v 2.4.0.1 [2 apr 2008]
-fixed a bug with imported function name length;
-added external signature verifier; wrote a note about signatures;
-fixed RVA2RAW for UPACK, which has its EP inside the PE header; now imports are shown fine;
-added basic disassembler from the hexeditor right click menu;
-fixed showing which export is in fact a forwarder to another dll, like HeapAlloc in kernel.dll;
-added process memory dumper/viewer; right click on the process you want to inspect; you can
use the disassembler (from the right click menu inside the hexeditor) to see how the code looks at a
certain VA; the difference from other dumpers (LordPE, ProcDump, PETools) is that it can dump/view
code blocks protected with PAGE_GUARD or NOACCESS flags.
Note about external signatures
------------------------------
-we have 2 kinds of signatures:
1. relative to entry point (ep_only=true); a number of bytes searched only at one location;
2. absolute (ep_only=false); a number of bytes searched in the entire file;
-a relative signature can start with an offset (negative or positive) specified by
offset=x, where x can be e.g. 5 or -7, relative to the entry point; in addition a relative
signature can start with a number of unknown bytes (?? ?? ?? 3E 45 etc.); in this case
the number of those leading bytes will be treated as a positive offset; but remember,
this is only for (ep_only=true);
Signature rules:
-sections with different names; a section is e.g. "[Name of the Packer v1.0]";
-sections with different signatures, for not wasting time;
-signature bytes must be hex represented (0-9, A-F);
-each signature length must be a multiple of 2;
-you can use an empty space as separator between each byte (2 hex chars)
for readability (like "signature = 00 A2 3F", the same as
"signature = 00A23F");
-you can use the wildcard "??" if the byte can be anything inside a signature;
-only relative signatures (ep_only=true) can start with "??";
-when you fix the external signatures file, you must fix section names first!! (otherwise you will
have checking mistakes for the next verifications!!), then signature correctness, then overlapping
signatures; you will have the section's name or signature on the clipboard when an error is
found; just paste it into the search box in notepad; if you have multiple sections with the same
name and different signatures, just rename them like mepacker_s1, mepacker_s2 etc.;
-avoid adding large signatures; it will be a time killer; be smart!
-add a signature at the end of the file (EOF), then see if your file is detected, for avoiding
overlapping signatures;
-the signature verification is done only for those signatures starting at the entry point! for
different offsets (e.g. signatures starting with "?? ?? A2" etc. or offset=x) the code
becomes too complicated, so it is easier to add those signatures at the EOF and see if it works;
-what is overlapping: look at the next 2 signatures, "EB 02 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? F6" and
"EB 02 ?? ?? EB 02"; they cover the same range of bytes; the short one is covered by the longest;
in this case you may miss a packer because of this, depending on which is searched first;
it's recommended to put the longest first;
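Added example (not part of these notes and not the tool's own code): a small Python parser and matcher for the signature format described in the note and rules above, with a check for the overlap rule. The exact file layout ("[Name]" section header followed by "signature =", "ep_only =" and "offset =" lines, one signature per section), the function names, and the use of the raw file offset of the entry point for relative matching are assumptions; the sample signature file and the 48-byte "file" are constructed, not real packer signatures.

```python
# Added example (not the tool's own code): parser + matcher for the external
# signature format described in the note above, plus the overlap check from
# the rules.  Assumed file layout, reconstructed from the rules:
#     [Name of the Packer v1.0]
#     signature = EB 02 ?? ?? EB 02
#     ep_only = true
#     offset = -7          (optional; only used when ep_only=true)
# Assumption: ep is the raw file offset of the entry point (RVA2RAW already done).

def parse_pattern(text):
    """'00 A2 ?? 3F' or '00A2??3F' -> [0x00, 0xA2, None, 0x3F]; None is a '??' wildcard."""
    compact = text.replace(" ", "").strip().upper()
    if not compact or len(compact) % 2:           # rule: length is a multiple of 2
        raise ValueError("bad signature length: %r" % text)
    pairs = [compact[i:i + 2] for i in range(0, len(compact), 2)]
    bad = [p for p in pairs if p != "??" and not all(c in "0123456789ABCDEF" for c in p)]
    if bad:                                       # rule: bytes are hex (0-9, A-F)
        raise ValueError("non-hex bytes %r in %r" % (bad, text))
    return [None if p == "??" else int(p, 16) for p in pairs]

def parse_signature_file(text):
    """Sections in file order as dicts; enforces unique names and '??'-start only for ep_only."""
    sigs, cur, seen = [], None, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            if name in seen:                      # rule: sections with different names
                raise ValueError("duplicate section name: %r" % name)
            seen.add(name)
            cur = {"name": name, "pattern": None, "ep_only": False, "offset": 0}
            sigs.append(cur)
            continue
        key, _, val = line.partition("=")
        key, val = key.strip().lower(), val.strip()
        if cur is None or key not in ("signature", "ep_only", "offset"):
            raise ValueError("unexpected line: %r" % raw)
        if key == "signature":
            cur["pattern"] = parse_pattern(val)
        elif key == "ep_only":
            cur["ep_only"] = val.lower() == "true"
        else:
            cur["offset"] = int(val)
    for s in sigs:                                # rule: only relative sigs may start with ??
        if s["pattern"] is None or (not s["ep_only"] and s["pattern"][0] is None):
            raise ValueError("section %r: missing signature or absolute sig starting with ??" % s["name"])
    return sigs

def matches_at(data, pattern, pos):
    """True if pattern matches data at pos; wildcards (None) match any byte."""
    if pos < 0 or pos + len(pattern) > len(data):
        return False
    return all(b is None or data[pos + i] == b for i, b in enumerate(pattern))

def match_all(data, sigs, ep):
    """Names of all matching signatures in file order (a first-hit scanner reports hits[0]).
    Leading '??' in a relative signature just shift the compared bytes: the 'positive offset'."""
    hits = []
    for s in sigs:
        if s["ep_only"]:                          # relative: one location only, ep + offset
            ok = matches_at(data, s["pattern"], ep + s["offset"])
        else:                                     # absolute: searched in the entire file
            n = len(s["pattern"])
            ok = any(matches_at(data, s["pattern"], p) for p in range(len(data) - n + 1))
        if ok:
            hits.append(s["name"])
    return hits

def can_overlap(a, b):
    """True if both patterns can match the same bytes: no concrete byte disagrees."""
    return all(x is None or y is None or x == y for x, y in zip(a, b))

def overlap_warnings(sigs):
    """(earlier, later) pairs of same-offset relative signatures that can overlap
    with the shorter one first; the rules say to put the longest first."""
    rel = [s for s in sigs if s["ep_only"]]
    return [(a["name"], b["name"]) for i, a in enumerate(rel) for b in rel[i + 1:]
            if a["offset"] == b["offset"] and len(a["pattern"]) < len(b["pattern"])
            and can_overlap(a["pattern"], b["pattern"])]

# Constructed sample signature file and a constructed 48-byte "file" with its
# entry point at raw offset 16 (not real packer signatures).
SIGFILE = """
[Long Packer]
signature = EB 02 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? F6
ep_only = true
[Short Packer]
signature = EB 02 ?? ?? EB 02
ep_only = true
[Shifted Packer]
signature = ?? ?? ?? ?? 90 90
ep_only = true
offset = -2
[Absolute Marker]
signature = 55 8B EC
ep_only = false
"""
EP = 16
DATA = (bytes(EP) + bytes.fromhex("EB02 9090 EB02 00000000000000 F6")
        + bytes(10) + bytes.fromhex("558BEC") + bytes(5))
```

With the sample file in the order shown, `match_all(DATA, parse_signature_file(SIGFILE), EP)` reports all four names and `overlap_warnings` is empty; reversing the section order makes the short "EB 02 ?? ?? EB 02" signature precede the long one, and `overlap_warnings` flags that pair, which is exactly the case the last rule describes.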