] - - dllname_rva = directory.v['Name'] - dllname = _isource.read_asciiz(rva_to_file_offset(dllname_rva)) - - # FIXME Base, etc - fun_off = rva_to_file_offset(directory.v['AddressOfFunctions']) - name_off = rva_to_file_offset(directory.v['AddressOfNames']) - ord_off = rva_to_file_offset(directory.v['AddressOfNameOrdinals']) - base = directory.v['Base'] - - # Allocate the list of names - names = Array.new(num_functions) - - # - # Iterate the names and name/ordinal list, getting the names - # and storing them in the name list... - # - num_names.times do |i| - name_rva = _isource.read(name_off + (i * 4), 4).unpack('V')[0] - ordinal = _isource.read(ord_off + (i * 2), 2).unpack('v')[0] - name = _isource.read_asciiz(rva_to_file_offset(name_rva)) - - # store the exported name in the name list - names[ordinal] = name - end - - exports = ExportDirectory.new(dllname, [ ], base) - - # - # Now just iterate the functions (rvas) list.. - # - num_functions.times do |i| - rva = _isource.read(fun_off + (i * 4), 4).unpack('V')[0] - - # ExportEntry.new(name, ordinal, rva) - exports.entries << ExportEntry.new(names[i], i + base, rva) - end - - return exports - end - - # - # Base relocations in the hizzy - # - def relocations - if !_relocations_cached - self._relocations_cache = _load_relocations - self._relocations_cached = true - end - return _relocations_cache - end - - def _load_relocations - - # - # Get the data directory entry, size, etc - # - exports_entry = _optional_header['DataDirectory'][5] - rva = exports_entry.v['VirtualAddress'] - size = exports_entry.v['Size'] - - return nil if size == 0 - - # - # Ok, so we have the data directory, now lets parse it - # - - dirdata = _isource.read(rva_to_file_offset(rva), size) - - relocdirs = [ ] - - while dirdata.length >= IMAGE_SIZEOF_BASE_RELOCATION - header = IMAGE_BASE_RELOCATION.make_struct - header.from_s(dirdata) - dirdata = header.leftover - - numrelocs = (header.v['SizeOfBlock'] - IMAGE_SIZEOF_BASE_RELOCATION) / 2 - - relocbase = header.v['VirtualAddress'] - - relocdir = RelocationDirectory.new(relocbase, [ ]) - - numrelocs.times do - reloc = IMAGE_BASE_RELOCATION_TYPE_OFFSET.make_struct - reloc.from_s(dirdata) - dirdata = reloc.leftover - - typeoffset = reloc.v['TypeOffset'] - - relocrva = relocbase + (typeoffset & 0xfff) - reloctype = (typeoffset >> 12) & 0xf - - relocdir.entries << RelocationEntry.new(relocrva, reloctype) - end - - relocdirs << relocdir - end - - return relocdirs - end - - - # - # We lazily parse the resources, and then cache them - # - def resources - if !_resources_cached - _load_resources - self._resources_cached = true - end - - return self._resources_cache - end - - def _load_resources - # - # Get the data directory entry, size, etc - # - rsrc_entry = _optional_header['DataDirectory'][IMAGE_DIRECTORY_ENTRY_RESOURCE] - rva = rsrc_entry.v['VirtualAddress'] - size = rsrc_entry.v['Size'] - - return nil if size == 0 - - # - # Ok, so we have the data directory, now lets parse it - # - data = _isource.read(rva_to_file_offset(rva), size) - - self._resources_cache = {} - _parse_resource_directory(data) - end - - def _parse_resource_directory(data, rname=0, rvalue=0x80000000, path='0', pname=nil) - - pname = _parse_resource_name(data, rname) - if (path.scan('/').length == 1) - if (pname !~ /^\d+/) - path = "/" + pname - else - path = "/" + _resource_lookup( (rname & ~0x80000000).to_s) - end - end - - - rvalue &= ~0x80000000 - vals = data[rvalue, 16].unpack('VVvvvv') - - chars = vals[0] - tdate = vals[1] - vers = "#{vals[2]}#{vals[3]}" - count = vals[4] + vals[5] - - 0.upto(count-1) do |i| - - ename, evalue = data[rvalue + 16 + ( i * 8), 8].unpack('VV') - epath = path + '/' + i.to_s - - if (ename & 0x80000000 != 0) - pname = _parse_resource_name(data, ename) - end - - if (evalue & 0x80000000 != 0) - # This is a subdirectory - _parse_resource_directory(data, ename, evalue, epath, pname) - else - # This is an entry - _parse_resource_entry(data, ename, evalue, epath, pname) - end - end - - end - - def _resource_lookup(i) - tbl = { - '1' => 'RT_CURSOR', - '2' => 'RT_BITMAP', - '3' => 'RT_ICON', - '4' => 'RT_MENU', - '5' => 'RT_DIALOG', - '6' => 'RT_STRING', - '7' => 'RT_FONTDIR', - '8' => 'RT_FONT', - '9' => 'RT_ACCELERATORS', - '10' => 'RT_RCDATA', - '11' => 'RT_MESSAGETABLE', - '12' => 'RT_GROUP_CURSOR', - '14' => 'RT_GROUP_ICON', - '16' => 'RT_VERSION', - '17' => 'RT_DLGINCLUDE', - '19' => 'RT_PLUGPLAY', - '20' => 'RT_VXD', - '21' => 'RT_ANICURSOR', - '22' => 'RT_ANIICON', - '23' => 'RT_HTML', - '24' => 'RT_MANIFEST', - '32767' => 'RT_ERROR', - '8192' => 'RT_NEWRESOURCE', - '8194' => 'RT_NEWBITMAP', - '8196' => 'RT_NEWMENU', - '8197' => 'RT_NEWDIALOG' - } - tbl[i] || i - end - - def _parse_resource_entry(data, rname, rvalue, path, pname) - - rva, size, code = data[rvalue, 12].unpack('VVV') - lang = _parse_resource_name(data, rname) - - ent = ResourceEntry.new( - self, - path, - lang, - code, - rva, - size, - pname - ) - self._resources_cache[path] = ent - end - - def _parse_resource_name(data, rname) - if (rname & 0x80000000 != 0) - rname &= ~0x80000000 - unistr = data[rname+2, 2 * data[rname,2].unpack('v')[0] ] - unistr, trash = unistr.split(/\x00\x00/n, 2) - return unistr ? unistr.gsub(/\x00/n, '') : nil - end - - rname.to_s - end - - def update_checksum - off = _dos_header.e_lfanew + IMAGE_FILE_HEADER_SIZE + 0x40 - _isource.rawdata[off, 4] = [0].pack('V') - - rem = _isource.size % 4 - sum_me = '' - sum_me << _isource.rawdata - sum_me << "\x00" * (4 - rem) if rem > 0 - - cksum = 0 - sum_me.unpack('V*').each { |el| - cksum = (cksum & 0xffffffff) + (cksum >> 32) + el - if cksum > 2**32 - cksum = (cksum & 0xffffffff) + (cksum >> 32) - end - } - - cksum = (cksum & 0xffff) + (cksum >> 16) - cksum += (cksum >> 16) - cksum &= 0xffff - - cksum += _isource.size - - _isource.rawdata[off, 4] = [cksum].pack('V') - end - -end end end diff --git a/lib/rex/peparsey/section.rb b/lib/rex/peparsey/section.rb deleted file mode 100644 index ddf3968deb..0000000000 --- a/lib/rex/peparsey/section.rb +++ /dev/null @@ -1,128 +0,0 @@ -# -*- coding: binary -*- - -require 'rex/peparsey/exceptions' -require 'rex/peparsey/pebase' -require 'rex/struct2' - -module Rex -module PeParsey -class Section - attr_accessor :_section_header, :_isource - attr_accessor :base_rva - - # - # Initialize a section. - # - # isource - The ImageSource class backing the image - # base_vma - The address of this section base - # section_header - The section header (struct2) although this is not - # required, which is why there is a base_vma. This can be nil. - # - def initialize(isource, base_rva, section_header = nil) - self._isource = isource - self.base_rva = base_rva - self._section_header = section_header - end - - def file_offset - _isource.file_offset - end - - def size - _isource.size - end - - def name - # a section header is not required - return nil if !_section_header - - # FIXME make this better... - _section_header.v['Name'].gsub(/\x00+$/n, '') - end - - def flags - # a section header is not required - return nil if !_section_header - _section_header.v['Characteristics'] - end - - def vma - # a section header is not required - return nil if !_section_header - _section_header.v['VirtualAddress'] - end - - def raw_size - # a section header is not required - return nil if !_section_header - _section_header.v['SizeOfRawData'] - end - - def _check_offset(offset, len = 1) - if offset < 0 || offset+len > size - raise BoundsError, "Offset #{offset} outside of section", caller - end - end - - def read(offset, len) - _check_offset(offset, len) - return _isource.read(offset, len) - end - - def read_rva(rva, len) - return read(rva_to_offset(rva), len) - end - - def read_asciiz(offset) - _check_offset(offset) - return _isource.read_asciiz(offset) - end - - def read_asciiz_rva(rva) - return read_asciiz(rva_to_offset(rva)) - end - - def index(*args) - _isource.index(*args) - end - - def offset_to_rva(offset) - if !contains_offset?(offset) - raise BoundsError, "Offset #{offset} outside of section", caller - end - - return offset + base_rva - end - - def file_offset_to_rva(foffset) - return offset_to_rva(foffset - file_offset) - end - - def rva_to_offset(rva) - offset = rva - base_rva - if !contains_offset?(offset) - raise BoundsError, "RVA #{rva} outside of section", caller - end - - return offset - end - - def rva_to_file_offset(rva) - return rva_to_offset(rva) + file_offset - end - - def contains_offset?(offset) - offset >= 0 && offset < size - end - - def contains_file_offset?(foffset) - contains_offset?(foffset - file_offset) - end - - def contains_rva?(rva) - contains_offset?(rva - base_rva) - end - -end - -end end diff --git a/lib/rex/pescan.rb b/lib/rex/pescan.rb deleted file mode 100644 index 5d38758c6d..0000000000 --- a/lib/rex/pescan.rb +++ /dev/null @@ -1,11 +0,0 @@ -# -*- coding: binary -*- - -module Rex -module PeScan - -end -end - -require 'rex/pescan/analyze' -require 'rex/pescan/scanner' -require 'rex/pescan/search' diff --git a/lib/rex/pescan/analyze.rb b/lib/rex/pescan/analyze.rb deleted file mode 100644 index e76903cc4a..0000000000 --- a/lib/rex/pescan/analyze.rb +++ /dev/null @@ -1,366 +0,0 @@ -# -*- coding: binary -*- -module Rex -module PeScan -module Analyze - - require "rex/text/table" - - class Fingerprint - attr_accessor :pe - - def initialize(pe) - self.pe = pe - end - - def config(param) - @sigs = {} - - name = nil - regx = '' - epon = 0 - sidx = 0 - - fd = File.open(param['database'], 'rb') - fd.each_line do |line| - case line - when /^\s*#/ - next - when /\[\s*(.*)\s*\]/ - if (name) - @sigs[ name ] = [regx, epon] - end - name = $1 + " [#{ sidx+=1 }]" - epon = 0 - next - when /signature\s*=\s*(.*)/ - pat = $1.strip - regx = '' - pat.split(/\s+/).each do |c| - next if c.length != 2 - regx << (c.index('?') ? '.' : "\\x#{c}") - end - when /ep_only\s*=\s*(.*)/ - epon = ($1 =~ /^T/i) ? 1 : 0 - end - end - - if (name and ! @sigs[name]) - @sigs[ name ] = [regx, epon] - end - - fd.close - end - - def scan(param) - config(param) - - epa = pe.hdr.opt.AddressOfEntryPoint - buf = pe.read_rva(epa, 256) || "" - - @sigs.each_pair do |name, data| - begin - if (buf.match(Regexp.new('^' + data[0], nil, 'n'))) - $stdout.puts param['file'] + ": " + name - end - rescue RegexpError - $stderr.puts "Invalid signature: #{name} #{data[0]}" - end - end - end - end - - class Information - attr_accessor :pe - - def initialize(pe) - self.pe = pe - end - - def add_fields(tbl, obj, fields) - fields.each do |name| - begin - tbl << [name, "0x%.8x" % obj.send(name)] - rescue ::NoMethodError => e - $stderr.puts "Invalid field #{name}" - end - end - end - - def scan(param) - - $stdout.puts "\n\n" - - tbl = table("Image Headers", ['Name', 'Value']) - add_fields(tbl, pe.hdr.file, %W{ - Characteristics - SizeOfOptionalHeader - PointerToSymbolTable - TimeDateStamp - NumberOfSections - Machine - }) - $stdout.puts tbl.to_s - $stdout.puts "\n\n" - - tbl = table("Optional Image Headers", ['Name', 'Value']) - add_fields(tbl, pe.hdr.opt, %W{ - ImageBase - Magic - MajorLinkerVersion - MinorLinkerVersion - SizeOfCode - SizeOfInitializeData - SizeOfUninitializeData - AddressOfEntryPoint - BaseOfCode - BaseOfData - SectionAlignment - FileAlignment - MajorOperatingSystemVersion - MinorOperatingSystemVersion - MajorImageVersion - MinorImageVersion - MajorSubsystemVersion - MinorSubsystemVersion - Win32VersionValue - SizeOfImage - SizeOfHeaders - CheckSum - Subsystem - DllCharacteristics - SizeOfStackReserve - SizeOfStackCommit - SizeOfHeapReserve - SizeOfHeapCommit - LoaderFlags - NumberOfRvaAndSizes - }) - - $stdout.puts tbl.to_s - $stdout.puts "\n\n" - - # Get DllCharacteristics (in Integer) - dllcharacteristics = pe.hdr.opt.struct[23].value - - if (dllcharacteristics > 0) - tbl = table("DllCharacteristics", ['Flag', 'Value']) - - # http://msdn.microsoft.com/en-us/library/ms680339(v=vs.85).aspx - traits = { - :ASLR => 'False', #IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE - :Integrity => 'False', #IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY - :NX => 'False', #IMAGE_DLLCHARACTERISTICS_NX_COMPAT - :Isolation => 'False', #IMAGE_DLLCHARACTERISTICS_NO_ISOLATION - :SEH => 'False', #IMAGE_DLLCHARACTERISTICS_NO_SEH - :Bind => 'False', #IMAGE_DLLCHARACTERISTICS_NO_BIND - :WDM => 'False', #IMAGE_DLLCHARACTERISTICS_WDM_DRIVER - :Terminal => 'False' #IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE - } - - # Convert integer to an bit array - c_bits = ("%32d" %dllcharacteristics.to_s(2)).split('').map { |e| e.to_i }.reverse - - # Check characteristics - traits[:ASLR] = 'True' if c_bits[6] == 1 #0x0040 - traits[:Integrity] = 'True' if c_bits[7] == 1 #0x0080 - traits[:NX] = 'True' if c_bits[8] == 1 #0x0100 - traits[:Isolation] = 'True' if c_bits[9] == 1 #0x0200 - traits[:SEH] = 'True' if c_bits[10] == 1 #0x0400 - traits[:Bind] = 'True' if c_bits[11] == 1 #0x0800 - traits[:WDM] = 'True' if c_bits[13] == 1 #2000 - traits[:Terminal] = 'True' if c_bits[15] == 1 #0x8000 - - # Putting results to table - traits.each do |trait_name, trait_value| - tbl << [trait_name, trait_value] - end - - $stdout.puts tbl.to_s - $stdout.puts "\n\n" - end - - if (pe.exports) - tbl = table("Exported Functions", ['Ordinal', 'Name', 'Address']) - pe.exports.entries.each do |ent| - tbl << [ent.ordinal, ent.name, "0x%.8x" % pe.rva_to_vma(ent.rva)] - end - $stdout.puts tbl.to_s - $stdout.puts "\n\n" - end - - # Rex::PeParsey::Pe doesn't seem to give us any offset information for each function, - # which makes it difficult to calculate the actual addresses for them. So instead we - # are using Metasm::COFF::ImportDirectory to do this task. The ability to see - # addresses is mainly for ROP. - if (pe.imports) - tbl = table("Imported Functions", ['Library', 'Address', 'Ordinal', 'Name']) - exefmt = Metasm::AutoExe.orshellcode{ Metasm.const_get('x86_64').new } - exe = exefmt.decode_file(pe._isource.file.path) - ibase = pe.image_base - exe_imports = exe.imports - exe_imports.each do |lib| - lib_name = lib.libname - ini_offset = lib.iat_p - func_table = lib.imports - offset = 0 - func_table.each do |func| - func_addr = "0x%08x" %(ibase + ini_offset + offset) - tbl << [lib_name, func_addr, func.hint, func.name] - offset += 4 - end - end - - $stdout.puts tbl.to_s - $stdout.puts "\n\n" - end - - if(pe.config) - tbl = table("Configuration Header", ['Name', 'Value']) - add_fields(tbl, pe.config, %W{ - Size - TimeDateStamp - MajorVersion - MinorVersion - GlobalFlagsClear - GlobalFlagsSet - CriticalSectionDefaultTimeout - DeCommitFreeBlockThreshold - DeCommitTotalFreeThreshold - LockPrefixTable - MaximumAllocationSize - VirtualMemoryThreshold - ProcessAffinityMask - ProcessHeapFlags - CSDVersion - Reserved1 - EditList - SecurityCookie - SEHandlerTable - SEHandlerCount - }) - $stdout.puts tbl.to_s - $stdout.puts "\n\n" - end - - - if(pe.resources) - tbl = table("Resources", ['ID', 'Language', 'Code Page', 'Size', 'Name']) - pe.resources.keys.sort.each do |rkey| - res = pe.resources[rkey] - tbl << [rkey, res.lang, res.code, res.size, res.file] - end - $stdout.puts tbl.to_s - $stdout.puts "\n\n" - end - - tbl = table("Section Header", ["Name", "VirtualAddress", "SizeOfRawData", "Characteristics"]) - pe.sections.each do |sec| - tbl << [ sec.name, *[sec.vma, sec.raw_size, sec.flags].map{|x| "0x%.8x" % x} ] - end - $stdout.puts tbl.to_s - $stdout.puts "\n\n" - - end - - def table(name, cols) - Rex::Text::Table.new( - 'Header' => name, - 'Columns' => cols - ) - end - end - - - class Ripper - - require "fileutils" - - attr_accessor :pe - - def initialize(pe) - self.pe = pe - end - - def scan(param) - dest = param['dir'] - - if (param['file']) - dest = File.join(dest, File.basename(param['file'])) - end - - ::FileUtils.mkdir_p(dest) - - pe.resources.keys.sort.each do |rkey| - res = pe.resources[rkey] - path = File.join(dest, rkey.split('/')[1] + '_' + res.file) - - fd = File.new(path, 'wb') - fd.write(res.data) - fd.close - end - end - end - - class ContextMapDumper - - attr_accessor :pe - - def initialize(pe) - self.pe = pe - end - - def scan(param) - dest = param['dir'] - path = '' - - ::FileUtils.mkdir_p(dest) - - if(not (param['dir'] and param['file'])) - $stderr.puts "No directory or file specified" - return - end - - if (param['file']) - path = File.join(dest, File.basename(param['file']) + ".map") - end - - fd = File.new(path, "wb") - pe.all_sections.each do |section| - - # Skip over known bad sections - next if section.name == ".data" - next if section.name == ".reloc" - - offset = 0 - while offset < section.size - byte = section.read(offset, 1)[0] - if byte != 0 - chunkbase = pe.rva_to_vma(section.base_rva) + offset - data = '' - while byte != 0 - data << byte - offset += 1 - byte = 0 - byte = section.read(offset, 1)[0] if offset < section.size - end - buff = nil - buff = [ 0x01, chunkbase, data.length, data].pack("CNNA*") if data.length > 0 - - fd.write(buff) if buff - end - offset += 1 - end - - end - - - fd.close - end - end - -# EOC - -end -end -end - diff --git a/lib/rex/pescan/scanner.rb b/lib/rex/pescan/scanner.rb deleted file mode 100644 index 4ff69f7bbe..0000000000 --- a/lib/rex/pescan/scanner.rb +++ /dev/null @@ -1,230 +0,0 @@ -# -*- coding: binary -*- -require 'metasm' - -module Rex -module PeScan -module Scanner - - class Generic - - attr_accessor :pe, :regex - - def initialize(pe) - self.pe = pe - end - - def config(param) - end - - def scan(param) - config(param) - - $stdout.puts "[#{param['file']}]" - pe.all_sections.each do |section| - hits = scan_section(section, param) - hits.each do |hit| - vma = pe.rva_to_vma(hit[0]) - - next if (param['filteraddr'] and [vma].pack("V").reverse !~ /#{param['filteraddr']}/) - - msg = hit[1].is_a?(Array) ? hit[1].join(" ") : hit[1] - $stdout.puts pe.ptr_s(vma) + " " + msg - if(param['disasm']) - #puts [msg].pack('H*').inspect - insns = [] - - msg.gsub!("; ", "\n") - if msg.include?("retn") - msg.gsub!("retn", "ret") - end - #puts msg - begin - d2 = Metasm::Shellcode.assemble(Metasm::Ia32.new, msg).disassemble - rescue Metasm::ParseError - d2 = Metasm::Shellcode.disassemble(Metasm::Ia32.new, [msg].pack('H*')) - end - addr = 0 - while ((di = d2.disassemble_instruction(addr))) - insns << di.instruction - disasm = "0x%08x\t" % (vma + addr) - disasm << di.instruction.to_s - $stdout.puts disasm - addr = di.next_addr - end -# ::Rex::Assembly::Nasm.disassemble([msg].pack("H*")).split("\n").each do |line| -# $stdout.puts "\tnasm: #{line.strip}" - #end - end - end - end - end - - def scan_section(section, param={}) - [] - end - end - - class JmpRegScanner < Generic - - def config(param) - regnums = param['args'] - - # build a list of the call bytes - calls = _build_byte_list(0xd0, regnums - [4]) # note call esp's don't work.. - jmps = _build_byte_list(0xe0, regnums) - pushs1 = _build_byte_list(0x50, regnums) - pushs2 = _build_byte_list(0xf0, regnums) - - regexstr = '(' - if !calls.empty? - regexstr += "\xff[#{calls}]|" - end - - regexstr += "\xff[#{jmps}]|([#{pushs1}]|\xff[#{pushs2}])(\xc3|\xc2..))" - - self.regex = Regexp.new(regexstr, nil, 'n') - end - - # build a list for regex of the possible bytes, based on a base - # byte and a list of register numbers.. - def _build_byte_list(base, regnums) - regnums.collect { |regnum| Regexp.escape((base | regnum).chr) }.join('') - end - - def _ret_size(section, index) - d = section.read(index, 1) - case d - when "\xc3" - return 1 - when "\xc2" - return 3 - end - - raise RuntimeError, "invalid return opcode" - end - - def _parse_ret(data) - if data.length == 1 - return "ret" - else - return "retn 0x%04x" % data[1, 2].unpack('v')[0] - end - end - - - def scan_section(section, param={}) - index = 0 - - hits = [ ] - - while (index = section.index(regex, index)) != nil - rva = section.offset_to_rva(index) - message = '' - - parse_ret = false - - byte1 = section.read(index, 1).unpack("C*")[0] - - if byte1 == 0xff - byte2 = section.read(index+1, 1).unpack("C*")[0] - regname = Rex::Arch::X86.reg_name32(byte2 & 0x7) - - case byte2 & 0xf8 - when 0xd0 - message = "call #{regname}" - index += 2 - when 0xe0 - message = "jmp #{regname}" - index += 2 - when 0xf0 - retsize = _ret_size(section, index+2) - message = "push #{regname}; " + _parse_ret(section.read(index+2, retsize)) - index += 2 + retsize - else - raise "wtf" - end - else - regname = Rex::Arch::X86.reg_name32(byte1 & 0x7) - retsize = _ret_size(section, index+1) - message = "push #{regname}; " + _parse_ret(section.read(index+1, retsize)) - index += 1 + retsize - end - - hits << [ rva, message ] - end - - return hits - end - end - - class PopPopRetScanner < JmpRegScanner - - def config(param) - pops = _build_byte_list(0x58, (0 .. 7).to_a - [4]) # we don't want pop esp's... - self.regex = Regexp.new("[#{pops}][#{pops}](\xc3|\xc2..)", nil, 'n') - end - - def scan_section(section, param={}) - - index = 0 - - hits = [ ] - - while index < section.size && (index = section.index(regex, index)) != nil - rva = section.offset_to_rva(index) - message = '' - - pops = section.read(index, 2) - reg1 = Rex::Arch::X86.reg_name32(pops[0,1].unpack("C*")[0] & 0x7) - reg2 = Rex::Arch::X86.reg_name32(pops[1,1].unpack("C*")[0] & 0x7) - - message = "pop #{reg1}; pop #{reg2}; " - - retsize = _ret_size(section, index+2) - message += _parse_ret(section.read(index+2, retsize)) - - index += 2 + retsize - - hits << [ rva, message ] - end - - return hits - end - end - - class RegexScanner < Generic - - def config(param) - self.regex = Regexp.new(param['args'], nil, 'n') - end - - def scan_section(section, param={}) - index = 0 - - hits = [ ] - - while index < section.size && (index = section.index(regex, index)) != nil - - idx = index - buf = '' - mat = nil - - while (! (mat = buf.match(regex))) - buf << section.read(idx, 1) - idx += 1 - end - - rva = section.offset_to_rva(index) - - hits << [ rva, buf.unpack("H*") ] - index += buf.length - end - - return hits - end - end - -end -end -end - diff --git a/lib/rex/pescan/search.rb b/lib/rex/pescan/search.rb deleted file mode 100644 index 2e415731ec..0000000000 --- a/lib/rex/pescan/search.rb +++ /dev/null @@ -1,68 +0,0 @@ -# -*- coding: binary -*- -module Rex -module PeScan -module Search - - require "rex/assembly/nasm" - - class DumpRVA - attr_accessor :pe - - def initialize(pe) - self.pe = pe - end - - def config(param) - @address = pe.vma_to_rva(param['args']) - end - - def scan(param) - config(param) - - $stdout.puts "[#{param['file']}]" - - # Adjust based on -A and -B flags - pre = param['before'] || 0 - suf = param['after'] || 16 - - @address -= pre - @address = 0 if (@address < 0 || ! @address) - - begin - buf = pe.read_rva(@address, suf) - rescue ::Rex::PeParsey::PeParseyError - return - end - - $stdout.puts pe.ptr_s(pe.rva_to_vma(@address)) + " " + buf.unpack("H*")[0] - if(param['disasm']) - insns = [] - buf.gsub!("; ", "\n") - if buf.include?("retn") - buf.gsub!("retn", "ret") - end - d2 = Metasm::Shellcode.disassemble(Metasm::Ia32.new, buf) - addr = 0 - while ((di = d2.disassemble_instruction(addr))) - insns << di.instruction - disasm = "0x%08x\t" % (pe.rva_to_vma(@address) + addr) - disasm << di.instruction.to_s - $stdout.puts disasm - addr = di.next_addr - end - end - - end - end - - class DumpOffset < DumpRVA - def config(param) - begin - @address = pe.file_offset_to_rva(param['args']) - rescue Rex::PeParsey::BoundsError - end - end - end -end -end -end diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec index 52abbba707..14eeb610f4 100644 --- a/metasploit-framework.gemspec +++ b/metasploit-framework.gemspec @@ -132,6 +132,8 @@ Gem::Specification.new do |spec| spec.add_runtime_dependency 'rex-arch' # Library for working with OLE. spec.add_runtime_dependency 'rex-ole' + # Library for parsing and manipulating executable binaries + spec.add_runtime_dependency 'rex-bin_tools' # rb-readline doesn't work with Ruby Installer due to error with Fiddle: # NoMethodError undefined method `dlopen' for Fiddle:Module diff --git a/spec/lib/rex/file_utils_spec.rb b/spec/lib/rex/file_utils_spec.rb deleted file mode 100644 index 1230c0ee0e..0000000000 --- a/spec/lib/rex/file_utils_spec.rb +++ /dev/null @@ -1,60 +0,0 @@ -require 'rex/file' - -RSpec.describe Rex::FileUtils do - context "Class methods" do - - context ".normalize_win_path" do - it "should convert an absolute path as an array into Windows format" do - expect(described_class.normalize_win_path('C:\\', 'hello', 'world')).to eq("C:\\hello\\world") - end - - it "should convert an absolute path as a string into Windows format" do - expect(described_class.normalize_win_path('C:\\hello\\world')).to eq("C:\\hello\\world") - end - - it "should convert a relative path" do - expect(described_class.normalize_win_path('/', 'test', 'me')).to eq("\\test\\me") - expect(described_class.normalize_win_path('\\temp')).to eq("\\temp") - expect(described_class.normalize_win_path('temp')).to eq("temp") - end - - it "should keep the trailing slash if exists" do - expect(described_class.normalize_win_path('/', 'test', 'me\\')).to eq("\\test\\me\\") - expect(described_class.normalize_win_path('\\temp\\')).to eq("\\temp\\") - end - - it "should convert a path without reserved characters" do - expect(described_class.normalize_win_path('C:\\', 'Windows:')).to eq("C:\\Windows") - expect(described_class.normalize_win_path('C:\\Windows???\\test')).to eq("C:\\Windows\\test") - end - - it "should convert a path without double slashes" do - expect(described_class.normalize_win_path('C:\\\\\\', 'Windows')).to eq("C:\\Windows") - expect(described_class.normalize_win_path('C:\\\\\\Hello World\\\\whatever.txt')).to eq("C:\\Hello World\\whatever.txt") - expect(described_class.normalize_win_path('C:\\\\')).to eq("C:\\") - expect(described_class.normalize_win_path('\\test\\\\test\\\\')).to eq("\\test\\test\\") - end - end - - context ".normalize_unix_path" do - it "should convert an absolute path as an array into Unix format" do - expect(described_class.normalize_unix_path('/etc', '/passwd')).to eq("/etc/passwd") - end - - it "should convert an absolute path as a string into Unix format" do - expect(described_class.normalize_unix_path('/etc/passwd')).to eq('/etc/passwd') - end - - it "should still give me a trailing slash if I have it" do - expect(described_class.normalize_unix_path('/etc/folder/')).to eq("/etc/folder/") - end - - it "should convert a path without double slashes" do - expect(described_class.normalize_unix_path('//etc////passwd')).to eq("/etc/passwd") - expect(described_class.normalize_unix_path('/etc////', 'passwd')).to eq('/etc/passwd') - end - end - - end -end - From 8bece28d0051897fdd54d03a2c034146471c364a Mon Sep 17 00:00:00 2001 From: David Maloney Date: Mon, 15 Aug 2016 14:04:00 -0500 Subject: [PATCH 2/3] remove *scan bins as well all *scan bins need to be removed as the rex-bin_tools gem will now handle these and put them in PATH MS-1691 --- data/msfpescan/identify.txt | 3043 ----------------------------------- msfbinscan | 300 ---- msfelfscan | 135 -- msfmachscan | 116 -- msfpescan | 199 --- 5 files changed, 3793 deletions(-) delete mode 100755 data/msfpescan/identify.txt delete mode 100755 msfbinscan delete mode 100755 msfelfscan delete mode 100755 msfmachscan delete mode 100755 msfpescan diff --git a/data/msfpescan/identify.txt b/data/msfpescan/identify.txt deleted file mode 100755 index b290f4b363..0000000000 --- a/data/msfpescan/identify.txt +++ /dev/null @@ -1,3043 +0,0 @@ -[Name of the Packer v1.0] -signature = 50 E8 ?? ?? ?? ?? 58 25 ?? F0 FF FF 8B C8 83 C1 60 51 83 C0 40 83 EA 06 52 FF 20 9D C3 -ep_only = true - -[Crypto-Lock v2.02 (Eng) -> Ryan Thian] -signature = 60 BE ?? 90 40 00 8D BE ?? ?? FF FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 31 C9 83 E8 03 72 0D C1 E0 08 8A 06 46 83 F0 FF 74 74 89 C5 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C9 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C9 75 20 41 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C9 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 83 C1 02 81 FD 00 F3 FF FF 83 D1 01 8D 14 2F 83 FD FC 76 0F 8A 02 42 88 07 47 49 75 F7 E9 63 FF FF FF 90 8B 02 83 C2 04 89 07 83 C7 04 83 E9 04 77 F1 01 CF E9 4C FF FF FF 5E 89 F7 B9 55 00 00 00 8A 07 47 2C E8 3C 01 77 F7 80 3F 01 75 F2 8B 07 8A 5F 04 66 C1 E8 08 C1 C0 10 86 C4 29 F8 80 EB E8 01 F0 89 07 -ep_only = true - -[Exact Audio Copy -> (UnknownCompiler)] -signature = E8 ?? ?? ?? 00 31 ED 55 89 E5 81 EC ?? 00 00 00 8D BD ?? FF FF FF B9 ?? 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? 00 ?? ?? ?? ?? 00 ?? ?? ?? ?? 00 ?? ?? ?? ?? 00 ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 -ep_only = true - -[FSG v1.00 (Eng) -> dulek/xt] -signature = BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? 00 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 FC B2 80 A4 6A 02 5B FF 14 24 73 F7 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 21 B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3F AA EB DC E8 43 00 00 00 2B CB 75 10 E8 38 00 00 00 EB 28 AC D1 E8 74 41 13 C9 EB 1C 91 48 C1 E0 08 AC E8 22 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B3 01 56 8B F7 2B F0 F3 A4 5E EB 96 33 C9 41 FF 54 24 04 13 C9 FF 54 24 04 72 F4 C3 5F 5B 0F B7 3B 4F 74 08 4F 74 13 C1 E7 0C EB 07 8B 7B 02 57 83 C3 04 43 43 E9 51 FF FF FF 5F BB 28 ?? ?? 00 47 8B 37 AF 57 FF 13 95 33 C0 AE 75 FD FE 0F 74 EF FE 0F 75 06 47 FF 37 AF EB 09 FE 0F 0F 84 ?? ?? ?? FF 57 55 FF 53 04 09 06 AD 75 DB 8B EC C3 1C ?? ?? 00 00 00 00 00 00 00 00 -ep_only = true - -[FSG v1.10 (Eng) -> bart/xt] -signature = BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? 00 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 B2 80 A4 6A 02 5B FF 14 24 73 F7 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 21 B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3F AA EB DC E8 43 00 00 00 2B CB 75 10 E8 38 00 00 00 EB 28 AC D1 E8 74 41 13 C9 EB 1C 91 48 C1 E0 08 AC E8 22 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B3 01 56 8B F7 2B F0 F3 A4 5E EB 96 33 C9 41 FF 54 24 04 13 C9 FF 54 24 04 72 F4 C3 5F 5B 0F B7 3B 4F 74 08 4F 74 13 C1 E7 0C EB 07 8B 7B 02 57 83 C3 04 43 43 E9 52 FF FF FF 5F BB 27 ?? ?? 00 47 8B 37 AF 57 FF 13 95 33 C0 AE 75 FD FE 07 74 EF FE 07 75 06 47 FF 37 AF EB 09 FE 07 0F 84 1A ?? ?? FF 57 55 FF 53 04 09 06 AD 75 DB 8B EC C3 1B ?? ?? 00 00 00 00 00 00 00 00 00 -ep_only = true - -[FSG v1.30 (Eng) -> dulek/xt] -signature = BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? 00 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 B2 80 A4 6A 02 5B FF 14 24 73 F7 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 21 B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3F AA EB DC E8 43 00 00 00 2B CB 75 10 E8 38 00 00 00 EB 28 AC D1 E8 74 41 13 C9 EB 1C 91 48 C1 E0 08 AC E8 22 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B3 01 56 8B F7 2B F0 F3 A4 5E EB 96 33 C9 41 FF 54 24 04 13 C9 FF 54 24 04 72 F4 C3 5F 5B 0F B7 3B 4F 74 08 4F 74 13 C1 E7 0C EB 07 8B 7B 02 57 83 C3 04 43 43 E9 52 FF FF FF 5F BB ?? ?? ?? 00 47 8B 37 AF 57 FF 13 95 33 C0 AE 75 FD FE 0F 74 EF FE 0F 75 06 47 FF 37 AF EB 09 FE 0F 0F 84 ?? ?? ?? FF 57 55 FF 53 04 09 06 AD 75 DB 8B EC C3 ?? ?? ?? 00 00 00 00 00 00 00 00 00 -ep_only = true - -[FSG v1.31 (Eng) -> dulek/xt] -signature = BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? 00 53 BB ?? ?? ?? 00 B2 80 A4 B6 80 FF D3 73 F9 33 C9 FF D3 73 16 33 C0 FF D3 73 23 B6 80 41 B0 10 FF D3 12 C0 73 FA 75 42 AA EB E0 E8 46 00 00 00 02 F6 83 D9 01 75 10 E8 38 00 00 00 EB 28 AC D1 E8 74 48 13 C9 EB 1C 91 48 C1 E0 08 AC E8 22 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B6 00 56 8B F7 2B F0 F3 A4 5E EB 97 33 C9 41 FF D3 13 C9 FF D3 72 F8 C3 02 D2 75 05 8A 16 46 12 D2 C3 5B 5B 0F B7 3B 4F 74 08 4F 74 13 C1 E7 0C EB 07 8B 7B 02 57 83 C3 04 43 43 E9 58 FF FF FF 5F BB ?? ?? ?? 00 47 8B 37 AF 57 FF 13 95 33 C0 AE 75 FD FE 0F 74 EF FE 0F 75 06 47 FF 37 AF EB 09 FE 0F 0F 84 ?? ?? ?? FF 57 55 FF 53 04 89 06 AD 85 C0 75 D9 8B EC C3 ?? ?? ?? 00 00 00 00 00 00 00 00 00 88 01 00 00 -ep_only = true - -[FSG 1.31 -> dulek/xt] -signature = BE ?? ?? ?? 00 BF ?? ?? ?? 00 BB ?? ?? ?? 00 53 BB ?? ?? ?? 00 B2 80 -ep_only = true - -[FSG v1.33 (Eng) -> dulek/xt] -signature = BE A4 01 40 00 AD 93 AD 97 AD 56 96 B2 80 A4 B6 80 FF 13 73 F9 33 C9 FF 13 73 16 33 C0 FF 13 73 1F B6 80 41 B0 10 FF 13 12 C0 73 FA 75 3C AA EB E0 FF 53 08 02 F6 83 D9 01 75 0E FF 53 04 EB 26 AC D1 E8 74 2F 13 C9 EB 1A 91 48 C1 E0 08 AC FF 53 04 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B6 00 56 8B F7 2B F0 F3 A4 5E EB 9D 8B D6 5E AD 48 74 0A 79 02 AD 50 56 8B F2 97 EB 87 AD 93 5E 46 AD 97 56 FF 13 95 AC 84 C0 75 FB FE 0E 74 F0 79 05 46 AD 50 EB 09 FE 0E 0F 84 ?? ?? ?? FF 56 55 FF 53 04 AB EB E0 33 C9 41 FF 13 13 C9 FF 13 72 F8 C3 02 D2 75 05 8A 16 46 12 D2 C3 ?? ?? ?? 00 00 00 00 00 00 00 00 00 54 01 00 00 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 61 01 00 00 6F 01 00 00 00 00 00 00 00 00 00 00 00 00 -ep_only = true - -[NoodleCrypt v2.00 (Eng) -> NoodleSpa] -signature = EB 01 9A E8 76 00 00 00 EB 01 9A E8 65 00 00 00 EB 01 9A E8 7D 00 00 00 EB 01 9A E8 55 00 00 00 EB 01 9A E8 43 04 00 00 EB 01 9A E8 E1 00 00 00 EB 01 9A E8 3D 00 00 00 EB 01 9A E8 EB 01 00 00 EB 01 9A E8 2C 04 00 00 EB 01 9A E8 25 00 00 00 EB 01 9A E8 02 04 00 00 EB 01 9A E8 19 07 00 00 EB 01 9A E8 9C 00 00 00 EB 01 9A E8 9C 06 00 00 E8 00 00 00 00 0F 7E F8 EB 01 9A 8B F8 C3 E8 00 00 00 00 58 EB 01 9A 25 00 F0 FF FF 8B F8 EB 01 9A 0F 6E F8 C3 8B D0 EB 01 9A 81 C2 C8 00 00 00 EB 01 9A B9 00 17 00 00 EB 01 9A C0 0A 06 EB 01 9A 80 2A 15 EB 01 9A 42 E2 EE 0F 6E C0 EB 01 9A 0F 7E C0 EB 01 9A 8B D0 00 85 EB A5 F5 65 4B 45 45 00 85 EB B3 65 07 45 45 00 85 EB 75 C7 C6 00 85 EB 65 CF 8A 00 85 EB D5 FD C0 00 85 EB 7F E5 05 05 05 00 85 EB 7F 61 06 45 45 00 85 EB 7F -ep_only = true - -[PassLock 2000 v1.0 (Eng) -> Moonlight-Software] -signature = 55 8B EC 53 56 57 BB 00 50 40 00 66 2E F7 05 34 20 40 00 04 00 0F 85 98 00 00 00 E8 1F 01 00 00 C7 43 60 01 00 00 00 8D 83 E4 01 00 00 50 FF 15 F0 61 40 00 83 EC 44 C7 04 24 44 00 00 00 C7 44 24 2C 00 00 00 00 54 FF 15 E8 61 40 00 B8 0A 00 00 00 F7 44 24 2C 01 00 00 00 74 05 0F B7 44 24 30 83 C4 44 89 43 56 FF 15 D0 61 40 00 E8 9E 00 00 00 89 43 4C FF 15 D4 61 40 00 89 43 48 6A 00 FF 15 E4 61 40 00 89 43 5C E8 F9 00 00 00 E8 AA 00 00 00 B8 FF 00 00 00 72 0D 53 E8 96 00 00 00 5B FF 4B 10 FF 4B 18 5F 5E 5B 5D 50 FF 15 C8 61 40 00 C3 83 7D 0C 01 75 3F E8 81 00 00 00 8D 83 E4 01 00 00 50 FF 15 F0 61 40 00 FF 15 D0 61 40 00 E8 3A 00 00 00 89 43 4C FF 15 D4 61 40 00 89 43 48 8B 45 08 89 43 5C E8 9A 00 00 00 E8 4B 00 00 00 72 11 66 FF 43 5A 8B 45 0C 89 43 60 53 -ep_only = true - -[PESpin v0.3 (Eng) -> cyberbob] -signature = EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 B7 CD 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF E8 01 00 00 00 EA 5A 83 EA 0B FF E2 8B 95 CB 2C 40 00 8B 42 3C 03 C2 89 85 D5 2C 40 00 41 C1 E1 07 8B 0C 01 03 CA 8B 59 10 03 DA 8B 1B 89 9D E9 2C 40 00 53 8F 85 B6 2B 40 00 BB ?? 00 00 00 B9 75 0A 00 00 8D BD 7E 2D 40 00 4F 30 1C 39 FE CB E2 F9 68 3C 01 00 00 59 8D BD B6 36 40 00 C0 0C 39 02 E2 FA E8 02 00 00 00 FF 15 5A 8D 85 1F 53 56 00 BB 54 13 0B 00 D1 E3 2B C3 FF E0 E8 01 00 00 00 68 E8 1A 00 00 00 8D 34 28 B9 08 00 00 00 B8 ?? ?? ?? ?? 2B C9 83 C9 15 0F A3 C8 0F 83 81 00 00 00 8D B4 0D DC 2C 40 00 -ep_only = true - -[PeX v0.99 (Eng) -> bart/CrackPl] -signature = E9 F5 00 00 00 0D 0A C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 0D 0A 20 50 65 58 20 28 63 29 20 62 79 20 62 61 72 74 5E 43 72 61 63 6B 50 6C 20 62 65 74 61 20 72 65 6C 65 61 73 65 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0D 0A C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 0D 0A 60 E8 01 00 00 -ep_only = true - -[Special EXE Pasword Protector v1.01 (Eng) -> Pavol Cerven] -signature = 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 89 AD 8C 01 00 00 8B C5 2B 85 FE 75 00 00 89 85 3E 77 00 00 8D 95 C6 77 00 00 8D 8D FF 77 00 00 55 68 00 20 00 00 51 52 6A 00 FF 95 04 7A 00 00 5D 6A 00 FF 95 FC 79 00 00 8D 8D 60 78 00 00 8D 95 85 01 00 00 55 68 00 04 00 00 52 6A 00 51 50 FF 95 08 7A 00 00 5D 8D B5 3F 78 00 00 6A 00 6A 00 6A 00 56 FF 95 0C 7A 00 00 0B C0 0F 84 FE 00 00 00 56 FF 95 10 7A 00 00 56 FF 95 14 7A 00 00 80 BD 3E 78 00 00 00 74 D4 33 D2 8B BD 3E 77 00 00 8D 85 1D 02 00 00 89 85 42 77 00 00 8D 85 49 02 00 00 89 85 46 77 00 00 8D 85 EB 75 00 00 89 85 4A 77 00 00 8B 84 D5 24 76 00 00 03 F8 8B 8C D5 28 76 00 00 3B 85 36 77 00 00 60 74 1F 8D B5 BD 02 00 00 FF D6 85 D2 75 11 60 87 FE 8D BD 15 78 00 00 B9 08 00 00 00 F3 A5 61 EB 15 8D 85 9F 02 00 -ep_only = true - -[SVK Protector v1.32 (Eng) -> Pavol Cerven] -signature = 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 EB 05 B8 06 36 42 00 64 A0 23 00 00 00 EB 03 C7 84 E8 84 C0 EB 03 C7 84 E9 75 67 B9 49 00 00 00 8D B5 C5 02 00 00 56 80 06 44 46 E2 FA 8B 8D C1 02 00 00 5E 55 51 6A 00 56 FF 95 0C 61 00 00 59 5D 40 85 C0 75 3C 80 3E 00 74 03 46 EB F8 46 E2 E3 8B C5 8B 4C 24 20 2B 85 BD 02 00 00 89 85 B9 02 00 00 80 BD B4 02 00 00 01 75 06 8B 8D 0C 61 00 00 89 8D B5 02 00 00 8D 85 0E 03 00 00 8B DD FF E0 55 68 10 10 00 00 8D 85 B4 00 00 00 50 8D 85 B4 01 00 00 50 6A 00 FF 95 18 61 00 00 5D 6A FF FF 95 10 61 00 00 44 65 62 75 67 67 65 72 20 6F 72 20 74 6F 6F 6C 20 66 6F 72 20 6D 6F 6E 69 74 6F 72 69 6E 67 20 64 65 74 65 63 74 65 64 21 21 21 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -ep_only = true - -[SVK Protector v1.3x (Eng) -> Pavol Cerven] -signature = 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 EB 05 B8 ?? ?? 42 00 64 A0 23 00 00 00 EB 03 C7 84 E8 84 C0 EB 03 C7 84 E9 75 67 B9 49 00 00 00 8D B5 C5 02 00 00 56 80 06 44 46 E2 FA 8B 8D C1 02 00 00 5E 55 51 6A 00 56 FF 95 0C 61 00 00 59 5D 40 85 C0 75 3C 80 3E 00 74 03 46 EB F8 46 E2 E3 8B C5 8B 4C 24 20 2B 85 BD 02 00 00 89 85 B9 02 00 00 80 BD B4 02 00 00 01 75 06 8B 8D 0C 61 00 00 89 8D B5 02 00 00 8D 85 0E 03 00 00 8B DD FF E0 55 68 10 10 00 00 8D 85 B4 00 00 00 50 8D 85 B4 01 00 00 50 6A 00 FF 95 18 61 00 00 5D 6A FF FF 95 10 61 00 00 44 65 62 75 67 67 65 72 20 6F 72 20 74 6F 6F 6C 20 66 6F 72 20 6D 6F 6E 69 74 6F 72 69 6E 67 20 64 65 74 65 63 74 65 64 21 21 21 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -ep_only = true - -[Video-Lan-Client -> (UnknownCompiler)] -signature = 55 89 E5 83 EC 08 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? FF FF ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? 00 -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0)] -signature = 03 DE EB 01 F8 B8 80 ?? 42 00 EB 02 CD 20 68 17 A0 B3 AB EB 01 E8 59 0F B6 DB 68 0B A1 B3 AB EB 02 CD 20 5E 80 CB AA 2B F1 EB 02 CD 20 43 0F BE 38 13 D6 80 C3 47 2B FE EB 01 F4 03 FE EB 02 4F 4E 81 EF 93 53 7C 3C 80 C3 29 81 F7 8A 8F 67 8B 80 C3 C7 2B FE EB 02 CD 20 57 EB 02 CD 20 5A 88 10 EB 02 CD 20 40 E8 02 00 00 00 C5 62 5A 4E E8 01 00 00 00 43 5A 2B DB 3B F3 75 B1 C1 F3 0D 92 B8 DC 0C 4E 0D B7 F7 0A 39 F4 B5 ?? ?? 36 FF 45 D9 FA FB FE FD FE CD 6B FE 82 0D 28 F3 B6 A6 A0 71 1F BA 92 9C EE DA FE 0D 47 DB 09 AE DF E3 F6 50 E4 12 9E C8 EC FB 4D EA 77 C9 03 75 E0 D2 D6 E5 E2 8B 41 B6 41 FA 70 B0 A0 AB F9 B5 C0 BF ED 78 25 CB 96 E5 A8 A7 AA A0 DC 5F 73 9D 14 F0 B5 6A 87 B7 3B E5 6D 77 B2 45 8C B9 96 95 A0 DC A2 1E 9C 9B 11 93 08 83 9B F8 9E 0A 8E 10 F7 85 -ep_only = true - -[FSG v1.20 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0)] -signature = C1 E0 06 EB 02 CD 20 EB 01 27 EB 01 24 BE 80 ?? 42 00 49 EB 01 99 8D 1D F4 00 00 00 EB 01 5C F7 D8 1B CA EB 01 31 8A 16 80 E9 41 EB 01 C2 C1 E0 0A EB 01 A1 81 EA A8 8C 18 A1 34 46 E8 01 00 00 00 62 59 32 D3 C1 C9 02 EB 01 68 80 F2 1A 0F BE C9 F7 D1 2A D3 EB 02 42 C0 EB 01 08 88 16 80 F1 98 80 C9 28 46 91 EB 02 C0 55 4B EB 01 55 34 44 0B DB 75 AD E8 01 00 00 00 9D 59 0B C6 EB 01 6C E9 D2 C3 82 C2 03 C2 B2 82 C2 00 ?? ?? 7C C2 6F DA BC C2 C2 C2 CC 1C 3D CF 4C D8 84 D0 0C FD F0 42 77 0D 66 F1 AC C1 DE CE 97 BA D7 EB C3 AE DE 91 AA D5 02 0D 1E EE 3F 23 77 C4 01 72 12 C1 0E 1E 14 82 37 AB 39 01 88 C9 DE CA 07 C2 C2 C2 17 79 49 B2 DA 0A C2 C2 C2 A9 EA 6E 91 AA 2E 03 CF 7B 9F CE 51 FA 6D A2 AA 56 8A E4 C2 C2 C2 07 C2 47 C2 C2 17 B8 42 C6 8D 31 88 45 BA 3D 2B BC -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (MASM32 / TASM32)] -signature = 03 F7 23 FE 33 FB EB 02 CD 20 BB 80 ?? 40 00 EB 01 86 EB 01 90 B8 F4 00 00 00 83 EE 05 2B F2 81 F6 EE 00 00 00 EB 02 CD 20 8A 0B E8 02 00 00 00 A9 54 5E C1 EE 07 F7 D7 EB 01 DE 81 E9 B7 96 A0 C4 EB 01 6B EB 02 CD 20 80 E9 4B C1 CF 08 EB 01 71 80 E9 1C EB 02 F0 49 C1 F6 09 88 0B F7 DE 0F B6 F2 43 EB 02 CD 20 C1 E7 0A 48 EB 01 89 C1 E7 14 2B FF 3B C7 75 A8 E8 01 00 00 00 81 5F F7 D7 D9 EE 1F 5E 1E DD 1E 2E 5E 1E DC ?? ?? 5E 1E 71 06 28 1E 1E 1E 20 F0 93 23 A8 34 64 30 F0 E1 D0 9E 51 F9 C2 D1 20 1D 32 42 91 16 51 E7 1D 32 42 91 36 51 DE 1D 32 42 91 3F D1 20 5F CE 2E 1D 32 42 30 DE 91 17 93 5D C8 09 FA 06 61 1E 1E 1E 49 E9 93 2E 06 56 1E 1E 1E 09 46 CA EF 06 92 5F 31 E7 09 3A AF 66 DF FE 26 CA 06 40 1E 1E 1E 5B 1E 9B 1E 1E 91 28 9E 1A 23 91 24 A1 16 9D 95 20 -ep_only = true - -[FSG v1.20 (Eng) -> dulek/xt -> (MASM32 / TASM32)] -signature = 33 C2 2C FB 8D 3D 7E 45 B4 80 E8 02 00 00 00 8A 45 58 68 02 ?? 8C 7F EB 02 CD 20 5E 80 C9 16 03 F7 EB 02 40 B0 68 F4 00 00 00 80 F1 2C 5B C1 E9 05 0F B6 C9 8A 16 0F B6 C9 0F BF C7 2A D3 E8 02 00 00 00 99 4C 58 80 EA 53 C1 C9 16 2A D3 E8 02 00 00 00 9D CE 58 80 EA 33 C1 E1 12 32 D3 48 80 C2 26 EB 02 CD 20 88 16 F7 D8 46 EB 01 C0 4B 40 8D 0D 00 00 00 00 3B D9 75 B7 EB 01 14 EB 01 0A CF C5 93 53 90 DA 96 67 54 8D CC ?? ?? 51 8E 18 74 53 82 83 80 47 B4 D2 41 FB 64 31 6A AF 7D 89 BC 0A 91 D7 83 37 39 43 50 A2 32 DC 81 32 3A 4B 97 3D D9 63 1F 55 42 F0 45 32 60 9A 28 51 61 4B 38 4B 12 E4 49 C4 99 09 47 F9 42 8C 48 51 4E 70 CF B8 12 2B 78 09 06 07 17 55 D6 EA 10 8D 3F 28 E5 02 0E A2 58 B8 D6 0F A8 E5 10 EB E8 F1 23 EF 61 E5 E2 54 EA A9 2A 22 AF 17 A1 23 97 9A 1C -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0 / 7.0)] -signature = 0B D0 8B DA E8 02 00 00 00 40 A0 5A EB 01 9D B8 80 ?? ?? 00 EB 02 CD 20 03 D3 8D 35 F4 00 00 00 EB 01 35 EB 01 88 80 CA 7C 80 F3 74 8B 38 EB 02 AC BA 03 DB E8 01 00 00 00 A5 5B C1 C2 0B 81 C7 DA 10 0A 4E EB 01 08 2B D1 83 EF 14 EB 02 CD 20 33 D3 83 EF 27 EB 02 82 53 EB 02 CD 20 87 FA 88 10 80 F3 CA EB 02 CD 20 40 03 D7 0B D0 4E 1B D2 EB 02 CD 20 2B D2 3B F2 75 AC F7 DA 80 C3 AF 91 1C 31 62 A1 61 20 61 71 A1 61 1F ?? ?? ?? 61 B4 49 6B 61 61 61 63 33 D6 66 EB 77 A7 73 33 24 13 E1 94 3C 05 14 63 60 75 85 D4 59 94 2A 60 75 85 D4 79 94 21 60 75 85 D4 82 14 63 A2 11 71 60 75 85 73 21 D4 5A D6 A0 0B 4C 3D 49 A4 61 61 61 8C 2C D6 71 49 99 61 61 61 4C 89 0D 32 49 D5 A2 74 2A 4C 7D F2 A9 22 41 69 0D 49 83 61 61 61 9E 61 DE 61 61 D4 6B E1 5D 66 D4 67 E4 59 E0 D8 63 -ep_only = true - -[FSG v1.20 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0 / 7.0)] -signature = EB 02 CD 20 EB 01 91 8D 35 80 ?? ?? 00 33 C2 68 83 93 7E 7D 0C A4 5B 23 C3 68 77 93 7E 7D EB 01 FA 5F E8 02 00 00 00 F7 FB 58 33 DF EB 01 3F E8 02 00 00 00 11 88 58 0F B6 16 EB 02 CD 20 EB 02 86 2F 2A D3 EB 02 CD 20 80 EA 2F EB 01 52 32 D3 80 E9 CD 80 EA 73 8B CF 81 C2 96 44 EB 04 EB 02 CD 20 88 16 E8 02 00 00 00 44 A2 59 46 E8 01 00 00 00 AD 59 4B 80 C1 13 83 FB 00 75 B2 F7 D9 96 8F 80 4D 0C 4C 91 50 1C 0C 50 8A ?? ?? ?? 50 E9 34 16 50 4C 4C 0E 7E 9B 49 C6 32 02 3E 7E 7B 5E 8C C5 6B 50 3F 0E 0F 38 C8 95 18 D1 65 11 2C B8 87 28 C3 4C 0B 3C AC D9 2D 15 4E 8F 1C 40 4F 28 98 3E 10 C1 45 DB 8F 06 3F EC 48 61 4C 50 50 81 DF C3 20 34 84 10 10 0C 1F 68 DC FF 24 8C 4D 29 F5 1D 2C BF 74 CF F0 24 C0 08 2E 0C 0C 10 51 0C 91 10 10 81 16 D0 54 4B D7 42 C3 54 CB C9 4E -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0 / 7.0)] -signature = F7 DB 80 EA BF B9 2F 40 67 BA EB 01 01 68 AF ?? A7 BA 80 EA 9D 58 C1 C2 09 2B C1 8B D7 68 -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0 / 7.0)] -signature = F7 D8 40 49 EB 02 E0 0A 8D 35 80 ?? ?? ?? 0F B6 C2 EB 01 9C 8D 1D F4 00 00 00 EB 01 3C 80 -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0 / 7.0)] -signature = 87 FE E8 02 00 00 00 98 CC 5F BB 80 ?? ?? 00 EB 02 CD 20 68 F4 00 00 00 E8 01 00 00 00 E3 -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (Borland Delphi / Microsoft Visual C++)] -signature = 1B DB E8 02 00 00 00 1A 0D 5B 68 80 ?? ?? 00 E8 01 00 00 00 EA 5A 58 EB 02 CD 20 68 F4 00 00 00 EB 02 CD 20 5E 0F B6 D0 80 CA 5C 8B 38 EB 01 35 EB 02 DC 97 81 EF F7 65 17 43 E8 02 00 00 00 97 CB 5B 81 C7 B2 8B A1 0C 8B D1 83 EF 17 EB 02 0C 65 83 EF 43 13 D6 83 C7 32 F7 DA 03 FE EB 02 CD 20 87 FA 88 10 EB 02 CD 20 40 E8 02 00 00 00 F1 F8 5B 4E 2B D2 85 F6 75 AF EB 02 DE 09 EB 01 EF 34 4A 7C BC 7D 3D 7F 90 C1 82 41 ?? ?? ?? 87 DB 71 94 8B 8C 8D 90 61 05 96 1C A9 DA A7 68 5A 4A 19 CD 76 40 50 A0 9E B4 C5 15 9B D7 6E A5 BB CC 1C C2 DE 6C AC C2 D3 23 D2 65 B5 F5 65 C6 B6 CC DD CC 7B 2F B6 33 FE 6A AC 9E AB 07 C5 C6 C7 F3 94 3F DB B4 05 CE CF D0 BC FA 7F A5 BD 4A 18 EB A2 C5 F7 6D 25 9F BF E8 8D CA 05 E4 E5 E6 24 E8 66 EA EB 5F F7 6E EB F5 64 F8 76 EC 74 6D F9 -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (Borland Delphi / Microsoft Visual C++)] -signature = C1 C8 10 EB 01 0F BF 03 74 66 77 C1 E9 1D 68 83 ?? ?? 77 EB 02 CD 20 5E EB 02 CD 20 2B F7 -ep_only = true - -[FSG v1.20 (Eng) -> dulek/xt -> (Borland Delphi / Microsoft Visual C++)] -signature = 0F B6 D0 E8 01 00 00 00 0C 5A B8 80 ?? ?? 00 EB 02 00 DE 8D 35 F4 00 00 00 F7 D2 EB 02 0E EA 8B 38 EB 01 A0 C1 F3 11 81 EF 84 88 F4 4C EB 02 CD 20 83 F7 22 87 D3 33 FE C1 C3 19 83 F7 26 E8 02 00 00 00 BC DE 5A 81 EF F7 EF 6F 18 EB 02 CD 20 83 EF 7F EB 01 F7 2B FE EB 01 7F 81 EF DF 30 90 1E EB 02 CD 20 87 FA 88 10 80 EA 03 40 EB 01 20 4E EB 01 3D 83 FE 00 75 A2 EB 02 CD 20 EB 01 C3 78 73 42 F7 35 6C 2D 3F ED 33 97 ?? ?? ?? 5D F0 45 29 55 57 55 71 63 02 72 E9 1F 2D 67 B1 C0 91 FD 10 58 A3 90 71 6C 83 11 E0 5D 20 AE 5C 71 83 D0 7B 10 97 54 17 11 C0 0E 00 33 76 85 33 3C 33 21 31 F5 50 CE 56 6C 89 C8 F7 CD 70 D5 E3 DD 08 E8 4E 25 FF 0D F3 ED EF C8 0B 89 A6 CD 77 42 F0 A6 C8 19 66 3D B2 CD E7 89 CB 13 D7 D5 E3 1E DF 5A E3 D5 50 DF B3 39 32 C0 2D B0 3F B4 B4 43 -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (Borland C++)] -signature = 23 CA EB 02 5A 0D E8 02 00 00 00 6A 35 58 C1 C9 10 BE 80 ?? ?? 00 0F B6 C9 EB 02 CD 20 BB F4 00 00 00 EB 02 04 FA EB 01 FA EB 01 5F EB 02 CD 20 8A 16 EB 02 11 31 80 E9 31 EB 02 30 11 C1 E9 11 80 EA 04 EB 02 F0 EA 33 CB 81 EA AB AB 19 08 04 D5 03 C2 80 EA 33 0F B6 C9 0F BE 0E 88 16 EB 01 5F EB 01 6B 46 EB 01 6D 0F BE C0 4B EB 02 CD 20 0F BE C9 2B C9 3B D9 75 B0 EB 01 99 C1 C1 05 91 9D B2 E3 22 E2 A1 E2 F2 22 E2 A0 ?? ?? ?? E2 35 CA EC E2 E2 E2 E4 B4 57 E7 6C F8 28 F4 B4 A5 94 62 15 BD 86 95 E4 E1 F6 06 55 DA 15 AB E1 F6 06 55 FA 15 A2 E1 F6 06 55 03 95 E4 23 92 F2 E1 F6 06 F4 A2 55 DB 57 21 8C CD BE CA 25 E2 E2 E2 0D AD 57 F2 CA 1A E2 E2 E2 CD 0A 8E B3 CA 56 23 F5 AB CD FE 73 2A A3 C2 EA 8E CA 04 E2 E2 E2 1F E2 5F E2 E2 55 EC 62 DE E7 55 E8 65 DA 61 59 E4 -ep_only = true - -[FSG v1.20 (Eng) -> dulek/xt -> (Borland C++)] -signature = C1 F0 07 EB 02 CD 20 BE 80 ?? ?? 00 1B C6 8D 1D F4 00 00 00 0F B6 06 EB 02 CD 20 8A 16 0F B6 C3 E8 01 00 00 00 DC 59 80 EA 37 EB 02 CD 20 2A D3 EB 02 CD 20 80 EA 73 1B CF 32 D3 C1 C8 0E 80 EA 23 0F B6 C9 02 D3 EB 01 B5 02 D3 EB 02 DB 5B 81 C2 F6 56 7B F6 EB 02 56 7B 2A D3 E8 01 00 00 00 ED 58 88 16 13 C3 46 EB 02 CD 20 4B EB 02 CD 20 2B C9 3B D9 75 A1 E8 02 00 00 00 D7 6B 58 EB 00 9E 96 6A 28 67 AB 69 54 03 3E 7F ?? ?? ?? 31 0D 63 44 35 38 37 18 87 9F 10 8C 37 C6 41 80 4C 5E 8B DB 60 4C 3A 28 08 30 BF 93 05 D1 58 13 2D B8 86 AE C8 58 16 A6 95 C5 94 03 33 6F FF 92 20 98 87 9C E5 B9 20 B5 68 DE 16 4A 15 C1 7F 72 71 65 3E A9 85 20 AF 5A 59 54 26 66 E9 3F 27 DE 8E 7D 34 53 61 F7 AF 09 29 5C F7 36 83 60 5F 52 92 5C D0 56 55 C9 61 7A FD EF 7E E8 70 F8 6E 7B EF -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (Borland Delphi / Borland C++)] -signature = 2B C2 E8 02 00 00 00 95 4A 59 8D 3D 52 F1 2A E8 C1 C8 1C BE 2E ?? ?? 18 EB 02 AB A0 03 F7 EB 02 CD 20 68 F4 00 00 00 0B C7 5B 03 CB 8A 06 8A 16 E8 02 00 00 00 8D 46 59 EB 01 A4 02 D3 EB 02 CD 20 02 D3 E8 02 00 00 00 57 AB 58 81 C2 AA 87 AC B9 0F BE C9 80 EA 0F E8 01 00 00 00 64 59 02 D3 EB 02 D6 5C 88 16 EB 02 CD 20 46 E8 02 00 00 00 6B B5 59 4B 0F B7 C6 0B DB 75 B1 EB 02 50 AA 91 44 5C 90 D2 95 57 9B AE E1 A4 65 ?? ?? ?? B3 09 A1 C6 BF C2 C5 CA 9D 43 D6 5E ED 20 EF B2 A6 98 69 1F CA 96 A8 FA FA 12 25 77 FF 3D D6 0F 27 3A 8C 34 52 E2 24 3C 4F A1 52 E7 39 7B ED 50 42 5A 6D 5E 0F C5 4E CD 9A 08 4C 40 4F AD 6D 70 73 A1 44 F1 8F 6A BD 88 8B 8E 7C BC 43 6B 85 14 E4 B9 72 97 CB 43 FD 79 9B C6 6D AC E9 CA CD D0 10 D6 56 DC DF 55 EF 68 E7 F3 64 FA 7A F2 7C 77 05 -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (Borland Delphi / Borland C++)] -signature = EB 01 2E EB 02 A5 55 BB 80 ?? ?? 00 87 FE 8D 05 AA CE E0 63 EB 01 75 BA 5E CE E0 63 EB 02 -ep_only = true - -[FSG v1.20 (Eng) -> dulek/xt -> (Borland Delphi / Borland C++)] -signature = 0F BE C1 EB 01 0E 8D 35 C3 BE B6 22 F7 D1 68 43 ?? ?? 22 EB 02 B5 15 5F C1 F1 15 33 F7 80 E9 F9 BB F4 00 00 00 EB 02 8F D0 EB 02 08 AD 8A 16 2B C7 1B C7 80 C2 7A 41 80 EA 10 EB 01 3C 81 EA CF AE F1 AA EB 01 EC 81 EA BB C6 AB EE 2C E3 32 D3 0B CB 81 EA AB EE 90 14 2C 77 2A D3 EB 01 87 2A D3 E8 01 00 00 00 92 59 88 16 EB 02 52 08 46 EB 02 CD 20 4B 80 F1 C2 85 DB 75 AE C1 E0 04 EB 00 DA B2 82 5C 9B C7 89 98 4F 8A F7 ?? ?? ?? B1 4D DF B8 AD AC AB D4 07 27 D4 50 CF 9A D5 1C EC F2 27 77 18 40 4E A4 A8 B4 CB 9F 1D D9 EC 1F AD BC 82 AA C0 4C 0A A2 15 45 18 8F BB 07 93 BE C0 BC A3 B0 9D 51 D4 F1 08 22 62 96 6D 09 73 7E 71 A5 3A E5 7D 94 A3 96 99 98 72 B2 31 57 7B FA AE 9D 28 4F 99 EF A3 25 49 60 03 42 8B 54 53 5E 92 50 D4 52 4D C1 55 76 FD F7 8A FC 78 0C 82 87 0F -ep_only = true - -[DEF v1.00 (Eng) -> bart/xt] -signature = BE ?? 01 40 00 6A ?? 59 80 7E 07 00 74 11 8B 46 0C 05 00 00 40 00 8B 56 10 30 10 40 4A 75 FA 83 C6 28 E2 E4 68 ?? ?? 40 00 C3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -ep_only = true - -[EXE Shield v0.1b - v0.3b, v0.3 -> SMoKE] -signature = E8 04 00 00 00 83 60 EB 0C 5D EB 05 -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (Borland Delphi / Microsoft Visual C++ / ASM)] -signature = EB 02 CD 20 EB 02 CD 20 EB 02 CD 20 C1 E6 18 BB 80 ?? ?? 00 EB 02 82 B8 EB 01 10 8D 05 F4 -ep_only = true - -[FSG v1.10 (Eng) -> bart/xt -> WinRAR-SFX] -signature = EB 01 02 EB 02 CD 20 B8 80 ?? 42 00 EB 01 55 BE F4 00 00 00 13 DF 13 D8 0F B6 38 D1 F3 F7 -ep_only = true - -[FSG v1.10 (Eng) -> bart/xt -> WinRAR-SFX] -signature = 80 E9 A1 C1 C1 13 68 E4 16 75 46 C1 C1 05 5E EB 01 9D 68 64 86 37 46 EB 02 8C E0 5F F7 D0 -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0 / 7.0 / ASM)] -signature = E8 01 00 00 00 5A 5E E8 02 00 00 00 BA DD 5E 03 F2 EB 01 64 BB 80 ?? ?? 00 8B FA EB 01 A8 -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0 / ASM)] -signature = F7 D0 EB 02 CD 20 BE BB 74 1C FB EB 02 CD 20 BF 3B ?? ?? FB C1 C1 03 33 F7 EB 02 CD 20 68 -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual Basic / MASM32)] -signature = EB 02 09 94 0F B7 FF 68 80 ?? ?? 00 81 F6 8E 00 00 00 5B EB 02 11 C2 8D 05 F4 00 00 00 47 -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual Basic 5.0 / 6.0)] -signature = C1 CB 10 EB 01 0F B9 03 74 F6 EE 0F B6 D3 8D 05 83 ?? ?? EF 80 F3 F6 2B C1 EB 01 DE 68 77 -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0 / 7.0)] -signature = EB 02 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0)] -signature = E8 01 00 00 00 0E 59 E8 01 00 00 00 58 58 BE 80 ?? ?? 00 EB 02 61 E9 68 F4 00 00 00 C1 C8 -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0)] -signature = F7 DB 80 EA BF B9 2F 40 67 BA EB 01 01 68 AF ?? ?? BA 80 EA 9D 58 C1 C2 09 2B C1 8B D7 68 -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0)] -signature = D1 E9 03 C0 68 80 ?? ?? 00 EB 02 CD 20 5E 40 BB F4 00 00 00 33 CA 2B C7 0F B6 16 EB 01 3E -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0)] -signature = EB 02 AB 35 EB 02 B5 C6 8D 05 80 ?? ?? 00 C1 C2 11 BE F4 00 00 00 F7 DB F7 DB 0F BE 38 E8 -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0)] -signature = 03 DE EB 01 F8 B8 80 ?? 42 00 EB 02 CD 20 68 17 A0 B3 AB EB 01 E8 59 0F B6 DB 68 0B A1 B3 -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (MASM32 / TASM32)] -signature = 03 F7 23 FE 33 FB EB 02 CD 20 BB 80 ?? 40 00 EB 01 86 EB 01 90 B8 F4 00 00 00 83 EE 05 2B -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (MASM32 / TASM32 / Microsoft Visual Basic)] -signature = F7 D8 0F BE C2 BE 80 ?? ?? 00 0F BE C9 BF 08 3B 65 07 EB 02 D8 29 BB EC C5 9A F8 EB 01 94 -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0 / 7.0)] -signature = F7 DB 80 EA BF B9 2F 40 67 BA EB 01 01 68 AF ?? A7 BA 80 EA 9D 58 C1 C2 09 2B C1 8B D7 68 -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 4.x / LCC Win32 1.x)] -signature = 2C 71 1B CA EB 01 2A EB 01 65 8D 35 80 ?? ?? 00 80 C9 84 80 C9 68 BB F4 00 00 00 EB 01 EB -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (Borland Delphi / Borland C++)] -signature = EB 01 2E EB 02 A5 55 BB 80 ?? ?? 00 87 FE 8D 05 AA CE E0 63 EB 01 75 BA 5E CE E0 63 EB 02 -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (Borland C++)] -signature = 23 CA EB 02 5A 0D E8 02 00 00 00 6A 35 58 C1 C9 10 BE 80 ?? ?? 00 0F B6 C9 EB 02 CD 20 BB -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0 / 7.0)] -signature = 87 FE E8 02 00 00 00 98 CC 5F BB 80 ?? ?? 00 EB 02 CD 20 68 F4 00 00 00 E8 01 00 00 00 E3 -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0 / 7.0)] -signature = F7 D8 40 49 EB 02 E0 0A 8D 35 80 ?? ?? ?? 0F B6 C2 EB 01 9C 8D 1D F4 00 00 00 EB 01 3C 80 -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0 / 7.0)] -signature = 0B D0 8B DA E8 02 00 00 00 40 A0 5A EB 01 9D B8 80 ?? ?? ?? EB 02 CD 20 03 D3 8D 35 F4 00 -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0 / 7.0)] -signature = 87 FE ?? 02 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0)] -signature = 91 EB 02 CD 20 BF 50 BC 04 6F 91 BE D0 ?? ?? 6F EB 02 CD 20 2B F7 EB 02 F0 46 8D 1D F4 00 -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 5.0 / 6.0)] -signature = 33 D2 0F BE D2 EB 01 C7 EB 01 D8 8D 05 80 ?? ?? ?? EB 02 CD 20 EB 01 F8 BE F4 00 00 00 EB -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (MASM32)] -signature = EB 01 DB E8 02 00 00 00 86 43 5E 8D 1D D0 75 CF 83 C1 EE 1D 68 50 ?? 8F 83 EB 02 3D 0F 5A -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (Borland Delphi / Microsoft Visual C++)x] -signature = 1B DB E8 02 00 00 00 1A 0D 5B 68 80 ?? ?? 00 E8 01 00 00 00 EA 5A 58 EB 02 CD 20 68 F4 00 -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (Borland Delphi / Borland C++)] -signature = 2B C2 E8 02 00 00 00 95 4A 59 8D 3D 52 F1 2A E8 C1 C8 1C BE 2E ?? ?? 18 EB 02 AB A0 03 F7 -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (Borland Delphi / Microsoft Visual C++)] -signature = C1 C8 10 EB 01 0F BF 03 74 66 77 C1 E9 1D 68 83 ?? ?? 77 EB 02 CD 20 5E EB 02 CD 20 2B F7 -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0)] -signature = C1 CE 10 C1 F6 0F 68 00 ?? ?? 00 2B FA 5B 23 F9 8D 15 80 ?? ?? 00 E8 01 00 00 00 B6 5E 0B -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0)] -signature = EB 01 ?? EB ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 80 -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0)] -signature = EB 01 4D 83 F6 4C 68 80 ?? ?? 00 EB 02 CD 20 5B EB 01 23 68 48 1C 2B 3A E8 02 00 00 00 38 -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (Borland Delphi 2.0)] -signature = EB 01 56 E8 02 00 00 00 B2 D9 59 68 80 ?? 41 00 E8 02 00 00 00 65 32 59 5E EB 02 CD 20 BB -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (Borland C++ 1999)] -signature = EB 02 CD 20 2B C8 68 80 ?? ?? 00 EB 02 1E BB 5E EB 02 CD 20 68 B1 2B 6E 37 40 5B 0F B6 C9 -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0)] -signature = EB 02 CD 20 ?? CF ?? ?? 80 ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 -ep_only = true - -[FSG v1.10 (Eng) -> bart/xt -> (Watcom C/C++ EXE)] -signature = EB 02 CD 20 03 ?? 8D ?? 80 ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? EB 02 -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (MS Visual C++ / Borland C++ / Watcom C++)] -signature = EB 02 CD 20 -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (Borland Delphi 4.0 - 5.0)] -signature = ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? EB 02 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 46 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 75 -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 7.0)] -signature = EB 01 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? EB -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C# / Basic .NET)] -signature = ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? EB ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? EB ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 77 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? B3 -ep_only = true - -[FSG 1.31 -> dulek/xt] -signature = BE ?? ?? ?? 00 BF ?? ?? ?? 00 BB ?? ?? ?? 00 53 BB ?? ?? ?? 00 B2 80 -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt] -signature = BB D0 01 40 ?? BF ?? 10 40 ?? BE -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt] -signature = EB 02 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? F6 -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt] -signature = EB 01 ?? EB 02 ?? ?? ?? 80 ?? ?? 00 -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt] -signature = E8 01 00 00 00 ?? ?? E8 ?? 00 00 00 -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt] -signature = EB 02 ?? ?? EB 02 -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt] -signature = ?? ?? EB ?? ?? ?? ?? ?? ?? 00 -ep_only = true - -[FSG v1.10 (Eng) -> bart/xt] -signature = BB D0 01 40 ?? BF ?? 10 40 ?? BE -ep_only = true - -[Microsoft Visual C# / Basic .NET] -signature = FF 25 00 20 ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -ep_only = true - -[MASM32] -signature = 6A ?? 68 00 30 40 00 68 ?? 30 40 00 6A 00 E8 07 00 00 00 6A 00 E8 06 00 00 00 FF 25 08 20 -ep_only = true - -[Video-Lan-Client] -signature = 55 89 E5 83 EC 08 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? FF FF -ep_only = true - -[Exact Audio Copy] -signature = E8 ?? ?? ?? 00 31 ED 55 89 E5 81 EC ?? 00 00 00 8D BD ?? FF FF FF B9 ?? 00 00 00 -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0)] -signature = 03 DE EB 01 F8 B8 80 ?? 42 00 EB 02 CD 20 68 17 A0 B3 AB EB 01 E8 59 0F B6 DB 68 0B A1 B3 AB EB 02 CD 20 5E 80 CB AA 2B F1 EB 02 CD 20 43 0F BE 38 13 D6 80 C3 47 2B FE EB 01 F4 03 FE EB 02 4F 4E 81 EF 93 53 7C 3C 80 C3 29 81 F7 8A 8F 67 8B 80 C3 C7 2B FE EB 02 CD 20 57 EB 02 CD 20 5A 88 10 EB 02 CD 20 40 E8 02 00 00 00 C5 62 5A 4E E8 01 00 00 00 43 5A 2B DB 3B F3 75 B1 C1 F3 0D 92 B8 DC 0C 4E 0D B7 F7 0A 39 F4 B5 ?? ?? 36 FF 45 D9 FA FB FE FD FE CD 6B FE 82 0D 28 F3 B6 A6 A0 71 1F BA 92 9C EE DA FE 0D 47 DB 09 AE DF E3 F6 50 E4 12 9E C8 EC FB 4D EA 77 C9 03 75 E0 D2 D6 E5 E2 8B 41 B6 41 FA 70 B0 A0 AB F9 B5 C0 BF ED 78 25 CB 96 E5 A8 A7 AA A0 DC 5F 73 9D 14 F0 B5 6A 87 B7 3B E5 6D 77 B2 45 8C B9 96 95 A0 DC A2 1E 9C 9B 11 93 08 83 9B F8 9E 0A 8E 10 F7 85 -ep_only = true - -[FSG v1.20 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0)] -signature = C1 E0 06 EB 02 CD 20 EB 01 27 EB 01 24 BE 80 ?? 42 00 49 EB 01 99 8D 1D F4 00 00 00 EB 01 5C F7 D8 1B CA EB 01 31 8A 16 80 E9 41 EB 01 C2 C1 E0 0A EB 01 A1 81 EA A8 8C 18 A1 34 46 E8 01 00 00 00 62 59 32 D3 C1 C9 02 EB 01 68 80 F2 1A 0F BE C9 F7 D1 2A D3 EB 02 42 C0 EB 01 08 88 16 80 F1 98 80 C9 28 46 91 EB 02 C0 55 4B EB 01 55 34 44 0B DB 75 AD E8 01 00 00 00 9D 59 0B C6 EB 01 6C E9 D2 C3 82 C2 03 C2 B2 82 C2 00 ?? ?? 7C C2 6F DA BC C2 C2 C2 CC 1C 3D CF 4C D8 84 D0 0C FD F0 42 77 0D 66 F1 AC C1 DE CE 97 BA D7 EB C3 AE DE 91 AA D5 02 0D 1E EE 3F 23 77 C4 01 72 12 C1 0E 1E 14 82 37 AB 39 01 88 C9 DE CA 07 C2 C2 C2 17 79 49 B2 DA 0A C2 C2 C2 A9 EA 6E 91 AA 2E 03 CF 7B 9F CE 51 FA 6D A2 AA 56 8A E4 C2 C2 C2 07 C2 47 C2 C2 17 B8 42 C6 8D 31 88 45 BA 3D 2B BC -ep_only = true - -[FSG v1.20 (Eng) -> dulek/xt -> (MASM32 / TASM32)] -signature = 33 C2 2C FB 8D 3D 7E 45 B4 80 E8 02 00 00 00 8A 45 58 68 02 ?? 8C 7F EB 02 CD 20 5E 80 C9 16 03 F7 EB 02 40 B0 68 F4 00 00 00 80 F1 2C 5B C1 E9 05 0F B6 C9 8A 16 0F B6 C9 0F BF C7 2A D3 E8 02 00 00 00 99 4C 58 80 EA 53 C1 C9 16 2A D3 E8 02 00 00 00 9D CE 58 80 EA 33 C1 E1 12 32 D3 48 80 C2 26 EB 02 CD 20 88 16 F7 D8 46 EB 01 C0 4B 40 8D 0D 00 00 00 00 3B D9 75 B7 EB 01 14 EB 01 0A CF C5 93 53 90 DA 96 67 54 8D CC ?? ?? 51 8E 18 74 53 82 83 80 47 B4 D2 41 FB 64 31 6A AF 7D 89 BC 0A 91 D7 83 37 39 43 50 A2 32 DC 81 32 3A 4B 97 3D D9 63 1F 55 42 F0 45 32 60 9A 28 51 61 4B 38 4B 12 E4 49 C4 99 09 47 F9 42 8C 48 51 4E 70 CF B8 12 2B 78 09 06 07 17 55 D6 EA 10 8D 3F 28 E5 02 0E A2 58 B8 D6 0F A8 E5 10 EB E8 F1 23 EF 61 E5 E2 54 EA A9 2A 22 AF 17 A1 23 97 9A 1C -ep_only = true - -[FSG v1.20 (Eng) -> dulek/xt -> (Borland Delphi / Microsoft Visual C++)] -signature = 0F B6 D0 E8 01 00 00 00 0C 5A B8 80 ?? ?? 00 EB 02 00 DE 8D 35 F4 00 00 00 F7 D2 EB 02 0E EA 8B 38 EB 01 A0 C1 F3 11 81 EF 84 88 F4 4C EB 02 CD 20 83 F7 22 87 D3 33 FE C1 C3 19 83 F7 26 E8 02 00 00 00 BC DE 5A 81 EF F7 EF 6F 18 EB 02 CD 20 83 EF 7F EB 01 F7 2B FE EB 01 7F 81 EF DF 30 90 1E EB 02 CD 20 87 FA 88 10 80 EA 03 40 EB 01 20 4E EB 01 3D 83 FE 00 75 A2 EB 02 CD 20 EB 01 C3 78 73 42 F7 35 6C 2D 3F ED 33 97 ?? ?? ?? 5D F0 45 29 55 57 55 71 63 02 72 E9 1F 2D 67 B1 C0 91 FD 10 58 A3 90 71 6C 83 11 E0 5D 20 AE 5C 71 83 D0 7B 10 97 54 17 11 C0 0E 00 33 76 85 33 3C 33 21 31 F5 50 CE 56 6C 89 C8 F7 CD 70 D5 E3 DD 08 E8 4E 25 FF 0D F3 ED EF C8 0B 89 A6 CD 77 42 F0 A6 C8 19 66 3D B2 CD E7 89 CB 13 D7 D5 E3 1E DF 5A E3 D5 50 DF B3 39 32 C0 2D B0 3F B4 B4 43 -ep_only = true - -[FSG v1.20 (Eng) -> dulek/xt -> (Borland C++)] -signature = C1 F0 07 EB 02 CD 20 BE 80 ?? ?? 00 1B C6 8D 1D F4 00 00 00 0F B6 06 EB 02 CD 20 8A 16 0F B6 C3 E8 01 00 00 00 DC 59 80 EA 37 EB 02 CD 20 2A D3 EB 02 CD 20 80 EA 73 1B CF 32 D3 C1 C8 0E 80 EA 23 0F B6 C9 02 D3 EB 01 B5 02 D3 EB 02 DB 5B 81 C2 F6 56 7B F6 EB 02 56 7B 2A D3 E8 01 00 00 00 ED 58 88 16 13 C3 46 EB 02 CD 20 4B EB 02 CD 20 2B C9 3B D9 75 A1 E8 02 00 00 00 D7 6B 58 EB 00 9E 96 6A 28 67 AB 69 54 03 3E 7F ?? ?? ?? 31 0D 63 44 35 38 37 18 87 9F 10 8C 37 C6 41 80 4C 5E 8B DB 60 4C 3A 28 08 30 BF 93 05 D1 58 13 2D B8 86 AE C8 58 16 A6 95 C5 94 03 33 6F FF 92 20 98 87 9C E5 B9 20 B5 68 DE 16 4A 15 C1 7F 72 71 65 3E A9 85 20 AF 5A 59 54 26 66 E9 3F 27 DE 8E 7D 34 53 61 F7 AF 09 29 5C F7 36 83 60 5F 52 92 5C D0 56 55 C9 61 7A FD EF 7E E8 70 F8 6E 7B EF -ep_only = true - -[FSG v1.20 (Eng) -> dulek/xt -> (Borland Delphi / Borland C++)] -signature = 0F BE C1 EB 01 0E 8D 35 C3 BE B6 22 F7 D1 68 43 ?? ?? 22 EB 02 B5 15 5F C1 F1 15 33 F7 80 E9 F9 BB F4 00 00 00 EB 02 8F D0 EB 02 08 AD 8A 16 2B C7 1B C7 80 C2 7A 41 80 EA 10 EB 01 3C 81 EA CF AE F1 AA EB 01 EC 81 EA BB C6 AB EE 2C E3 32 D3 0B CB 81 EA AB EE 90 14 2C 77 2A D3 EB 01 87 2A D3 E8 01 00 00 00 92 59 88 16 EB 02 52 08 46 EB 02 CD 20 4B 80 F1 C2 85 DB 75 AE C1 E0 04 EB 00 DA B2 82 5C 9B C7 89 98 4F 8A F7 ?? ?? ?? B1 4D DF B8 AD AC AB D4 07 27 D4 50 CF 9A D5 1C EC F2 27 77 18 40 4E A4 A8 B4 CB 9F 1D D9 EC 1F AD BC 82 AA C0 4C 0A A2 15 45 18 8F BB 07 93 BE C0 BC A3 B0 9D 51 D4 F1 08 22 62 96 6D 09 73 7E 71 A5 3A E5 7D 94 A3 96 99 98 72 B2 31 57 7B FA AE 9D 28 4F 99 EF A3 25 49 60 03 42 8B 54 53 5E 92 50 D4 52 4D C1 55 76 FD F7 8A FC 78 0C 82 87 0F -ep_only = true - -[Microsoft (R) Incremental Linker Version 5.12.8078 (MASM/TASM)->WinASM Studio] -signature=6A 00 68 00 30 40 00 68 1E 30 40 00 6A 00 E8 0D 00 00 00 6A 00 E8 00 00 00 00 FF 25 00 20 40 00 FF 25 08 20 40 -ep_only = true - -[Borland Pascal v7.0 for Windows] -signature = 9A FF FF 00 00 9A FF FF 00 00 55 89 E5 31 C0 9A FF FF 00 00 -ep_only = true - -[Borland C++ for Win32 1994] -signature = A1 ?? ?? ?? ?? C1 ?? ?? A3 ?? ?? ?? ?? 83 ?? ?? ?? ?? 75 ?? 57 51 33 C0 BF -ep_only = true - -[Borland C++ for Win32 1995] -signature = A1 ?? ?? ?? ?? C1 ?? ?? A3 ?? ?? ?? ?? 57 51 33 C0 BF ?? ?? ?? ?? B9 ?? ?? ?? ?? 3B CF 76 -ep_only = true - -[Borland C++ for Win32 1995] -signature = A1 ?? ?? ?? ?? C1 ?? ?? A3 ?? ?? ?? ?? 83 ?? ?? ?? ?? 75 ?? 80 ?? ?? ?? ?? ?? ?? 74 -ep_only = true - -[Borland C++ for Win32 1999] -signature = EB 10 66 62 3A 43 2B 2B 48 4F 4F 4B 90 E9 ?? ?? ?? ?? A1 ?? ?? ?? ?? C1 E0 02 A3 ?? ?? ?? ?? 52 -ep_only = true - -[Borland C++ for Win32 1999] -signature = EB 10 66 62 3A 43 2B 2B 48 4F 4F 4B 90 -ep_only = true - -[Borland C++] -signature = A1 ?? ?? ?? ?? C1 E0 02 A3 ?? ?? ?? ?? 57 51 33 C0 BF ?? ?? ?? ?? B9 ?? ?? ?? ?? 3B CF 76 05 2B CF FC F3 AA 59 5F -ep_only = true - -[Borland C++ DLL] -signature = A1 ?? ?? ?? ?? C1 E0 02 A3 -ep_only = true - -[Borland C++ DLL] -signature = EB 10 66 62 3A 43 2B 2B 48 4F 4F 4B 90 E9 -ep_only = true - -[Borland C++ DLL] -signature = EB 10 66 62 3A 43 2B 2B 48 4F 4F 4B 90 E9 A1 C1 E0 02 A3 8B -ep_only = true - -[Borland C++ DLL] -signature = EB 10 66 62 3A 43 2B 2B 48 4F 4F 4B 90 E9 ?? ?? ?? ?? A1 ?? ?? ?? ?? C1 E0 02 A3 ?? ?? ?? ?? 8B -ep_only = true - -[Borland Delphi vx.x (Component)] -signature = C3 E9 ?? ?? ?? FF 8D 40 -ep_only = true - -[Borland Delphi DLL] -signature = 55 8B EC 83 C4 B4 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 40 -ep_only = true - -[Borland Delphi v6.0 - v7.0] -signature = 55 8B EC 83 C4 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -ep_only = true - -[Borland Delphi v2.0] -signature = E8 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 89 05 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 05 ?? ?? ?? ?? C7 05 ?? ?? ?? ?? 0A ?? ?? ?? B8 ?? ?? ?? ?? C3 -ep_only = true - -[Borland Delphi v3.0] -signature = 50 6A ?? E8 ?? ?? FF FF BA ?? ?? ?? ?? 52 89 05 ?? ?? ?? ?? 89 42 04 E8 ?? ?? ?? ?? 5A 58 E8 ?? ?? ?? ?? C3 55 8B EC 33 C0 -ep_only = true - -[Borland Delphi v3.0] -signature = 55 8B EC 83 C4 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 -ep_only = true - -[Borland Delphi v4.0 - v5.0] -signature = 50 6A ?? E8 ?? ?? FF FF BA ?? ?? ?? ?? 52 89 05 ?? ?? ?? ?? 89 42 04 C7 42 08 ?? ?? ?? ?? C7 42 0C ?? ?? ?? ?? E8 ?? ?? ?? ?? 5A 58 E8 ?? ?? ?? ?? C3 -ep_only = true - -[Borland Delphi v4.0 - v5.0] -signature = 55 8B EC 83 C4 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 20 -ep_only = true - -[Borland Delphi v4.0 - v5.0] -signature = 50 6A 00 E8 ?? ?? FF FF BA ?? ?? ?? ?? 52 89 05 ?? ?? ?? ?? 89 42 04 C7 42 08 00 00 00 00 C7 42 0C 00 00 00 00 E8 ?? ?? ?? ?? 5A 58 E8 ?? ?? ?? ?? C3 -ep_only = true - -[Borland Delphi v6.0 - v7.0] -signature = BA ?? ?? ?? ?? 83 7D 0C 01 75 ?? 50 52 C6 05 ?? ?? ?? ?? ?? 8B 4D 08 89 0D ?? ?? ?? ?? 89 4A 04 -ep_only = true - -[Borland Delphi v6.0 - v7.0] -signature = 53 8B D8 33 C0 A3 00 ?? ?? ?? 06 A0 0E 80 ?? ?? 0F FA 30 ?? ?? ?? 0A 10 ?? ?? ?? 0A 30 ?? ?? ?? 03 3C 0A 30 ?? ?? ?? 03 3C 0A 30 ?? ?? ?? E8 -ep_only = true - -[Borland Delphi v6.0 - v7.0] -signature = 55 8B EC 83 C4 F0 B8 ?? ?? ?? ?? E8 ?? ?? FB FF A1 ?? ?? ?? ?? 8B ?? E8 ?? ?? FF FF 8B 0D ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B 00 8B 15 ?? ?? ?? ?? E8 ?? ?? FF FF A1 ?? ?? ?? ?? 8B ?? E8 ?? ?? FF FF E8 ?? ?? FB FF 8D 40 -ep_only = true - -[Borland Delphi v5.0 KOL/MCK] -signature = 55 8B EC ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 ?? ?? ?? ?? ?? 00 00 00 -ep_only = true - -[Borland Delphi v5.0 KOL] -signature = 55 8B EC 83 C4 F0 B8 ?? ?? 40 00 E8 ?? ?? FF FF E8 ?? ?? FF FF E8 ?? ?? FF FF 8B C0 00 00 00 00 00 00 00 00 00 00 00 -ep_only = true - -[Borland Delphi v6.0] -signature = 53 8B D8 33 C0 A3 ?? ?? ?? ?? 6A 00 E8 ?? ?? ?? FF A3 ?? ?? ?? ?? A1 ?? ?? ?? ?? A3 ?? ?? ?? ?? 33 C0 A3 ?? ?? ?? ?? 33 C0 A3 ?? ?? ?? ?? E8 -ep_only = true - -[Borland Delphi v6.0] -signature = 55 8B EC 83 C4 F0 B8 ?? ?? 45 00 E8 ?? ?? ?? FF A1 ?? ?? 45 00 8B 00 E8 ?? ?? FF FF 8B 0D -ep_only = true - -[Borland Delphi v6.0 KOL] -signature = 55 8B EC 83 C4 F0 B8 ?? ?? 40 00 E8 ?? ?? FF FF A1 ?? 72 40 00 33 D2 E8 ?? ?? FF FF A1 ?? 72 40 00 8B 00 83 C0 14 E8 ?? ?? FF FF E8 ?? ?? FF FF -ep_only = true - -[Borland Delphi Setup Module] -signature = 55 8B EC 83 C4 ?? 53 56 57 33 C0 89 45 F0 89 45 D4 89 45 D0 E8 -ep_only = true - -[Borland Delphi] -signature = 55 8B EC 83 C4 F4 -ep_only = true - -[Borland Delphi (Component)] -signature = C3 E9 ?? ?? ?? FF 8D 40 -ep_only = true - -[Cygwin32] -signature = 55 89 E5 83 EC 04 83 3D -ep_only = true - -[FASM v1.3x] -signature = 6A ?? FF 15 ?? ?? ?? ?? A3 -ep_only = true - -[Free Pascal v0.99.10] -signature = ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 00 6E 00 00 55 89 E5 8B 7D 0C 8B 75 08 89 F8 8B 5D 10 29 -ep_only = true - -[LCC Win32 v1.x] -signature = 64 A1 ?? ?? ?? ?? 55 89 E5 6A FF 68 ?? ?? ?? ?? 68 9A 10 40 ?? 50 -ep_only = true - -[LCC Win32 DLL] -signature = 55 89 E5 53 56 57 83 7D 0C 01 75 05 E8 17 ?? ?? ?? FF 75 10 FF 75 0C FF 75 08 A1 -ep_only = true - -[Microsoft Visual C++] -signature = 8B 44 24 08 56 83 E8 ?? 74 ?? 48 75 -ep_only = true - -[Microsoft Visual C++] -signature = 8B 44 24 08 83 ?? ?? 74 -ep_only = true - -[Microsoft Visual C v2.0] -signature = 53 56 57 BB ?? ?? ?? ?? 8B ?? ?? ?? 55 3B FB 75 -ep_only = true - -[Microsoft Visual C++ vx.x] -signature = 55 8B EC 56 57 BF ?? ?? ?? ?? 8B ?? ?? 3B F7 0F -ep_only = true - -[Microsoft Visual C++ vx.x] -signature = 53 55 56 8B ?? ?? ?? 85 F6 57 B8 ?? ?? ?? ?? 75 ?? 8B ?? ?? ?? ?? ?? 85 C9 75 ?? 33 C0 5F 5E 5D 5B C2 -ep_only = true - -[Microsoft Visual C++ v4.x] -signature = 64 A1 00 00 00 00 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 64 89 25 00 00 00 00 83 EC ?? 53 56 57 -ep_only = true - -[Microsoft Visual C++ v4.2] -signature = 64 A1 00 00 00 00 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 64 ?? ?? ?? ?? ?? ?? 83 ?? ?? 53 56 57 89 ?? ?? FF -ep_only = true - -[Microsoft Visual C++ v4.2] -signature = 64 A1 00 00 00 00 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 64 ?? ?? ?? ?? ?? ?? 83 ?? ?? 53 56 57 89 ?? ?? C7 -ep_only = true - -[Microsoft Visual C++ v4.2 DLL] -signature = 53 B8 ?? ?? ?? ?? 8B ?? ?? ?? 56 57 85 DB 55 75 -ep_only = true - -[Microsoft Visual C++ v5.0] -signature = 55 8B EC 6A FF 68 68 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 53 56 57 -ep_only = true - -[Microsoft Visual C++ v5.0 DLL] -signature = ?? ?? 24 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? 8B ?? 24 0C ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 8D -ep_only = true - -[Microsoft Visual C++ v5.0/v6.0 (MFC)] -signature = 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 -ep_only = true - -[Microsoft Visual C++ vx.x] -signature = 55 8B EC ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 04 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? 83 ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 -ep_only = true - -[Microsoft Visual C++ vx.x DLL] -signature = ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 ?? ?? ?? ?? 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 ?? ?? ?? 00 00 ?? ?? ?? 00 00 ?? ?? ?? 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? 00 ?? 00 ?? ?? ?? 00 00 ?? ?? ?? 00 00 ?? ?? ?? ?? ?? ?? 00 ?? 00 -ep_only = true - -[Microsoft Visual C++ v6.0 SPx] -signature = 55 8B EC 83 EC 44 56 FF 15 ?? ?? ?? ?? 8B F0 8A ?? 3C 22 -ep_only = true - -[Microsoft Visual C++ v6.0 SPx] -signature = 55 8B EC 83 EC 44 56 FF 15 ?? ?? ?? ?? 6A 01 8B F0 FF 15 -ep_only = true - -[Microsoft Visual C++ v6.0] -signature = 55 8B EC 6A FF 68 68 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 53 56 57 -ep_only = true - -[Microsoft Visual C++ v6.0 DLL] -signature = ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 51 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? 8B ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 4D ?? ?? ?? ?? 02 -ep_only = true - -[Microsoft Visual C++ v6.0 DLL] -signature = 83 7C 24 08 01 75 09 8B 44 24 04 A3 ?? ?? 00 10 E8 8B FF FF FF -ep_only = true - -[Microsoft Visual C++ v6.0] -signature = 55 8B EC 83 EC 50 53 56 57 BE ?? ?? ?? ?? 8D 7D F4 A5 A5 66 A5 8B -ep_only = true - -[Microsoft Visual C++ v6.0 DLL] -signature = 55 8D 6C ?? ?? 81 EC ?? ?? ?? ?? 8B 45 ?? 83 F8 01 56 0F 84 ?? ?? ?? ?? 85 C0 0F 84 -ep_only = true - -[Microsoft Visual C++ v6.0 DLL] -signature = 55 8B EC 53 8B 5D 08 56 8B 75 0C -ep_only = true - -[Microsoft Visual C++ v6.0] -signature = ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? 0D ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 1C ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 FF ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? 00 -ep_only = true - -[Microsoft Visual C++ v6.0 (Debug Version)] -signature = 55 8B EC 51 ?? ?? ?? 01 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 10 ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 -ep_only = true - -[Microsoft Visual C++ v7.0] -signature = 6A ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? BF ?? ?? ?? ?? 8B C7 E8 ?? ?? ?? ?? 89 65 ?? 8B F4 89 3E 56 FF 15 ?? ?? ?? ?? 8B 4E ?? 89 0D ?? ?? ?? ?? 8B 46 ?? A3 -ep_only = true - -[Microsoft Visual C++ v7.0 DLL] -signature = 55 8D 6C ?? ?? 81 EC ?? ?? ?? ?? 8B 45 ?? 83 F8 01 56 0F 84 ?? ?? ?? ?? 85 C0 0F 84 -ep_only = true - -[Microsoft Visual C++ v7.0 DLL] -signature = 55 8B EC 53 8B 5D 08 56 8B 75 0C 85 F6 57 8B 7D 10 -ep_only = true - -[Microsoft Visual C++ v7.1 DLL] -signature = 6A 0C 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 40 89 45 E4 -ep_only = true - -[Microsoft Visual C++ v7.1 DLL] -signature = 83 7C 24 08 01 75 ?? ?? ?? 24 04 50 A3 ?? ?? ?? 50 FF 15 00 10 ?? 50 33 C0 40 C2 0C 00 -ep_only = true - -[Microsoft Visual C++ v7.1 DLL] -signature = 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 C4 E4 53 56 57 89 65 E8 C7 45 E4 01 00 00 00 C7 45 FC -ep_only = true - -[Microsoft Visual C++ v7.1 DLL] -signature = 55 8B EC 53 8B 5D 08 56 8B 75 0C 85 F6 57 8B 7D 10 75 09 83 3D ?? ?? 40 00 00 EB 26 83 FE 01 74 05 83 FE 02 75 22 A1 -ep_only = true - -[Microsoft Visual C++ v7.1 DLL (Debug)] -signature = 55 8B EC ?? ?? 0C 83 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 8B -ep_only = true - -[Microsoft Visual C++ v7.1 EXE] -signature = 6A ?? 68 ?? ?? ?? 01 E8 ?? ?? 00 00 66 81 3D 00 00 00 01 4D 5A 75 ?? A1 3C 00 00 01 ?? ?? 00 00 00 01 -ep_only = true - -[Microsoft Visual C++ v7.1 EXE] -signature = 6A ?? 68 ?? ?? ?? ?? E8 -ep_only = true - -[Microsoft Visual C++ DLL] -signature = 53 55 56 8B 74 24 14 85 F6 57 B8 01 00 00 00 -ep_only = true - -[Microsoft Visual C++ DLL] -signature = 53 56 57 BB 01 ?? ?? ?? 8B ?? 24 14 -ep_only = true - -[Microsoft Visual C++ DLL] -signature = 53 B8 01 00 00 00 8B 5C 24 0C 56 57 85 DB 55 75 12 83 3D ?? ?? ?? ?? ?? 75 09 33 C0 -ep_only = true - -[Microsoft Visual C++ DLL] -signature = 55 8B EC 56 57 BF 01 00 00 00 8B 75 0C -ep_only = true - -[Microsoft Visual C++] -signature = 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 -ep_only = true - -[Microsoft Visual Basic v5.0] -signature = ?? ?? ?? ?? ?? ?? ?? FF FF FF 00 00 00 00 00 00 30 00 00 00 40 00 00 00 00 00 00 -ep_only = true - -[Microsoft Visual Basic v5.0/v6.0] -signature = 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 00 00 00 00 00 00 30 00 00 00 -ep_only = true - -[Microsoft Visual Basic v6.0 DLL] -signature = 5A 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 52 E9 ?? ?? FF -ep_only = true - -[MinGW GCC v2.x] -signature = 55 89 E5 E8 ?? ?? ?? ?? C9 C3 ?? ?? 45 58 45 -ep_only = true - -[MinGW GCC v2.x] -signature = 55 89 E5 ?? ?? ?? ?? ?? ?? FF FF ?? ?? ?? ?? ?? 00 ?? ?? 00 ?? ?? ?? 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 -ep_only = true - -[MinGW GCC v2.x] -signature = 55 89 E5 E8 ?? ?? ?? ?? C9 C3 ?? ?? 45 58 45 -ep_only = true - -[MinGW GCC DLL v2xx] -signature = 55 89 E5 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? 68 -ep_only = true - -[MinGW v3.2.x (Dll_main)] -signature = 55 89 E5 83 EC 18 89 75 FC 8B 75 0C 89 5D F8 83 FE 01 74 5C 89 74 24 04 8B 55 10 89 54 24 08 8B 55 08 89 14 24 E8 96 01 00 00 83 EC 0C 83 FE 01 89 C3 74 2C 85 F6 75 0C 8B 0D 00 30 00 10 85 C9 75 10 31 DB 89 D8 8B 5D F8 8B 75 FC 89 EC 5D C2 0C 00 E8 59 00 00 00 EB EB 8D B4 26 00 00 00 00 85 C0 75 D0 E8 47 00 00 00 EB C9 90 8D 74 26 00 C7 04 24 80 00 00 00 E8 F4 05 00 00 A3 00 30 00 10 85 C0 74 1A C7 00 00 00 00 00 A3 10 30 00 10 E8 3B 02 00 00 E8 C6 01 00 00 E9 75 FF FF FF E8 BC 05 00 00 C7 00 0C 00 00 00 31 C0 EB 98 89 F6 55 89 E5 83 EC 08 89 5D FC 8B 15 00 30 00 10 85 D2 74 29 8B 1D 10 30 00 10 83 EB 04 39 D3 72 0D 8B 03 85 C0 75 2A 83 EB 04 39 D3 73 F3 89 14 24 E8 6B 05 00 00 31 C0 A3 00 30 00 10 C7 04 24 00 00 00 00 E8 48 05 00 00 8B 5D FC 89 EC 5D C3 -ep_only = true - -[MinGW v3.2.x (Dll_WinMain)] -signature = 55 89 E5 83 EC 18 89 75 FC 8B 75 0C 89 5D F8 83 FE 01 74 5C 89 74 24 04 8B 55 10 89 54 24 08 8B 55 08 89 14 24 E8 76 01 00 00 83 EC 0C 83 FE 01 89 C3 74 2C 85 F6 75 0C 8B 0D 00 30 00 10 85 C9 75 10 31 DB 89 D8 8B 5D F8 8B 75 FC 89 EC 5D C2 0C 00 E8 59 00 00 00 EB EB 8D B4 26 00 00 00 00 85 C0 75 D0 E8 47 00 00 00 EB C9 90 8D 74 26 00 C7 04 24 80 00 00 00 E8 A4 05 00 00 A3 00 30 00 10 85 C0 74 1A C7 00 00 00 00 00 A3 10 30 00 10 E8 1B 02 00 00 E8 A6 01 00 00 E9 75 FF FF FF E8 6C 05 00 00 C7 00 0C 00 00 00 31 C0 EB 98 89 F6 55 89 E5 83 EC 08 89 5D FC 8B 15 00 30 00 10 85 D2 74 29 8B 1D 10 30 00 10 83 EB 04 39 D3 72 0D 8B 03 85 C0 75 2A 83 EB 04 39 D3 73 F3 89 14 24 E8 1B 05 00 00 31 C0 A3 00 30 00 10 C7 04 24 00 00 00 00 E8 F8 04 00 00 8B 5D FC 89 EC 5D C3 -ep_only = true - -[MinGW v3.2.x (main)] -signature = 55 89 E5 83 EC 08 C7 04 24 01 00 00 00 FF 15 E4 40 40 00 E8 68 00 00 00 89 EC 31 C0 5D C3 89 F6 55 89 E5 83 EC 08 C7 04 24 02 00 00 00 FF 15 E4 40 40 00 E8 48 00 00 00 89 EC 31 C0 5D C3 89 F6 55 89 E5 83 EC 08 8B 55 08 89 14 24 FF 15 00 41 40 00 89 EC 5D C3 8D 76 00 8D BC 27 00 00 00 00 55 89 E5 83 EC 08 8B 55 08 89 14 24 FF 15 F4 40 40 00 89 EC 5D C3 8D 76 00 8D BC 27 00 00 00 00 55 89 E5 53 83 EC 24 C7 04 24 A0 11 40 00 E8 8D 07 00 00 83 EC 04 E8 85 02 00 00 C7 04 24 00 20 40 00 8B 15 10 20 40 00 8D 4D F8 C7 45 F8 00 00 00 00 89 4C 24 10 89 54 24 0C 8D 55 F4 89 54 24 08 C7 44 24 04 04 20 40 00 E8 02 07 00 00 A1 20 20 40 00 85 C0 74 76 A3 30 20 40 00 A1 F0 40 40 00 85 C0 74 1F 89 04 24 E8 C3 06 00 00 8B 1D 20 20 40 00 89 04 24 89 5C 24 04 E8 C1 06 00 00 -ep_only = true - -[MinGW v3.2.x (WinMain)] -signature = 55 89 E5 83 EC 08 C7 04 24 01 00 00 00 FF 15 FC 40 40 00 E8 68 00 00 00 89 EC 31 C0 5D C3 89 F6 55 89 E5 83 EC 08 C7 04 24 02 00 00 00 FF 15 FC 40 40 00 E8 48 00 00 00 89 EC 31 C0 5D C3 89 F6 55 89 E5 83 EC 08 8B 55 08 89 14 24 FF 15 18 41 40 00 89 EC 5D C3 8D 76 00 8D BC 27 00 00 00 00 55 89 E5 83 EC 08 8B 55 08 89 14 24 FF 15 0C 41 40 00 89 EC 5D C3 8D 76 00 8D BC 27 00 00 00 00 55 89 E5 53 83 EC 24 C7 04 24 A0 11 40 00 E8 5D 08 00 00 83 EC 04 E8 55 03 00 00 C7 04 24 00 20 40 00 8B 15 10 20 40 00 8D 4D F8 C7 45 F8 00 00 00 00 89 4C 24 10 89 54 24 0C 8D 55 F4 89 54 24 08 C7 44 24 04 04 20 40 00 E8 D2 07 00 00 A1 20 20 40 00 85 C0 74 76 A3 30 20 40 00 A1 08 41 40 00 85 C0 74 1F 89 04 24 E8 93 07 00 00 8B 1D 20 20 40 00 89 04 24 89 5C 24 04 E8 91 07 00 00 -ep_only = true - -[MinGW v3.2.x (Dll_mainCRTStartup)] -signature = 55 89 E5 83 EC 08 6A 00 6A 00 6A 00 6A 00 E8 0D 00 00 00 B8 00 00 00 00 C9 C3 90 90 90 90 90 90 FF 25 38 20 00 10 90 90 00 00 00 00 00 00 00 00 FF FF FF FF 00 00 00 00 FF FF FF FF 00 00 00 00 00 -ep_only = true - -[MinGW v3.2.x (_mainCRTStartup)] -signature = 55 89 E5 83 EC 08 6A 00 6A 00 6A 00 6A 00 E8 0D 00 00 00 B8 00 00 00 00 C9 C3 90 90 90 90 90 90 FF 25 38 20 40 00 90 90 00 00 00 00 00 00 00 00 FF FF FF FF 00 00 00 00 FF FF FF FF 00 00 00 00 00 -ep_only = true - -[Stranik 1.3 Modula/C/Pascal] -signature = E8 ?? ?? FF FF E8 ?? ?? FF FF ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? 00 ?? ?? ?? 00 00 00 ?? ?? ?? 00 ?? ?? 00 ?? 00 ?? 00 00 ?? 00 ?? ?? ?? ?? ?? 00 ?? ?? 00 ?? ?? 00 ?? ?? ?? ?? ?? 00 ?? ?? 00 ?? ?? ?? 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? 00 ?? ?? ?? 00 00 00 ?? ?? 00 ?? ?? ?? ?? ?? ?? 00 ?? ?? 00 ?? ?? ?? 00 00 00 ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 -ep_only = true - -[WATCOM C/C++ 32 Run-Time System 1988-1995] -signature = E9 ?? ?? ?? ?? ?? ?? ?? ?? 57 41 54 43 4F 4D 20 43 2F 43 2B 2B 33 32 20 52 75 6E 2D 54 -ep_only = true - -[WATCOM C/C++ 32 Run-Time System 1988-1994] -signature = FB 83 ?? ?? 89 E3 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 66 ?? ?? ?? 66 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 29 C0 B4 30 CD 21 -ep_only = true - -[WATCOM C/C++] -signature = E9 ?? ?? ?? ?? ?? ?? ?? ?? 57 41 -ep_only = true - -[WATCOM C/C++ DLL] -signature = 53 56 57 55 8B 74 24 14 8B 7C 24 18 8B 6C 24 1C 83 FF 03 0F 87 -ep_only = true - -[.BJFnt v1.1b] -signature = EB 01 EA 9C EB 01 EA 53 EB 01 EA 51 EB 01 EA 52 EB 01 EA 56 -ep_only = true - -[.BJFnt v1.2 RC] -signature = EB 02 69 B1 83 EC 04 EB 03 CD 20 EB EB 01 EB 9C EB 01 EB EB -ep_only = true - -[.BJFnt v1.3] -signature = EB 03 3A 4D 3A 1E EB 02 CD 20 9C EB 02 CD 20 EB 02 CD 20 60 -ep_only = true - -[.BJFnt v1.3] -signature = EB ?? 3A ?? ?? 1E EB ?? CD 20 9C EB ?? CD 20 EB ?? CD 20 60 EB -ep_only = true - -[32Lite v0.03a] -signature = 60 06 FC 1E 07 BE ?? ?? ?? ?? 6A 04 68 ?? 10 ?? ?? 68 -ep_only = true - -[AcidCrypt] -signature = 60 B9 ?? ?? ?? 00 BA ?? ?? ?? 00 BE ?? ?? ?? 00 02 38 40 4E 75 FA 8B C2 8A 18 32 DF C0 CB -ep_only = true - -[AcidCrypt] -signature = BE ?? ?? ?? ?? 02 38 40 4E 75 FA 8B C2 8A 18 32 DF C0 CB -ep_only = true - -[Alloy v1.x.2000] -signature = 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 07 20 40 ?? 87 DD 6A 04 68 ?? 10 ?? ?? 68 ?? 02 ?? ?? 6A ?? FF 95 46 23 40 ?? 0B -ep_only = true - -[Armadillo v1.60a] -signature = 55 8B EC 6A FF 68 98 71 40 00 68 48 2D 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 -ep_only = true - -[Armadillo v1.71] -signature = 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 -ep_only = true - -[Armadillo v1.72 - v1.73] -signature = 55 8B EC 6A FF 68 E8 C1 ?? ?? 68 F4 86 ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 -ep_only = true - -[Armadillo v1.77] -signature = 55 8B EC 6A FF 68 B0 71 40 00 68 6C 37 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 -ep_only = true - -[Armadillo v1.80] -signature = 55 8B EC 6A FF 68 E8 C1 00 00 68 F4 86 00 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 -ep_only = true - -[Armadillo v1.82] -signature = 55 8B EC 6A FF 68 E0 C1 40 00 68 74 81 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 -ep_only = true - -[Armadillo v1.83] -signature = 55 8B EC 6A FF 68 E0 C1 40 00 68 64 84 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 -ep_only = true - -[Armadillo v1.84] -signature = 55 8B EC 6A FF 68 E8 C1 40 00 68 F4 86 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 -ep_only = true - -[Armadillo v1.90] -signature = 55 8B EC 6A FF 68 10 F2 40 00 68 64 9A 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 -ep_only = true - -[Armadillo v1.9x] -signature = 55 8B EC 6A FF 68 98 ?? ?? ?? 68 10 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 -ep_only = true - -[Armadillo v1.90b1] -signature = 55 8B EC 6A FF 68 E0 C1 40 00 68 04 89 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 -ep_only = true - -[Armadillo v1.90b2] -signature = 55 8B EC 6A FF 68 F0 C1 40 00 68 A4 89 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 -ep_only = true - -[Armadillo v1.90b3] -signature = 55 8B EC 6A FF 68 08 E2 40 00 68 94 95 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 -ep_only = true - -[Armadillo v1.90b4] -signature = 55 8B EC 6A FF 68 08 E2 40 00 68 B4 96 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 -ep_only = true - -[Armadillo v1.90a] -signature = 55 8B EC 64 FF 68 10 F2 40 00 68 14 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 -ep_only = true - -[Armadillo v1.90c] -signature = 55 8B EC 6A FF 68 10 F2 40 00 68 74 9D 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 -ep_only = true - -[Armadillo v1.xx - v2.xx] -signature = 55 8B EC 53 8B 5D 08 56 8B 75 0C 57 8B 7D 10 85 F6 -ep_only = true - -[Armadillo v2.00] -signature = 55 8B EC 6A FF 68 00 02 41 00 68 C4 A0 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 -ep_only = true - -[Armadillo v2.00b1] -signature = 55 8B EC 6A FF 68 98 ?? ?? ?? 68 10 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 -ep_only = true - -[Armadillo v2.00b2-2.00b3] -signature = 55 8B EC 6A FF 68 00 F2 40 00 68 C4 A0 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 -ep_only = true - -[Armadillo v2.01] -signature = 55 8B EC 6A FF 68 08 02 41 00 68 04 9A 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 -ep_only = true - -[Armadillo v2.10b2] -signature = 55 8B EC 6A FF 68 18 12 41 00 68 24 A0 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 -ep_only = true - -[Armadillo v2.20] -signature = 55 8B EC 6A FF 68 10 12 41 00 68 F4 A0 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 -ep_only = true - -[Armadillo v2.20b1] -signature = 55 8B EC 6A FF 68 30 12 41 00 68 A4 A5 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 -ep_only = true - -[Armadillo v2.50] -signature = 55 8B EC 6A FF 68 B8 ?? ?? ?? 68 F8 ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 20 ?? ?? ?? 33 D2 8A D4 89 15 D0 -ep_only = true - -[Armadillo v2.50b1] -signature = 55 8B EC 6A FF 68 98 ?? ?? ?? 68 10 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 -ep_only = true - -[Armadillo v2.50b3] -signature = 55 8B EC 6A FF 68 B8 ?? ?? ?? 68 F8 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 20 ?? ?? ?? 33 D2 8A D4 89 15 D0 -ep_only = true - -[Armadillo v2.51] -signature = 55 8B EC 6A FF 68 B8 ?? ?? ?? 68 D0 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 20 -ep_only = true - -[Armadillo v2.52 beta2] -signature = 55 8B EC 6A FF 68 ?? ?? ?? ?? B0 ?? ?? ?? ?? 68 60 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF ?? ?? ?? 15 24 -ep_only = true - -[Armadillo v2.52] -signature = 55 8B EC 6A FF 68 ?? ?? ?? ?? E0 ?? ?? ?? ?? 68 D4 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF ?? ?? ?? 15 38 -ep_only = true - -[Armadillo v2.52] -signature = 55 8B EC 6A FF 68 E0 ?? ?? ?? 68 D4 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 38 -ep_only = true - -[Armadillo v2.52b2] -signature = 55 8B EC 6A FF 68 B0 ?? ?? ?? 68 60 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 24 -ep_only = true - -[Armadillo v2.53] -signature = 55 8B EC 6A FF 68 ?? ?? ?? ?? 40 ?? ?? ?? ?? 68 54 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF ?? ?? ?? 15 58 33 D2 8A D4 89 -ep_only = true - -[Armadillo v2.53] -signature = 55 8B EC 6A FF 68 40 ?? ?? ?? 68 54 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 58 ?? ?? ?? 33 D2 8A D4 89 15 EC -ep_only = true - -[Armadillo v2.53b3] -signature = 55 8B EC 6A FF 68 D8 ?? ?? ?? 68 14 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 -ep_only = true - -[Armadillo v2.xx (CopyMem II)] -signature = 6A ?? 8B B5 ?? ?? ?? ?? C1 E6 04 8B 85 ?? ?? ?? ?? 25 07 ?? ?? 80 79 05 48 83 C8 F8 40 33 C9 8A 88 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 81 E2 07 ?? ?? 80 79 05 4A 83 CA F8 42 33 C0 8A 82 -ep_only = true - -[Armadillo v2.5x - v2.6x] -signature = 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 58 ?? ?? ?? 33 D2 8A D4 89 15 EC -ep_only = true - -[Armadillo v2.60] -signature = 55 8B EC 6A FF 68 D0 ?? ?? ?? 68 34 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 68 ?? ?? ?? 33 D2 8A D4 89 15 84 -ep_only = true - -[Armadillo v2.60b1] -signature = 55 8B EC 6A FF 68 50 ?? ?? ?? 68 74 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 58 ?? ?? ?? 33 D2 8A D4 89 15 FC -ep_only = true - -[Armadillo v2.60b2] -signature = 55 8B EC 6A FF 68 90 ?? ?? ?? 68 24 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 60 ?? ?? ?? 33 D2 8A D4 89 15 3C -ep_only = true - -[Armadillo v2.60a] -signature = 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 94 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 6C ?? ?? ?? 33 D2 8A D4 89 15 B4 -ep_only = true - -[Armadillo v2.60c] -signature = 55 8B EC 6A FF 68 40 ?? ?? ?? 68 F4 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 6C ?? ?? ?? 33 D2 8A D4 89 15 F4 -ep_only = true - -[Armadillo v2.61] -signature = 55 8B EC 6A FF 68 28 ?? ?? ?? 68 E4 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 6C ?? ?? ?? 33 D2 8A D4 89 15 0C -ep_only = true - -[Armadillo v2.65b1] -signature = 55 8B EC 6A FF 68 38 ?? ?? ?? 68 40 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 28 ?? ?? ?? 33 D2 8A D4 89 15 F4 -ep_only = true - -[Armadillo v2.75a] -signature = 55 8B EC 6A FF 68 68 ?? ?? ?? 68 D0 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 28 ?? ?? ?? 33 D2 8A D4 89 15 24 -ep_only = true - -[Armadillo v2.85] -signature = 55 8B EC 6A FF 68 68 ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 28 ?? ?? ?? 33 D2 8A D4 89 15 24 -ep_only = true - -[Armadillo v3.00] -signature = 60 E8 ?? ?? ?? ?? 5D 50 51 EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 59 58 60 33 C9 -ep_only = true - -[Armadillo v3.00a] -signature = 60 E8 ?? ?? ?? ?? 5D 50 51 EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 59 58 50 51 EB -ep_only = true - -[Armadillo 3.00a -> Silicon Realms Toolworks] -signature = 60 E8 00 00 00 00 5D 50 51 EB 0F ?? EB 0F ?? EB 07 ?? EB 0F ?? EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC ?? 59 58 50 51 EB 0F ?? EB 0F ?? EB 07 ?? EB 0F ?? EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC ?? 59 58 50 51 EB 0F ?? EB 0F ?? EB 07 ?? EB 0F ?? EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC ?? 59 58 60 33 C9 75 02 EB 15 ?? 33 C9 75 18 7A 0C 70 0E EB 0D ?? 72 0E 79 F1 ?? ?? ?? 79 09 74 F0 ?? 87 DB 7A F0 ?? ?? 61 50 51 EB 0F ?? EB 0F ?? EB 07 ?? EB 0F ?? EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC ?? 59 58 60 9C 33 C0 E8 09 00 00 00 E8 E8 23 00 00 00 7A 23 ?? 8B 04 24 EB 03 7A 29 ?? C6 00 90 C3 ?? 70 F0 87 D2 71 07 ?? ?? 40 8B DB 7A 11 EB 08 ?? EB F7 EB C3 ?? 7A E9 70 DA 7B D1 71 F3 ?? 7B F3 71 D6 ?? 9D 61 83 ED 06 33 FF 47 60 33 C9 75 02 EB 15 ?? 33 C9 75 18 7A 0C 70 0E EB 0D ?? 72 0E 79 F1 ?? ?? ?? 79 09 74 F0 EB 87 ?? 7A F0 ?? ?? 61 8B 9C BD 26 42 -ep_only = true - -[Armadillo v3.01, v3.05] -signature = 60 E8 00 00 00 00 5D 50 51 EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 59 58 50 51 EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 59 58 50 51 EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 59 58 60 33 C9 75 02 EB 15 EB 33 C9 75 18 7A 0C 70 0E EB 0D E8 72 0E 79 F1 FF 15 00 79 09 74 F0 EB 87 DB 7A F0 A0 33 61 50 51 EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 59 58 60 9C 33 C0 E8 09 00 00 00 E8 E8 23 00 00 00 7A 23 A0 8B 04 24 EB 03 7A 29 E9 C6 00 90 C3 E8 70 F0 87 D2 71 07 E9 00 40 8B DB 7A 11 EB 08 E9 EB F7 EB C3 E8 7A E9 70 DA 7B D1 71 F3 E9 7B -ep_only = true - -[Armadillo v3.01 - v3.50a -> Silicon Realms Toolworks] -signature = 60 E8 00 00 00 00 5D 50 51 EB 0F ?? EB 0F ?? EB 07 ?? EB 0F ?? EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC ?? 59 58 50 51 EB 0F ?? EB 0F ?? EB 07 ?? EB 0F ?? EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC ?? 59 58 50 51 EB 0F ?? EB 0F ?? EB 07 ?? EB 0F ?? EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC ?? 59 58 60 33 C9 75 02 EB 15 ?? 33 C9 75 18 7A 0C 70 0E EB 0D ?? 72 0E 79 F1 ?? ?? ?? 79 09 74 F0 ?? 87 DB 7A F0 ?? ?? 61 50 51 EB 0F ?? EB 0F ?? EB 07 ?? EB 0F ?? EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC ?? 59 58 60 9C 33 C0 E8 09 00 00 00 E8 E8 23 00 00 00 7A 23 ?? 8B 04 24 EB 03 7A 29 ?? C6 00 90 C3 ?? 70 F0 87 D2 71 07 ?? ?? 40 8B DB 7A 11 EB 08 ?? EB F7 EB C3 ?? 7A E9 70 DA 7B D1 71 F3 ?? 7B F3 71 D6 ?? 9D 61 83 ED 06 33 FF 47 60 33 C9 75 02 EB 15 ?? 33 C9 75 18 7A 0C 70 0E EB 0D ?? 72 0E 79 F1 ?? ?? ?? 79 09 74 F0 EB 87 ?? 7A F0 ?? ?? 61 8B 9C BD B8 43 -ep_only = true - -[Armadillo v3.10] -signature = 55 8B EC 6A FF 68 E0 97 44 00 68 20 C0 42 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 4C 41 44 00 33 D2 8A D4 89 15 90 A1 44 00 8B C8 81 E1 FF 00 00 00 89 0D 8C A1 44 00 C1 E1 08 03 CA 89 0D 88 A1 44 00 C1 E8 10 A3 84 A1 44 00 33 F6 56 E8 72 16 00 00 59 85 C0 75 08 6A 1C E8 B0 00 00 00 59 89 75 FC E8 3D 13 00 00 FF 15 30 40 44 00 A3 84 B7 44 00 E8 FB 11 00 00 A3 E0 A1 44 00 E8 A4 0F 00 00 E8 E6 0E 00 00 E8 4E F6 FF FF 89 75 D0 8D 45 A4 50 FF 15 38 40 44 00 E8 77 0E 00 00 89 45 9C F6 45 D0 01 74 06 0F B7 45 D4 EB 03 6A 0A 58 50 FF 75 9C 56 56 FF 15 7C 41 44 00 50 E8 49 D4 FE FF 89 45 A0 50 E8 3C F6 FF FF 8B 45 EC 8B 08 8B 09 89 4D 98 50 51 E8 B5 0C 00 00 59 59 C3 8B 65 E8 FF 75 98 E8 2E F6 FF FF 83 3D E8 A1 44 00 01 75 05 -ep_only = true - -[Armadillo v3.xx] -signature = 60 E8 ?? ?? ?? ?? 5D 50 51 EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 59 58 -ep_only = true - -[Armadillo 3.6x -> Silicon Realms Toolworks] -signature = 60 E8 00 00 00 00 5D 50 51 EB 0F ?? EB 0F ?? EB 07 ?? EB 0F ?? EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC ?? 59 58 50 51 EB 0F ?? EB 0F ?? EB 07 ?? EB 0F ?? EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC ?? 59 58 50 51 EB 0F ?? EB 0F ?? EB 07 ?? EB 0F ?? EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC ?? 59 58 60 33 C9 75 02 EB 15 ?? 33 C9 75 18 7A 0C 70 0E EB 0D ?? 72 0E 79 F1 ?? ?? ?? 79 09 74 F0 ?? 87 DB 7A F0 ?? ?? 61 50 51 EB 0F ?? EB 0F ?? EB 07 ?? EB 0F ?? EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC ?? 59 58 60 9C 33 C0 E8 09 00 00 00 E8 E8 23 00 00 00 7A 23 ?? 8B 04 24 EB 03 7A 29 ?? C6 00 90 C3 ?? 70 F0 87 D2 71 07 ?? ?? 40 8B DB 7A 11 EB 08 ?? EB F7 EB C3 ?? 7A E9 70 DA 7B D1 71 F3 ?? 7B F3 71 D6 ?? 9D 61 83 ED 06 33 FF 47 60 33 C9 75 02 EB 15 ?? 33 C9 75 18 7A 0C 70 0E EB 0D ?? 72 0E 79 F1 ?? ?? ?? 79 09 74 F0 EB 87 ?? 7A F0 ?? ?? 61 8B 9C BD AB 76 -ep_only = true - -[Armadillo 3.7x -> Silicon Realms Toolworks] -signature = 60 E8 00 00 00 00 5D 50 51 EB 0F ?? EB 0F ?? EB 07 ?? EB 0F ?? EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC ?? 59 58 50 51 EB 0F ?? EB 0F ?? EB 07 ?? EB 0F ?? EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC ?? 59 58 50 51 EB 0F ?? EB 0F ?? EB 07 ?? EB 0F ?? EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC ?? 59 58 60 33 C9 75 02 EB 15 ?? 33 C9 75 18 7A 0C 70 0E EB 0D ?? 72 0E 79 F1 ?? ?? ?? 79 09 74 F0 ?? 87 DB 7A F0 ?? ?? 61 50 51 EB 0F ?? EB 0F ?? EB 07 ?? EB 0F ?? EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC ?? 59 58 60 9C 33 C0 E8 09 00 00 00 E8 E8 23 00 00 00 7A 23 ?? 8B 04 24 EB 03 7A 29 ?? C6 00 90 C3 ?? 70 F0 87 D2 71 07 ?? ?? 40 8B DB 7A 11 EB 08 ?? EB F7 EB C3 ?? 7A E9 70 DA 7B D1 71 F3 ?? 7B F3 71 D6 ?? 9D 61 83 ED 06 B8 3B 01 00 00 03 C5 33 DB 81 C3 01 01 01 01 31 18 81 38 78 54 00 00 74 04 31 18 EB EC -ep_only = true - -[APatch GUI v1.1] -signature = 52 31 C0 E8 FF FF FF FF -ep_only = true - -[ASPack v1.00b] -signature = 60 E8 ?? ?? ?? ?? 5D 81 ED 92 1A 44 ?? B8 8C 1A 44 ?? 03 C5 2B 85 CD 1D 44 ?? 89 85 D9 1D 44 ?? 80 BD C4 1D 44 -ep_only = true - -[ASPack v1.01b] -signature = 60 E8 ?? ?? ?? ?? 5D 81 ED D2 2A 44 ?? B8 CC 2A 44 ?? 03 C5 2B 85 A5 2E 44 ?? 89 85 B1 2E 44 ?? 80 BD 9C 2E 44 -ep_only = true - -[ASPack v1.02a] -signature = 60 E8 ?? ?? ?? ?? 5D 81 ED 3E D9 43 ?? B8 38 ?? ?? ?? 03 C5 2B 85 0B DE 43 ?? 89 85 17 DE 43 ?? 80 BD 01 DE 43 ?? ?? 75 15 FE 85 01 DE 43 ?? E8 1D ?? ?? ?? E8 79 02 ?? ?? E8 12 03 ?? ?? 8B 85 03 DE 43 ?? 03 85 17 DE 43 ?? 89 44 24 1C 61 FF -ep_only = true - -[ASPack v1.02b] -signature = 60 E8 ?? ?? ?? ?? 5D 81 ED 96 78 43 ?? B8 90 78 43 ?? 03 C5 2B 85 7D 7C 43 ?? 89 85 89 7C 43 ?? 80 BD 74 7C 43 -ep_only = true - -[ASPack v1.02b] -signature = 60 E8 00 00 00 00 5D 81 ED 96 78 43 00 B8 90 78 43 00 03 C5 -ep_only = true - -[ASPack v1.03b] -signature = 60 E8 ?? ?? ?? ?? 5D 81 ED AE 98 43 ?? B8 A8 98 43 ?? 03 C5 2B 85 18 9D 43 ?? 89 85 24 9D 43 ?? 80 BD 0E 9D 43 -ep_only = true - -[ASPack v1.04b] -signature = 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 2B 85 ?? 12 9D ?? 89 85 1E 9D ?? ?? 80 BD 08 9D -ep_only = true - -[ASPack v1.05b] -signature = 60 E8 ?? ?? ?? ?? 5D 81 ED CE 3A 44 ?? B8 C8 3A 44 ?? 03 C5 2B 85 B5 3E 44 ?? 89 85 C1 3E 44 ?? 80 BD AC 3E 44 -ep_only = true - -[ASPack v1.06b] -signature = 90 75 00 E9 -ep_only = true - -[ASPack v1.06b] -signature = 90 90 75 00 E9 -ep_only = true - -[ASPack v1.06b] -signature = 90 90 90 75 00 E9 -ep_only = true - -[ASPack v1.061b] -signature = 60 E8 ?? ?? ?? ?? 5D 81 ED EA A8 43 ?? B8 E4 A8 43 ?? 03 C5 2B 85 78 AD 43 ?? 89 85 84 AD 43 ?? 80 BD 6E AD 43 -ep_only = true - -[ASPack v1.07b] -signature = 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 2B 85 ?? 0B DE ?? 89 85 17 DE ?? ?? 80 BD 01 DE -ep_only = true - -[ASPack v1.07b (DLL)] -signature = 60 E8 00 00 00 00 5D ?? ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 -ep_only = true - -[ASPack v1.07b] -signature = 90 90 90 75 ?? E9 -ep_only = true - -[ASPack v1.07b] -signature = 90 90 75 ?? E9 -ep_only = true - -[ASPack v1.07b] -signature = 90 75 ?? E9 -ep_only = true - -[ASPack v1.08] -signature = 90 75 01 FF E9 -ep_only = true - -[ASPack v1.08] -signature = 90 90 75 01 FF E9 -ep_only = true - -[ASPack v1.08] -signature = 90 90 90 75 01 FF E9 -ep_only = true - -[ASPack v1.08.01] -signature = 90 90 90 75 ?? 90 E9 -ep_only = true - -[ASPack v1.08.01] -signature = 60 EB 0A 5D EB 02 FF 25 45 FF E5 E8 E9 E8 F1 FF FF FF E9 81 ?? ?? ?? 44 ?? BB 10 ?? 44 ?? 03 DD 2B 9D -ep_only = true - -[ASPack v1.08.01] -signature = 90 90 75 ?? 90 E9 -ep_only = true - -[ASPack v1.08.01] -signature = 90 75 ?? 90 E9 -ep_only = true - -[ASPack v1.08.01] -signature = 60 EB ?? 5D EB ?? FF ?? ?? ?? ?? ?? E9 -ep_only = true - -[ASPack v1.08.01] -signature = 60 EB 0A 5D EB 02 FF 25 45 FF E5 E8 E9 E8 F1 FF FF FF E9 81 ?? ?? ?? 44 00 BB 10 ?? 44 00 03 DD 2B 9D -ep_only = true - -[ASPack v1.08.02] -signature = 60 EB 0A 5D EB 02 FF 25 45 FF E5 E8 E9 E8 F1 FF FF FF E9 81 ED 23 6A 44 00 BB 10 ?? 44 00 03 DD 2B 9D 72 -ep_only = true - -[ASPack v1.08.x] -signature = 60 EB 03 5D FF E5 E8 F8 FF FF FF 81 ED 1B 6A 44 00 BB 10 6A 44 00 03 DD 2B 9D 2A -ep_only = true - -[ASPack v1.08.03] -signature = 60 E8 00 00 00 00 5D ?? ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 03 DD -ep_only = true - -[ASPack v1.08.03] -signature = 60 E8 00 00 00 00 5D 81 ED 0A 4A 44 00 BB 04 4A 44 00 03 DD -ep_only = true - -[ASPack v1.08.03] -signature = 60 E8 00 00 00 00 5D 81 ED 0A 4A 44 00 BB 04 4A 44 00 03 DD 2B 9D B1 50 44 00 83 BD AC 50 44 00 00 89 9D BB 4E -ep_only = true - -[ASPack v1.08.04] -signature = 60 E8 41 06 00 00 EB 41 -ep_only = true - -[ASPack v2.xx] -signature = A8 03 ?? ?? 61 75 08 B8 01 ?? ?? ?? C2 0C ?? 68 ?? ?? ?? ?? C3 8B 85 26 04 ?? ?? 8D 8D 3B 04 ?? ?? 51 50 FF 95 -ep_only = true - -[ASPack v2.000] -signature = 60 E8 70 05 00 00 EB 4C -ep_only = true - -[ASPack v2.001] -signature = 60 E8 72 05 00 00 EB 4C -ep_only = true - -[ASPack v2.1] -signature = 60 E8 72 05 00 00 EB 33 87 DB 90 00 -ep_only = true - -[ASPack v2.11] -signature = 60 E9 3D 04 00 00 -ep_only = true - -[ASPack v2.11b] -signature = 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 E9 3D 04 00 00 -ep_only = true - -[ASPack v2.11c] -signature = 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 E9 59 04 00 00 -ep_only = true - -[ASPack v2.11d] -signature = 60 E8 02 00 00 00 EB 09 5D 55 -ep_only = true - -[ASPack v2.12] -signature = 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB -ep_only = true - -[ASPack v2.12] -signature = 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 -ep_only = true - -[ASPack v2.xx] -signature = A8 03 00 00 61 75 08 B8 01 00 00 00 C2 0C 00 68 00 00 00 00 C3 8B 85 26 04 00 00 8D 8D 3B 04 00 00 51 50 FF 95 -ep_only = true - -[Anticrack Software Protector v1.09 (ACProtect)] -signature = 60 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 ?? ?? ?? 04 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 04 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 -ep_only = true - -[Anticrack Software Protector v1.09 (ACProtect)] -signature = 60 ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 ?? ?? ?? 04 ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 01 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 78 03 79 01 ?? ?? ?? ?? 00 00 ?? ?? ?? ?? ?? 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 -ep_only = true - -[Anticrack Software Protector v1.09 (ACProtect)] -signature = 60 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 ?? 83 04 24 06 C3 ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 01 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 66 -ep_only = true - -[Anticrack Software Protector v1.09 (ACProtect)] -signature = 60 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 01 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 01 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 -ep_only = true - -[ASProtect vx.x] -signature = 90 60 ?? ?? ?? 00 00 -ep_only = true - -[ASProtect vx.x] -signature = 60 ?? ?? ?? ?? ?? 90 5D ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 03 DD -ep_only = true - -[ASProtect v1.0] -signature = 60 E8 01 ?? ?? ?? 90 5D 81 ED ?? ?? ?? ?? BB ?? ?? ?? ?? 03 DD 2B 9D -ep_only = true - -[ASProtect v1.1] -signature = 60 E9 ?? 04 ?? ?? E9 ?? ?? ?? ?? ?? ?? ?? EE -ep_only = true - -[ASProtect v1.1 MTE] -signature = 60 E9 ?? ?? ?? ?? 91 78 79 79 79 E9 -ep_only = true - -[ASProtect v1.1 MTEb] -signature = 90 60 E9 ?? 04 -ep_only = true - -[ASProtect v1.1 MTEc] -signature = 90 60 E8 1B ?? ?? ?? E9 FC -ep_only = true - -[ASProtect v1.1 BRS] -signature = 60 E9 ?? 05 -ep_only = true - -[ASProtect v1.2] -signature = 68 01 ?? ?? ?? C3 -ep_only = true - -[ASProtect v1.2x] -signature = 00 00 68 01 ?? ?? ?? C3 AA -ep_only = true - -[ASProtect v1.2x (New Strain)] -signature = 68 01 ?? ?? ?? E8 01 ?? ?? ?? C3 C3 -ep_only = true - -[ASProtect v1.23 RC1] -signature = 68 01 ?? ?? 00 E8 01 00 00 00 C3 C3 -ep_only = true - -[ASPR Stripper v2.x unpacked] -signature = BB ?? ?? ?? ?? E9 ?? ?? ?? ?? 60 9C FC BF ?? ?? ?? ?? B9 ?? ?? ?? ?? F3 AA 9D 61 C3 55 8B EC -ep_only = true - -[Blade Joiner v1.5] -signature = 55 8B EC 81 C4 E4 FE FF FF 53 56 57 33 C0 89 45 F0 89 85 -ep_only = true - -[BopCrypt v1.0] -signature = 60 BD ?? ?? ?? ?? E8 ?? ?? 00 00 -ep_only = true - -[CExe v1.0a] -signature = 55 8B EC 81 EC 0C 02 ?? ?? 56 BE 04 01 ?? ?? 8D 85 F8 FE FF FF 56 50 6A ?? FF 15 54 10 40 ?? 8A 8D F8 FE FF FF 33 D2 84 C9 8D 85 F8 FE FF FF 74 16 -ep_only = true - -[CD-Cops II] -signature = 53 60 BD ?? ?? ?? ?? 8D 45 ?? 8D 5D ?? E8 ?? ?? ?? ?? 8D -ep_only = true - -[CodeCrypt v0.14b] -signature = E9 C5 02 00 00 EB 02 83 3D 58 EB 02 FF 1D 5B EB 02 0F C7 5F -ep_only = true - -[CodeCrypt v0.15b] -signature = E9 31 03 00 00 EB 02 83 3D 58 EB 02 FF 1D 5B EB 02 0F C7 5F -ep_only = true - -[CodeCrypt v0.16b - v0.163b] -signature = E9 2E 03 00 00 EB 02 83 3D 58 EB 02 FF 1D 5B EB 02 0F C7 5F -ep_only = true - -[CodeCrypt v0.164] -signature = E9 2E 03 00 00 EB 02 83 3D 58 EB 02 FF 1D 5B EB 02 0F C7 5F EB 03 FF 1D 34 -ep_only = true - -[Code-Lock vx.x] -signature = 43 4F 44 45 2D 4C 4F 43 4B 2E 4F 43 58 00 -ep_only = true - -[CodeSafe v2.0] -signature = ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 83 EC 10 53 56 57 E8 C4 01 00 -ep_only = true - -[CopyControl v3.03] -signature = CC 90 90 EB 0B 01 50 51 52 53 54 61 33 61 2D 35 CA D1 07 52 D1 A1 3C -ep_only = true - -[CreateInstall Stub vx.x] -signature = 55 8B EC 81 EC 20 02 00 00 53 56 57 6A 00 FF 15 18 61 40 00 68 00 70 40 00 89 45 08 FF 15 14 61 40 00 85 C0 74 27 6A 00 A1 00 20 40 00 50 FF 15 3C 61 40 00 8B F0 6A 06 56 FF 15 38 61 40 00 6A 03 56 FF 15 38 61 40 00 E9 36 03 00 00 68 02 7F 00 00 33 F6 56 BF 00 30 00 00 FF 15 20 61 40 00 50 FF 15 2C 61 40 00 6A 04 57 68 00 FF 01 00 56 FF 15 CC 60 40 00 6A 04 A3 CC 35 40 00 57 68 00 0F 01 00 56 FF 15 CC 60 40 00 68 00 01 00 00 BE B0 3F 40 00 56 A3 C4 30 40 00 FF 75 08 FF 15 10 61 40 00 -ep_only = true - -[Crunch/PE] -signature = 55 E8 ?? ?? ?? ?? 5D 83 ED 06 8B C5 55 60 89 AD ?? ?? ?? ?? 2B 85 -ep_only = true - -[Crunch/PE v1.0.x.x] -signature = 55 E8 ?? ?? ?? ?? 5D 83 ED 06 8B C5 55 60 89 AD ?? ?? ?? ?? 2B 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 80 BD ?? ?? ?? ?? ?? 75 09 C6 85 -ep_only = true - -[Crunch/PE v2.0.x.x] -signature = 55 E8 ?? ?? ?? ?? 5D 83 ED 06 8B C5 55 60 89 AD ?? ?? ?? ?? 2B 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 55 BB ?? ?? ?? ?? 03 DD 53 64 67 FF 36 ?? ?? 64 67 89 26 -ep_only = true - -[Crunch/PE v3.0.x.x] -signature = EB 10 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 55 E8 ?? ?? ?? ?? 5D 81 ED 18 ?? ?? ?? 8B C5 55 60 9C 2B 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? FF 74 -ep_only = true - -[Crunch v4.0] -signature = EB 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 E8 00 00 00 00 5D 81 ED 18 00 00 00 8B C5 55 60 9C 2B 85 E9 06 00 00 89 85 E1 06 00 00 FF 74 24 2C E8 BB 01 00 00 0F 82 92 05 00 00 E8 F1 03 00 00 49 0F 88 86 05 00 00 68 6C D9 B2 96 33 C0 50 E8 24 03 00 00 89 85 D9 41 00 00 68 EC 49 7B 79 33 C0 50 E8 11 03 00 00 89 85 D1 41 00 00 E8 67 05 00 00 E9 56 05 00 00 51 52 53 33 C9 49 8B D1 33 C0 33 DB AC 32 C1 8A CD 8A EA 8A D6 B6 08 66 D1 EB 66 D1 D8 73 09 66 35 20 83 66 81 F3 B8 ED FE CE 75 EB 33 C8 33 D3 4F 75 D5 F7 D2 F7 D1 5B 8B C2 C1 C0 10 66 8B C1 5A 59 C3 68 03 02 00 00 E8 80 04 00 00 0F 82 A8 02 00 00 96 8B 44 24 04 0F C8 8B D0 25 0F 0F 0F 0F 33 D0 C1 C0 08 0B C2 8B D0 25 33 33 33 33 33 D0 C1 C0 04 0B C2 8B D0 25 55 55 55 55 33 D0 C1 C0 02 0B C2 -ep_only = true - -[CrypKey v5 - v6] -signature = E8 ?? ?? ?? ?? 58 83 E8 05 50 5F 57 8B F7 81 EF ?? ?? ?? ?? 83 C6 39 BA ?? ?? ?? ?? 8B DF B9 0B ?? ?? ?? 8B 06 -ep_only = true - -[CrypWrap vx.x] -signature = E8 B8 ?? ?? ?? E8 90 02 ?? ?? 83 F8 ?? 75 07 6A ?? E8 ?? ?? ?? ?? FF 15 49 8F 40 ?? A9 ?? ?? ?? 80 74 0E -ep_only = true - -[CICompress v1.0] -signature = 6A 04 68 00 10 00 00 FF 35 9C 14 40 00 6A 00 FF 15 38 10 40 00 A3 FC 10 40 00 97 BE 00 20 40 00 E8 71 00 00 00 3B 05 9C 14 40 00 75 61 6A 00 6A 20 6A 02 6A 00 6A 03 68 00 00 00 C0 68 94 10 40 00 FF 15 2C 10 40 00 A3 F8 10 40 00 6A 00 68 F4 10 40 00 FF 35 9C 14 40 00 FF 35 FC 10 40 00 FF 35 F8 10 40 00 FF 15 34 10 40 00 FF 35 F8 10 40 00 FF 15 30 10 40 00 68 00 40 00 00 FF 35 9C 14 40 00 FF 35 FC 10 40 00 FF 15 3C 10 40 00 6A 00 FF 15 28 10 40 00 60 33 DB 33 C9 E8 7F 00 00 00 73 0A B1 08 E8 82 00 00 00 AA EB EF E8 6E 00 00 00 73 14 B1 04 E8 71 00 00 00 3C 00 74 EB 56 8B F7 2B F0 A4 5E EB D4 33 ED E8 51 00 00 00 72 10 B1 02 E8 54 00 00 00 3C 00 74 3B 8B E8 C1 C5 08 B1 08 E8 44 00 00 00 0B C5 50 33 ED E8 2E 00 00 00 72 0C B1 02 E8 31 00 00 00 8B E8 C1 C5 08 -ep_only = true - -[CipherWall Self-Extrator/Decryptor (GUI) v1.5] -signature = 90 61 BE 00 10 42 00 8D BE 00 00 FE FF C7 87 C0 20 02 00 F9 89 C7 6A 57 83 CD FF EB 0E 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 31 C9 83 E8 03 72 0D C1 E0 08 8A 06 46 83 F0 FF 74 74 89 C5 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C9 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C9 75 20 41 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C9 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 83 C1 02 81 FD 00 F3 FF FF 83 D1 01 8D 14 2F 83 FD FC 76 0F 8A 02 42 88 07 47 49 75 F7 E9 63 FF FF FF 90 8B 02 83 C2 04 89 07 83 C7 04 83 E9 04 77 F1 01 CF E9 4C FF FF FF 5E 89 F7 B9 52 10 00 00 8A 07 47 2C E8 3C 01 77 F7 80 3F 0E 75 F2 8B 07 8A 5F 04 66 C1 E8 08 C1 C0 10 86 C4 -ep_only = true - -[CipherWall Self-Extrator/Decryptor (Console) v1.5] -signature = 90 61 BE 00 10 42 00 8D BE 00 00 FE FF C7 87 C0 20 02 00 0B 6E 5B 9B 57 83 CD FF EB 0E 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 31 C9 83 E8 03 72 0D C1 E0 08 8A 06 46 83 F0 FF 74 74 89 C5 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C9 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C9 75 20 41 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C9 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 83 C1 02 81 FD 00 F3 FF FF 83 D1 01 8D 14 2F 83 FD FC 76 0F 8A 02 42 88 07 47 49 75 F7 E9 63 FF FF FF 90 8B 02 83 C2 04 89 07 83 C7 04 83 E9 04 77 F1 01 CF E9 4C FF FF FF 5E 89 F7 B9 12 10 00 00 8A 07 47 2C E8 3C 01 77 F7 80 3F 06 75 F2 8B 07 8A 5F 04 66 C1 E8 08 C1 C0 10 86 C4 -ep_only = true - -[DAEMON Protect v0.6.7] -signature = 60 60 9C 8C C9 32 C9 E3 0C 52 0F 01 4C 24 FE 5A 83 C2 0C 8B 1A 9D 61 -ep_only = true - -[DEF v1.0] -signature = BE ?? 01 40 00 6A 05 59 80 7E 07 00 74 11 8B 46 -ep_only = true - -[Ding Boy's PE-lock v0.07] -signature = 55 57 56 52 51 53 E8 00 00 00 00 5D 8B D5 81 ED 23 35 40 00 -ep_only = true - -[Ding Boy's PE-lock Phantasm v0.8] -signature = 55 57 56 52 51 53 E8 00 00 00 00 5D 8B D5 81 ED 0D 39 40 00 -ep_only = true - -[Ding Boy's PE-lock Phantasm v1.0 / v1.1] -signature = 55 57 56 52 51 53 66 81 C3 EB 02 EB FC 66 81 C3 EB 02 EB FC -ep_only = true - -[Ding Boy's PE-lock Phantasm v1.5b3] -signature = 9C 55 57 56 52 51 53 9C FA E8 00 00 00 00 5D 81 ED 5B 53 40 00 B0 -ep_only = true - -[DBPE v1.53] -signature = 9C 55 57 56 52 51 53 9C FA E8 ?? ?? ?? ?? 5D 81 ED 5B 53 40 ?? B0 ?? E8 ?? ?? ?? ?? 5E 83 C6 11 B9 27 ?? ?? ?? 30 06 46 49 75 FA -ep_only = true - -[DBPE v2.10] -signature = 9C 6A 10 73 0B EB 02 C1 51 E8 06 ?? ?? ?? C4 11 73 F7 5B CD 83 C4 04 EB 02 99 EB FF 0C 24 71 01 E8 79 E0 7A 01 75 83 C4 04 9D EB 01 75 68 5F 20 40 ?? E8 B0 EF FF FF 72 03 73 01 75 BE -ep_only = true - -[DBPE v2.10] -signature = EB 20 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9C 55 57 56 52 51 53 9C E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? EB 58 75 73 65 72 33 32 2E 64 6C 6C ?? 4D 65 73 73 61 67 65 42 6F 78 41 ?? 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C ?? 53 6C 65 65 70 ?? 47 65 74 54 69 63 6B 43 6F 75 6E 74 -ep_only = true - -[DBPE v2.33] -signature = EB 20 ?? ?? 40 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9C 55 57 56 52 51 53 9C E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? 9C 6A 10 73 0B EB 02 C1 51 E8 06 ?? ?? ?? C4 11 73 F7 5B CD 83 C4 04 EB 02 99 EB FF 0C 24 71 01 E8 79 E0 7A 01 75 83 -ep_only = true - -[DBPE vx.xx] -signature = EB 20 ?? ?? 40 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9C 55 57 56 52 51 53 9C E8 ?? ?? ?? ?? 5D 81 ED -ep_only = true - -[DxPack 1.0] -signature = 60 E8 ?? ?? ?? ?? 5D 8B FD 81 ED ?? ?? ?? ?? 2B B9 ?? ?? ?? ?? 81 EF ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 0F 84 -ep_only = true - -[EP v1.0] -signature = 50 83 C0 17 8B F0 97 33 C0 33 C9 B1 24 AC 86 C4 AC AA 86 C4 AA E2 F6 00 B8 40 00 03 00 3C 40 D2 33 8B 66 14 50 70 8B 8D 34 02 44 8B 18 10 48 70 03 BA 0C ?? ?? ?? ?? C0 33 FE 8B 30 AC 30 D0 C1 F0 10 C2 D0 30 F0 30 C2 C1 AA 10 42 42 CA C1 E2 04 5F E9 5E B1 C0 30 ?? 68 ?? ?? F3 00 C3 AA -ep_only = true - -[EP v2.0] -signature = 6A ?? 60 E9 01 01 -ep_only = true - -[ExeBundle v3.0 (standard loader)] -signature = 00 00 00 00 60 BE 00 B0 42 00 8D BE 00 60 FD FF C7 87 B0 E4 02 00 31 3C 4B DF 57 83 CD FF EB 0E 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB -ep_only = true - -[ExeBundle v3.0 (small loader)] -signature = 00 00 00 00 60 BE 00 F0 40 00 8D BE 00 20 FF FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 -ep_only = true - -[Exe Shield vx.x] -signature = 65 78 65 73 68 6C 2E 64 6C 6C C0 5D 00 -ep_only = true - -[Exe Shield v1.7] -signature = EB 06 68 90 1F 06 00 C3 9C 60 E8 02 00 00 00 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 3F 90 -ep_only = true - -[Exe Shield v2.7] -signature = EB 06 68 F4 86 06 00 C3 9C 60 E8 02 00 00 -ep_only = true - -[Exe Shield v2.7b] -signature = EB 06 68 40 85 06 00 C3 9C 60 E8 02 00 00 00 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 3F 90 40 00 87 DD 8B 85 E6 90 40 00 01 85 33 90 40 00 66 C7 85 30 90 40 00 90 90 01 85 DA 90 40 00 01 85 DE 90 40 00 01 85 E2 90 40 00 BB 7B 11 00 00 03 9D EA 90 40 00 03 9D E6 90 40 00 53 8B C3 8B FB 2D AC 90 40 00 89 85 AD 90 40 00 8D B5 AC 90 40 00 B9 40 04 00 00 F3 A5 8B FB C3 BD 00 00 00 00 8B F7 83 C6 54 81 C7 FF 10 00 00 56 57 57 56 FF 95 DA 90 40 00 8B C8 5E 5F 8B C1 C1 F9 02 F3 A5 03 C8 83 E1 03 F3 A4 EB 26 D0 12 5B 00 AC 12 5B 00 48 12 5B 00 00 00 40 00 00 D0 5A 00 00 10 5B 00 87 DB 87 DB 87 DB 87 DB 87 DB 87 DB 87 DB 8B 0E B5 E6 90 40 07 56 03 76 EE 0F 18 83 C6 14 12 35 97 80 8D BD 63 39 0D B9 06 86 02 07 F3 A5 6A 04 68 06 10 12 1B FF B5 51 29 EE 10 22 95 -ep_only = true - -[Exe Shield v2.9] -signature = 60 E8 00 00 00 00 5D 81 ED 0B 20 40 00 B9 EB 08 00 00 8D BD 53 20 40 00 8B F7 AC ?? ?? ?? F8 -ep_only = true - -[EXE Stealth v1.1] -signature = 60 E8 00 00 00 00 5D 81 ED FB 1D 40 00 B9 7B 09 00 00 8B F7 AC -ep_only = true - -[EXE Stealth v2.7] -signature = EB 00 60 EB 00 E8 00 00 00 00 5D 81 ED D3 26 40 -ep_only = true - -[EXE Stealth v2.71] -signature = EB 00 60 EB 00 E8 00 00 00 00 5D 81 ED B0 27 40 -ep_only = true - -[EXE Stealth v2.72] -signature = EB 00 EB 2F 53 68 61 72 65 77 61 72 65 20 2D 20 -ep_only = true - -[EXE Stealth v2.74 -> WebToolMaster] -signature = EB 00 EB 17 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 60 90 E8 00 00 00 00 5D -ep_only = true - -[EXE32Pack v1.36] -signature = 3B C0 74 02 81 83 55 3B C0 74 02 81 83 53 3B C9 74 01 BC ?? ?? ?? ?? 02 81 ?? ?? ?? ?? ?? ?? ?? 3B DB 74 01 BE 5D 8B D5 81 ED CC 8D 40 -ep_only = true - -[EXE32Pack v1.37] -signature = 3B C0 74 02 81 83 55 3B C0 74 02 81 83 53 3B C9 74 01 BC ?? ?? ?? ?? 02 81 ?? ?? ?? ?? ?? ?? ?? 3B DB 74 01 BE 5D 8B D5 81 ED 4C 8E 40 -ep_only = true - -[EXE32Pack v1.38] -signature = 3B C0 74 02 81 83 55 3B C0 74 02 81 83 53 3B C9 74 01 BC ?? ?? ?? ?? 02 81 ?? ?? ?? ?? ?? ?? ?? 3B DB 74 01 BE 5D 8B D5 81 ED DC 8D 40 -ep_only = true - -[EXE32Pack v1.39] -signature = 3B C0 74 02 81 83 55 3B C0 74 02 81 83 53 3B C9 74 01 BC ?? ?? ?? ?? 02 81 ?? ?? ?? ?? ?? ?? ?? 3B DB 74 01 BE 5D 8B D5 81 ED EC 8D 40 -ep_only = true - -[EXE32Pack v1.3x] -signature = 3B ?? 74 02 81 83 55 3B ?? 74 02 81 ?? 53 3B ?? 74 01 ?? ?? ?? ?? ?? 02 81 ?? ?? E8 ?? ?? ?? ?? 3B 74 01 ?? 5D 8B D5 81 ED -ep_only = true - -[EXECryptor v1.3.0.45] -signature = E8 24 ?? ?? ?? 8B 4C 24 0C C7 01 17 ?? 01 ?? C7 81 ?? ?? ?? ?? ?? ?? ?? 31 C0 89 41 14 89 41 18 80 A1 -ep_only = true - -[EXECryptor v1.3.0.45] -signature = E8 24 00 00 00 8B 4C 24 0C C7 01 17 00 01 00 C7 81 ?? ?? ?? ?? ?? ?? ?? 31 C0 89 41 14 89 41 18 80 A1 -ep_only = true - -[EXECryptor v1.4.0.1] -signature = E8 24 00 00 00 8B 4C 24 0C C7 01 17 00 01 00 C7 81 B8 00 00 00 00 ?? ?? 00 31 C0 89 41 14 89 41 18 80 -ep_only = true - -[EXECryptor v1.5.1.x] -signature = E8 24 ?? ?? ?? 8B 4C 24 0C C7 01 17 ?? 01 ?? C7 81 B8 ?? ?? ?? ?? ?? ?? ?? 31 C0 89 41 14 89 41 18 80 A1 C1 ?? ?? ?? FE C3 31 C0 64 FF 30 64 89 20 CC C3 -ep_only = true - -[EXECryptor vx.x.x.x] -signature = E8 24 ?? ?? ?? 8B 4C 24 0C C7 01 17 ?? 01 ?? C7 81 B8 ?? ?? ?? ?? ?? ?? ?? 31 C0 89 41 -ep_only = true - -[EXEJoiner v1.0] -signature = 68 00 10 40 00 68 04 01 00 00 E8 39 03 00 00 05 00 10 40 C6 00 5C 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A 00 E8 -ep_only = true - -[ExeSmasher vx.x] -signature = 9C FE 03 ?? 60 BE ?? ?? 41 ?? 8D BE ?? 10 FF FF 57 83 CD FF EB 10 -ep_only = true - -[EZIP v1.0] -signature = E9 19 32 00 00 E9 7C 2A 00 00 E9 19 24 00 00 E9 FF 23 00 00 E9 1E 2E 00 00 E9 88 2E 00 00 E9 2C -ep_only = true - -[FSG v1.0] -signature = BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? ?? 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 FC B2 80 A4 6A 02 5B -ep_only = true - -[FSG v1.1] -signature = BB D0 01 40 ?? BF ?? 10 40 ?? BE ?? ?? ?? ?? FC B2 80 8A 06 46 88 07 47 02 D2 75 05 8A 16 -ep_only = true - -[FSG v1.2] -signature = 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 ?? 00 00 00 00 00 -ep_only = true - -[FSG v1.3] -signature = BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? ?? 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 B2 80 A4 6A 02 5B FF 14 24 73 F7 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 21 B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3F AA EB DC E8 43 00 00 00 2B CB 75 10 E8 38 00 00 00 EB 28 AC D1 E8 74 41 13 C9 EB 1C 91 48 C1 E0 08 AC E8 22 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B3 01 56 8B F7 2B F0 F3 A4 5E EB 96 33 C9 41 FF 54 24 04 13 C9 FF 54 24 04 72 F4 C3 5F 5B 0F B7 3B 4F 74 08 4F 74 13 C1 E7 0C EB 07 8B 7B 02 57 83 C3 04 43 43 E9 52 FF FF FF 5F BB ?? ?? ?? ?? 47 8B 37 AF 57 FF 13 95 33 C0 AE 75 FD FE 0F 74 EF FE -ep_only = true - -[FSG v1.31] -signature = BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? ?? 53 BB ?? ?? ?? ?? B2 80 A4 B6 80 FF D3 73 F9 33 C9 -ep_only = true - -[FSG v1.33] -signature = BE A4 01 40 00 AD 93 AD 97 AD 56 96 B2 80 A4 B6 80 FF 13 73 -ep_only = true - -[Feokt] -signature = 89 25 A8 11 40 00 BF ?? ?? ?? 00 31 C0 B9 ?? ?? ?? 00 29 F9 FC F3 AA ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? 00 00 BE ?? ?? 40 00 BF -ep_only = true - -[FixupPak v1.20] -signature = 55 E8 00 00 00 00 5D 81 ED ?? ?? 00 00 BE 00 ?? 00 00 03 F5 BA 00 00 ?? ?? 2B D5 8B DD 33 C0 AC 3C 00 74 3D 3C 01 74 0E 3C 02 74 0E 3C 03 74 0D 03 D8 29 13 EB E7 66 AD EB F6 AD EB F3 AC 0F B6 C8 3C 00 74 06 3C 01 74 09 EB 0A 66 AD 0F B7 C8 EB 03 AD 8B C8 AC 0F B6 C0 03 D8 29 13 E2 FA EB BC 8D 85 ?? ?? 00 00 5D FF E0 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -ep_only = true - -[Gleam v1.00] -signature = ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 83 EC 0C 53 56 57 E8 24 02 00 -ep_only = true - -[Guardant Stealth aka Novex Dongle] -signature = 55 8B EC 83 C4 F0 60 E8 51 FF FF FF -ep_only = true - -[Hasp dongle (Alladin)] -signature = 50 53 51 52 57 56 8B 75 1C 8B 3E ?? ?? ?? ?? ?? 8B 5D 08 8A FB ?? ?? 03 5D 10 8B 45 0C 8B 4D 14 8B 55 18 80 FF 32 -ep_only = true - -[Hasp 4 envelope dongle (Alladin)] -signature = 10 02 D0 51 0F 00 83 -ep_only = true - -[Hardlock dongle (Alladin)] -signature = 5C 5C 2E 5C 48 41 52 44 4C 4F 43 4B 2E 56 58 44 00 00 00 00 5C 5C 2E 5C 46 45 6E 74 65 44 65 76 -ep_only = true - -[Inno Setup Module] -signature = 49 6E 6E 6F 53 65 74 75 70 4C 64 72 57 69 6E 64 6F 77 00 00 53 54 41 54 49 43 -ep_only = true - -[Inno Setup Module] -signature = 49 6E 6E 6F -ep_only = true - -[Inno Setup Module v1.09a] -signature = 55 8B EC 83 C4 C0 53 56 57 33 C0 89 45 F0 89 45 C4 89 45 C0 E8 A7 7F FF FF E8 FA 92 FF FF E8 F1 B3 FF FF 33 C0 -ep_only = true - -[Inno Setup Module v1.2.9] -signature = 55 8B EC 83 C4 C0 53 56 57 33 C0 89 45 F0 89 45 EC 89 45 C0 E8 5B 73 FF FF E8 D6 87 FF FF E8 C5 A9 FF FF E8 E0 -ep_only = true - -[Install Stub 32-bit] -signature = 55 8B EC 81 EC 14 ?? 00 00 53 56 57 6A 00 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 74 29 -ep_only = true - -[InstallShield 2000] -signature = 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 C4 ?? 53 56 57 -ep_only = true - -[JDPack] -signature = 60 E8 ?? ?? ?? ?? 5D 8B D5 81 ED ?? ?? ?? ?? 2B 95 ?? ?? ?? ?? 81 EA 06 ?? ?? ?? 89 95 ?? ?? ?? ?? 83 BD 45 -ep_only = true - -[kryptor 3] -signature = EB 66 87 DB -ep_only = true - -[kryptor 5] -signature = E8 03 ?? ?? ?? E9 EB 6C 58 40 FF E0 -ep_only = true - -[kryptor 6] -signature = E8 03 ?? ?? ?? E9 EB 68 58 33 D2 74 02 E9 E9 40 42 75 02 -ep_only = true - -[kryptor 8] -signature = EB 6A 87 DB -ep_only = true - -[kryptor 9] -signature = 60 E8 ?? ?? ?? ?? 5E B9 ?? ?? ?? ?? 2B C0 02 04 0E D3 C0 49 79 F8 41 8D 7E 2C 33 46 ?? 66 B9 -ep_only = true - -[Krypton v0.2] -signature = 8B 0C 24 E9 0A 7C 01 ?? AD 42 40 BD BE 9D 7A 04 -ep_only = true - -[Krypton v0.3] -signature = 8B 0C 24 E9 C0 8D 01 ?? C1 3A 6E CA 5D 7E 79 6D B3 64 5A 71 EA -ep_only = true - -[Krypton v0.4] -signature = 54 E8 ?? ?? ?? ?? 5D 8B C5 81 ED 61 34 ?? ?? 2B 85 60 37 ?? ?? 83 E8 06 -ep_only = true - -[Krypton v0.5] -signature = 54 E8 ?? ?? ?? ?? 5D 8B C5 81 ED 71 44 ?? ?? 2B 85 64 60 ?? ?? EB 43 DF -ep_only = true - -[KGCrypt vx.x] -signature = E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? 64 A1 30 ?? ?? ?? 84 C0 74 ?? 64 A1 20 ?? ?? ?? 0B C0 74 -ep_only = true - -[LameCrypt v1.0] -signature = 60 66 9C BB ?? ?? ?? ?? 80 B3 00 10 40 00 90 4B 83 FB FF 75 F3 66 9D 61 -ep_only = true - -[LTC v1.3] -signature = 54 E8 00 00 00 00 5D 8B C5 81 ED F6 73 40 00 2B 85 87 75 40 00 83 E8 06 -ep_only = true - -[Lockless Intro Pack] -signature = 2C E8 ?? ?? ?? ?? 5D 8B C5 81 ED F6 73 ?? ?? 2B 85 ?? ?? ?? ?? 83 E8 06 89 85 -ep_only = true - -[LaunchAnywhere v4.0.0.1] -signature = 55 89 E5 53 83 EC 48 55 B8 FF FF FF FF 50 50 68 E0 3E 42 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 68 C0 69 44 00 E8 E4 80 FF FF 59 E8 4E 29 00 00 E8 C9 0D 00 00 85 C0 75 08 6A FF E8 6E 2B 00 00 59 E8 A8 2C 00 00 E8 23 2E 00 00 FF 15 4C C2 44 00 89 C3 EB 19 3C 22 75 14 89 C0 8D 40 00 43 8A 03 84 C0 74 04 3C 22 75 F5 3C 22 75 01 43 8A 03 84 C0 74 0B 3C 20 74 07 3C 09 75 D9 EB 01 43 8A 03 84 C0 74 04 3C 20 7E F5 8D 45 B8 50 FF 15 E4 C1 44 00 8B 45 E4 25 01 00 00 00 74 06 0F B7 45 E8 EB 05 B8 0A 00 00 00 50 53 6A 00 6A 00 FF 15 08 C2 44 00 50 E8 63 15 FF FF 50 E8 EE 2A 00 00 59 8D 65 FC 5B -ep_only = true - -[Microsoft CAB SFX module] -signature = 55 8B EC 83 EC 44 56 FF 15 ?? 10 00 01 8B F0 8A 06 3C 22 75 14 8A 46 01 46 84 C0 74 04 3C 22 75 F4 80 3E 22 75 0D ?? EB 0A 3C 20 -ep_only = true - -[Macromedia Windows Flash Projector/Player v3.0] -signature = 55 8B EC 83 EC 44 56 FF 15 94 13 42 00 8B F0 B1 22 8A 06 3A C1 75 13 8A 46 01 46 3A C1 74 04 84 C0 75 F4 38 0E 75 0D 46 EB 0A 3C 20 7E 06 -ep_only = true - -[Macromedia Windows Flash Projector/Player v4.0] -signature = 83 EC 44 56 FF 15 24 41 43 00 8B F0 8A 06 3C 22 75 1C 8A 46 01 46 3C 22 74 0C 84 C0 74 08 8A 46 01 46 3C 22 75 F4 80 3E 22 75 0F 46 EB 0C -ep_only = true - -[Macromedia Windows Flash Projector/Player v5.0] -signature = 83 EC 44 56 FF 15 70 61 44 00 8B F0 8A 06 3C 22 75 1C 8A 46 01 46 3C 22 74 0C 84 C0 74 08 8A 46 01 46 3C 22 75 F4 80 3E 22 75 0F 46 EB 0C 3C 20 7E 08 8A 46 01 46 3C 20 7F F8 8A 06 84 C0 74 0C 3C 20 7F 08 8A 46 01 46 84 C0 75 F4 8D 44 24 04 C7 44 24 30 00 00 00 00 50 FF 15 80 61 44 00 F6 44 24 30 01 74 0B 8B 44 24 34 25 FF FF 00 00 EB 05 B8 0A 00 00 00 50 56 6A 00 6A 00 FF 15 74 61 44 00 50 E8 18 00 00 00 50 FF 15 78 61 44 00 5E 83 C4 44 C3 90 90 90 90 90 90 -ep_only = true - -[Macromedia Windows Flash Projector/Player v6.0] -signature = 83 EC 44 56 FF 15 24 81 49 00 8B F0 8A 06 3C 22 75 1C 8A 46 01 46 3C 22 74 0C 84 C0 74 08 8A 46 01 46 3C 22 75 F4 80 3E 22 75 0F 46 EB 0C -ep_only = true - -[Morphine v1.2] -signature = ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? 00 00 00 66 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 51 66 ?? ?? ?? 59 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E2 ?? ?? ?? ?? ?? 82 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 -ep_only = true - -[Morphine v1.2 (DLL)] -signature = ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 5B ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 -ep_only = true - -[Neolite v2.0] -signature = E9 A6 00 00 00 -ep_only = true - -[NeoLite vx.x] -signature = ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9E 37 00 00 ?? ?? 48 ?? ?? ?? 6F 4C ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 61 -ep_only = true - -[NeoLite v1.0] -signature = E9 9B 00 00 00 A0 -ep_only = true - -[NeoLite v1.0] -signature = 8B 44 24 04 8D 54 24 FC 23 05 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? 50 FF 25 -ep_only = true - -[NeoLite v2.00] -signature = E9 A6 -ep_only = true - -[NeoLite v2.00] -signature = 8B 44 24 04 23 05 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 04 FE 05 ?? ?? ?? ?? 0B C0 74 -ep_only = true - -[NeoLite v2.0] -signature = E9 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 4E 65 6F 4C 69 74 65 -ep_only = true - -[NFO v1.0] -signature = 8D 50 12 2B C9 B1 1E 8A 02 34 77 88 02 42 E2 F7 C8 8C -ep_only = true - -[NFO v1.x modified] -signature = 60 9C 8D 50 -ep_only = true - -[NoodleCrypt v2.0] -signature = EB 01 9A E8 3D 00 00 00 EB 01 9A E8 EB 01 00 00 EB 01 9A E8 2C 04 00 00 EB 01 -ep_only = true - -[Nullsoft Install System v1.xx] -signature = 55 8B EC 83 EC 2C 53 56 33 F6 57 56 89 75 DC 89 75 F4 BB A4 9E 40 00 FF 15 60 70 40 00 BF C0 B2 40 00 68 04 01 00 00 57 50 A3 AC B2 40 00 FF 15 4C 70 40 00 56 56 6A 03 56 6A 01 68 00 00 00 80 57 FF 15 9C 70 40 00 8B F8 83 FF FF 89 7D EC 0F 84 C3 00 00 00 56 56 56 89 75 E4 E8 C1 C9 FF FF 8B 1D 68 70 40 00 83 C4 0C 89 45 E8 89 75 F0 6A 02 56 6A FC 57 FF D3 89 45 FC 8D 45 F8 56 50 8D 45 E4 6A 04 50 57 FF 15 48 70 40 00 85 C0 75 07 BB 7C 9E 40 00 EB 7A 56 56 56 57 FF D3 39 75 FC 7E 62 BF 74 A2 40 00 B8 00 10 00 00 39 45 FC 7F 03 8B 45 FC 8D 4D F8 56 51 50 57 FF 75 EC FF 15 48 70 40 00 85 C0 74 5A FF 75 F8 57 FF 75 E8 E8 4D C9 FF FF 89 45 E8 8B 45 F8 29 45 FC 83 C4 0C 39 75 F4 75 11 57 E8 D3 F9 FF FF 85 C0 59 74 06 8B 45 F0 89 45 F4 8B 45 F8 01 45 F0 39 75 FC -ep_only = true - -[Nullsoft Install System v1.xx] -signature = 83 EC 0C 53 56 57 FF 15 20 71 40 00 05 E8 03 00 00 BE 60 FD 41 00 89 44 24 10 B3 20 FF 15 28 70 40 00 68 00 04 00 00 FF 15 28 71 40 00 50 56 FF 15 08 71 40 00 80 3D 60 FD 41 00 22 75 08 80 C3 02 BE 61 FD 41 00 8A 06 8B 3D F0 71 40 00 84 C0 74 0F 3A C3 74 0B 56 FF D7 8B F0 8A 06 84 C0 75 F1 80 3E 00 74 05 56 FF D7 8B F0 89 74 24 14 80 3E 20 75 07 56 FF D7 8B F0 EB F4 80 3E 2F 75 -ep_only = true - -[Nullsoft Install System v1.98] -signature = 83 EC 0C 53 56 57 FF 15 2C 81 40 -ep_only = true - -[Nullsoft Install System v2.0b2, v2.0b3] -signature = 83 EC 0C 53 55 56 57 FF 15 ?? 70 40 00 8B 35 ?? 92 40 00 05 E8 03 00 00 89 44 24 14 B3 20 FF 15 2C 70 40 00 BF 00 04 00 00 68 ?? ?? ?? 00 57 FF 15 ?? ?? 40 00 57 FF 15 -ep_only = true - -[Nullsoft PIMP Install System v1.3x] -signature = 55 8B EC 81 EC ?? ?? 00 00 56 57 6A ?? BE ?? ?? ?? ?? 59 8D BD -ep_only = true - -[Nullsoft PIMP Install System v1.x] -signature = 83 EC 5C 53 55 56 57 FF 15 ?? ?? ?? 00 -ep_only = true - -[NX PE Packer v1.0] -signature = FF 60 FF CA FF 00 BA DC 0D E0 40 00 50 00 60 00 70 00 80 00 -ep_only = true - -[Obsidium v1.1.1.1] -signature = EB 02 ?? ?? E8 E7 1C 00 00 -ep_only = true - -[Obsidium v1.0.0.59 Final] -signature = E8 AB 1C -ep_only = true - -[Obsidium v1.0.0.61] -signature = E8 AF 1C 00 00 -ep_only = true - -[Obsidium vx.x.x.x] -signature = E8 47 19 -ep_only = true - -[ORiEN v2.11 (DEMO)] -signature = E9 5D 01 00 00 CE D1 CE CE 0D 0A 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 0D 0A 2D 20 4F 52 69 45 4E 20 65 78 65 63 75 74 61 62 6C 65 20 66 69 6C 65 73 20 70 72 6F 74 65 63 74 69 6F 6E 20 73 79 73 74 65 6D 20 2D 0D 0A 2D 2D 2D 2D 2D 2D 20 43 72 65 61 74 65 64 20 62 79 20 41 2E 20 46 69 73 75 6E 2C 20 31 39 39 34 2D 32 30 30 33 20 2D 2D 2D 2D 2D 2D 0D 0A 2D 2D 2D 2D 2D 2D 2D 20 57 57 57 3A 20 68 74 74 70 3A 2F 2F 7A 61 6C 65 78 66 2E 6E 61 72 6F 64 2E 72 75 2F 20 2D 2D 2D 2D 2D 2D 2D 0D 0A 2D 2D 2D 2D 2D 2D 2D 2D 20 65 2D 6D 61 69 6C 3A 20 7A 61 6C 65 78 66 40 68 6F 74 6D 61 69 6C 2E 72 75 20 2D 2D 2D 2D 2D 2D 2D 2D 2D 0D 0A 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D -ep_only = true - -[Pack Master v1.0] -signature = 60 E8 01 ?? ?? ?? E8 83 C4 04 E8 01 ?? ?? ?? E9 5D 81 ED D3 22 40 ?? E8 04 02 ?? ?? E8 EB 08 EB 02 CD 20 FF 24 24 9A 66 BE 47 46 -ep_only = true - -[PC PE Encryptor Alpha preview] -signature = 53 51 52 56 57 55 E8 00 00 00 00 5D 8B CD 81 ED 33 30 40 ?? 2B 8D EE 32 40 00 83 E9 0B 89 8D F2 32 40 ?? 80 BD D1 32 40 ?? 01 0F 84 -ep_only = true - -[PEEncrypt v4.0b (JunkCode)] -signature = 66 ?? ?? 00 66 83 ?? 00 -ep_only = true - -[PE Crypt v1.00/v1.01] -signature = E8 ?? ?? ?? ?? 5B 83 EB 05 EB 04 52 4E 44 21 EB 02 CD 20 EB -ep_only = true - -[PE Crypt v1.02] -signature = E8 ?? ?? ?? ?? 5B 83 EB 05 EB 04 52 4E 44 -ep_only = true - -[PE Crypt32 v1.02] -signature = E8 00 00 00 00 5B 83 ?? ?? EB ?? 52 4E 44 21 -ep_only = true - -[PE Crypt32 (Console v1.0, v1.01, v1.02)] -signature = E8 00 00 00 00 5B 83 EB 05 EB 04 52 4E 44 21 EB 02 CD 20 EB -ep_only = true - -[PE Intro v1.0] -signature = 8B 04 24 9C 60 E8 ?? ?? ?? ?? 5D 81 ED 0A 45 40 ?? 80 BD 67 44 40 ?? ?? 0F 85 48 -ep_only = true - -[PE Lock NT v2.01] -signature = EB 03 CD 20 EB EB 01 EB 1E EB 01 EB EB 02 CD 20 9C EB 03 CD -ep_only = true - -[PE Lock NT v2.02c] -signature = EB 02 C7 85 1E EB 03 CD 20 EB EB 01 EB 9C EB 01 EB EB 02 CD -ep_only = true - -[PE Lock NT v2.03] -signature = EB 02 C7 85 1E EB 03 CD 20 C7 9C EB 02 69 B1 60 EB 02 EB 01 -ep_only = true - -[PE Lock NT v2.04] -signature = EB ?? CD ?? ?? ?? ?? ?? CD ?? ?? ?? ?? ?? EB ?? EB ?? EB ?? EB ?? CD ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 50 C3 -ep_only = true - -[PE Lock v1.06] -signature = 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 4B 45 -ep_only = true - -[PE Pack v0.99] -signature = 60 E8 ?? ?? ?? ?? 5D 83 ED 06 80 BD E0 04 ?? ?? 01 0F 84 F2 -ep_only = true - -[PE Pack v1.0] -signature = 74 ?? E9 -ep_only = true - -[PE Packer] -signature = FC 8B 35 70 01 40 ?? 83 EE 40 6A 40 68 ?? 30 10 -ep_only = true - -[PE Password v0.2 SMT/SMF] -signature = E8 04 ?? ?? ?? 8B EC 5D C3 33 C0 5D 8B FD 81 ED 33 26 40 ?? 81 EF ?? ?? ?? ?? 83 EF 05 89 AD 88 27 40 ?? 8D 9D 07 29 40 ?? 8D B5 62 28 40 ?? 46 80 -ep_only = true - -[PE Protect v0.9] -signature = 52 51 55 57 64 67 A1 30 00 85 C0 78 0D E8 ?? ?? ?? ?? 58 83 C0 07 C6 ?? C3 -ep_only = true - -[PC Shrinker v0.20] -signature = E8 E8 01 ?? ?? 60 01 AD B3 27 40 ?? 68 -ep_only = true - -[PC Shrinker v0.29] -signature = ?? BD ?? ?? ?? ?? 01 AD 55 39 40 ?? 8D B5 35 39 40 -ep_only = true - -[PC Shrinker v0.45] -signature = ?? BD ?? ?? ?? ?? 01 AD E3 38 40 ?? FF B5 DF 38 40 -ep_only = true - -[PC Shrinker v0.71] -signature = 9C 60 BD ?? ?? ?? ?? 01 AD 54 3A 40 ?? FF B5 50 3A 40 ?? 6A 40 FF 95 88 3A 40 ?? 50 50 2D ?? ?? ?? ?? 89 85 -ep_only = true - -[PC-Guard v3.03d, v3.05d] -signature = 55 50 E8 ?? ?? ?? ?? 5D EB 01 E3 60 E8 03 ?? ?? ?? D2 EB 0B 58 EB 01 48 40 EB 01 -ep_only = true - -[PC-Guard v4.05d, v4.10d, v4.15d] -signature = FC 55 50 E8 00 00 00 00 5D EB 01 -ep_only = true - -[PC-Guard v5.00d] -signature = FC 55 50 E8 00 00 00 00 5D 60 E8 03 00 00 00 83 EB 0E EB 01 0C 58 EB 01 35 40 EB 01 36 FF E0 0B 61 B8 30 D2 40 00 EB 01 E3 60 E8 03 00 00 00 D2 EB 0B 58 EB 01 48 40 EB 01 35 FF E0 E7 61 2B E8 9C EB 01 D5 9D EB 01 0B 58 60 E8 03 00 00 00 83 EB 0E EB 01 0C 58 EB 01 35 40 EB 01 36 FF E0 0B 61 89 85 E1 EA 41 00 9C EB 01 D5 9D EB 01 0B 58 EB 01 E3 60 E8 03 00 00 00 D2 EB 0B 58 EB 01 48 40 EB 01 35 FF E0 E7 61 89 85 F9 EA 41 00 9C EB 01 D5 9D EB 01 0B 89 9D E5 EA 41 00 60 E8 03 00 00 00 83 EB 0E EB 01 0C 58 EB 01 35 40 EB 01 36 FF E0 0B 61 89 8D E9 EA 41 00 EB 01 E3 60 E8 03 00 00 00 D2 EB 0B 58 EB 01 48 40 EB 01 35 FF E0 E7 61 89 95 ED EA 41 00 60 E8 03 00 00 00 83 EB 0E EB 01 0C 58 EB 01 35 40 EB 01 36 FF E0 0B 61 89 B5 F1 EA 41 00 9C EB 01 D5 9D EB 01 0B 89 -ep_only = true - -[PE-Crypter] -signature = 60 E8 00 00 00 00 5D EB 26 -ep_only = true - -[Pack Master v1.0] -signature = 60 E8 01 00 00 00 E8 83 C4 04 E8 01 00 00 00 E9 5D 81 ED D3 22 40 00 E8 04 02 00 00 E8 EB 08 EB 02 CD 20 FF 24 24 9A 66 BE 47 46 -ep_only = true - -[PEBundle v0.2 - v2.0x] -signature = 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB ?? ?? 40 ?? 87 DD 6A 04 68 ?? 10 ?? ?? 68 ?? 02 ?? ?? 6A ?? FF 95 -ep_only = true - -[PEBundle v2.0b5 - v2.3] -signature = 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB ?? ?? 40 ?? 87 DD 01 AD ?? ?? ?? ?? 01 AD -ep_only = true - -[PEBundle v2.44] -signature = 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB ?? ?? 40 ?? 87 DD 83 BD -ep_only = true - -[PECompact v0.90] -signature = EB 06 68 ?? ?? 40 00 C3 9C 60 BD ?? ?? 00 00 B9 02 00 00 00 B0 90 8D BD 7A 42 40 00 F3 AA 01 AD D9 43 40 00 FF B5 -ep_only = true - -[PECompact v0.92] -signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 BD ?? ?? ?? ?? B9 02 ?? ?? ?? B0 90 8D BD A5 4F 40 ?? F3 AA 01 AD 04 51 40 ?? FF B5 -ep_only = true - -[PECompact v0.94] -signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 ?? ?? ?? ?? 5D 55 58 81 ED ?? ?? ?? ?? 2B 85 ?? ?? ?? ?? 01 85 ?? ?? ?? ?? 50 B9 02 -ep_only = true - -[PECompact v0.971 - v0.976] -signature = EB 06 68 C3 9C 60 E8 5D 55 5B 81 ED 8B 85 01 85 66 C7 85 -ep_only = true - -[PECompact v0.977] -signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB A0 86 40 ?? 87 DD 8B 85 2A 87 -ep_only = true - -[PECompact v0.978] -signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 24 88 40 ?? 87 DD 8B 85 A9 88 -ep_only = true - -[PECompact v0.978.1] -signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 49 87 40 ?? 87 DD 8B 85 CE 87 -ep_only = true - -[PECompact v0.978.2] -signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB D1 84 40 ?? 87 DD 8B 85 56 85 -ep_only = true - -[PECompact v0.98] -signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB D7 84 40 ?? 87 DD 8B 85 5C 85 -ep_only = true - -[PECompact v0.99] -signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 2F 85 40 ?? 87 DD 8B 85 B4 85 -ep_only = true - -[PECompact v1.00] -signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB C4 84 40 ?? 87 DD 8B 85 49 85 -ep_only = true - -[PECompact v1.10b1] -signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 28 63 40 ?? 87 DD 8B 85 AD 63 -ep_only = true - -[PECompact v1.10b2] -signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 60 40 ?? 87 DD 8B 85 94 60 -ep_only = true - -[PECompact v1.10b3] -signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 60 40 ?? 87 DD 8B 85 95 60 40 ?? 01 85 03 60 40 ?? 66 C7 85 ?? 60 40 ?? 90 90 BB 95 -ep_only = true - -[PECompact v1.10b4] -signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 60 40 ?? 87 DD 8B 85 95 60 40 ?? 01 85 03 60 40 ?? 66 C7 85 ?? 60 40 ?? 90 90 BB 44 -ep_only = true - -[PECompact v1.10b5] -signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 60 40 ?? 87 DD 8B 85 95 60 40 ?? 01 85 03 60 40 ?? 66 C7 85 ?? 60 40 ?? 90 90 BB 49 -ep_only = true - -[PECompact v1.10b6] -signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 60 ?? 00 87 DD 8B 85 9A 60 40 ?? 01 85 03 60 40 ?? 66 C7 85 ?? 60 40 ?? 90 90 01 85 92 60 40 ?? BB B7 -ep_only = true - -[PECompact v1.10b7] -signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 60 40 ?? 87 DD 8B 85 9A 60 40 ?? 01 85 03 60 40 ?? 66 C7 85 ?? 60 40 ?? 90 90 01 85 92 60 40 ?? BB 14 -ep_only = true - -[PECompact v1.20 - v1.20.1] -signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 70 40 ?? 87 DD 8B 85 9A 70 40 -ep_only = true - -[PECompact v1.22] -signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 70 40 ?? 87 DD 8B 85 A6 70 40 ?? 01 85 03 70 40 ?? 66 C7 85 ?? 70 40 ?? 90 90 01 85 9E 70 40 ?? BB F3 08 -ep_only = true - -[PECompact v1.23b3 - v1.24.1] -signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 70 40 ?? 87 DD 8B 85 A6 70 40 ?? 01 85 03 70 40 ?? 66 C7 85 70 40 90 ?? 90 01 85 9E 70 40 BB ?? D2 08 -ep_only = true - -[PECompact v1.24.2 - v1.24.3] -signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 70 40 ?? 87 DD 8B 85 A6 70 40 ?? 01 85 03 70 40 ?? 66 C7 85 70 40 90 ?? 90 01 85 9E 70 40 BB ?? D2 09 -ep_only = true - -[PECompact v1.25] -signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 70 40 ?? 87 DD 8B 85 A6 70 40 ?? 01 85 03 70 40 ?? 66 C7 85 70 40 90 ?? 90 01 85 9E 70 40 BB ?? F3 0D -ep_only = true - -[PECompact v1.26b1 - v1.26b2] -signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 70 40 ?? 87 DD 8B 85 A6 70 40 ?? 01 85 03 70 40 ?? 66 C7 85 70 40 90 ?? 90 01 85 9E 70 40 BB ?? 05 0E -ep_only = true - -[PECompact v1.33] -signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 80 40 ?? 87 DD 8B 85 A6 80 40 ?? 01 85 03 80 40 ?? 66 C7 85 00 80 40 ?? 90 90 01 85 9E 80 40 ?? BB E8 0E -ep_only = true - -[PECompact v1.34 - v1.40b1] -signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 80 40 ?? 87 DD 8B 85 A6 80 40 ?? 01 85 03 80 40 ?? 66 C7 85 ?? 00 80 ?? 40 90 90 01 85 9E 80 ?? 40 BB F8 10 -ep_only = true - -[PECompact v1.40b2 - v1.40b4] -signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F A0 40 ?? 87 DD 8B 85 A6 A0 40 ?? 01 85 03 A0 40 ?? 66 C7 85 ?? A0 40 ?? 90 90 01 85 9E A0 40 ?? BB 86 11 -ep_only = true - -[PECompact v1.40b5 - v1.40b6] -signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F A0 40 ?? 87 DD 8B 85 A6 A0 40 ?? 01 85 03 A0 40 ?? 66 C7 85 ?? A0 40 ?? 90 90 01 85 9E A0 40 ?? BB 8A 11 -ep_only = true - -[PECompact v1.40 - v1.45] -signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F A0 40 ?? 87 DD 8B 85 A6 A0 40 ?? 01 85 03 A0 40 ?? 66 C7 85 ?? A0 40 ?? 90 90 01 85 9E A0 40 ?? BB C3 11 -ep_only = true - -[PECompact v1.46] -signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F A0 40 ?? 87 DD 8B 85 A6 A0 40 ?? 01 85 03 A0 40 ?? 66 C7 85 ?? A0 40 ?? 90 90 01 85 9E A0 40 ?? BB 60 12 -ep_only = true - -[PECompact v1.47 - v1.50] -signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F A0 40 ?? 87 DD 8B 85 A6 A0 40 ?? 01 85 03 A0 40 ?? 66 C7 85 ?? A0 40 ?? 90 90 01 85 9E A0 40 ?? BB 5B 12 -ep_only = true - -[PECompact v1.55] -signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 80 40 ?? 87 DD 8B 85 A2 80 40 ?? 01 85 03 80 40 ?? 66 C7 85 ?? 80 40 ?? 90 90 01 85 9E 80 40 ?? BB 2D 12 -ep_only = true - -[PECompact v1.56] -signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 90 40 ?? 87 DD 8B 85 A2 90 40 ?? 01 85 03 90 40 ?? 66 C7 85 ?? 90 40 ?? 90 90 01 85 9E 90 40 ?? BB 2D 12 -ep_only = true - -[PECompact v1.60 - v1.65] -signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 3F 80 40 ?? 87 DD 8B 85 D2 80 40 ?? 01 85 33 80 40 ?? 66 C7 85 ?? 80 40 ?? 90 90 01 85 CE 80 40 ?? BB BB 12 -ep_only = true - -[PECompact v1.66] -signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 3F 90 40 ?? 87 DD 8B 85 E6 90 40 ?? 01 85 33 90 40 ?? 66 C7 85 ?? 90 40 ?? 90 90 01 85 DA 90 40 ?? 01 85 DE 90 40 ?? 01 85 E2 90 40 ?? BB 5B 11 -ep_only = true - -[PECompact v1.67] -signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 3F 90 40 87 DD 8B 85 E6 90 40 01 85 33 90 40 66 C7 85 90 40 90 90 01 85 DA 90 40 01 85 DE 90 40 01 85 E2 90 40 BB 8B 11 -ep_only = true - -[PECompact v1.68 - v1.84] -signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 3F 90 40 87 DD 8B 85 E6 90 40 01 85 33 90 40 66 C7 85 90 40 90 90 01 85 DA 90 40 01 85 DE 90 40 01 85 E2 90 40 BB 7B 11 -ep_only = true - -[PECompact v1.4x+] -signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 -ep_only = true - -[PECompact v1.84] -signature = 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 -ep_only = true - -[PECompact v2.0 beta -> Jeremy Collake] -signature = B8 ?? ?? ?? ?? 05 ?? ?? ?? ?? 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 CC 90 90 90 90 -ep_only = true - -[PE Diminisher v0.1] -signature = 53 51 52 56 57 55 E8 00 00 00 00 5D 8B D5 81 ED A2 30 40 00 2B 95 91 33 40 00 81 EA 0B 00 00 00 89 95 9A 33 40 00 80 BD 99 33 40 00 00 74 -ep_only = true - -[PE Diminisher v0.1] -signature = 5D 8B D5 81 ED A2 30 40 ?? 2B 95 91 33 40 ?? 81 EA 0B ?? ?? ?? 89 95 9A 33 40 ?? 80 BD 99 -ep_only = true - -[PEncrypt v1.0] -signature = 60 9C BE 00 10 40 00 8B FE B9 28 03 00 00 BB 78 56 34 12 AD 33 C3 AB E2 FA 9D 61 -ep_only = true - -[PEncrypt v3.0] -signature = E8 00 00 00 00 5D 81 ED 05 10 40 00 8D B5 24 10 40 00 8B FE B9 0F 00 00 00 BB ?? ?? ?? ?? AD 33 C3 E2 FA -ep_only = true - -[PEncrypt v3.1] -signature = E9 ?? ?? ?? 00 F0 0F C6 -ep_only = true - -[PEnguinCrypt v1.0] -signature = B8 93 ?? ?? 00 55 50 67 64 FF 36 00 00 67 64 89 26 00 00 BD 4B 48 43 42 B8 04 00 00 00 CC 3C 04 75 04 90 90 C3 90 67 64 8F 06 00 00 58 5D BB 00 00 40 00 33 C9 33 C0 -ep_only = true - -[PENightMare v1.3] -signature = 60 E8 00 00 00 00 5D B9 ?? ?? ?? ?? 80 31 15 41 81 F9 -ep_only = true - -[PENightMare 2 Beta] -signature = 60 E9 ?? ?? ?? ?? EF 40 03 A7 07 8F 07 1C 37 5D 43 A7 04 B9 2C 3A -ep_only = true - -[PENinja] -signature = 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 -ep_only = true - -[PENinja modified] -signature = 5D 8B C5 81 ED B2 2C 40 00 2B 85 94 3E 40 00 2D 71 02 00 00 89 85 98 3E 40 00 0F B6 B5 9C 3E 40 00 8B FD -ep_only = true - -[PEMangle] -signature = 60 9C BE ?? ?? ?? ?? 8B FE B9 ?? ?? ?? ?? BB 44 52 4F 4C AD 33 C3 -ep_only = true - -[PESHiELD v0.1b MTE] -signature = E8 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? B9 1B 01 ?? ?? D1 -ep_only = true - -[PESHiELD v0.2 / v0.2b / v0.2b2] -signature = 60 E8 ?? ?? ?? ?? 41 4E 41 4B 49 4E 5D 83 ED 06 EB 02 EA 04 -ep_only = true - -[PESHiELD v0.25] -signature = 60 E8 2B 00 00 00 -ep_only = true - -[PESHiELD v0.251] -signature = 5D 83 ED 06 EB 02 EA 04 8D -ep_only = true - -[PEShit] -signature = B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 83 F9 00 7E 06 80 30 ?? 40 E2 F5 E9 ?? ?? ?? FF -ep_only = true - -[PE Spin v0.b] -signature = EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 72 C8 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 26 E8 01 00 00 00 EA 5A 33 C9 8B 95 68 20 40 00 8B 42 3C 03 C2 89 85 76 20 40 00 41 C1 E1 07 8B 0C 01 03 CA 8B 59 10 03 DA 8B 1B 89 9D 8A 20 40 00 8B 59 24 03 DA 8B 1B 89 9D 8E 20 40 00 53 8F 85 E2 1F 40 00 8D 85 92 20 40 00 6A 0C 5B 6A 17 59 30 0C 03 02 CB 4B 75 F8 40 8D 9D 41 8F 4E 00 50 53 81 2C 24 01 78 0E 00 FF B5 8A 20 40 00 C3 92 EB 15 68 BB ?? 00 00 00 B9 90 08 00 00 8D BD FF 20 40 00 4F 30 1C 39 FE CB E2 F9 68 1D 01 00 00 59 8D BD 2F 28 40 00 C0 0C 39 02 E2 FA 68 A0 20 40 00 50 01 6C 24 04 E8 BD 09 00 00 33 C0 0F 84 C0 08 00 -ep_only = true - -[PEtite v1.2] -signature = 9C 60 E8 CA ?? ?? ?? 03 ?? 04 ?? 05 ?? 06 ?? 07 ?? 08 -ep_only = true - -[PEtite v1.3] -signature = ?? ?? ?? ?? ?? 66 9C 60 50 8D 88 ?? F0 ?? ?? 8D 90 04 16 ?? ?? 8B DC 8B E1 68 ?? ?? ?? ?? 53 50 80 04 24 08 50 80 04 24 42 -ep_only = true - -[PEtite v1.4] -signature = ?? ?? ?? ?? ?? 66 9C 60 50 8B D8 03 00 68 54 BC 00 00 6A 00 FF 50 14 8B CC -ep_only = true - -[PEtite v1.4] -signature = 66 9C 60 50 8B D8 03 ?? 68 54 BC ?? ?? 6A ?? FF 50 14 8B CC -ep_only = true - -[PEtite v2.0] -signature = B8 ?? ?? ?? ?? 66 9C 60 50 8B D8 03 ?? 68 54 BC ?? ?? 6A ?? FF 50 18 8B CC 8D A0 54 BC ?? ?? 8B C3 8D 90 E0 15 ?? ?? 68 -ep_only = true - -[PEtite v2.1] -signature = B8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 64 FF 35 ?? ?? ?? ?? 64 89 25 ?? ?? ?? ?? 66 9C 60 50 -ep_only = true - -[PEtite v2.2] -signature = B8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 FF 35 ?? ?? ?? ?? 64 89 25 ?? ?? ?? ?? 66 9C 60 50 -ep_only = true - -[PEtite vx.x] -signature = B8 ?? ?? ?? ?? 66 9C 60 50 -ep_only = true - -[PEX v0.99] -signature = E9 F5 ?? ?? ?? 0D 0A C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 -ep_only = true - -[PEX v0.99] -signature = 60 E8 01 ?? ?? ?? ?? 83 C4 04 E8 01 ?? ?? ?? ?? 5D 81 -ep_only = true - -[PKLITE32 v1.1] -signature = 55 8B EC A1 ?? ?? ?? ?? 85 C0 74 09 B8 01 00 00 00 5D C2 0C 00 8B 45 0C 57 56 53 8B 5D 10 -ep_only = true - -[PKLITE32 v1.1] -signature = 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 00 00 00 00 E8 -ep_only = true - -[PKLITE32 v1.1] -signature = ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 50 4B 4C 49 54 45 33 32 20 43 6F 70 79 72 69 67 68 74 20 31 -ep_only = true - -[PKLITE32 1.1 -> PKWARE Inc.] -signature = 68 ?? ?? ?? 00 68 ?? ?? ?? 00 68 00 00 00 00 E8 ?? ?? ?? ?? E9 -ep_only = true - -[Private EXE v2.0a] -signature = 53 E8 00 00 00 00 5B 8B C3 2D -ep_only = true - -[Private EXE v2.0a] -signature = EB ?? CD ?? ?? ?? ?? ?? CD ?? ?? ?? ?? ?? EB ?? EB ?? EB ?? EB ?? CD ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 50 C3 -ep_only = true - -[Program Protector XP v1.0] -signature = E8 ?? ?? ?? ?? 58 83 D8 05 89 C3 81 C3 ?? ?? ?? ?? 8B 43 64 50 -ep_only = true - -[Protection Plus vx.x] -signature = 50 60 29 C0 64 FF 30 E8 ?? ?? ?? ?? 5D 83 ED 3C 89 E8 89 A5 14 ?? ?? ?? 2B 85 1C ?? ?? ?? 89 85 1C ?? ?? ?? 8D 85 27 03 ?? ?? 50 8B ?? 85 C0 0F 85 C0 ?? ?? ?? 8D BD 5B 03 ?? ?? 8D B5 43 03 ?? ?? E8 DD ?? ?? ?? 89 85 1F 03 ?? ?? 6A 40 68 ?? 10 ?? ?? 8B 85 28 ?? ?? ?? 50 6A -ep_only = true - -[RatPacker (Glue) stub] -signature = 40 20 FF 00 00 00 00 00 00 00 ?? BE 00 60 40 00 8D BE 00 B0 FF FF -ep_only = true - -[Shrinker v3.2] -signature = 83 3D ?? ?? ?? ?? ?? 55 8B EC 56 57 75 65 68 00 01 ?? ?? E8 ?? E6 FF FF 83 C4 04 8B 75 08 A3 ?? ?? ?? ?? 85 F6 74 1D 68 FF -ep_only = true - -[Shrinker v3.3] -signature = 83 3D ?? ?? ?? 00 00 55 8B EC 56 57 75 65 68 00 01 00 00 E8 -ep_only = true - -[Shrinker v3.4] -signature = 83 3D B4 ?? ?? ?? ?? 55 8B EC 56 57 75 6B 68 00 01 00 00 E8 ?? 0B 00 00 83 C4 04 8B 75 08 A3 B4 ?? ?? ?? 85 F6 74 23 83 7D 0C 03 77 1D 68 FF -ep_only = true - -[Shrink Wrap v1.4] -signature = 58 60 8B E8 55 33 F6 68 48 01 ?? ?? E8 49 01 ?? ?? EB -ep_only = true - -[SecuPack v1.5] -signature = 55 8B EC 83 C4 F0 53 56 57 33 C0 89 45 F0 B8 CC 3A 40 ?? E8 E0 FC FF FF 33 C0 55 68 EA 3C 40 ?? 64 FF 30 64 89 20 6A ?? 68 80 ?? ?? ?? 6A 03 6A ?? 6A 01 ?? ?? ?? 80 -ep_only = true - -[SmokesCrypt v1.2] -signature = 60 B8 ?? ?? ?? ?? B8 ?? ?? ?? ?? 8A 14 08 80 F2 ?? 88 14 08 41 83 F9 ?? 75 F1 -ep_only = true - -[Soft Defender v1.0 - v1.1] -signature = 74 07 75 05 19 32 67 E8 E8 74 1F 75 1D E8 68 39 44 CD ?? 59 9C 50 74 0A 75 08 E8 59 C2 04 ?? 55 8B EC E8 F4 FF FF FF 56 57 53 78 0F 79 0D E8 34 99 47 49 34 33 EF 31 34 52 47 23 68 A2 AF 47 01 59 E8 ?? ?? ?? ?? 58 05 BA 01 ?? ?? 03 C8 74 BE 75 BC E8 -ep_only = true - -[Soft Defender v1.1x -> Randy Li] -signature = 74 07 75 05 ?? ?? ?? ?? ?? 74 1F 75 1D ?? 68 ?? ?? ?? 00 59 9C 50 74 0A 75 08 ?? 59 C2 04 00 ?? ?? ?? E8 F4 FF FF FF ?? ?? ?? 78 0F 79 0D -ep_only = true - -[SoftSentry v2.11] -signature = 55 8B EC 83 EC ?? 53 56 57 E9 50 -ep_only = true - -[SoftSentry v3.0] -signature = 55 8B EC 83 EC ?? 53 56 57 E9 B0 06 -ep_only = true - -[SoftWrap] -signature = 52 53 51 56 57 55 E8 ?? ?? ?? ?? 5D 81 ED 36 ?? ?? ?? E8 ?? 01 ?? ?? 60 BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 5F -ep_only = true - -[Spalsher v1.0 - v3.0] -signature = 9C 60 8B 44 24 24 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? 50 E8 ED 02 ?? ?? 8C C0 0F 84 -ep_only = true - -[Special EXE Password Protector v1.0] -signature = 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 89 AD 8C 01 00 00 8B C5 2B 85 FE 75 00 00 89 85 3E 77 -ep_only = true - -[SPEC b2] -signature = 55 57 51 53 E8 ?? ?? ?? ?? 5D 8B C5 81 ED ?? ?? ?? ?? 2B 85 ?? ?? ?? ?? 83 E8 09 89 85 ?? ?? ?? ?? 0F B6 -ep_only = true - -[SPEC b3] -signature = 5B 53 50 45 43 5D E8 ?? ?? ?? ?? 5D 8B C5 81 ED 41 24 40 ?? 2B 85 89 26 40 ?? 83 E8 0B 89 85 8D 26 40 ?? 0F B6 B5 91 26 40 ?? 8B FD -ep_only = true - -[Stealth PE v1.1] -signature = BA ?? ?? ?? 00 FF E2 BA ?? ?? ?? 00 B8 ?? ?? ?? ?? 89 02 83 C2 03 B8 ?? ?? ?? ?? 89 02 83 C2 FD FF E2 -ep_only = true - -[Stone's PE Encryptor v1.0] -signature = 55 57 56 52 51 53 E8 ?? ?? ?? ?? 5D 8B D5 81 ED 63 3A 40 ?? 2B 95 C2 3A 40 ?? 83 EA 0B 89 95 CB 3A 40 ?? 8D B5 CA 3A 40 ?? 0F B6 36 -ep_only = true - -[Stone's PE Encryptor v1.13] -signature = 55 57 56 52 51 53 E8 ?? ?? ?? ?? 5D 8B D5 81 ED 97 3B 40 ?? 2B 95 2D 3C 40 ?? 83 EA 0B 89 95 36 3C 40 ?? 01 95 24 3C 40 ?? 01 95 28 -ep_only = true - -[Stone's PE Encryptor v2.0] -signature = 53 51 52 56 57 55 E8 ?? ?? ?? ?? 5D 81 ED 42 30 40 ?? FF 95 32 35 40 ?? B8 37 30 40 ?? 03 C5 2B 85 1B 34 40 ?? 89 85 27 34 40 ?? 83 -ep_only = true - -[SVK-Protector v1.11] -signature = 60 E8 ?? ?? ?? ?? 5D 81 ED 06 ?? ?? ?? 64 A0 23 -ep_only = true - -[SVK-Protector v1.051] -signature = 60 EB 03 C7 84 E8 EB 03 C7 84 9A E8 00 00 00 00 5D 81 ED 10 00 00 00 EB 03 C7 84 E9 64 A0 23 00 00 00 EB -ep_only = true - -[SVK-Protector v1.32] -signature = 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 EB 05 B8 06 36 42 00 64 A0 23 -ep_only = true - -[Symantec Visual Cafe v3.0] -signature = 64 8B 05 ?? ?? ?? ?? 55 8B EC 6A FF 68 ?? ?? 40 ?? 68 ?? ?? 40 ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 08 50 53 56 57 89 65 E8 C7 45 FC -ep_only = true - -[SOFTWrapper for Win9x/NT (Evaluation Version)] -signature = E8 00 00 00 00 5D 8B C5 2D ?? ?? ?? 00 50 81 ED 05 00 00 00 8B C5 2B 85 03 0F 00 00 89 85 03 0F 00 00 8B F0 03 B5 0B 0F 00 00 8B F8 03 BD 07 0F 00 00 83 7F 0C 00 74 2B 56 57 8B 7F 10 03 F8 8B 76 10 03 F0 83 3F 00 74 0C 8B 1E 89 1F 83 C6 04 83 C7 04 EB EF 5F 5E 83 C6 14 83 C7 14 EB D3 00 00 00 00 8B F5 81 C6 0D 0A 00 00 B9 0C 00 00 00 8B 85 03 0F 00 00 01 46 02 83 C6 06 E2 F8 E8 06 08 00 00 68 00 01 00 00 8D 85 DD 0D 00 00 50 6A 00 E8 95 09 00 00 8B B5 03 0F 00 00 66 81 3E 4D 5A 75 33 03 76 3C 81 3E 50 45 00 00 75 28 8B 46 28 03 85 03 0F 00 00 3B C5 74 1B 6A 30 E8 99 09 00 00 6A 30 8D 85 DD 0D 00 00 50 8D 85 2B 0F 00 00 E9 55 03 00 00 66 8B 85 9D 0A 00 00 F6 C4 80 74 31 E8 6A 07 00 00 0B C0 75 23 6A 40 E8 69 09 00 00 6A 40 8D 85 DD 0D 00 00 50 8B 9D 17 0F -ep_only = true - -[TASM / MASM] -signature = 6A 00 E8 ?? ?? 00 00 A3 ?? ?? 40 00 -ep_only = true - -[tElock v1.00] -signature = E9 E5 E2 FF FF -ep_only = true - -[tElock v0.41x] -signature = 66 8B C0 8D 24 24 EB 01 EB 60 EB 01 EB 9C E8 00 00 00 00 5E 83 C6 50 8B FE 68 78 01 ?? ?? 59 EB 01 EB AC 54 E8 03 ?? ?? ?? 5C EB 08 -ep_only = true - -[tElock v0.42] -signature = C1 EE 00 66 8B C9 EB 01 EB 60 EB 01 EB 9C E8 00 00 00 00 5E 83 C6 52 8B FE 68 79 01 59 EB 01 EB AC 54 E8 03 5C EB 08 -ep_only = true - -[tElock v0.51] -signature = C1 EE 00 66 8B C9 EB 01 EB 60 EB 01 EB 9C E8 00 00 00 00 5E 83 C6 5E 8B FE 68 79 01 59 EB 01 EB AC 54 E8 03 5C EB 08 -ep_only = true - -[tElock v0.4x - v0.5x] -signature = C1 EE 00 66 8B C9 EB 01 EB 60 EB 01 EB 9C E8 00 00 00 00 5E 83 C6 ?? 8B FE 68 79 01 ?? ?? 59 EB 01 -ep_only = true - -[tElock v0.60] -signature = E9 00 00 00 00 60 E8 00 00 00 00 58 83 C0 08 -ep_only = true - -[tElock v0.70] -signature = 60 E8 BD 10 00 00 C3 83 E2 00 F9 75 FA 70 -ep_only = true - -[tElock v0.71] -signature = 60 E8 ED 10 00 00 C3 83 -ep_only = true - -[tElock v0.71b2] -signature = 60 E8 44 11 00 00 C3 83 -ep_only = true - -[tElock v0.71b7] -signature = 60 E8 48 11 00 00 C3 83 -ep_only = true - -[tElock v0.80] -signature = 60 E8 F9 11 00 00 C3 83 -ep_only = true - -[tElock v0.7x - v0.84] -signature = 60 E8 00 00 C3 83 -ep_only = true - -[tElock v0.85f] -signature = 60 E8 02 00 00 00 CD 20 E8 00 00 00 00 5E 2B C9 58 74 02 -ep_only = true - -[tElock v0.90] -signature = ?? ?? E8 02 00 00 00 E8 00 E8 00 00 00 00 5E 2B -ep_only = true - -[tElock v0.92a] -signature = E9 7E E9 FF FF 00 -ep_only = true - -[tElock v0.95] -signature = E9 D5 E4 FF FF 00 -ep_only = true - -[tElock v0.96] -signature = E9 59 E4 FF FF 00 -ep_only = true - -[tElock v0.98] -signature = E9 25 E4 FF FF 00 00 00 ?? ?? ?? ?? 1E -ep_only = true - -[tElock v0.98b1] -signature = E9 25 E4 FF FF -ep_only = true - -[tElock v0.98b2] -signature = E9 1B E4 FF FF -ep_only = true - -[tElock v0.99] -signature = E9 ?? ?? FF FF 00 00 00 ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? 02 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 00 00 00 00 ?? ?? 02 00 00 00 00 00 ?? ?? 02 00 00 00 00 00 ?? ?? 02 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 ?? 00 00 00 00 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? 02 00 ?? ?? 02 00 ?? ?? 02 00 ?? ?? 02 00 77 ?? 02 00 ?? ?? 02 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? 00 00 00 00 00 00 ?? ?? ?? 00 00 ?? ?? 00 00 00 ?? 00 00 ?? ?? 00 ?? ?? 00 00 ?? ?? ?? 00 00 00 00 00 00 -ep_only = true - -[tElock 1.0 (private) -> tE!] -signature = E9 ?? ?? FF FF ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 6B 65 72 6E 65 6C 33 32 -ep_only = true - -[The Guard Library] -signature = 50 E8 ?? ?? ?? ?? 58 25 ?? F0 FF FF 8B C8 83 C1 60 51 83 C0 40 83 EA 06 52 FF 20 9D C3 -ep_only = true - -[Thinstall vx.x] -signature = B8 EF BE AD DE 50 6A ?? FF 15 10 19 40 ?? E9 AD FF FF FF -ep_only = true - -[UG2002 Cruncher v0.3b3] -signature = 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? E8 0D ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 58 -ep_only = true - -[UPX v0.51] -signature = 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 ?? ?? ?? FF 57 8D B0 D8 01 ?? ?? 83 CD FF 31 DB ?? ?? ?? ?? 01 DB 75 07 8B 1E 83 EE FC 11 DB 73 0B 8A 06 46 88 07 47 EB EB 90 -ep_only = true - -[UPX v0.60 - v0.61] -signature = 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 ?? ?? ?? FF 57 8D B0 E8 -ep_only = true - -[UPX v0.62] -signature = 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 ?? ?? ?? FF 57 66 81 87 ?? ?? ?? ?? ?? ?? 8D B0 F0 01 ?? ?? 83 CD FF 31 DB 90 90 90 EB 08 90 90 8A 06 46 88 07 47 01 DB 75 07 -ep_only = true - -[UPX v0.70] -signature = 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 ?? ?? ?? FF 57 66 81 87 ?? ?? ?? ?? ?? ?? 8D B0 EC 01 ?? ?? 83 CD FF 31 DB EB 07 90 8A 06 46 88 07 47 01 DB 75 07 -ep_only = true - -[UPX v0.71 - v0.72] -signature = 60 E8 00 00 00 00 83 CD FF 31 DB 5E 8D BE FA ?? ?? FF 57 66 81 87 ?? ?? ?? ?? ?? ?? 81 C6 B3 01 ?? ?? EB 0A ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07 -ep_only = true - -[UPX v0.89.6 - v1.02 / v1.05 - v1.22 DLL] -signature = 80 7C 24 08 01 0F 85 ?? ?? ?? 00 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF -ep_only = true - -[UPX v0.80 - v0.84] -signature = ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 ?? ?? ?? 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 77 EF 75 09 8B 1E 83 EE FC -ep_only = true - -[UPX v0.89.6 - v1.02 / v1.05 - v1.22] -signature = ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 ?? ?? ?? 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 ?? 75 ?? 8B 1E 83 EE FC -ep_only = true - -[UPX Custom] -signature = 90 90 90 90 90 90 8A 06 46 88 07 47 01 db -ep_only = true - -[FSG v1.33 (Eng) -> dulek/xt] -signature = BE A4 01 40 00 AD 93 AD 97 AD 56 96 B2 80 A4 B6 80 FF 13 73 F9 33 C9 FF 13 73 16 33 C0 FF -ep_only = true - -[Crypto-Lock v2.02 (Eng) -> Ryan Thian] -signature = 60 BE 15 90 40 00 8D BE EB 7F FF FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 -ep_only = true - -[PassLock 2000 v1.0 (Eng) -> Moonlight-Software] -signature = 55 8B EC 53 56 57 BB 00 50 40 00 66 2E F7 05 34 20 40 00 04 00 0F 85 98 00 00 00 E8 1F 01 -ep_only = true - -[PESpin v0.3 (Eng) -> cyberbob] -signature = EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 B7 CD 46 -ep_only = true - -[Special EXE Pasword Protector v1.01 (Eng) -> Pavol Cerven] -signature = 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 89 AD 8C 01 00 00 8B C5 2B 85 FE 75 00 00 89 85 3E -ep_only = true - -[Crypto-Lock v2.02 (Eng) -> Ryan Thian] -signature = 60 BE 15 90 40 00 8D BE EB 7F FF FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 31 C9 83 E8 03 72 0D C1 E0 08 8A 06 46 83 F0 FF 74 74 89 C5 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C9 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C9 75 20 41 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C9 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 83 C1 02 81 FD 00 F3 FF FF 83 D1 01 8D 14 2F 83 FD FC 76 0F 8A 02 42 88 07 47 49 75 F7 E9 63 FF FF FF 90 8B 02 83 C2 04 89 07 83 C7 04 83 E9 04 77 F1 01 CF E9 4C FF FF FF 5E 89 F7 B9 55 00 00 00 8A 07 47 2C E8 3C 01 77 F7 80 3F 01 75 F2 8B 07 8A 5F 04 66 C1 E8 08 C1 C0 10 86 C4 29 F8 80 EB E8 01 F0 89 07 -ep_only = true - -[Crypto-Lock v2.02 (Eng) -> Ryan Thian] -signature = 60 BE ?? 90 40 00 8D BE ?? ?? FF FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 31 C9 83 E8 03 72 0D C1 E0 08 8A 06 46 83 F0 FF 74 74 89 C5 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C9 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C9 75 20 41 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C9 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 83 C1 02 81 FD 00 F3 FF FF 83 D1 01 8D 14 2F 83 FD FC 76 0F 8A 02 42 88 07 47 49 75 F7 E9 63 FF FF FF 90 8B 02 83 C2 04 89 07 83 C7 04 83 E9 04 77 F1 01 CF E9 4C FF FF FF 5E 89 F7 B9 55 00 00 00 8A 07 47 2C E8 3C 01 77 F7 80 3F 01 75 F2 8B 07 8A 5F 04 66 C1 E8 08 C1 C0 10 86 C4 29 F8 80 EB E8 01 F0 89 07 -ep_only = true - -[Exact Audio Copy -> (UnknownCompiler)] -signature = E8 ?? ?? ?? 00 31 ED 55 89 E5 81 EC ?? 00 00 00 8D BD ?? FF FF FF B9 ?? 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? 00 ?? ?? ?? ?? 00 ?? ?? ?? ?? 00 ?? ?? ?? ?? 00 ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 -ep_only = true - -[FSG v1.00 (Eng) -> dulek/xt] -signature = BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? 00 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 FC B2 80 A4 6A 02 5B FF 14 24 73 F7 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 21 B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3F AA EB DC E8 43 00 00 00 2B CB 75 10 E8 38 00 00 00 EB 28 AC D1 E8 74 41 13 C9 EB 1C 91 48 C1 E0 08 AC E8 22 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B3 01 56 8B F7 2B F0 F3 A4 5E EB 96 33 C9 41 FF 54 24 04 13 C9 FF 54 24 04 72 F4 C3 5F 5B 0F B7 3B 4F 74 08 4F 74 13 C1 E7 0C EB 07 8B 7B 02 57 83 C3 04 43 43 E9 51 FF FF FF 5F BB 28 ?? ?? 00 47 8B 37 AF 57 FF 13 95 33 C0 AE 75 FD FE 0F 74 EF FE 0F 75 06 47 FF 37 AF EB 09 FE 0F 0F 84 ?? ?? ?? FF 57 55 FF 53 04 09 06 AD 75 DB 8B EC C3 1C ?? ?? 00 00 00 00 00 00 00 00 -ep_only = true - -[FSG v1.10 (Eng) -> bart/xt] -signature = BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? 00 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 B2 80 A4 6A 02 5B FF 14 24 73 F7 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 21 B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3F AA EB DC E8 43 00 00 00 2B CB 75 10 E8 38 00 00 00 EB 28 AC D1 E8 74 41 13 C9 EB 1C 91 48 C1 E0 08 AC E8 22 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B3 01 56 8B F7 2B F0 F3 A4 5E EB 96 33 C9 41 FF 54 24 04 13 C9 FF 54 24 04 72 F4 C3 5F 5B 0F B7 3B 4F 74 08 4F 74 13 C1 E7 0C EB 07 8B 7B 02 57 83 C3 04 43 43 E9 52 FF FF FF 5F BB 27 ?? ?? 00 47 8B 37 AF 57 FF 13 95 33 C0 AE 75 FD FE 07 74 EF FE 07 75 06 47 FF 37 AF EB 09 FE 07 0F 84 1A ?? ?? FF 57 55 FF 53 04 09 06 AD 75 DB 8B EC C3 1B ?? ?? 00 00 00 00 00 00 00 00 00 -ep_only = true - -[FSG v1.30 (Eng) -> dulek/xt] -signature = BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? 00 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 B2 80 A4 6A 02 5B FF 14 24 73 F7 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 21 B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3F AA EB DC E8 43 00 00 00 2B CB 75 10 E8 38 00 00 00 EB 28 AC D1 E8 74 41 13 C9 EB 1C 91 48 C1 E0 08 AC E8 22 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B3 01 56 8B F7 2B F0 F3 A4 5E EB 96 33 C9 41 FF 54 24 04 13 C9 FF 54 24 04 72 F4 C3 5F 5B 0F B7 3B 4F 74 08 4F 74 13 C1 E7 0C EB 07 8B 7B 02 57 83 C3 04 43 43 E9 52 FF FF FF 5F BB ?? ?? ?? 00 47 8B 37 AF 57 FF 13 95 33 C0 AE 75 FD FE 0F 74 EF FE 0F 75 06 47 FF 37 AF EB 09 FE 0F 0F 84 ?? ?? ?? FF 57 55 FF 53 04 09 06 AD 75 DB 8B EC C3 ?? ?? ?? 00 00 00 00 00 00 00 00 00 -ep_only = true - -[FSG v1.31 (Eng) -> dulek/xt] -signature = BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? 00 53 BB ?? ?? ?? 00 B2 80 A4 B6 80 FF D3 73 F9 33 C9 FF D3 73 16 33 C0 FF D3 73 23 B6 80 41 B0 10 FF D3 12 C0 73 FA 75 42 AA EB E0 E8 46 00 00 00 02 F6 83 D9 01 75 10 E8 38 00 00 00 EB 28 AC D1 E8 74 48 13 C9 EB 1C 91 48 C1 E0 08 AC E8 22 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B6 00 56 8B F7 2B F0 F3 A4 5E EB 97 33 C9 41 FF D3 13 C9 FF D3 72 F8 C3 02 D2 75 05 8A 16 46 12 D2 C3 5B 5B 0F B7 3B 4F 74 08 4F 74 13 C1 E7 0C EB 07 8B 7B 02 57 83 C3 04 43 43 E9 58 FF FF FF 5F BB ?? ?? ?? 00 47 8B 37 AF 57 FF 13 95 33 C0 AE 75 FD FE 0F 74 EF FE 0F 75 06 47 FF 37 AF EB 09 FE 0F 0F 84 ?? ?? ?? FF 57 55 FF 53 04 89 06 AD 85 C0 75 D9 8B EC C3 ?? ?? ?? 00 00 00 00 00 00 00 00 00 88 01 00 00 -ep_only = true - -[FSG v1.33 (Eng) -> dulek/xt] -signature = BE A4 01 40 00 AD 93 AD 97 AD 56 96 B2 80 A4 B6 80 FF 13 73 F9 33 C9 FF 13 73 16 33 C0 FF 13 73 1F B6 80 41 B0 10 FF 13 12 C0 73 FA 75 3C AA EB E0 FF 53 08 02 F6 83 D9 01 75 0E FF 53 04 EB 26 AC D1 E8 74 2F 13 C9 EB 1A 91 48 C1 E0 08 AC FF 53 04 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B6 00 56 8B F7 2B F0 F3 A4 5E EB 9D 8B D6 5E AD 48 74 0A 79 02 AD 50 56 8B F2 97 EB 87 AD 93 5E 46 AD 97 56 FF 13 95 AC 84 C0 75 FB FE 0E 74 F0 79 05 46 AD 50 EB 09 FE 0E 0F 84 ?? ?? ?? FF 56 55 FF 53 04 AB EB E0 33 C9 41 FF 13 13 C9 FF 13 72 F8 C3 02 D2 75 05 8A 16 46 12 D2 C3 ?? ?? ?? 00 00 00 00 00 00 00 00 00 54 01 00 00 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 61 01 00 00 6F 01 00 00 00 00 00 00 00 00 00 00 00 00 -ep_only = true - -[NoodleCrypt v2.00 (Eng) -> NoodleSpa] -signature = EB 01 9A E8 76 00 00 00 EB 01 9A E8 65 00 00 00 EB 01 9A E8 7D 00 00 00 EB 01 9A E8 55 00 00 00 EB 01 9A E8 43 04 00 00 EB 01 9A E8 E1 00 00 00 EB 01 9A E8 3D 00 00 00 EB 01 9A E8 EB 01 00 00 EB 01 9A E8 2C 04 00 00 EB 01 9A E8 25 00 00 00 EB 01 9A E8 02 04 00 00 EB 01 9A E8 19 07 00 00 EB 01 9A E8 9C 00 00 00 EB 01 9A E8 9C 06 00 00 E8 00 00 00 00 0F 7E F8 EB 01 9A 8B F8 C3 E8 00 00 00 00 58 EB 01 9A 25 00 F0 FF FF 8B F8 EB 01 9A 0F 6E F8 C3 8B D0 EB 01 9A 81 C2 C8 00 00 00 EB 01 9A B9 00 17 00 00 EB 01 9A C0 0A 06 EB 01 9A 80 2A 15 EB 01 9A 42 E2 EE 0F 6E C0 EB 01 9A 0F 7E C0 EB 01 9A 8B D0 00 85 EB A5 F5 65 4B 45 45 00 85 EB B3 65 07 45 45 00 85 EB 75 C7 C6 00 85 EB 65 CF 8A 00 85 EB D5 FD C0 00 85 EB 7F E5 05 05 05 00 85 EB 7F 61 06 45 45 00 85 EB 7F -ep_only = true - -[PassLock 2000 v1.0 (Eng) -> Moonlight-Software] -signature = 55 8B EC 53 56 57 BB 00 50 40 00 66 2E F7 05 34 20 40 00 04 00 0F 85 98 00 00 00 E8 1F 01 00 00 C7 43 60 01 00 00 00 8D 83 E4 01 00 00 50 FF 15 F0 61 40 00 83 EC 44 C7 04 24 44 00 00 00 C7 44 24 2C 00 00 00 00 54 FF 15 E8 61 40 00 B8 0A 00 00 00 F7 44 24 2C 01 00 00 00 74 05 0F B7 44 24 30 83 C4 44 89 43 56 FF 15 D0 61 40 00 E8 9E 00 00 00 89 43 4C FF 15 D4 61 40 00 89 43 48 6A 00 FF 15 E4 61 40 00 89 43 5C E8 F9 00 00 00 E8 AA 00 00 00 B8 FF 00 00 00 72 0D 53 E8 96 00 00 00 5B FF 4B 10 FF 4B 18 5F 5E 5B 5D 50 FF 15 C8 61 40 00 C3 83 7D 0C 01 75 3F E8 81 00 00 00 8D 83 E4 01 00 00 50 FF 15 F0 61 40 00 FF 15 D0 61 40 00 E8 3A 00 00 00 89 43 4C FF 15 D4 61 40 00 89 43 48 8B 45 08 89 43 5C E8 9A 00 00 00 E8 4B 00 00 00 72 11 66 FF 43 5A 8B 45 0C 89 43 60 53 -ep_only = true - -[PESpin v0.3 (Eng) -> cyberbob] -signature = EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 B7 CD 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF E8 01 00 00 00 EA 5A 83 EA 0B FF E2 8B 95 CB 2C 40 00 8B 42 3C 03 C2 89 85 D5 2C 40 00 41 C1 E1 07 8B 0C 01 03 CA 8B 59 10 03 DA 8B 1B 89 9D E9 2C 40 00 53 8F 85 B6 2B 40 00 BB ?? 00 00 00 B9 75 0A 00 00 8D BD 7E 2D 40 00 4F 30 1C 39 FE CB E2 F9 68 3C 01 00 00 59 8D BD B6 36 40 00 C0 0C 39 02 E2 FA E8 02 00 00 00 FF 15 5A 8D 85 1F 53 56 00 BB 54 13 0B 00 D1 E3 2B C3 FF E0 E8 01 00 00 00 68 E8 1A 00 00 00 8D 34 28 B9 08 00 00 00 B8 ?? ?? ?? ?? 2B C9 83 C9 15 0F A3 C8 0F 83 81 00 00 00 8D B4 0D DC 2C 40 00 -ep_only = true - -[PeX v0.99 (Eng) -> bart/CrackPl] -signature = E9 F5 00 00 00 0D 0A C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 0D 0A 20 50 65 58 20 28 63 29 20 62 79 20 62 61 72 74 5E 43 72 61 63 6B 50 6C 20 62 65 74 61 20 72 65 6C 65 61 73 65 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0D 0A C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 0D 0A 60 E8 01 00 00 -ep_only = true - -[Special EXE Pasword Protector v1.01 (Eng) -> Pavol Cerven] -signature = 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 89 AD 8C 01 00 00 8B C5 2B 85 FE 75 00 00 89 85 3E 77 00 00 8D 95 C6 77 00 00 8D 8D FF 77 00 00 55 68 00 20 00 00 51 52 6A 00 FF 95 04 7A 00 00 5D 6A 00 FF 95 FC 79 00 00 8D 8D 60 78 00 00 8D 95 85 01 00 00 55 68 00 04 00 00 52 6A 00 51 50 FF 95 08 7A 00 00 5D 8D B5 3F 78 00 00 6A 00 6A 00 6A 00 56 FF 95 0C 7A 00 00 0B C0 0F 84 FE 00 00 00 56 FF 95 10 7A 00 00 56 FF 95 14 7A 00 00 80 BD 3E 78 00 00 00 74 D4 33 D2 8B BD 3E 77 00 00 8D 85 1D 02 00 00 89 85 42 77 00 00 8D 85 49 02 00 00 89 85 46 77 00 00 8D 85 EB 75 00 00 89 85 4A 77 00 00 8B 84 D5 24 76 00 00 03 F8 8B 8C D5 28 76 00 00 3B 85 36 77 00 00 60 74 1F 8D B5 BD 02 00 00 FF D6 85 D2 75 11 60 87 FE 8D BD 15 78 00 00 B9 08 00 00 00 F3 A5 61 EB 15 8D 85 9F 02 00 -ep_only = true - -[SVK Protector v1.32 (Eng) -> Pavol Cerven] -signature = 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 EB 05 B8 06 36 42 00 64 A0 23 00 00 00 EB 03 C7 84 E8 84 C0 EB 03 C7 84 E9 75 67 B9 49 00 00 00 8D B5 C5 02 00 00 56 80 06 44 46 E2 FA 8B 8D C1 02 00 00 5E 55 51 6A 00 56 FF 95 0C 61 00 00 59 5D 40 85 C0 75 3C 80 3E 00 74 03 46 EB F8 46 E2 E3 8B C5 8B 4C 24 20 2B 85 BD 02 00 00 89 85 B9 02 00 00 80 BD B4 02 00 00 01 75 06 8B 8D 0C 61 00 00 89 8D B5 02 00 00 8D 85 0E 03 00 00 8B DD FF E0 55 68 10 10 00 00 8D 85 B4 00 00 00 50 8D 85 B4 01 00 00 50 6A 00 FF 95 18 61 00 00 5D 6A FF FF 95 10 61 00 00 44 65 62 75 67 67 65 72 20 6F 72 20 74 6F 6F 6C 20 66 6F 72 20 6D 6F 6E 69 74 6F 72 69 6E 67 20 64 65 74 65 63 74 65 64 21 21 21 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -ep_only = true - -[SVK Protector v1.3x (Eng) -> Pavol Cerven] -signature = 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 EB 05 B8 ?? ?? 42 00 64 A0 23 00 00 00 EB 03 C7 84 E8 84 C0 EB 03 C7 84 E9 75 67 B9 49 00 00 00 8D B5 C5 02 00 00 56 80 06 44 46 E2 FA 8B 8D C1 02 00 00 5E 55 51 6A 00 56 FF 95 0C 61 00 00 59 5D 40 85 C0 75 3C 80 3E 00 74 03 46 EB F8 46 E2 E3 8B C5 8B 4C 24 20 2B 85 BD 02 00 00 89 85 B9 02 00 00 80 BD B4 02 00 00 01 75 06 8B 8D 0C 61 00 00 89 8D B5 02 00 00 8D 85 0E 03 00 00 8B DD FF E0 55 68 10 10 00 00 8D 85 B4 00 00 00 50 8D 85 B4 01 00 00 50 6A 00 FF 95 18 61 00 00 5D 6A FF FF 95 10 61 00 00 44 65 62 75 67 67 65 72 20 6F 72 20 74 6F 6F 6C 20 66 6F 72 20 6D 6F 6E 69 74 6F 72 69 6E 67 20 64 65 74 65 63 74 65 64 21 21 21 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -ep_only = true - -[Video-Lan-Client -> (UnknownCompiler)] -signature = 55 89 E5 83 EC 08 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? FF FF ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? 00 -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0)] -signature = 03 DE EB 01 F8 B8 80 ?? 42 00 EB 02 CD 20 68 17 A0 B3 AB EB 01 E8 59 0F B6 DB 68 0B A1 B3 AB EB 02 CD 20 5E 80 CB AA 2B F1 EB 02 CD 20 43 0F BE 38 13 D6 80 C3 47 2B FE EB 01 F4 03 FE EB 02 4F 4E 81 EF 93 53 7C 3C 80 C3 29 81 F7 8A 8F 67 8B 80 C3 C7 2B FE EB 02 CD 20 57 EB 02 CD 20 5A 88 10 EB 02 CD 20 40 E8 02 00 00 00 C5 62 5A 4E E8 01 00 00 00 43 5A 2B DB 3B F3 75 B1 C1 F3 0D 92 B8 DC 0C 4E 0D B7 F7 0A 39 F4 B5 ?? ?? 36 FF 45 D9 FA FB FE FD FE CD 6B FE 82 0D 28 F3 B6 A6 A0 71 1F BA 92 9C EE DA FE 0D 47 DB 09 AE DF E3 F6 50 E4 12 9E C8 EC FB 4D EA 77 C9 03 75 E0 D2 D6 E5 E2 8B 41 B6 41 FA 70 B0 A0 AB F9 B5 C0 BF ED 78 25 CB 96 E5 A8 A7 AA A0 DC 5F 73 9D 14 F0 B5 6A 87 B7 3B E5 6D 77 B2 45 8C B9 96 95 A0 DC A2 1E 9C 9B 11 93 08 83 9B F8 9E 0A 8E 10 F7 85 -ep_only = true - -[FSG v1.20 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0)] -signature = C1 E0 06 EB 02 CD 20 EB 01 27 EB 01 24 BE 80 ?? 42 00 49 EB 01 99 8D 1D F4 00 00 00 EB 01 5C F7 D8 1B CA EB 01 31 8A 16 80 E9 41 EB 01 C2 C1 E0 0A EB 01 A1 81 EA A8 8C 18 A1 34 46 E8 01 00 00 00 62 59 32 D3 C1 C9 02 EB 01 68 80 F2 1A 0F BE C9 F7 D1 2A D3 EB 02 42 C0 EB 01 08 88 16 80 F1 98 80 C9 28 46 91 EB 02 C0 55 4B EB 01 55 34 44 0B DB 75 AD E8 01 00 00 00 9D 59 0B C6 EB 01 6C E9 D2 C3 82 C2 03 C2 B2 82 C2 00 ?? ?? 7C C2 6F DA BC C2 C2 C2 CC 1C 3D CF 4C D8 84 D0 0C FD F0 42 77 0D 66 F1 AC C1 DE CE 97 BA D7 EB C3 AE DE 91 AA D5 02 0D 1E EE 3F 23 77 C4 01 72 12 C1 0E 1E 14 82 37 AB 39 01 88 C9 DE CA 07 C2 C2 C2 17 79 49 B2 DA 0A C2 C2 C2 A9 EA 6E 91 AA 2E 03 CF 7B 9F CE 51 FA 6D A2 AA 56 8A E4 C2 C2 C2 07 C2 47 C2 C2 17 B8 42 C6 8D 31 88 45 BA 3D 2B BC -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (MASM32 / TASM32)] -signature = 03 F7 23 FE 33 FB EB 02 CD 20 BB 80 ?? 40 00 EB 01 86 EB 01 90 B8 F4 00 00 00 83 EE 05 2B F2 81 F6 EE 00 00 00 EB 02 CD 20 8A 0B E8 02 00 00 00 A9 54 5E C1 EE 07 F7 D7 EB 01 DE 81 E9 B7 96 A0 C4 EB 01 6B EB 02 CD 20 80 E9 4B C1 CF 08 EB 01 71 80 E9 1C EB 02 F0 49 C1 F6 09 88 0B F7 DE 0F B6 F2 43 EB 02 CD 20 C1 E7 0A 48 EB 01 89 C1 E7 14 2B FF 3B C7 75 A8 E8 01 00 00 00 81 5F F7 D7 D9 EE 1F 5E 1E DD 1E 2E 5E 1E DC ?? ?? 5E 1E 71 06 28 1E 1E 1E 20 F0 93 23 A8 34 64 30 F0 E1 D0 9E 51 F9 C2 D1 20 1D 32 42 91 16 51 E7 1D 32 42 91 36 51 DE 1D 32 42 91 3F D1 20 5F CE 2E 1D 32 42 30 DE 91 17 93 5D C8 09 FA 06 61 1E 1E 1E 49 E9 93 2E 06 56 1E 1E 1E 09 46 CA EF 06 92 5F 31 E7 09 3A AF 66 DF FE 26 CA 06 40 1E 1E 1E 5B 1E 9B 1E 1E 91 28 9E 1A 23 91 24 A1 16 9D 95 20 -ep_only = true - -[FSG v1.20 (Eng) -> dulek/xt -> (MASM32 / TASM32)] -signature = 33 C2 2C FB 8D 3D 7E 45 B4 80 E8 02 00 00 00 8A 45 58 68 02 ?? 8C 7F EB 02 CD 20 5E 80 C9 16 03 F7 EB 02 40 B0 68 F4 00 00 00 80 F1 2C 5B C1 E9 05 0F B6 C9 8A 16 0F B6 C9 0F BF C7 2A D3 E8 02 00 00 00 99 4C 58 80 EA 53 C1 C9 16 2A D3 E8 02 00 00 00 9D CE 58 80 EA 33 C1 E1 12 32 D3 48 80 C2 26 EB 02 CD 20 88 16 F7 D8 46 EB 01 C0 4B 40 8D 0D 00 00 00 00 3B D9 75 B7 EB 01 14 EB 01 0A CF C5 93 53 90 DA 96 67 54 8D CC ?? ?? 51 8E 18 74 53 82 83 80 47 B4 D2 41 FB 64 31 6A AF 7D 89 BC 0A 91 D7 83 37 39 43 50 A2 32 DC 81 32 3A 4B 97 3D D9 63 1F 55 42 F0 45 32 60 9A 28 51 61 4B 38 4B 12 E4 49 C4 99 09 47 F9 42 8C 48 51 4E 70 CF B8 12 2B 78 09 06 07 17 55 D6 EA 10 8D 3F 28 E5 02 0E A2 58 B8 D6 0F A8 E5 10 EB E8 F1 23 EF 61 E5 E2 54 EA A9 2A 22 AF 17 A1 23 97 9A 1C -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0 / 7.0)] -signature = 0B D0 8B DA E8 02 00 00 00 40 A0 5A EB 01 9D B8 80 ?? ?? 00 EB 02 CD 20 03 D3 8D 35 F4 00 00 00 EB 01 35 EB 01 88 80 CA 7C 80 F3 74 8B 38 EB 02 AC BA 03 DB E8 01 00 00 00 A5 5B C1 C2 0B 81 C7 DA 10 0A 4E EB 01 08 2B D1 83 EF 14 EB 02 CD 20 33 D3 83 EF 27 EB 02 82 53 EB 02 CD 20 87 FA 88 10 80 F3 CA EB 02 CD 20 40 03 D7 0B D0 4E 1B D2 EB 02 CD 20 2B D2 3B F2 75 AC F7 DA 80 C3 AF 91 1C 31 62 A1 61 20 61 71 A1 61 1F ?? ?? ?? 61 B4 49 6B 61 61 61 63 33 D6 66 EB 77 A7 73 33 24 13 E1 94 3C 05 14 63 60 75 85 D4 59 94 2A 60 75 85 D4 79 94 21 60 75 85 D4 82 14 63 A2 11 71 60 75 85 73 21 D4 5A D6 A0 0B 4C 3D 49 A4 61 61 61 8C 2C D6 71 49 99 61 61 61 4C 89 0D 32 49 D5 A2 74 2A 4C 7D F2 A9 22 41 69 0D 49 83 61 61 61 9E 61 DE 61 61 D4 6B E1 5D 66 D4 67 E4 59 E0 D8 63 -ep_only = true - -[FSG v1.20 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0 / 7.0)] -signature = EB 02 CD 20 EB 01 91 8D 35 80 ?? ?? 00 33 C2 68 83 93 7E 7D 0C A4 5B 23 C3 68 77 93 7E 7D EB 01 FA 5F E8 02 00 00 00 F7 FB 58 33 DF EB 01 3F E8 02 00 00 00 11 88 58 0F B6 16 EB 02 CD 20 EB 02 86 2F 2A D3 EB 02 CD 20 80 EA 2F EB 01 52 32 D3 80 E9 CD 80 EA 73 8B CF 81 C2 96 44 EB 04 EB 02 CD 20 88 16 E8 02 00 00 00 44 A2 59 46 E8 01 00 00 00 AD 59 4B 80 C1 13 83 FB 00 75 B2 F7 D9 96 8F 80 4D 0C 4C 91 50 1C 0C 50 8A ?? ?? ?? 50 E9 34 16 50 4C 4C 0E 7E 9B 49 C6 32 02 3E 7E 7B 5E 8C C5 6B 50 3F 0E 0F 38 C8 95 18 D1 65 11 2C B8 87 28 C3 4C 0B 3C AC D9 2D 15 4E 8F 1C 40 4F 28 98 3E 10 C1 45 DB 8F 06 3F EC 48 61 4C 50 50 81 DF C3 20 34 84 10 10 0C 1F 68 DC FF 24 8C 4D 29 F5 1D 2C BF 74 CF F0 24 C0 08 2E 0C 0C 10 51 0C 91 10 10 81 16 D0 54 4B D7 42 C3 54 CB C9 4E -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (Borland Delphi / Microsoft Visual C++)] -signature = 1B DB E8 02 00 00 00 1A 0D 5B 68 80 ?? ?? 00 E8 01 00 00 00 EA 5A 58 EB 02 CD 20 68 F4 00 00 00 EB 02 CD 20 5E 0F B6 D0 80 CA 5C 8B 38 EB 01 35 EB 02 DC 97 81 EF F7 65 17 43 E8 02 00 00 00 97 CB 5B 81 C7 B2 8B A1 0C 8B D1 83 EF 17 EB 02 0C 65 83 EF 43 13 D6 83 C7 32 F7 DA 03 FE EB 02 CD 20 87 FA 88 10 EB 02 CD 20 40 E8 02 00 00 00 F1 F8 5B 4E 2B D2 85 F6 75 AF EB 02 DE 09 EB 01 EF 34 4A 7C BC 7D 3D 7F 90 C1 82 41 ?? ?? ?? 87 DB 71 94 8B 8C 8D 90 61 05 96 1C A9 DA A7 68 5A 4A 19 CD 76 40 50 A0 9E B4 C5 15 9B D7 6E A5 BB CC 1C C2 DE 6C AC C2 D3 23 D2 65 B5 F5 65 C6 B6 CC DD CC 7B 2F B6 33 FE 6A AC 9E AB 07 C5 C6 C7 F3 94 3F DB B4 05 CE CF D0 BC FA 7F A5 BD 4A 18 EB A2 C5 F7 6D 25 9F BF E8 8D CA 05 E4 E5 E6 24 E8 66 EA EB 5F F7 6E EB F5 64 F8 76 EC 74 6D F9 -ep_only = true - -[FSG v1.20 (Eng) -> dulek/xt -> (Borland Delphi / Microsoft Visual C++)] -signature = 0F B6 D0 E8 01 00 00 00 0C 5A B8 80 ?? ?? 00 EB 02 00 DE 8D 35 F4 00 00 00 F7 D2 EB 02 0E EA 8B 38 EB 01 A0 C1 F3 11 81 EF 84 88 F4 4C EB 02 CD 20 83 F7 22 87 D3 33 FE C1 C3 19 83 F7 26 E8 02 00 00 00 BC DE 5A 81 EF F7 EF 6F 18 EB 02 CD 20 83 EF 7F EB 01 F7 2B FE EB 01 7F 81 EF DF 30 90 1E EB 02 CD 20 87 FA 88 10 80 EA 03 40 EB 01 20 4E EB 01 3D 83 FE 00 75 A2 EB 02 CD 20 EB 01 C3 78 73 42 F7 35 6C 2D 3F ED 33 97 ?? ?? ?? 5D F0 45 29 55 57 55 71 63 02 72 E9 1F 2D 67 B1 C0 91 FD 10 58 A3 90 71 6C 83 11 E0 5D 20 AE 5C 71 83 D0 7B 10 97 54 17 11 C0 0E 00 33 76 85 33 3C 33 21 31 F5 50 CE 56 6C 89 C8 F7 CD 70 D5 E3 DD 08 E8 4E 25 FF 0D F3 ED EF C8 0B 89 A6 CD 77 42 F0 A6 C8 19 66 3D B2 CD E7 89 CB 13 D7 D5 E3 1E DF 5A E3 D5 50 DF B3 39 32 C0 2D B0 3F B4 B4 43 -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (Borland C++)] -signature = 23 CA EB 02 5A 0D E8 02 00 00 00 6A 35 58 C1 C9 10 BE 80 ?? ?? 00 0F B6 C9 EB 02 CD 20 BB F4 00 00 00 EB 02 04 FA EB 01 FA EB 01 5F EB 02 CD 20 8A 16 EB 02 11 31 80 E9 31 EB 02 30 11 C1 E9 11 80 EA 04 EB 02 F0 EA 33 CB 81 EA AB AB 19 08 04 D5 03 C2 80 EA 33 0F B6 C9 0F BE 0E 88 16 EB 01 5F EB 01 6B 46 EB 01 6D 0F BE C0 4B EB 02 CD 20 0F BE C9 2B C9 3B D9 75 B0 EB 01 99 C1 C1 05 91 9D B2 E3 22 E2 A1 E2 F2 22 E2 A0 ?? ?? ?? E2 35 CA EC E2 E2 E2 E4 B4 57 E7 6C F8 28 F4 B4 A5 94 62 15 BD 86 95 E4 E1 F6 06 55 DA 15 AB E1 F6 06 55 FA 15 A2 E1 F6 06 55 03 95 E4 23 92 F2 E1 F6 06 F4 A2 55 DB 57 21 8C CD BE CA 25 E2 E2 E2 0D AD 57 F2 CA 1A E2 E2 E2 CD 0A 8E B3 CA 56 23 F5 AB CD FE 73 2A A3 C2 EA 8E CA 04 E2 E2 E2 1F E2 5F E2 E2 55 EC 62 DE E7 55 E8 65 DA 61 59 E4 -ep_only = true - -[FSG v1.20 (Eng) -> dulek/xt -> (Borland C++)] -signature = C1 F0 07 EB 02 CD 20 BE 80 ?? ?? 00 1B C6 8D 1D F4 00 00 00 0F B6 06 EB 02 CD 20 8A 16 0F B6 C3 E8 01 00 00 00 DC 59 80 EA 37 EB 02 CD 20 2A D3 EB 02 CD 20 80 EA 73 1B CF 32 D3 C1 C8 0E 80 EA 23 0F B6 C9 02 D3 EB 01 B5 02 D3 EB 02 DB 5B 81 C2 F6 56 7B F6 EB 02 56 7B 2A D3 E8 01 00 00 00 ED 58 88 16 13 C3 46 EB 02 CD 20 4B EB 02 CD 20 2B C9 3B D9 75 A1 E8 02 00 00 00 D7 6B 58 EB 00 9E 96 6A 28 67 AB 69 54 03 3E 7F ?? ?? ?? 31 0D 63 44 35 38 37 18 87 9F 10 8C 37 C6 41 80 4C 5E 8B DB 60 4C 3A 28 08 30 BF 93 05 D1 58 13 2D B8 86 AE C8 58 16 A6 95 C5 94 03 33 6F FF 92 20 98 87 9C E5 B9 20 B5 68 DE 16 4A 15 C1 7F 72 71 65 3E A9 85 20 AF 5A 59 54 26 66 E9 3F 27 DE 8E 7D 34 53 61 F7 AF 09 29 5C F7 36 83 60 5F 52 92 5C D0 56 55 C9 61 7A FD EF 7E E8 70 F8 6E 7B EF -ep_only = true - -[FSG v1.10 (Eng) -> dulek/xt -> (Borland Delphi / Borland C++)] -signature = 2B C2 E8 02 00 00 00 95 4A 59 8D 3D 52 F1 2A E8 C1 C8 1C BE 2E ?? ?? 18 EB 02 AB A0 03 F7 EB 02 CD 20 68 F4 00 00 00 0B C7 5B 03 CB 8A 06 8A 16 E8 02 00 00 00 8D 46 59 EB 01 A4 02 D3 EB 02 CD 20 02 D3 E8 02 00 00 00 57 AB 58 81 C2 AA 87 AC B9 0F BE C9 80 EA 0F E8 01 00 00 00 64 59 02 D3 EB 02 D6 5C 88 16 EB 02 CD 20 46 E8 02 00 00 00 6B B5 59 4B 0F B7 C6 0B DB 75 B1 EB 02 50 AA 91 44 5C 90 D2 95 57 9B AE E1 A4 65 ?? ?? ?? B3 09 A1 C6 BF C2 C5 CA 9D 43 D6 5E ED 20 EF B2 A6 98 69 1F CA 96 A8 FA FA 12 25 77 FF 3D D6 0F 27 3A 8C 34 52 E2 24 3C 4F A1 52 E7 39 7B ED 50 42 5A 6D 5E 0F C5 4E CD 9A 08 4C 40 4F AD 6D 70 73 A1 44 F1 8F 6A BD 88 8B 8E 7C BC 43 6B 85 14 E4 B9 72 97 CB 43 FD 79 9B C6 6D AC E9 CA CD D0 10 D6 56 DC DF 55 EF 68 E7 F3 64 FA 7A F2 7C 77 05 -ep_only = true - -[FSG v1.20 (Eng) -> dulek/xt -> (Borland Delphi / Borland C++)] -signature = 0F BE C1 EB 01 0E 8D 35 C3 BE B6 22 F7 D1 68 43 ?? ?? 22 EB 02 B5 15 5F C1 F1 15 33 F7 80 E9 F9 BB F4 00 00 00 EB 02 8F D0 EB 02 08 AD 8A 16 2B C7 1B C7 80 C2 7A 41 80 EA 10 EB 01 3C 81 EA CF AE F1 AA EB 01 EC 81 EA BB C6 AB EE 2C E3 32 D3 0B CB 81 EA AB EE 90 14 2C 77 2A D3 EB 01 87 2A D3 E8 01 00 00 00 92 59 88 16 EB 02 52 08 46 EB 02 CD 20 4B 80 F1 C2 85 DB 75 AE C1 E0 04 EB 00 DA B2 82 5C 9B C7 89 98 4F 8A F7 ?? ?? ?? B1 4D DF B8 AD AC AB D4 07 27 D4 50 CF 9A D5 1C EC F2 27 77 18 40 4E A4 A8 B4 CB 9F 1D D9 EC 1F AD BC 82 AA C0 4C 0A A2 15 45 18 8F BB 07 93 BE C0 BC A3 B0 9D 51 D4 F1 08 22 62 96 6D 09 73 7E 71 A5 3A E5 7D 94 A3 96 99 98 72 B2 31 57 7B FA AE 9D 28 4F 99 EF A3 25 49 60 03 42 8B 54 53 5E 92 50 D4 52 4D C1 55 76 FD F7 8A FC 78 0C 82 87 0F -ep_only = true - -[PECompact 2.0beta/student version ->Jeremy Collake] -signature=B8 ?? ?? ?? EE 05 12 13 13 12 50 64 FF 35 00 00 00 00 64 89 25 00 -ep_only = true - -[EXE Shield v0.5-v0.6 -> Smoke] -signature=E8 04 00 00 00 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00 00 00 00 5D 81 ED BC 1A 40 00 EB 01 00 8D B5 46 1B 40 00 BA B3 0A 00 00 EB 01 00 8D 8D F9 25 40 00 8B 09 E8 14 00 00 00 83 EB 01 00 8B FE E8 00 00 00 00 58 83 C0 07 50 C3 00 EB 04 58 40 50 C3 8A 06 46 EB 01 00 D0 C8 E8 14 00 00 00 83 EB 01 00 2A C2 E8 00 00 00 00 5B 83 C3 07 53 C3 00 EB 04 5B 43 53 C3 EB 01 00 32 C2 E8 0B 00 00 00 00 32 C1 EB 01 00 C0 C0 02 EB 09 2A C2 5B EB 01 00 43 53 C3 88 07 EB 01 00 47 4A 75 B4 90 -ep_only = true - -[Thinstall v2.403 ->Jitit ] -signature=6A 00 FF 15 20 50 40 00 E8 D4 F8 FF FF E9 E9 AD FF FF FF 8B C1 8B 4C 24 04 89 88 29 04 00 00 C7 40 0C 01 00 00 00 0F B6 49 01 D1 E9 89 48 10 C7 40 14 80 00 00 00 C2 04 00 8B 44 24 04 C7 41 0C 01 00 00 00 89 81 29 04 00 00 0F B6 40 01 D1 E8 89 41 10 C7 41 14 80 00 00 00 C2 04 00 55 8B EC 53 56 57 33 C0 33 FF 39 45 0C 8B F1 76 0C 8B 4D 08 03 3C 81 40 3B 45 0C 72 F4 8B CE E8 43 00 00 00 8B 46 14 33 D2 F7 F7 8B 5E 10 33 D2 8B F8 8B C3 F7 F7 89 7E 18 89 45 0C 33 C0 33 C9 8B 55 08 03 0C 82 40 39 4D 0C 73 F4 48 8B 14 82 2B CA 0F AF CF 2B D9 0F AF FA 89 7E 14 89 5E 10 5F 5E 5B 5D C2 08 00 57 BF 00 00 80 00 39 79 14 77 36 53 56 8B B1 29 04 00 00 8B 41 0C 8B 59 10 03 DB 8A 14 30 83 E2 01 0B D3 C1 E2 07 40 89 51 10 89 41 0C 0F B6 04 30 C1 61 14 08 D1 E8 09 41 10 39 -ep_only = true - -[PECompact 2.x (beta version) ->Jeremy Collake] -signature=B8 ?? ?? ?? 00 80 00 28 40 -ep_only = true - -[PECompact 2.0x Heuristic Mode -> Jeremy Collake] -signature=B8 ?? ?? ?? 00 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43 6F 6D 70 61 63 74 32 00 -ep_only = true - -[PECompact 2.0x Heuristic Mode -> Jeremy Collake] -signature=B8 ?? ?? ?? 00 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43 6F 6D 70 61 63 74 32 00 -ep_only = true - -[Armadillo 3.00a -> Silicon Realms Toolworks] -signature = 60 E8 00 00 00 00 5D 50 51 EB 0F ?? EB 0F ?? EB 07 ?? EB 0F ?? EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC ?? 59 58 50 51 EB 0F ?? EB 0F ?? EB 07 ?? EB 0F ?? EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC ?? 59 58 50 51 EB 0F ?? EB 0F ?? EB 07 ?? EB 0F ?? EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC ?? 59 58 60 33 C9 75 02 EB 15 ?? 33 C9 75 18 7A 0C 70 0E EB 0D ?? 72 0E 79 F1 ?? ?? ?? 79 09 74 F0 ?? 87 DB 7A F0 ?? ?? 61 50 51 EB 0F ?? EB 0F ?? EB 07 ?? EB 0F ?? EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC ?? 59 58 60 9C 33 C0 E8 09 00 00 00 E8 E8 23 00 00 00 7A 23 ?? 8B 04 24 EB 03 7A 29 ?? C6 00 90 C3 ?? 70 F0 87 D2 71 07 ?? ?? 40 8B DB 7A 11 EB 08 ?? EB F7 EB C3 ?? 7A E9 70 DA 7B D1 71 F3 ?? 7B F3 71 D6 ?? 9D 61 83 ED 06 33 FF 47 60 33 C9 75 02 EB 15 ?? 33 C9 75 18 7A 0C 70 0E EB 0D ?? 72 0E 79 F1 ?? ?? ?? 79 09 74 F0 EB 87 ?? 7A F0 ?? ?? 61 8B 9C BD 26 42 -ep_only = true - -[Armadillo 3.00a -> Silicon Realms Toolworks] -signature = 60 E8 00 00 00 00 5D 50 51 EB 0F ?? EB 0F ?? EB 07 ?? EB 0F ?? EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC ?? 59 58 50 51 EB 0F ?? EB 0F ?? EB 07 ?? EB 0F ?? EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC ?? 59 58 50 51 EB 0F ?? EB 0F ?? EB 07 ?? EB 0F ?? EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC ?? 59 58 60 33 C9 75 02 EB 15 ?? 33 C9 75 18 7A 0C 70 0E EB 0D ?? 72 0E 79 F1 ?? ?? ?? 79 09 74 F0 ?? 87 DB 7A F0 ?? ?? 61 50 51 EB 0F ?? EB 0F ?? EB 07 ?? EB 0F ?? EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC ?? 59 58 60 9C 33 C0 E8 09 00 00 00 E8 E8 23 00 00 00 7A 23 ?? 8B 04 24 EB 03 7A 29 ?? C6 00 90 C3 ?? 70 F0 87 D2 71 07 ?? ?? 40 8B DB 7A 11 EB 08 ?? EB F7 EB C3 ?? 7A E9 70 DA 7B D1 71 F3 ?? 7B F3 71 D6 ?? 9D 61 83 ED 06 33 FF 47 60 33 C9 75 02 EB 15 ?? 33 C9 75 18 7A 0C 70 0E EB 0D ?? 72 0E 79 F1 ?? ?? ?? 79 09 74 F0 EB 87 ?? 7A F0 ?? ?? 61 8B 9C BD 26 42 -ep_only = true - -[Armadillo 3.01 - 3.50a -> Silicon Realms Toolworks] -signature = 60 E8 00 00 00 00 5D 50 51 EB 0F ?? EB 0F ?? EB 07 ?? EB 0F ?? EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC ?? 59 58 50 51 EB 0F ?? EB 0F ?? EB 07 ?? EB 0F ?? EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC ?? 59 58 50 51 EB 0F ?? EB 0F ?? EB 07 ?? EB 0F ?? EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC ?? 59 58 60 33 C9 75 02 EB 15 ?? 33 C9 75 18 7A 0C 70 0E EB 0D ?? 72 0E 79 F1 ?? ?? ?? 79 09 74 F0 ?? 87 DB 7A F0 ?? ?? 61 50 51 EB 0F ?? EB 0F ?? EB 07 ?? EB 0F ?? EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC ?? 59 58 60 9C 33 C0 E8 09 00 00 00 E8 E8 23 00 00 00 7A 23 ?? 8B 04 24 EB 03 7A 29 ?? C6 00 90 C3 ?? 70 F0 87 D2 71 07 ?? ?? 40 8B DB 7A 11 EB 08 ?? EB F7 EB C3 ?? 7A E9 70 DA 7B D1 71 F3 ?? 7B F3 71 D6 ?? 9D 61 83 ED 06 33 FF 47 60 33 C9 75 02 EB 15 ?? 33 C9 75 18 7A 0C 70 0E EB 0D ?? 72 0E 79 F1 ?? ?? ?? 79 09 74 F0 EB 87 ?? 7A F0 ?? ?? 61 8B 9C BD B8 43 -ep_only = true - -[Armadillo 3.6x -> Silicon Realms Toolworks] -signature = 60 E8 00 00 00 00 5D 50 51 EB 0F ?? EB 0F ?? EB 07 ?? EB 0F ?? EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC ?? 59 58 50 51 EB 0F ?? EB 0F ?? EB 07 ?? EB 0F ?? EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC ?? 59 58 50 51 EB 0F ?? EB 0F ?? EB 07 ?? EB 0F ?? EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC ?? 59 58 60 33 C9 75 02 EB 15 ?? 33 C9 75 18 7A 0C 70 0E EB 0D ?? 72 0E 79 F1 ?? ?? ?? 79 09 74 F0 ?? 87 DB 7A F0 ?? ?? 61 50 51 EB 0F ?? EB 0F ?? EB 07 ?? EB 0F ?? EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC ?? 59 58 60 9C 33 C0 E8 09 00 00 00 E8 E8 23 00 00 00 7A 23 ?? 8B 04 24 EB 03 7A 29 ?? C6 00 90 C3 ?? 70 F0 87 D2 71 07 ?? ?? 40 8B DB 7A 11 EB 08 ?? EB F7 EB C3 ?? 7A E9 70 DA 7B D1 71 F3 ?? 7B F3 71 D6 ?? 9D 61 83 ED 06 33 FF 47 60 33 C9 75 02 EB 15 ?? 33 C9 75 18 7A 0C 70 0E EB 0D ?? 72 0E 79 F1 ?? ?? ?? 79 09 74 F0 EB 87 ?? 7A F0 ?? ?? 61 8B 9C BD AB 76 -ep_only = true - -[Armadillo 3.7x -> Silicon Realms Toolworks] -signature = 60 E8 00 00 00 00 5D 50 51 EB 0F ?? EB 0F ?? EB 07 ?? EB 0F ?? EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC ?? 59 58 50 51 EB 0F ?? EB 0F ?? EB 07 ?? EB 0F ?? EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC ?? 59 58 50 51 EB 0F ?? EB 0F ?? EB 07 ?? EB 0F ?? EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC ?? 59 58 60 33 C9 75 02 EB 15 ?? 33 C9 75 18 7A 0C 70 0E EB 0D ?? 72 0E 79 F1 ?? ?? ?? 79 09 74 F0 ?? 87 DB 7A F0 ?? ?? 61 50 51 EB 0F ?? EB 0F ?? EB 07 ?? EB 0F ?? EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC ?? 59 58 60 9C 33 C0 E8 09 00 00 00 E8 E8 23 00 00 00 7A 23 ?? 8B 04 24 EB 03 7A 29 ?? C6 00 90 C3 ?? 70 F0 87 D2 71 07 ?? ?? 40 8B DB 7A 11 EB 08 ?? EB F7 EB C3 ?? 7A E9 70 DA 7B D1 71 F3 ?? 7B F3 71 D6 ?? 9D 61 83 ED 06 B8 3B 01 00 00 03 C5 33 DB 81 C3 01 01 01 01 31 18 81 38 78 54 00 00 74 04 31 18 EB EC -ep_only = true - -[Soft Defender v1.1x -> Randy Li] -signature = 74 07 75 05 ?? ?? ?? ?? ?? 74 1F 75 1D ?? 68 ?? ?? ?? 00 59 9C 50 74 0A 75 08 ?? 59 C2 04 00 ?? ?? ?? E8 F4 FF FF FF ?? ?? ?? 78 0F 79 0D -ep_only = true - -[EXE Stealth v2.74 -> WebToolMaster] -signature = EB 00 EB 17 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 60 90 E8 00 00 00 00 5D -ep_only = true - -[AHTeam EP Protector v0.3 -> FEUERRADER] -signature = 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 -ep_only = true - -[PECompact v2.0 beta -> Jeremy Collake] -signature = B8 ?? ?? ?? ?? 05 ?? ?? ?? ?? 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 CC 90 90 90 90 -ep_only = true - -[PKLITE32 1.1 -> PKWARE Inc.] -signature = 68 ?? ?? ?? 00 68 ?? ?? ?? 00 68 00 00 00 00 E8 ?? ?? ?? ?? E9 -ep_only = true - -[tElock 1.0 (private) -> tE!] -signature = E9 ?? ?? FF FF ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 6B 65 72 6E 65 6C 33 32 -ep_only = true - -[Mew 10 exe-coder 1.0 -> Northfox [HCC]] -signature = 33 C0 E9 ?? ?? FF FF 6A ?? ?? ?? ?? ?? 70 -ep_only = true - -[FSG v2.0 -> bart/xt] -signature = 87 25 ?? ?? ?? 00 61 94 55 A4 B6 80 FF 13 -ep_only = true - -[PeCompact v2.08->Bitsum Technologies(signature by loveboom)] -signature = B8 ?? ?? ?? ?? 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43 6F 6D -ep_only=true - -[MEW 11 SE v1.1 -> Northfox [HCC]] -signature = E9 ?? ?? ?? FF 0C ?0 -ep_only = true - -[yoda's Protector 1.0x-->Ashkbiz Danehkar] -signature = 55 8B EC 53 56 57 E8 03 00 00 00 EB 01 -ep_only = true - -[yoda's Crypter 1.3-->Ashkbiz Danehkar] -signature = 55 8B EC 53 56 57 60 E8 00 00 00 00 5D 81 ED 6C 28 40 00 B9 5D 34 40 00 -ep_only = true - -[UPX v1.03 - v1.04] -signature = ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 8A 07 72 EB B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 ?? 75 ?? 8B 1E 83 EE FC -ep_only = true - -[UPX v0.89.6 - v1.02 / v1.05 -v1.22 (Delphi) stub] -signature = 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? C7 87 ?? ?? ?? ?? ?? ?? ?? ?? 57 83 CD FF EB 0E ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07 8B -ep_only = true - -[UPX v0.81 - v0.84 Modified] -signature = 01 DB ?? 07 8B 1E 83 EE FC 11 DB ?? ED B8 01 00 00 00 01 DB ?? 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 77 EF -ep_only = true - -[UPX v0.89.6 - v1.02 / v1.05 - v1.22 Modified] -signature = 01 DB ?? 07 8B 1E 83 EE FC 11 DB ?? ED B8 01 00 00 00 01 DB ?? 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 ?? 75 -ep_only = true - -[UPX v1.03 - v1.04 Modified] -signature = 01 DB ?? 07 8B 1E 83 EE FC 11 DB 8A 07 ?? EB B8 01 00 00 00 01 DB ?? 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF -ep_only = true - -[UPX Alternative stub] -signature = 01 DB 07 8B 1E 83 EE FC 11 DB ED B8 01 00 00 00 01 DB 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 0B -ep_only = true - -[UPX Modifier v0.1x] -signature = 50 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD -ep_only = true - -[UPX Modified stub] -signature = 79 07 0F B7 07 47 50 47 B9 57 48 F2 AE 55 FF 96 84 ?? 00 00 09 C0 74 07 89 03 83 C3 04 EB D8 FF 96 88 ?? 00 00 61 E9 ?? ?? ?? FF -ep_only = true - -[UPX Protector v1.0x] -signature = EB EC ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07 -ep_only = true - -[UPX + ECLiPSE layer] -signature = B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 33 D2 EB 01 0F 56 EB 01 0F E8 03 00 00 00 EB 01 0F EB 01 0F 5E EB 01 -ep_only = true - -[UPX-Scrambler RC v1.x] -signature = 90 61 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF -ep_only = true - -[UPXShit 0.06] -signature = B8 ?? ?? 43 00 B9 15 00 00 00 80 34 08 ?? E2 FA E9 D6 FF FF FF -ep_only = true - -[VBOX v4.2 MTE] -signature = 8C E0 0B C5 8C E0 0B C4 03 C5 74 00 74 00 8B C5 -ep_only = true - -[VBOX v4.3 MTE] -signature = 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 -ep_only = true - -[VOB ProtectCD 5] -signature = 36 3E 26 8A C0 60 E8 -ep_only = true - -[VOB ProtectCD] -signature = 5F 81 EF ?? ?? ?? ?? BE ?? ?? 40 ?? 8B 87 ?? ?? ?? ?? 03 C6 57 56 8C A7 ?? ?? ?? ?? FF 10 89 87 ?? ?? ?? ?? 5E 5F -ep_only = true - -[Virogen Crypt v0.75] -signature = 9C 55 E8 EC 00 00 00 87 D5 5D 60 87 D5 80 BD 15 27 40 00 01 -ep_only = true - -[Winkript v1.0] -signature = 33 C0 8B B8 00 ?? ?? ?? 8B 90 04 ?? ?? ?? 85 FF 74 1B 33 C9 50 EB 0C 8A 04 39 C0 C8 04 34 1B 88 04 39 41 3B CA 72 F0 58 -ep_only = true - -[WinZip 32-bit SFX v6.x module] -signature = FF 15 ?? ?? ?? 00 B1 22 38 08 74 02 B1 20 40 80 38 00 74 10 38 08 74 06 40 80 38 00 75 F6 80 38 00 74 01 40 33 C9 ?? ?? ?? ?? FF 15 -ep_only = true - -[WinZip 32-bit SFX v8.x module] -signature = 53 FF 15 ?? ?? ?? 00 B3 22 38 18 74 03 80 C3 FE 8A 48 01 40 33 D2 3A CA 74 0A 3A CB 74 06 8A 48 01 40 EB F2 38 10 74 01 40 ?? ?? ?? ?? FF 15 -ep_only = true - -[WinRAR 32-bit SFX Module] -signature = E9 ?? ?? 00 00 00 00 00 00 90 90 90 ?? ?? ?? ?? ?? ?? 00 ?? 00 ?? ?? ?? ?? ?? FF -ep_only = true - -[Wise Installer Stub] -signature = 55 8B EC 81 EC ?? 04 00 00 53 56 57 6A ?? ?? ?? ?? ?? ?? ?? FF 15 ?? ?? 40 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 80 ?? 20 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 74 -ep_only = true - -[Wise Installer Stub] -signature = 55 8B EC 81 EC 78 05 00 00 53 56 BE 04 01 00 00 57 8D 85 94 FD FF FF 56 33 DB 50 53 FF 15 34 20 40 00 8D 85 94 FD FF FF 56 50 8D 85 94 FD FF FF 50 FF 15 30 20 40 00 8B 3D 2C 20 40 00 53 53 6A 03 53 6A 01 8D 85 94 FD FF FF 68 00 00 00 80 50 FF D7 83 F8 FF 89 45 FC 0F 84 7B 01 00 00 8D 85 90 FC FF FF 50 56 FF 15 28 20 40 00 8D 85 98 FE FF FF 50 53 8D 85 90 FC FF FF 68 10 30 40 00 50 FF 15 24 20 40 00 53 68 80 00 00 00 6A 02 53 53 8D 85 98 FE FF FF 68 00 00 00 40 50 FF D7 83 F8 FF 89 45 F4 0F 84 2F 01 00 00 53 53 53 6A 02 53 FF 75 FC FF 15 00 20 40 00 53 53 53 6A 04 50 89 45 F8 FF 15 1C 20 40 00 8B F8 C7 45 FC 01 00 00 00 8D 47 01 8B 08 81 F9 4D 5A 9A 00 74 08 81 F9 4D 5A 90 00 75 06 80 78 04 03 74 0D FF 45 FC 40 81 7D FC 00 80 00 00 7C DB 8D 4D F0 53 51 68 -ep_only = true - -[Wise Installer Stub v1.10.1029.1] -signature = 55 8B EC 81 EC 40 0F 00 00 53 56 57 6A 04 FF 15 F4 30 40 00 FF 15 74 30 40 00 8A 08 89 45 E8 80 F9 22 75 48 8A 48 01 40 89 45 E8 33 F6 84 C9 74 0E 80 F9 22 74 09 8A 48 01 40 89 45 E8 EB EE 80 38 22 75 04 40 89 45 E8 80 38 20 75 09 40 80 38 20 74 FA 89 45 E8 8A 08 80 F9 2F 74 2B 84 C9 74 1F 80 F9 3D 74 1A 8A 48 01 40 EB F1 33 F6 84 C9 74 D6 80 F9 20 74 -ep_only = true - -[WWPack32 v1.00, v1.11, v1.12, v1.20] -signature = 53 55 8B E8 33 DB EB 60 0D 0A 0D 0A 57 57 50 61 63 6B 33 32 -ep_only = true - -[WWPack32 v1.x] -signature = 53 55 8B E8 33 DB EB 60 -ep_only = true - -[X-PEOR v0.99b] -signature = E8 00 00 00 00 5D 8B CD 81 ED 7A 29 40 00 89 AD 0F 6D 40 00 -ep_only = true - -[Xtreme-Protector v1.05] -signature = E9 ?? ?? 00 00 00 00 00 00 00 00 -ep_only = true - -[Xtreme-Protector v1.06] -signature = B8 ?? ?? ?? 00 B9 75 ?? ?? 00 50 51 E8 05 00 00 00 E9 4A 01 00 00 60 8B 74 24 24 8B 7C 24 28 FC B2 80 8A 06 46 88 07 47 BB 02 00 00 00 02 D2 75 05 8A 16 46 12 D2 73 EA 02 D2 75 05 8A 16 46 12 D2 73 4F 33 C0 02 D2 75 05 8A 16 46 12 D2 0F 83 DF 00 00 00 02 D2 75 05 8A 16 46 12 D2 13 C0 02 D2 75 05 8A 16 46 12 D2 13 C0 02 D2 75 05 8A 16 46 12 D2 13 C0 02 D2 75 05 8A 16 46 12 D2 13 C0 74 06 57 2B F8 8A 07 5F 88 07 47 BB 02 00 00 00 EB 9B B8 01 00 00 00 02 D2 75 05 8A 16 46 12 D2 13 C0 02 D2 75 05 8A 16 46 12 D2 72 EA 2B C3 BB 01 00 00 00 75 28 B9 01 00 00 00 02 D2 75 05 8A 16 46 12 D2 13 C9 02 D2 75 05 8A 16 46 12 D2 72 EA 56 8B F7 2B F5 F3 A4 5E E9 4F FF FF FF 48 C1 E0 08 8A 06 46 8B E8 B9 01 00 00 00 02 D2 75 05 8A 16 46 12 D2 13 C9 02 D2 75 05 8A 16 46 12 D2 72 EA 3D 00 7D 00 00 73 1A 3D 00 05 00 00 72 0E 41 56 8B F7 2B F0 F3 A4 5E E9 0F FF FF FF 83 F8 7F 77 03 83 C1 02 56 8B F7 2B F0 F3 A4 5E E9 FA FE FF FF 8A 06 46 33 C9 C0 E8 01 74 17 83 D1 02 8B E8 56 8B F7 2B F0 F3 A4 5E BB 01 00 00 00 E9 D9 FE FF FF 2B 7C 24 28 89 7C 24 1C 61 C2 08 00 E9 ?? ?? ?? 00 E9 38 ?? ?? ?? 01 -ep_only = true - -[XCR v0.11] -signature = 60 8B F0 33 DB 83 C3 01 83 C0 01 -ep_only = true - -[XCR v0.12] -signature = 60 9C E8 ?? ?? ?? ?? 8B DD 5D 81 ED ?? ?? ?? ?? 89 9D -ep_only = true - -[XCR v0.13] -signature = 93 71 08 ?? ?? ?? ?? ?? ?? ?? ?? 8B D8 78 E2 ?? ?? ?? ?? 9C 33 C3 ?? ?? ?? ?? 60 79 CE ?? ?? ?? ?? E8 01 ?? ?? ?? ?? 83 C4 04 E8 AB FF FF FF ?? ?? ?? ?? 2B E8 ?? ?? ?? ?? 03 C5 FF 30 ?? ?? ?? ?? C6 ?? EB -ep_only = true - -[X-PEOR v0.99b] -signature = E8 ?? ?? ?? ?? 5D 8B CD 81 ED 7A 29 40 ?? 89 AD 0F 6D 40 -ep_only = true - -[y0da's Crypter v1.0] -signature = 60 E8 00 00 00 00 5D 81 ED E7 1A 40 00 E8 A1 00 00 00 E8 D1 00 00 00 E8 85 01 00 00 F7 85 -ep_only = true - -[y0da's Crypter v1.1] -signature = 60 E8 00 00 00 00 5D 81 ED 8A 1C 40 00 B9 9E 00 00 00 8D BD 4C 23 40 00 8B F7 33 -ep_only = true - -[y0da's Crypter v1.2] -signature = 60 E8 00 00 00 00 5D 81 ED F3 1D 40 00 B9 7B 09 00 00 8D BD 3B 1E 40 00 8B F7 AC ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? AA E2 CC -ep_only = true - -[y0da's Crypter v1.x / Modified] -signature = 60 E8 00 00 00 00 5D 81 ED ?? ?? ?? ?? B9 ?? ?? 00 00 8D BD ?? ?? ?? ?? 8B F7 AC -ep_only = true - -[ZCode Win32/PE Protector v1.01] -signature = E9 12 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E9 FB FF FF FF C3 68 ?? ?? ?? ?? 64 FF 35 -ep_only = true - -[*** Protector v1.1.11 (DDeM->PE Engine v0.9, DDeM->CI v0.9.2)] -signature = 53 51 56 E8 00 00 00 00 5B 81 EB 08 10 00 00 8D B3 34 10 00 00 B9 F3 03 00 00 BA 63 17 2A EE 31 16 83 C6 04 - -[Mew 10 v1.0 (Eng) -> Northfox] -signature = 33 C0 E9 ?? ?? ?? FF -ep_only = true - -[AHTeam EP Protector v0.3 -> FEUERRADER] -signature = 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 -ep_only = true - -[PECompact v2.0] -signature = B8 ?? ?? ?? ?? 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43 6F 6D 70 61 63 74 32 00 -ep_only = true -[Exe Stealth 2.75a -> WebtoolMaster] -signature = EB 58 53 68 61 72 65 77 61 72 65 2D 56 65 72 73 69 6F 6E 20 45 78 65 53 74 65 61 6C 74 68 2C 20 63 6F 6E 74 61 63 74 20 73 75 70 70 6F 72 74 40 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F 6D 20 2D 20 77 77 77 2E 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F 6D 00 90 60 90 E8 00 00 00 00 5D 81 ED F7 27 40 00 B9 15 00 00 00 83 C1 04 83 C1 01 EB 05 EB FE 83 C7 56 EB 00 EB 00 83 E9 02 81 C1 78 43 27 65 EB 00 81 C1 10 25 94 00 81 E9 63 85 00 00 B9 96 0C 00 00 90 8D BD 74 28 40 00 8B F7 AC -ep_only = True - -[AHTeam EP Protector v0.3 -> FEUERRADER] -signature = 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 -ep_only = true - -[PeCompact v2.08 ->Bitsum Technologies] -signature = B8 ?? ?? ?? ?? 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43 6F 6D -ep_only=true - -[Armadillo 3.01 - 3.50a -> Silicon Realms Toolworks] -signature = 60 E8 00 00 00 00 5D 50 51 EB 0F ?? EB 0F ?? EB 07 ?? EB 0F ?? EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC ?? 59 58 50 51 EB 0F ?? EB 0F ?? EB 07 ?? EB 0F ?? EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC ?? 59 58 50 51 EB 0F ?? EB 0F ?? EB 07 ?? EB 0F ?? EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC ?? 59 58 60 33 C9 75 02 EB 15 ?? 33 C9 75 18 7A 0C 70 0E EB 0D ?? 72 0E 79 F1 ?? ?? ?? 79 09 74 F0 ?? 87 DB 7A F0 ?? ?? 61 50 51 EB 0F ?? EB 0F ?? EB 07 ?? EB 0F ?? EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC ?? 59 58 60 9C 33 C0 E8 09 00 00 00 E8 E8 23 00 00 00 7A 23 ?? 8B 04 24 EB 03 7A 29 ?? C6 00 90 C3 ?? 70 F0 87 D2 71 07 ?? ?? 40 8B DB 7A 11 EB 08 ?? EB F7 EB C3 ?? 7A E9 70 DA 7B D1 71 F3 ?? 7B F3 71 D6 ?? 9D 61 83 ED 06 33 FF 47 60 33 C9 75 02 EB 15 ?? 33 C9 75 18 7A 0C 70 0E EB 0D ?? 72 0E 79 F1 ?? ?? ?? 79 09 74 F0 EB 87 ?? 7A F0 ?? ?? 61 8B 9C BD B8 43 -ep_only = true - -[Microsoft (R) Incremental Linker Version 5.12.8078 (MASM/TASM)] -signature= 6A 00 68 00 30 40 00 68 1E 30 40 00 6A 00 E8 0D 00 00 00 6A 00 E8 00 00 00 00 FF 25 00 20 40 00 FF 25 08 20 40 -ep_only = true - -[MinGW] -signature = 55 89 E5 83 EC 08 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? FF FF -ep_only = true - -[EXE Shield v0.x -> Smoke] -signature= E8 04 00 00 00 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00 00 00 00 5D 81 ED BC 1A 40 00 EB 01 00 8D B5 46 1B 40 00 BA B3 0A 00 00 EB 01 00 8D 8D F9 25 40 00 8B 09 E8 14 00 00 00 83 EB 01 00 8B FE E8 00 00 00 00 58 83 C0 07 50 C3 00 EB 04 58 40 50 C3 8A 06 46 EB 01 00 D0 C8 E8 14 00 00 00 83 EB 01 00 2A C2 E8 00 00 00 00 5B 83 C3 07 53 C3 00 EB 04 5B 43 53 C3 EB 01 00 32 C2 E8 0B 00 00 00 00 32 C1 EB 01 00 C0 C0 02 EB 09 2A C2 5B EB 01 00 43 53 C3 88 07 EB 01 00 47 4A 75 B4 90 -ep_only = true - -[Thinstall v2.460 -> Jitit] -signature= 55 8B EC 51 53 56 57 6A 00 6A 00 FF 15 F4 18 40 00 50 E8 87 FC FF FF 59 59 A1 94 1A 40 00 8B 40 10 03 05 90 1A 40 00 89 45 FC 8B 45 FC FF E0 5F 5E 5B C9 C3 00 00 00 76 0C 00 00 D4 0C 00 00 1E -ep_only = true - -[yoda's Protector v1.01 -> Ashkbiz Danehkar] -signature= 55 8B EC 53 56 57 E8 03 00 00 00 EB 01 -ep_only = true - -[yoda's Protector v1.0b -> Ashkbiz Danehkar] -signature= 55 8B EC 53 56 57 60 E8 00 00 00 00 5D 81 ED 4C 32 40 00 E8 03 00 00 00 EB 01 -ep_only = true - -[yoda's Protector 1.02 -> Ashkibiz Danehlar] -signature = E8 03 00 00 00 EB 01 ?? BB 55 00 00 00 E8 03 00 00 00 EB 01 ?? E8 8F 00 00 00 E8 03 00 00 00 EB 01 ?? E8 82 00 00 00 E8 03 00 00 00 EB 01 ?? E8 B8 00 00 00 E8 03 00 00 00 EB 01 ?? E8 AB 00 00 00 E8 03 00 00 00 EB 01 ?? 83 FB 55 E8 03 00 00 00 EB 01 ?? 75 2E E8 03 00 00 00 EB 01 ?? C3 60 E8 00 00 00 00 5D 81 ED 23 3F 42 00 8B D5 81 C2 72 3F 42 00 52 E8 01 00 00 00 C3 C3 E8 03 00 00 00 EB 01 ?? E8 0E 00 00 00 E8 D1 FF FF FF C3 E8 03 00 00 00 EB 01 ?? 33 C0 64 FF 30 64 89 20 CC C3 E8 03 00 00 00 EB 01 ?? 33 C0 64 FF 30 64 89 20 4B CC C3 E8 03 00 00 00 EB 01 ?? 33 DB B9 3A 66 42 00 81 E9 1D 40 42 00 8B D5 81 C2 1D 40 42 00 8D 3A 8B F7 33 C0 E8 03 00 00 00 EB 01 ?? E8 17 00 00 00 90 90 90 E9 C3 1F 00 00 33 C0 64 FF 30 64 89 20 43 CC C3 90 EB 01 ?? AC -ep_only = True - -[yoda's Protector v1.02b-> Ashkbiz Danehkar] -signature= E8 03 00 00 00 EB 01 -ep_only = true - -[yoda's Protector 1.03.1 -> Ashkibiz Danehlar] -signature = E8 03 00 00 00 EB 01 ?? BB 55 00 00 00 E8 03 00 00 00 EB 01 ?? E8 8F 00 00 00 E8 03 00 00 00 EB 01 ?? E8 82 00 00 00 E8 03 00 00 00 EB 01 ?? E8 B8 00 00 00 E8 03 00 00 00 EB 01 ?? E8 AB 00 00 00 E8 03 00 00 00 EB 01 ?? 83 FB 55 E8 03 00 00 00 EB 01 ?? 75 2E E8 03 00 00 00 EB 01 ?? C3 60 E8 00 00 00 00 5D 81 ED 74 72 42 00 8B D5 81 C2 C3 72 42 00 52 E8 01 00 00 00 C3 C3 E8 03 00 00 00 EB 01 ?? E8 0E 00 00 00 E8 D1 FF FF FF C3 E8 03 00 00 00 EB 01 ?? 33 C0 64 FF 30 64 89 20 CC C3 E8 03 00 00 00 EB 01 ?? 33 C0 64 FF 30 64 89 20 4B CC C3 E8 03 00 00 00 EB 01 ?? 33 DB B9 3F A9 42 00 81 E9 6E 73 42 00 8B D5 81 C2 6E 73 42 00 8D 3A 8B F7 33 C0 E8 03 00 00 00 EB 01 ?? E8 17 00 00 00 90 90 90 E9 98 2E 00 00 33 C0 64 FF 30 64 89 20 43 CC C3 90 EB 01 ?? AC -ep_only = True - -[yoda's cryptor 1.3 -> Ashkbiz Danehkar] -signature= 55 8B EC 53 56 57 60 E8 00 00 00 00 5D 81 ED 6C 28 40 00 B9 5D 34 40 00 81 E9 C6 28 40 00 8B D5 81 C2 C6 28 40 00 8D 3A 8B F7 33 C0 EB 04 90 EB 01 C2 AC -ep_only = true - -[ExeStealth -> WebToolMaster] -signature= EB 58 53 68 61 72 65 77 61 72 65 2D 56 65 72 73 69 6F 6E 20 45 78 65 53 74 65 61 6C 74 68 2C 20 63 6F 6E 74 61 63 74 20 73 75 70 70 6F 72 74 40 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F -ep_only = true - -[ARM Protector v0.2-> SMoKE] -signature= E8 04 00 00 00 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00 00 00 00 5D EB 01 00 81 ED 09 20 40 00 EB 02 83 09 8D B5 9A 20 40 00 EB 02 83 09 BA 0B 12 00 00 EB 01 00 8D 8D A5 32 40 00 -ep_only = true - -[MEW 10 packer v1.0 -> Northfox] -signature= 33 C0 E9 ?? ?0 -ep_only = true - -[MEW 11 SE v1.0 -> Northfox] -signature= E9 ?? ?? ?? ?? 00 00 00 02 00 00 00 0C ?0 -ep_only = true - -[MEW 11 SE v1.1 -> Northfox] -signature= E9 ?? ?? ?? ?? 0C ?? ?? ?? 00 00 00 00 00 00 00 00 -ep_only = true - -[LamCrypt v1.0 -> LaZaRuS] -signature= 60 66 9C BB 00 ?? ?? 00 80 B3 00 10 40 00 90 4B 83 FB FF 75 F3 66 9D 61 B8 -ep_only = true - -[ACProtect 1.09g -> Risco software Inc.] -signature = 60 F9 50 E8 01 00 00 00 7C 58 58 49 50 E8 01 00 00 00 7E 58 58 79 04 66 B9 B8 72 E8 01 00 00 00 7A 83 C4 04 85 C8 EB 01 EB C1 F8 BE 72 03 73 01 74 0F 81 01 00 00 00 F9 EB 01 75 F9 E8 01 00 00 -ep_only = true - -[UPXcrypter -> archphase/NWC] -signature = BF ?? ?? ?? 00 81 FF ?? ?? ?? 00 74 10 81 2F ?? 00 00 00 83 C7 04 BB 05 ?? ?? 00 FF E3 BE ?? ?? ?? 00 FF E6 00 00 00 00 -ep_only = true - -[ACProtect v1.90g -> Risco software Inc.] -signature = 60 0F 87 02 00 00 00 1B F8 E8 01 00 00 00 73 83 04 24 06 C3 -ep_only = true - -[MEW 5 1.0 -> Northfox] -signature = BE 5B 00 40 00 AD 91 AD 93 53 AD 96 56 5F AC C0 C0 -ep_only = true - -[ROD High TECH -> Ayman] -signature = 60 8B 15 1D 13 40 00 F7 E0 8D 82 83 19 00 00 E8 58 0C 00 00 -ep_only = true - -[Alex Protector v1.0 -> Alex] -signature = 60 E8 00 00 00 00 5D 81 ED 06 10 40 00 E8 24 00 00 00 EB 01 E9 8B -ep_only = true - -[Unknown Packer -> Northfox] -signature = 54 59 68 61 7A 79 -ep_only = true - -[hying's PE-Armor -> hying[CCG]] -signature = E8 AA 00 00 00 2D ?? ?? ?? 00 00 00 00 00 00 00 00 3D -ep_only= true - -[PE-Armor 0.46 -> China Cracking Group] -signature = E8 AA 00 00 00 2D ?? ?? 00 00 00 00 00 00 00 00 00 3D ?? ?? 00 2D ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B ?? ?? 00 5C ?? ?? 00 6F ?? ?? 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 A2 01 00 00 ?? ?? 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 00 00 00 00 ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 00 00 00 00 00 00 00 00 5D 81 ED 05 00 00 00 8D 75 3D 56 FF 55 31 8D B5 86 00 00 00 56 50 FF 55 2D 89 85 93 00 00 00 6A 04 68 00 10 00 00 FF B5 82 00 00 00 6A 00 FF 95 93 00 00 00 50 8B 9D 7E 00 00 00 03 DD 50 53 E8 04 00 00 00 5A 55 FF E2 60 8B 74 24 24 8B 7C 24 28 FC -ep_only = True - -[Microsoft Visual C++ v7.0] -signature = 6A 0C 68 88 BF 01 10 E8 B8 1C 00 00 33 C0 40 89 45 E4 8B 75 0C 33 FF 3B F7 75 0C 39 3D 6C 1E 12 10 0F 84 B3 00 00 00 89 7D FC 3B F0 74 05 83 FE 02 75 31 A1 98 36 12 10 3B C7 74 0C FF 75 10 56 -ep_only = true - -[North Star PE Shrinker 1.3 -> Liuxingping] -signature = 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 -ep_only = true - -[WebCops [EXE] -> LINK Data Security] -signature = EB 03 05 EB 02 EB FC 55 EB 03 EB 04 05 EB FB EB 53 E8 04 00 00 00 72 -ep_only = true - -[WebCops [DLL] -> LINK Data Security] -signature = A8 BE 58 DC D6 CC C4 63 4A 0F E0 02 BB CE F3 5C 50 23 FB 62 E7 3D 2B -ep_only = true - -[REALbasic] -signature = 55 89 E5 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 50 ?? ?? ?? ?? ?? 00 -ep_only = true - -[PowerBASIC/CC 3.0x] -signature = 55 8B EC 53 56 57 BB 00 ?? ?? 00 66 2E F7 05 ?? ?? ?? 00 04 00 0F 85 -ep_only = true - -[PowerBASIC/Win 7.0x] -signature = 55 8B EC 53 56 57 BB 00 ?? 40 00 66 2E F7 05 ?? ?? 40 00 04 00 0F 85 DB 00 00 00 -ep_only = true - -[PE Ninja v1.0 -> +DzA kRAker TNT] -signature = BE 5B 2A 40 00 BF 35 12 00 00 E8 40 12 00 00 3D 22 83 A3 C6 0F 85 67 0F 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 -ep_only = true - - -[EXE Shield v0.1b - v0.3b, v0.3 -> SMoKE] -signature = E8 04 00 00 00 83 60 EB 0C 5D EB 05 -ep_only = true - -[Themida -> Oreans Technologies 2004] -signature = B8 00 00 00 00 60 0B C0 74 58 E8 00 00 00 00 58 05 43 00 00 00 80 38 E9 75 03 61 EB 35 E8 -ep_only = true - -[Packanoid -> Arkanoid] -signature = BF 00 10 40 00 BE ?? ?? ?? 00 E8 9D 00 00 00 B8 -ep_only = true - -[Packanoid 1.0 -> ackanoid] -signature = BF 00 ?? 40 00 BE ?? ?? ?? 00 E8 9D 00 00 00 B8 ?? ?? ?? 00 8B 30 8B 78 04 BB ?? ?? ?? 00 8B 43 04 91 E3 1F 51 FF D6 56 96 8B 13 8B 02 91 E3 0D 52 51 56 FF D7 5A 89 02 83 C2 04 EB EE 83 C3 08 5E EB DB B9 ?? ?? 00 00 BE 00 ?? ?? 00 EB 01 00 BF ?? ?? ?? 00 EB 21 00 ?? ?? 00 00 ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 00 C0 00 F3 A4 E9 ?? ?? ?? 00 00 ?? ?? 00 00 ?? ?? 00 ?? ?? ?? 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 00 C0 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 FC B2 80 31 DB A4 B3 02 E8 6D 00 00 00 73 F6 31 C9 E8 64 00 00 00 73 1C 31 C0 E8 5B 00 00 00 73 23 B3 02 41 B0 10 E8 4F 00 00 00 10 C0 73 F7 75 3F AA EB D4 E8 4D 00 00 00 29 D9 75 10 E8 42 00 00 00 EB 28 AC D1 E8 74 4D 11 C9 EB 1C 91 48 C1 E0 08 AC E8 2C -ep_only = True - -[Alloy 4.x -> PGWare LLC] -signature = 9C 60 E8 02 00 00 00 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 07 30 40 00 87 DD 6A 04 68 00 10 00 00 68 00 02 00 00 6A 00 FF 95 A8 33 40 00 0B C0 0F 84 F6 01 00 00 89 85 2E 33 40 00 83 BD E8 32 40 00 01 74 0D 83 BD E4 32 40 00 01 74 2A 8B F8 EB 3E 68 D8 01 00 00 50 FF 95 CC 33 40 00 50 8D 85 28 33 40 00 50 FF B5 2E 33 40 00 FF 95 D0 33 40 00 58 83 C0 05 EB 0C 68 D8 01 00 00 50 FF 95 C0 33 40 00 8B BD 2E 33 40 00 03 F8 C6 07 5C 47 8D B5 00 33 40 00 AC 0A C0 74 03 AA EB F8 83 BD DC 32 40 00 01 74 7A 6A 00 68 80 00 00 00 6A 03 6A 00 6A 00 68 00 00 00 80 FF B5 2E 33 40 00 FF 95 B4 33 40 00 83 F8 FF 74 57 89 85 32 33 40 00 8D 85 56 33 40 00 8D 9D 5E 33 40 00 8D 8D 66 33 40 00 51 53 50 FF B5 32 33 40 00 FF 95 C4 33 40 00 FF B5 32 33 40 00 FF 95 B8 33 40 00 8B 85 -ep_only = True - -[SoftDefender 1.x -> Randy Li] -signature = 74 07 75 05 19 32 67 E8 E8 74 1F 75 1D E8 68 39 44 CD 00 59 9C 50 74 0A 75 08 E8 59 C2 04 00 55 8B EC E8 F4 FF FF FF 56 57 53 78 0F 79 0D E8 34 99 47 49 34 33 EF 31 34 52 47 23 68 A2 AF 47 01 59 E8 01 00 00 00 FF 58 05 E6 01 00 00 03 C8 74 BD 75 BB E8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -ep_only = True - -[SDProtector 1.x -> Randy Li] -signature = 55 8B EC 6A FF 68 1D 32 13 05 68 88 88 88 08 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 58 64 A3 00 00 00 00 58 58 58 58 8B E8 E8 3B 00 00 00 E8 01 00 00 00 FF 58 05 53 00 00 00 51 8B 4C 24 10 89 81 B8 00 00 00 B8 55 01 00 00 89 41 20 33 C0 89 41 04 89 41 08 89 41 0C 89 41 10 59 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 33 C0 64 FF 30 64 89 20 9C 80 4C 24 01 01 9D 90 90 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 64 8F 00 58 74 07 75 05 19 32 67 E8 E8 74 27 75 25 EB 00 EB FC 68 39 44 CD 00 59 9C 50 74 0F 75 0D E8 59 C2 04 00 55 8B EC E9 FA FF FF 0E E8 EF FF FF FF 56 57 53 78 03 79 01 E8 68 A2 AF 47 01 59 E8 01 00 00 00 FF 58 05 7B 03 00 00 03 C8 74 C4 75 C2 E8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -ep_only = True - -[ExeJoiner 1.0 -> Yoda f2f] -signature = 68 00 10 40 00 68 04 01 00 00 E8 39 03 00 00 05 00 10 40 00 C6 00 5C 68 04 01 00 00 68 04 11 40 00 6A 00 E8 1A 03 00 00 6A 00 68 80 00 00 00 6A 03 6A 00 6A 01 68 00 00 00 80 68 04 11 40 00 E8 EC 02 00 00 83 F8 FF 0F 84 83 02 00 00 A3 08 12 40 00 6A 00 50 E8 E2 02 00 00 83 F8 FF 0F 84 6D 02 00 00 A3 0C 12 40 00 8B D8 83 EB 04 6A 00 6A 00 53 FF 35 08 12 40 00 E8 E3 02 00 00 6A 00 68 3C 12 40 00 6A 04 68 1E 12 40 00 FF 35 08 12 40 00 E8 C4 02 00 00 83 EB 04 6A 00 6A 00 53 FF 35 08 12 40 00 E8 B7 02 00 00 6A 00 68 3C 12 40 00 6A 04 68 1A 12 40 00 FF 35 08 12 40 00 E8 98 02 00 00 83 EB 04 6A 00 6A 00 53 FF 35 08 12 40 00 E8 8B 02 00 00 6A 00 68 3C 12 40 00 6A 04 68 34 12 40 00 FF 35 08 12 40 00 E8 6C 02 00 00 83 EB 04 6A 00 6A 00 53 FF 35 08 12 40 00 E8 5F 02 00 00 -ep_only = True - -[EmbedPE 1.13 -> cyclotron] -signature = 83 EC 50 60 68 5D B9 52 5A E8 2F 99 00 00 DC 99 F3 57 05 68 B8 5E 2D C6 DA FD 48 63 05 3C 71 B8 5E 97 7C 36 7E 32 7C 08 4F 06 51 64 10 A3 F1 4E CF 25 CB 80 D2 99 54 46 ED E1 D3 46 86 2D 10 68 93 83 5C 46 4D 43 9B 8C D6 7C BB 99 69 97 71 2A 2F A3 38 6B 33 A3 F5 0B 85 97 7C BA 1D 96 DD 07 F8 FD D2 3A 98 83 CC 46 99 9D DF 6F 89 92 54 46 9F 94 43 CC 41 43 9B 8C 61 B9 D8 6F 96 3B D1 07 32 24 DD 07 05 8E CB 6F A1 07 5C 62 20 E0 DB BA 9D 83 54 46 E6 83 51 7A 2B 94 54 64 8A 83 05 68 D7 5E 2D C6 B7 57 00 B3 E8 3C 71 B8 3C 97 7C 36 19 32 7C 08 2A 06 51 64 73 A3 F1 4E 92 25 CB 80 8D 99 54 46 B0 E1 D3 46 A5 2D 10 68 B6 83 91 46 F2 DF 64 FD D1 BC CA AA 70 E2 AB 39 AE 3B 5A 6F 9B 15 BD 25 98 25 30 4C AD 7D 55 07 A8 A3 AC 0A C1 BD 54 72 BC 83 54 82 A3 97 B1 1A B3 83 54 46 83 -ep_only = True - -[Dual's eXe 1.0] -signature = 55 8B EC 81 EC 00 05 00 00 E8 00 00 00 00 5D 81 ED 0E 00 00 00 8D 85 08 03 00 00 89 28 33 FF 8D 85 7D 02 00 00 8D 8D 08 03 00 00 2B C8 8B 9D 58 03 00 00 E8 1C 02 00 00 8D 9D 61 02 00 00 8D B5 7C 02 00 00 46 80 3E 00 74 24 56 FF 95 0A 04 00 00 46 80 3E 00 75 FA 46 80 3E 00 74 E7 50 56 50 FF 95 0E 04 00 00 89 03 58 83 C3 04 EB E3 8D 85 24 03 00 00 50 68 1F 00 02 00 6A 00 8D 85 48 03 00 00 50 68 01 00 00 80 FF 95 69 02 00 00 83 BD 24 03 00 00 00 0F 84 8B 00 00 00 C7 85 28 03 00 00 04 00 00 00 8D 85 28 03 00 00 50 8D 85 20 03 00 00 50 8D 85 6C 03 00 00 50 6A 00 8D 85 62 03 00 00 50 FF B5 24 03 00 00 FF 95 71 02 00 00 83 BD 20 03 00 00 01 7E 02 EB 20 6A 40 8D 85 73 03 00 00 50 8D 85 82 03 00 00 50 6A 00 FF 95 61 02 00 00 6A 00 FF 95 65 02 00 00 FF 8D 20 03 00 00 FF -ep_only = True - -[Crunch v5 -> Bit-Arts] -signature = EB 15 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 68 00 00 00 00 55 E8 00 00 00 00 5D 81 ED 1D 00 00 00 8B C5 55 60 9C 2B 85 FC 07 00 00 89 85 E8 07 00 00 FF 74 24 2C E8 20 02 00 00 0F 82 94 06 00 00 E8 F3 04 00 00 49 0F 88 88 06 00 00 8B B5 E8 07 00 00 8B 56 3C 8D 8C 32 C8 00 00 00 83 39 00 74 50 8B D9 53 68 BB D4 C3 79 33 C0 50 E8 0E 04 00 00 50 8D 95 EC 07 00 00 52 6A 04 68 00 10 00 00 FF B5 E8 07 00 00 FF D0 58 5B C7 03 00 00 00 00 C7 43 04 00 00 00 00 8D 95 F0 07 00 00 52 FF B5 EC 07 00 00 68 00 10 00 00 FF B5 E8 07 00 00 FF D0 68 6C D9 B2 96 33 C0 50 E8 C1 03 00 00 89 85 ?? 46 00 00 68 EC 49 7B 79 33 C0 50 E8 AE 03 00 00 89 85 ?? 46 00 00 E8 04 06 00 00 E9 F3 05 00 00 51 52 53 33 C9 49 8B D1 33 C0 33 DB AC 32 C1 8A CD 8A EA 8A D6 B6 08 66 D1 EB 66 D1 -ep_only = True - -[Goat's PE Mutilator 1.6] -signature = E8 EA 0B 00 00 ?? ?? ?? 8B 1C 79 F6 63 D8 8D 22 B0 BF F6 49 08 C3 02 BD 3B 6C 29 46 13 28 5D 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0F 53 0F DE 0F 55 0F 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -ep_only = True - -[Vcasm-Protector 1.0] -signature = 55 8B EC 6A FF 68 ?? ?? ?? 00 68 ?? ?? ?? 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 FF 35 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 FF 35 E8 07 00 00 00 C7 83 83 C0 13 EB 0B 58 EB 02 CD 20 83 C0 02 EB 01 E9 50 C3 E8 B9 04 00 00 00 E8 1F 00 00 00 EB FA E8 16 00 00 00 E9 EB F8 00 00 58 EB 09 0F 25 E8 F2 FF FF FF 0F B9 49 75 F1 EB 05 EB F9 EB F0 D6 EB 01 0F 31 F0 EB 0C 33 C8 EB 03 EB 09 0F 59 74 05 75 F8 51 EB F1 E8 16 00 00 00 8B 5C 24 0C 8B A3 C4 00 00 00 64 8F 05 00 00 00 00 83 C4 04 EB 14 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C9 99 F7 F1 E9 E8 05 00 00 00 0F 01 EB 05 E8 EB FB 00 00 83 C4 04 B9 04 00 00 00 E8 1F 00 00 00 EB FA E8 16 00 00 00 E9 EB F8 00 00 58 EB 09 0F 25 E8 F2 FF FF FF 0F B9 -ep_only = True - -[ExeShield 3.6 -> www.exeshield.com] -signature = B8 ?? ?? ?? 00 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43 6F 6D 70 61 63 74 32 00 CE 1E 42 AF F8 D6 CC E9 FB C8 4F 1B 22 7C B4 C8 0D BD 71 A9 C8 1F 5F B1 29 8F 11 73 8F 00 D1 88 87 A9 3F 4D 00 6C 3C BF C0 80 F7 AD 35 23 EB 84 82 6F 8C B9 0A FC EC E4 82 97 AE 0F 18 D2 47 1B 65 EA 46 A5 FD 3E 9D 75 2A 62 80 60 F9 B0 0D E1 AC 12 0E 9D 24 D5 43 CE 9A D6 18 BF 22 DA 1F 72 76 B0 98 5B C2 64 BC AE D8 -ep_only = True - -[PocketPC SHA] -signature = 86 2F 96 2F A6 2F B6 2F 22 4F 43 68 53 6B 63 6A 73 69 F0 7F 0B D0 0B 40 09 00 09 D0 B3 65 A3 66 93 67 0B 40 83 64 03 64 04 D0 0B 40 09 00 10 7F 26 4F F6 6B F6 6A F6 69 0B 00 F6 68 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 22 4F F0 7F 0A D0 06 D4 06 D5 0B 40 09 00 08 D0 05 D4 06 D5 0B 40 09 00 10 7F 26 4F 0B 00 09 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 7F ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? 00 -ep_only = True - -[PocketPC MIB] -signature = E8 FF BD 27 14 00 BF AF 18 00 A4 AF 1C 00 A5 AF 20 00 A6 AF 24 00 A7 AF ?? ?? ?? 0C 00 00 00 00 18 00 A4 8F 1C 00 A5 8F 20 00 A6 8F ?? ?? ?? 0C 24 00 A7 8F ?? ?? ?? 0C 25 20 40 00 14 00 BF 8F 08 00 E0 03 18 00 BD 27 ?? FF BD 27 18 00 ?? AF ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? 00 01 3C ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8C ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 -ep_only = True - -[PocketPC ARM] -signature = F0 40 2D E9 00 40 A0 E1 01 50 A0 E1 02 60 A0 E1 03 70 A0 E1 ?? 00 00 EB 07 30 A0 E1 06 20 A0 E1 05 10 A0 E1 04 00 A0 E1 ?? ?? ?? EB F0 40 BD E8 ?? 00 00 EA ?? 40 2D E9 ?? ?? 9F E5 ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? 9F E5 00 ?? ?? ?? ?? 00 -ep_only = True - -[Hide PE 1.01 -> BGCorp] -signature = ?? BA ?? ?? ?? 00 B8 ?? ?? ?? ?? 89 02 83 C2 04 B8 ?? ?? ?? ?? 89 02 83 C2 04 B8 ?? ?? ?? ?? 89 02 83 C2 F8 FF E2 0D 0A 2D 3D 5B 20 48 69 64 65 50 45 20 62 79 20 42 47 43 6F 72 70 20 5D 3D 2D -ep_only = True - -[VMProtect 0.7x - 0.8 -> PolyTech] -signature = 5B 20 56 4D 50 72 6F 74 65 63 74 20 76 20 30 2E 38 20 28 43 29 20 50 6F 6C 79 54 65 63 68 20 5D -ep_only = False - -[PE Crypt 1.5 -> BitShape Software] -signature = 60 E8 00 00 00 00 5D 81 ED 55 20 40 00 B9 7B 09 00 00 8D BD 9D 20 40 00 8B F7 AC ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? AA E2 CC -ep_only = True - -[LameCrypt -> LaZaRus] -signature = 60 66 9C BB 00 ?? ?? 00 80 B3 00 10 40 00 90 4B 83 FB FF 75 F3 66 9D 61 B8 ?? ?? 40 00 FF E0 -ep_only = True - -[PeX 0.99 -> bart^CrackPl] -signature = E9 F5 ?? ?? ?? 0D 0A C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 -ep_only = True - -[Obsidium 1.2.0.0 -> Obsidium Software] -signature = EB 02 ?? ?? E8 3F 1E 00 00 -ep_only = True - -[Ste@lth PE 1.01 -> BGCorp] -signature = ?? ?? ?? ?? ?? BA ?? ?? ?? 00 -ep_only = True - -[GCC-Win32 / XMINGW] -signature = 55 89 e5 83 ec 08 c7 04 24 01 00 00 00 -ep_only = False - diff --git a/msfbinscan b/msfbinscan deleted file mode 100755 index 213861e254..0000000000 --- a/msfbinscan +++ /dev/null @@ -1,300 +0,0 @@ -#!/usr/bin/env ruby -# -*- coding: binary -*- -# -# $Id$ -# $Revision$ -# - -msfbase = __FILE__ -while File.symlink?(msfbase) - msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase)) -end - -$:.unshift(File.expand_path(File.join(File.dirname(msfbase), 'lib'))) -require 'msfenv' - - - -$:.unshift(ENV['MSF_LOCAL_LIB']) if ENV['MSF_LOCAL_LIB'] - -require 'metasm' -require 'rex/elfparsey' -require 'rex/elfscan' -require 'rex/machparsey' -require 'rex/machscan' -require 'rex/peparsey' -require 'rex/pescan' -require 'rex/arch/x86' -require 'optparse' - -def opt2i(o) - o.index("0x")==0 ? o.hex : o.to_i -end - -opt = OptionParser.new - -opt.banner = "Usage: #{$PROGRAM_NAME} [mode] [targets]" -opt.separator('') -opt.separator('Modes:') - -worker = nil -param = {} -files = [] -mode = "" - -opt.on('-j', '--jump [regA,regB,regC]', 'Search for jump equivalent instructions [PE|ELF|MACHO]') do |t| - # take csv of register names (like eax,ebx) and convert - # them to an array of register numbers - mode = "jump" - regnums = t.split(',').collect { |o| - begin - Rex::Arch::X86.reg_number(o) - rescue - puts "Invalid register \"#{o}\"" - exit(1) - end - } - param['args'] = regnums -end - -opt.on('-p', '--poppopret', 'Search for pop+pop+ret combinations [PE|ELF|MACHO]') do |t| - mode = "pop" - param['args'] = t -end - -opt.on('-r', '--regex [regex]', 'Search for regex match [PE|ELF|MACHO]') do |t| - mode = "regex" - param['args'] = t -end - -opt.on('-a', '--analyze-address [address]', 'Display the code at the specified address [PE|ELF]') do |t| - mode = "analyze-address" - param['args'] = opt2i(t) -end - -opt.on('-b', '--analyze-offset [offset]', 'Display the code at the specified offset [PE|ELF]') do |t| - mode = "analyze-offset" - param['args'] = opt2i(t) -end - -opt.on('-f', '--fingerprint', 'Attempt to identify the packer/compiler [PE]') do |t| - mode = "fingerprint" - param['database'] = File.join(File.dirname(msfbase), 'data', 'msfpescan', 'identify.txt') -end - -opt.on('-i', '--info', 'Display detailed information about the image [PE]') do |t| - mode = "info" -end - -opt.on('-R', '--ripper [directory]', 'Rip all module resources to disk [PE]') do |t| - mode = "ripper" - param['dir'] = t -end - -opt.on('--context-map [directory]', 'Generate context-map files [PE]') do |t| - mode = "context" - param['dir'] = t -end - -opt.separator('') -opt.separator('Options:') - -opt.on('-A', '--after [bytes]', 'Number of bytes to show after match (-a/-b) [PE|ELF|MACHO]') do |t| - param['after'] = opt2i(t) -end - -opt.on('-B', '--before [bytes]', 'Number of bytes to show before match (-a/-b) [PE|ELF|MACHO]') do |t| - param['before'] = opt2i(t) -end - -opt.on('-I', '--image-base [address]', 'Specify an alternate ImageBase [PE|ELF|MACHO]') do |t| - param['imagebase'] = opt2i(t) -end - -opt.on('-D', '--disasm', 'Disassemble the bytes at this address [PE|ELF]') do |t| - param['disasm'] = true -end - -opt.on('-F', '--filter-addresses [regex]', 'Filter addresses based on a regular expression [PE]') do |t| - param['filteraddr'] = t -end - -opt.on_tail("-h", "--help", "Show this message") do - $stderr.puts opt - exit -end - -begin - opt.parse! -rescue OptionParser::InvalidOption, OptionParser::MissingArgument - $stderr.puts "Invalid option, try -h for usage" - exit(1) -end - - -if mode.empty? - $stderr.puts "A mode must be selected" - $stderr.puts opt - exit(1) -end - -# check if the file is a directory if it is collect all the entries -ARGV.each do |file| - - if(File.directory?(file)) - dir = Dir.open(file) - dir.entries.each do |ent| - path = File.join(file, ent) - next if not File.file?(path) - files << File.join(path) - end - else - files << file - end -end - -# we need to do some work to figure out the file format -files.each do |file| - param['file'] = file - - bin = Metasm::AutoExe.decode_file(file) if not file.empty? - - if bin.kind_of?(Metasm::PE) - case mode - when "jump" - worker = Rex::PeScan::Scanner::JmpRegScanner - when "pop" - worker = Rex::PeScan::Scanner::PopPopRetScanner - when "regex" - worker = Rex::PeScan::Scanner::RegexScanner - when "analyze-address" - worker = Rex::PeScan::Search::DumpRVA - when "analyze-offset" - worker = Rex::PeScan::Search::DumpOffset - when "fingerprint" - worker = Rex::PeScan::Analyze::Fingerprint - when "info" - worker = Rex::PeScan::Analyze::Information - when "ripper" - worker = Rex::PeScan::Analyze::Ripper - when "context" - worker = Rex::PeScan::Analyze::ContextMapDumper - else - $stderr.puts("Mode unsupported by file format") - end - - pe_klass = Rex::PeParsey::Pe - begin - pe = pe_klass.new_from_file(file, true) - rescue ::Interrupt - raise $! - rescue Rex::PeParsey::FileHeaderError - next if $!.message == "Couldn't find the PE magic!" - raise $! - rescue Errno::ENOENT - $stdout.puts("File does not exist: #{file}") - next - rescue ::Rex::PeParsey::SkipError - next - rescue ::Exception => e - $stdout.puts "[#{file}] #{e.class}: #{e}" - next - end - - if (param['imagebase']) - pe.image_base = param['imagebase']; - end - - if not worker - $stderr.puts("A mode could not be set for this file.") - next - end - - o = worker.new(pe) - o.scan(param) - - pe.close - - elsif bin.kind_of?(Metasm::ELF) - case mode - when "jump" - worker = Rex::ElfScan::Scanner::JmpRegScanner - when "pop" - worker = Rex::ElfScan::Scanner::PopPopRetScanner - when "regex" - worker = Rex::ElfScan::Scanner::RegexScanner - when "analyze-address" - worker = Rex::ElfScan::Search::DumpRVA - when "analyze-offset" - worker = Rex::ElfScan::Search::DumpOffset - else - $stderr.puts("Mode unsupported by file format") - end - - begin - elf = Rex::ElfParsey::Elf.new_from_file(file, true) - rescue Rex::ElfParsey::ElfHeaderError - if $!.message == 'Invalid magic number' - $stderr.puts("Skipping #{file}: #{$!}") - next - end - raise $! - rescue Errno::ENOENT - $stderr.puts("File does not exist: #{file}") - next - end - - if (param['imagebase']) - elf.base_addr = param['imagebase']; - end - - if not worker - $stderr.puts("A mode could not be set for this file.") - next - end - - o = worker.new(elf) - o.scan(param) - - elf.close - - elsif bin.kind_of?(Metasm::MachO) - case mode - when "jump" - worker = Rex::MachScan::Scanner::JmpRegScanner - when "pop" - worker = Rex::MachScan::Scanner::PopPopRetScanner - when "regex" - worker = Rex::MachScan::Scanner::RegexScanner - else - $stderr.puts("Mode unsupported by file format") - end - - begin - mach = Rex::MachParsey::Mach.new_from_file(file, true) - o = worker.new(mach) - o.scan(param) - mach.close - rescue Rex::MachParsey::MachHeaderError - $stderr.puts("File is not a Mach-O binary, trying Fat..\n") - begin - fat = Rex::MachParsey::Fat.new_from_file(file, true) - o = worker.new(fat) - o.scan(param) - fat.close - rescue - $stderr.puts("Error: " + $!.to_s) - $stderr.puts("Skipping #{file}") - end - rescue Errno::ENOENT - $stderr.puts("File does not exist: #{file}") - next - end - end - - if not worker - $stderr.puts("Unsupported file format") - $stderr.puts("Skipping #{file}") - next - end -end diff --git a/msfelfscan b/msfelfscan deleted file mode 100755 index 4d9c0d0312..0000000000 --- a/msfelfscan +++ /dev/null @@ -1,135 +0,0 @@ -#!/usr/bin/env ruby -# -*- coding: binary -*- -# -# $Id$ -# $Revision$ -# - -msfbase = __FILE__ -while File.symlink?(msfbase) - msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase)) -end - -$:.unshift(File.expand_path(File.join(File.dirname(msfbase), 'lib'))) -require 'msfenv' - - - -$:.unshift(ENV['MSF_LOCAL_LIB']) if ENV['MSF_LOCAL_LIB'] - -require 'rex/elfparsey' -require 'rex/elfscan' -require 'rex/arch/x86' -require 'optparse' - -def opt2i(o) - o.index("0x")==0 ? o.hex : o.to_i -end - -opt = OptionParser.new - -opt.banner = "Usage: #{$PROGRAM_NAME} [mode] [targets]" -opt.separator('') -opt.separator('Modes:') - -worker = nil -param = {} - -opt.on('-j', '--jump [regA,regB,regC]', 'Search for jump equivalent instructions') do |t| - # take csv of register names (like eax,ebx) and convert - # them to an array of register numbers - regnums = t.split(',').collect { |o| - begin - Rex::Arch::X86.reg_number(o) - rescue - puts "Invalid register \"#{o}\"" - exit(1) - end - } - worker = Rex::ElfScan::Scanner::JmpRegScanner - param['args'] = regnums -end - -opt.on('-p', '--poppopret', 'Search for pop+pop+ret combinations') do |t| - worker = Rex::ElfScan::Scanner::PopPopRetScanner - param['args'] = t -end - -opt.on('-r', '--regex [regex]', 'Search for regex match') do |t| - worker = Rex::ElfScan::Scanner::RegexScanner - param['args'] = t -end - -opt.on('-a', '--analyze-address [address]', 'Display the code at the specified address') do |t| - worker = Rex::ElfScan::Search::DumpRVA - param['args'] = opt2i(t) -end - -opt.on('-b', '--analyze-offset [offset]', 'Display the code at the specified offset') do |t| - worker = Rex::ElfScan::Search::DumpOffset - param['args'] = opt2i(t) -end - -opt.separator('') -opt.separator('Options:') - -opt.on('-A', '--after [bytes]', 'Number of bytes to show after match (-a/-b)') do |t| - param['after'] = opt2i(t) -end - -opt.on('-B', '--before [bytes]', 'Number of bytes to show before match (-a/-b)') do |t| - param['before'] = opt2i(t) -end - -opt.on('-D', '--disasm', 'Disassemble the bytes at this address') do |t| - param['disasm'] = true -end - -opt.on('-I', '--image-base [address]', 'Specify an alternate ImageBase') do |t| - param['imagebase'] = opt2i(t) -end - -opt.on_tail("-h", "--help", "Show this message") do - puts opt - exit -end - -begin - opt.parse! -rescue OptionParser::InvalidOption - puts "Invalid option, try -h for usage" - exit(1) -end - -if (! worker) - puts opt - exit(1) -end - -ARGV.each do |file| - - param['file'] = file - - begin - elf = Rex::ElfParsey::Elf.new_from_file(file, true) - rescue Rex::ElfParsey::ElfHeaderError - if $!.message == 'Invalid magic number' - $stderr.puts("Skipping #{file}: #{$!}") - next - end - raise $! - rescue Errno::ENOENT - $stderr.puts("File does not exist: #{file}") - next - end - - if (param['imagebase']) - elf.base_addr = param['imagebase']; - end - - o = worker.new(elf) - o.scan(param) - - elf.close - -end diff --git a/msfmachscan b/msfmachscan deleted file mode 100755 index 4b0ba7c497..0000000000 --- a/msfmachscan +++ /dev/null @@ -1,116 +0,0 @@ -#!/usr/bin/env ruby -# -*- coding: binary -*- -# -# $Id$ -# $Revision$ -# - -msfbase = __FILE__ -while File.symlink?(msfbase) - msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase)) -end - -$:.unshift(File.expand_path(File.join(File.dirname(msfbase), 'lib'))) -require 'msfenv' - - - -$:.unshift(ENV['MSF_LOCAL_LIB']) if ENV['MSF_LOCAL_LIB'] - -require 'rex/machparsey' -require 'rex/machscan' -require 'rex/arch/x86' -require 'optparse' - - -def opt2i(o) - o.index("0x")==0 ? o.hex : o.to_i -end - -opt = OptionParser.new - -opt.banner = "Usage: #{$PROGRAM_NAME} [mode] [targets]" -opt.separator('') -opt.separator('Modes:') - -worker = nil -param = {} - -opt.on('-j', '--jump [regA,regB,regC]', 'Search for jump equivalent instructions') do |t| - # take csv of register names (like eax,ebx) and convert - # them to an array of register numbers - regnums = t.split(',').collect { |o| - begin - Rex::Arch::X86.reg_number(o) - rescue - puts "Invalid register \"#{o}\"" - exit(1) - end - } - worker = Rex::MachScan::Scanner::JmpRegScanner - param['args'] = regnums -end - -opt.on('-p', '--poppopret', 'Search for pop+pop+ret combinations') do |t| - worker = Rex::MachScan::Scanner::PopPopRetScanner - param['args'] = t -end - -opt.on('-r', '--regex [regex]', 'Search for regex match') do |t| - worker = Rex::MachScan::Scanner::RegexScanner - param['args'] = t -end - -opt.separator('') -opt.separator('Options:') - -opt.on('-A', '--after [bytes]', 'Number of bytes to show after match (-a/-b)') do |t| - param['after'] = opt2i(t) -end - -opt.on('-B', '--before [bytes]', 'Number of bytes to show before match (-a/-b)') do |t| - param['before'] = opt2i(t) -end - -opt.on('-I', '--image-base [address]', 'Specify an alternate ImageBase') do |t| - param['imagebase'] = opt2i(t) -end - -opt.on_tail("-h", "--help", "Show this message") do - puts opt - exit -end - -begin - opt.parse! -rescue OptionParser::InvalidOption - puts "Invalid option, try -h for usage" - exit(1) -end - -if (! worker) - puts opt - exit(1) -end - -ARGV.each do |file| - - param['file'] = file - - begin - mach = Rex::MachParsey::Mach.new_from_file(file, true) - o = worker.new(mach) - o.scan(param) - mach.close - rescue Rex::MachParsey::MachHeaderError - $stderr.puts("File is not a Mach-O binary, trying Fat..\n") - fat = Rex::MachParsey::Fat.new_from_file(file, true) - o = worker.new(fat) - o.scan(param) - fat.close - rescue Errno::ENOENT - $stderr.puts("File does not exist: #{file}") - next - end -end - diff --git a/msfpescan b/msfpescan deleted file mode 100755 index e7819dc92d..0000000000 --- a/msfpescan +++ /dev/null @@ -1,199 +0,0 @@ -#!/usr/bin/env ruby -# -*- coding: binary -*- -# -# $Id$ -# $Revision$ -# - -msfbase = __FILE__ -while File.symlink?(msfbase) - msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase)) -end - -$:.unshift(File.expand_path(File.join(File.dirname(msfbase), 'lib'))) -require 'msfenv' - - - -$:.unshift(ENV['MSF_LOCAL_LIB']) if ENV['MSF_LOCAL_LIB'] - -require 'rex/peparsey' -require 'rex/pescan' -require 'rex/arch/x86' -require 'optparse' - -def opt2i(o) - o.index("0x")==0 ? o.hex : o.to_i -end - - -# -# Right now this program is a bit shakey... -# -# - It tries to error on the side of caution, so it will try for a -# false negative vs a false positive. -# - It doesn't account for the entire PE image neccesairly -# - It wouldn't find hits that overlap sections -# - etc etc -# - -opt = OptionParser.new - -opt.banner = "Usage: #{$PROGRAM_NAME} [mode] [targets]" -opt.separator('') -opt.separator('Modes:') - -worker = nil -param = {} - -pe_klass = Rex::PeParsey::Pe - -opt.on('-j', '--jump [regA,regB,regC]', 'Search for jump equivalent instructions') do |t| - # take csv of register names (like eax,ebx) and convert - # them to an array of register numbers - regnums = t.split(',').collect { |o| - begin - Rex::Arch::X86.reg_number(o) - rescue - puts "Invalid register \"#{o}\"" - exit(1) - end - } - worker = Rex::PeScan::Scanner::JmpRegScanner - param['args'] = regnums -end - -opt.on('-p', '--poppopret', 'Search for pop+pop+ret combinations') do |t| - worker = Rex::PeScan::Scanner::PopPopRetScanner - param['args'] = t -end - -opt.on('-r', '--regex [regex]', 'Search for regex match') do |t| - worker = Rex::PeScan::Scanner::RegexScanner - param['args'] = t -end - -opt.on('-a', '--analyze-address [address]', 'Display the code at the specified address') do |t| - worker = Rex::PeScan::Search::DumpRVA - param['args'] = opt2i(t) -end - -opt.on('-b', '--analyze-offset [offset]', 'Display the code at the specified offset') do |t| - worker = Rex::PeScan::Search::DumpOffset - param['args'] = opt2i(t) -end - -opt.on('-f', '--fingerprint', 'Attempt to identify the packer/compiler') do |t| - worker = Rex::PeScan::Analyze::Fingerprint - param['database'] = File.join(File.dirname(msfbase), 'data', 'msfpescan', 'identify.txt') -end - -opt.on('-i', '--info', 'Display detailed information about the image') do |t| - worker = Rex::PeScan::Analyze::Information -end - -opt.on('-R', '--ripper [directory]', 'Rip all module resources to disk ') do |t| - worker = Rex::PeScan::Analyze::Ripper - param['dir'] = t -end - -opt.on('--context-map [directory]', 'Generate context-map files') do |t| - worker = Rex::PeScan::Analyze::ContextMapDumper - param['dir'] = t -end - -opt.separator('') -opt.separator('Options:') - -opt.on('-M', '--memdump', 'The targets are memdump.exe directories') do |t| - pe_klass = Rex::PeParsey::PeMemDump -end - - -opt.on('-A', '--after [bytes]', 'Number of bytes to show after match (-a/-b)') do |t| - param['after'] = opt2i(t) -end - -opt.on('-B', '--before [bytes]', 'Number of bytes to show before match (-a/-b)') do |t| - param['before'] = opt2i(t) -end - -opt.on('-D', '--disasm', 'Disassemble the bytes at this address') do |t| - param['disasm'] = true -end - -opt.on('-I', '--image-base [address]', 'Specify an alternate ImageBase') do |t| - param['imagebase'] = opt2i(t) -end - -opt.on('-F', '--filter-addresses [regex]', 'Filter addresses based on a regular expression') do |t| - param['filteraddr'] = t -end - -opt.on_tail("-h", "--help", "Show this message") do - puts opt - exit -end - -begin - opt.parse! -rescue OptionParser::InvalidOption - puts "Invalid option, try -h for usage" - exit(1) -end - -if (! worker) - puts opt - exit(1) -end - - -files = [] - -ARGV.each do |file| - - if(File.directory?(file)) - dir = Dir.open(file) - dir.entries.each do |ent| - path = File.join(file, ent) - next if not File.file?(path) - files << File.join(path) - end - else - files << file - end -end - -files.each do |file| - $stdout.puts "" - - param['file'] = file - - begin - pe = pe_klass.new_from_file(file, true) - rescue ::Interrupt - raise $! - rescue Rex::PeParsey::FileHeaderError - next if $!.message == "Couldn't find the PE magic!" - raise $! - rescue Errno::ENOENT - $stdout.puts("File does not exist: #{file}") - next - rescue ::Rex::PeParsey::SkipError - next - rescue ::Exception => e - $stdout.puts "[#{file}] #{e.class}: #{e}" - next - end - - if (param['imagebase']) - pe.image_base = param['imagebase']; - end - - o = worker.new(pe) - o.scan(param) - - pe.close - -end -$stdout.puts "" From 42b1ced4fb4db54cd642c0f443475ec7bd1df69b Mon Sep 17 00:00:00 2001 From: David Maloney Date: Tue, 16 Aug 2016 09:33:09 -0500 Subject: [PATCH 3/3] remove *scan from gemspec bins update the gemspec so that it doesn't try to build binstubs for the *scan bins MS-1691 --- metasploit-framework.gemspec | 4 ---- 1 file changed, 4 deletions(-) diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec index 14eeb610f4..98615cc860 100644 --- a/metasploit-framework.gemspec +++ b/metasploit-framework.gemspec @@ -30,12 +30,8 @@ Gem::Specification.new do |spec| spec.bindir = '.' if ENV['CREATE_BINSTUBS'] spec.executables = [ - 'msfbinscan', 'msfconsole', 'msfd', - 'msfelfscan', - 'msfmachscan', - 'msfpescan', 'msfrop', 'msfrpc', 'msfrpcd',