SabreTools/BinaryObjectScanner
1
0
Fork 0
mirror of https://github.com/SabreTools/BinaryObjectScanner.git synced 2026-02-09 21:32:11 +00:00
Code Issues 295 Packages Projects Releases 20 Wiki Activity
Files
e920bfc69ce283de0e8a360554fa9dd62a75ede1
BinaryObjectScanner/BinaryObjectScanner.Protection/Themida.cs
Matt Nadareski e118418a23 Move protection scans to their own library 
This change also removes a couple of things from `BurnOutSharp.Tools.Utilities` that are no longer needed there. Linear executables are included in the scanning classes. Update the guides accordingly.
2023-03-09 23:19:27 -05:00

50 lines
2.5 KiB
C#
Raw Blame History

using System.Collections.Generic;
using System.Linq;
using BinaryObjectScanner.Interfaces;
using BinaryObjectScanner.Wrappers;
namespace BinaryObjectScanner.Protection
{
/// <summary>
/// Protection created by Oreans and in use since at least before 2009. Known to be used in Book/Music Collector (http://www.alwinhoogerdijk.com/2009/12/24/protecting-software-with-themida/).
/// May possibly be used in the PC release of Dynasty Warriors 7 with Xtreme Legends (https://www.pcgamingwiki.com/wiki/Dynasty_Warriors_7_with_Xtreme_Legends).
/// Themida/WinLicense/"Code Virtualize" seem to all be interconnected/related to each other, or are all at least part of the SecureEngine suite together (https://www.oreans.com/products.php).
///
/// Versions:
/// 1.8x - 1.9x (Detect-It-Easy): ArcSoft TotalMedia 3 (http://downloads.fyxm.net/ArcSoft-TotalMedia-23085.html / https://web.archive.org/web/20221114042838/http://files.fyxm.net/23/23085/totalmediatheatre3platinum_retail_tbyb_all.exe).
///
/// Further links and resources:
/// https://github.com/VenTaz/Themidie
/// https://github.com/ergrelet/unlicense
/// https://github.com/horsicq/Detect-It-Easy/blob/master/db/PE/Themida.2.sg
///
/// TODO:
/// Add/Confirm detection for WinLicense/"Code Virtualize".
/// Investigate further ArcSoft programs.
/// Investigate PUBG (possibly older versions) (https://www.pcgamingwiki.com/wiki/PUBG:_Battlegrounds).
/// </summary>
public class Themida : IPortableExecutableCheck
{
/// <inheritdoc/>
public string CheckPortableExecutable(string file, PortableExecutable pex, bool includeDebug)
{
// Get the sections from the executable, if possible
var sections = pex?.SectionTable;
if (sections == null)
return null;
// Get the "Arcsoft " section strings, if they exist
List<string> strs = pex.GetFirstSectionStrings("Arcsoft ");
if (strs != null)
{
// Found in "uDigital Theatre.exe" in http://downloads.fyxm.net/ArcSoft-TotalMedia-23085.html (https://web.archive.org/web/20221114042838/http://files.fyxm.net/23/23085/totalmediatheatre3platinum_retail_tbyb_all.exe).
// TODO: Investigate "uDRMCheck.dll" in the same product to see if it's related to Themida, or if it's a different form of DRM.
if (strs.Any(s => s.Contains("Themida")))
return "Themida";
}
return null;
}
}
}
Reference in New Issue View Git Blame Copy Permalink