Add support for C-Dilla protections (#164)

* Fuck C-Dilla

* Add initial detection of C-Dilla LMS/CD-Secure.

* Add a few code comments for Macrovision.

* Update README.

* Reorganize C-Dilla NE Checks

* Reorganize C-Dilla NE Checks.
* Add NE skeleton for C-Dilla and other Macrovision protections.
* Add more detections for CD-Secure 1.

* Let Macrovision return multiple protections

* Let Macrovision return multiple protections.
* Add new C-Dilla and SafeCast checks.

* why is C-Dilla so confusing

* Add additional checks for C-Dilla and SafeCast.

* Add skeleton for NE checks for SafeCast.

* Address PR comments
TheRogueArchivist
2022-11-04 10:31:20 -06:00
committed by GitHub
parent d8ddaccf07
commit e33d6b3a0a
4 changed files with 298 additions and 11 deletions


@@ -2,6 +2,7 @@
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.IO;
using BurnOutSharp.ExecutableType.Microsoft.NE;
using BurnOutSharp.ExecutableType.Microsoft.PE;
using BurnOutSharp.Interfaces;
using BurnOutSharp.Matching;
@@ -23,17 +24,194 @@ namespace BurnOutSharp.ProtectionType
///
/// It seems that C-Dilla License Management System is a newer name for their CD-Secure product, based on this URL (https://web.archive.org/web/20050211004709/http://www.macrovision.com/products/cdsecure/downloads.shtml) leading to a download of LMS.
/// Known versions:
/// 1.31.34 (https://archive.org/details/PCDDec1995).
/// 1.31.34 (1.37.00?) (https://archive.org/details/PCDDec1995).
/// 3.23.000 (https://archive.org/details/3ds-max-4.2original).
/// 3.24.010 (https://archive.org/details/ejay_nestle_trial).
/// 3.27.000 (https://download.autodesk.com/mne/web/support/3dstudio/C-Dilla3.27.zip).
///
/// TODO:
/// Investigate C-Dilla CD-Compress.
/// Find older (pre version 3?) versions of CD-Secure. First known reference: https://web.archive.org/web/19980204101657/http://www.c-dilla.com/press/index94.html
/// Find 2.X versions of CD-Secure/LMS.
/// </summary>
public partial class Macrovision
{
// TODO: Add C-Dilla checks.
/// <inheritdoc/>
public string CDillaCheckNewExecutable(string file, NewExecutable nex, bool includeDebug)
{
// Get the DOS stub from the executable, if possible
var stub = nex?.DOSStubHeader;
if (stub == null)
return null;
// TODO: Implement NE checks for "CDILLA05", "CDILLA10", "CDILLA16", and "CDILLA40".
// TODO: Implement the following NE checks:
// File Description "C-Dilla LMS Uninstaller" in "CdUnin16.exe" from CD-Secure/CD-Compress version 1.31.34.
// File Description "C-Dilla RTS DLL" in "CDILLA05.DLL" from CD-Secure/CD-Compress version 1.31.34.
// File Description "C-Dilla RTS TASK" in "CDILLA10.DLL" from CD-Secure/CD-Compress version 1.31.34.
// File Description "C-Dilla Shell dialogs DLL" in "CDILLA40.DLL" from CD-Secure/CD-Compress version 1.31.34.
// Product Name "C-Dilla License Management System" in "CdUnin16.exe" from CD-Secure/CD-Compress version 1.31.34.
// Product Name "CD-Secure/CD-Compress" in "CDILLA05.DLL"/"CDILLA10.EXE" from CD-Secure/CD-Compress version 1.31.34.
// File Description "16-bit C-Dilla DLL" in "cdilla51.dll" from C-Dilla LMS version 3.24.010.
// File Description "C-Dilla 16-bit DLL" in "CDILLA40.DLL" from C-Dilla LMS version 3.27.000 for Windows 3.1/95/NT (This file specifically is known to report as version 3.15.000).
// File Description "C-Dilla Windows 3.1x RTS" in "CDILLA05.DLL"/"CDILLA10.EXE" from C-Dilla LMS version 3.27.000 for Windows 3.1.
// File Description "C-Dilla Windows 95 RTS" in "CDILLA05.DLL"/"CDILLA10.EXE" from C-Dilla LMS version 3.27.000 for Windows 95.
// File Description "C-Dilla Windows NT RTS" in "CDILLA05.DLL"/"CDILLA10.EXE"/"CDILLA16.EXE" from C-Dilla LMS version 3.27.000 for Windows NT.
// File Description "C-Dilla Windows 16-Bit RTS Installer" in "CdaIns16.dll"/"CdSetup.exe" from C-Dilla LMS version 3.27.000.
return null;
}
internal string CDillaCheckPortableExecutable(string file, PortableExecutable pex, bool includeDebug)
{
// Get the sections from the executable, if possible
var sections = pex?.SectionTable;
if (sections == null)
return null;
// Get the .data section, if it exists
if (pex.DataSectionRaw != null)
{
var matchers = new List<ContentMatchSet>
{
// SOFTWARE\C-Dilla\RTS
// Found in "DJMixStation\DJMixStation.exe" in IA item "ejay_nestle_trial".
new ContentMatchSet(new byte?[] {
0x53, 0x4F, 0x46, 0x54, 0x57, 0x41, 0x52, 0x45,
0x5C, 0x43, 0x2D, 0x44, 0x69, 0x6C, 0x6C, 0x61,
0x5C, 0x52, 0x54, 0x53 }, "C-Dilla License Management System"),
};
string match = MatchUtil.GetFirstMatch(file, pex.DataSectionRaw, matchers, includeDebug);
if (!string.IsNullOrWhiteSpace(match))
return match;
}
string name = pex.FileDescription;
// Found in in "cdilla52.dll" from C-Dilla LMS version 3.24.010.
if (name?.Equals("32-bit C-Dilla DLL", StringComparison.OrdinalIgnoreCase) == true)
return $"C-Dilla License Management System";
// Found in "CdaIns32.dll" and "CdSet32.exe" from version 3.27.000 of C-Dilla LMS.
if (name?.Equals("C-Dilla Windows 32-Bit RTS Installer", StringComparison.OrdinalIgnoreCase) == true)
return $"C-Dilla License Management System Version {pex.ProductVersion}";
// Found in "CDILLA32.DLL"/"CDILLA64.EXE" from C-Dilla LMS version 3.27.000 for Windows 3.1.
if (name?.Equals("C-Dilla Windows 3.1x RTS", StringComparison.OrdinalIgnoreCase) == true)
return $"C-Dilla License Management System Version {pex.ProductVersion}";
// Found in "CDILLA13.DLL"/"CDILLA32.DLL"/"CDILLA64.EXE" from C-Dilla LMS version 3.27.000 for Windows 95.
if (name?.Equals("C-Dilla Windows 95 RTS", StringComparison.OrdinalIgnoreCase) == true)
return $"C-Dilla License Management System Version {pex.ProductVersion}";
// Found in "CDANT.SYS"/"CDILLA13.DLL"/"CDILLA32.DLL"/"CDILLA64.EXE" from C-Dilla LMSversion 3.27.000 for Windows NT.
if (name?.Equals("C-Dilla Windows NT RTS", StringComparison.OrdinalIgnoreCase) == true)
return $"C-Dilla License Management System Version {pex.ProductVersion}";
// Found in "CDANTSRV.EXE" from C-Dilla LMS version 3.27.000 for Windows NT.
if (name?.Equals("C-Dilla RTS Service", StringComparison.OrdinalIgnoreCase) == true)
return $"C-Dilla License Management System Version {pex.ProductVersion}";
name = pex.ProductName;
// Found in "CDANTSRV.EXE" from version 3.27.000 of C-Dilla LMS.
if (name?.Equals("CD-Secure/CD-Compress Windows NT", StringComparison.OrdinalIgnoreCase) == true)
return $"C-Dilla License Management System Version {pex.ProductVersion}";
// Check for CDSHARE/DISAG_SH sections
return null;
}
/// <inheritdoc/>
internal ConcurrentQueue<string> CDillaCheckDirectoryPath(string path, IEnumerable<string> files)
{
var matchers = new List<PathMatchSet>
{
// Found in C-Dilla CD-Secure/CD-Compress 1.31.34.
new PathMatchSet(new PathMatch("CDANT.DLL", useEndsWith: true), "C-Dilla License Management System"),
new PathMatchSet(new PathMatch("CDILLA05.DLL", useEndsWith: true), "C-Dilla License Management System"),
new PathMatchSet(new PathMatch("CDILLA10.EXE", useEndsWith: true), "C-Dilla License Management System"),
new PathMatchSet(new PathMatch("CDILLA40.DLL", useEndsWith: true), "C-Dilla License Management System"),
// Found in C-Dilla LMS version 3.24.010 (IA item "ejay_nestle_trial").
// TODO: Verify that all of these are exclusively part of LMS, and not SafeCast.
new PathMatchSet(new PathMatch("CdaLMS.exe", useEndsWith: true), "C-Dilla License Management System"),
new PathMatchSet(new PathMatch("cdilla51.dll", useEndsWith: true), "C-Dilla License Management System"),
new PathMatchSet(new PathMatch("cdilla52.dll", useEndsWith: true), "C-Dilla License Management System"),
// Found in the installer C-Dilla LMS version 3.27.000.
// The files "CdRemove.exe", "CdSet32.exe", "CdSet32.ini", "CdSetup.exe", "CdSetup.ini", and "CdUnin16.exe" are found there as well, but aren't currently checked for due to possibly being too generic.
// TODO: Add grouped check for "CdRemove.exe", "CdSet32.exe", "CdSet32.ini", "CdSetup.exe", "CdSetup.ini", and "CdUnin16.exe".
new PathMatchSet(new PathMatch("CdaIns16.dll", useEndsWith: true), "C-Dilla License Management System"),
new PathMatchSet(new PathMatch("CdaIns32.dll", useEndsWith: true), "C-Dilla License Management System"),
// Found installed in C-Dilla LMS version 3.27.000 for Windows 3.1.
// The files "CDILLA05.DLL", "CDILLA10.EXE", and "CDILLA40.DLL" are included as well.
// TODO: Check into what file "CDAW31X.38_" gets installed as. I wasn't able to find what it gets installed to.
new PathMatchSet(new PathMatch("CDILLA32.DLL", useEndsWith: true), "C-Dilla License Management System"),
new PathMatchSet(new PathMatch("CDILLA64.EXE", useEndsWith: true), "C-Dilla License Management System"),
// Found installed in C-Dilla LMS version 3.27.000 for Windows 95. All the files installed for Windows 3.1 are also installed for 95.
new PathMatchSet(new PathMatch("CDAINT2F.VXD", useEndsWith: true), "C-Dilla License Management System"),
new PathMatchSet(new PathMatch("CDAWIN95.VXD", useEndsWith: true), "C-Dilla License Management System"),
new PathMatchSet(new PathMatch("CDILLA13.DLL", useEndsWith: true), "C-Dilla License Management System"),
// Found installed in C-Dilla LMS version 3.27.000 for Windows NT. All the files installed for Windows 95 and 3.1 (except for the VXD files) are also installed for NT.
new PathMatchSet(new PathMatch("CDANT.SYS", useEndsWith: true), "C-Dilla License Management System"),
new PathMatchSet(new PathMatch("CDANTSRV.EXE", useEndsWith: true), "C-Dilla License Management System"),
new PathMatchSet(new PathMatch("CDILLA16.EXE", useEndsWith: true), "C-Dilla License Management System"),
};
return MatchUtil.GetAllMatches(files, matchers, any: false);
}
/// <inheritdoc/>
internal string CDillaCheckFilePath(string path)
{
var matchers = new List<PathMatchSet>
{
// Found in C-Dilla CD-Secure/CD-Compress 1.31.34.
new PathMatchSet(new PathMatch("CDANT.DLL", useEndsWith: true), "C-Dilla License Management System"),
new PathMatchSet(new PathMatch("CDILLA05.DLL", useEndsWith: true), "C-Dilla License Management System"),
new PathMatchSet(new PathMatch("CDILLA10.EXE", useEndsWith: true), "C-Dilla License Management System"),
new PathMatchSet(new PathMatch("CDILLA40.DLL", useEndsWith: true), "C-Dilla License Management System"),
// Found in C-Dilla LMS version 3.24.010 (IA item "ejay_nestle_trial").
// TODO: Verify that all of these are exclusively part of LMS, and not SafeCast.
new PathMatchSet(new PathMatch("CdaLMS.exe", useEndsWith: true), "C-Dilla License Management System"),
new PathMatchSet(new PathMatch("cdilla51.dll", useEndsWith: true), "C-Dilla License Management System"),
new PathMatchSet(new PathMatch("cdilla52.dll", useEndsWith: true), "C-Dilla License Management System"),
// Found in the installer C-Dilla LMS version 3.27.000.
// The files "CdRemove.exe", "CdSet32.exe", "CdSet32.ini", "CdSetup.exe", "CdSetup.ini", and "CdUnin16.exe" are found there as well, but aren't currently checked for due to possibly being too generic.
// TODO: Add grouped check for "CdRemove.exe", "CdSet32.exe", "CdSet32.ini", "CdSetup.exe", "CdSetup.ini", and "CdUnin16.exe".
new PathMatchSet(new PathMatch("CdaIns16.dll", useEndsWith: true), "C-Dilla License Management System"),
new PathMatchSet(new PathMatch("CdaIns32.dll", useEndsWith: true), "C-Dilla License Management System"),
// Found installed in C-Dilla LMS version 3.27.000 for Windows 3.1.
// The files "CDILLA05.DLL", "CDILLA10.EXE", and "CDILLA40.DLL" are included as well.
// TODO: Check into what file "CDAW31X.38_" gets installed as. I wasn't able to find what it gets installed to.
new PathMatchSet(new PathMatch("CDILLA32.DLL", useEndsWith: true), "C-Dilla License Management System"),
new PathMatchSet(new PathMatch("CDILLA64.EXE", useEndsWith: true), "C-Dilla License Management System"),
// Found installed in C-Dilla LMS version 3.27.000 for Windows 95. All the files installed for Windows 3.1 are also installed for 95.
new PathMatchSet(new PathMatch("CDAINT2F.VXD", useEndsWith: true), "C-Dilla License Management System"),
new PathMatchSet(new PathMatch("CDAWIN95.VXD", useEndsWith: true), "C-Dilla License Management System"),
new PathMatchSet(new PathMatch("CDILLA13.DLL", useEndsWith: true), "C-Dilla License Management System"),
// Found installed in C-Dilla LMS version 3.27.000 for Windows NT. All the files installed for Windows 95 and 3.1 (except for the VXD files) are also installed for NT.
new PathMatchSet(new PathMatch("CDANT.SYS", useEndsWith: true), "C-Dilla License Management System"),
new PathMatchSet(new PathMatch("CDANTSRV.EXE", useEndsWith: true), "C-Dilla License Management System"),
new PathMatchSet(new PathMatch("CDILLA16.EXE", useEndsWith: true), "C-Dilla License Management System"),
};
return MatchUtil.GetFirstMatch(path, matchers, any: true);
}
}
}
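Review bot: In CDillaCheckPortableExecutable the `.data` match on `SOFTWARE\C-Dilla\RTS` returns the bare name before the FileDescription and ProductName checks run, so a file that carries both the registry string and one of the version-resource strings is reported without its version. Running the version-resource checks first and keeping the content match as the fallback would preserve the more specific result. Separately, `{pex.ProductVersion}` is interpolated unchecked; if that value can be null or empty the reported string ends in `Version ` with nothing after it, so a `string.IsNullOrWhiteSpace(pex.ProductVersion)` guard before appending the suffix is worth adding.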


@@ -2,6 +2,7 @@
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.IO;
using BurnOutSharp.ExecutableType.Microsoft.NE;
using BurnOutSharp.ExecutableType.Microsoft.PE;
using BurnOutSharp.Interfaces;
using BurnOutSharp.Matching;
@@ -33,6 +34,24 @@ namespace BurnOutSharp.ProtectionType
/// </summary>
public partial class Macrovision
{
/// <inheritdoc/>
public string SafeCastCheckNewExecutable(string file, NewExecutable nex, bool includeDebug)
{
// Get the DOS stub from the executable, if possible
var stub = nex?.DOSStubHeader;
if (stub == null)
return null;
// TODO: Implement the following NE checks:
// File Description "CdaC01A" in "cdac01aa.dll" from IA item "ejay_nestle_trial".
// File Description "CdaC01BA" in "cdac01ba.dll" from IA item "ejay_nestle_trial".
// Product name "SafeCas" in "cdac01aa.dll" from IA item "ejay_nestle_trial".
// Product name "SafeCast" in "cdac01ba.dll" from IA item "ejay_nestle_trial".
return null;
}
internal string SafeCastCheckPortableExecutable(string file, PortableExecutable pex, bool includeDebug)
{
// Get the sections from the executable, if possible
@@ -40,6 +59,25 @@ namespace BurnOutSharp.ProtectionType
if (sections == null)
return null;
// Get the .data section, if it exists
if (pex.DataSectionRaw != null)
{
var matchers = new List<ContentMatchSet>
{
// SOFTWARE\C-Dilla\SafeCast
// Found in "DJMixStation\DJMixStation.exe" in IA item "ejay_nestle_trial".
new ContentMatchSet(new byte?[] {
0x53, 0x4F, 0x46, 0x54, 0x57, 0x41, 0x52, 0x45,
0x5C, 0x43, 0x2D, 0x44, 0x69, 0x6C, 0x6C, 0x61,
0x5C, 0x53, 0x61, 0x66, 0x65, 0x43, 0x61, 0x73,
0x74 }, "SafeCast"),
};
string match = MatchUtil.GetFirstMatch(file, pex.DataSectionRaw, matchers, includeDebug);
if (!string.IsNullOrWhiteSpace(match))
return match;
}
string name = pex.FileDescription;
if (name?.Equals("SafeCast2", StringComparison.OrdinalIgnoreCase) == true)
return $"SafeCast";
@@ -54,6 +92,10 @@ namespace BurnOutSharp.ProtectionType
{
var matchers = new List<PathMatchSet>
{
// Found in IA item "ejay_nestle_trial".
new PathMatchSet(new PathMatch("cdac01aa.dll", useEndsWith: true), "SafeCast"),
new PathMatchSet(new PathMatch("cdac01ba.dll", useEndsWith: true), "SafeCast"),
// Found in multiple versions of SafeCast, including Redump entry 83145 and IA item "TurboTax_Deluxe_Tax_Year_2002_for_Wndows_2.00R_Intuit_2002_352282".
new PathMatchSet(new PathMatch("cdac14ba.dll", useEndsWith: true), "SafeCast"),
@@ -72,6 +114,10 @@ namespace BurnOutSharp.ProtectionType
{
var matchers = new List<PathMatchSet>
{
// Found in IA item "ejay_nestle_trial".
new PathMatchSet(new PathMatch("cdac01aa.dll", useEndsWith: true), "SafeCast"),
new PathMatchSet(new PathMatch("cdac01ba.dll", useEndsWith: true), "SafeCast"),
new PathMatchSet(new PathMatch("cdac11ba.exe", useEndsWith: true), "SafeCast"),
// Found in multiple versions of SafeCast, including Redump entry 83145 and IA item "TurboTax_Deluxe_Tax_Year_2002_for_Wndows_2.00R_Intuit_2002_352282".
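Review bot: `cdac11ba.exe` is listed in the second path-matcher hunk but not next to `cdac01aa.dll`/`cdac01ba.dll` in the first, so the two path checks may not recognise the same SafeCast files. Both lists start and end outside the hunks, so the entry could sit elsewhere in the first list; if it does not, add `new PathMatchSet(new PathMatch("cdac11ba.exe", useEndsWith: true), "SafeCast"),` there as well. The two C-Dilla lists in the previous file section are kept as separate hand-written copies in the same way, and building each list once and passing it to both MatchUtil calls would remove this kind of drift.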


@@ -2,6 +2,8 @@
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using BurnOutSharp.ExecutableType.Microsoft.NE;
using BurnOutSharp.ExecutableType.Microsoft.PE;
using BurnOutSharp.Interfaces;
using BurnOutSharp.Matching;
@@ -13,8 +15,34 @@ namespace BurnOutSharp.ProtectionType
/// <summary>
/// This is a placeholder for all Macrovision-based protections. See partial classes for more details
/// </summary>
public partial class Macrovision : IPathCheck, IPortableExecutableCheck
public partial class Macrovision : IPathCheck, INewExecutableCheck, IPortableExecutableCheck
{
/// <inheritdoc/>
public string CheckNewExecutable(string file, NewExecutable nex, bool includeDebug)
{
// Get the DOS stub from the executable, if possible
var stub = nex?.DOSStubHeader;
if (stub == null)
return null;
List<string> resultsList = new List<string>();
// Run C-Dilla NE checks
string cDilla = CDillaCheckNewExecutable(file, nex, includeDebug);
if (!string.IsNullOrWhiteSpace(cDilla))
resultsList.Add(cDilla);
// Run SafeCast NE checks
string safeCast = SafeCastCheckNewExecutable(file, nex, includeDebug);
if (!string.IsNullOrWhiteSpace(safeCast))
resultsList.Add(safeCast);
if (resultsList != null && resultsList.Count > 0)
return string.Join(", ", resultsList);
return null;
}
/// <inheritdoc/>
public string CheckPortableExecutable(string file, PortableExecutable pex, bool includeDebug)
{
@@ -47,20 +75,30 @@ namespace BurnOutSharp.ProtectionType
// Check for specific indications for individual Macrovision protections.
List<string> resultsList = new List<string>();
// Run C-Dilla PE checks
string cDilla = CDillaCheckPortableExecutable(file, pex, includeDebug);
if (!string.IsNullOrWhiteSpace(cDilla))
resultsList.Add(cDilla);
// Run SafeCast PE checks
string safeCast = SafeCastCheckPortableExecutable(file, pex, includeDebug);
if (!string.IsNullOrWhiteSpace(safeCast))
return safeCast;
resultsList.Add(safeCast);
// Run SafeDisc PE checks
string safeDisc = SafeDiscCheckPortableExecutable(file, pex, includeDebug);
if (!string.IsNullOrWhiteSpace(safeDisc))
return safeDisc;
resultsList.Add(safeDisc);
// Run FLEXnet PE checks
string flexnet = FLEXnetCheckPortableExecutable(file, pex, includeDebug);
if (!string.IsNullOrWhiteSpace(flexnet))
return flexnet;
resultsList.Add(flexnet);
if (resultsList != null && resultsList.Count > 0)
return string.Join(", ", resultsList);
return null;
}
@@ -70,13 +108,25 @@ namespace BurnOutSharp.ProtectionType
{
// TODO: Add all common Macrovision directory path checks here
ConcurrentQueue<string> results = new ConcurrentQueue<string>();
// Run C-Dilla directory checks
var cDilla = CDillaCheckDirectoryPath(path, files);
if (cDilla != null && !cDilla.IsEmpty)
results.AddRange(cDilla);
// Run SafeCast directory checks
var safeCast = SafeCastCheckDirectoryPath(path, files);
if (safeCast != null && !safeCast.IsEmpty)
return safeCast;
results.AddRange(safeCast);
// Run SafeDisc directory checks
var safeDisc = SafeDiscCheckDirectoryPath(path, files);
if (safeDisc != null && !safeDisc.IsEmpty)
return safeDisc;
results.AddRange(safeDisc);
if (results != null && results.Count > 0)
return results;
return MatchUtil.GetAllMatches(files, null, any: false);
}
@@ -86,13 +136,25 @@ namespace BurnOutSharp.ProtectionType
{
// TODO: Add all common Macrovision file path checks here
List<string> resultsList = new List<string>();
// Run C-Dilla file checks
string cDilla = CDillaCheckFilePath(path);
if (!string.IsNullOrWhiteSpace(cDilla))
resultsList.Add(cDilla);
// Run SafeCast file checks
string safeCast = SafeCastCheckFilePath(path);
if (!string.IsNullOrWhiteSpace(safeCast))
return safeCast;
resultsList.Add(safeCast);
// Run SafeDisc file checks
string safeDisc = SafeDiscCheckFilePath(path);
if (!string.IsNullOrWhiteSpace(safeDisc))
return safeDisc;
resultsList.Add(safeDisc);
if (resultsList != null && resultsList.Count > 0)
return string.Join(", ", resultsList);
return MatchUtil.GetFirstMatch(path, null, any: true);
}
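Review bot: The `resultsList != null` half of each `if (resultsList != null && resultsList.Count > 0)` guard can never be false, because the list is constructed a few lines above in CheckNewExecutable, CheckPortableExecutable and the file-path check; `if (resultsList.Count > 0)` says the same thing, and likewise for `results` in the directory check. The change also alters what these methods return, several protection names joined by ", " rather than the first hit, and nothing on the methods says so. A comment such as `// May report several Macrovision protections, joined with ", "` above each join would warn callers not to compare the result against a single name. CheckPortableExecutable and the two path checks begin outside the hunks shown.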


@@ -34,6 +34,7 @@ Below is a list of protections detected by BurnOutSharp. The two columns explain
| BD+ | False | True | |
| Bitpool | False | True | |
| ByteShield | False | True | Unconfirmed¹ |
| C-Dilla License Management Solution / CD-Secure / CD-Compress | True | True | |
| Cactus Data Shield | True | True | |
| CD-Cops / DVD-Cops | True | True | Partially unconfirmed² |
| CD-Lock | True | True | |