diff --git a/BurnOutSharp/ExecutableType/Microsoft/Headers/MSDOSExecutableHeader.cs b/BurnOutSharp/ExecutableType/Microsoft/Headers/MSDOSExecutableHeader.cs
index 74d6ef52..5e7751bf 100644
--- a/BurnOutSharp/ExecutableType/Microsoft/Headers/MSDOSExecutableHeader.cs
+++ b/BurnOutSharp/ExecutableType/Microsoft/Headers/MSDOSExecutableHeader.cs
@@ -124,6 +124,11 @@ namespace BurnOutSharp.ExecutableType.Microsoft.Headers
#endregion
+ ///
+ /// All data after the last item in the header but before the new EXE header address
+ ///
+ public byte[] ExecutableData;
+
public static MSDOSExecutableHeader Deserialize(Stream stream, bool asStub = true)
{
MSDOSExecutableHeader idh = new MSDOSExecutableHeader();
@@ -152,6 +157,7 @@ namespace BurnOutSharp.ExecutableType.Microsoft.Headers
{
idh.Reserved1[i] = stream.ReadUInt16();
}
+
idh.OEMIdentifier = stream.ReadUInt16();
idh.OEMInformation = stream.ReadUInt16();
idh.Reserved2 = new ushort[Constants.ERES2WDS];
@@ -159,7 +165,9 @@ namespace BurnOutSharp.ExecutableType.Microsoft.Headers
{
idh.Reserved2[i] = stream.ReadUInt16();
}
+
idh.NewExeHeaderAddr = stream.ReadInt32();
+ idh.ExecutableData = stream.ReadBytes(idh.NewExeHeaderAddr - (int)stream.Position);
return idh;
}
@@ -192,6 +200,7 @@ namespace BurnOutSharp.ExecutableType.Microsoft.Headers
{
idh.Reserved1[i] = content.ReadUInt16(ref offset);
}
+
idh.OEMIdentifier = content.ReadUInt16(ref offset);
idh.OEMInformation = content.ReadUInt16(ref offset);
idh.Reserved2 = new ushort[Constants.ERES2WDS];
@@ -199,7 +208,9 @@ namespace BurnOutSharp.ExecutableType.Microsoft.Headers
{
idh.Reserved2[i] = content.ReadUInt16(ref offset);
}
+
idh.NewExeHeaderAddr = content.ReadInt32(ref offset);
+ idh.ExecutableData = content.ReadBytes(ref offset, idh.NewExeHeaderAddr - offset);
return idh;
}
diff --git a/BurnOutSharp/ExecutableType/Microsoft/PortableExecutable.cs b/BurnOutSharp/ExecutableType/Microsoft/PortableExecutable.cs
index 3cd55763..55437574 100644
--- a/BurnOutSharp/ExecutableType/Microsoft/PortableExecutable.cs
+++ b/BurnOutSharp/ExecutableType/Microsoft/PortableExecutable.cs
@@ -92,28 +92,28 @@ namespace BurnOutSharp.ExecutableType.Microsoft
// - .tls *1 protection Thread-local storage (object only)
//
// Here is a list of non-standard sections whose contents are read by various protections:
- // X - CODE *1 protection WTM CD Protect
+ // X - CODE 2 protections SafeDisc, WTM CD Protect
// X - .grand *1 protection CD-Cops / DVD-Cops
// X - .init *1 protection SolidShield
- // - .NOS0 *1 protection UPX (NOS Variant) [Used as endpoint]
- // - .NOS1 *1 protection UPX (NOS Variant) [Used as endpoint]
// - .pec2 *1 protection PE Compact [Unconfirmed]
// X - .txt2 *1 protection SafeDisc
- // - .UPX0 *1 protection UPX [Used as endpoint]
- // - .UPX1 *1 protection UPX [Used as endpoint]
//
- // Here is a list of non-standard sections whose existence are checked by various protections:
+ // Here is a list of non-standard sections whose data is not read by various protections:
// - .brick 1 protection StarForce
// - .cenega 1 protection Cenega ProtectDVD
// - .icd* 1 protection CodeLock
// - .ldr 1 protection 3PLock
// - .ldt 1 protection 3PLock
// - .nicode 1 protection Armadillo
+ // - .NOS0 *1 protection UPX (NOS Variant) [Used as endpoint]
+ // - .NOS1 *1 protection UPX (NOS Variant) [Used as endpoint]
// - .pec1 1 protection PE Compact
// - .securom 1 protection SecuROM
// - .sforce 1 protection StarForce
// - stxt371 1 protection SafeDisc
// - stxt774 1 protection SafeDisc
+ // - .UPX0 *1 protection UPX [Used as endpoint]
+ // - .UPX1 *1 protection UPX [Used as endpoint]
// - .vob.pcd 1 protection VOB ProtectCD
// - _winzip_ 1 protection WinZip SFX
//
diff --git a/BurnOutSharp/PackerType/CExe.cs b/BurnOutSharp/PackerType/CExe.cs
index 816292f2..ff1fc051 100644
--- a/BurnOutSharp/PackerType/CExe.cs
+++ b/BurnOutSharp/PackerType/CExe.cs
@@ -1,7 +1,6 @@
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.IO;
-using System.Linq;
using BurnOutSharp.ExecutableType.Microsoft;
using BurnOutSharp.Matching;
@@ -14,37 +13,31 @@ namespace BurnOutSharp.PackerType
///
public bool ShouldScan(byte[] magic) => true;
- ///
- private List GetContentMatchSets()
- {
- // TODO: Obtain a sample to find where this string is in a typical executable
- return new List
- {
- // %Wo�a6.�a6.�a6.�a6.�{6.�.).�f6.��).�`6.��0.�`6.�
- new ContentMatchSet(
- new ContentMatch(new byte?[]
- {
- 0x25, 0x57, 0x6F, 0xC1, 0x61, 0x36, 0x01, 0x92,
- 0x61, 0x36, 0x01, 0x92, 0x61, 0x36, 0x01, 0x92,
- 0x61, 0x36, 0x00, 0x92, 0x7B, 0x36, 0x01, 0x92,
- 0x03, 0x29, 0x12, 0x92, 0x66, 0x36, 0x01, 0x92,
- 0x89, 0x29, 0x0A, 0x92, 0x60, 0x36, 0x01, 0x92,
- 0xD9, 0x30, 0x07, 0x92, 0x60, 0x36, 0x01, 0x92
- }, end: 200), "CExe"),
- };
- }
-
///
public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex)
{
// Get the sections from the executable, if possible
- var sections = pex?.SectionTable;
- if (sections == null)
+ var stub = pex?.DOSStubHeader;
+ if (stub == null)
return null;
- var contentMatchSets = GetContentMatchSets();
- if (contentMatchSets != null && contentMatchSets.Any())
- return MatchUtil.GetFirstMatch(file, fileContent, contentMatchSets, includeDebug);
+ var matchers = new List
+ {
+ // %Wo�a6.�a6.�a6.�a6.�{6.�.).�f6.��).�`6.��0.�`6.�
+ new ContentMatchSet(new byte?[]
+ {
+ 0x25, 0x57, 0x6F, 0xC1, 0x61, 0x36, 0x01, 0x92,
+ 0x61, 0x36, 0x01, 0x92, 0x61, 0x36, 0x01, 0x92,
+ 0x61, 0x36, 0x00, 0x92, 0x7B, 0x36, 0x01, 0x92,
+ 0x03, 0x29, 0x12, 0x92, 0x66, 0x36, 0x01, 0x92,
+ 0x89, 0x29, 0x0A, 0x92, 0x60, 0x36, 0x01, 0x92,
+ 0xD9, 0x30, 0x07, 0x92, 0x60, 0x36, 0x01, 0x92
+ }, "CExe")
+ };
+
+ string match = MatchUtil.GetFirstMatch(file, pex.DOSStubHeader.ExecutableData, matchers, includeDebug);
+ if (!string.IsNullOrWhiteSpace(match))
+ return match;
return null;
}