From 53c8b630fabf3f70d65e9b4eeffe25d7ac44b2a7 Mon Sep 17 00:00:00 2001
From: thug-shaker <130842565+thug-shaker@users.noreply.github.com>
Date: Mon, 8 Sep 2025 17:21:19 +0200
Subject: [PATCH 1/6] Add rules for AntiCheat.TheiaAntiTamper

---
 descriptions/AntiCheat.TheiaAntiTamper.md | 6 ++++++
 rules.ini | 1 +
 tests/types/AntiCheat.TheiaAntiTamper | 12 ++++++++++++
 3 files changed, 19 insertions(+)
 create mode 100644 descriptions/AntiCheat.TheiaAntiTamper.md
 create mode 100644 tests/types/AntiCheat.TheiaAntiTamper

diff --git a/descriptions/AntiCheat.TheiaAntiTamper.md b/descriptions/AntiCheat.TheiaAntiTamper.md
new file mode 100644
index 000000000..357ce8dab
--- /dev/null
+++ b/descriptions/AntiCheat.TheiaAntiTamper.md
@@ -0,0 +1,6 @@
+Theia is an anti-tamper system that protects games from being tampered with.
+It is developed by the Hungarian company [**ZeroITLab**](https://zeroitlab.com/).
+Theia provides detections for tools commonly used to reverse engineer games such as IDA Pro, X64DBG and pe-bear.
+Further it "packs" the game such that the main game binary on disk is useless and must be decrypted to be analyzed.
+Theia also includes runtime page encryption, this means that the memory is encrypted at runtime and decrypted on demand.
+Theia features an option to remove all branding, this option is used on EA games like Battlefield, all strings that mention "Theia" are then replaced with "PACKER".
diff --git a/rules.ini b/rules.ini
index 7488953e1..de88b2fa3 100644
--- a/rules.ini
+++ b/rules.ini
@@ -254,6 +254,7 @@ PunkBuster[] = (?:^|/)pbsv\.dll$
 PunkBuster[] = (?:^|/)Punkbuster(?:$|/)
 Ricochet = (?:^|/)Randgrid\.sys$
 TenProtect = (?:^|/)TP3Helper\.exe$
+TheiaAntiTamper = (?:^|/)preloader.*\.dll$
 XIGNCODE3 = \.xem$
 
 [SDK]
diff --git a/tests/types/AntiCheat.TheiaAntiTamper b/tests/types/AntiCheat.TheiaAntiTamper
new file mode 100644
index 000000000..a80356411
--- /dev/null
+++ b/tests/types/AntiCheat.TheiaAntiTamper
@@ -0,0 +1,12 @@
+/preloader.dll
+/preloader_s.dll
+/preloader_l.dll
+preloader.dll
+preloader_s.dll
+preloader_l.dll
+Win64/preloader.dll
+Win64/preloader_s.dll
+Win64/preloader_l.dll
+Sub/Win64/preloader.dll
+Sub/Win64/preloader_s.dll
+Sub/Win64/preloader_l.dll

From 50de37f42dc38e252b694e9e1726e5a0bb020728 Mon Sep 17 00:00:00 2001
From: thug-shaker <130842565+thug-shaker@users.noreply.github.com>
Date: Mon, 8 Sep 2025 17:32:20 +0200
Subject: [PATCH 2/6] Rename AntiCheat.TheiaAntiTamper to AntiCheat.TheiaAntiTamper.txt

---
 .../{AntiCheat.TheiaAntiTamper => AntiCheat.TheiaAntiTamper.txt} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename tests/types/{AntiCheat.TheiaAntiTamper => AntiCheat.TheiaAntiTamper.txt} (100%)

diff --git a/tests/types/AntiCheat.TheiaAntiTamper b/tests/types/AntiCheat.TheiaAntiTamper.txt
similarity index 100%
rename from tests/types/AntiCheat.TheiaAntiTamper
rename to tests/types/AntiCheat.TheiaAntiTamper.txt

From c3f44f31787a6157cff5d7dc3713d0ffbe2d706f Mon Sep 17 00:00:00 2001
From: thug-shaker <130842565+thug-shaker@users.noreply.github.com>
Date: Mon, 8 Sep 2025 18:47:02 +0200
Subject: [PATCH 3/6] Update rules.ini

---
 rules.ini | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules.ini b/rules.ini
index de88b2fa3..ee8323197 100644
--- a/rules.ini
+++ b/rules.ini
@@ -254,7 +254,7 @@ PunkBuster[] = (?:^|/)pbsv\.dll$
 PunkBuster[] = (?:^|/)Punkbuster(?:$|/)
 Ricochet = (?:^|/)Randgrid\.sys$
 TenProtect = (?:^|/)TP3Helper\.exe$
-TheiaAntiTamper = (?:^|/)preloader.*\.dll$
+TheiaAntiTamper = (?:^|/)preloader(?:_.)?\.dll$
 XIGNCODE3 = \.xem$
 
 [SDK]

From 07dae6cfa83b92668f4ed2f4263bf7382ef5d5cb Mon Sep 17 00:00:00 2001
From: thug-shaker <130842565+thug-shaker@users.noreply.github.com>
Date: Mon, 8 Sep 2025 19:37:56 +0200
Subject: [PATCH 4/6] Remove _s pattern from tests

---
 tests/types/AntiCheat.TheiaAntiTamper.txt | 4 ----
 1 file changed, 4 deletions(-)
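Review bot: The new fixture holds only paths the rule must match, so it cannot catch a rule that is too broad — the PATCH 1/6 form `preloader.*\.dll$` passes every line here and would equally pass an unrelated file such as a hypothetical `preloader_helper.dll`. Whether the harness that reads tests/types supports expected non-matches is not visible from this hunk; if it does, the `_s` paths that PATCH 4/6 deletes are better kept as negative cases once the rule is narrowed to `preloader(?:_l)?\.dll$`, and a constructed path like `Win64/preloaderx.dll` would pin the `\.dll` boundary. If it does not, a one-line comment in the fixture naming the rule it exercises would still help the next maintainer, provided the fixture format allows comments.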
diff --git a/tests/types/AntiCheat.TheiaAntiTamper.txt b/tests/types/AntiCheat.TheiaAntiTamper.txt
index a80356411..05aecdc59 100644
--- a/tests/types/AntiCheat.TheiaAntiTamper.txt
+++ b/tests/types/AntiCheat.TheiaAntiTamper.txt
@@ -1,12 +1,8 @@
 /preloader.dll
-/preloader_s.dll
 /preloader_l.dll
 preloader.dll
-preloader_s.dll
 preloader_l.dll
 Win64/preloader.dll
-Win64/preloader_s.dll
 Win64/preloader_l.dll
 Sub/Win64/preloader.dll
-Sub/Win64/preloader_s.dll
 Sub/Win64/preloader_l.dll

From 72ecc91d73c0ae8f30cd51934c5be0625ef8bd32 Mon Sep 17 00:00:00 2001
From: thug-shaker <130842565+thug-shaker@users.noreply.github.com>
Date: Mon, 8 Sep 2025 19:38:39 +0200
Subject: [PATCH 5/6] Update rules.ini

Remove _s pattern
---
 rules.ini | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules.ini b/rules.ini
index ee8323197..119a6e000 100644
--- a/rules.ini
+++ b/rules.ini
@@ -254,7 +254,7 @@ PunkBuster[] = (?:^|/)pbsv\.dll$
 PunkBuster[] = (?:^|/)Punkbuster(?:$|/)
 Ricochet = (?:^|/)Randgrid\.sys$
 TenProtect = (?:^|/)TP3Helper\.exe$
-TheiaAntiTamper = (?:^|/)preloader(?:_.)?\.dll$
+TheiaAntiTamper = (?:^|/)preloader(?:_l)?\.dll$
 XIGNCODE3 = \.xem$
 
 [SDK]

From 6a795c42e464677f114cbddb70a3c15437217ff7 Mon Sep 17 00:00:00 2001
From: thug-shaker <130842565+thug-shaker@users.noreply.github.com>
Date: Mon, 8 Sep 2025 19:42:27 +0200
Subject: [PATCH 6/6] Shorten description

---
 descriptions/AntiCheat.TheiaAntiTamper.md | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/descriptions/AntiCheat.TheiaAntiTamper.md b/descriptions/AntiCheat.TheiaAntiTamper.md
index 357ce8dab..c7c946b19 100644
--- a/descriptions/AntiCheat.TheiaAntiTamper.md
+++ b/descriptions/AntiCheat.TheiaAntiTamper.md
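Review bot: The final rule `TheiaAntiTamper = (?:^|/)preloader(?:_l)?\.dll$` keys on a generic basename alone, so any unrelated product that ships a `preloader.dll` would be classified as Theia; the earlier forms `preloader.*\.dll$` (PATCH 1/6) and `preloader(?:_.)?\.dll$` (PATCH 3/6) were broader still and are superseded by this hunk. Sibling entries such as `Randgrid\.sys` and `TP3Helper\.exe` rely on vendor-specific names, so consider pairing this entry with a more specific second indicator using the file's `PunkBuster[] = ...` multi-pattern form, or recording the false-positive risk in descriptions/AntiCheat.TheiaAntiTamper.md. The matcher's case handling is not visible from this hunk; if it is case-sensitive, a `Preloader.dll` on a case-insensitive Windows filesystem would be missed, so confirm against the engine that loads rules.ini before relying on exact case.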
@@ -1,6 +1,2 @@
-Theia is an anti-tamper system that protects games from being tampered with.
-It is developed by the Hungarian company [**ZeroITLab**](https://zeroitlab.com/).
+Theia is an anti-tamper system developed by [**ZeroITLab**](https://zeroitlab.com/).
 Theia provides detections for tools commonly used to reverse engineer games such as IDA Pro, X64DBG and pe-bear.
-Further it "packs" the game such that the main game binary on disk is useless and must be decrypted to be analyzed.
-Theia also includes runtime page encryption, this means that the memory is encrypted at runtime and decrypted on demand.
-Theia features an option to remove all branding, this option is used on EA games like Battlefield, all strings that mention "Theia" are then replaced with "PACKER".