Improve CrypKey detection (#275)

* Improve CrypKey detection * Add CrypKey file detections. * Add new CrypKey executable detections. * Fix CrypKey version parsing * Address PR reviews * Check for both "code" and "CODE" sections
2026-02-04 05:35:49 +00:00 · 2023-12-28 21:35:57 -07:00
parent e76ce64568
commit 04cd1098ea
2 changed files with 71 additions and 4 deletions
--- a/BinaryObjectScanner/Protection/CrypKey.cs
+++ b/BinaryObjectScanner/Protection/CrypKey.cs
@@ -1,4 +1,10 @@
-using BinaryObjectScanner.Interfaces;
+#if NET40_OR_GREATER || NETCOREAPP
+using System.Collections.Concurrent;
+#endif
+using System.Collections.Generic;
+using System.Linq;
+using BinaryObjectScanner.Interfaces;
+using SabreTools.Matching;
 using SabreTools.Serialization.Wrappers;

 namespace BinaryObjectScanner.Protection
@@ -7,7 +13,7 @@ namespace BinaryObjectScanner.Protection
    // https://github.com/horsicq/Detect-It-Easy/blob/master/db/PE/CrypKey%20Installer.1.sg
    // https://github.com/horsicq/Detect-It-Easy/blob/master/db/PE/CrypKey.2.sg
    // https://github.com/wolfram77web/app-peid/blob/master/userdb.txt
-    public class CrypKey : IPortableExecutableCheck
+    public class CrypKey : IPathCheck, IPortableExecutableCheck
    {
        /// <inheritdoc/>
        public string? CheckPortableExecutable(string file, PortableExecutable pex, bool includeDebug)
@@ -17,6 +23,26 @@ namespace BinaryObjectScanner.Protection
            if (sections == null)
                return null;

+            // Get the code/CODE section strings, if they exist
+            var strs = pex.GetFirstSectionStrings("code") ?? pex.GetFirstSectionStrings("CODE");
+            if (strs != null)
+            {
+                // Found in "NECRO95.EXE" in IA item "NBECRORV11".
+                // Full string:
+                // *CrypKey Instant 2.0 security i(32 - bit)  *
+                // *Copyright(c) 1996 Kenonic Controls Ltd.  *
+                if (strs.Any(s => s.Contains("CrypKey Instant 2.0 security")))
+                    return "CrypKey Instant 2.0";
+
+                // Generic check to catch unknown CrypKey Instant versions.
+                if (strs.Any(s => s.Contains("CrypKey Instant")))
+                    return "CrypKey Instant (Unknown version - Please report to us on GitHub)";
+
+                // Generic check to catch unknown CrypKey products.
+                if (strs.Any(s => s.Contains("CrypKey")))
+                    return "CrypKey (Unknown version - Please report to us on GitHub)";
+            }
+
            // Get the CrypKey version from the VersionInfo, if it exists
            string version = pex.GetVersionInfoString("CrypKey Version") ?? string.Empty;

@@ -24,9 +50,14 @@ namespace BinaryObjectScanner.Protection
            var name = pex.CompanyName;
            if (name?.StartsWith("CrypKey") == true)
                return $"CrypKey {version}".TrimEnd();
+            
+            name = pex.FileDescription;
+
+            // Found in "CKSEC_32.DLL" in IA item "NBECRORV11".
+            if (name?.StartsWith("CrypKey Instant security library") == true)
+                return $"CrypKey Instant {pex.GetInternalVersion()}";

            // Found in 'cki32k.dll'
-            name = pex.FileDescription;
            if (name?.StartsWith("CrypKey") == true)
                return $"CrypKey {version}".TrimEnd();

@@ -43,5 +74,41 @@ namespace BinaryObjectScanner.Protection

            return null;
        }
+
+        /// <inheritdoc/>
+#if NET20 || NET35
+        public Queue<string> CheckDirectoryPath(string path, IEnumerable<string>? files)
+#else
+        public ConcurrentQueue<string> CheckDirectoryPath(string path, IEnumerable<string>? files)
+#endif
+        {
+            var matchers = new List<PathMatchSet>
+            {
+                // Found in IA item "NBECRORV11".
+                new(new FilePathMatch("CKLICENS.HLP"), "CrypKey"),
+                new(new FilePathMatch("CKSEC_32.DLL"), "CrypKey"),
+                new(new FilePathMatch("CRYP95.DLL"), "CrypKey"),
+                new(new FilePathMatch("CRYP9516.DLL"), "CrypKey"),
+                new(new FilePathMatch("CRYPKEY.HLP"), "CrypKey"),
+            };
+
+            return MatchUtil.GetAllMatches(files, matchers, any: true);
+        }
+
+        /// <inheritdoc/>
+        public string? CheckFilePath(string path)
+        {
+            var matchers = new List<PathMatchSet>
+            {
+                // Found in IA item "NBECRORV11".
+                new(new FilePathMatch("CKLICENS.HLP"), "CrypKey"),
+                new(new FilePathMatch("CKSEC_32.DLL"), "CrypKey"),
+                new(new FilePathMatch("CRYP95.DLL"), "CrypKey"),
+                new(new FilePathMatch("CRYP9516.DLL"), "CrypKey"),
+                new(new FilePathMatch("CRYPKEY.HLP"), "CrypKey"),
+            };
+
+            return MatchUtil.GetFirstMatch(path, matchers, any: true);
+        }
    }
 }
--- a/README.md
+++ b/README.md
@@ -49,7 +49,7 @@ Below is a list of protections detected by BinaryObjectScanner. The two columns
 | ChosenBytes CodeLock | True | True | Partially unconfirmed² |
 | CopyKiller | True | True | Unconfirmed¹ |
 | CopyLok/CodeLok | True | False | |
-| CrypKey | True | False | |
+| CrypKey | True | True | |
 | Cucko (EA Custom) | True | False | Does not detect all known cases |
 | Denuvo Anti-Cheat/Anti-Tamper| True | True | |
 | DigiGuard | True | True | |