Detect-It-Easy/db/PE/AHTeam_EP_Protector.2.sg

// Detect It Easy: detection rule file

init("protector", "AHTeam EP Protector");

function detect() {
    if (PE.compareEP("90") && PE.compareEP("90FFE0", 47)) {
        sVersion = "0.3";
        bDetected = true;

        if (PE.compareEP("60E8........5EB9000000002BC0", 50)) {
            sOptions = "fake k.kryptor 9/kryptor a";
        } else if (PE.compareEP("6A0068........E8........BF", 50)) {
            sOptions = "fake Microsoft Visual C++ 7.0";
        } else switch (PE.getEPSignature(50, 14)) {
            case "60E803000000E9EB045D4555C3E8":
                sOptions = "fake ASPack 2.12";
                break;
            case "60E801000000905D81ED00000000":
                sOptions = "fake ASProtect 1.0";
                break;
            case "538BD833C0A3000000006A00E800":
                sOptions = "fake Borland Delphi 6.0-7.0";
                break;
            case "FC5550E8000000005DEB01E360E8":
                sOptions = "fake PCGuard 4.03-4.15";
                break;
            case "EB03CD20C71EEB03CD20EA9CEB02":
                sOptions = "fake PE Lock NT 2.04";
                break;
            case "E8000000005B83EB05EB04524E44":
                sOptions = "fake PE-Crypt 1.02";
                break;
            case "60E800000000414E414B494E5D83":
                sOptions = "fake PESHiELD 2.x";
                break;
            case "B800000000680000000064FF3500":
                sOptions = "fake PEtite 2.2";
                break;
            case "9C608B442424E8000000005D81ED":
                sOptions = "fake Spalsher 1.x-3.x";
                break;
            case "535152565755E8000000005D81ED":
                sOptions = "fake Stone's PE Encryptor 2.0";
                break;
            case "60E8000000005D81ED06000000EB":
                sOptions = "fake SVKP 1.3x";
                break;
            case "E90000000060E8000000005883C0":
                sOptions = "fake tElock 0.61";
                break;
            case "EB16A85400004741424C4B434743":
                sOptions = "fake VIRUS/I-Worm Hybris";
                break;
            case "5F81EF00000000BE000040008B87":
                sOptions = "fake VOB ProtectCD";
                break;
            case "E8000000005D8100000000006A45":
                sOptions = "fake Xtreme-Protector 1.05";
                break;
            case "E912000000000000000000000000":
                sOptions = "fake ZCode 1.01";
                break;
        }
    } else if (PE.compareEP("55908bec906aff9090")) {
        sVersion = "0.3";
        sOptions = "alt";
        bDetected = true;
    }

    return result();
}