mirror of
https://github.com/SabreTools/BinaryObjectScanner.git
synced 2026-07-09 02:16:46 +00:00
Make packer and protection code more consistent
This commit is contained in:
@@ -13,7 +13,7 @@ namespace BinaryObjectScanner.Packer
|
||||
public string? CheckExecutable(string file, PortableExecutable exe, bool includeDebug)
|
||||
{
|
||||
// Known to detect versions 5.0.0.3 - 8.1.0.0
|
||||
var name = exe.ProductName;
|
||||
string? name = exe.ProductName;
|
||||
if (name.OptionalStartsWith("AutoPlay Media Studio", StringComparison.OrdinalIgnoreCase))
|
||||
return $"AutoPlay Media Studio {GetVersion(exe)}";
|
||||
|
||||
|
||||
@@ -12,7 +12,7 @@ namespace BinaryObjectScanner.Packer
|
||||
public string? CheckExecutable(string file, PortableExecutable exe, bool includeDebug)
|
||||
{
|
||||
// <see href="https://www.virustotal.com/gui/file/0e0a93cba8163cef9c979cbb49a6f15604956b9441aba6fb9e9f0c6897cc73ed/details"/>
|
||||
var name = exe.FileDescription;
|
||||
string? name = exe.FileDescription;
|
||||
if (name.OptionalContains("GP-Install"))
|
||||
return "GP-Install";
|
||||
|
||||
|
||||
@@ -12,7 +12,7 @@ namespace BinaryObjectScanner.Packer
|
||||
public string? CheckExecutable(string file, PortableExecutable exe, bool includeDebug)
|
||||
{
|
||||
// <see href="https://www.virustotal.com/gui/file/867726b7afc1b2343651497bbbe35618f781bb82491a2a768922117c44a897d3/details"/>
|
||||
var name = exe.FileDescription;
|
||||
string? name = exe.FileDescription;
|
||||
if (name.OptionalContains("GkWare Self extractor"))
|
||||
return "GkWare SFX";
|
||||
|
||||
|
||||
@@ -11,7 +11,7 @@ namespace BinaryObjectScanner.Packer
|
||||
/// <inheritdoc/>
|
||||
public string? CheckExecutable(string file, PortableExecutable exe, bool includeDebug)
|
||||
{
|
||||
var name = exe.FileDescription;
|
||||
string? name = exe.FileDescription;
|
||||
if (name.OptionalStartsWith("InstallAnywhere Self Extractor", StringComparison.OrdinalIgnoreCase))
|
||||
return $"InstallAnywhere {GetVersion(exe)}";
|
||||
|
||||
|
||||
@@ -10,7 +10,7 @@ namespace BinaryObjectScanner.Packer
|
||||
/// <inheritdoc/>
|
||||
public string? CheckExecutable(string file, PortableExecutable exe, bool includeDebug)
|
||||
{
|
||||
var name = exe.FileDescription;
|
||||
string? name = exe.FileDescription;
|
||||
if (name.OptionalEquals("Intel(R) Installation Framework", StringComparison.OrdinalIgnoreCase)
|
||||
|| name.OptionalEquals("Intel Installation Framework", StringComparison.OrdinalIgnoreCase))
|
||||
{
|
||||
|
||||
@@ -10,7 +10,7 @@ namespace BinaryObjectScanner.Packer
|
||||
/// <inheritdoc/>
|
||||
public string? CheckExecutable(string file, PortableExecutable exe, bool includeDebug)
|
||||
{
|
||||
var name = exe.InternalName;
|
||||
string? name = exe.InternalName;
|
||||
if (name.OptionalEquals("Wextract", StringComparison.OrdinalIgnoreCase))
|
||||
return $"Microsoft CAB SFX {GetVersion(exe)}";
|
||||
|
||||
|
||||
@@ -9,7 +9,7 @@ namespace BinaryObjectScanner.Packer
|
||||
/// <inheritdoc/>
|
||||
public string? CheckExecutable(string file, PortableExecutable exe, bool includeDebug)
|
||||
{
|
||||
var name = exe.AssemblyDescription;
|
||||
string? name = exe.AssemblyDescription;
|
||||
if (name.OptionalStartsWith("Nullsoft Install System"))
|
||||
return $"NSIS {name!.Substring("Nullsoft Install System".Length).Trim()}";
|
||||
|
||||
|
||||
@@ -13,7 +13,7 @@ namespace BinaryObjectScanner.Packer
|
||||
public string? CheckExecutable(string file, PortableExecutable exe, bool includeDebug)
|
||||
{
|
||||
// Known to detect versions 7.0.5.1 - 9.1.0.0
|
||||
var name = exe.LegalCopyright;
|
||||
string? name = exe.LegalCopyright;
|
||||
if (name.OptionalStartsWith("Setup Engine", StringComparison.OrdinalIgnoreCase))
|
||||
return $"Setup Factory {GetVersion(exe)}";
|
||||
|
||||
|
||||
@@ -12,7 +12,7 @@ namespace BinaryObjectScanner.Packer
|
||||
public string? CheckExecutable(string file, PortableExecutable exe, bool includeDebug)
|
||||
{
|
||||
// <see href="https://www.virustotal.com/gui/file/43b5791a7d87830025efae0db8f1cc5a02b6001f4703b0189adf1412cdbe22ac/details"/>
|
||||
var name = exe.AssemblyDescription;
|
||||
string? name = exe.AssemblyDescription;
|
||||
if (name.OptionalContains("Smart Install Maker"))
|
||||
return "Smart Install Maker";
|
||||
|
||||
|
||||
@@ -12,7 +12,7 @@ namespace BinaryObjectScanner.Packer
|
||||
public string? CheckExecutable(string file, PortableExecutable exe, bool includeDebug)
|
||||
{
|
||||
// <see href="https://www.virustotal.com/gui/file/ad876d9aa59a2c51af776ce7c095af69f41f2947c6a46cfe87a724ecf8745084/details"/>
|
||||
var name = exe.AssemblyDescription;
|
||||
string? name = exe.AssemblyDescription;
|
||||
if (name.OptionalEquals("Spoon Installer"))
|
||||
return "Spoon Installer";
|
||||
|
||||
|
||||
@@ -8,7 +8,7 @@ namespace BinaryObjectScanner.Packer
|
||||
/// <inheritdoc/>
|
||||
public string? CheckExecutable(string file, PortableExecutable exe, bool includeDebug)
|
||||
{
|
||||
var name = exe.AssemblyDescription;
|
||||
string? name = exe.AssemblyDescription;
|
||||
if (name.OptionalContains("WinRAR archiver"))
|
||||
return "WinRAR SFX";
|
||||
|
||||
|
||||
@@ -42,28 +42,33 @@ namespace BinaryObjectScanner.Protection
|
||||
/// <inheritdoc/>
|
||||
public string? CheckExecutable(string file, PortableExecutable exe, bool includeDebug)
|
||||
{
|
||||
string? name = exe.FileDescription;
|
||||
|
||||
// Found in "LineRider2.exe" in Redump entry 6236
|
||||
var name = exe.FileDescription;
|
||||
if (name.OptionalEquals("ByteShield Client"))
|
||||
return $"ByteShield Activation Client {exe.GetInternalVersion()}";
|
||||
|
||||
// Found in "LineRider2.exe" in Redump entry 6236
|
||||
name = exe.InternalName;
|
||||
|
||||
// Found in "LineRider2.exe" in Redump entry 6236
|
||||
if (name.OptionalEquals("ByteShield"))
|
||||
return $"ByteShield Activation Client {exe.GetInternalVersion()}";
|
||||
|
||||
// Found in "LineRider2.exe" in Redump entry 6236
|
||||
name = exe.OriginalFilename;
|
||||
|
||||
// Found in "LineRider2.exe" in Redump entry 6236
|
||||
if (name.OptionalEquals("ByteShield.EXE"))
|
||||
return $"ByteShield Activation Client {exe.GetInternalVersion()}";
|
||||
|
||||
// Found in "LineRider2.exe" in Redump entry 6236
|
||||
name = exe.ProductName;
|
||||
|
||||
// Found in "LineRider2.exe" in Redump entry 6236
|
||||
if (name.OptionalEquals("ByteShield Client"))
|
||||
return $"ByteShield Activation Client {exe.GetInternalVersion()}";
|
||||
|
||||
// Found in "ByteShield.dll" in Redump entry 6236
|
||||
name = exe.ExportTable?.ExportDirectoryTable?.Name;
|
||||
|
||||
// Found in "ByteShield.dll" in Redump entry 6236
|
||||
if (name.OptionalEquals("ByteShield Client"))
|
||||
return "ByteShield Component Module";
|
||||
|
||||
|
||||
@@ -8,7 +8,7 @@ namespace BinaryObjectScanner.Protection
|
||||
/// <inheritdoc/>
|
||||
public string? CheckExecutable(string file, PortableExecutable exe, bool includeDebug)
|
||||
{
|
||||
var name = exe.Comments;
|
||||
string? name = exe.Comments;
|
||||
if (name.OptionalContains("CDCheck utlity for Microsoft Game Studios"))
|
||||
return "Microsoft Game Studios CD Check";
|
||||
|
||||
|
||||
@@ -181,7 +181,7 @@ namespace BinaryObjectScanner.Protection
|
||||
// Found in "bib.dll" in IA item "https://archive.org/details/cover_202501"
|
||||
// This contains the version section that the Content Check looked for. There are likely other sections
|
||||
// that may contain it. Update when more are found.
|
||||
var strs = exe.GetFirstSectionStrings("DATA");
|
||||
var strs = exe.GetFirstSectionStrings(".data") ?? exe.GetFirstSectionStrings("DATA");
|
||||
if (strs != null)
|
||||
{
|
||||
var match = strs.Find(s => s.Contains(" ver. ") && (s.Contains("CD-Cops, ") || s.Contains("DVD-Cops, ")));
|
||||
|
||||
@@ -9,7 +9,8 @@ namespace BinaryObjectScanner.Protection
|
||||
/// <inheritdoc/>
|
||||
public string? CheckExecutable(string file, PortableExecutable exe, bool includeDebug)
|
||||
{
|
||||
var name = exe.InternalName;
|
||||
string? name = exe.InternalName;
|
||||
|
||||
if (name.OptionalEquals("CDKey", StringComparison.OrdinalIgnoreCase))
|
||||
return "CD-Key / Serial";
|
||||
|
||||
|
||||
@@ -25,8 +25,9 @@ namespace BinaryObjectScanner.Protection
|
||||
/// <inheritdoc/>
|
||||
public string? CheckExecutable(string file, PortableExecutable exe, bool includeDebug)
|
||||
{
|
||||
string? name = exe.ProductName;
|
||||
|
||||
// Found in "AbeWincw.dll" in Redump entry 116358 and in "TOYSGMcw.dll" in the "TOYSTORY" installation folder from Redump entry 12354.
|
||||
var name = exe.ProductName;
|
||||
if (name.OptionalEquals("ChannelWare Utilities"))
|
||||
return "Channelware";
|
||||
|
||||
@@ -43,11 +44,13 @@ namespace BinaryObjectScanner.Protection
|
||||
return "Channelware";
|
||||
|
||||
name = exe.FileDescription;
|
||||
|
||||
// Found in "cwuninst.exe" in the "Channelware" folder installed from Redump entry 12354.
|
||||
if (name.OptionalEquals("Channelware Launcher Uninstall"))
|
||||
return "Channelware";
|
||||
|
||||
name = exe.LegalTrademarks;
|
||||
|
||||
// Found in "CWAuto.dll" and "Upgrader.exe" in the "TOYSTORY" installation folder from Redump entry 12354.
|
||||
if (name.OptionalEquals("Channelware"))
|
||||
return "Channelware";
|
||||
|
||||
@@ -24,9 +24,10 @@ namespace BinaryObjectScanner.Protection
|
||||
/// <inheritdoc/>
|
||||
public string? CheckExecutable(string file, PortableExecutable exe, bool includeDebug)
|
||||
{
|
||||
string? name = exe.ProductName;
|
||||
|
||||
// Found in "Code-Lock.ocx" in Code-Lock version 2.35.
|
||||
// Also worth noting is the File Description for this file, which is "A future for you, a challenge for the rest.".
|
||||
var name = exe.ProductName;
|
||||
if (name.OptionalStartsWith("Code-Lock", StringComparison.OrdinalIgnoreCase))
|
||||
return $"ChosenBytes Code-Lock {exe.ProductVersion}";
|
||||
|
||||
|
||||
@@ -20,9 +20,10 @@ namespace BinaryObjectScanner.Protection
|
||||
/// <inheritdoc/>
|
||||
public string? CheckExecutable(string file, PortableExecutable exe, bool includeDebug)
|
||||
{
|
||||
string? name = exe.ProductName;
|
||||
|
||||
// TODO: Figure out why this check doesn't work.
|
||||
// Found in "autorun.exe" in CopyKiller V3.64, V3.99, and V3.99a.
|
||||
var name = exe.ProductName;
|
||||
if (name.OptionalStartsWith("CopyKiller", StringComparison.OrdinalIgnoreCase))
|
||||
return "CopyKiller V3.64+";
|
||||
|
||||
|
||||
@@ -62,10 +62,6 @@ namespace BinaryObjectScanner.Protection
|
||||
// Checks for Professional
|
||||
// PEX checks intentionally only detect Professional
|
||||
|
||||
var sections = exe.SectionTable;
|
||||
if (sections == null)
|
||||
return null;
|
||||
|
||||
if (exe.OverlayStrings != null)
|
||||
{
|
||||
// Checks if main executable contains reference to optgraph.dll.
|
||||
|
||||
@@ -38,8 +38,9 @@ namespace BinaryObjectScanner.Protection
|
||||
// Get the CrypKey version from the VersionInfo, if it exists
|
||||
string version = exe.GetVersionInfoString("CrypKey Version") ?? string.Empty;
|
||||
|
||||
string? name = exe.CompanyName;
|
||||
|
||||
// Found in 'cki32k.dll'
|
||||
var name = exe.CompanyName;
|
||||
if (name.OptionalStartsWith("CrypKey"))
|
||||
return $"CrypKey {version}".TrimEnd();
|
||||
|
||||
@@ -53,8 +54,9 @@ namespace BinaryObjectScanner.Protection
|
||||
if (name.OptionalStartsWith("CrypKey"))
|
||||
return $"CrypKey {version}".TrimEnd();
|
||||
|
||||
// Found in 'cki32k.dll'
|
||||
name = exe.LegalCopyright;
|
||||
|
||||
// Found in 'cki32k.dll'
|
||||
if (name.OptionalContains("CrypKey"))
|
||||
return $"CrypKey {version}".TrimEnd();
|
||||
|
||||
|
||||
@@ -36,8 +36,9 @@ namespace BinaryObjectScanner.Protection
|
||||
{
|
||||
// All current checks for Denuvo Anti-Cheat come from Doom Eternal Update 1 (Steam Depot 782332, Manifest 7064393210727378308).
|
||||
|
||||
string? name = exe.FileDescription;
|
||||
|
||||
// Found in "denuvo-anti-cheat.sys".
|
||||
var name = exe.FileDescription;
|
||||
if (name.OptionalEquals("Denuvo Anti-Cheat Driver", StringComparison.OrdinalIgnoreCase))
|
||||
return $"Denuvo Anti-Cheat";
|
||||
|
||||
@@ -62,8 +63,7 @@ namespace BinaryObjectScanner.Protection
|
||||
// https://github.com/horsicq/Detect-It-Easy/blob/master/db/PE/_denuvoComplete.2.sg
|
||||
|
||||
// Denuvo Protector
|
||||
if (exe.OptionalHeader?.Magic == OHMN.PE32Plus
|
||||
&& exe.EntryPointData != null)
|
||||
if (exe.OptionalHeader?.Magic == OHMN.PE32Plus && exe.EntryPointData != null)
|
||||
{
|
||||
byte?[] denuvoProtector =
|
||||
[
|
||||
@@ -84,7 +84,7 @@ namespace BinaryObjectScanner.Protection
|
||||
new byte[] {
|
||||
0x44, 0x65, 0x6E, 0x75, 0x76, 0x6F, 0x20, 0x54,
|
||||
0x69, 0x6D, 0x69, 0x6E, 0x67,
|
||||
}, "Denuvo")
|
||||
}, "Denuvo")
|
||||
};
|
||||
var timingMatch = MatchUtil.GetFirstMatch(file, exe.EntryPointData, timingMatchers, includeDebug);
|
||||
|
||||
|
||||
@@ -28,20 +28,23 @@ namespace BinaryObjectScanner.Protection
|
||||
/// <inheritdoc/>
|
||||
public string? CheckExecutable(string file, PortableExecutable exe, bool includeDebug)
|
||||
{
|
||||
// Found in "Start.exe" in IA item "Nova_DellBigWIGDVD_USA"/Redump entry 108588.
|
||||
var name = exe.FileDescription;
|
||||
if (name.OptionalEquals("DigiGuard3 Client"))
|
||||
return $"DigiGuard3";
|
||||
string? name = exe.FileDescription;
|
||||
|
||||
// Found in "Start.exe" in IA item "Nova_DellBigWIGDVD_USA"/Redump entry 108588.
|
||||
if (name.OptionalEquals("DigiGuard3 Client"))
|
||||
return "DigiGuard3";
|
||||
|
||||
name = exe.LegalTrademarks;
|
||||
|
||||
// Found in "Start.exe" in IA item "Nova_DellBigWIGDVD_USA"/Redump entry 108588.
|
||||
if (name.OptionalEquals("DigiGuard"))
|
||||
return $"DigiGuard";
|
||||
return "DigiGuard";
|
||||
|
||||
name = exe.ProductName;
|
||||
|
||||
// Found in "PJS3.exe" in IA item "Nova_DellBigWIGDVD_USA"/Redump entry 108588.
|
||||
name = exe.ProductName;
|
||||
if (name.OptionalEquals("Greenleaf Wrapper3"))
|
||||
return $"DigiGuard";
|
||||
return "DigiGuard";
|
||||
|
||||
return null;
|
||||
}
|
||||
|
||||
@@ -40,8 +40,9 @@ namespace BinaryObjectScanner.Protection
|
||||
/// <inheritdoc/>
|
||||
public string? CheckExecutable(string file, PortableExecutable exe, bool includeDebug)
|
||||
{
|
||||
string? name = exe.FileDescription;
|
||||
|
||||
// Found in "IOSLinksys.dll" (Redump entries 31914, 46743, 46961, 79284, and 79374).
|
||||
var name = exe.FileDescription;
|
||||
if (name.OptionalStartsWith("IOSLinkNT", StringComparison.OrdinalIgnoreCase))
|
||||
return "DiscGuard";
|
||||
|
||||
@@ -49,13 +50,15 @@ namespace BinaryObjectScanner.Protection
|
||||
if (name.OptionalStartsWith("TTR Technologies DiscGuard (tm)", StringComparison.OrdinalIgnoreCase))
|
||||
return $"DiscGuard {GetVersion(exe)}";
|
||||
|
||||
// Found in "T29.dll" (Redump entry 31914).
|
||||
name = exe.ProductName;
|
||||
|
||||
// Found in "T29.dll" (Redump entry 31914).
|
||||
if (name.OptionalStartsWith("DiscGuard (tm)", StringComparison.OrdinalIgnoreCase))
|
||||
return "DiscGuard";
|
||||
|
||||
// Found in "IOSLinksys.dll" (Redump entries 31914, 46743, 46961, 79284, and 79374).
|
||||
name = exe.ProductName;
|
||||
|
||||
// Found in "IOSLinksys.dll" (Redump entries 31914, 46743, 46961, 79284, and 79374).
|
||||
if (name.OptionalStartsWith("TTR Technologies Ltd. DiscGuard (tm)", StringComparison.OrdinalIgnoreCase))
|
||||
return "DiscGuard";
|
||||
|
||||
|
||||
@@ -21,17 +21,20 @@ namespace BinaryObjectScanner.Protection
|
||||
/// <inheritdoc/>
|
||||
public string? CheckExecutable(string file, PortableExecutable exe, bool includeDebug)
|
||||
{
|
||||
var name = exe.FileDescription;
|
||||
string? name = exe.FileDescription;
|
||||
|
||||
// Found in "EAAntiCheat.GameServiceLauncher.exe" and "EAAntiCheat.Installer.exe" in "Plants vs. Zombies: Battle for Neighborville" (Steam Depot 1262241, Manifest 8124759833120741594).
|
||||
if (!string.IsNullOrEmpty(name) && name!.Contains("EA Anticheat"))
|
||||
return "EA Anti Cheat";
|
||||
|
||||
name = exe.ProductName;
|
||||
|
||||
// Found in "EAAntiCheat.GameServiceLauncher.exe" and "EAAntiCheat.Installer.exe" in "Plants vs. Zombies: Battle for Neighborville" (Steam Depot 1262241, Manifest 8124759833120741594).
|
||||
if (!string.IsNullOrEmpty(name) && name!.Contains("EA Anticheat"))
|
||||
return "EA Anti Cheat";
|
||||
|
||||
name = exe.InternalName;
|
||||
|
||||
// Found in "EAAntiCheat.GameServiceLauncher.exe" and "EAAntiCheat.Installer.exe" in "Plants vs. Zombies: Battle for Neighborville" (Steam Depot 1262241, Manifest 8124759833120741594).
|
||||
if (!string.IsNullOrEmpty(name) && name!.Equals("skyfall"))
|
||||
return "EA Anti Cheat";
|
||||
|
||||
@@ -24,7 +24,8 @@ namespace BinaryObjectScanner.Protection
|
||||
/// <inheritdoc/>
|
||||
public string? CheckExecutable(string file, PortableExecutable exe, bool includeDebug)
|
||||
{
|
||||
var name = exe.FileDescription;
|
||||
string? name = exe.FileDescription;
|
||||
|
||||
// Found in "VideoHorrorSociety.exe" ("Video Horror Society", Patch 1.0.70309, Steam).
|
||||
if (!string.IsNullOrEmpty(name) && name!.Contains("Easy Anti-Cheat Bootstrapper (EOS)"))
|
||||
return "Easy Anti-Cheat (EOS Version)";
|
||||
@@ -51,6 +52,7 @@ namespace BinaryObjectScanner.Protection
|
||||
// "EasyAntiCheat Service" -> "EasyAntiCheat.exe", which is found installed in "Program Files (x86)\EasyAntiCheat" and "EasyAntiCheat_Setup.exe" ("Intruder", Update 2287, Steam).
|
||||
|
||||
name = exe.ProductName;
|
||||
|
||||
// Found in multiple files, including "VideoHorrorSociety.exe" ("Video Horror Society", Patch 1.0.70309, Steam) and "start_protected_game.exe" ("VRChat", Version 2022.2.2p2, Oculus).
|
||||
if (!string.IsNullOrEmpty(name) && name!.Contains("Easy Anti-Cheat Bootstrapper (EOS)"))
|
||||
return "Easy Anti-Cheat (EOS Version)";
|
||||
|
||||
@@ -9,7 +9,8 @@ namespace BinaryObjectScanner.Protection
|
||||
/// <inheritdoc/>
|
||||
public string? CheckExecutable(string file, PortableExecutable exe, bool includeDebug)
|
||||
{
|
||||
var name = exe.FileDescription;
|
||||
string? name = exe.FileDescription;
|
||||
|
||||
if (name.OptionalContains("EReg MFC Application"))
|
||||
return $"EA CdKey Registration Module {exe.GetInternalVersion()}";
|
||||
else if (name.OptionalContains("Registration code installer program"))
|
||||
@@ -18,6 +19,7 @@ namespace BinaryObjectScanner.Protection
|
||||
return $"EA DRM Protection {exe.GetInternalVersion()}";
|
||||
|
||||
name = exe.InternalName;
|
||||
|
||||
if (name.OptionalEquals("CDCode", StringComparison.Ordinal))
|
||||
return $"EA CdKey Registration Module {exe.GetInternalVersion()}";
|
||||
|
||||
|
||||
@@ -13,7 +13,8 @@ namespace BinaryObjectScanner.Protection
|
||||
/// <inheritdoc/>
|
||||
public string? CheckExecutable(string file, PortableExecutable exe, bool includeDebug)
|
||||
{
|
||||
var name = exe.FileDescription;
|
||||
string? name = exe.FileDescription;
|
||||
|
||||
if (name.OptionalStartsWith("Games for Windows - LIVE Zero Day Piracy Protection", StringComparison.OrdinalIgnoreCase))
|
||||
return $"Games for Windows LIVE - Zero Day Piracy Protection Module {exe.GetInternalVersion()}";
|
||||
else if (name.OptionalStartsWith("Games for Windows", StringComparison.OrdinalIgnoreCase))
|
||||
|
||||
@@ -34,9 +34,10 @@ namespace BinaryObjectScanner.Protection
|
||||
/// <inheritdoc/>
|
||||
public string? CheckExecutable(string file, PortableExecutable exe, bool includeDebug)
|
||||
{
|
||||
string? name = exe.FileDescription;
|
||||
|
||||
// TODO: Fix the following checks, as this information is visible via Windows Explorer but isn't currently being seen by BOS.
|
||||
// Found in "HCPSMng.exe".
|
||||
var name = exe.FileDescription;
|
||||
if (name.OptionalStartsWith("HCPS Manager", StringComparison.OrdinalIgnoreCase))
|
||||
return $"Hexalock AutoLock 4.5";
|
||||
|
||||
@@ -44,8 +45,9 @@ namespace BinaryObjectScanner.Protection
|
||||
if (name.OptionalStartsWith("HCPS Loader", StringComparison.OrdinalIgnoreCase))
|
||||
return $"Hexalock AutoLock 4.5";
|
||||
|
||||
// Found in both "HCPSMng.exe" and in the file typically named "Start_Here.exe".
|
||||
name = exe.ProductName;
|
||||
|
||||
// Found in both "HCPSMng.exe" and in the file typically named "Start_Here.exe".
|
||||
if (name.OptionalStartsWith("HCPS", StringComparison.OrdinalIgnoreCase))
|
||||
return $"Hexalock AutoLock 4.5";
|
||||
|
||||
@@ -57,7 +59,7 @@ namespace BinaryObjectScanner.Protection
|
||||
if (strs.Exists(s => s.Contains("mfint.dll")))
|
||||
return "Hexalock Autolock";
|
||||
}
|
||||
|
||||
|
||||
// Get the code/CODE section strings, if they exist
|
||||
strs = exe.GetFirstSectionStrings("code") ?? exe.GetFirstSectionStrings("CODE");
|
||||
if (strs != null)
|
||||
@@ -66,7 +68,7 @@ namespace BinaryObjectScanner.Protection
|
||||
if (strs.Exists(s => s.Contains("mfint.dll")))
|
||||
return "Hexalock Autolock";
|
||||
}
|
||||
|
||||
|
||||
// Get the UPX1 section strings, if they exist
|
||||
strs = exe.GetFirstSectionStrings("UPX1");
|
||||
if (strs != null)
|
||||
@@ -75,7 +77,7 @@ namespace BinaryObjectScanner.Protection
|
||||
if (strs.Exists(s => s.Contains("mfint.dll")))
|
||||
return "Hexalock Autolock";
|
||||
}
|
||||
|
||||
|
||||
return null;
|
||||
}
|
||||
|
||||
|
||||
@@ -15,15 +15,18 @@ namespace BinaryObjectScanner.Protection
|
||||
/// <inheritdoc/>
|
||||
public string? CheckExecutable(string file, PortableExecutable exe, bool includeDebug)
|
||||
{
|
||||
var name = exe.FileDescription;
|
||||
string? name = exe.FileDescription;
|
||||
|
||||
if (name.OptionalContains("ImpulseReactor Dynamic Link Library"))
|
||||
return $"Impulse Reactor Core Module {exe.GetInternalVersion()}";
|
||||
|
||||
name = exe.ProductName;
|
||||
|
||||
if (name.OptionalContains("ImpulseReactor Dynamic Link Library"))
|
||||
return $"Impulse Reactor Core Module {exe.GetInternalVersion()}";
|
||||
|
||||
name = exe.OriginalFilename;
|
||||
|
||||
if (name.OptionalContains("ReactorActivate.exe"))
|
||||
return $"Stardock Product Activation {exe.GetInternalVersion()}";
|
||||
|
||||
@@ -45,7 +48,7 @@ namespace BinaryObjectScanner.Protection
|
||||
if (containsCheck && containsCheck2)
|
||||
return $"Impulse Reactor Core Module {exe.GetInternalVersion()}";
|
||||
else if (containsCheck && !containsCheck2)
|
||||
return $"Impulse Reactor";
|
||||
return "Impulse Reactor";
|
||||
|
||||
return null;
|
||||
}
|
||||
|
||||
@@ -50,13 +50,11 @@ namespace BinaryObjectScanner.Protection
|
||||
}
|
||||
|
||||
// Get the HC09 section, if it exists
|
||||
bool hc09Section = exe.ContainsSection("HC09 ", exact: true);
|
||||
if (hc09Section)
|
||||
if (exe.ContainsSection("HC09 ", exact: true))
|
||||
return "JoWood X-Prot v2"; // TODO: Can we get more granular with the version?
|
||||
|
||||
// Get the XPROT section, if it exists
|
||||
var xprotSection = exe.ContainsSection("XPROT ", exact: true);
|
||||
if (xprotSection)
|
||||
if (exe.ContainsSection("XPROT ", exact: true))
|
||||
return "JoWood X-Prot v1.4+"; // TODO: Can we get more granular with the version?
|
||||
|
||||
return null;
|
||||
|
||||
@@ -26,7 +26,7 @@ namespace BinaryObjectScanner.Protection
|
||||
// TODO: Investigate if there are any viable checks for the game EXE itself.
|
||||
// "Styx" is found as the File Description and Product Name in "KalypsoLauncher.dll", but checks aren't included due to the risk of false positives.
|
||||
|
||||
var name = exe.InternalName;
|
||||
string? name = exe.InternalName;
|
||||
|
||||
// Found in "KalypsoLauncher.dll" in Redump entry 95617.
|
||||
if (name.OptionalContains("KalypsoLauncher.dll"))
|
||||
|
||||
@@ -21,14 +21,16 @@ namespace BinaryObjectScanner.Protection
|
||||
/// <inheritdoc/>
|
||||
public string? CheckExecutable(string file, PortableExecutable exe, bool includeDebug)
|
||||
{
|
||||
string? name = exe.FileDescription;
|
||||
|
||||
// Should be present on all LabelGate CD2 discs (Redump entry 95010 and product ID SVWC-7185).
|
||||
var name = exe.FileDescription;
|
||||
if (name.OptionalStartsWith("MAGIQLIP2 Installer", StringComparison.OrdinalIgnoreCase))
|
||||
return $"LabelGate CD2 Media Player";
|
||||
return "LabelGate CD2 Media Player";
|
||||
|
||||
name = exe.ProductName;
|
||||
|
||||
if (name.OptionalStartsWith("MQSTART", StringComparison.OrdinalIgnoreCase))
|
||||
return $"LabelGate CD2 Media Player";
|
||||
return "LabelGate CD2 Media Player";
|
||||
|
||||
// Get the .data/DATA section strings, if they exist
|
||||
var strs = exe.GetFirstSectionStrings(".data") ?? exe.GetFirstSectionStrings("DATA");
|
||||
|
||||
@@ -9,7 +9,7 @@ namespace BinaryObjectScanner.Protection
|
||||
/// <inheritdoc/>
|
||||
public string? CheckExecutable(string file, PortableExecutable exe, bool includeDebug)
|
||||
{
|
||||
var name = exe.ProductName;
|
||||
string? name = exe.ProductName;
|
||||
|
||||
// Found in "Register.dll" in IA item "MGIPhotoSuite4.0AndPhotoVista2.02001".
|
||||
if (name.OptionalEquals("MGI Registration Utility", StringComparison.Ordinal))
|
||||
|
||||
@@ -62,7 +62,7 @@ namespace BinaryObjectScanner.Protection
|
||||
/// <inheritdoc cref="Interfaces.IExecutableCheck{T}.CheckExecutable(string, T, bool)"/>
|
||||
internal static string? CDillaCheckExecutable(string file, PortableExecutable exe, bool includeDebug)
|
||||
{
|
||||
var name = exe.FileDescription;
|
||||
string? name = exe.FileDescription;
|
||||
|
||||
// Found in in "cdilla52.dll" from C-Dilla LMS version 3.24.010.
|
||||
if (name.OptionalEquals("32-bit C-Dilla DLL", StringComparison.OrdinalIgnoreCase))
|
||||
|
||||
@@ -47,10 +47,11 @@ namespace BinaryObjectScanner.Protection
|
||||
if (exe.FindGenericResource("CactusPJ").Count > 0)
|
||||
return "PlayJ Music Player (Cactus Data Shield 200)";
|
||||
|
||||
string? name = exe.ProductName;
|
||||
|
||||
// Found in various files in "Les Paul & Friends" (Barcode 4 98806 834170).
|
||||
var name = exe.ProductName;
|
||||
if (name.OptionalEquals("CDS300", StringComparison.OrdinalIgnoreCase))
|
||||
return $"Cactus Data Shield 300";
|
||||
return "Cactus Data Shield 300";
|
||||
|
||||
return null;
|
||||
}
|
||||
|
||||
@@ -14,7 +14,7 @@ namespace BinaryObjectScanner.Protection
|
||||
/// <inheritdoc cref="Interfaces.IExecutableCheck{T}.CheckExecutable(string, T, bool)"/>
|
||||
internal static string? FLEXnetCheckExecutable(string file, PortableExecutable exe, bool includeDebug)
|
||||
{
|
||||
var name = exe.ProductName;
|
||||
string? name = exe.ProductName;
|
||||
|
||||
// Found in "IsSvcInstDanceEJay7.dll" in IA item "computer200709dvd" (Dance eJay 7).
|
||||
if (name.OptionalEquals("FLEXnet Activation Toolkit", StringComparison.OrdinalIgnoreCase))
|
||||
|
||||
@@ -1,6 +1,5 @@
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.IO;
|
||||
using SabreTools.Hashing;
|
||||
using SabreTools.Matching;
|
||||
using SabreTools.Matching.Paths;
|
||||
@@ -21,31 +20,24 @@ namespace BinaryObjectScanner.Protection
|
||||
/// <inheritdoc cref="Interfaces.IExecutableCheck{T}.CheckExecutable(string, T, bool)"/>
|
||||
internal static string? RipGuardCheckExecutable(string file, PortableExecutable exe, bool includeDebug)
|
||||
{
|
||||
string? name = exe.FileDescription;
|
||||
|
||||
// Found in "RGASDEV.SYS" in the Black Lagoon Season 1 DVD Steelbook box set (Geneon ID 12970).
|
||||
var name = exe.FileDescription;
|
||||
if (name.OptionalEquals("rgasdev", StringComparison.OrdinalIgnoreCase))
|
||||
return "RipGuard";
|
||||
|
||||
// Found in "RGASDEV.SYS" in the Black Lagoon Season 1 DVD Steelbook box set (Geneon ID 12970).
|
||||
name = exe.ProductName;
|
||||
|
||||
// Found in "RGASDEV.SYS" in the Black Lagoon Season 1 DVD Steelbook box set (Geneon ID 12970).
|
||||
if (name.OptionalEquals("rgasdev", StringComparison.OrdinalIgnoreCase))
|
||||
return "RipGuard";
|
||||
|
||||
if (!string.IsNullOrEmpty(file) && File.Exists(file))
|
||||
// So far, every seemingly-randomly named EXE on RipGuard discs have a consistent hash.
|
||||
if (exe.Length == 49_152)
|
||||
{
|
||||
try
|
||||
{
|
||||
var fi = new FileInfo(file);
|
||||
|
||||
// So far, every seemingly-randomly named EXE on RipGuard discs have a consistent hash.
|
||||
if (fi.Length == 49_152)
|
||||
{
|
||||
var sha1 = HashTool.GetFileHash(file, HashType.SHA1);
|
||||
if (string.Equals(sha1, "6A7B8545800E0AB252773A8CD0A2185CA2497938", StringComparison.OrdinalIgnoreCase))
|
||||
return "RipGuard";
|
||||
}
|
||||
}
|
||||
catch { }
|
||||
var sha1 = HashTool.GetFileHash(file, HashType.SHA1);
|
||||
if (string.Equals(sha1, "6A7B8545800E0AB252773A8CD0A2185CA2497938", StringComparison.OrdinalIgnoreCase))
|
||||
return "RipGuard";
|
||||
}
|
||||
|
||||
return null;
|
||||
|
||||
@@ -97,23 +97,24 @@ namespace BinaryObjectScanner.Protection
|
||||
return "SafeCast";
|
||||
}
|
||||
|
||||
string? name = exe.FileDescription;
|
||||
|
||||
// Found in "32bit\Tax02\cdac14ba.dll" in IA item "TurboTax Deluxe Tax Year 2002 for Wndows (2.00R)(Intuit)(2002)(352282)".
|
||||
var name = exe.FileDescription;
|
||||
if (name.OptionalEquals("SafeCast2", StringComparison.OrdinalIgnoreCase))
|
||||
return "SafeCast";
|
||||
|
||||
// Found in "cdac01ba.dll" from IA item "ejay_nestle_trial".
|
||||
// TODO: Figure out a reasonable way to parse version.
|
||||
if (name.OptionalEquals("CdaC01BA", StringComparison.OrdinalIgnoreCase))
|
||||
return $"SafeCast";
|
||||
return "SafeCast";
|
||||
|
||||
// Found in "C2CDEL.EXE" in IA item "britney-spears-special-edition-cd-rom".
|
||||
if (name.OptionalEquals("32-bit SafeCast Copy To Clear Delete", StringComparison.OrdinalIgnoreCase))
|
||||
return $"SafeCast";
|
||||
return "SafeCast";
|
||||
|
||||
// Found in "C2C.DLL" in IA item "britney-spears-special-edition-cd-rom".
|
||||
if (name.OptionalEquals("32-bit SafeCast Shell Copy To Clear DLL", StringComparison.OrdinalIgnoreCase))
|
||||
return $"SafeCast";
|
||||
return "SafeCast";
|
||||
|
||||
// Found in "SCRfrsh.exe" in Redump entry 102979.
|
||||
if (name.OptionalEquals("32-bit SafeCast Toolkit", StringComparison.OrdinalIgnoreCase))
|
||||
@@ -121,14 +122,15 @@ namespace BinaryObjectScanner.Protection
|
||||
|
||||
// Found in "CDAC14BA.DLL" in Redump entry 95524.
|
||||
if (name.OptionalEquals("32-bit SafeCast Anchor Installer", StringComparison.OrdinalIgnoreCase))
|
||||
return $"SafeCast";
|
||||
return "SafeCast";
|
||||
|
||||
// Found in "CDAC21BA.DLL" in Redump entry 95524.
|
||||
if (name.OptionalEquals("32-bit CdaC20BA", StringComparison.OrdinalIgnoreCase))
|
||||
return $"SafeCast";
|
||||
return "SafeCast";
|
||||
|
||||
name = exe.ProductName;
|
||||
|
||||
// Found in hidden resource of "32bit\Tax02\cdac14ba.dll" in IA item "TurboTax Deluxe Tax Year 2002 for Wndows (2.00R)(Intuit)(2002)(352282)".
|
||||
name = exe.ProductName;
|
||||
if (name.OptionalEquals("SafeCast Windows NT", StringComparison.OrdinalIgnoreCase))
|
||||
return "SafeCast";
|
||||
|
||||
|
||||
@@ -81,7 +81,8 @@ namespace BinaryObjectScanner.Protection
|
||||
return "Macrovision SecDrv Update Installer";
|
||||
}
|
||||
|
||||
var name = exe.FileDescription;
|
||||
string? name = exe.FileDescription;
|
||||
|
||||
// Present in "Diag.exe" files from SafeDisc 4.50.000+.
|
||||
if (name.OptionalEquals("SafeDisc SRV Tool APP", StringComparison.OrdinalIgnoreCase))
|
||||
return $"SafeDisc SRV Tool APP {GetSafeDiscDiagExecutableVersion(exe)}";
|
||||
@@ -90,8 +91,9 @@ namespace BinaryObjectScanner.Protection
|
||||
if (name.OptionalEquals("Macrovision SecDrv Update", StringComparison.OrdinalIgnoreCase))
|
||||
return "Macrovision SecDrv Update Installer";
|
||||
|
||||
// Present on all "CLOKSPL.DLL" versions before SafeDisc 1.06.000. Found on Redump entries 61731 and 66004.
|
||||
name = exe.ProductName;
|
||||
|
||||
// Present on all "CLOKSPL.DLL" versions before SafeDisc 1.06.000. Found on Redump entries 61731 and 66004.
|
||||
if (name.OptionalEquals("SafeDisc CDROM Protection System", StringComparison.OrdinalIgnoreCase))
|
||||
return "SafeDisc 1.00.025-1.01.044";
|
||||
|
||||
@@ -109,9 +111,10 @@ namespace BinaryObjectScanner.Protection
|
||||
else if (name.OptionalEquals("SafeDisc AuthServ APP", StringComparison.OrdinalIgnoreCase))
|
||||
return $"SafeDisc AuthServ APP {GetSafeDiscAuthServVersion(exe)}";
|
||||
|
||||
name = exe.FileDescription;
|
||||
|
||||
// Present on all "CLOKSPL.EXE" versions before SafeDisc 1.06.000. Found on Redump entries 61731 and 66004.
|
||||
// Only found so far on SafeDisc 1.00.025-1.01.044, but the report is currently left generic due to the generic nature of the check.
|
||||
name = exe.FileDescription;
|
||||
if (name.OptionalEquals("SafeDisc", StringComparison.OrdinalIgnoreCase))
|
||||
return "SafeDisc";
|
||||
|
||||
|
||||
@@ -47,7 +47,7 @@ namespace BinaryObjectScanner.Protection
|
||||
var resultsList = new List<string>();
|
||||
|
||||
// Check for generic indications of Macrovision protections first.
|
||||
var name = exe.FileDescription;
|
||||
string? name = exe.FileDescription;
|
||||
|
||||
// Present in "secdrv.sys" files found in SafeDisc 2.80.010+.
|
||||
if (name.OptionalEquals("Macrovision SECURITY Driver", StringComparison.OrdinalIgnoreCase))
|
||||
|
||||
@@ -18,15 +18,17 @@ namespace BinaryObjectScanner.Protection
|
||||
/// <inheritdoc/>
|
||||
public string? CheckExecutable(string file, PortableExecutable exe, bool includeDebug)
|
||||
{
|
||||
// Found in scvfy.exe on "Charley Pride - A Tribute to Jim Reeves" (barcode "7 816190222-2 4").
|
||||
var name = exe.FileDescription;
|
||||
if (name.OptionalStartsWith("scvfy MFC Application", StringComparison.OrdinalIgnoreCase))
|
||||
return $"MediaCloQ";
|
||||
string? name = exe.FileDescription;
|
||||
|
||||
// Found in scvfy.exe on "Charley Pride - A Tribute to Jim Reeves" (barcode "7 816190222-2 4").
|
||||
if (name.OptionalStartsWith("scvfy MFC Application", StringComparison.OrdinalIgnoreCase))
|
||||
return "MediaCloQ";
|
||||
|
||||
name = exe.ProductName;
|
||||
|
||||
// Found in scvfy.exe on "Charley Pride - A Tribute to Jim Reeves" (barcode "7 816190222-2 4").
|
||||
if (name.OptionalStartsWith("scvfy Application", StringComparison.OrdinalIgnoreCase))
|
||||
return $"MediaCloQ";
|
||||
return "MediaCloQ";
|
||||
|
||||
return null;
|
||||
}
|
||||
|
||||
@@ -18,12 +18,14 @@ namespace BinaryObjectScanner.Protection
|
||||
/// <inheritdoc/>
|
||||
public string? CheckExecutable(string file, PortableExecutable exe, bool includeDebug)
|
||||
{
|
||||
string? name = exe.FileDescription;
|
||||
|
||||
// Used to detect "LicGen.exe", found on "All That I Am" by Santana (Barcode 8 2876-59773-2 6)
|
||||
var name = exe.FileDescription;
|
||||
if (name.OptionalStartsWith("LicGen Module", StringComparison.OrdinalIgnoreCase))
|
||||
return $"MediaMax CD-3";
|
||||
|
||||
name = exe.ProductName;
|
||||
|
||||
if (name.OptionalStartsWith("LicGen Module", StringComparison.OrdinalIgnoreCase))
|
||||
return $"MediaMax CD-3";
|
||||
|
||||
|
||||
@@ -31,7 +31,7 @@ namespace BinaryObjectScanner.Protection
|
||||
if (exe.ContainsSection(".neac0", exact: true) || exe.ContainsSection(".neac1", exact: true))
|
||||
return "NEAC Protect";
|
||||
|
||||
var name = exe.ProductName;
|
||||
string? name = exe.ProductName;
|
||||
|
||||
// Found in "NeacSafe64.sys" and "NeacSafe.sys".
|
||||
// TODO: Fix Product Name not being properly grabbed from the file.
|
||||
|
||||
@@ -35,7 +35,7 @@ namespace BinaryObjectScanner.Protection
|
||||
{
|
||||
// TODO: Investigate if there are any viable checks for the game EXE itself.
|
||||
|
||||
var name = exe.FileDescription;
|
||||
string? name = exe.FileDescription;
|
||||
|
||||
// Found in "GameGuard.des" in Redump entry 90526 and 99598, and "Soulworker" (Steam Depot 1377581, Manifest 5092481117079359342).
|
||||
if (name.OptionalContains("nProtect GameGuard Launcher"))
|
||||
|
||||
@@ -9,8 +9,9 @@ namespace BinaryObjectScanner.Protection
|
||||
/// <inheritdoc/>
|
||||
public string? CheckExecutable(string file, PortableExecutable exe, bool includeDebug)
|
||||
{
|
||||
string? name = exe.InternalName;
|
||||
|
||||
// TODO: Is this too broad in general?
|
||||
var name = exe.InternalName;
|
||||
if (name.OptionalStartsWith("EReg", StringComparison.OrdinalIgnoreCase))
|
||||
return $"Executable-Based Online Registration {exe.GetInternalVersion()}";
|
||||
|
||||
|
||||
@@ -19,41 +19,43 @@ namespace BinaryObjectScanner.Protection
|
||||
/// <inheritdoc/>
|
||||
public string? CheckExecutable(string file, PortableExecutable exe, bool includeDebug)
|
||||
{
|
||||
string? name = exe.LegalTrademarks;
|
||||
|
||||
// Found in many different OpenMG related files ("Touch" by Amerie).
|
||||
var name = exe.LegalTrademarks;
|
||||
if (name.OptionalStartsWith("OpenMG", StringComparison.OrdinalIgnoreCase))
|
||||
return $"OpenMG";
|
||||
return "OpenMG";
|
||||
|
||||
name = exe.FileDescription;
|
||||
|
||||
// Found in "OMGDBP.OCX" ("Touch" by Amerie).
|
||||
name = exe.FileDescription;
|
||||
if (name.OptionalStartsWith("LGDiscComp Module", StringComparison.OrdinalIgnoreCase))
|
||||
return $"OpenMG";
|
||||
return "OpenMG";
|
||||
|
||||
// Found in "OMGDWRAP.DLL" ("Touch" by Amerie).
|
||||
if (name.OptionalStartsWith("LGDSimplePlayer Module", StringComparison.OrdinalIgnoreCase))
|
||||
return $"OpenMG";
|
||||
return "OpenMG";
|
||||
|
||||
// Found in "OMGLGD.DLL" ("Touch" by Amerie).
|
||||
if (name.OptionalStartsWith("omglgd Module", StringComparison.OrdinalIgnoreCase))
|
||||
return $"OpenMG";
|
||||
return "OpenMG";
|
||||
|
||||
// Found in "OMGUTILS.DLL" ("Touch" by Amerie).
|
||||
if (name.OptionalStartsWith("OpenMG Utility", StringComparison.OrdinalIgnoreCase))
|
||||
return $"OpenMG";
|
||||
return "OpenMG";
|
||||
|
||||
// Found in "SALWRAP.DLL" ("Touch" by Amerie).
|
||||
if (name.OptionalStartsWith("Secure Application Loader Wrapper", StringComparison.OrdinalIgnoreCase))
|
||||
return $"OpenMG";
|
||||
return "OpenMG";
|
||||
|
||||
// Found in "SDKHM.DLL" ("Touch" by Amerie).
|
||||
// Not every copy of this file has this File Description (Redump entry 95010).
|
||||
if (name.OptionalStartsWith("SDKHM (KEEP)", StringComparison.OrdinalIgnoreCase))
|
||||
return $"OpenMG";
|
||||
return "OpenMG";
|
||||
|
||||
// Found in "SDKHM.EXE" ("Touch" by Amerie).
|
||||
// Not every copy of this file has this File Description (Redump entry 95010).
|
||||
if (name.OptionalStartsWith("SDKHM (KEPT)", StringComparison.OrdinalIgnoreCase))
|
||||
return $"OpenMG";
|
||||
return "OpenMG";
|
||||
|
||||
return null;
|
||||
}
|
||||
|
||||
@@ -12,11 +12,13 @@ namespace BinaryObjectScanner.Protection
|
||||
/// <inheritdoc/>
|
||||
public string? CheckExecutable(string file, PortableExecutable exe, bool includeDebug)
|
||||
{
|
||||
var name = exe.FileDescription;
|
||||
string? name = exe.FileDescription;
|
||||
|
||||
if (name.OptionalEquals("Origin", StringComparison.OrdinalIgnoreCase))
|
||||
return "Origin";
|
||||
|
||||
name = exe.ProductName;
|
||||
|
||||
if (name.OptionalEquals("Origin", StringComparison.OrdinalIgnoreCase))
|
||||
return "Origin";
|
||||
|
||||
|
||||
@@ -16,20 +16,23 @@ namespace BinaryObjectScanner.Protection
|
||||
/// <inheritdoc/>
|
||||
public string? CheckExecutable(string file, PortableExecutable exe, bool includeDebug)
|
||||
{
|
||||
string? name = exe.FileDescription;
|
||||
|
||||
// Found in "PlayJ.exe" (https://web.archive.org/web/20010417025347/http://dlp.playj.com:80/playj/PlayJIns266.exe) and "CACTUSPJ.exe" ("Volumia!" by Puur (Barcode 7 43218 63282 2) (Discogs Release Code [r795427])).
|
||||
var name = exe.FileDescription;
|
||||
if (name.OptionalStartsWith("PlayJ Music Player", StringComparison.OrdinalIgnoreCase))
|
||||
return $"PlayJ Music Player";
|
||||
return "PlayJ Music Player";
|
||||
|
||||
name = exe.FileDescription;
|
||||
|
||||
// Found in "PJSTREAM.DLL" ("Volumia!" by Puur (Barcode 7 43218 63282 2) (Discogs Release Code [r795427])).
|
||||
name = exe.FileDescription;
|
||||
if (name.OptionalStartsWith("EVAUX32 Module", StringComparison.OrdinalIgnoreCase))
|
||||
return $"PlayJ Music Player Component";
|
||||
return "PlayJ Music Player Component";
|
||||
|
||||
name = exe.ProductName;
|
||||
|
||||
// Found in "PlayJ.exe" (https://web.archive.org/web/20010417025347/http://dlp.playj.com:80/playj/PlayJIns266.exe) and "CACTUSPJ.exe" ("Volumia!" by Puur (Barcode 7 43218 63282 2) (Discogs Release Code [r795427])).
|
||||
name = exe.ProductName;
|
||||
if (name.OptionalStartsWith("PlayJ", StringComparison.OrdinalIgnoreCase))
|
||||
return $"PlayJ";
|
||||
return "PlayJ";
|
||||
|
||||
return null;
|
||||
}
|
||||
|
||||
@@ -131,7 +131,7 @@ namespace BinaryObjectScanner.Protection
|
||||
{
|
||||
// TODO: Figure out why resources for "RNBOVTMP.DLL", "SENTTEMP.DLL", "SNTI386.DLL", and "SX32W.DL_"/"SX32W.DLL" aren't getting read properly, causing checks for these files to not work.
|
||||
|
||||
var name = exe.FileDescription;
|
||||
string? name = exe.FileDescription;
|
||||
|
||||
// Found in "RNBOVTMP.DLL" in BA entry "Autodesk AutoCAD LT 98 (1998) (CD) [English] [Dutch]".
|
||||
if (name.OptionalEquals("Rainbow Technologies Virtual Device Driver", StringComparison.OrdinalIgnoreCase))
|
||||
|
||||
@@ -18,8 +18,14 @@ namespace BinaryObjectScanner.Protection
|
||||
/// <inheritdoc/>
|
||||
public string? CheckExecutable(string file, PortableExecutable exe, bool includeDebug)
|
||||
{
|
||||
// Get the .data section strings, if they exist
|
||||
var strs = exe.GetFirstSectionStrings(".data");
|
||||
string? name = exe.FileDescription;
|
||||
|
||||
// Found in "RngInterstitial.dll" in the RealArcade installation directory in IA item "Nova_RealArcadeCD_USA".
|
||||
if (name.OptionalContains("RngInterstitial"))
|
||||
return "RealArcade";
|
||||
|
||||
// Get the .data/DATA section strings, if they exist
|
||||
var strs = exe.GetFirstSectionStrings(".data") ?? exe.GetFirstSectionStrings("DATA");
|
||||
if (strs != null)
|
||||
{
|
||||
// Found in "rebound.exe" in the installation directory for "Rebound" in IA item "Nova_RealArcadeCD_USA".
|
||||
@@ -27,11 +33,6 @@ namespace BinaryObjectScanner.Protection
|
||||
return "RealArcade";
|
||||
}
|
||||
|
||||
// Found in "RngInterstitial.dll" in the RealArcade installation directory in IA item "Nova_RealArcadeCD_USA".
|
||||
var name = exe.FileDescription;
|
||||
if (name.OptionalContains("RngInterstitial"))
|
||||
return "RealArcade";
|
||||
|
||||
return null;
|
||||
}
|
||||
|
||||
|
||||
@@ -116,7 +116,7 @@ namespace BinaryObjectScanner.Protection
|
||||
}
|
||||
|
||||
// Alf.dll
|
||||
var name = exe.ProductName;
|
||||
string? name = exe.ProductName;
|
||||
if (name.OptionalEquals("DFA Unlock Dll"))
|
||||
return $"SecuROM DFA Unlock v{exe.GetInternalVersion()}";
|
||||
|
||||
@@ -453,7 +453,7 @@ namespace BinaryObjectScanner.Protection
|
||||
/// </summary>
|
||||
private static string? CheckProductActivation(PortableExecutable exe)
|
||||
{
|
||||
var name = exe.FileDescription;
|
||||
string? name = exe.FileDescription;
|
||||
if (name.OptionalContains("SecuROM PA"))
|
||||
return $"SecuROM Product Activation v{exe.GetInternalVersion()}";
|
||||
|
||||
|
||||
@@ -11,9 +11,11 @@ namespace BinaryObjectScanner.Protection
|
||||
{
|
||||
public string? CheckExecutable(string file, PortableExecutable exe, bool includeDebug)
|
||||
{
|
||||
string? name = exe.InternalName;
|
||||
|
||||
// Only works on stub generated from running the program yourself
|
||||
if (exe.InternalName.OptionalEquals("SmarteSECURE"))
|
||||
return "SmartE";
|
||||
if (name.OptionalEquals("SmarteSECURE"))
|
||||
return "SmartE";
|
||||
|
||||
var sections = exe.SectionTable ?? [];
|
||||
|
||||
|
||||
@@ -16,13 +16,15 @@ namespace BinaryObjectScanner.Protection
|
||||
/// <inheritdoc/>
|
||||
public string? CheckExecutable(string file, PortableExecutable exe, bool includeDebug)
|
||||
{
|
||||
string? name = exe.InternalName;
|
||||
|
||||
// Found in "IALib.DLL" in IA item "TAFSEERVER4SETUP"
|
||||
var name = exe.InternalName;
|
||||
if (name.OptionalEquals("Softlock Protected Application"))
|
||||
return "SoftLock";
|
||||
|
||||
// Found in "IALib.DLL" in IA item "TAFSEERVER4SETUP"
|
||||
name = exe.Comments;
|
||||
|
||||
// Found in "IALib.DLL" in IA item "TAFSEERVER4SETUP"
|
||||
if (name.OptionalEquals("Softlock Protected Application"))
|
||||
return "SoftLock";
|
||||
|
||||
@@ -56,8 +58,8 @@ namespace BinaryObjectScanner.Protection
|
||||
// and dialog boxes. See if any of those are unique to SoftLock.
|
||||
|
||||
// Found in "TafseerVer4.exe" in IA item "TAFSEERVER4SETUP"
|
||||
var strings = exe.GetFirstSectionStrings(".section") ?? [];
|
||||
if (strings.Exists(s => s.Contains("SOFTLOCKPROTECTION")))
|
||||
var strs = exe.GetFirstSectionStrings(".section") ?? [];
|
||||
if (strs.Exists(s => s.Contains("SOFTLOCKPROTECTION")))
|
||||
return "SoftLock";
|
||||
|
||||
// Investigate if the ".section" section is an indicator of SoftLock
|
||||
|
||||
@@ -17,7 +17,8 @@ namespace BinaryObjectScanner.Protection
|
||||
{
|
||||
// TODO: Investigate ".pseudo" section found in "tvdm.dll" in Redump entry 68166.
|
||||
|
||||
var name = exe.FileDescription;
|
||||
string? name = exe.FileDescription;
|
||||
|
||||
if (name.OptionalStartsWith("DVM Library", StringComparison.OrdinalIgnoreCase))
|
||||
return $"SolidShield {exe.GetInternalVersion()}";
|
||||
|
||||
@@ -36,9 +37,9 @@ namespace BinaryObjectScanner.Protection
|
||||
return $"SolidShield {GetInternalVersion(exe)}";
|
||||
|
||||
name = exe.ProductName;
|
||||
|
||||
if (name.OptionalStartsWith("Solidshield Activation Library", StringComparison.OrdinalIgnoreCase))
|
||||
return $"SolidShield Core.dll {exe.GetInternalVersion()}";
|
||||
|
||||
else if (name.OptionalStartsWith("Solidshield Library", StringComparison.OrdinalIgnoreCase))
|
||||
return $"SolidShield Core.dll {exe.GetInternalVersion()}";
|
||||
|
||||
|
||||
@@ -19,9 +19,7 @@ namespace BinaryObjectScanner.Protection
|
||||
/// <inheritdoc/>
|
||||
public string? CheckExecutable(string file, PortableExecutable exe, bool includeDebug)
|
||||
{
|
||||
#region File Description
|
||||
|
||||
var name = exe.FileDescription;
|
||||
string? name = exe.FileDescription;
|
||||
|
||||
// There are some File Description checks that are currently too generic to use.
|
||||
// "Host Library" - Found in "protect.dll" in Redump entry 81756.
|
||||
@@ -30,7 +28,7 @@ namespace BinaryObjectScanner.Protection
|
||||
|
||||
// Found in "sfdrvrem.exe" in Redump entry 102677.
|
||||
if (name.OptionalContains("FrontLine Drivers Removal Tool"))
|
||||
return $"StarForce FrontLine Driver Removal Tool";
|
||||
return "StarForce FrontLine Driver Removal Tool";
|
||||
|
||||
// Found in "protect.exe" in Redump entry 94805.
|
||||
if (name.OptionalContains("FrontLine Protection GUI Application"))
|
||||
@@ -46,27 +44,21 @@ namespace BinaryObjectScanner.Protection
|
||||
|
||||
// TODO: Find a sample of this check.
|
||||
if (name.OptionalContains("Protected Module"))
|
||||
return $"StarForce 5";
|
||||
|
||||
#endregion
|
||||
|
||||
#region Legal Copyright
|
||||
return "StarForce 5";
|
||||
|
||||
name = exe.LegalCopyright;
|
||||
|
||||
if (name.OptionalStartsWith("(c) Protection Technology")) // (c) Protection Technology (StarForce)?
|
||||
return $"StarForce {exe.GetInternalVersion()}";
|
||||
else if (name.OptionalContains("Protection Technology")) // Protection Technology (StarForce)?
|
||||
return $"StarForce {exe.GetInternalVersion()}";
|
||||
|
||||
#endregion
|
||||
|
||||
#region Trade Name
|
||||
name = exe.TradeName;
|
||||
|
||||
// FrontLine ProActive (digital activation), samples:
|
||||
// https://dbox.tools/titles/pc/46450FA4/
|
||||
// https://dbox.tools/titles/pc/4F430FA0/
|
||||
// https://dbox.tools/titles/pc/53450FA1/
|
||||
name = exe.TradeName;
|
||||
if (name.OptionalContains("FL ProActive"))
|
||||
return "FrontLine ProActive";
|
||||
|
||||
@@ -75,10 +67,6 @@ namespace BinaryObjectScanner.Protection
|
||||
if (name.OptionalContains("SF Crypto"))
|
||||
return "StarForce Crypto";
|
||||
|
||||
#endregion
|
||||
|
||||
#region Internal Name
|
||||
|
||||
// TODO: Decide if internal name checks are safe to use.
|
||||
name = exe.InternalName;
|
||||
|
||||
@@ -98,8 +86,6 @@ namespace BinaryObjectScanner.Protection
|
||||
// else if (name.OptionalEquals("protect.exe", StringComparison.Ordinal))
|
||||
// return $"StarForce {Tools.Utilities.GetInternalVersion(exe)}";
|
||||
|
||||
#endregion
|
||||
|
||||
// Check the export name table
|
||||
if (exe.ExportTable?.ExportNameTable?.Strings != null)
|
||||
{
|
||||
|
||||
@@ -11,7 +11,8 @@ namespace BinaryObjectScanner.Protection
|
||||
/// <inheritdoc/>
|
||||
public string? CheckExecutable(string file, PortableExecutable exe, bool includeDebug)
|
||||
{
|
||||
var name = exe.FileDescription;
|
||||
string? name = exe.FileDescription;
|
||||
|
||||
if (name.OptionalContains("Steam Autorun Setup"))
|
||||
return "Steam";
|
||||
else if (name.OptionalContains("Steam Client API"))
|
||||
@@ -22,6 +23,7 @@ namespace BinaryObjectScanner.Protection
|
||||
return "Steam";
|
||||
|
||||
name = exe.ProductName;
|
||||
|
||||
if (name.OptionalContains("Steam Autorun Setup"))
|
||||
return "Steam";
|
||||
else if (name.OptionalContains("Steam Client API"))
|
||||
|
||||
@@ -24,13 +24,15 @@ namespace BinaryObjectScanner.Protection
|
||||
// - TagesClient.exe
|
||||
// - TagesClient.dat (Does not always exist)
|
||||
|
||||
var name = exe.FileDescription;
|
||||
string? name = exe.FileDescription;
|
||||
|
||||
if (name.OptionalStartsWith("TagesSetup", StringComparison.OrdinalIgnoreCase))
|
||||
return $"TAGES Driver Setup {GetVersion(exe)}";
|
||||
else if (name.OptionalStartsWith("Tagès activation client", StringComparison.OrdinalIgnoreCase))
|
||||
return $"TAGES Activation Client {GetVersion(exe)}";
|
||||
|
||||
name = exe.ProductName;
|
||||
|
||||
if (name.OptionalStartsWith("Application TagesSetup", StringComparison.OrdinalIgnoreCase))
|
||||
return $"TAGES Driver Setup {GetVersion(exe)}";
|
||||
else if (name.OptionalStartsWith("T@GES", StringComparison.OrdinalIgnoreCase))
|
||||
|
||||
@@ -10,9 +10,9 @@ namespace BinaryObjectScanner.Protection
|
||||
{
|
||||
// Check the dialog box resources
|
||||
if (exe.FindDialogByTitle("321Studios Activation").Count > 0)
|
||||
return $"321Studios Online Activation";
|
||||
return "321Studios Online Activation";
|
||||
else if (exe.FindDialogByTitle("321Studios Phone Activation").Count > 0)
|
||||
return $"321Studios Online Activation";
|
||||
return "321Studios Online Activation";
|
||||
|
||||
return null;
|
||||
}
|
||||
|
||||
@@ -23,31 +23,36 @@ namespace BinaryObjectScanner.Protection
|
||||
// TODO: Add version number finding
|
||||
// TODO: Come to an agreement as to what the version should be
|
||||
|
||||
string? name = exe.CompanyName;
|
||||
|
||||
// Found in Redump entry 114428
|
||||
// Found in Alpha Protocol -- TODO: Get Redump ID(s)
|
||||
var name = exe.CompanyName;
|
||||
if (name.OptionalStartsWith("Uniloc USA"))
|
||||
return "Uniloc SoftAnchor";
|
||||
|
||||
// Found in Alpha Protocol -- TODO: Get Redump ID(s)
|
||||
name = exe.InternalName;
|
||||
|
||||
// Found in Alpha Protocol -- TODO: Get Redump ID(s)
|
||||
if (name.OptionalStartsWith("saAudit"))
|
||||
return "Uniloc SoftAnchor";
|
||||
|
||||
// Found in Redump entry 114428
|
||||
name = exe.LegalCopyright;
|
||||
|
||||
// Found in Redump entry 114428
|
||||
if (name.OptionalContains("Uniloc"))
|
||||
return "Uniloc SoftAnchor";
|
||||
|
||||
// Found via https://www.pcgamingwiki.com/wiki/Football_Manager_2010
|
||||
name = exe.OriginalFilename;
|
||||
|
||||
// Found via https://www.pcgamingwiki.com/wiki/Football_Manager_2010
|
||||
if (name.OptionalEquals("saAudit.dll"))
|
||||
return "Uniloc SoftAnchor";
|
||||
if (name.OptionalEquals("saui.dll"))
|
||||
return "Uniloc SoftAnchor";
|
||||
|
||||
// Found via https://www.pcgamingwiki.com/wiki/Football_Manager_2010
|
||||
name = exe.ProductName;
|
||||
|
||||
// Found via https://www.pcgamingwiki.com/wiki/Football_Manager_2010
|
||||
if (name.OptionalStartsWith("saAudit"))
|
||||
return "Uniloc SoftAnchor";
|
||||
|
||||
|
||||
@@ -14,7 +14,8 @@ namespace BinaryObjectScanner.Protection
|
||||
/// <inheritdoc/>
|
||||
public string? CheckExecutable(string file, PortableExecutable exe, bool includeDebug)
|
||||
{
|
||||
var name = exe.FileDescription;
|
||||
string? name = exe.FileDescription;
|
||||
|
||||
if (name.OptionalContains("Ubisoft Connect Installer"))
|
||||
return "Uplay / Ubisoft Connect";
|
||||
else if (name.OptionalContains("Ubisoft Connect Service"))
|
||||
@@ -29,9 +30,10 @@ namespace BinaryObjectScanner.Protection
|
||||
return "Uplay / Ubisoft Connect";
|
||||
else if (name.OptionalContains("Uplay launcher"))
|
||||
return "Uplay / Ubisoft Connect";
|
||||
|
||||
name = exe.ProductName;
|
||||
|
||||
// There's also a variant that looks like "Uplay <version> installer"
|
||||
name = exe.ProductName;
|
||||
if (name.OptionalContains("Ubisoft Connect"))
|
||||
return "Uplay / Ubisoft Connect";
|
||||
else if (name.OptionalContains("Uplay"))
|
||||
|
||||
@@ -18,8 +18,9 @@ namespace BinaryObjectScanner.Protection
|
||||
/// <inheritdoc/>
|
||||
public string? CheckExecutable(string file, PortableExecutable exe, bool includeDebug)
|
||||
{
|
||||
string? name = exe.FileDescription;
|
||||
|
||||
// Found on "All That I Am" by Santana (Barcode 8 2876-59773-2 6)
|
||||
var name = exe.FileDescription;
|
||||
if (name.OptionalStartsWith("Windows Media Data Session Licensing Engine", StringComparison.OrdinalIgnoreCase))
|
||||
return "Windows Media Data Session DRM";
|
||||
|
||||
|
||||
@@ -12,15 +12,18 @@ namespace BinaryObjectScanner.Protection
|
||||
/// <inheritdoc/>
|
||||
public string? CheckExecutable(string file, PortableExecutable exe, bool includeDebug)
|
||||
{
|
||||
var name = exe.FileDescription;
|
||||
string? name = exe.FileDescription;
|
||||
|
||||
if (name.OptionalContains("Copy Protection Viewer"))
|
||||
return "WTM Protection Viewer";
|
||||
|
||||
name = exe.LegalTrademarks;
|
||||
|
||||
if (name.OptionalContains("WTM Copy Protection"))
|
||||
return "WTM Protection Viewer";
|
||||
|
||||
name = exe.ProductName;
|
||||
|
||||
if (name.OptionalContains("WTM Copy Protection Viewer"))
|
||||
return "WTM Protection Viewer";
|
||||
|
||||
|
||||
@@ -14,7 +14,7 @@ namespace BinaryObjectScanner.Protection
|
||||
public string? CheckExecutable(string file, PortableExecutable exe, bool includeDebug)
|
||||
{
|
||||
// Get the .rdata section strings, if they exist
|
||||
List<string>? strs = exe.GetFirstSectionStrings(".rdata");
|
||||
var strs = exe.GetFirstSectionStrings(".rdata");
|
||||
if (strs != null)
|
||||
{
|
||||
if (strs.Exists(s => s.Contains("XCP.DAT")))
|
||||
|
||||
Reference in New Issue
Block a user