Error in signatures detection #18

hasherezade · 2023-02-19T17:20:32Z

Example (from unpacking by Athracene):

Both files have been packed with UPX.

Signature that should match:

UPX_old
48
60 BE 00 ?? ?? ?? 8D BE 00 ?? ?? FF 57 83 CD FF
EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB
75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00

If this is the only signature loaded, both are detected properly. But in case if there are other signatures, only one is detected.

The reason is, there is another signature that overshadows the matching one.

Once the character that is not a wildcard is matched (here at position 3: 60 BE 00 _A0_), the signature with the wildcard is completely dropped.
This is an invalid behavior, and the signature with the wildcards should be still kept for the comparisons.

The text was updated successfully, but these errors were encountered:

…h exact matches (Issue #18)

hasherezade · 2023-02-21T22:43:10Z

After the fixes, both files are detected:

hasherezade · 2023-02-24T18:14:20Z

fixed in the latest release:

https://github.com/hasherezade/pe-bear/releases/tag/v0.6.5

hasherezade added the bug Something isn't working label Feb 19, 2023

hasherezade self-assigned this Feb 19, 2023

hasherezade added a commit that referenced this issue Feb 19, 2023

[BUGFIX] Allow for alternate sig search paths: with wildcards AND wit…

f90c5f3

…h exact matches (Issue #18)

hasherezade closed this as completed Feb 24, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Error in signatures detection #18

Error in signatures detection #18

hasherezade commented Feb 19, 2023

hasherezade commented Feb 21, 2023

hasherezade commented Feb 24, 2023

Error in signatures detection #18

Error in signatures detection #18

Comments

hasherezade commented Feb 19, 2023

hasherezade commented Feb 21, 2023

hasherezade commented Feb 24, 2023