Database update

This commit is contained in:
DosX 2024-11-20 21:16:02 +03:00
commit 206cfc7547
3 changed files with 37 additions and 41 deletions


@ -53,13 +53,13 @@ function detect() {
while (nOffset < Binary.getSize()) {
sFileName = Binary.getString(nOffset, 0x10).trim();
nOffset += 0x10;
nOffset += 0x0C; //modification_timestamp
nOffset += 0x06; //ownerID
nOffset += 0x06; //groupID
nOffset += 0x08; //fileMode
nOffset += 0x0C; // modification_timestamp
nOffset += 0x06; // ownerID
nOffset += 0x06; // groupID
nOffset += 0x08; // fileMode
nFileSize = parseInt(Binary.getString(nOffset, 0x0A));
nOffset += 0x0A;
nOffset += 0x02; //endMarker
nOffset += 0x02; // endMarker
switch (sFileName) {
case "/":
ParseLibInfo();


@ -3,23 +3,6 @@
init("protector", "Arxan");
function skipJumpsAndNops(offset) {
var rva = PE.OffsetToRVA(offset);
while (true) {
var byte = PE.readByte(PE.RVAToOffset(rva));
if (byte == 0xE9)
rva += PE.readSDword(PE.RVAToOffset(rva + 1)) + 5;
else if (byte == 0xEB)
rva += PE.readSByte(PE.RVAToOffset(rva + 1)) + 2;
else if (byte == 0x90)
rva++;
else
break;
}
return PE.RVAToOffset(rva);
}
function detect() {
if (PE.is64() && !PE.isNET()) {
if (PE.compareEP("40 50 40 51 40 52 40 53 55 56 57 9C 48 83 EC 38 FC B8 01 00 00 00 B9 FF FF 00 00 E0 FE")) {
@ -27,48 +10,37 @@ function detect() {
sVersion = "GuardIT ~2013";
} else {
var ep = skipJumpsAndNops(PE.getEntryPointOffset()),
rva = -1;
if (PE.compare("48 83 EC 28 E8", ep))
rva = PE.OffsetToRVA(ep) + PE.readSDword(ep + 5) + 9;
else
rva = PE.OffsetToRVA(ep);
rva = PE.compare("48 83 EC 28 E8", ep) ? PE.OffsetToRVA(ep) + PE.readSDword(ep + 5) + 9 : PE.OffsetToRVA(ep);
if (rva != -1) {
var addr = PE.OffsetToVA(PE.RVAToOffset(rva));
const limit = 32;
var pushCount = 0;
for (var i = 0; i < limit; i++) {
var disasm = PE.getDisasmString(addr);
if (disasm.indexOf("PUSH") != 0)
break;
if (PE.getDisasmString(addr).indexOf("PUSH") !== 0) break;
pushCount++;
addr = PE.getDisasmNextAddress(addr);
}
if (pushCount > 3 && PE.getDisasmString(addr).indexOf("LEA RSP,") == 0) {
if (pushCount > 3 && PE.getDisasmString(addr).indexOf("LEA RSP,") === 0) {
addr = PE.getDisasmNextAddress(addr);
var movupdCount = 0;
for (var i = 0; i < limit; i++) {
var disasm = PE.getDisasmString(addr);
if (disasm.indexOf("MOVUPD") != 0)
break;
if (PE.getDisasmString(addr).indexOf("MOVUPD") !== 0) break;
movupdCount++;
addr = PE.getDisasmNextAddress(addr);
}
if (movupdCount > 0 &&
PE.getDisasmString(addr) == "PUSH 0X10" &&
PE.getDisasmString(PE.getDisasmNextAddress(addr)) == "TEST RSP, 0XF") {
PE.getDisasmString(addr) === "PUSH 0X10" &&
PE.getDisasmString(PE.getDisasmNextAddress(addr)) === "TEST RSP, 0XF") {
bDetected = true;
sVersion = "GuardIT ";
if (pushCount < 14 || movupdCount < 16)
sVersion += "12.0+";
else
sVersion += "2014-2021";
sVersion += (pushCount < 14 || movupdCount < 16) ? "12.0+" : "2014-2021";
}
}
}
@ -77,3 +49,21 @@ function detect() {
return result();
}
function skipJumpsAndNops(offset) {
var rva = PE.OffsetToRVA(offset);
while (true) {
const byte = PE.readByte(PE.RVAToOffset(rva));
if (byte === 0xE9) {
rva += PE.readSDword(PE.RVAToOffset(rva + 1)) + 5;
} else if (byte === 0xEB) {
rva += PE.readSByte(PE.RVAToOffset(rva + 1)) + 2;
} else if (byte === 0x90) {
rva++;
} else {
break;
}
}
return PE.RVAToOffset(rva);
}
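Review bot: The `skipJumpsAndNops` moved into this hunk can spin forever on untrusted input, because `while (true)` has no iteration bound and a short jump with displacement -2 (`EB FE`, a jump-to-self) leaves `rva` unchanged on every pass; a cycle of `E9` jumps has the same effect. The walk should be capped like the `limit`-bounded scans in `detect()` and should break as soon as a hop makes no progress. A jump target outside the image is also unchecked; what `PE.RVAToOffset` returns for such an RVA is not visible here, so any guard on its result needs confirming against the engine's API. In the earlier hunk the `rva = -1` initialiser is now redundant since the ternary assigns `rva` on both branches, and the `!= -1` test only still matters if `PE.OffsetToRVA` can itself return -1.
```javascript
function skipJumpsAndNops(offset) {
    var rva = PE.OffsetToRVA(offset);
    // Bounded walk: a jump-to-self (EB FE) or a jump cycle would otherwise never exit.
    for (var hops = 0; hops < 64; hops++) {
        const byte = PE.readByte(PE.RVAToOffset(rva));
        var next;
        if (byte === 0xE9) {
            next = rva + PE.readSDword(PE.RVAToOffset(rva + 1)) + 5;
        } else if (byte === 0xEB) {
            next = rva + PE.readSByte(PE.RVAToOffset(rva + 1)) + 2;
        } else if (byte === 0x90) {
            next = rva + 1;
        } else {
            break;
        }
        if (next === rva) break; // no progress: the jump targets itself
        rva = next;
    }
    return PE.RVAToOffset(rva);
}
```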


@ -46,6 +46,12 @@ function result() {
sName = String();
sVersion = String();
sOptions = String();
var resultValue = bDetected;
bDetected = false;
return resultValue;
}
/**