new hasp envelope? unknown PE packer


fritzfs
October 3rd, 2013, 14:01
Hi ppl! Long time no see :-)

Today I've come across a target which uses Sentinel HASP (run-time environment installer 5.90 from 2009).

PE sections look weird to me. I have:

Code:

.text
CONST
.rdata
.data
.rsrc
pbm6thw3
zf41d72o
hsjh6lom


Entrypoint is at section pbm6thw3. PEiD identifies this as "UPX 1.03 - 1.04 -> Markus & Laszlo [Overlay]", but obviously it's not. I've used a public external database (http://handlers.sans.org/jclausing/userdb.txt) for PEiD, but it didn't identify anything (Nothing found [Overlay] *).

Does anyone recognize this? I suppose this isn't related to the old HASP envelope and its .protect section?

Thanks!

fritzfs
October 4th, 2013, 04:29
Nah, a friend gave me a hint to try ProtectionID. I've identified it as EXECryptor. Case closed.
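
The observation in this thread (entry point inside a section with a random-looking name rather than in .text) can be checked straight from the PE headers without relying on a signature database. The following is an added example, not part of the original posts: the `EXPECTED` name list, the function names and the headers-only sample image are assumptions constructed for illustration, using the section names quoted in the first post.

```python
import struct

# Assumption: names treated as ordinary compiler/linker output.
EXPECTED = {".text", "CONST", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".tls"}

def build_sample(names, entry_index):
    """Constructed headers-only PE32 image; each section gets one 0x1000 page."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)   # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 224, 0x102)
    entry_rva = 0x1000 * (entry_index + 1) + 0x10
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(224, b"\0")
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode(), 0x1000, 0x1000 * (i + 1),
                    0, 0, 0, 0, 0, 0, 0xE0000020)
        for i, n in enumerate(names))
    return dos + b"PE\0\0" + coff + opt + table

def parse_sections(data):
    """Return (entry point RVA, [(name, virtual address, size), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header starts at pe_off + 4; AddressOfEntryPoint is at optional header + 16.
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe_off + 6)
    (entry_rva,) = struct.unpack_from("<I", data, pe_off + 40)
    table = pe_off + 24 + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, va, raw = struct.unpack_from("<8sIII", data, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("latin-1"), va, max(vsize, raw)))
    return entry_rva, sections

def triage(data):
    """Name the section holding the entry point and list unexpected names."""
    entry_rva, sections = parse_sections(data)
    entry = next((n for n, va, size in sections if va <= entry_rva < va + size), None)
    odd = [n for n, _, _ in sections if n not in EXPECTED]
    return {"entry_section": entry, "unexpected": odd,
            "entry_outside_expected": entry not in EXPECTED}

# Section names as listed in the first post; the image built from them is constructed.
POST_SECTIONS = [".text", "CONST", ".rdata", ".data", ".rsrc",
                 "pbm6thw3", "zf41d72o", "hsjh6lom"]

if __name__ == "__main__":
    print(triage(build_sample(POST_SECTIONS, 5)))
```

On a real file, pass the bytes read from disk to `triage`; the result only narrows down where to look, and naming the protector still takes a signature tool such as the one mentioned in the reply.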