Skip to content

Add support for ExeLock Executable File Protector#1

Open
ZenoArrows wants to merge 5 commits into
russdill:masterfrom
ZenoArrows:exelock
Open

Add support for ExeLock Executable File Protector#1
ZenoArrows wants to merge 5 commits into
russdill:masterfrom
ZenoArrows:exelock

Conversation

@ZenoArrows
Copy link
Copy Markdown

@ZenoArrows ZenoArrows commented May 11, 2026
edited
Loading

ExeLock is a NeoLite variant that uses Deflate64 and one extra obfuscation step. It can be detected by looking at use_zlib in the header.

The single extra obfuscation step is that in the executable sections all relative call instructions have been changed using the following logic during compression:

if target is within the section:
  new address = relative address + instruction offset # relative to the start of the section
else:
  new address = relative address - section size # relative from to end of the section?

I think the intention was to make both cases relative to the bounds of the section with the sign bit marking whether it's relative to the start or the end of the section. However in the latter case they seem to have forgotten that the address is still relative to the current call instruction, but that could've simply been some extra obfuscation.

ExeLock is used as a packer for RollerCoaster Tycoon 1 and 2, having a convenient unpacker is helpful in studying one of the last games that still used mostly hand-written assembly. It's important to note that the original CD release of RCT2 was additionally protected by SecuROM and this script does not patch out any DRM scheme.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ZenoArrows