ProtectionID 6.5.5 - halloween public release 31/10/2013

Hi, here's the 6.5.5 public release, a lot of bugfixes and tweaks (incl the win 7 one which I still get emails for), and some new additions,
hopefully you'll like it... the last final version is probably going to be on christmas, where I will add anything missed, and fix any outstanding
bugs, then it's a switch to developing pid 7 which will be quite different (and various flavors for people who just want the scanning etc)

so, please send the bug reports in for this version to the usual email address and I'll make sure to include them in the next public release (most likely 24/12/2013)

and as usual, thanks to the beta team and those who supplied files, you helped make protection id what it is today...

cdkiller - if you see this, get in touch please m8

below is the long list of the fixes / updates, some were lost but this is about all I can remember doing :)

[virus total results]

https://www.virustotal.com/en-gb/file/58863c3654db45df49444fafde26ef03a2411ba305dee858cd8c9ae36c4ad415/analysis/1383250270/

SHA256: 		58863c3654db45df49444fafde26ef03a2411ba305dee858cd8c9ae36c4ad415
File name: 		protection_id.exe
Detection ratio: 	2 / 46
Analysis date: 		2013-10-31 20:11:10 UTC ( 0 minutes ago ) 

* Microsoft 	VirTool:Win32/Obfuscator.AX 
* Bkav 		HW32.TsCabk.cyiu 

both of the detections are false positives... 

the microsoft one I've known for a while (windows 8 windows defender blocked protection id during some tests, and I had 1 email about this), so
please add it to be excluded (provided the sha256 hash matches the above one)

Bkav I had never heard of until today...

have fun, hope to hear back,

/tippex

----------

2013.10.12
----------

- updated and tweaked VProtect detection code (thx to white for the files)

2013.10.03
----------

- added in unity detection (turn on compiler detection)
- updated rar detection for rar5 archives
- upgraded build environment to use masm 12, linker 12 etc... had no problems this time :)
- played a little with tls on pid 
- updated pace interlok detection (thanks HooK)

2013.07.05
----------

- updated compiler detect to detect visual basic as p-code or native (requested by Jerry)

2013.05.02
----------

- changed starforce detection to handle a false positive with an exe protected with ea access v4 or something... 
- updated ea detection to handle a new variant
- bugfix in find_import_module_owner function in handling x64 imports... 

2013.04.10	(never went live beta, just my own personal build)
----------

- change to build text, originally it was in mm/dd/yy format (masm did this.. ), so now I've converted to european format.. dd/mm/yy - cosmetic but I wanted it done :)

2013.04.06
----------

- bugfix on exe cryptor 2 scan (nested call was not handled correctly... old buggy code) - found by Jerry
- bugfix (seh handler output junk in function names if crash happened pre scan) - found by cowsheep
- bugfix - range checking failed on the code to check if a dll was an ocx or not - found by cowsheep (seh handler bug was related to this)
- bugfix - check_cactus.asm - range checking failed on code to check dll exports - found indirectly from cowsheep's bug find above...

note: next beta will have some new routines reporting if the import tables etc are bad pre-scan.. which might help things a little

2013.03.03
----------
- changed armadillo detection code atm to not use the decompression routines as they sometimes crashed, this is temporary until I find a work around
- updated armadillo detection code to detect version 8 or higher on an exe (haven't had a dll with this to test yet)

thx to deepzero for the new files

2013.03.02
----------
- cosmetic - all icons are now fine in windows 8, windows 8 seems to not like 16 color icons, which some were... so they got changed
- cosmetic / bug - the order of the tab windows in the misc tools portion somehow got messed up, now they're in the right order again
- manifest updated in resources (compiled in differently now)

2013.03.01
----------
- tweak - browse for folders (and sub folders) dialog now uses the new style dialogs (if available) 
		this can also be disabled in the configuration (old style browse folders)
- shell version is now autodetected
- cosmetic - all icons now show up properly in the pid main window under windows 8

2013.02.21
----------
- bugfix in check_unknown.asm - crashed when checking exports of a malware'd dll (exports were really bad) - thanks NikolayD


2013.02.10
----------
- updated windows version detection + product type descriptions - now detects win 8 properly
- we work in ubuntu (with wine) with no problems (wine detection reporting added into misctools in the text window on the right)

2013.02.09
----------
- updated rlpack detection code, now detects on a file that was previously undetected - thanks to NikolayD
- recoded entropy code, now doesn't use crt, and is completely 100% asm, and a little bit faster because of it :)
	this should hopefully resolve the crt issues, and xp issue with api usage (EncodePointer and so on)
- cleaned up some code, and tweaked some other code, end result, the exe is a tiny bit smaller
- sorted out the beta os issues... the tool now runs under win9x again (and higher obviously)... joy
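As an added illustration of what the entropy routine above measures (and of the entrypoint entropy that the 2013.02.01 notes below say is now reported), here is a Python version that is not ProtectionID's own asm code: it walks the PE headers by hand, finds the section that contains AddressOfEntryPoint and computes the Shannon entropy of that section's raw bytes. The minimal PE32 produced by build_sample_pe is constructed for the demo and is not a runnable program.

```python
import math
import struct
from collections import Counter


def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for a constant run, 8.0 for uniformly
    distributed bytes. Packed or encrypted stubs sit near the top of that range."""
    if not data:
        return 0.0
    n = len(data)
    h = -sum((c / n) * math.log2(c / n) for c in Counter(data).values())
    return abs(h)          # abs() turns the -0.0 of a constant run into a clean 0.0


def entrypoint_section(pe):
    """Return (name, raw bytes) of the section containing AddressOfEntryPoint,
    or None if the buffer is not a parseable PE file (hand-rolled PE walk)."""
    try:
        if pe[:2] != b"MZ":
            return None
        e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
        if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]   # COFF NumberOfSections
        opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]   # COFF SizeOfOptionalHeader
        opt = e_lfanew + 24                                         # optional header start
        entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]       # AddressOfEntryPoint
        table = opt + opt_size                                      # section table start
        for i in range(nsections):
            off = table + 40 * i
            name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
            vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, off + 8)
            if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
                return name, pe[rawptr:rawptr + rawsize]
    except struct.error:                                            # truncated headers
        return None
    return None


def entrypoint_entropy(pe):
    """(section name, entropy) for the entry point section, or None."""
    found = entrypoint_section(pe)
    if found is None:
        return None
    name, data = found
    return name, shannon_entropy(data)


def build_sample_pe(section_data):
    """Constructed minimal PE32: one section at RVA 0x1000 with the entry point
    inside it. Demo input only, not a real executable."""
    e_lfanew, raw_ptr = 0x40, 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, 1 section, PE32 opt hdr
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                         # AddressOfEntryPoint
    sect = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(section_data), 0x1000, len(section_data), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return (dos + b"PE\0\0" + coff + bytes(opt) + sect).ljust(raw_ptr, b"\0") + section_data


if __name__ == "__main__":
    plain = build_sample_pe(b"\x90" * 256)              # a run of NOPs: entropy 0.0
    noisy = build_sample_pe(bytes(range(256)) * 4)     # every byte value equally often: 8.0
    for label, pe in (("plain", plain), ("noisy", noisy)):
        print(label, entrypoint_entropy(pe))
```

Values close to 8 bits per byte at the entry point mean the code there is compressed or encrypted, which is why a scanner reports the number next to its packer signatures: a high entropy entry section with no recognised signature is the usual sign of an unknown packer.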

2013.02.08
----------
- updated deep sea obfuscator detection code, slightly changed a search pattern which then resulted in it detecting a previously undetected file
- moved over to using the latest vs2012 compilers etc, wasn't an easy task as it worked on one pc at home, broke making pdb's on my laptop and my
	office pc.... so I had a lot of tracking to do... solved it eventually though, so now we're using the latest compiler, libs and so on as
	well as being built with /safeseh stuff and other goodies

2013.02.06
----------

- bugfix in environment info in folder locations dialog, I changed a main function, knowing it would probably break something, but it needed changing,
	end result was it broke this code.. so environment stuff is reported correctly again now (1 line fix)
- added in code to erase the richedit undo buffer (this ate some memory up, sometimes a lot more than it should have) - perhaps this was the memory leak
	in the cab stuff?, now it seems a lot better, and we never use the undo feature anyway... I only recently noticed the memory usage jumps (about 6mb)
	that happen when using the fileopen (scan file / multiple) and the folder browser gui portions - this memory usage is from the system, and unfortunately
	can not be freed directly by me (apparently it's retained for performance reasons), so using those menu items (even if you click cancel) can result in the
	memory usage really fluctuating, first time it's run, it's about 6mb, 2nd time and more, it's about a few kb...
- bugfix for 2 scanning functions that crashed under very rare circumstances on some hand crafted exe's (good for testing)
- switched to masm 11.00.51106.1 and linker 11.00.51106.1

2013.02.05
----------

- agiledotnet detection tweaked a bit further, now reports a lot more
- smartassembly detection code got tweaked, it detected versions previously undetected and uses a 1 pass instead of (previously) a 2 pass scan method
- cab file handler code got rewritten / tweaked
- enigma detection got updated for newer version detection (version 3.90+) has a different version number style (build version...) - thanks argie

2013.02.04
----------

- detection for fastpack added
- bug fix in scanning code, where a range check was the wrong value, resulting in some (123 maximum) scans from not detecting.. doh
- detection for agiledotnet (formerly clisecure)

2013.02.03
----------

- bugfix in check_unknown.asm - added in code to safely calculate entrypoint section memory ranges and size, crash avoidance
- zprotect scan tweaked

2013.02.02
----------

- updated reporting to show the amount of scans actually executed in the file scan
- updated vmprotect scan code, using a new algo to detect it, it detected it on all the files I had which were not detected before
	including dll's and one x64 executable

2013.02.01
----------

- mpress scan updated to detect even more files
- private exe detection updated to detect an older version
- added in some more heuristic values / detections
- pespin scan updated to detect another version
- nooby protect scan updated to detect a version that used tls callbacks to decrypt the stub code (possibly to defeat scanners)
- enigma scan updated to detect more versions
- ea access code updated to detect latest version and report 'extra' information
- igorlock dongle detection added
- bigfish game client scanning detection bug fixed (registers not preserved)
- steam scan updated to detect newer versions, also reports extra ceg info (if present)
- gamehouse scan code adjusted to reduce a slowdown when processing imports (now significantly faster)
- rocky dongle scan updated with a new signature (one of cdkillers last code commits)
- codefort scan bugfix (one of cdkillers last code commits)
- cli secure scan code updated and tweaked
- cryptkey sdk scan code updated
- vmprotect scan code updated, a weak detection was removed (it led to a lot of false positives, reporting v2.06 or higher was found)
- pklite scan code signatures updated to detect older versions (even though the packer is kind of 'dead')
- upack code updated, heuristics check removed which caused the scan to skip if appended data / overlay was present
- entrypoint entropy reported (might come in useful to someone)
- some new configuration settings added (be sure to check them out)
- updated rar detection to (semi) validate the header so Rar!lolololololololollo type files would be falsely detected (thanks alex)
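As an added example (not code from ProtectionID), here is what "semi validating" the header amounts to in practice, covering both the rar5 archives mentioned in the 2013.10.03 notes and the Rar!lolol... false positive above: match the complete marker block rather than the four text bytes, then check that a plausible main archive header with a correct CRC follows. The field layout is the published RAR 4.x / RAR 5 header format; the sample inputs are constructed here and are not real archives.

```python
import struct
import zlib

# Full marker / signature blocks (published RAR format). Matching only the text
# "Rar!" is what lets junk such as b"Rar!lolololololololollo" slip through.
RAR4_MARKER = b"Rar!\x1a\x07\x00"       # RAR 1.5 - 4.x marker block, 7 bytes
RAR5_MARKER = b"Rar!\x1a\x07\x01\x00"   # RAR 5.0+ signature, 8 bytes
RAR4_MAIN_HEAD = 0x73                   # HEAD_TYPE of the RAR4 archive header
RAR5_MAIN_HEAD = 1                      # header type of the RAR5 main archive header


def _read_vint(buf, pos):
    """RAR5 variable-length integer: 7 data bits per byte, high bit = continuation."""
    value, shift = 0, 0
    while pos < len(buf):
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7
    raise ValueError("truncated vint")


def _valid_rar4_main_header(buf):
    """After the marker: HEAD_CRC(2) HEAD_TYPE(1) HEAD_FLAGS(2) HEAD_SIZE(2) ...
    HEAD_CRC is the low 16 bits of CRC32 over HEAD_TYPE up to the end of the header."""
    off = len(RAR4_MARKER)
    if len(buf) < off + 7:
        return False
    head_crc, head_type, _flags, head_size = struct.unpack_from("<HBHH", buf, off)
    if head_type != RAR4_MAIN_HEAD or head_size < 7 or len(buf) < off + head_size:
        return False
    return (zlib.crc32(buf[off + 2:off + head_size]) & 0xFFFF) == head_crc


def _valid_rar5_main_header(buf):
    """After the signature: CRC32(4) over [header size vint + header data],
    header size vint, header type vint (1 = main archive header), ..."""
    off = len(RAR5_MARKER)
    if len(buf) < off + 5:
        return False
    stored_crc = struct.unpack_from("<I", buf, off)[0]
    try:
        head_size, data_start = _read_vint(buf, off + 4)
        head_type, _ = _read_vint(buf, data_start)
    except ValueError:
        return False
    if head_type != RAR5_MAIN_HEAD or len(buf) < data_start + head_size:
        return False
    return (zlib.crc32(buf[off + 4:data_start + head_size]) & 0xFFFFFFFF) == stored_crc


def classify_rar(buf):
    """Signature match plus header sanity check, instead of a bare text match."""
    if buf.startswith(RAR5_MARKER):
        return "RAR5" if _valid_rar5_main_header(buf) else "RAR5 marker, bad header"
    if buf.startswith(RAR4_MARKER):
        return "RAR 1.5-4.x" if _valid_rar4_main_header(buf) else "RAR4 marker, bad header"
    if buf.startswith(b"Rar!"):
        return "not RAR (text magic only)"
    return "not RAR"


# --- constructed sample inputs: just enough header to validate, not real archives ---
def make_rar4_sample():
    body = struct.pack("<BHH", RAR4_MAIN_HEAD, 0, 13) + b"\x00\x00" + b"\x00\x00\x00\x00"
    return RAR4_MARKER + struct.pack("<H", zlib.crc32(body) & 0xFFFF) + body


def make_rar5_sample():
    data = b"\x01\x00\x00"              # type = main header, header flags = 0, archive flags = 0
    size_field = bytes([len(data)])     # header size vint, fits in one byte
    crc = zlib.crc32(size_field + data) & 0xFFFFFFFF
    return RAR5_MARKER + struct.pack("<I", crc) + size_field + data


if __name__ == "__main__":
    for sample in (make_rar4_sample(), make_rar5_sample(), b"Rar!lolololololololollo",
                   RAR4_MARKER + b"\x00" * 16, b"MZ\x90\x00"):
        print(sample[:8], "->", classify_rar(sample))
```

The CRC check is what makes the difference between "the first seven bytes look right" and "this is an archive": a crafted file can carry the marker, but a scanner that demands a consistent main header behind it stops reporting the lolololol style junk as RAR.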

special thanks to hors for providing files and ideas :)

2011.03.17
----------
 
- now detects SolidShield core.dll v2.0.4.0 and newer (Assassins.Creed.Brotherhood-SKIDROW)
- since ZEIT2-RELOADED (01/2011) SolidShield 2 activation.exe is upx'ed - gets detected now too :)
- updated for SolidShield v2 DLL Wrapper (i.e. Crysis 2 Multiplayer Demo)
- Protect DiSC v10 core module detection
- added in PC Guard v5.06 (or newer) detection
- Spices .NET Obfuscator detection tweaked, does now detect on Grapheditplus v1.40 
- Gameguard v2010.11.11 (or newer) gets detected (9 Dragons German Client (2011-02-28))
- ZProtect tweaked to detect on 2 files it did not see before
- VMProtect 2.06 (or newer) gets detected on an unpackme it did not see before (thx JeRRy)
- VProtect detection tweaked, does now detect on an unpackme it did not see before (thx JeRRy)
- does now detect StarForce 32 Bit v3.06.010.008 on PsyOps Patch #1 (russian) (thx ReverseB00n)
- Shielden v2.x detection
- GameGuard Scan Module gets detected
- VMProtect detection tweaked, (thx JeRRy)
- SmartAssembly version gets reported if possible
- added in one more string check for Crypto Obfuscator for .NET,
  reduces false positives which were reported (thx kao) :)
- BUGFIX FOR THE WIN 7 STARTUP CRASH ISSUE (thx to redblkjck), probably happened in win 8 too, should now be resolved
 
2011.02.08
----------
 
- fixed bug in DotNetGuard detection
- Goliath .NET Obfuscator detection
- Xheo DeployLX 4.x detection
- InstallAware Setup Module detection does now detect on FireDaemon.Trinity.v2.4.2669-iNViSiBLE
- Switlle Games Registrator Scan (detects game.exe signature + registrator.exe)
- StarForce v5.xx (or newer) for .NET detection
- HASP SRM Protection System Module for dotNET detection
- HASP SRM Protection Envelope for dotNET detection
- updated ProtectDiSC detection for recent Black Mirror 3 v1.01 PCGame (another build of PCD v10.2.0)
- tweaked Settec Alpha ROM detection on some korean game (released back in 2009)
- detection of more Sentinel RMS references (Systat.SigmaPlot.v11.2-RECOiL)
- new Sentinel RMS v8.x Core.dll detection
- Rainbow Technologies USB Security Device Driver detection (i.e. Electric.Image.Animation.Studio.EIAS.v8.0-Lz0)
- added in specific detection of the Intel C++ 5.0 Compiler - (Football Superstars v2.1 game.exe)
- make shortcuts, desktop shortcut and safemode shortcut are now disabled by default..
  user can turn them on if wanted..
