new hasp envelope? unknown PE packer [Archive] - RCE Messageboard's Regroupment

fritzfs

October 3rd, 2013, 14:01

Hi ppl! Long time no see :-)

Today I've come across target which uses sentinel hasp (run-time environment installer 5.90 from 2009).

PE sections looks weird to me. I have:

Code:



.text

CONST

.rdata

.data

.rsrc

pbm6thw3

zf41d72o

hsjh6lom

Entrypoint is at section pbm6thw3. PEiD identifies this as "UPX 1.03 - 1.04 -> Markus & Laszlo [Overlay]", but obviously it's not. I've used public external database (http://handlers.sans.org/jclausing/userdb.txt) for PEiD, but it didn't identified anything (Nothing found [Overlay] *).

Anyone recognizes this? I suppose this isn't related to old hasp envelope and it's .protect section?

Thanks!

fritzfs

October 4th, 2013, 04:29

Quote:

[Originally Posted by fritzfs;95515]Hi ppl! Long time no see :-)

Today I've come across target which uses sentinel hasp (run-time environment installer 5.90 from 2009).

PE sections looks weird to me. I have:

Code:

.text
CONST
.rdata
.data
.rsrc
pbm6thw3
zf41d72o
hsjh6lom

Entrypoint is at section pbm6thw3. PEiD identifies this as "UPX 1.03 - 1.04 -> Markus & Laszlo [Overlay]", but obviously it's not. I've used public external database (http://handlers.sans.org/jclausing/userdb.txt) for PEiD, but it didn't identified anything (Nothing found [Overlay] *).

Anyone recognizes this? I suppose this isn't related to old hasp envelope and it's .protect section?

Thanks!

Nah, friend gave me a hint to try with ProtectionID. I've identified it as execryptor. Case closed.