
Fool PEiD


RoBa
September 9th, 2004, 03:54
I wanted to write a small program to fool the File Analyze Tools (such as PEiD or FileInfo) by changing the code at the EntryPoint.

Now I can make programs pretend to be VC++6.0 successfully, but when I want them to pretend to be DELPHI, FileInfo was fooled, but PEiD says "WIN32 Unknown" instead of "Delphi". I copied more than 100 bytes of a REAL DELPHI PROGRAM to the EntryPoint, but it still doesn't work. And it is the same with VB.

I want to know how PEiD detects the programs. Doesn't it detect only by the KeyCode at the EP?

BTW: Who has the KeyCode of the shells and compilers? THANX!

gook
September 9th, 2004, 05:34
If you open the userdb.txt file you can see a boolean variable called "ep_only".

RoBa
September 9th, 2004, 07:58
Yes, but I think the detection of DELPHI (or VC or BASIC) is built into the program. Must I reverse the program? Oh, it's a difficult task.

%UNDEFINED%
September 11th, 2004, 08:55
Basically what you are looking for is a compiler signature.
The entry point is not always the best place to look.
If you are wanting to use the PEiD database you might be able to contact the authors and get some help:

snaker: snaker(AT)myrealbox(DOT)com
Qwerton: qwaci(AT)gmx(DOT)net
Jibz: mail(AT)ibsensoftware(DOT)com

Other tools have been built using their database, such as:
Stud_PE: hxxp://itimer.home.ro/studpe.html

Or perhaps build your own signatures, using hex-comparing software with multiple files from the same compiler/packer/encrypter, and looking for a common signature.
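To make the two points above concrete (the "ep_only" flag in userdb.txt, and the entry point not being the only place a signature is checked), here is a small signature matcher in the userdb.txt layout. It is an added example, not part of this thread and not PEiD's own code: the two signature entries and the minimal PE image it builds are constructed for illustration, the byte patterns are not copied from PEiD's database, and the only assumption about the format is the `[name]` / `signature =` / `ep_only =` layout that the post above describes.

```python
import struct

# Constructed sample in the userdb.txt layout. The byte patterns are
# illustrative only; they are not copied from PEiD's real database.
SAMPLE_USERDB = """
[Sample compiler A (constructed)]
signature = 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 00 00 00 00
ep_only = true

[Sample packer B (constructed)]
signature = 60 E8 00 00 00 00 5D 81 ED ?? ?? ?? ??
ep_only = false
"""


def parse_userdb(text):
    """Parse userdb-style text into (name, pattern, ep_only) triples.
    A pattern is a list of ints; None stands for a '??' wildcard byte."""
    sigs = []
    name, pattern, ep_only = None, None, True
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            if name and pattern:
                sigs.append((name, pattern, ep_only))
            name, pattern, ep_only = line[1:-1], None, True
            continue
        key, sep, value = line.partition('=')
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == 'signature':
            pattern = [None if tok == '??' else int(tok, 16) for tok in value.split()]
        elif key == 'ep_only':
            ep_only = value.lower() == 'true'
    if name and pattern:
        sigs.append((name, pattern, ep_only))
    return sigs


def matches_at(data, offset, pattern):
    """True if every non-wildcard byte of pattern equals data[offset + i]."""
    if offset < 0 or offset + len(pattern) > len(data):
        return False
    return all(p is None or data[offset + i] == p for i, p in enumerate(pattern))


def entry_point_offset(pe):
    """Translate AddressOfEntryPoint (an RVA) into a file offset via the section table."""
    e_lfanew = struct.unpack_from('<I', pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('not a PE image')
    num_sections = struct.unpack_from('<H', pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from('<H', pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                  # optional header follows the 20-byte COFF header
    ep_rva = struct.unpack_from('<I', pe, opt + 16)[0]
    sections = opt + opt_size
    for i in range(num_sections):
        hdr = sections + 40 * i
        va, raw_size, raw_ptr = struct.unpack_from('<III', pe, hdr + 12)
        if va <= ep_rva < va + raw_size:
            return raw_ptr + (ep_rva - va)
    raise ValueError('entry point does not fall inside any section')


def identify(pe, sigs):
    """Apply each signature the way its ep_only flag dictates: at the entry point
    only, or (ep_only = false) at the entry point first and then anywhere in the file."""
    ep = entry_point_offset(pe)
    hits = []
    for name, pattern, ep_only in sigs:
        if matches_at(pe, ep, pattern):
            hits.append((name, 'EP'))
            continue
        if ep_only:
            continue
        for off in range(len(pe) - len(pattern) + 1):
            if matches_at(pe, off, pattern):
                hits.append((name, 'offset 0x%X' % off))
                break
    return hits


def build_sample_pe(code, ep_in_code=0):
    """Build a minimal constructed 32-bit PE with one .text section at file
    offset 0x200 / RVA 0x1000, so the example runs without a real binary."""
    e_lfanew, sec_va, sec_raw = 0x40, 0x1000, 0x200
    dos = b'MZ' + b'\0' * (0x3C - 2) + struct.pack('<I', e_lfanew)
    coff = struct.pack('<HHIIIHH', 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = struct.pack('<HBBIIIII', 0x10B, 6, 0, len(code), 0, 0, sec_va + ep_in_code, sec_va)
    opt += b'\0' * (224 - len(opt))
    sect = struct.pack('<8sIIIIIIHHI', b'.text', len(code), sec_va, len(code), sec_raw,
                       0, 0, 0, 0, 0x60000020)
    headers = dos + b'PE\0\0' + coff + opt + sect
    return headers + b'\0' * (sec_raw - len(headers)) + code


# Constructed byte strings that satisfy the two sample signatures.
PROLOGUE_A = bytes.fromhex('558BEC6AFF6811223344681122334464A100000000')
PROLOGUE_B = bytes.fromhex('60E8000000005D81ED00104000')


def demo():
    sigs = parse_userdb(SAMPLE_USERDB)
    return {
        # A's bytes exactly at the entry point: matched there.
        'ep_match': identify(build_sample_pe(PROLOGUE_A + b'\x90' * 16), sigs),
        # B's bytes 0x20 past a NOP entry point: ep_only = false, so the scan finds them.
        'scan_match': identify(build_sample_pe(b'\x90' * 0x20 + PROLOGUE_B), sigs),
        # A's bytes 0x20 past the entry point: ep_only = true, so nothing matches.
        'ep_only_miss': identify(build_sample_pe(b'\x90' * 0x20 + PROLOGUE_A), sigs),
    }


if __name__ == '__main__':
    for case, result in demo().items():
        print(case, result)
```

The third case is the one that bears on the question in the thread: a signature marked `ep_only = true` is compared at the entry point and nowhere else, so bytes copied anywhere other than the exact entry point have no effect on that entry, while an `ep_only = false` entry is searched through the whole file.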

nikolatesla20
September 11th, 2004, 13:59
You can fool PEId by making your own lame cryptor, for example, going thru the first section of code (in the file) and XORing it with a value. Then, add your own code (and set a new PE entrypoint) to re-XOR it at runtime, and jump back to the original entrypoint.

-nt20

mYeXcKsN
September 13th, 2004, 21:49
I made a program that does that 2 months ago. But the important thing may be that the new OEP should be in the first section of the locked PE file. So you can back up some code from the first section to the last section, copy the start code to the first section, jmp to the last section, and restore the backed-up code.

Crudd
September 15th, 2004, 20:37
I think someone may have done this (unless it's yours): hxxp://wasm.ru/tools/8/FakeSigner.zip