View Full Version : Telock signature problem
bobik
June 4th, 2001, 10:30
Gentelmen,
I have following problem : the succseffuly dumped aplication can't be
compresed again ( it was telock 0.80 paked ) evey packer i try fails
(producing non working application ) . and telocks says "already compresed"
That means the header is somewhere signed ?
How telock signature looks like ?
Thx
CoDe_InSiDe
June 4th, 2001, 23:58
Hi bobik,
Most Packers/Encrypters leave a Signature at a certain place in the PE Header.
Look at the place:
"Offset PE Header + F0"
This place isn't used by the PE Header Structure (Or to say it even better by the Optional Header

)
I've tried tElock v0.80 myself with some test file and this place contained the value:
0000000000002000
It's probably the same with your File

Hope this helps.
Cya...
CoDe_InSiDe
Kilby
June 5th, 2001, 03:16
You can use upx -f to force the packer to get on with it's work.
Whough I would prefer to have Telock to have a force option.
Kilby...
madmax
June 5th, 2001, 11:38
I've noticed this prob on some unpacked apps with ASPR as well...I tried upx -f and my own packer and both lead to faults...I've not yet explored why, but it likely involves something with the rebuilt IAT from RV/importrec...Unfortunately some packers modify stuff as to not allow layering, and I find it to be kinda crappy...Check what changes in the peheader as well..I know telock changes # of sections (PE+8) to FFFF..Fix that first.
madmax
ThrawN
June 5th, 2001, 20:52
Try somethign on the simple side.
Some packers simply simply check the files sections (UPX) and if they are packed with a packer, or at least unpacked without the sections renamed etc.., they wont pack.
Kilby
June 6th, 2001, 07:55
Un-Asprtoected progs, seem to pack happily with upx -f.
TeLock, identifys the file as being packed with an as product.
Section renaming dosn't help.
Kilby...
Powered by vBulletin® Version 4.2.2 Copyright © 2018 vBulletin Solutions, Inc. All rights reserved.