SabreTools/BinaryObjectScanner
1
0
Fork 0
mirror of https://github.com/SabreTools/BinaryObjectScanner.git synced 2026-04-29 01:50:24 +00:00
Code Issues 295 Packages Projects Releases 20 Wiki Activity

Convert ImpulseReactor to section based; add notes

Browse Source
This commit is contained in:
Matt Nadareski
2021-09-01 10:27:16 -07:00
parent 5a4e3caea8
commit 8705cac648
1 changed files with 50 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

82
BurnOutSharp/ProtectionType/ImpulseReactor.cs
View File

@@ -1,58 +1,74 @@
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using BurnOutSharp.ExecutableType.Microsoft;
using BurnOutSharp.Matching;
using BurnOutSharp.Tools;
namespace BurnOutSharp.ProtectionType
{
// Note that this set of checks also contains "Stardock Product Activation"
// This is intentional, as that protection is highly related to Impulse Reactor
public class ImpulseReactor : IContentCheck, IPathCheck
{
/// <inheritdoc/>
public List<ContentMatchSet> GetContentMatchSets()
{
return new List<ContentMatchSet>
{
new ContentMatchSet(new List<byte?[]>
{
// CVPInitializeClient
new byte?[]
{
0x43, 0x56, 0x50, 0x49, 0x6E, 0x69, 0x74, 0x69,
0x61, 0x6C, 0x69, 0x7A, 0x65, 0x43, 0x6C, 0x69,
0x65, 0x6E, 0x74
},
public List<ContentMatchSet> GetContentMatchSets() => null;
// A + (char)0x00 + T + (char)0x00 + T + (char)0x00 + L + (char)0x00 + I + (char)0x00 + S + (char)0x00 + T + (char)0x00 + (char)0x00 + (char)0x00 + E + (char)0x00 + L + (char)0x00 + E + (char)0x00 + M + (char)0x00 + E + (char)0x00 + N + (char)0x00 + T + (char)0x00 + (char)0x00 + (char)0x00 + N + (char)0x00 + O + (char)0x00 + T + (char)0x00 + A + (char)0x00 + T + (char)0x00 + I + (char)0x00 + O + (char)0x00 + N + (char)0x00
new byte?[]
{
0x41, 0x00, 0x54, 0x00, 0x54, 0x00, 0x4C, 0x00,
0x49, 0x00, 0x53, 0x00, 0x54, 0x00, 0x00, 0x00,
0x45, 0x00, 0x4C, 0x00, 0x45, 0x00, 0x4D, 0x00,
0x45, 0x00, 0x4E, 0x00, 0x54, 0x00, 0x00, 0x00,
0x4E, 0x00, 0x4F, 0x00, 0x54, 0x00, 0x41, 0x00,
0x54, 0x00, 0x49, 0x00, 0x4F, 0x00, 0x4E
},
}, Utilities.GetFileVersion, "Impulse Reactor"),
/// <inheritdoc/>
public string CheckContents(string file, byte[] fileContent, bool includeDebug = false)
{
// Get the sections from the executable, if possible
PortableExecutable pex = PortableExecutable.Deserialize(fileContent, 0);
var sections = pex?.SectionTable;
if (sections == null)
return null;
// Get the .rdata section, if it exists
var rdataSection = sections.FirstOrDefault(s => Encoding.ASCII.GetString(s.Name).StartsWith(".rdata"));
if (rdataSection != null)
{
int sectionAddr = (int)rdataSection.PointerToRawData;
int sectionEnd = sectionAddr + (int)rdataSection.VirtualSize;
// CVPInitializeClient
new ContentMatchSet(new byte?[]
byte?[] check = new byte?[]
{
0x43, 0x56, 0x50, 0x49, 0x6E, 0x69, 0x74, 0x69,
0x61, 0x6C, 0x69, 0x7A, 0x65, 0x43, 0x6C, 0x69,
0x65, 0x6E, 0x74
}, "Impulse Reactor"),
};
}
};
bool containsCheck = fileContent.FirstPosition(check, out int position, start: sectionAddr, end: sectionEnd);
/// <inheritdoc/>
public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) => null;
// A + (char)0x00 + T + (char)0x00 + T + (char)0x00 + L + (char)0x00 + I + (char)0x00 + S + (char)0x00 + T + (char)0x00 + (char)0x00 + (char)0x00 + E + (char)0x00 + L + (char)0x00 + E + (char)0x00 + M + (char)0x00 + E + (char)0x00 + N + (char)0x00 + T + (char)0x00 + (char)0x00 + (char)0x00 + N + (char)0x00 + O + (char)0x00 + T + (char)0x00 + A + (char)0x00 + T + (char)0x00 + I + (char)0x00 + O + (char)0x00 + N + (char)0x00
byte?[] check2 = new byte?[]
{
0x41, 0x00, 0x54, 0x00, 0x54, 0x00, 0x4C, 0x00,
0x49, 0x00, 0x53, 0x00, 0x54, 0x00, 0x00, 0x00,
0x45, 0x00, 0x4C, 0x00, 0x45, 0x00, 0x4D, 0x00,
0x45, 0x00, 0x4E, 0x00, 0x54, 0x00, 0x00, 0x00,
0x4E, 0x00, 0x4F, 0x00, 0x54, 0x00, 0x41, 0x00,
0x54, 0x00, 0x49, 0x00, 0x4F, 0x00, 0x4E
};
bool containsCheck2 = fileContent.FirstPosition(check2, out int position2, start: sectionAddr, end: sectionEnd);
if (containsCheck && containsCheck2)
return $"Impulse Reactor Core Module {Utilities.GetFileVersion(file, fileContent, new List<int> { position, position2 })}" + (includeDebug ? $" (Index {position}, {position2})" : string.Empty);
else if (containsCheck && !containsCheck2)
return $"Impulse Reactor" + (includeDebug ? $" (Index {position})" : string.Empty);
}
return null;
}
/// <inheritdoc/>
public ConcurrentQueue<string> CheckDirectoryPath(string path, IEnumerable<string> files)
{
// TODO: Verify if these are AND or OR
var matchers = new List<PathMatchSet>
{
new PathMatchSet(new PathMatch("ImpulseReactor.dll", useEndsWith: true), Utilities.GetFileVersion, "Impulse Reactor"),
new PathMatchSet(new PathMatch("ImpulseReactor.dll", useEndsWith: true), Utilities.GetFileVersion, "Impulse Reactor Core Module"),
new PathMatchSet(new PathMatch("ReactorActivate.exe", useEndsWith: true), Utilities.GetFileVersion, "Stardock Product Activation"),
};
return MatchUtil.GetAllMatches(files, matchers, any: true);
@@ -61,9 +77,11 @@ namespace BurnOutSharp.ProtectionType
/// <inheritdoc/>
public string CheckFilePath(string path)
{
// TODO: Verify if these are AND or OR
var matchers = new List<PathMatchSet>
{
new PathMatchSet(new PathMatch("ImpulseReactor.dll", useEndsWith: true), Utilities.GetFileVersion, "Impulse Reactor"),
new PathMatchSet(new PathMatch("ImpulseReactor.dll", useEndsWith: true), Utilities.GetFileVersion, "Impulse Reactor Core Module"),
new PathMatchSet(new PathMatch("ReactorActivate.exe", useEndsWith: true), Utilities.GetFileVersion, "Stardock Product Activation"),
};
return MatchUtil.GetFirstMatch(path, matchers, any: true);