mirrors/Detect-It-Easy
2
0
Fork 0
mirror of https://github.com/horsicq/Detect-It-Easy.git synced 2026-06-24 01:54:08 +00:00
Code Issues Projects Releases Packages Wiki Activity
Detect-It-Easy/db/PE/protector_AHTeam_EP_Protector.2.sg
DosX 6767b50dbf Remove line breaks
2026-05-25 21:03:46 +03:00

40 lines
No EOL
2.2 KiB
JavaScript
Executable file
Raw Permalink Blame History

// Detect It Easy: detection rule file
// Author: horsicq <horsicq@gmail.com>
meta("protector", "AHTeam EP Protector");
function detect() {
if (PE.compareEP("90") && PE.compareEP("90FFE0", 47)) {
sVersion = "0.3";
bDetected = true;
if (PE.compareEP("60E8........5EB9000000002BC0", 50)) {
sOptions = "fake k.kryptor 9/kryptor a";
} else if (PE.compareEP("6A0068........E8........BF", 50)) {
sOptions = "fake Microsoft Visual C++ 7.0";
} else switch (PE.getEntryPointSignature(50, 14)) {
case "60E803000000E9EB045D4555C3E8": sOptions = "fake ASPack 2.12"; break;
case "60E801000000905D81ED00000000": sOptions = "fake ASProtect 1.0"; break;
case "538BD833C0A3000000006A00E800": sOptions = "fake Borland Delphi 6.0-7.0"; break;
case "FC5550E8000000005DEB01E360E8": sOptions = "fake PCGuard 4.03-4.15"; break;
case "EB03CD20C71EEB03CD20EA9CEB02": sOptions = "fake PE Lock NT 2.04"; break;
case "E8000000005B83EB05EB04524E44": sOptions = "fake PE-Crypt 1.02"; break;
case "60E800000000414E414B494E5D83": sOptions = "fake PESHiELD 2.X"; break;
case "B800000000680000000064FF3500": sOptions = "fake PEtite 2.2"; break;
case "9C608B442424E8000000005D81ED": sOptions = "fake Spalsher 1.X-3.X"; break;
case "535152565755E8000000005D81ED": sOptions = "fake Stone's PE Encryptor 2.0"; break;
case "60E8000000005D81ED06000000EB": sOptions = "fake SVKP 1.3X"; break;
case "E90000000060E8000000005883C0": sOptions = "fake tElock 0.61"; break;
case "EB16A85400004741424C4B434743": sOptions = "fake VIRUS/I-Worm Hybris"; break;
case "5F81EF00000000BE000040008B87": sOptions = "fake VOB ProtectCD"; break;
case "E8000000005D8100000000006A45": sOptions = "fake Xtreme-Protector 1.05"; break;
case "E912000000000000000000000000": sOptions = "fake ZCode 1.01"; break;
}
} else if (PE.compareEP("55908bec906aff9090")) {
sVersion = "0.3";
sOptions = "alt";
bDetected = true;
}
return result();
}
Reference in a new issue View git blame Copy permalink