using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using BurnOutSharp.ExecutableType.Microsoft.PE;
using BurnOutSharp.Interfaces;
using BurnOutSharp.Matching;
namespace BurnOutSharp.ProtectionType
{
///
/// HexaLock AutoLock was a copy protection scheme that requied users to buy so-called "CD-RX" media that contained a special session pre-burned to it in order to burn their protect media.
/// Sales page for CD-RX media: http://www.image-src.com/services/hexalock.asp
/// Hexalock AutoLock was also able to be used with pressed CD-ROMs (Source: https://web.archive.org/web/20110828214830/http://hexalock.co.il/copyprotection/cdrom).
/// It also allowed you to protect multimedia documents, such as documents or pictures.
/// The official website is now dead, but there are a few archives made (https://web.archive.org/web/20110904233743/http://hexalock.co.il/).
/// There don't appear to be any archives of the "CD-RX" media available, though it appears that some are still for sale on Amazon:
/// https://www.amazon.cn/dp/B000F3RPCI + https://www.amazon.cn/dp/B000F3PJA8
/// CD-RX media makes use of twin sectors as one of the aspects of the formats copy protection (Source: https://twitter.com/RibShark/status/1551660315489730561)
/// These twin sectors are presumably what the Hexalock AutoLock marketing refers to as VDH (Virtual Digital Hologram) (https://web.archive.org/web/20120616004438/http://hexalock.co.il/copyprotection/vdh).
/// It appears that some versions of "Operation Flashpoint" contain Hexaock AutoLock (Source: https://www.cdmediaworld.com/hardware/cdrom/cd_protections_hexalock.shtml).
/// HexaLock AutoLock 4.5 official download archive: https://web.archive.org/web/20070228235538/http://hexalock.com:80/45/alw_45_march_3_2006.exe
/// HexaLock AutoLock 4.7 official download archive: https://web.archive.org/web/20140801060304/http://hexalock.co.il/downloads/files/Psetup.exe
/// There appears to be another form of copy protection created by HexaLock called HexDVDR, but I have not been able to find a copy of it preserved (Source: https://web.archive.org/web/20140801060150/http://hexalock.co.il/news/2008-03-20/).
/// There is an example EXE protected using HexDVDR provided that is still online (https://web.archive.org/web/20140802144000/http://hexalock.co.il/downloads/files/Protected%20Img.zip).
/// Patents relating to this protection:
/// https://patentimages.storage.googleapis.com/64/d6/b1/91127b030d3503/US20060259975A1.pdf
/// https://patentimages.storage.googleapis.com/52/5b/3a/aee21ff4d987e9/US20060123483A1.pdf
/// Special thanks to Ribshark for looking into this protection and sharing his research on the topic!
///
public class HexalockAutoLock : IPathCheck, IPortableExecutableCheck
{
///
public string CheckPortableExecutable(string file, PortableExecutable pex, bool includeDebug)
{
// Get the sections from the executable, if possible
var sections = pex?.SectionTable;
if (sections == null)
return null;
// TODO: Fix the following checks, as this information is visible via Windows Explorer but isn't currently being seen by BOS.
// Found in "HCPSMng.exe".
string name = pex.FileDescription;
if (!string.IsNullOrWhiteSpace(name) && name.StartsWith("HCPS Manager", StringComparison.OrdinalIgnoreCase))
return $"Hexalock AutoLock 4.5";
// Found in the file typically named "Start_Here.exe".
if (!string.IsNullOrWhiteSpace(name) && name.StartsWith("HCPS Loader", StringComparison.OrdinalIgnoreCase))
return $"Hexalock AutoLock 4.5";
// Found in both "HCPSMng.exe" and in the file typically named "Start_Here.exe".
name = pex.ProductName;
if (!string.IsNullOrWhiteSpace(name) && name.StartsWith("HCPS", StringComparison.OrdinalIgnoreCase))
return $"Hexalock AutoLock 4.5";
return null;
}
///
public ConcurrentQueue CheckDirectoryPath(string path, IEnumerable files)
{
var matchers = new List
{
// "Start_Here.exe" is the default name used in HexaLock AutoLock 4.5.
new PathMatchSet(new List
{
new PathMatch("Start_Here.exe", useEndsWith: true),
new PathMatch("MFINT.DLL", useEndsWith: true),
new PathMatch("MFIMP.DLL", useEndsWith: true),
}, "Hexalock AutoLock 4.5"),
// Used for PDF protection in HexaLock AutoLock 4.7. "Start.exe" likely has some internal strings that can be checked.
new PathMatchSet(new List
{
new PathMatch("kleft.ipf", useEndsWith: true),
new PathMatch("ReadPFile.exe", useEndsWith: true),
new PathMatch("Start.exe", useEndsWith: true),
}, "HexaLock AutoLock 4.7 PDF DRM"),
// Should be present in all known versions.
new PathMatchSet(new List
{
new PathMatch("MFINT.DLL", useEndsWith: true),
new PathMatch("MFIMP.DLL", useEndsWith: true),
}, "HexaLock AutoLock"),
// Found inside the file typically named "Start_Here.exe" in version 4.5.
new PathMatchSet(new PathMatch("HCPSMng.exe", useEndsWith: true), "HexaLock AutoLock 4.5"),
};
return MatchUtil.GetAllMatches(files, matchers, any: false);
}
///
public string CheckFilePath(string path)
{
var matchers = new List
{
// Found to be the default name used in HexaLock AutoLock 4.5.
new PathMatchSet(new PathMatch("Start_Here.exe", useEndsWith: true), "HexaLock AutoLock 4.5"),
// Found to be contained in HexaLock AutoLock 4.5 and 4.7.
new PathMatchSet(new PathMatch("MFINT.DLL", useEndsWith: true), "HexaLock AutoLock"),
new PathMatchSet(new PathMatch("MFIMP.DLL", useEndsWith: true), "HexaLock AutoLock"),
// Used for PDF protection in HexaLock AutoLock 4.7.
new PathMatchSet(new PathMatch("kleft.ipf", useEndsWith: true), "HexaLock AutoLock 4.7 PDF DRM"),
new PathMatchSet(new PathMatch("ReadPFile.exe", useEndsWith: true), "HexaLock AutoLock 4.7 PDF DRM"),
// Found inside the file typically named "Start_Here.exe" in version 4.5.
new PathMatchSet(new PathMatch("HCPSMng.exe", useEndsWith: true), "HexaLock AutoLock 4.5"),
};
return MatchUtil.GetFirstMatch(path, matchers, any: true);
}
}
}