diff --git a/BurnOutSharp/ProtectionType/Gefest.cs b/BurnOutSharp/ProtectionType/Gefest.cs
new file mode 100644
index 00000000..a1b8b252
--- /dev/null
+++ b/BurnOutSharp/ProtectionType/Gefest.cs
@@ -0,0 +1,84 @@
+using System;
+using System.Collections.Concurrent;
+using System.Collections.Generic;
+using System.Linq;
+using BurnOutSharp.Interfaces;
+using BurnOutSharp.Matching;
+using BurnOutSharp.Wrappers;
+
+namespace BurnOutSharp.ProtectionType
+{
+ ///
+ /// Gefest Protection System is a completely unknown protection. There is only one known sample (Redump entry 93700), and no useful information online that's been found as of yet.
+ /// It's unknown if the errors present in the only known sample are a manufacturing error, or if they're related to the protection.
+ /// Despite this sample supposedly being the "[License Version]", no license key check appears to take place.
+ /// The sample is protected by a seemingly unrelated packer. Until that packer can be investigated further, here's the infomation that can be found online about it:
+ /// https://itsafety.net/report/20210912-9edb2d29cbdf1ac7e24fb32d99c1347a-splintercell-exe_general-threat
+ /// https://xakep.ru/2003/10/06/20015/
+ /// https://j3qx.wordpress.com/2008/12/20/%D0%BF%D0%B8%D1%80%D0%B0%D1%82%D1%81%D0%BA%D0%B8%D0%B5-%D0%B7%D0%B0%D0%BC%D0%B0%D1%88%D0%BA%D0%B8-%D0%B8%D0%BB%D0%B8-%D0%B7%D0%B0%D1%89%D0%B8%D1%82%D0%B0-%D0%BE%D1%82-7wolf/
+ /// http://www.imho.ws/showthread.php?t=34225
+ ///
+ public class Gefest : IPathCheck, IPortableExecutableCheck
+ {
+ ///
+ public string CheckPortableExecutable(string file, PortableExecutable pex, bool includeDebug)
+ {
+ // Get the sections from the executable, if possible
+ var sections = pex?.SectionTable;
+ if (sections == null)
+ return null;
+
+ // Get the HeaderPaddingData, if it exists
+ if (pex.HeaderPaddingData != null)
+ {
+ var matchers = new List
+ {
+ // Found in "FDMASTER.EXE" in Redump entry 93700.
+ // Gefest Protection System
+ new ContentMatchSet(new byte?[]
+ {
+ 0x47, 0x65, 0x66, 0x65, 0x73, 0x74, 0x20, 0x50,
+ 0x72, 0x6F, 0x74, 0x65, 0x63, 0x74, 0x69, 0x6F,
+ 0x6E, 0x20, 0x53, 0x79, 0x73, 0x74, 0x65, 0x6D
+ }, GetVersion, "Gefest Protection System"),
+ };
+
+ string match = MatchUtil.GetFirstMatch(file, pex.HeaderPaddingData, matchers, includeDebug);
+ if (!string.IsNullOrWhiteSpace(match))
+ return match;
+ }
+
+ return null;
+ }
+
+ ///
+ public ConcurrentQueue CheckDirectoryPath(string path, IEnumerable files)
+ {
+ var matchers = new List
+ {
+ // Possibly related file "31AD0095.fil" that appears to contain intentional errors found in Redump entry 93700.
+ };
+
+ return MatchUtil.GetAllMatches(files, matchers, any: true);
+ }
+
+ ///
+ public string CheckFilePath(string path)
+ {
+ var matchers = new List
+ {
+ // Possibly related file "31AD0095.fil" that appears to contain intentional errors found in Redump entry 93700.
+ };
+
+ return MatchUtil.GetFirstMatch(path, matchers, any: true);
+ }
+
+ public static string GetVersion(string file, byte[] fileContent, List positions)
+ {
+ // TODO: Verify that this works properly with other samples. Look at possibly ending the version string at the first 0x20 character.
+ int position = positions[0];
+ char[] version = new ArraySegment(fileContent, position + 25, 30).Select(b => (char)b).ToArray();
+ return new string(version);
+ }
+ }
+}
diff --git a/BurnOutSharp/ProtectionType/Macrovision.SafeDisc.cs b/BurnOutSharp/ProtectionType/Macrovision.SafeDisc.cs
index 97e572aa..c88d962b 100644
--- a/BurnOutSharp/ProtectionType/Macrovision.SafeDisc.cs
+++ b/BurnOutSharp/ProtectionType/Macrovision.SafeDisc.cs
@@ -115,6 +115,38 @@ namespace BurnOutSharp.ProtectionType
new PathMatchSet(new PathMatch("drvmgt.dll", useEndsWith: true), GetSafeDiscDrvmgtVersion, "SafeDisc"),
new PathMatchSet(new PathMatch("secdrv.sys", useEndsWith: true), GetSafeDiscSecdrvVersion, "SafeDisc Security Driver"),
+ // The SD0XXX.dll files appear to solely contain custom strings that allowed the publisher to customize the SafeDisc error messages. They are currently only known to be used by EA.
+ // Each file appears to contain strings for a specific language each.
+ // There is one non EA game that makes reference to "SD0809.dll", but doesn't include it (IA item "rayman.-raving.-rabbids.-hebrew.-dvd").
+ // TODO: Add a generic check to detect this type of string that appears to be present in all of these DLLs:
+ // "d:\DiceCanada\BoosterPack2\Installers\BF2XpackInstaller\Safedisk\SafeDiscDLLs\DLLs\Release\SD0816.pdb" (Redump entry 65569).
+
+ // Found in Redump entries 20729 and 65569.
+ new PathMatchSet(new PathMatch("SD040e.dll", useEndsWith: true), "SafeDisc"),
+
+ // Found in Redump entry 65569.
+ new PathMatchSet(new PathMatch("SD0c0a.dll", useEndsWith: true), "SafeDisc"),
+ new PathMatchSet(new PathMatch("SD040b.dll", useEndsWith: true), "SafeDisc"),
+ new PathMatchSet(new PathMatch("SD040c.dll", useEndsWith: true), "SafeDisc"),
+ new PathMatchSet(new PathMatch("SD041d.dll", useEndsWith: true), "SafeDisc"),
+ new PathMatchSet(new PathMatch("SD041e.dll", useEndsWith: true), "SafeDisc"),
+ new PathMatchSet(new PathMatch("SD041e.dll", useEndsWith: true), "SafeDisc"),
+ new PathMatchSet(new PathMatch("SD0404.dll", useEndsWith: true), "SafeDisc"),
+ new PathMatchSet(new PathMatch("SD0405.dll", useEndsWith: true), "SafeDisc"),
+ new PathMatchSet(new PathMatch("SD0406.dll", useEndsWith: true), "SafeDisc"),
+ new PathMatchSet(new PathMatch("SD0407.dll", useEndsWith: true), "SafeDisc"),
+ new PathMatchSet(new PathMatch("SD0409.dll", useEndsWith: true), "SafeDisc"),
+ new PathMatchSet(new PathMatch("SD0410.dll", useEndsWith: true), "SafeDisc"),
+ new PathMatchSet(new PathMatch("SD0411.dll", useEndsWith: true), "SafeDisc"),
+ new PathMatchSet(new PathMatch("SD0412.dll", useEndsWith: true), "SafeDisc"),
+ new PathMatchSet(new PathMatch("SD0413.dll", useEndsWith: true), "SafeDisc"),
+ new PathMatchSet(new PathMatch("SD0414.dll", useEndsWith: true), "SafeDisc"),
+ new PathMatchSet(new PathMatch("SD0415.dll", useEndsWith: true), "SafeDisc"),
+ new PathMatchSet(new PathMatch("SD0416.dll", useEndsWith: true), "SafeDisc"),
+ new PathMatchSet(new PathMatch("SD0804.dll", useEndsWith: true), "SafeDisc"),
+ new PathMatchSet(new PathMatch("SD0809.dll", useEndsWith: true), "SafeDisc"),
+ new PathMatchSet(new PathMatch("SD0816.dll", useEndsWith: true), "SafeDisc"),
+
// Used to distribute SafeDisc driver updates over the internet. Two distinct versions known to exist, with Microsoft also having distributed the later update as well.
// Version 1: https://web.archive.org/web/20040614184055/http://www.macrovision.com:80/products/safedisc/safedisc.exe
// Version 2: https://web.archive.org/web/20051104123646/http://www.macrovision.com/products/safedisc/safedisc.exe
@@ -125,7 +157,7 @@ namespace BurnOutSharp.ProtectionType
// Name check overmatches with a seemingly completely unrelated application, ironically included on at least one SafeDisc game (Redump entry 34828).
// new PathMatchSet(new PathMatch("mcp.dll", useEndsWith: true), "SafeDisc (Version 1.45.011-1.50.020)"),
- // Found in Redump entry 58455.
+ // Found in Redump entry 58455 and 65569.
// Unknown if it's a game specific file, but it contains the stxt371 and stxt774 sections.
// new PathMatchSet(new PathMatch("CoreDLL.dll", useEndsWith: true), "SafeDisc"),
@@ -158,11 +190,43 @@ namespace BurnOutSharp.ProtectionType
new PathMatchSet(new PathMatch("drvmgt.dll", useEndsWith: true), GetSafeDiscDrvmgtVersion, "SafeDisc"),
new PathMatchSet(new PathMatch("secdrv.sys", useEndsWith: true), GetSafeDiscSecdrvVersion, "SafeDisc Security Driver"),
+ // The SD0XXX.dll files appear to solely contain custom strings that allowed the publisher to customize the SafeDisc error messages. They are currently only known to be used by EA.
+ // Each file appears to contain strings for a specific language each.
+ // There is one non EA game that makes reference to "SD0809.dll", but doesn't include it (IA item "rayman.-raving.-rabbids.-hebrew.-dvd").
+ // TODO: Add a generic check to detect this type of string that appears to be present in all of these DLLs:
+ // "d:\DiceCanada\BoosterPack2\Installers\BF2XpackInstaller\Safedisk\SafeDiscDLLs\DLLs\Release\SD0816.pdb" (Redump entry 65569).
+
+ // Found in Redump entries 20729 and 65569.
+ new PathMatchSet(new PathMatch("SD040e.dll", useEndsWith: true), "SafeDisc"),
+
+ // Found in Redump entry 65569.
+ new PathMatchSet(new PathMatch("SD0c0a.dll", useEndsWith: true), "SafeDisc"),
+ new PathMatchSet(new PathMatch("SD040b.dll", useEndsWith: true), "SafeDisc"),
+ new PathMatchSet(new PathMatch("SD040c.dll", useEndsWith: true), "SafeDisc"),
+ new PathMatchSet(new PathMatch("SD041d.dll", useEndsWith: true), "SafeDisc"),
+ new PathMatchSet(new PathMatch("SD041e.dll", useEndsWith: true), "SafeDisc"),
+ new PathMatchSet(new PathMatch("SD041e.dll", useEndsWith: true), "SafeDisc"),
+ new PathMatchSet(new PathMatch("SD0404.dll", useEndsWith: true), "SafeDisc"),
+ new PathMatchSet(new PathMatch("SD0405.dll", useEndsWith: true), "SafeDisc"),
+ new PathMatchSet(new PathMatch("SD0406.dll", useEndsWith: true), "SafeDisc"),
+ new PathMatchSet(new PathMatch("SD0407.dll", useEndsWith: true), "SafeDisc"),
+ new PathMatchSet(new PathMatch("SD0409.dll", useEndsWith: true), "SafeDisc"),
+ new PathMatchSet(new PathMatch("SD0410.dll", useEndsWith: true), "SafeDisc"),
+ new PathMatchSet(new PathMatch("SD0411.dll", useEndsWith: true), "SafeDisc"),
+ new PathMatchSet(new PathMatch("SD0412.dll", useEndsWith: true), "SafeDisc"),
+ new PathMatchSet(new PathMatch("SD0413.dll", useEndsWith: true), "SafeDisc"),
+ new PathMatchSet(new PathMatch("SD0414.dll", useEndsWith: true), "SafeDisc"),
+ new PathMatchSet(new PathMatch("SD0415.dll", useEndsWith: true), "SafeDisc"),
+ new PathMatchSet(new PathMatch("SD0416.dll", useEndsWith: true), "SafeDisc"),
+ new PathMatchSet(new PathMatch("SD0804.dll", useEndsWith: true), "SafeDisc"),
+ new PathMatchSet(new PathMatch("SD0809.dll", useEndsWith: true), "SafeDisc"),
+ new PathMatchSet(new PathMatch("SD0816.dll", useEndsWith: true), "SafeDisc"),
+
// Found in Redump entries 28810 and 30555.
// Name check overmatches with a seemingly completely unrelated application, ironically included on at least one SafeDisc game (Redump entry 34828).
// new PathMatchSet(new PathMatch("mcp.dll", useEndsWith: true), "SafeDisc (Version 1.45.011-1.50.020)"),
- // Found in Redump entry 58455.
+ // Found in Redump entry 58455 and 65569.
// Unknown if it's a game specific file, but it contains the stxt371 and stxt774 sections.
// new PathMatchSet(new PathMatch("CoreDLL.dll", useEndsWith: true), "SafeDisc"),
diff --git a/BurnOutSharp/ProtectionType/nProtect.cs b/BurnOutSharp/ProtectionType/nProtect.cs
new file mode 100644
index 00000000..fc802d13
--- /dev/null
+++ b/BurnOutSharp/ProtectionType/nProtect.cs
@@ -0,0 +1,118 @@
+using System.Collections.Concurrent;
+using System.Collections.Generic;
+using System.Linq;
+using BurnOutSharp.Interfaces;
+using BurnOutSharp.Matching;
+using BurnOutSharp.Tools;
+using BurnOutSharp.Wrappers;
+
+namespace BurnOutSharp.ProtectionType
+{
+ ///
+ /// nProtect (AKA INCA Internet) (https://nprotect.com/) is a Korean software company that produces several DRM products.
+ ///
+ /// nProtect GameGuard (https://nprotect.com/kr/b2b/prod_gg.html) is anti-cheat software used in a fair amount of online games.
+ /// Partial list of games that use GameGuard: https://en.wikipedia.org/wiki/NProtect_GameGuard.
+ ///
+ /// nProtect KeyCrypt is an anti-keylogging product that seemingly has other DRM functions as well, such as shutting down processes it deems unnecessary (https://en.wikipedia.org/wiki/INCA_Internet#nProtect_Netizen,_nProtect_Personal,_nProtect_Keycrypt)
+ /// TODO: Verify the exact functions of KeyCrypt.
+ ///
+ /// Official sites for KeyCrypt (it is unknown what the difference between them are, as both are still online and active at the same time):
+ /// https://nprotect.com/kr/b2b/prod_kcv.html
+ /// https://nprotect.com/kr/b2b/prod_kcv65.html
+ ///
+ /// Official documents about KeyCrypt:
+ /// https://nprotect.com/nprotect_pdf/nProtect_KeyCryptV.pdf
+ /// https://nprotect.com/nprotect_pdf/nProtect_KeyCrypt.pdf
+ ///
+ public class nProtect : IPathCheck, IPortableExecutableCheck
+ {
+ // TODO: Add LE checks for "npkcrypt.vxd" in Redump entry 90526.
+ // TODO: Add text check for the string mentioned in https://github.com/mnadareski/BurnOutSharp/issues/154.
+
+ ///
+ public string CheckPortableExecutable(string file, PortableExecutable pex, bool includeDebug)
+ {
+ // Get the sections from the executable, if possible
+ var sections = pex?.SectionTable;
+ if (sections == null)
+ return null;
+
+ // TODO: Investigate if there are any viable checks for the game EXE itself.
+
+ string name = pex.FileDescription;
+
+ // Found in "GameGuard.des" in Redump entry 90526 and 99598.
+ if (name?.Contains("nProtect GameGuard Launcher") == true)
+ return $"nProtect GameGuard ({Utilities.GetInternalVersion(pex)})";
+
+ // Found in "npkcrypt.dll" in Redump entry 90526.
+ if (name?.Contains("nProtect KeyCrypt Driver Support Dll") == true)
+ return $"nProtect KeyCrypt ({Utilities.GetInternalVersion(pex)})";
+
+ // Found in "npkcrypt.sys" and "npkcusb.sys" in Redump entry 90526.
+ if (name?.Contains("nProtect KeyCrypt Driver") == true)
+ return $"nProtect KeyCrypt ({Utilities.GetInternalVersion(pex)})";
+
+ // Found in "npkpdb.dll" in Redump entry 90526.
+ if (name?.Contains("nProtect KeyCrypt Program Database DLL") == true)
+ return $"nProtect KeyCrypt ({Utilities.GetInternalVersion(pex)})";
+
+ name = pex.ProductName;
+
+ // Found in "GameGuard.des" in Redump entry 90526 and 99598.
+ if (name?.Contains("nProtect GameGuard Launcher") == true)
+ return $"nProtect GameGuard ({Utilities.GetInternalVersion(pex)})";
+
+ // Found in "npkcrypt.dll" in Redump entry 90526.
+ if (name?.Contains("nProtect KeyCrypt Driver Support Dll") == true)
+ return $"nProtect KeyCrypt ({Utilities.GetInternalVersion(pex)})";
+
+ // Found in "npkcrypt.sys" and "npkcusb.sys" in Redump entry 90526.
+ if (name?.Contains("nProtect KeyCrypt Driver") == true)
+ return $"nProtect KeyCrypt ({Utilities.GetInternalVersion(pex)})";
+
+ // Found in "npkpdb.dll" in Redump entry 90526.
+ if (name?.Contains("nProtect KeyCrypt Program Database DLL") == true)
+ return $"nProtect KeyCrypt ({Utilities.GetInternalVersion(pex)})";
+
+ return null;
+ }
+
+ ///
+ public ConcurrentQueue CheckDirectoryPath(string path, IEnumerable files)
+ {
+ var matchers = new List
+ {
+ // Found in "MSSetup.exe" in Redump entry 90526 and "mhfSetup_f40_1000.exe" and Redump entry 99598.
+ new PathMatchSet(new PathMatch("GameGuard.des", useEndsWith: true), "nProtect GameGuard"),
+
+ // Found in "MSSetup.exe" in Redump entry 90526.
+ new PathMatchSet(new PathMatch("npkcrypt.dll", useEndsWith: true), "nProtect KeyCrypt"),
+ new PathMatchSet(new PathMatch("npkcrypt.sys", useEndsWith: true), "nProtect KeyCrypt"),
+ new PathMatchSet(new PathMatch("npkcrypt.vxd", useEndsWith: true), "nProtect KeyCrypt"),
+ new PathMatchSet(new PathMatch("npkcusb.sys", useEndsWith: true), "nProtect KeyCrypt"),
+ new PathMatchSet(new PathMatch("npkpdb.dll", useEndsWith: true), "nProtect KeyCrypt"),
+ };
+
+ return MatchUtil.GetAllMatches(files, matchers, any: true);
+ }
+
+ ///
+ public string CheckFilePath(string path)
+ {
+ var matchers = new List
+ {
+ // Found in "MSSetup.exe" in Redump entry 90526.
+ new PathMatchSet(new PathMatch("GameGuard.des", useEndsWith: true), "nProtect GameGuard"),
+ new PathMatchSet(new PathMatch("npkcrypt.dll", useEndsWith: true), "nProtect KeyCrypt"),
+ new PathMatchSet(new PathMatch("npkcrypt.sys", useEndsWith: true), "nProtect KeyCrypt"),
+ new PathMatchSet(new PathMatch("npkcrypt.vxd", useEndsWith: true), "nProtect KeyCrypt"),
+ new PathMatchSet(new PathMatch("npkcusb.sys", useEndsWith: true), "nProtect KeyCrypt"),
+ new PathMatchSet(new PathMatch("npkpdb.dll", useEndsWith: true), "nProtect KeyCrypt"),
+ };
+
+ return MatchUtil.GetFirstMatch(path, matchers, any: true);
+ }
+ }
+}
diff --git a/README.md b/README.md
index 55801df5..d01ae191 100644
--- a/README.md
+++ b/README.md
@@ -58,6 +58,7 @@ Below is a list of protections detected by BurnOutSharp. The two columns explain
| Executable-Based Online Registration | True | False | Possibly too broad |
| Freelock | False | True | |
| Games for Windows - Live | True | True | |
+| Gefest Protection System | True | False | |
| Hexalock AutoLock | True | True | |
| Impulse Reactor / Stardock Product Activation | True | True | |
| IndyVCD | False | True | Unconfirmed¹ |
@@ -70,6 +71,8 @@ Below is a list of protections detected by BurnOutSharp. The two columns explain
| LaserLok | True | True | |
| MediaCloQ | True | True | |
| MediaMax CD3 | True | True | |
+| nProtect GameGuard | True | True | |
+| nProtect KeyCrypt | True | True | |
| OpenMG | True | True | |
| Origin | True | True | |
| phenoProtect | False | False | Text file check only |