Steps to remove(?) cd/dvd-cops content check #196

Closed
opened 2026-01-29 21:07:03 +00:00 by claunia · 1 comment

Originally created by @HeroponRikiBestest on GitHub (May 11, 2025).

I'm going to make a PR for this, but I'm opening this issue because I need to know a few things before I do. I'm specifically referring to this section:

```cs
public class CDDVDCops : IContentCheck, IExecutableCheck<NewExecutable>, IExecutableCheck<PortableExecutable>, IPathCheck
{
    // TODO: Investigate reference to "CD32COPS.DLL" in "WETFLIPP.QZ_" in IA item "[redacted]".
    /// <inheritdoc/>
    public string? CheckContents(string file, byte[] fileContent, bool includeDebug)
    {
        // TODO: Obtain a sample to find where this string is in a typical executable
        var contentMatchSets = new List<ContentMatchSet>
        {
            // TODO: Remove from here once it's confirmed that no PE executables contain this string
            // CD-Cops,  ver. 
            new(new byte?[]
            {
                0x43, 0x44, 0x2D, 0x43, 0x6F, 0x70, 0x73, 0x2C,
                0x20, 0x20, 0x76, 0x65, 0x72, 0x2E, 0x20
            }, GetVersion, "CD-Cops (Unconfirmed - Please report to us on Github)"),

            // DVD-Cops,  ver. 
            new(new byte?[]
            {
                0x44, 0x56, 0x44, 0x2D, 0x43, 0x6F, 0x70, 0x73,
                0x2C, 0x20, 0x20, 0x76, 0x65, 0x72, 0x2E, 0x20
            }, GetVersion, "DVD-Cops (Unconfirmed - Please report to us on Github)"),
        };

        return MatchUtil.GetFirstMatch(file, fileContent, contentMatchSets, includeDebug);
    }
```

Where it performs an NE/PE content check for `CD-Cops, ver. ` or `DVD-Cops, ver. `.

The questions I have:

  • Is there any way this check would ever be handleable for NE? NE doesn't have sections, so I'm not sure how you avoid a content check
  • Why is that WETFLIPP.QZ_ sample mentioned here? It (or any other files in that sample) doesn't match either byte array.
  • Are there any known samples for this? I have some, but not enough for me to be super confident.
  • Two of my 3 samples are NE DVD-Cops samples. Even with --debug, the second string doesn't match. The issue is that, at least in the samples I have, there's only one space between "," and "ver" and not two. That said, I wouldn't be surprised if there are samples out there that do have two spaces. What's the best way to handle "some arbitrary number of spaces (up to a certain amount?)" for these byte arrays?

Samples, if necessary:
CD-Cops, PE
https://archive.org/details/cover_202501
https://archive.org/download/cover_202501/BTBXXXXX300.iso/setup32%2Fbib.dll

DVD-Cops, NE
https://archive.org/details/der-brockhaus-multimedial-2002-premium
https://archive.org/download/der-brockhaus-multimedial-2002-premium/BMM2002PDVD.iso/Bmm%2FBMM.exe
https://archive.org/details/der-brockhaus-multimedial-2003-premium
https://archive.org/download/der-brockhaus-multimedial-2003-premium/BMM2003PDVD.iso/Bmm%2Fbmm.exe

@mnadareski commented on GitHub (May 11, 2025):

  • Most NE content checks are handled by a full-file read as it is. There are other examples of this and I do not like it. But at least it keeps it constrained to NE-only, which tend to be smaller files. There are technically sections in NE, but much less attention has been put into NE in general due to the prevalence of protections specific to PE.
  • The investigation comment was added in this commit: https://github.com/SabreTools/BinaryObjectScanner/commit/0287284909596747e0fd02bd97fa2ece05a3123c
  • You're running into the exact reason why this content check has lived so long. Much of this file was hearsay.
  • In byte arrays, it's difficult to have "any number of spaces" between. The best are unknown or variable bytes, denoted by null. If you have examples that directly counteract what's here, then an update can be done to update or remove the existing one.
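As an added illustration (not BinaryObjectScanner's own matcher, and not code from either commenter), the following Python sketch shows the two approaches discussed above: a fixed-width wildcard byte, which is the role `null` plays in a `byte?[]`, and a bounded expansion for "some number of spaces, up to a limit". The buffers are constructed to mimic the one-space and two-space layouts, not bytes from any real sample; `version_after` is a stand-in for `GetVersion`.

```python
from typing import Optional, Sequence

# Constructed sample buffers, NOT bytes from any real CD-Cops/DVD-Cops binary:
# the version marker with one space (as in the reporter's NE samples) and two.
ONE_SPACE = b"junk\x00DVD-Cops, ver. 1.2\x00tail"
TWO_SPACE = b"junk\x00CD-Cops,  ver. 3.4\x00tail"

# A pattern is a list of byte values; None is a wildcard that matches any one
# byte, the same role `null` plays in a C# byte?[] match array.
Pattern = Sequence[Optional[int]]


def find_pattern(data: bytes, pattern: Pattern) -> int:
    """Offset of the first occurrence of pattern in data, or -1."""
    n = len(pattern)
    for i in range(len(data) - n + 1):
        if all(p is None or data[i + j] == p for j, p in enumerate(pattern)):
            return i
    return -1


def find_variable_spaces(data: bytes, prefix: bytes, suffix: bytes,
                         max_spaces: int = 4) -> tuple[int, int]:
    """Match prefix, then 1..max_spaces spaces, then suffix.

    A wildcard byte has a fixed width, so "any number of spaces" is handled by
    expanding the bounded range into fixed patterns and trying the longest first.
    Returns (offset, spaces_matched) or (-1, 0).
    """
    for k in range(max_spaces, 0, -1):
        off = find_pattern(data, list(prefix + b" " * k + suffix))
        if off != -1:
            return off, k
    return -1, 0


def version_after(data: bytes, offset: int, pattern_len: int) -> str:
    """Read the NUL-terminated text that follows a match (a stand-in for GetVersion)."""
    start = offset + pattern_len
    end = data.find(b"\x00", start)
    return data[start:end if end != -1 else len(data)].decode("ascii", "replace")


if __name__ == "__main__":
    # Fixed-width wildcards cannot absorb the one-space/two-space difference...
    two_wild = list(b"DVD-Cops,") + [None, None] + list(b"ver. ")
    print(find_pattern(ONE_SPACE, two_wild))  # -1
    # ...but a bounded expansion matches both layouts and still yields the version.
    off, k = find_variable_spaces(ONE_SPACE, b"DVD-Cops,", b"ver. ")
    print(off, k, version_after(ONE_SPACE, off, 9 + k + 5))  # 5 1 1.2
```

Expanding into a handful of fixed patterns keeps the match sets as plain byte arrays, which is what the existing `ContentMatchSet` approach already expects; the cap on `max_spaces` bounds the cost of the full-file read on NE inputs.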

Reference: SabreTools/BinaryObjectScanner#196