From 3f5a66f170997ddea021aed5b1f8756d0a5d7808 Mon Sep 17 00:00:00 2001 From: TheRogueArchivist Date: Wed, 14 Dec 2022 17:37:06 -0700 Subject: [PATCH] Add support for Gefest Protection System (#185) * Add detection and notes for Gefest Protection System. * Add Gefest Protection System to README. --- BurnOutSharp/ProtectionType/Gefest.cs | 84 +++++++++++++++++++++++++++ README.md | 1 + 2 files changed, 85 insertions(+) create mode 100644 BurnOutSharp/ProtectionType/Gefest.cs diff --git a/BurnOutSharp/ProtectionType/Gefest.cs b/BurnOutSharp/ProtectionType/Gefest.cs new file mode 100644 index 00000000..a1b8b252 --- /dev/null +++ b/BurnOutSharp/ProtectionType/Gefest.cs @@ -0,0 +1,84 @@ +using System; +using System.Collections.Concurrent; +using System.Collections.Generic; +using System.Linq; +using BurnOutSharp.Interfaces; +using BurnOutSharp.Matching; +using BurnOutSharp.Wrappers; + +namespace BurnOutSharp.ProtectionType +{ + /// + /// Gefest Protection System is a completely unknown protection. There is only one known sample (Redump entry 93700), and no useful information online that's been found as of yet. + /// It's unknown if the errors present in the only known sample are a manufacturing error, or if they're related to the protection. + /// Despite this sample supposedly being the "[License Version]", no license key check appears to take place. + /// The sample is protected by a seemingly unrelated packer. Until that packer can be investigated further, here's the infomation that can be found online about it: + /// https://itsafety.net/report/20210912-9edb2d29cbdf1ac7e24fb32d99c1347a-splintercell-exe_general-threat + /// https://xakep.ru/2003/10/06/20015/ + /// https://j3qx.wordpress.com/2008/12/20/%D0%BF%D0%B8%D1%80%D0%B0%D1%82%D1%81%D0%BA%D0%B8%D0%B5-%D0%B7%D0%B0%D0%BC%D0%B0%D1%88%D0%BA%D0%B8-%D0%B8%D0%BB%D0%B8-%D0%B7%D0%B0%D1%89%D0%B8%D1%82%D0%B0-%D0%BE%D1%82-7wolf/ + /// http://www.imho.ws/showthread.php?t=34225 + /// + public class Gefest : IPathCheck, IPortableExecutableCheck + { + /// + public string CheckPortableExecutable(string file, PortableExecutable pex, bool includeDebug) + { + // Get the sections from the executable, if possible + var sections = pex?.SectionTable; + if (sections == null) + return null; + + // Get the HeaderPaddingData, if it exists + if (pex.HeaderPaddingData != null) + { + var matchers = new List + { + // Found in "FDMASTER.EXE" in Redump entry 93700. + // Gefest Protection System + new ContentMatchSet(new byte?[] + { + 0x47, 0x65, 0x66, 0x65, 0x73, 0x74, 0x20, 0x50, + 0x72, 0x6F, 0x74, 0x65, 0x63, 0x74, 0x69, 0x6F, + 0x6E, 0x20, 0x53, 0x79, 0x73, 0x74, 0x65, 0x6D + }, GetVersion, "Gefest Protection System"), + }; + + string match = MatchUtil.GetFirstMatch(file, pex.HeaderPaddingData, matchers, includeDebug); + if (!string.IsNullOrWhiteSpace(match)) + return match; + } + + return null; + } + + /// + public ConcurrentQueue CheckDirectoryPath(string path, IEnumerable files) + { + var matchers = new List + { + // Possibly related file "31AD0095.fil" that appears to contain intentional errors found in Redump entry 93700. + }; + + return MatchUtil.GetAllMatches(files, matchers, any: true); + } + + /// + public string CheckFilePath(string path) + { + var matchers = new List + { + // Possibly related file "31AD0095.fil" that appears to contain intentional errors found in Redump entry 93700. + }; + + return MatchUtil.GetFirstMatch(path, matchers, any: true); + } + + public static string GetVersion(string file, byte[] fileContent, List positions) + { + // TODO: Verify that this works properly with other samples. Look at possibly ending the version string at the first 0x20 character. + int position = positions[0]; + char[] version = new ArraySegment(fileContent, position + 25, 30).Select(b => (char)b).ToArray(); + return new string(version); + } + } +} diff --git a/README.md b/README.md index ff10677a..d01ae191 100644 --- a/README.md +++ b/README.md @@ -58,6 +58,7 @@ Below is a list of protections detected by BurnOutSharp. The two columns explain | Executable-Based Online Registration | True | False | Possibly too broad | | Freelock | False | True | | | Games for Windows - Live | True | True | | +| Gefest Protection System | True | False | | | Hexalock AutoLock | True | True | | | Impulse Reactor / Stardock Product Activation | True | True | | | IndyVCD | False | True | Unconfirmed¹ |