
Untitled

a guest Mar 22nd, 2019 44 Never
// DIE's signature file
// 07.12.2014 detect x64, build date added //ajax
//
// Detect It Easy (DIE) signature script that identifies PE files wrapped by
// the Enigma protector. Detection is purely static: entry-point byte
// patterns, an import-table heuristic and a marker search. A match means
// "looks like an Enigma stub"; it says nothing about what the protected
// payload does, and the version text is copied from the file unverified.

// Declares the result this script reports: type "protector", name "ENIGMA".
// NOTE(review): init() is supplied by the DIE engine; presumably it also
// resets the script globals sVersion and bDetected used below -- confirm.
init("protector","ENIGMA");
  5.  
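/**
 * Looks for an Enigma version marker in the raw data of the last section
 * (or the one before it when the last section has no raw data) and stores
 * the resulting text in the script-global sVersion.
 *
 * Two markers are tried, in this order:
 *   1. three zero bytes followed by the ASCII text ENIGMA -- the bytes after
 *      it are read as major, minor and a build timestamp;
 *   2. the ASCII text "Enigma Protector" -- reported as the fixed text "5.X".
 *
 * Every field is read straight from the file with no range check, so the
 * reported version and build date are only as trustworthy as the sample:
 * treat them as a triage hint, not as evidence.
 *
 * @returns {number} 1 when a marker was found and sVersion was set, else 0.
 */
function getVersion()
{
    var nSection=PE.nLastSection;
    // A file without a usable last section has nothing to scan. Without this
    // guard the property reads below fail on an undefined entry.
    if(nSection<0||!PE.section[nSection])
    {
        return 0;
    }
    var nOffset=PE.section[nSection].FileOffset;
    var nSize=PE.section[nSection].FileSize;
    if(nSize==0)
    {
        // The last section has no raw data; fall back to the previous one.
        // With a single section there is no previous entry, so indexing
        // nSection-1 would address section -1 -- stop instead.
        if(nSection<1||!PE.section[nSection-1])
        {
            return 0;
        }
        nOffset=PE.section[nSection-1].FileOffset;
        nSize=PE.section[nSection-1].FileSize;
    }
    var nVersionOffset=PE.findSignature(nOffset,nSize,"000000'ENIGMA'");
    if(nVersionOffset!=-1)
    {
        // The 9-byte marker is followed by two single-byte version fields
        // and six 16-bit fields holding the build date and time.
        var nMajor=PE.readByte(nVersionOffset+9);
        var nMinor=PE.readByte(nVersionOffset+10);
        var nYear=PE.readWord(nVersionOffset+11);
        var nMonth=PE.readWord(nVersionOffset+13);
        var nDay=PE.readWord(nVersionOffset+15);
        var nHour=PE.readWord(nVersionOffset+17);
        var nMin=PE.readWord(nVersionOffset+19);
        var nSec=PE.readWord(nVersionOffset+21);
        sVersion=nMajor+"."+nMinor+" build "+nYear+"."+nMonth+"."+nDay+" "+nHour+":"+nMin+":"+nSec;
        return 1;
    }
    // No structured record: fall back to the plain product-name string.
    nVersionOffset=PE.findSignature(nOffset,nSize,"'Enigma Protector'");
    if(nVersionOffset!=-1)
    {
        sVersion="5.X";
        return 1;
    }

    return 0;
}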
  40.  
/**
 * Version lookup used for the "first versions" entry-point pattern: searches
 * the raw data of the section named ".data" for the text
 * "Enigma protector v" and stores the 4 characters that follow it in the
 * script-global sVersion.
 *
 * The text is copied from the file as-is, so it is a hint only.
 *
 * @returns {number} 1 when the string was found and sVersion was set, else 0.
 */
function getVersion_old()
{
    // Nothing to search when the file has no ".data" section.
    if(!PE.section[".data"])
    {
        return 0;
    }

    var nDataOffset=PE.section[".data"].FileOffset;
    var nDataSize=PE.section[".data"].FileSize;
    var nMarker=PE.findString(nDataOffset,nDataSize,"Enigma protector v");
    if(nMarker==-1)
    {
        return 0;
    }

    // 18 is the length of the marker text; the version follows it directly.
    sVersion=PE.getString(nMarker+18,4);
    return 1;
}
  56.  
/**
 * Entry point called by the engine: decides whether the PE file looks like
 * an Enigma-protected binary and reports the result.
 *
 * Detection runs in two stages and sets the script-global bDetected:
 *   1. Entry-point patterns. 32-bit files are compared against several stub
 *      variants, 64-bit (PE32+) files against one. In the patterns ".."
 *      matches any byte.
 *      NOTE(review): "$$" / "$$$$$$$$" appear to stand for a relative branch
 *      displacement that the matcher follows -- confirm against the DIE docs.
 *   2. Fallbacks, only if stage 1 did not match: an import-table shape
 *      combined with a version marker, or, for .NET files, the ENIGMA marker
 *      in section 0.
 *
 * All checks are static byte/metadata comparisons, so a modified stub can
 * escape them and the version text comes from the file unverified.
 *
 * @param bShowType    passed through to result()
 * @param bShowVersion passed through to result()
 * @param bShowOptions passed through to result()
 * @returns whatever result() returns for the three flags.
 */
function detect(bShowType,bShowVersion,bShowOptions)
{
    // 32-bit stub variants whose version is read by getVersion(). Most of
    // them contain 60 e8 00000000 5d (pushad; call $+5; pop ebp).
    var aStubs32=[
        "558bec83c4..b8........e8........9a............e9$$$$$$$$60e8000000005d..ed",
        "60e8000000005d81ed........81ed........e9",
        "68........e8$$$$$$$$eb$$83c4..e9$$$$$$$$60e8000000005d81ed",
        "eb$$e9$$$$$$$$60e8000000005d81ed........81ed........e9",
        "e8$$$$$$$$83c4..e9$$$$$$$$60e8000000005d81ed........81ed........e9"
    ];
    var sStub32Old="60e8000000005d83....81ed"; //first versions
    var sStub64="5051525355565741504151415241534154415541564157489C4881EC080000000FAE1C24E8000000005D";

    if(PE.isPEPlus())
    {
        if(PE.compareEP(sStub64))
        {
            getVersion();
            bDetected=1;
        }
    }
    else
    {
        // Try the variants in order and stop at the first hit.
        var bStubHit=false;
        for(var i=0;i<aStubs32.length;i++)
        {
            if(PE.compareEP(aStubs32[i]))
            {
                bStubHit=true;
                break;
            }
        }

        if(bStubHit)
        {
            getVersion();
            bDetected=1;
        }
        else if(PE.compareEP(sStub32Old))
        {
            getVersion_old();
            bDetected=1;
        }
    }

    if(!bDetected)
    {
        // Import-table heuristic: more than one import entry, entry 1 holding
        // a single thunk named MessageBoxA, section 0 flagged 0xe0000040
        // (initialized data, readable, writable and executable), and a
        // version marker present. getVersion() is evaluated last, so the
        // section scan only runs when the cheaper checks passed.
        var bImportShape=PE.getNumberOfImports()>1
              &&PE.getNumberOfImportThunks(1)==1
              &&PE.getImportFunctionName(1,0)=="MessageBoxA"
              &&PE.getSectionCharacteristics(0)==0xe0000040
              &&getVersion();

        if(bImportShape)
        {
            bDetected=1;
        }
        else if(PE.isNET()&&PE.isSignatureInSectionPresent(0,"000000'ENIGMA'"))
        {
            // .NET file carrying the ENIGMA marker in section 0; no version
            // is extracted on this path.
            bDetected=1;
        }
    }

    return result(bShowType,bShowVersion,bShowOptions);
}