PEiD signature parsing incomplete

[pesco]

While researching the PEiD "userdb.txt" format, I came across your code and decided to have a look at how you handle some of the obscure pattern features I found in the following file that I used as a reference: https://github.com/ynadji/peid/blob/master/userdb.txt

From reading, it seems that your code does not handle the cases I had in mind, leading (I guess) to patterns being misinterpreted.

• Nibble patterns: ?A and A? where A denotes a hex digit.
• Trailing nibbles: sometimes the last element of a signature will consist of a single hex digit.
• Patterns of the form Jx where x is a decimal digit (I've seen J1 and J3). I don't know what these mean.

• Patterns of the form Vx where x is a decimal digit (I've seen V3 and V4). These seem to correspond to substitutions in the name, for example:

  [Adobe PDF (Portable document) Version %v3.%v4] signature = 25 50 44 46 2D V3 2E V4

The file I mentioned contains 178 signatures that show one of the above features; 28 nibble patterns, 34 trailing nibbles, 128 "J" patterns, and 6 "V" patterns.

• In addition, some patterns seem to contain plain text parts, e.g.:

  signature = ... ?E P_ ON LY =T RU E
  signature = ... <S PA NS TY LE =" FO NT -W EI GH T: BO LD "> 01 </ SP AN >? ...
  signature = ... &# 40 ;T RU NC AT ED HE RE &# 41

  I'm not sure how to interpret these.

[erocarrera]

Thanks for letting me know. It's been a while since I wrote the PEiD parsing code. I don't believe I ever aimed at perfect compatibility, as you point out, there are patterns whose meaning does not appear entirely clear. If there were some documentation about the format, please let me know; I could take a look. I'd also accept any PRs to improve the parsing :-)

[ExeinfoASL]

Exeinfo Pe not support : "J", "V" or similar codes if you use external userdb.txt file.