Exetools

Exetools (https://forum.exetools.com/index.php)
-   Community Tools (https://forum.exetools.com/forumdisplay.php?f=47)
-   -   protection id 6.2.3 released (https://forum.exetools.com/showthread.php?t=12177)

deepzero 10-14-2013 13:13

yes, you can enable it in the settings.

evlncrn8 10-15-2013 04:52

and its off by default now too, the next release (lets say its probably christmas time)... will have a lot of fixes and things that were done (based on feedback) but never went live as the project sort of 'paused' when cdkiller vanished..

cxj98 10-15-2013 09:01

we have plenty of packer detectors, so we feel that's enough for it; we don't need too much bullshit. so whether you plan to release or say no, it's up to you, not important.

evlncrn8 10-15-2013 14:40

i plan a christmas public release like i said, with updated signatures and so on... then the move to pid 7 is planned... if you dont like it, then simply dont download it... its not that difficult

kjms 11-01-2013 16:29

ProtectionID 6.5.5 - halloween public release 31/10/2013

Hi, heres the 6.5.5 public release, a lot of bugfixes and tweaks (incl the win 7 one which i still get emails for), and some new additions,
hopefully you'll like it... the last final version is probably going to be on christmas, where i will add anything missed, and fix any outstanding
bugs, then its a switch to developing pid 7 which will be quite different (and various flavors for people who just want the scanning etc)

so, please send the bug reports in for this version to the usual email address and i'll make sure to include them to the next public release (most likely 24/12/2013)

and as usual, thanks to the beta team and those who supplied files, you helped make protection id what it is today...

cdkiller - if you see this, get in touch please m8

below is the long list of the fixes / updates some were lost but this is about all i can remember doing :)

[virus total results]

https://www.virustotal.com/en-gb/file/58863c3654db45df49444fafde26ef03a2411ba305dee858cd8c9ae36c4ad415/analysis/1383250270/

SHA256: 58863c3654db45df49444fafde26ef03a2411ba305dee858cd8c9ae36c4ad415
File name: protection_id.exe
Detection ratio: 2 / 46
Analysis date: 2013-10-31 20:11:10 UTC ( 0 minutes ago )

* Microsoft VirTool:Win32/Obfuscator.AX
* Bkav HW32.TsCabk.cyiu

both of the detections are false positives...

the microsoft one i've known for a while (windows 8 windows defender blocked protection id during some tests, and i had 1 email about this), so
please add it to be excluded (provided the sha256 hash matches the above one

Bkav i had never heard of until today...

have fun, hope to hear back,
Download: http://pid.gamecopyworld.com/ProtectionId.655.halloween.2013.rar

ollydbg 11-09-2013 22:14

ESET Smart Security doesn't allow me to run it.

evlncrn8 11-10-2013 03:37

strange, eset didnt show a thing in the virus total scan...
so ensure you downloaded it from the proper site (pid.gamecopyworld.com), if so then add an exclusion..

EHS4N 11-14-2013 23:52

i have the same problem with ESET!

BR

RedBlkJck 11-15-2013 01:20

Quote:

Originally Posted by EHS4N (Post 88005)
i have the same problem with ESET!

BR

Try submitting for false positive. Maybe if they see a few req for same exe, they will take more interest to correct it. None of the private beta builds are flagged, just the public release.

MarcElBichon 10-31-2014 15:36

New release:
Quote:

http://pid.gamecopyworld.com/
Quote:

v 6.6.6
i waited 11 years for this version number ;p
core additions / changes
tweaks, updates, fixes etc... oh and moved to masm v14 and linker v14

evlncrn8 11-01-2014 23:06

6.6.7 coming soonish, working on a few updates.. maybe a week or so but i hope you all like v 6.6.6 :)

any bugs, ideas, false positives etc please email me (if its a false positive or something not detected please email me a link to download the file too)...

MarcElBichon 12-25-2014 06:05

ProtectionID v6.6.7
2014-12-24


Changelog:
Quote:

Note: There is currently 1 false positive 'hit' from Microsoft, I will try and contact them to get this
whitelisted, but there is a high probability (like on the halloween release) that other
antiviruses will jump on the bandwagon and blacklist the file again shortly after release.

The only current 'solution' is to whitelist / exclude the folder you put ProtectionID into.

* updated - update system has been tweaked to work with the new file url format (direct links wont work anymore)
- this does mean that older versions wont be able to update to the latest version but thats
not really fixable unfortunately and i'll put information about this on the homepage
* bugfix - bugfix in the .net core scanner, I rounded pointers, instead of the actual length value, was quite
an obscure bug as it worked on all the exe's I tested before, but Hookahice found one exe
in the 24th october beta release, but I didnt get the info until after the public halloween
release, so i've added the fix in now (thanks Hookahice) :)
* tweak - msi / cab scanning reports to the status window now (cosmetic)
* new - added detection for epic games unreal development kit udk installers
* new - added fnv32 to hashing function list
* tweak - file hashing reports the time taken to complete the hashing and the count of hashing functions executed
and bytes / sec (not sure how accurate that is though and in some cases it'll show 0 bytes / sec
simply because the hashing took less than a second)
* new - added in data directory processing report (its in the configuration settings, and is disabled by default)
Scan configuration -> Show Data Directory Info (items reported in lower case mean they are present
but have either no size or no va)
* new - added in sentinel ldk detection, thanks to whoever posted the output log on pastebin, which helped me
to add this in (might have been easier though if you emailed me with a url :) ) as it was a lucky
find..
* new - added in timedatestamp review (idea was from this)
so I wrote a function for it (still work in progress)
* new - added in some new detections (work in progress)
* tweak - some more cosmetic output fixes
* new - added in fuzzy detection for a new protector (work in progress) (denuvo)
* tweak - steam api usage detection tweaked (mostly for x64 targets)
* tweak - ads (ntfs data streams) processing can now report the internet zone setting for the file
(if for example, it was downloaded) - this setting is in the configuration options
(and is disabled by default) - you would also need to enable the
'(ADS) Show ntfs stream info (if present)' setting as they are paired
* tweak - some cosmetic alterations on text and configuration settings
* tweak - .net stream names are now reported
* tweak - neolite detection got tweaked, one crap signature removed and code sped up a lot
* tweak - version info reporting now checks the buffer for white space and if the buffer is just
spaces or blank / empty then the output is suppressed
* update - .net core detections increased -> agiledotnetrt, eazfuscator, cryptoobfuscator, dotfuscator
* update - version info - reporting of version info vs_fixedfile info stuff (work in progress)
* update - .net core can report entropy of the #Strings (ansi) and #US (unicode) stream(s) (if present)
- this is in the configuration setting and is disabled by default
* new - added in detection for ubisoft 'ubx' packer
* update - pespin x64 detection updated
* update - yummy gameshield detection updated (thx CrAaAzzzyy)
* bugfix - appended data / overlay offset calculation had a bug on some rare exe's where the last section
physical size was greater than the virtual size, which threw off the calculation..
its also assumed that no overlay data can exist after the digital signature (if present)
as that would break the signature...
* new - pretty experimental (ie: not tested a lot) ssdeep hashing code added into the choices for file hashing
(check the configuration settings)
* tweak - windows 10 current preview builds recognised for the latest versions (windows defender still doesnt
like ProtectionID, so you'll have to add it to the exclusion lists for the meantime)..
* coming - taggant v2 support as/when I see some live samples to work from
* cosmetic - copyright year adjusted to 2015 (not having that old issue happen again) :)
* bugfix - bugfix / sanity check added in the crypto scanner, license scanner, and cdkey and serial functions,
i was sent some badly damaged executables from hypn0 (thanks), which reproduced the bugs
and allowed a relatively easy fix.. very much appreciated, as they were relatively obscure
* update - new setting - report all section entropies added, its off by default, if you enable it it will report
the entropy for each section present in the scanned file.. this can obviously cause a slowdown
in the scanning which is why I defaulted to make it disabled..
* bugfix - bugfix in reporting the version fixed file info..a register got trashed and should have been preserved
it is now.. thanks again to hypn0 - definitely getting his bugfinder achievement this month :)
* fix - some buffers were not always wiped, leading to crap output.. now fixed
* bugfix - installer_rtpatch_scan had a misbalanced stack (typo bug I think), which sometimes led to a register
mismatch messagebox.. (thanks hypn0)
* bugfix - fixed bug in zipworx_scan which could lead to a crash (thanks hypn0)
* bugfix - fixed bug in hmimys_scan scan (thanks hypn0)
* bugfix - fixed bug in ea access scan that could lead to a crash (thanks hypn0)
* bugfix - sanity / range check added to imphash code.. (thanks hypn0)
* bugfix - fix in digital signature processing where a serial wasnt present
* bugfix - fixed bug in nullsoft installer scan (thanks hypn0)
* bugfix - installer_gkwaresfx_scan had a bug where edx and ecx werent preserved, leading to a 'register mismatch'
messagebox if detected (thanks hypn0)
* bugfix - range / sanity check added into safedisc scan code (thanks hypn0)
* bugfix - range / sanity check added into solidshield scan code (thanks hypn0)
* added - launch4j detection (also has extra info if you enabled that in the configuration) - have fun Chester Fritz
* tweak - revised code for appended data size and offset calculation.. need to monitor this one
* update - pecompact detection updated, it now reports the internal version of the protection (thanks for the files hypn0)
* bugfix - internal file version core could crash if the version info data size was incorrect (we use an internal routine and
to calculate the size if the windows api fails.. which happens sometimes).. this was a very rare and obscure
bug (hard to replicate) - thanks to hypn0 I found and patched it (successfully I hope) :)
* bugfix - added some range checking in the convert_* functions, as a crash could occur in some very damaged files (very rare)
* bugfix - check_gamehouse.asm had some range checking added, as it'd crash on particularly malformed files..
* bugfix - check_upx.asm had some range checking added, as it'd crash on particularly malformed files
Download:
Quote:

http://pid.gamecopyworld.com/dl.php?f=ProtectionId.667.December.2014.rar
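
Two items in this changelog, the overlay offset bug (last section's physical size greater than its virtual size, and no overlay after the digital signature) and the per-section entropy report, are worth seeing in code. The following is an added Python example, my own code and not ProtectionID's (which is written in MASM): it builds a constructed PE32 image in memory, measures each section by its on-disk SizeOfRawData rather than VirtualSize, stops the overlay where the Authenticode security directory begins, and computes Shannon entropy per section. The `use_virtual_size=True` variant is my reconstruction of one way the calculation can be "thrown off", not the tool's actual pre-fix code; the file layout, section names and the 64-byte signature blob are all constructed test data.

```python
import math
import struct
from collections import Counter

# Index of the security (Authenticode) entry in the optional header's data directory table.
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def build_sample_pe():
    """Construct a minimal PE32 file in memory (constructed test data, not a real binary).

    Layout: headers padded to 512 | .text raw 512 | .data raw 512 | 100-byte overlay |
    64-byte placeholder signature blob referenced by the security directory.
    .data deliberately has SizeOfRawData (512) larger than VirtualSize (256).
    """
    text_raw = bytes(range(256)) * 2          # uniform byte distribution -> entropy 8.0
    data_raw = b"\0" * 512                    # all zeros -> entropy 0.0
    overlay = b"OVERLAY!" * 12 + b"\0" * 4    # 100 bytes appended after the last section
    signature = b"S" * 64                     # stands in for a WIN_CERTIFICATE blob
    sig_off = 512 + len(text_raw) + len(data_raw) + len(overlay)   # 1636

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)               # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)  # i386, 2 sections, PE32 opt hdr
    opt_std = struct.pack("<HBBIIIIII", 0x10B, 14, 0, 512, 512, 0, 0x1000, 0x1000, 0x2000)
    opt_win = struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, 0x1000, 512, 6, 0, 0, 0, 6, 0,
                          0, 0x3000, 512, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = b""
    for i in range(16):
        va, size = (sig_off, len(signature)) if i == IMAGE_DIRECTORY_ENTRY_SECURITY else (0, 0)
        dirs += struct.pack("<II", va, size)
    sections = b""
    for name, vsize, va, rawsize, rawptr in ((b".text", 512, 0x1000, 512, 512),
                                             (b".data", 256, 0x2000, 512, 1024)):
        sections += struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + opt_std + opt_win + dirs + sections
    headers += b"\0" * (512 - len(headers))
    return headers + text_raw + data_raw + overlay + signature


def parse_pe(data):
    """Return (section list, (security_offset, security_size)); all offsets are file offsets.
    struct.error propagates for headers that run past the end of the buffer."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dirs_off = opt_off + (96 if magic == 0x10B else 112)   # PE32 vs PE32+
    # Unlike the other directory entries, the security entry's "VirtualAddress" is a file offset.
    security = struct.unpack_from("<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections = []
    for i in range(nsections):
        name, vsize, _va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt_off + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rawsize, "raw_ptr": rawptr})
    return sections, security


def overlay_bounds(data, use_virtual_size=False):
    """Return (offset, size) of appended data, or None if there is none.
    use_virtual_size=True reproduces a wrong measurement (my reconstruction, see lead-in)."""
    sections, (sig_off, sig_size) = parse_pe(data)
    ends = []
    for s in sections:
        size = min(s["raw_size"], s["virtual_size"]) if use_virtual_size else s["raw_size"]
        if s["raw_size"]:
            ends.append(s["raw_ptr"] + size)
    start = min(max(ends, default=0), len(data))
    # Bytes after the Authenticode blob would invalidate the signature, so the overlay ends there.
    end = len(data)
    if sig_size and start <= sig_off and sig_off + sig_size <= len(data):
        end = sig_off
    return None if start >= end else (start, end - start)


def shannon_entropy(buf):
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def section_entropies(data):
    sections, _ = parse_pe(data)
    return {s["name"]: round(shannon_entropy(data[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]), 3)
            for s in sections}


if __name__ == "__main__":
    sample = build_sample_pe()
    print("overlay (raw sizes):    ", overlay_bounds(sample))
    print("overlay (virtual sizes):", overlay_bounds(sample, use_virtual_size=True))
    print("section entropy:        ", section_entropies(sample))
```

On the constructed file the raw-size calculation places the overlay at offset 1536 with 100 bytes, while measuring .data by its VirtualSize reports a 356-byte overlay starting inside the section's own padding; the signature blob at 1636 is excluded in both cases.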

evlncrn8 12-25-2014 08:12

that was quick, i had only updated the site 5 minutes before your post... so i think you win the ninja award today

alephz 12-26-2014 23:45

Quote:

Originally Posted by evlncrn8 (Post 95468)
6.6.7

Unfortunately, it doesn't have command line support yet. No way to call it as '> PrID victim.exe' or '> PrID *.dll'.

chessgod101 12-27-2014 00:04

Quote:

No way to call as '> PrID victim.exe' or '> PrID *.dll'.
It has command line support. You just need to add a '-scan' parameter to the command line. :)
>prid -scan victim.exe

niculaita 12-27-2014 04:56

again same as last year version, antivirus does not like this

upload a not crypted version please

evlncrn8 12-27-2014 19:57

what antivirus? and its documented in the nfo file about some antiviruses and false positives.. simply add an exclusion until they get round to whitelisting..

"same as last year" .. there was more than one release in the past year m8

uploading a non crypted version isnt going to happen, its not my fault the av is a false positive on some av's and im not going to do multiple releases with stuff turned on / off, that makes maintenance a total pain

also, (this is highly ironic), if i remove the encryption (i've tested this, and indeed, this was one of the reasons crypto was added), some anti viruses see some signatures for detection and raise those as false positive.. so its a no win situation

mcp 01-22-2015 17:29

Does anyone know what "WhiteLabel (SecuROM) protection Detected" means? What is this "Whitelabel" tag?

hypn0 01-22-2015 21:54

Quote:

Originally Posted by mcp (Post 96878)
Does anyone know what "WhiteLabel (SecuROM) protection Detected" means? What is this "Whitelabel" tag?

Looks like variant of Securom.

Loki 01-22-2015 22:05

Quote:

Originally Posted by hypn0 (Post 96884)
Looks like variant of Securom.

Just a hunch, but I think he might have guessed that bit :P

hypn0 01-22-2015 22:33

Quote:

Originally Posted by Loki (Post 96886)
Just a hunch, but I think he might have guessed that bit :P

I understand, he groaned at my post. I'm guilty, really sorry. :D

niculaita 01-24-2015 22:33

Quote:

Originally Posted by evlncrn8 (Post 96349)
what antivirus? and its documented in the nfo file about some antiviruses and false positives.. simply add an exclusion until they get round to whitelisting..

"same as last year" .. there was more than one release in the past year m8

uploading a non crypted version isnt going to happen, its not my fault the av is a false positive on some av's and im not going to do multiple releases with stuff turned on / off, that makes maintenance a total pain

also, (this is highly ironic), if i remove the encryption (i've tested this, and indeed, this was one of the reasons crypto was added), some anti viruses see some signatures for detection and raise those as false positive.. so its a no win situation

then upload a crypted version made by other cryptor

evlncrn8 01-26-2015 20:25

which cryptor would you suggest?

evlncrn8 01-26-2015 20:27

Quote:

Originally Posted by mcp (Post 96878)
Does anyone know what "WhiteLabel (SecuROM) protection Detected" means? What is this "Whitelabel" tag?

whitelabel means it was renamed and could be 'rebranded' (dss was one of the common names), whitelabel like on records etc

http://en.wikipedia.org/wiki/White-label_product

niculaita 01-27-2015 01:00

repack
 
Quote:

Originally Posted by evlncrn8 (Post 96978)
which cryptor would you suggest?

enigma or vmprotect are ok, but private ones, because public licences are antivirus blacklisted

Corsten 10-31-2015 22:42

ProtectionID v6.7.0
31-10-2015

Quote:

Some bugs fixed, some tweaks, some protection detections added, next changelog will be more detailed, as it will give me time to catch up on what i changed, and to add other things and involve the beta testers again but i wanted to get the release done for the traditional halloween release
Download:
Code:

http://pid.gamecopyworld.com/dl.php?f=ProtectionId.670.halloween.2015.rar

niculaita 10-31-2015 23:38

repack with another packer because it is blocked as a virus

evlncrn8 11-01-2015 00:34

no, i havent changed the crypt used on it in years, and im not planning to
and i mentioned the av is a false positive
so simple solution - add the folder to exclusions, or simply dont use it
simple as that, raising the same thing over and over is really boring

and if you see the virus total link i supplied on the home page, you'll see its 1 hit, from microsoft, which always falsely detect that, it will be whitelisted soon hopefully, but for now, the only way to get around it is add the exe to the exclusion list

also, it is NOT fucking virused... if it is, please show me the viral code oh wise one

evlncrn8 11-02-2015 18:16

new virustotal report -> https://www.virustotal.com/en/file/544cdc44c9cb8b9eb0043ccbd89309e88a380a1aacbcd3fb342297bd27626226/analysis/

so only a few hours after release it went to 19/55 'hits' (which i documented on the pid home page), 5 bad votes and 35 good ones, and then some attempt of a hack on the home page too, by someone looking for the source code (or anything related), looking for /jenkins folders etc... which is comical as the source isnt on the home site :)

now, as you can see, i hide nothing... the only av currently flagging pid as 'bad' is microsoft (windows defender etc), which is a false positive, and has happened for a long time, so adding the protectionid exe to the exclusion list is the only way to solve that

i've had no feedback of crashing or anything currently, so i hope that implies the release was a success

daqstar 12-16-2015 22:09

Excellent Release but can't get Context Menu to function!
 

What a host of wonderful features you have injected into Protection ID, but for some reason I can't get the 'Context Menu' configuration to work (Configuration > Main Configuration > Context Menu). Sure enough I can apply a tick to the relevant box, but after 'Applying', closing and restarting, the tick has gone, and the 'Context Menu' item does not appear. I have it set to 'run as admin', so what am I doing wrong?


evlncrn8 12-19-2015 00:46

turn off the fucking colors for a start.. it looks dumb
i guess you did it for attention, it almost worked in the opposite way...

if the context menu doesnt work, then try running protectionid as administrator and doing it then.. it should work and stick.. im guessing you're on windows 10 or similar.. which doesnt let the context menu stuff happen unless admin access is given.. also the code hasnt changed for that part in many many years, so its not a 'new' bug..

1. run as admin
2. turn on context menu
3. exit
4. dont run as admin.. should all be fine then, and pid doesnt really benefit from having admin privs anyway

Corsten 12-24-2015 23:42

Protection ID v6.7.5
 
24-12-2015

Quote:

I fixed some bugs and tweaked more code making things a bit more stable, I plan to add in taggant v2 support soon,
but im having trouble obtaining sample files to work from (i dont use the taggant lib), so if anyone wants to help with
that please do so.

I plan to wind down this version and start on v7 as soon as possible, most will port over relatively easily and
the goal is to make an x64, x86, gui and console versions, with most of the code being in c/c++ for portability
(asm doesnt port too easily).. and will focus on it having a scanning core initially, and some pe
(perhaps elf etc too) tools built in

If you'd like to contribute to v7 please get in touch at the email above, same goes if anyone wants to donate anything
Download:
Code:

http://pid.gamecopyworld.com/dl.php?f=ProtectionId.675.December.2015.rar

TechLord 11-01-2016 19:48

Protection ID v6.8.0 ( Halloween 2016) Released.
31-10-2016

Quote:

"Change Log :

I fixed some bugs and tweaked more code making things a bit more stable, and added some new detections.
Some bugs (like the pestuff ones) still exist, as they didnt make it to the 'fixed' list but should hopefully be addressed for the christmas / holiday season release

I also didnt find any taggant v2 samples, so that didnt make it into the release either, other things did though so i hope this release brings some pleasure to previous users."
Download Here :

Code:

http://pid.serveexchange.com/dl.php?f=ProtectionId.680.halloween.2016.rar

evlncrn8 11-01-2016 21:18

wow, someone noticed :)

TechLord 11-02-2016 07:40

Quote:

Originally Posted by evlncrn8 (Post 107577)
wow, someone noticed :)

I am sure that just like me, the entire reversing community would have been waiting for this release :)

Great job , I must say ! :)

mr.exodia 11-02-2016 08:49

@evlncrn8 out of interest, how many of your detection rules do you think would be portable to Yara? I think it could definitely improve the maintainability of the code and people can use the signatures with their favorite tools that support Yara.

TechLord 11-02-2016 11:21

Quote:

Originally Posted by mr.exodia (Post 107584)
@evlncrn8 out of interest, how many of your detection rules do you think would be portable to Yara? I think it could definitely improve the maintainability of the code and people can use the signatures with their favorite tools that support Yara.

I was thinking of the exact same thing for the past few days since the Beta version of the Protection ID was out...

Would be really nice if it could be ported to Yara :)

Thank you once again @evlncrn8 for this wonderful tool.

Just one quick suggestion :

Would it be possible to implement the Drag-and-Drop functionality in future versions if possible ?

For the last few versions we have to manually choose the file(s) or folder(s) ...

Thank you :)

mr.exodia 11-02-2016 22:04

Quote:

Originally Posted by TechLord (Post 107586)
For the last few versions we have to manually choose the file(s) or folder(s) ...

Make sure ProtectionID runs with the same privs as your file browser. Windows has this annoying thing where privileges with drag/drop cannot cross...

sendersu 11-03-2016 00:56

Quote:

Originally Posted by TechLord (Post 107576)
Protection ID v6.8.0 ( Halloween 2016) Released.
31-10-2016



Download Here :

Code:

http://pid.serveexchange.com/dl.php?f=ProtectionId.680.halloween.2016.rar

shows now
>>Internal server error. Please contact system administrator.

could be fixed or re-upped?
thx

mdj 11-03-2016 01:27

Mirror link
http://rgho.st/6ZFMhWcSX

