If you work with PEiD (or similar apps), then you know that these apps can tell us which compiler the opened executable file was compiled with, or which packer it was packed with.
PEiD does this by comparing the executable's signature with all the signatures in UserDB.
I want to create a new signature for (for example) a new compiler/packer. How can I do it?
I wrote a routine for extracting the compiler/packer signature from an executable file. Now I want to get a new signature: I should retrieve the compiler/packer signature from several executable files (in this case 5), compare them with each other and create the new signature. For example, if the following strings are the compiler/packer signatures of 5 files:
'E4 55 33 22 00 FF E4 55 33 22 00 11 FF E2 22 00 E0'
'E4 55 32 22 01 FF E4 55 32 22 01 11 FF E2 21 00 E0'
'E4 55 42 22 00 FF E2 55 42 22 00 11 FE E2 22 10 E0'
'E4 55 35 22 01 FF E4 55 35 22 01 11 FF E2 22 00 E0'
'E4 55 25 22 01 FF E4 55 35 22 01 11 FF E2 22 00 E0'
I must get this string as the result:
'E4 55 ?? 22 ?? FF ?? 55 ?? 22 ?? 11 ?? E2 ?? ?? E0'
It means that if a value (for example 'E4') is common to all of the signatures, then it is added to the result; otherwise it is replaced with '??'.
(I hope you can understand what I mean.)
I wrote the following code, but it doesn't work correctly and returns:
'E4 55 ?? 22 ?? FF E4 55 ?? 22 ?? 11 FF E2 ?? 00 E0'
Instead of:
'E4 55 ?? 22 ?? FF ?? 55 ?? 22 ?? 11 ?? E2 ?? ?? E0'
Code:
...
uses System.StrUtils, System.Types;
...
var
  InputSignatures: TStringList;
  I, J: Integer;
  CompleteTxt: string;
  Con: array of TStringDynArray;
begin
  InputSignatures := TStringList.Create;
  InputSignatures.Add('E4 55 33 22 00 FF E4 55 33 22 00 11 FF E2 22 00 E0');
  InputSignatures.Add('E4 55 32 22 01 FF E4 55 32 22 01 11 FF E2 21 00 E0');
  InputSignatures.Add('E4 55 42 22 00 FF E2 55 42 22 00 11 FE E2 22 10 E0');
  InputSignatures.Add('E4 55 35 22 01 FF E4 55 35 22 01 11 FF E2 22 00 E0');
  InputSignatures.Add('E4 55 25 22 01 FF E4 55 35 22 01 11 FF E2 22 00 E0');
  // E4 55 ?? 22 ?? FF ?? 55 ?? 22 ?? 11 ?? E2 ?? ?? E0
  SetLength(Con, InputSignatures.Count);
  for I := 0 to InputSignatures.Count - 1 do
  begin
    Con[I] := SplitString(InputSignatures[I], ' ');
  end;
  J := 0;
  for I := 0 to Length(Con[J]) - 1 do
  begin
    for J := Low(Con) to High(Con) - 1 do
    begin
      if Con[J][I] <> Con[J + 1][I] then
      begin
        CompleteTxt := CompleteTxt + '?? ';
        Break;
      end
      else
      begin
        CompleteTxt := CompleteTxt + Con[J][I] + ' ';
        Break;
      end;
    end;
  end;
  ShowMessage(CompleteTxt);
end;
...
Any ideas?
(Excuse me if my English is bad).
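An added example, not part of the original post: the posted inner loop hits `Break` in both branches, so each column is decided by the first two signatures only. The console program below keeps a byte only when every signature agrees at that offset. `MergeSignatures` is a hypothetical helper name, and comparing case-insensitively and truncating to the shortest signature are assumptions of this sketch.

```delphi
program MergeSigs;
{$APPTYPE CONSOLE}
uses System.SysUtils, System.Classes, System.StrUtils, System.Types;

// Hypothetical helper (added example): builds a wildcard signature from samples.
function MergeSignatures(const Signatures: TStrings): string;
var
  Cols: array of TStringDynArray;
  I, J, MinLen: Integer;
  Token: string;
begin
  Result := '';
  if Signatures.Count = 0 then Exit;
  SetLength(Cols, Signatures.Count);
  MinLen := MaxInt;
  for J := 0 to Signatures.Count - 1 do
  begin
    Cols[J] := SplitString(Trim(Signatures[J]), ' ');
    // Assumption: only offsets present in every sample can be compared.
    if Length(Cols[J]) < MinLen then MinLen := Length(Cols[J]);
  end;
  for I := 0 to MinLen - 1 do
  begin
    // Keep the first sample's byte unless any other sample differs here.
    Token := UpperCase(Cols[0][I]);
    for J := 1 to High(Cols) do
      if not SameText(Cols[J][I], Token) then
      begin
        Token := '??';
        Break;
      end;
    if I > 0 then Result := Result + ' ';
    Result := Result + Token;
  end;
end;

var
  Sigs: TStringList;
begin
  Sigs := TStringList.Create;
  try
    // The five sample signatures quoted in the post.
    Sigs.Add('E4 55 33 22 00 FF E4 55 33 22 00 11 FF E2 22 00 E0');
    Sigs.Add('E4 55 32 22 01 FF E4 55 32 22 01 11 FF E2 21 00 E0');
    Sigs.Add('E4 55 42 22 00 FF E2 55 42 22 00 11 FE E2 22 10 E0');
    Sigs.Add('E4 55 35 22 01 FF E4 55 35 22 01 11 FF E2 22 00 E0');
    Sigs.Add('E4 55 25 22 01 FF E4 55 35 22 01 11 FF E2 22 00 E0');
    Writeln(MergeSignatures(Sigs));
  finally
    Sigs.Free;
  end;
end.
```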