From ff44c717a2145058f9529560cd206fa819679463 Mon Sep 17 00:00:00 2001 From: Matt Nadareski Date: Fri, 9 Dec 2022 13:55:28 -0800 Subject: [PATCH] Convert Code-Lock to string finding --- BurnOutSharp/ProtectionType/CDSHiELDSE.cs | 1 - .../ProtectionType/ChosenBytesCodeLock.cs | 51 +++++-------------- 2 files changed, 12 insertions(+), 40 deletions(-) diff --git a/BurnOutSharp/ProtectionType/CDSHiELDSE.cs b/BurnOutSharp/ProtectionType/CDSHiELDSE.cs index afe0f1bc..06ee6327 100644 --- a/BurnOutSharp/ProtectionType/CDSHiELDSE.cs +++ b/BurnOutSharp/ProtectionType/CDSHiELDSE.cs @@ -1,7 +1,6 @@ using System.Collections.Generic; using System.Linq; using BurnOutSharp.Interfaces; -using BurnOutSharp.Matching; using BurnOutSharp.Wrappers; namespace BurnOutSharp.ProtectionType diff --git a/BurnOutSharp/ProtectionType/ChosenBytesCodeLock.cs b/BurnOutSharp/ProtectionType/ChosenBytesCodeLock.cs index 501a16d1..1b93b879 100644 --- a/BurnOutSharp/ProtectionType/ChosenBytesCodeLock.cs +++ b/BurnOutSharp/ProtectionType/ChosenBytesCodeLock.cs @@ -1,6 +1,7 @@ using System; using System.Collections.Concurrent; using System.Collections.Generic; +using System.Linq; using BurnOutSharp.Interfaces; using BurnOutSharp.Matching; using BurnOutSharp.Wrappers; @@ -19,30 +20,8 @@ namespace BurnOutSharp.ProtectionType /// Code-Lock FAQ: https://web.archive.org/web/20041205165232/http://www.chosenbytes.com/codefaq.php /// Download (Version 2.35 trial): https://web.archive.org/web/20060220121200/http://www.chosenbytes.com:80/Code-Lock_cnet.zip /// - public class ChosenBytesCodeLock : IContentCheck, IPathCheck, IPortableExecutableCheck + public class ChosenBytesCodeLock : IPathCheck, IPortableExecutableCheck { - /// - public string CheckContents(string file, byte[] fileContent, bool includeDebug) - { - // TODO: Obtain a sample to find where this string is in a typical executable. - if (includeDebug) - { - var contentMatchSets = new List - { - // CODE-LOCK.OCX - new ContentMatchSet(new byte?[] - { - 0x43, 0x4F, 0x44, 0x45, 0x2D, 0x4C, 0x4F, 0x43, - 0x4B, 0x2E, 0x4F, 0x43, 0x58 - }, "ChosenBytes Code-Lock (Unconfirmed - Please report to us on Github)"), - }; - - return MatchUtil.GetFirstMatch(file, fileContent, contentMatchSets, includeDebug); - } - - return null; - } - /// public string CheckPortableExecutable(string file, PortableExecutable pex, bool includeDebug) { @@ -53,28 +32,22 @@ namespace BurnOutSharp.ProtectionType // Found in "Code-Lock.ocx" in Code-Lock version 2.35. // Also worth noting is the File Description for this file, which is "A future for you, a challenge for the rest.". - // This check is currently broken until executable checks are overhauled. string name = pex.ProductName; if (name?.StartsWith("Code-Lock", StringComparison.OrdinalIgnoreCase) == true) return $"ChosenBytes Code-Lock {pex.ProductVersion}"; - // Get the .text section, if it exists - if (pex.ContainsSection(".text")) + // Get the .text section strings, if they exist + List strs = pex.GetFirstSectionStrings(".text"); + if (strs != null) { - var matchers = new List - { - // Found in compiled code examples created with Code-Lock 2.35. - // Code-Lock.ocx - new ContentMatchSet(new byte?[] - { - 0x43, 0x6F, 0x64, 0x65, 0x2D, 0x4C, 0x6F, 0x63, - 0x6B, 0x2E, 0x6F, 0x63, 0x78 - }, "ChosenBytes Code-Lock"), - }; + if (strs.Any(s => s.Contains("CODE-LOCK.OCX"))) + return "ChosenBytes Code-Lock"; - string match = MatchUtil.GetFirstMatch(file, pex.GetFirstSectionData(".text"), matchers, includeDebug); - if (!string.IsNullOrWhiteSpace(match)) - return match; + if (strs.Any(s => s.Contains("Code-Lock.ocx"))) + return "ChosenBytes Code-Lock"; + + if (strs.Any(s => s.Contains("CodeLock.Secure"))) + return "ChosenBytes Code-Lock"; } return null;