Log in

View Full Version : Telock signature problem


bobik
June 4th, 2001, 10:30
Gentelmen,

I have following problem : the succseffuly dumped aplication can't be
compresed again ( it was telock 0.80 paked ) evey packer i try fails
(producing non working application ) . and telocks says "already compresed"

That means the header is somewhere signed ?
How telock signature looks like ?

Thx

CoDe_InSiDe
June 4th, 2001, 23:58
Hi bobik,

Most Packers/Encrypters leave a Signature at a certain place in the PE Header.
Look at the place:

"Offset PE Header + F0"

This place isn't used by the PE Header Structure (Or to say it even better by the Optional Header )
I've tried tElock v0.80 myself with some test file and this place contained the value:

0000000000002000

It's probably the same with your File
Hope this helps.

Cya...

CoDe_InSiDe

Kilby
June 5th, 2001, 03:16
You can use upx -f to force the packer to get on with it's work.

Whough I would prefer to have Telock to have a force option.

Kilby...

madmax
June 5th, 2001, 11:38
I've noticed this prob on some unpacked apps with ASPR as well...I tried upx -f and my own packer and both lead to faults...I've not yet explored why, but it likely involves something with the rebuilt IAT from RV/importrec...Unfortunately some packers modify stuff as to not allow layering, and I find it to be kinda crappy...Check what changes in the peheader as well..I know telock changes # of sections (PE+8) to FFFF..Fix that first.

madmax

ThrawN
June 5th, 2001, 20:52
Try somethign on the simple side.
Some packers simply simply check the files sections (UPX) and if they are packed with a packer, or at least unpacked without the sections renamed etc.., they wont pack.

Kilby
June 6th, 2001, 07:55
Un-Asprtoected progs, seem to pack happily with upx -f.

TeLock, identifys the file as being packed with an as product.

Section renaming dosn't help.

Kilby...