Took a deeper look at the executable. Don't know why it was packed in this manner; the actual files being replaced are just compressed in the resources.
DLL files are going to be overwritten, and the installer itself just does some checks to see where it's installed and whatever else is necessary, as far as I can see.
microsoft.windowsapicodepack.shell
// Decompiled fragment: the enclosing method's signature is not shown on the page.
// As shown, it resolves the Rocksmith 2014 install folder and returns it as a string,
// or string.Empty when Steam is not found or an exception is caught.
try
{
string rsDirectory = string.Empty;
// GenUtil.GetSteamDirectory is not shown here; its result is only checked for null/empty.
string steamDirectory = GenUtil.GetSteamDirectory();
if (!string.IsNullOrEmpty(steamDirectory))
{
// First guess: the default Steam library location under the Steam directory.
rsDirectory = Path.Combine(steamDirectory, "SteamApps\\common\\Rocksmith2014");
if (!Directory.Exists(rsDirectory))
{
// NOTE(review): this loop stops at the first registry key that yields a non-empty
// value, but the value is discarded and nothing below reads it. As shown it has no
// effect on rsDirectory; possibly a decompiler artifact. Verify against the IL.
foreach (Tuple<string, string> installRegKey in GenUtil.InstallRegKeys)
{
if (!string.IsNullOrEmpty(GenUtil.GetStringValueFromRegistry(installRegKey.Item1, installRegKey.Item2)))
break;
}
rsDirectory = GenUtil.GetCustomRSFolder(steamDirectory);
// smethod_0 / smethod_1 are generated names (the originals were lost to the
// obfuscator or decompiler). Presumably smethod_0 validates the folder and smethod_1
// asks the user to pick one, judging by the messages shown. Confirm in the helpers.
if (string.IsNullOrEmpty(rsDirectory) || !rsDirectory.smethod_0())
{
int num = (int) MessageBox.Show("We were unable to detect your Rocksmith 2014 folder, please select it manually!", "Your help is required!");
return GenUtil.smethod_1();
}
}
// The default folder exists but does not contain cache.psarc, so it is not accepted as is.
else if (!File.Exists(Path.Combine(rsDirectory, "cache.psarc")))
{
rsDirectory = GenUtil.smethod_1();
if (rsDirectory == string.Empty)
{
int num = (int) MessageBox.Show("We were unable to detect your Rocksmith 2014 folder, and you didn't give us a valid RS Folder.", "Closing Application");
// Application.Exit() only requests shutdown; control still reaches the return
// below, so the caller receives the empty string.
Application.Exit();
}
}
}
return rsDirectory;
}
// Catches every exception type, shows its message and falls through to the empty-string
// return. The label in the message reads "GetStreamDirectory" in the binary.
catch (Exception ex)
{
int num = (int) MessageBox.Show("<Warning> GetStreamDirectory, " + ex.Message);
}
return string.Empty;
}
<data name="D3DX9_42" type="System.Byte[], mscorlib">
<value>
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0K
JAAAAAAAAADdbzcvmQ5ZfJkOWXyZDll8SnxafZMOWXxKfFx9FQ5ZfEp8XX2NDll8jHFcfbAOWXyMcV19
lg5ZfIxxWn2KDll8SnxYfZoOWXyZDlh8Gg5ZfKCOUH2dDll8oI5ZfZgOWXygjqZ8mA5ZfKCOW32YDll8
...........
#IRONY (lol!)
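// Decompiled fragment from inside a method whose signature is not shown on the page.
// The installer continues (returns from this check) only when none of the listed marker
// files exist in installLocation AND GUI.CheckExecutable(installLocation) returns true.
// NOTE(review): CheckExecutable is not shown; presumably it compares the game EXE against
// the GUI.HASH_EXE / GUI.HASH_EXE_NEW values quoted on this page. Confirm.
if (!File.Exists(Path.Combine(installLocation, "IGG-GAMES.COM.url"))
    && !File.Exists(Path.Combine(installLocation, "SmartSteamEmu.ini"))
    && !File.Exists(Path.Combine(installLocation, "GAMESTORRENT.CO.url"))
    && !File.Exists(Path.Combine(installLocation, "Codex.ini"))
    && !File.Exists(Path.Combine(installLocation, "Skidrow.ini"))
    && GUI.CheckExecutable(installLocation))
{
    return;
}

// Any marker file present, or a failed executable check: show the refusal dialog,
// open the Steam store page, and terminate the process with exit code 1.
int num = (int) MessageBox.Show("CustomsForge doesn't support pirated / stolen copies of Rocksmith 2014!", "ARGGGG", MessageBoxButtons.OK, MessageBoxIcon.Hand);
// The URL is a string literal; its quotes were missing in the pasted listing.
Process.Start("https://store.steampowered.com/app/221680/");
Environment.Exit(1);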
All that to patch the import table of the EXE for the game and add D3DX9
The old HASH of your EXE should be this:
// Expected hash of the game EXE before patching, per the surrounding post.
// Hex rendering of the 32 bytes below, for comparison with a hashing tool's output:
//   a7258461101da0201707f5c272baaa62a3d3d10b3d2213c0d0f21cc83b4588da
// NOTE(review): 32 bytes is the length of a SHA-256 digest, but the hashing code is not
// shown on this page. Confirm the algorithm before relying on a comparison.
GUI.HASH_EXE = new byte[32]
{
(byte) 167,
(byte) 37,
(byte) 132,
(byte) 97,
(byte) 16,
(byte) 29,
(byte) 160,
(byte) 32,
(byte) 23,
(byte) 7,
(byte) 245,
(byte) 194,
(byte) 114,
(byte) 186,
(byte) 170,
(byte) 98,
(byte) 163,
(byte) 211,
(byte) 209,
(byte) 11,
(byte) 61,
(byte) 34,
(byte) 19,
(byte) 192,
(byte) 208,
(byte) 242,
(byte) 28,
(byte) 200,
(byte) 59,
(byte) 69,
(byte) 136,
(byte) 218
};
After patching, should be:
// Expected hash of the game EXE after the installer has patched it, per the surrounding post.
// Hex rendering of the 32 bytes below (byte.MaxValue is 0xff):
//   0d42e2ff3c7af6843ecb81259cc64f1ddefa1397b7ce53fdcf0a05d0b61a0dc3
// NOTE(review): 32 bytes is the length of a SHA-256 digest, but the hashing code is not
// shown on this page. Confirm the algorithm before relying on a comparison.
GUI.HASH_EXE_NEW = new byte[32]
{
(byte) 13,
(byte) 66,
(byte) 226,
byte.MaxValue,
(byte) 60,
(byte) 122,
(byte) 246,
(byte) 132,
(byte) 62,
(byte) 203,
(byte) 129,
(byte) 37,
(byte) 156,
(byte) 198,
(byte) 79,
(byte) 29,
(byte) 222,
(byte) 250,
(byte) 19,
(byte) 151,
(byte) 183,
(byte) 206,
(byte) 83,
(byte) 253,
(byte) 207,
(byte) 10,
(byte) 5,
(byte) 208,
(byte) 182,
(byte) 26,
(byte) 13,
(byte) 195
};
All in all, verified it's clean as described. Common AVs will complain because it's packed with a really common .NET packer used in malware all the time. I repacked it for myself and it works fine with no alerts using a different packer.
-Sandy