SabreTools/BinaryObjectScanner
1
0
Fork 0
mirror of https://github.com/SabreTools/BinaryObjectScanner.git synced 2026-02-14 05:36:07 +00:00
Code Issues 295 Packages Projects Releases 20 Wiki Activity

Convert JoWood to section based; add notes

Browse Source
This commit is contained in:
Matt Nadareski
2021-08-31 22:56:57 -07:00
parent 801eef5f37
commit 593d4a35b7
3 changed files with 79 additions and 74 deletions
Download Patch File Download Diff File Expand all files Collapse all files

53
BurnOutSharp/ProtectionType/JoWooDXProt.cs
View File

@@ -1,53 +0,0 @@
using System;
using System.Collections.Generic;
using System.Linq;
using BurnOutSharp.Matching;
namespace BurnOutSharp.ProtectionType
{
public class JoWooDXProt : IContentCheck
{
/// <inheritdoc/>
public List<ContentMatchSet> GetContentMatchSets()
{
return new List<ContentMatchSet>
{
// @HC09
new ContentMatchSet(new byte?[] { 0x40, 0x48, 0x43, 0x30, 0x39, 0x20, 0x20, 0x20, 0x20 }, "JoWooD X-Prot v2"),
new ContentMatchSet(new List<byte?[]>
{
// .ext
new byte?[] { 0x2E, 0x65, 0x78, 0x74, 0x20, 0x20, 0x20, 0x20 },
// kernel32.dll + (char)0x00 + (char)0x00 + (char)0x00 + VirtualProtect
new byte?[]
{
0x6B, 0x65, 0x72, 0x6E, 0x65, 0x6C, 0x33, 0x32,
0x2E, 0x64, 0x6C, 0x6C, 0x00, 0x00, 0x00, 0x56,
0x69, 0x72, 0x74, 0x75, 0x61, 0x6C, 0x50, 0x72,
0x6F, 0x74, 0x65, 0x63, 0x74
},
}, GetVersion, "JoWooD X-Prot"),
// TODO: This is likely a section header name. When converting, check this
// It also likely goes along with the above. Not sure how yet
// .ext
new ContentMatchSet(
new ContentMatch(new byte?[] { 0x2E, 0x65, 0x78, 0x74, 0x20, 0x20, 0x20, 0x20 }, end: 2048),
"JoWooD X-Prot v1"),
};
}
/// <inheritdoc/>
public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) => null;
public static string GetVersion(string file, byte[] fileContent, List<int> positions)
{
int position = positions[1]--; // TODO: Verify this subtract
char[] version = new ArraySegment<byte>(fileContent, position + 67, 8).Select(b => (char)b).ToArray();
return $"{version[0]}.{version[2]}.{version[4]}.{version[6]}{version[7]}";
}
}
}

79
BurnOutSharp/ProtectionType/JoWood.cs Normal file
View File

@@ -0,0 +1,79 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using BurnOutSharp.ExecutableType.Microsoft;
using BurnOutSharp.Matching;
namespace BurnOutSharp.ProtectionType
{
// Interesting note: the former protection "Xtreme-Protector" was found to be a
// subset of the JoWood X-Prot checks, more specifically the XPROT section check
// that now outputs a version of v1.4+.
public class JoWood : IContentCheck
{
/// <inheritdoc/>
public List<ContentMatchSet> GetContentMatchSets() => null;
/// <inheritdoc/>
public string CheckContents(string file, byte[] fileContent, bool includeDebug = false)
{
// Get the sections from the executable, if possible
PortableExecutable pex = PortableExecutable.Deserialize(fileContent, 0);
var sections = pex?.SectionTable;
if (sections == null)
return null;
// Get the .ext section, if it exists
var extSection = sections.FirstOrDefault(s => Encoding.ASCII.GetString(s.Name).Equals(".ext "));
if (extSection != null)
{
// Get the .dcrtext section, if it exists
var dcrtextSection = sections.FirstOrDefault(s => Encoding.ASCII.GetString(s.Name).Equals(".dcrtext"));
if (dcrtextSection != null)
{
int sectionAddr = (int)dcrtextSection.PointerToRawData;
int sectionEnd = sectionAddr + (int)dcrtextSection.VirtualSize;
var matchers = new List<ContentMatchSet>
{
// kernel32.dll + (char)0x00 + (char)0x00 + (char)0x00 + VirtualProtect
new ContentMatchSet(
new ContentMatch(new byte?[]
{
0x6B, 0x65, 0x72, 0x6E, 0x65, 0x6C, 0x33, 0x32,
0x2E, 0x64, 0x6C, 0x6C, 0x00, 0x00, 0x00, 0x56,
0x69, 0x72, 0x74, 0x75, 0x61, 0x6C, 0x50, 0x72,
0x6F, 0x74, 0x65, 0x63, 0x74
}, start: sectionAddr, end: sectionEnd),
GetVersion, "JoWood X-Prot"),
};
string match = MatchUtil.GetFirstMatch(file, fileContent, matchers, includeDebug);
if (!string.IsNullOrWhiteSpace(match))
return match;
}
return "JoWood X-Prot v1.0-v1.3";
}
// Get the HC09 section, if it exists
var hc09Section = sections.FirstOrDefault(s => Encoding.ASCII.GetString(s.Name).Equals("HC09 "));
if (hc09Section != null)
return "JoWood X-Prot v2"; // TODO: Can we get more granular with the version?
// Get the XPROT section, if it exists
var xprotSection = sections.FirstOrDefault(s => Encoding.ASCII.GetString(s.Name).Equals("XPROT "));
if (xprotSection != null)
return "JoWood X-Prot v1.4+"; // TODO: Can we get more granular with the version?
return null;
}
public static string GetVersion(string file, byte[] fileContent, List<int> positions)
{
int position = positions[0];
char[] version = new ArraySegment<byte>(fileContent, position + 67, 8).Select(b => (char)b).ToArray();
return new string(version);
}
}
}

21
BurnOutSharp/ProtectionType/XtremeProtector.cs
View File

@@ -1,21 +0,0 @@
using System.Collections.Generic;
using BurnOutSharp.Matching;
namespace BurnOutSharp.ProtectionType
{
public class XtremeProtector : IContentCheck
{
/// <inheritdoc/>
public List<ContentMatchSet> GetContentMatchSets()
{
return new List<ContentMatchSet>
{
// XPROT
new ContentMatchSet(new byte?[] { 0x58, 0x50, 0x52, 0x4F, 0x54, 0x20, 0x20, 0x20 }, "Xtreme-Protector"),
};
}
/// <inheritdoc/>
public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) => null;
}
}