From 2e71ef46352a6cf1da93203959e6acec691d73d8 Mon Sep 17 00:00:00 2001
From: TheRogueArchivist <24215969+TheRogueArchivist@users.noreply.github.com>
Date: Thu, 25 Jan 2024 22:19:16 -0700
Subject: [PATCH] Update CopyKiller detection and notes (WIP) (#277)
* Update CopyKiller detection and notes
* Cleanup Copykiller
---
BinaryObjectScanner/FileType/Textfile.cs | 14 +++
BinaryObjectScanner/Protection/CopyKiller.cs | 108 +++++++++++++++----
BinaryObjectScanner/Utilities/FileTypes.cs | 12 ++-
README.md | 2 +-
4 files changed, 109 insertions(+), 27 deletions(-)
diff --git a/BinaryObjectScanner/FileType/Textfile.cs b/BinaryObjectScanner/FileType/Textfile.cs
index dcd5e3d0..21122907 100644
--- a/BinaryObjectScanner/FileType/Textfile.cs
+++ b/BinaryObjectScanner/FileType/Textfile.cs
@@ -54,6 +54,20 @@ namespace BinaryObjectScanner.FileType
else if (fileContent.Contains("Please enter a valid registration number"))
protections.Add("CD-Key / Serial");
+ // CopyKiller
+ // Found in "autorun.dat" in CopyKiller versions 3.62 and 3.64.
+ if (fileContent.Contains("CopyKiller CD-Protection V3.6x"))
+ protections.Add("CopyKiller V3.62-V3.64");
+ // Found in "autorun.dat" in CopyKiller versions 3.99 and 3.99a.
+ else if (fileContent.Contains("CopyKiller V4 CD / DVD-Protection"))
+ protections.Add("CopyKiller V3.99+");
+ // Found in "engine.wzc" in CopyKiller versions 3.62 and 3.64.
+ else if (fileContent.Contains("CopyKiller V3.6x Protection Engine"))
+ protections.Add("CopyKiller V3.62-V3.64");
+ // Found in "engine.wzc" in CopyKiller versions 3.99 and 3.99a.
+ else if (fileContent.Contains("CopyKiller V3.99x Protection Engine"))
+ protections.Add("CopyKiller V3.99+");
+
// Freelock
// Found in "FILE_ID.DIZ" distributed with Freelock.
if (fileContent.Contains("FREELOCK 1.0"))
diff --git a/BinaryObjectScanner/Protection/CopyKiller.cs b/BinaryObjectScanner/Protection/CopyKiller.cs
index 423e62c1..9eaa025d 100644
--- a/BinaryObjectScanner/Protection/CopyKiller.cs
+++ b/BinaryObjectScanner/Protection/CopyKiller.cs
@@ -1,32 +1,61 @@
-#if NET40_OR_GREATER || NETCOREAPP
+using System;
+#if NET40_OR_GREATER || NETCOREAPP
using System.Collections.Concurrent;
#endif
using System.Collections.Generic;
using BinaryObjectScanner.Interfaces;
using SabreTools.Matching;
+using SabreTools.Serialization.Wrappers;
namespace BinaryObjectScanner.Protection
{
- public class CopyKiller : IContentCheck, IPathCheck
+ ///
+ /// CopyKiller was a program made by Webstylerzone that allowed you to copyprotect your own discs.
+ /// It appears to have used 3 different main forms of copy protection:
+ ///
+ /// First, its core copy protection is applied by adding a folder from the program's installation directory to the disc as you burn it.
+ /// The files in this folder appear to only be text files identifying the software used, and seemingly random file contents.
+ /// How this protects the disc is currently not confirmed, and the data itself isn't corrupted or copied incorrectly on purpose.
+ /// A personal guess is that it intended to use the same effect as SafeDisc's "weak sectors" to rely on the drive writing the disc incorrectly and making an "uncopyable" disc.
+ /// This is backed up by an official description of how CopyKillers works, saying how it "uses a firmware error to make the cd copy protected." (https://web.archive.org/web/20061109151642/http://www.webtoolmaster.com/copykiller.htm)
+ ///
+ /// Second, an optional autorun feature can be used by adding the appropriate contents of the "Autorun" folder from the program's installation directory to the disc as you burn it.
+ /// This relies on Window running the autorun automatically, causing a window to warning to popup that tells the user that this is a pirated copy, with seemingly nothing else happening.
+ /// I believe that it simply checks for the presence of the other protection files due to the complete lack of any ability to customize the DRM.
+ ///
+ /// Last, there is a locked option to learn how to use it to protect audio CDs, but unfortunately this is only available with a registered version.
+ /// This means that the mechanics of how this was done are currently unknown, but may have simply been to write the same folder's data in, whether as raw audio data or a separate data track.
+ ///
+ /// At some point at least as early as 2006 (https://web.archive.org/web/20061109151642/http://www.webtoolmaster.com/copykiller.htm), WTM (WebToolMaster) and Webstylerzone had some sort of partnership.
+ /// For example, WTM began hosting a link to CopyKiller beginning in 2006, and Webstylerzoning advertising WTM's products (https://web.archive.org/web/20070811202419/http://www.webstylerzone.com/en/download_brenner_copykiller_safedisc_safediscscanner_whatspeed_copyprotection_copy_protection_protect_cd_cds_audiocd_datacd_against_copying.htm).
+ /// As of October of 2011, WTM announced that CopyKiller was officially no longer being developed (https://web.archive.org/web/20111014233821/http://webtoolmaster.com/copykiller.htm).
+ ///
+ /// CopyKiller website: https://web.archive.org/web/20030312200712/http://www.webstylerzone.com/CopyKiller/index.htm
+ /// Version 3.62 Installer: https://web.archive.org/web/20031130192048/http://www.webstylerzone.com/Downloads/Brennertools/CopyKiller-Setup.exe
+ /// Version 3.64 Installer: https://web.archive.org/web/20060524220845/http://download.webstylerzone.com:80/exe/CopyKiller-Setup.exe
+ /// Version 3.99 Installer: https://web.archive.org/web/20060524220845/http://download.webstylerzone.com:80/exe/CopyKiller-Setup.exe
+ /// Version 3.99a Installer: https://web.archive.org/web/20070721070138/http://www.webstylerzone.com/Downloads/exe/CopyKiller-Setup.exe
+ /// Version 3.99a Portable: https://web.archive.org/web/20070721070214/http://www.webstylerzone.com/Downloads/zip/CopyKiller.zip
+ ///
+ /// TODO: Add support for the developer's EXE obfuscator, "EXEShield Deluxe". Most, if not all, EXEShield protected files are currently detected as "EXE Stealth" by BOS.
+ /// Samples include CopyKiller (Versions 3.64 & 3.99a) and SafeDiscScanner (Version 0.16) (https://archive.org/details/safediscscanner-0.16-webstylerzone-from-unofficial-source).
+ ///
+ public class CopyKiller : IPathCheck, IPortableExecutableCheck
{
///
- public string? CheckContents(string file, byte[] fileContent, bool includeDebug)
+ public string? CheckPortableExecutable(string file, PortableExecutable pex, bool includeDebug)
{
- // TODO: Obtain a sample to find where this string is in a typical executable
- if (includeDebug)
- {
- var contentMatchSets = new List
- {
- // Tom Commander
- new(new byte?[]
- {
- 0x54, 0x6F, 0x6D, 0x20, 0x43, 0x6F, 0x6D, 0x6D,
- 0x61, 0x6E, 0x64, 0x65, 0x72
- }, "CopyKiller"),
- };
+ // TODO: Figure out how to differentiate between V3.99 and V3.99a.
+ // Get the sections from the executable, if possible
+ var sections = pex.Model.SectionTable;
+ if (sections == null)
+ return null;
- return MatchUtil.GetFirstMatch(file, fileContent, contentMatchSets, includeDebug);
- }
+ // TODO: Figure out why this check doesn't work.
+ // Found in "autorun.exe" in CopyKiller V3.64, V3.99, and V3.99a.
+ var name = pex.ProductName;
+ if (name?.StartsWith("CopyKiller", StringComparison.OrdinalIgnoreCase) == true)
+ return "CopyKiller V3.64+";
return null;
}
@@ -38,11 +67,43 @@ namespace BinaryObjectScanner.Protection
public ConcurrentQueue CheckDirectoryPath(string path, IEnumerable? files)
#endif
{
- // TODO: The following checks are overly broad and should be refined
- // TODO: Look into .PFF files as an indicator. At least one disc has those oversized files
+ // Previous versions of BOS noted to look at ".PFF" files as possible indicators of CopyKiller, but those files seem unrelated.
+ // TODO: Figure out why this doesn't work.
var matchers = new List
{
- //new(new PathMatch("Autorun.dat", useEndsWith: true), "CopyKiller"),
+ new(new FilePathMatch("CopyKillerV3"), "CopyKiller V3.62-3.64"),
+ new(new FilePathMatch("CopyKillerV4"), "CopyKiller V3.99-3.99a"),
+
+ new(new List
+ {
+ new FilePathMatch("ACK3900.ckt"),
+ new FilePathMatch("ACK3999.ckt"),
+ new FilePathMatch("CK100.wzc"),
+ new FilePathMatch("CK2500.ck"),
+ new FilePathMatch("CK3600.tcwz"),
+ new FilePathMatch("Engine.wzc"),
+ new FilePathMatch("P261XP.tcck"),
+ new FilePathMatch("WZ200.rwzc"),
+ new FilePathMatch("XCK3900.ck2"),
+ }, "CopyKiller V3.99+"),
+
+ new(new List
+ {
+ new FilePathMatch("ACK3900.ckt"),
+ new FilePathMatch("CK100.wzc"),
+ new FilePathMatch("CK2500.ck"),
+ new FilePathMatch("CK3600.tcwz"),
+ new FilePathMatch("Engine.wzc"),
+ new FilePathMatch("P261XP.tcck"),
+ new FilePathMatch("WZ200.rwzc"),
+ new FilePathMatch("XCK3900.ck2"),
+ }, "CopyKiller V3.64+"),
+
+ new(new List
+ {
+ new FilePathMatch("CK100.wzc"),
+ new FilePathMatch("Engine.wzc"),
+ }, "CopyKiller V3.62+"),
};
return MatchUtil.GetAllMatches(files, matchers, any: true);
@@ -51,11 +112,12 @@ namespace BinaryObjectScanner.Protection
///
public string? CheckFilePath(string path)
{
- // TODO: The following checks are overly broad and should be refined
- // TODO: Look into .PFF files as an indicator. At least one disc has those oversized files
+ // Previous versions of BOS noted to look at ".PFF" files as possible indicators of CopyKiller, but those files seem unrelated.
+ // TODO: Figure out why this doesn't work.
var matchers = new List
{
- //new(new PathMatch("Autorun.dat", useEndsWith: true), "CopyKiller"),
+ new(new FilePathMatch("CopyKillerV3"), "CopyKiller V3.62-3.64"),
+ new(new FilePathMatch("CopyKillerV4"), "CopyKiller V3.99-3.99a"),
};
return MatchUtil.GetFirstMatch(path, matchers, any: true);
diff --git a/BinaryObjectScanner/Utilities/FileTypes.cs b/BinaryObjectScanner/Utilities/FileTypes.cs
index c07c1072..98455851 100644
--- a/BinaryObjectScanner/Utilities/FileTypes.cs
+++ b/BinaryObjectScanner/Utilities/FileTypes.cs
@@ -725,6 +725,10 @@ namespace BinaryObjectScanner.Utilities
if (extension.Equals("doc", StringComparison.OrdinalIgnoreCase))
return SupportedFileType.Textfile;
+ // Property list
+ if (extension.Equals("plist", StringComparison.OrdinalIgnoreCase))
+ return SupportedFileType.Textfile;
+
// Rich Text File
if (extension.Equals("rtf", StringComparison.OrdinalIgnoreCase))
return SupportedFileType.Textfile;
@@ -737,13 +741,15 @@ namespace BinaryObjectScanner.Utilities
if (extension.Equals("hlp", StringComparison.OrdinalIgnoreCase))
return SupportedFileType.Textfile;
+ // WZC
+ if (extension.Equals("wzc", StringComparison.OrdinalIgnoreCase))
+ return SupportedFileType.Textfile;
+
// XML
if (extension.Equals("xml", StringComparison.OrdinalIgnoreCase))
return SupportedFileType.Textfile;
- // Property list
- if (extension.Equals("plist", StringComparison.OrdinalIgnoreCase))
- return SupportedFileType.Textfile;
+
#endregion
diff --git a/README.md b/README.md
index 5c2683d2..02809f38 100644
--- a/README.md
+++ b/README.md
@@ -47,7 +47,7 @@ Below is a list of protections detected by BinaryObjectScanner. The two columns
| CDSHiELD SE | True | False | |
| Cenga ProtectDVD | True | True | |
| ChosenBytes CodeLock | True | True | Partially unconfirmed² |
-| CopyKiller | True | True | Unconfirmed¹ |
+| CopyKiller | True | True | |
| CopyLok/CodeLok | True | False | |
| CrypKey | True | True | |
| Cucko (EA Custom) | True | False | Does not detect all known cases |