MarcElBichon, 12-25-2014, 06:05
ProtectionID v6.6.7

Note: There is currently 1 false positive 'hit' from Microsoft. I will try and contact them to get this
whitelisted, but there is a high probability (like on the Halloween release) that other
antiviruses will jump on the bandwagon and blacklist the file again shortly after release.

The only current 'solution' is to whitelist / exclude the folder you put ProtectionID into.

* updated - update system has been tweaked to work with the new file URL format (direct links won't work anymore)
- this does mean that older versions won't be able to update to the latest version, but that's
not really fixable unfortunately and I'll put information about this on the homepage
* bugfix - bugfix in the .NET core scanner: I rounded pointers instead of the actual length value. It was quite
an obscure bug as it worked on all the exes I tested before, but Hookahice found one exe
in the 24th October beta release, and I didn't get the info until after the public Halloween
release, so I've added the fix in now (thanks Hookahice)
* tweak - msi / cab scanning reports to the status window now (cosmetic)
* new - added detection for epic games unreal development kit udk installers
* new - added fnv32 to hashing function list
* tweak - file hashing reports the time taken to complete the hashing, the count of hashing functions executed
and bytes / sec (not sure how accurate that is though, and in some cases it'll show 0 bytes / sec
simply because the hashing took less than a second)
* new - added in data directory processing report (it's in the configuration settings, and is disabled by default)
Scan configuration -> Show Data Directory Info (items reported in lower case mean they are present
but have either no size or no VA)
* new - added in Sentinel LDK detection, thanks to whoever posted the output log on pastebin, which helped me
to add this in (might have been easier though if you emailed me with a URL) as it was a lucky
* new - added in timedatestamp review (idea was from this)
so I wrote a function for it (still work in progress)
* new - added in some new detections (work in progress)
* tweak - some more cosmetic output fixes
* new - added in fuzzy detection for a new protector (work in progress) (denuvo)
* tweak - steam api usage detection tweaked (mostly for x64 targets)
* tweak - ads (ntfs data streams) processing can now report the internet zone setting for the file
(if for example, it was downloaded) - this setting is in the configuration options
(and is disabled by default) - you would also need to enable the
'(ADS) Show ntfs stream info (if present)' setting as they are paired
* tweak - some cosmetic alterations on text and configuration settings
* tweak - .net stream names are now reported
* tweak - neolite detection got tweaked, one crap signature removed and code sped up a lot
* tweak - version info reporting now checks the buffer for white space and if the buffer is just
spaces or blank / empty then the output is suppressed
* update - .net core detections increased -> agiledotnetrt, eazfuscator, cryptoobfuscator, dotfuscator
* update - version info - reporting of version info vs_fixedfile info stuff (work in progress)
* update - .net core can report entropy of the #Strings (ansi) and #US (unicode) stream(s) (if present)
- this is in the configuration setting and is disabled by default
* new - added in detection for ubisoft 'ubx' packer
* update - pespin x64 detection updated
* update - yummy gameshield detection updated (thx CrAaAzzzyy)
* bugfix - appended data / overlay offset calculation had a bug on some rare exes where the last section
physical size was greater than the virtual size, which threw off the calculation..
it's also assumed that no overlay data can exist after the digital signature (if present)
as that would break the signature...
* new - pretty experimental (ie: not tested a lot) ssdeep hashing code added into the choices for file hashing
(check the configuration settings)
* tweak - Windows 10 current preview builds recognised for the latest versions (Windows Defender still doesn't
like ProtectionID, so you'll have to add it to the exclusion lists for the meantime)..
* coming - taggant v2 support as/when I see some live samples to work from
* cosmetic - copyright year adjusted to 2015 (not having that old issue happen again)
* bugfix - bugfix / sanity check added in the crypto scanner, license scanner, and cdkey and serial functions,
I was sent some badly damaged executables from hypn0 (thanks), which reproduced the bugs
and allowed a relatively easy fix.. very much appreciated, as they were relatively obscure
* update - new setting - report all section entropies added, it's off by default; if you enable it, it will report
the entropy for each section present in the scanned file.. this can obviously cause a slowdown
in the scanning, which is why I defaulted to make it disabled..
* bugfix - bugfix in reporting the version fixed file info..a register got trashed and should have been preserved
it is now.. thanks again to hypn0 - definitely getting his bugfinder achievement this month
* fix - some buffers were not always wiped, leading to crap output.. now fixed
* bugfix - installer_rtpatch_scan had a misbalanced stack (typo bug I think), which sometimes led to a register
mismatch messagebox.. (thanks hypn0)
* bugfix - fixed bug in zipworx_scan which could lead to a crash (thanks hypn0)
* bugfix - fixed bug in hmimys_scan scan (thanks hypn0)
* bugfix - fixed bug in ea access scan that could lead to a crash (thanks hypn0)
* bugfix - sanity / range check added to imphash code.. (thanks hypn0)
* bugfix - fix in digital signature processing where a serial wasn't present
* bugfix - fixed bug in nullsoft installer scan (thanks hypn0)
* bugfix - installer_gkwaresfx_scan had a bug where edx and ecx weren't preserved, leading to a 'register mismatch'
messagebox if detected (thanks hypn0)
* bugfix - range / sanity check added into safedisc scan code (thanks hypn0)
* bugfix - range / sanity check added into solidshield scan code (thanks hypn0)
* added - launch4j detection (also has extra info if you enabled that in the configuration) - have fun Chester Fritz
* tweak - revised code for appended data size and offset calculation.. need to monitor this one
* update - pecompact detection updated, it now reports the internal version of the protection (thanks for the files hypn0)
* bugfix - internal file version core could crash if the version info data size was incorrect (we use an internal routine
to calculate the size if the Windows API fails.. which happens sometimes).. this was a very rare and obscure
bug (hard to replicate) - thanks to hypn0 I found and patched it (successfully I hope)
* bugfix - added some range checking in the convert_* functions, as a crash could occur in some very damaged files (very rare)
* bugfix - check_gamehouse.asm had some range checking added, as it'd crash on particularly malformed files..
* bugfix - check_upx.asm had some range checking added, as it'd crash on particularly malformed files

Last edited by MarcElBichon; 12-25-2014 at 06:18.
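The appended-data / overlay calculation discussed in the bugfix notes above (overlay start taken from the raw section end, not the virtual size, and the certificate table sitting inside the overlay), as an added Python example that is not ProtectionID's own code. The PE it parses is a minimal image constructed inline for the demonstration.

```python
import struct

SECTION_HDR = struct.Struct("<8s6I2HI")  # IMAGE_SECTION_HEADER, 40 bytes

def overlay_info(pe: bytes) -> dict:
    """Locate appended data (the overlay) in a PE image.

    The overlay starts at the highest raw end (PointerToRawData + SizeOfRawData)
    of any section. Only the physical size counts: VirtualSize is an in-memory
    figure, so a section whose raw size exceeds its virtual size must not move
    the result. If an Authenticode certificate table is present it lives inside
    the overlay, and bytes stored after it fall outside the signed range.
    """
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect, opt_size = struct.unpack_from("<H12xH", pe, e_lfanew + 6)
    opt = e_lfanew + 24                                  # IMAGE_OPTIONAL_HEADER
    magic, = struct.unpack_from("<H", pe, opt)
    # Data directories start at +96 (PE32) or +112 (PE32+); SECURITY is entry 4.
    cert_off, cert_size = struct.unpack_from(
        "<II", pe, opt + (112 if magic == 0x20B else 96) + 4 * 8)
    sect_table = opt + opt_size
    end = sect_table + nsect * SECTION_HDR.size          # fallback: end of headers
    for i in range(nsect):
        hdr = SECTION_HDR.unpack_from(pe, sect_table + i * SECTION_HDR.size)
        raw_size, raw_ptr = hdr[3], hdr[4]               # SizeOfRawData, PointerToRawData
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    after_sig = len(pe) - (cert_off + cert_size) if cert_size else None
    return {"overlay_offset": end, "overlay_size": max(0, len(pe) - end),
            "cert_offset": cert_off, "cert_size": cert_size,
            "after_signature": after_sig}

def build_sample_pe(virtual_size: int, raw_size: int, overlay: bytes,
                    cert_size: int = 0) -> bytes:
    """Constructed single-section PE32 for the demo; not a real executable."""
    raw_ptr = 0x200
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)                # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    if cert_size:  # certificate table placed at the start of the overlay
        struct.pack_into("<II", opt, 128, raw_ptr + raw_size, cert_size)
    sect = SECTION_HDR.pack(b".text", virtual_size, 0x1000, raw_size, raw_ptr,
                            0, 0, 0, 0, 0x60000020)
    return (dos + coff + opt + sect).ljust(raw_ptr, b"\0") + bytes(raw_size) + overlay
```

With raw size 0x400 and virtual size 0x100 (the case the bugfix describes) the overlay still starts at 0x600, and any bytes after the certificate table are reported separately.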