
new hasp envelope? unknown PE packer

This forum focuses on analyzing malware and any aspects of dealing with packer protections.
fritzfs
Junior Member
Posts: 2
Joined: Thu Oct 03, 2013 1:44 pm


Post by fritzfs »

Hi ppl! Long time no see :-)

Today I've come across a target which uses Sentinel HASP (run-time environment installer 5.90 from 2009).

The PE sections look weird to me. I have:


.text
CONST
.rdata
.data
.rsrc
pbm6thw3
zf41d72o
hsjh6lom
The entry point is in section pbm6thw3. PEiD identifies this as "UPX 1.03 - 1.04 -> Markus & Laszlo [Overlay]", but obviously it isn't. I've used the public external database (http://handlers.sans.org/jclausing/userdb.txt) for PEiD, but it didn't identify anything (Nothing found [Overlay] *).

Does anyone recognize this? I suppose this isn't related to the old HASP envelope and its .protect section?

Thanks!
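The triage the post describes (which section holds the entry point, which section names are not ones a normal toolchain emits, which sections are both writable and executable) can be done from the section table alone without trusting a signature database. Below is an added example, not code from the thread: a minimal PE32 section-table parser plus a small helper that builds a constructed, non-loadable header skeleton mirroring the section layout quoted above, so the parser can be exercised offline. The section RVAs, sizes and characteristics in the sample are made up; only the names and the entry-point section come from the post.

```python
import struct

# Section names a stock MSVC/MinGW build emits; anything else deserves a look.
COMMON_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                   ".edata", ".pdata", ".bss", ".tls", ".CRT", "CONST"}
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000

def parse_sections(pe: bytes):
    """Return (AddressOfEntryPoint, [(name, VirtualAddress, VirtualSize, Characteristics)])."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]                  # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, pe_off + 4)  # COFF header
    entry = struct.unpack_from("<I", pe, pe_off + 24 + 16)[0]        # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        off = pe_off + 24 + opt_size + 40 * i                        # 40-byte IMAGE_SECTION_HEADER
        name = pe[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, vaddr = struct.unpack_from("<II", pe, off + 8)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append((name, vaddr, vsize, chars))
    return entry, sections

def triage(pe: bytes) -> dict:
    """Packer hints: section holding the entry point, odd names, writable+executable sections."""
    entry, secs = parse_sections(pe)
    ep_sec = next((n for n, va, vs, _ in secs if va <= entry < va + vs), None)
    return {
        "entry_section": ep_sec,
        "odd_names": [n for n, *_ in secs if n not in COMMON_SECTIONS],
        "wx_sections": [n for n, _, _, c in secs if c & IMAGE_SCN_MEM_EXECUTE and c & IMAGE_SCN_MEM_WRITE],
        "suspicious": ep_sec is None or ep_sec not in COMMON_SECTIONS,
    }

def build_pe(sections, entry_rva: int) -> bytes:
    """Constructed, non-loadable PE32 header skeleton used only to exercise the parser."""
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0); struct.pack_into("<H", opt, 0, 0x10B)   # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"),
                                vs, va, vs, 0, 0, 0, 0, 0, ch) for n, va, vs, ch in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs

# Constructed layout mirroring the post: five normal sections, then three random-named ones.
SAMPLE = build_pe([(".text", 0x1000, 0x8000, 0x60000020), ("CONST", 0x9000, 0x1000, 0x40000040),
                   (".rdata", 0xA000, 0x2000, 0x40000040), (".data", 0xC000, 0x3000, 0xC0000040),
                   (".rsrc", 0xF000, 0x1000, 0x40000040), ("pbm6thw3", 0x10000, 0x5000, 0xE0000020),
                   ("zf41d72o", 0x15000, 0x1000, 0xE0000040), ("hsjh6lom", 0x16000, 0x1000, 0xE0000040)],
                  entry_rva=0x10200)
```

Running `triage(SAMPLE)` reports the entry point inside pbm6thw3 and all three random-named sections as both writable and executable, which is the pattern that should push you toward a protector rather than a plain UPX match, regardless of what a signature scanner says.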
fritzfs
Junior Member
Posts: 2
Joined: Thu Oct 03, 2013 1:44 pm

Post by fritzfs »

Nah, a friend gave me a hint to try ProtectionID. I've identified it as ExeCryptor. Case closed.