// Detect It Easy (DIE) signature script.
// 07.12.2014 detect x64, build date added //ajax
// Registers this script with the host under type "protector" and name
// "ENIGMA" (presumably these are the labels result() reports - confirm
// against the DIE scripting API).
init("protector", "ENIGMA");
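// Recover the protector version from the tail of the file and store it in
// the global sVersion.
//
// The last section is scanned for the marker 000000'ENIGMA' (three zero
// bytes plus six characters, nine bytes in total). If that section has no
// raw data, the section before it is scanned instead. The fields read after
// the marker are, going by the names used here: major and minor version
// (one byte each) and six 16-bit build-timestamp fields.
//
// Returns 1 when sVersion was set, 0 otherwise.
//
// NOTE(review): every value read here comes from the file under analysis
// and is therefore sample-controlled. Treat the reported version and build
// date as a hint for triage, not as verified provenance.
function getVersion()
{
    var nSection=PE.nLastSection;
    var section=PE.section[nSection];
    if(!section)
    {
        // No such section entry: nothing to scan.
        return 0;
    }
    if(section.FileSize==0)
    {
        // The last section has no raw data, so fall back to the one before it.
        // If the last section is also the first one there is no earlier entry;
        // without this check the property read below would throw and abort the
        // whole script, including the fallback checks in the caller.
        section=PE.section[nSection-1];
        if(!section)
        {
            return 0;
        }
    }
    var nOffset=section.FileOffset;
    var nSize=section.FileSize;

    var nVersionOffset=PE.findSignature(nOffset,nSize,"000000'ENIGMA'");
    if(nVersionOffset!=-1)
    {
        // Offsets are relative to the start of the 9-byte marker.
        var nMajor=PE.readByte(nVersionOffset+9);
        var nMinor=PE.readByte(nVersionOffset+10);
        var nYear=PE.readWord(nVersionOffset+11);
        var nMonth=PE.readWord(nVersionOffset+13);
        var nDay=PE.readWord(nVersionOffset+15);
        var nHour=PE.readWord(nVersionOffset+17);
        var nMin=PE.readWord(nVersionOffset+19);
        var nSec=PE.readWord(nVersionOffset+21);
        sVersion=nMajor+"."+nMinor+" build "+nYear+"."+nMonth+"."+nDay+" "+nHour+":"+nMin+":"+nSec;
        return 1;
    }

    // No version record: a plain product-name string is reported as "5.X".
    nVersionOffset=PE.findSignature(nOffset,nSize,"'Enigma Protector'");
    if(nVersionOffset!=-1)
    {
        sVersion="5.X";
        return 1;
    }
    return 0;
}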
// Version lookup for the earliest releases: finds the banner
// "Enigma protector v" in the raw data of the .data section and stores the
// four characters that follow it (the banner is 18 characters long) in the
// global sVersion.
//
// Returns 1 when sVersion was set, 0 when there is no .data section or the
// banner is absent.
//
// NOTE(review): the banner is a plain string inside the sample, so the
// reported version is only as trustworthy as the file itself.
function getVersion_old()
{
    var dataSection=PE.section[".data"];
    if(!dataSection)
    {
        return 0;
    }

    var nBanner=PE.findString(dataSection.FileOffset,dataSection.FileSize,"Enigma protector v");
    if(nBanner==-1)
    {
        return 0;
    }

    sVersion=PE.getString(nBanner+18,4);
    return 1;
}
// Entry point called by the host: decides whether the PE file is wrapped by
// the Enigma protector and returns result(bShowType,bShowVersion,bShowOptions).
//
// Stage 1 compares the code at the entry point with known loader stubs.
// In the patterns, ".." matches any byte; the "$$" / "$$$$$$$$" runs appear
// to make the matcher follow a short / near relative jump or call
// (NOTE(review): confirm against the DIE signature syntax).
// Stage 2 runs only if stage 1 found nothing and uses structural hints.
//
// NOTE(review): all of these are static byte and string matches, so a
// modified or re-packed stub will not match. A negative result is not
// evidence that a sample is unprotected.
function detect(bShowType,bShowVersion,bShowOptions)
{
    // 32-bit stubs that carry the newer version record. They share the core
    // 60 e8 00000000 5d 81ed: pushad; call $+5; pop ebp; sub ebp,imm32.
    var aStubs32=[
        "558bec83c4..b8........e8........9a............e9$$$$$$$$60e8000000005d..ed",
        "60e8000000005d81ed........81ed........e9",
        "68........e8$$$$$$$$eb$$83c4..e9$$$$$$$$60e8000000005d81ed",
        "eb$$e9$$$$$$$$60e8000000005d81ed........81ed........e9",
        "e8$$$$$$$$83c4..e9$$$$$$$$60e8000000005d81ed........81ed........e9"
    ];
    // first versions
    var sStub32Old="60e8000000005d83....81ed";
    // 64-bit stub: pushes of the general-purpose registers and flags,
    // sub rsp,8; stmxcsr [rsp]; call $+5; pop rbp.
    var sStub64="5051525355565741504151415241534154415541564157489C4881EC080000000FAE1C24E8000000005D";

    if(PE.isPEPlus())
    {
        if(PE.compareEP(sStub64))
        {
            getVersion();
            bDetected=1;
        }
    }
    else
    {
        var bNewStub=false;
        for(var i=0;i<aStubs32.length;i++)
        {
            if(PE.compareEP(aStubs32[i]))
            {
                bNewStub=true;
                break;
            }
        }
        if(bNewStub)
        {
            getVersion();
            bDetected=1;
        }
        else if(PE.compareEP(sStub32Old))
        {
            getVersion_old();
            bDetected=1;
        }
    }

    if(!bDetected)
    {
        // Structural fallback: more than one import entry, entry 1 holding the
        // single thunk MessageBoxA, a first section flagged 0xe0000040
        // (initialized data that is readable, writable and executable), and a
        // version marker that getVersion() can find.
        var bStubLayout=PE.getNumberOfImports()>1
            &&PE.getNumberOfImportThunks(1)==1
            &&PE.getImportFunctionName(1,0)=="MessageBoxA"
            &&PE.getSectionCharacteristics(0)==0xe0000040
            &&getVersion();
        if(bStubLayout)
        {
            bDetected=1;
        }
        else if(PE.isNET()&&PE.isSignatureInSectionPresent(0,"000000'ENIGMA'"))
        {
            // .NET image: the marker in section 0 is enough; no version is read.
            bDetected=1;
        }
    }

    return result(bShowType,bShowVersion,bShowOptions);
}