SabreTools/BinaryObjectScanner
1
0
Fork 0
mirror of https://github.com/SabreTools/BinaryObjectScanner.git synced 2026-02-11 05:35:15 +00:00
Code Issues 295 Packages Projects Releases 20 Wiki Activity
Files
4ff4c2afefe6abbf92bab7b6fc52c36b60c8d558
BinaryObjectScanner/BinaryObjectScanner.Protection/Gefest.cs
Matt Nadareski e118418a23 Move protection scans to their own library 
This change also removes a couple of things from `BurnOutSharp.Tools.Utilities` that are no longer needed there. Linear executables are included in the scanning classes. Update the guides accordingly.
2023-03-09 23:19:27 -05:00

70 lines
3.0 KiB
C#
Raw Blame History

using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Linq;
using BinaryObjectScanner.Interfaces;
using BinaryObjectScanner.Matching;
using BinaryObjectScanner.Wrappers;
namespace BinaryObjectScanner.Protection
{
/// <summary>
/// Gefest Protection System is a completely unknown protection. There is only one known sample (Redump entry 93700), and no useful information online that's been found as of yet.
/// It's unknown if the errors present in the only known sample are a manufacturing error, or if they're related to the protection.
/// Despite this sample supposedly being the "[License Version]", no license key check appears to take place.
/// The sample is protected by a seemingly unrelated packer. Until that packer can be investigated further, here's the infomation that can be found online about it:
/// https://itsafety.net/report/20210912-9edb2d29cbdf1ac7e24fb32d99c1347a-splintercell-exe_general-threat
/// https://xakep.ru/2003/10/06/20015/
/// https://j3qx.wordpress.com/2008/12/20/%D0%BF%D0%B8%D1%80%D0%B0%D1%82%D1%81%D0%BA%D0%B8%D0%B5-%D0%B7%D0%B0%D0%BC%D0%B0%D1%88%D0%BA%D0%B8-%D0%B8%D0%BB%D0%B8-%D0%B7%D0%B0%D1%89%D0%B8%D1%82%D0%B0-%D0%BE%D1%82-7wolf/
/// http://www.imho.ws/showthread.php?t=34225
/// </summary>
public class Gefest : IPathCheck, IPortableExecutableCheck
{
/// <inheritdoc/>
public string CheckPortableExecutable(string file, PortableExecutable pex, bool includeDebug)
{
// Get the sections from the executable, if possible
var sections = pex?.SectionTable;
if (sections == null)
return null;
// Get the header padding strings, if it exists
if (pex.HeaderPaddingStrings != null)
{
string match = pex.HeaderPaddingStrings.FirstOrDefault(s => s.Contains("Gefest Protection System"));
if (match != null)
return $"Gefest Protection System {GetVersion(match)}";
}
return null;
}
/// <inheritdoc/>
public ConcurrentQueue<string> CheckDirectoryPath(string path, IEnumerable<string> files)
{
var matchers = new List<PathMatchSet>
{
// Possibly related file "31AD0095.fil" that appears to contain intentional errors found in Redump entry 93700.
};
return MatchUtil.GetAllMatches(files, matchers, any: true);
}
/// <inheritdoc/>
public string CheckFilePath(string path)
{
var matchers = new List<PathMatchSet>
{
// Possibly related file "31AD0095.fil" that appears to contain intentional errors found in Redump entry 93700.
};
return MatchUtil.GetFirstMatch(path, matchers, any: true);
}
private static string GetVersion(string match)
{
match = match.Trim('*').Trim();
return match.Substring("Gefest Protection System ".Length);
}
}
}
Reference in New Issue View Git Blame Copy Permalink