fritzfs
October 3rd, 2013, 14:01
Hi ppl! Long time no see :-)
Today I've come across a target which uses Sentinel HASP (run-time environment installer 5.90 from 2009).
The PE sections look weird to me. I have:
Code:
.text
CONST
.rdata
.data
.rsrc
pbm6thw3
zf41d72o
hsjh6lom
The entry point is in section pbm6thw3. PEiD identifies this as "UPX 1.03 - 1.04 -> Markus & Laszlo [Overlay]", but obviously it's not. I've used a public external database (http://handlers.sans.org/jclausing/userdb.txt) for PEiD, but it didn't identify anything (Nothing found [Overlay] *).
Does anyone recognize this? I suppose this isn't related to the old HASP envelope and its .protect section?
Thanks!