PDA

View Full Version : Two PE detector,Why two detections?


Hero
April 9th, 2005, 05:05
Hi all
I try a program with two PE tools,PEid and TrId.But I get a strange result:
PEid return file signature as Borland Delphi 3.0,But The highest percent that
TrId returned was PECompact!TrId return Borland Delphi too,but with a ver
low percent.
How this is possible?Because all of program should have special signature,isn't it?
Then Why this strange result will happen?

sincerely yours

Admiral
April 9th, 2005, 19:26
Packed programs don't have special signatures as such. Different binaries packed with the same packer will generally look quite different, even in the areas that are supposed to be characteristic of the packer in question. This is why TrID gives you a percentage resemblance rather than a concrete answer.

Maybe PECompact is designed with PEiD's algorithm in mind such that its targets are made to look like Borland Delphi 3.0? Then again, maybe it's just a coincidence.
If I were you, I'd Google the result. It's probable sombody has been in this situation before and has succeeded in identifying the packer.
If that fails, I guess you'll have to play around with both possibilities (bearing in mind that it may well be neither) to get a better idea of what stands between you and your target.

MrAnonymous
April 10th, 2005, 01:54
Packers generally (not always) have a consistant pattern of bytes at the EP, thats one of the ways PEiD detects packers/protectors. I would look at what sections are in the files, and the EP Section. If its a Delphi than the the EP section should be CODE. Disasmble the file, judging by the text strings you should easily beable to see if its packed or not.