diff --git a/BinaryObjectScanner/Protection/CopyX.cs b/BinaryObjectScanner/Protection/CopyX.cs index b02fae14..008ba3da 100644 --- a/BinaryObjectScanner/Protection/CopyX.cs +++ b/BinaryObjectScanner/Protection/CopyX.cs @@ -25,52 +25,60 @@ namespace BinaryObjectScanner.Protection // I am assuming based on 0 evidence that the former is Light and the latter is Professional. // Because I have no evidence, I am just returning copy-X for now. I have pre-emptively begun seperating the two, // just for when a designation can be applied for sure. - + // Overall: // Whenever I say "at the end of" or "at the start of" pertaining to the filesystem, I mean alphabetically, because this is how copy-X images seem to be mastered. // Both Light and Professional have a directory at the end of the image. The files within this directory are intersected by the physical ring. // This file is usually called ZDAT, but not always. At least one instance of Light calls it ZDATA. At least one instance of Professional calls it System. // Seemingly it can be anything. It doesn't help that most samples are specifically from one company's games, Tivola. Still, most use ZDAT. - + //Professional: //All instances of professional contain a disc check, performed via optgraph.dll. //All instances of professional contain in the directory at the end of the image 3 files. gov_[something].x64, iofile.x64, and sound.x64. //Due to gov's minor name variance, sound.x64 sometimes being intersected by a ring at the start, and iofile.x64 being referenced directly in optgraph.x64, I chose to just check iofile.x64. //It always starts the same, so if there are false positives, a more advanced check can be used if necessary. // TODO: optgraph.dll also contains DRM to prevent kernel debugger SoftICE from being used, via a process called SoftICE-Test. I don't know if this is specifically part of copy-X, or if it's an external solution employed by both copy-X and also other companies. If it's the latter, it should have its own check. It has none here since it wouldn't be necessary. - - + + /// public string? CheckPortableExecutable(string file, PortableExecutable pex, bool includeDebug) //Checks for Professional - { + { //I don't need this to check optgraph.dll, that's redundant. Unsure how to exclude that. if (pex.OverlayStrings != null) { - if (pex.OverlayStrings.Any(s => s.Contains("optgraph.dll"))) //Checks if main executable contains reference to optgraph.dll. Emergency 4's is missing this for some reason. - // TODO: TKKG also has an NE 3.1x executable with a reference. This can be added later. + if (pex.OverlayStrings.Any(s => + s.Contains( + "optgraph.dll"))) //Checks if main executable contains reference to optgraph.dll. Emergency 4's is missing this for some reason. + // TODO: TKKG also has an NE 3.1x executable with a reference. This can be added later. return "copy-X"; } + return null; } - + /// public string? CheckFilePath(string path) //Checks for Professional { - if (Path.GetFileName(path).Equals("optgraph.dll", StringComparison.OrdinalIgnoreCase)) //Filename check for optgraph.dll disc check + if (Path.GetFileName(path) + .Equals("optgraph.dll", + StringComparison.OrdinalIgnoreCase)) //Filename check for optgraph.dll disc check { return "copy-X"; } - if (Path.GetFileName(path).Equals("iofile.x64", StringComparison.OrdinalIgnoreCase)) //Filename check for seemingly comorbid file. + + if (Path.GetFileName(path) + .Equals("iofile.x64", StringComparison.OrdinalIgnoreCase)) //Filename check for seemingly comorbid file. { return "copy-X"; } + return null; } //Light: //All instances of light contain 1 or more files in the directory at the end of the image. They all consist of 0x00, except for the parts with the rings running through them. - + /// #if NET20 || NET35 public Queue CheckDirectoryPath(string path, IEnumerable? files) @@ -93,14 +101,13 @@ namespace BinaryObjectScanner.Protection FileStream stream = new FileStream(fileList[0], FileMode.Open, FileAccess.Read); byte[] block = new byte[1024]; stream.Read(block, 0, 1024); - if (block.All(thisByte => thisByte.Equals(0x00))) //Checks arbitrary number of bytes at the beginning of the first file in ZDAT* to see if they're all 0x00 + if (block.All(thisByte => thisByte.Equals(0x00))) { protections.Enqueue("x-Copy"); - } + } } + return protections; } - - } } \ No newline at end of file