SabreTools/BinaryObjectScanner
1
0
Fork 0
mirror of https://github.com/SabreTools/BinaryObjectScanner.git synced 2026-02-10 13:52:16 +00:00
Code Issues 295 Packages Projects Releases 20 Wiki Activity

Merge branch 'master' of https://github.com/mnadareski/BurnOutSharp

Browse Source
This commit is contained in:
Matt Nadareski
2022-12-14 16:48:52 -08:00
parent 386c86f04f 3f5a66f170
commit e8aef1596b
4 changed files with 271 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

84
BurnOutSharp/ProtectionType/Gefest.cs Normal file
View File

@@ -0,0 +1,84 @@
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Linq;
using BurnOutSharp.Interfaces;
using BurnOutSharp.Matching;
using BurnOutSharp.Wrappers;
namespace BurnOutSharp.ProtectionType
{
/// <summary>
/// Gefest Protection System is a completely unknown protection. There is only one known sample (Redump entry 93700), and no useful information online that's been found as of yet.
/// It's unknown if the errors present in the only known sample are a manufacturing error, or if they're related to the protection.
/// Despite this sample supposedly being the "[License Version]", no license key check appears to take place.
/// The sample is protected by a seemingly unrelated packer. Until that packer can be investigated further, here's the infomation that can be found online about it:
/// https://itsafety.net/report/20210912-9edb2d29cbdf1ac7e24fb32d99c1347a-splintercell-exe_general-threat
/// https://xakep.ru/2003/10/06/20015/
/// https://j3qx.wordpress.com/2008/12/20/%D0%BF%D0%B8%D1%80%D0%B0%D1%82%D1%81%D0%BA%D0%B8%D0%B5-%D0%B7%D0%B0%D0%BC%D0%B0%D1%88%D0%BA%D0%B8-%D0%B8%D0%BB%D0%B8-%D0%B7%D0%B0%D1%89%D0%B8%D1%82%D0%B0-%D0%BE%D1%82-7wolf/
/// http://www.imho.ws/showthread.php?t=34225
/// </summary>
public class Gefest : IPathCheck, IPortableExecutableCheck
{
/// <inheritdoc/>
public string CheckPortableExecutable(string file, PortableExecutable pex, bool includeDebug)
{
// Get the sections from the executable, if possible
var sections = pex?.SectionTable;
if (sections == null)
return null;
// Get the HeaderPaddingData, if it exists
if (pex.HeaderPaddingData != null)
{
var matchers = new List<ContentMatchSet>
{
// Found in "FDMASTER.EXE" in Redump entry 93700.
// Gefest Protection System
new ContentMatchSet(new byte?[]
{
0x47, 0x65, 0x66, 0x65, 0x73, 0x74, 0x20, 0x50,
0x72, 0x6F, 0x74, 0x65, 0x63, 0x74, 0x69, 0x6F,
0x6E, 0x20, 0x53, 0x79, 0x73, 0x74, 0x65, 0x6D
}, GetVersion, "Gefest Protection System"),
};
string match = MatchUtil.GetFirstMatch(file, pex.HeaderPaddingData, matchers, includeDebug);
if (!string.IsNullOrWhiteSpace(match))
return match;
}
return null;
}
/// <inheritdoc/>
public ConcurrentQueue<string> CheckDirectoryPath(string path, IEnumerable<string> files)
{
var matchers = new List<PathMatchSet>
{
// Possibly related file "31AD0095.fil" that appears to contain intentional errors found in Redump entry 93700.
};
return MatchUtil.GetAllMatches(files, matchers, any: true);
}
/// <inheritdoc/>
public string CheckFilePath(string path)
{
var matchers = new List<PathMatchSet>
{
// Possibly related file "31AD0095.fil" that appears to contain intentional errors found in Redump entry 93700.
};
return MatchUtil.GetFirstMatch(path, matchers, any: true);
}
public static string GetVersion(string file, byte[] fileContent, List<int> positions)
{
// TODO: Verify that this works properly with other samples. Look at possibly ending the version string at the first 0x20 character.
int position = positions[0];
char[] version = new ArraySegment<byte>(fileContent, position + 25, 30).Select(b => (char)b).ToArray();
return new string(version);
}
}
}

68
BurnOutSharp/ProtectionType/Macrovision.SafeDisc.cs
View File

@@ -115,6 +115,38 @@ namespace BurnOutSharp.ProtectionType
new PathMatchSet(new PathMatch("drvmgt.dll", useEndsWith: true), GetSafeDiscDrvmgtVersion, "SafeDisc"),
new PathMatchSet(new PathMatch("secdrv.sys", useEndsWith: true), GetSafeDiscSecdrvVersion, "SafeDisc Security Driver"),
// The SD0XXX.dll files appear to solely contain custom strings that allowed the publisher to customize the SafeDisc error messages. They are currently only known to be used by EA.
// Each file appears to contain strings for a specific language each.
// There is one non EA game that makes reference to "SD0809.dll", but doesn't include it (IA item "rayman.-raving.-rabbids.-hebrew.-dvd").
// TODO: Add a generic check to detect this type of string that appears to be present in all of these DLLs:
// "d:\DiceCanada\BoosterPack2\Installers\BF2XpackInstaller\Safedisk\SafeDiscDLLs\DLLs\Release\SD0816.pdb" (Redump entry 65569).
// Found in Redump entries 20729 and 65569.
new PathMatchSet(new PathMatch("SD040e.dll", useEndsWith: true), "SafeDisc"),
// Found in Redump entry 65569.
new PathMatchSet(new PathMatch("SD0c0a.dll", useEndsWith: true), "SafeDisc"),
new PathMatchSet(new PathMatch("SD040b.dll", useEndsWith: true), "SafeDisc"),
new PathMatchSet(new PathMatch("SD040c.dll", useEndsWith: true), "SafeDisc"),
new PathMatchSet(new PathMatch("SD041d.dll", useEndsWith: true), "SafeDisc"),
new PathMatchSet(new PathMatch("SD041e.dll", useEndsWith: true), "SafeDisc"),
new PathMatchSet(new PathMatch("SD041e.dll", useEndsWith: true), "SafeDisc"),
new PathMatchSet(new PathMatch("SD0404.dll", useEndsWith: true), "SafeDisc"),
new PathMatchSet(new PathMatch("SD0405.dll", useEndsWith: true), "SafeDisc"),
new PathMatchSet(new PathMatch("SD0406.dll", useEndsWith: true), "SafeDisc"),
new PathMatchSet(new PathMatch("SD0407.dll", useEndsWith: true), "SafeDisc"),
new PathMatchSet(new PathMatch("SD0409.dll", useEndsWith: true), "SafeDisc"),
new PathMatchSet(new PathMatch("SD0410.dll", useEndsWith: true), "SafeDisc"),
new PathMatchSet(new PathMatch("SD0411.dll", useEndsWith: true), "SafeDisc"),
new PathMatchSet(new PathMatch("SD0412.dll", useEndsWith: true), "SafeDisc"),
new PathMatchSet(new PathMatch("SD0413.dll", useEndsWith: true), "SafeDisc"),
new PathMatchSet(new PathMatch("SD0414.dll", useEndsWith: true), "SafeDisc"),
new PathMatchSet(new PathMatch("SD0415.dll", useEndsWith: true), "SafeDisc"),
new PathMatchSet(new PathMatch("SD0416.dll", useEndsWith: true), "SafeDisc"),
new PathMatchSet(new PathMatch("SD0804.dll", useEndsWith: true), "SafeDisc"),
new PathMatchSet(new PathMatch("SD0809.dll", useEndsWith: true), "SafeDisc"),
new PathMatchSet(new PathMatch("SD0816.dll", useEndsWith: true), "SafeDisc"),
// Used to distribute SafeDisc driver updates over the internet. Two distinct versions known to exist, with Microsoft also having distributed the later update as well.
// Version 1: https://web.archive.org/web/20040614184055/http://www.macrovision.com:80/products/safedisc/safedisc.exe
// Version 2: https://web.archive.org/web/20051104123646/http://www.macrovision.com/products/safedisc/safedisc.exe
@@ -125,7 +157,7 @@ namespace BurnOutSharp.ProtectionType
// Name check overmatches with a seemingly completely unrelated application, ironically included on at least one SafeDisc game (Redump entry 34828).
// new PathMatchSet(new PathMatch("mcp.dll", useEndsWith: true), "SafeDisc (Version 1.45.011-1.50.020)"),
// Found in Redump entry 58455.
// Found in Redump entry 58455 and 65569.
// Unknown if it's a game specific file, but it contains the stxt371 and stxt774 sections.
// new PathMatchSet(new PathMatch("CoreDLL.dll", useEndsWith: true), "SafeDisc"),
@@ -158,11 +190,43 @@ namespace BurnOutSharp.ProtectionType
new PathMatchSet(new PathMatch("drvmgt.dll", useEndsWith: true), GetSafeDiscDrvmgtVersion, "SafeDisc"),
new PathMatchSet(new PathMatch("secdrv.sys", useEndsWith: true), GetSafeDiscSecdrvVersion, "SafeDisc Security Driver"),
// The SD0XXX.dll files appear to solely contain custom strings that allowed the publisher to customize the SafeDisc error messages. They are currently only known to be used by EA.
// Each file appears to contain strings for a specific language each.
// There is one non EA game that makes reference to "SD0809.dll", but doesn't include it (IA item "rayman.-raving.-rabbids.-hebrew.-dvd").
// TODO: Add a generic check to detect this type of string that appears to be present in all of these DLLs:
// "d:\DiceCanada\BoosterPack2\Installers\BF2XpackInstaller\Safedisk\SafeDiscDLLs\DLLs\Release\SD0816.pdb" (Redump entry 65569).
// Found in Redump entries 20729 and 65569.
new PathMatchSet(new PathMatch("SD040e.dll", useEndsWith: true), "SafeDisc"),
// Found in Redump entry 65569.
new PathMatchSet(new PathMatch("SD0c0a.dll", useEndsWith: true), "SafeDisc"),
new PathMatchSet(new PathMatch("SD040b.dll", useEndsWith: true), "SafeDisc"),
new PathMatchSet(new PathMatch("SD040c.dll", useEndsWith: true), "SafeDisc"),
new PathMatchSet(new PathMatch("SD041d.dll", useEndsWith: true), "SafeDisc"),
new PathMatchSet(new PathMatch("SD041e.dll", useEndsWith: true), "SafeDisc"),
new PathMatchSet(new PathMatch("SD041e.dll", useEndsWith: true), "SafeDisc"),
new PathMatchSet(new PathMatch("SD0404.dll", useEndsWith: true), "SafeDisc"),
new PathMatchSet(new PathMatch("SD0405.dll", useEndsWith: true), "SafeDisc"),
new PathMatchSet(new PathMatch("SD0406.dll", useEndsWith: true), "SafeDisc"),
new PathMatchSet(new PathMatch("SD0407.dll", useEndsWith: true), "SafeDisc"),
new PathMatchSet(new PathMatch("SD0409.dll", useEndsWith: true), "SafeDisc"),
new PathMatchSet(new PathMatch("SD0410.dll", useEndsWith: true), "SafeDisc"),
new PathMatchSet(new PathMatch("SD0411.dll", useEndsWith: true), "SafeDisc"),
new PathMatchSet(new PathMatch("SD0412.dll", useEndsWith: true), "SafeDisc"),
new PathMatchSet(new PathMatch("SD0413.dll", useEndsWith: true), "SafeDisc"),
new PathMatchSet(new PathMatch("SD0414.dll", useEndsWith: true), "SafeDisc"),
new PathMatchSet(new PathMatch("SD0415.dll", useEndsWith: true), "SafeDisc"),
new PathMatchSet(new PathMatch("SD0416.dll", useEndsWith: true), "SafeDisc"),
new PathMatchSet(new PathMatch("SD0804.dll", useEndsWith: true), "SafeDisc"),
new PathMatchSet(new PathMatch("SD0809.dll", useEndsWith: true), "SafeDisc"),
new PathMatchSet(new PathMatch("SD0816.dll", useEndsWith: true), "SafeDisc"),
// Found in Redump entries 28810 and 30555.
// Name check overmatches with a seemingly completely unrelated application, ironically included on at least one SafeDisc game (Redump entry 34828).
// new PathMatchSet(new PathMatch("mcp.dll", useEndsWith: true), "SafeDisc (Version 1.45.011-1.50.020)"),
// Found in Redump entry 58455.
// Found in Redump entry 58455 and 65569.
// Unknown if it's a game specific file, but it contains the stxt371 and stxt774 sections.
// new PathMatchSet(new PathMatch("CoreDLL.dll", useEndsWith: true), "SafeDisc"),

118
BurnOutSharp/ProtectionType/nProtect.cs Normal file
View File

@@ -0,0 +1,118 @@
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Linq;
using BurnOutSharp.Interfaces;
using BurnOutSharp.Matching;
using BurnOutSharp.Tools;
using BurnOutSharp.Wrappers;
namespace BurnOutSharp.ProtectionType
{
/// <summary>
/// nProtect (AKA INCA Internet) (https://nprotect.com/) is a Korean software company that produces several DRM products.
///
/// nProtect GameGuard (https://nprotect.com/kr/b2b/prod_gg.html) is anti-cheat software used in a fair amount of online games.
/// Partial list of games that use GameGuard: https://en.wikipedia.org/wiki/NProtect_GameGuard.
///
/// nProtect KeyCrypt is an anti-keylogging product that seemingly has other DRM functions as well, such as shutting down processes it deems unnecessary (https://en.wikipedia.org/wiki/INCA_Internet#nProtect_Netizen,_nProtect_Personal,_nProtect_Keycrypt)
/// TODO: Verify the exact functions of KeyCrypt.
///
/// Official sites for KeyCrypt (it is unknown what the difference between them are, as both are still online and active at the same time):
/// https://nprotect.com/kr/b2b/prod_kcv.html
/// https://nprotect.com/kr/b2b/prod_kcv65.html
///
/// Official documents about KeyCrypt:
/// https://nprotect.com/nprotect_pdf/nProtect_KeyCryptV.pdf
/// https://nprotect.com/nprotect_pdf/nProtect_KeyCrypt.pdf
/// </summary>
public class nProtect : IPathCheck, IPortableExecutableCheck
{
// TODO: Add LE checks for "npkcrypt.vxd" in Redump entry 90526.
// TODO: Add text check for the string mentioned in https://github.com/mnadareski/BurnOutSharp/issues/154.
/// <inheritdoc/>
public string CheckPortableExecutable(string file, PortableExecutable pex, bool includeDebug)
{
// Get the sections from the executable, if possible
var sections = pex?.SectionTable;
if (sections == null)
return null;
// TODO: Investigate if there are any viable checks for the game EXE itself.
string name = pex.FileDescription;
// Found in "GameGuard.des" in Redump entry 90526 and 99598.
if (name?.Contains("nProtect GameGuard Launcher") == true)
return $"nProtect GameGuard ({Utilities.GetInternalVersion(pex)})";
// Found in "npkcrypt.dll" in Redump entry 90526.
if (name?.Contains("nProtect KeyCrypt Driver Support Dll") == true)
return $"nProtect KeyCrypt ({Utilities.GetInternalVersion(pex)})";
// Found in "npkcrypt.sys" and "npkcusb.sys" in Redump entry 90526.
if (name?.Contains("nProtect KeyCrypt Driver") == true)
return $"nProtect KeyCrypt ({Utilities.GetInternalVersion(pex)})";
// Found in "npkpdb.dll" in Redump entry 90526.
if (name?.Contains("nProtect KeyCrypt Program Database DLL") == true)
return $"nProtect KeyCrypt ({Utilities.GetInternalVersion(pex)})";
name = pex.ProductName;
// Found in "GameGuard.des" in Redump entry 90526 and 99598.
if (name?.Contains("nProtect GameGuard Launcher") == true)
return $"nProtect GameGuard ({Utilities.GetInternalVersion(pex)})";
// Found in "npkcrypt.dll" in Redump entry 90526.
if (name?.Contains("nProtect KeyCrypt Driver Support Dll") == true)
return $"nProtect KeyCrypt ({Utilities.GetInternalVersion(pex)})";
// Found in "npkcrypt.sys" and "npkcusb.sys" in Redump entry 90526.
if (name?.Contains("nProtect KeyCrypt Driver") == true)
return $"nProtect KeyCrypt ({Utilities.GetInternalVersion(pex)})";
// Found in "npkpdb.dll" in Redump entry 90526.
if (name?.Contains("nProtect KeyCrypt Program Database DLL") == true)
return $"nProtect KeyCrypt ({Utilities.GetInternalVersion(pex)})";
return null;
}
/// <inheritdoc/>
public ConcurrentQueue<string> CheckDirectoryPath(string path, IEnumerable<string> files)
{
var matchers = new List<PathMatchSet>
{
// Found in "MSSetup.exe" in Redump entry 90526 and "mhfSetup_f40_1000.exe" and Redump entry 99598.
new PathMatchSet(new PathMatch("GameGuard.des", useEndsWith: true), "nProtect GameGuard"),
// Found in "MSSetup.exe" in Redump entry 90526.
new PathMatchSet(new PathMatch("npkcrypt.dll", useEndsWith: true), "nProtect KeyCrypt"),
new PathMatchSet(new PathMatch("npkcrypt.sys", useEndsWith: true), "nProtect KeyCrypt"),
new PathMatchSet(new PathMatch("npkcrypt.vxd", useEndsWith: true), "nProtect KeyCrypt"),
new PathMatchSet(new PathMatch("npkcusb.sys", useEndsWith: true), "nProtect KeyCrypt"),
new PathMatchSet(new PathMatch("npkpdb.dll", useEndsWith: true), "nProtect KeyCrypt"),
};
return MatchUtil.GetAllMatches(files, matchers, any: true);
}
/// <inheritdoc/>
public string CheckFilePath(string path)
{
var matchers = new List<PathMatchSet>
{
// Found in "MSSetup.exe" in Redump entry 90526.
new PathMatchSet(new PathMatch("GameGuard.des", useEndsWith: true), "nProtect GameGuard"),
new PathMatchSet(new PathMatch("npkcrypt.dll", useEndsWith: true), "nProtect KeyCrypt"),
new PathMatchSet(new PathMatch("npkcrypt.sys", useEndsWith: true), "nProtect KeyCrypt"),
new PathMatchSet(new PathMatch("npkcrypt.vxd", useEndsWith: true), "nProtect KeyCrypt"),
new PathMatchSet(new PathMatch("npkcusb.sys", useEndsWith: true), "nProtect KeyCrypt"),
new PathMatchSet(new PathMatch("npkpdb.dll", useEndsWith: true), "nProtect KeyCrypt"),
};
return MatchUtil.GetFirstMatch(path, matchers, any: true);
}
}
}

3
README.md
View File

@@ -58,6 +58,7 @@ Below is a list of protections detected by BurnOutSharp. The two columns explain
| Executable-Based Online Registration | True | False | Possibly too broad |
| Freelock | False | True | |
| Games for Windows - Live | True | True | |
| Gefest Protection System | True | False | |
| Hexalock AutoLock | True | True | |
| Impulse Reactor / Stardock Product Activation | True | True | |
| IndyVCD | False | True | Unconfirmed¹ |
@@ -70,6 +71,8 @@ Below is a list of protections detected by BurnOutSharp. The two columns explain
| LaserLok | True | True | |
| MediaCloQ | True | True | |
| MediaMax CD3 | True | True | |
| nProtect GameGuard | True | True | |
| nProtect KeyCrypt | True | True | |
| OpenMG | True | True | |
| Origin | True | True | |
| phenoProtect | False | False | Text file check only |