Add region tld

Addresses https://github.com/BeamMP/BeamMP-Launcher/issues/185 by
handling incomplete TCP recv despite MSG_WAITALL

Fixes running the launcher inside of wine as well as the rare instances
where this happens natively.

```
       MSG_WAITALL (since Linux 2.2)
              This flag requests that the operation block until the full request is satisfied.
              However, the call may still return less data than requested if a signal is caught,
              an error or disconnect occurs, or the next data to  be  re‐ceived is of a different type
              than that returned.  This flag has no effect for datagram sockets.

```

---

By creating this pull request, I understand that code that is AI
generated or otherwise automatically generated may be rejected without
further discussion.
I declare that I fully understand all code I pushed into this PR, and
wrote all this code myself and own the rights to this code.

.github/workflows/cmake-linux.yml

@@ -20,7 +20,7 @@ jobs:
         with:
             vcpkgArguments: 'zlib nlohmann-json openssl cpp-httplib[openssl]'
             vcpkgDirectory: '${{ runner.workspace }}/b/vcpkg'
-            vcpkgGitCommitId: '40616a5e954f7be1077ef37db3fbddbd5dcd1ca6'
+            vcpkgGitCommitId: 'b5d1a94fb7f88fd835e360fd23a45a09ceedbf48'
 
       - name: Create Build Environment
         run: cmake -E make_directory ${{github.workspace}}/build-linux

.github/workflows/cmake-windows.yml

@@ -20,7 +20,7 @@ jobs:
         with:
             vcpkgArguments: 'discord-rpc zlib nlohmann-json openssl cpp-httplib[openssl]'
             vcpkgDirectory: '${{ runner.workspace }}/b/vcpkg'
-            vcpkgGitCommitId: '40616a5e954f7be1077ef37db3fbddbd5dcd1ca6'
+            vcpkgGitCommitId: 'b5d1a94fb7f88fd835e360fd23a45a09ceedbf48'
             vcpkgTriplet: 'x64-windows-static'
 
       - name: Create Build Environment

include/Network/network.hpp

@@ -42,7 +42,7 @@ extern std::string magic;
 int KillSocket(uint64_t Dead);
 void UUl(const std::string& R);
 void UDPSend(std::string Data);
-bool CheckBytes(int32_t Bytes);
+bool CheckBytes(int32_t Bytes, int32_t Expected = -1);
 void GameSend(std::string_view Data);
 void SendLarge(std::string Data);
 std::string TCPRcv(uint64_t Sock);
@@ -56,3 +56,4 @@ void UDPClientMain(const std::string& IP, int Port);
 void TCPGameServer(const std::string& IP, int Port);
 bool SecurityWarning();
 void CoreSend(std::string data);
+int RecvWaitAll(int sockfd, char *buf, int len);

include/Options.h

@@ -20,6 +20,7 @@ struct Options {
     bool no_update = false;
     bool no_launch = false;
     const char* user_path = nullptr;
+    std::string region;
     const char **game_arguments = nullptr;
     int game_arguments_length = 0;
     const char** argv = nullptr;

include/Utils.h

@@ -336,4 +336,14 @@ namespace Utils {
             throw std::runtime_error("Game disconnected");
         }
     }
-};
+
+    inline std::string RegionToTopLevelDomain(const std::string region) {
+        if (region == "Restricted") {
+            return "beammp.ru";
+        }
+        else if (region == "Developer") {
+            return "beammp.dev";
+        }
+        return "beammp.com"; // Global
+    }
+    };

src/Config.cpp

@@ -36,6 +36,10 @@ void ParseConfig(const nlohmann::json& d) {
         CachingDirectory = std::filesystem::path(d["CachingDirectory"].get<std::string>());
         info(beammp_wide("Mod caching directory: ") + beammp_fs_string(CachingDirectory.relative_path()));
     }
+    if (d.contains("Region") && d["Region"].is_string()) {
+        options.region = d["Region"].get<std::string>();
+        info("Set the region to: " + options.region);
+    }
 
     if (d.contains("Dev") && d["Dev"].is_boolean()) {
         bool dev = d["Dev"].get<bool>();
@@ -67,14 +71,18 @@ void ConfigInit() {
         } else
             fatal("Failed to open Launcher.cfg!");
     } else {
+        if (options.region.empty())
+        {
+            options.region = "Global";
+        }
         std::ofstream cfg("Launcher.cfg");
         if (cfg.is_open()) {
             cfg <<
                 R"({
     "Port": 4444,
     "Build": "Default",
-    "CachingDirectory": "./Resources"
+    "CachingDirectory": "./Resources",
-})";
+    "Region": ")" << options.region << "\"\n}";
             cfg.close();
         } else {
             fatal("Failed to write config on disk!");

src/Network/Core.cpp

@@ -143,29 +143,28 @@ void GetServerInfo(std::string Data) {
     const std::string buffer = ([&]() -> std::string {
         int32_t Header;
         std::vector<char> data(sizeof(Header));
-        int Temp = recv(ISock, data.data(), sizeof(Header), MSG_WAITALL);
+        int Temp = RecvWaitAll(ISock, data.data(), sizeof(Header));
 
-        auto checkBytes = ([&](const int32_t bytes) -> bool {
+        auto checkBytes = ([&](const int32_t bytes, const int32_t expected = -1) -> bool {
             if (bytes == 0) {
                 return false;
             } else if (bytes < 0) {
                 return false;
             }
+            if (expected != -1 && bytes != expected) {
+                return false;
+            }
             return true;
         });
 
-        if (!checkBytes(Temp)) {
+        if (!checkBytes(Temp, sizeof(Header))) {
             return "";
         }
         memcpy(&Header, data.data(), sizeof(Header));
 
-        if (!checkBytes(Temp)) {
-            return "";
-        }
-
         data.resize(Header, 0);
-        Temp = recv(ISock, data.data(), Header, MSG_WAITALL);
+        Temp = RecvWaitAll(ISock, data.data(), Header);
-        if (!checkBytes(Temp)) {
+        if (!checkBytes(Temp, Header)) {
             return "";
         }
         return std::string(data.data(), Header);
@@ -227,7 +226,7 @@ void Parse(std::string Data, SOCKET CSocket) {
             TCPTerminate = true;
             Data.clear();
             futures.push_back(std::async(std::launch::async, []() {
-                CoreSend("B" + HTTP::Get("https://backend.beammp.com/servers-info"));
+                CoreSend("B" + HTTP::Get("https://backend." + Utils::RegionToTopLevelDomain(options.region) + "/servers-info"));
             }));
         }
         break;

src/Network/GlobalHandler.cpp

@@ -50,17 +50,6 @@ int KillSocket(uint64_t Dead) {
     return a;
 }
 
-bool CheckBytes(uint32_t Bytes) {
-    if (Bytes == 0) {
-        debug("(Proxy) Connection closing");
-        return false;
-    } else if (Bytes < 0) {
-        debug("(Proxy) send failed with error: " + std::to_string(WSAGetLastError()));
-        return false;
-    }
-    return true;
-}
-
 void GameSend(std::string_view Data) {
     static std::mutex Lock;
     std::scoped_lock Guard(Lock);

src/Network/Http.cpp

@@ -6,6 +6,7 @@
 
 
 #include "Http.h"
+#include "Options.h"
 #include <Logger.h>
 #include <Network/network.hpp>
 #include <Startup.h>
@@ -20,45 +21,6 @@
 #include <mutex>
 #include <nlohmann/json.hpp>
 
-void WriteHttpDebug(const httplib::Client& client, const std::string& method, const std::string& target, const httplib::Result& result) try {
-    const std::filesystem::path folder = ".https_debug";
-    std::filesystem::create_directories(folder);
-    if (!std::filesystem::exists(folder / "WHAT IS THIS FOLDER.txt")) {
-        std::ofstream ignore { folder / "WHAT IS THIS FOLDER.txt" };
-        ignore << "This folder exists to help debug current issues with the backend. Do not share this folder with anyone but BeamMP staff. It contains detailed logs of any failed http requests." << std::endl;
-    }
-    const auto file = folder / (method + ".json");
-    // 1 MB limit
-    if (std::filesystem::exists(file) && std::filesystem::file_size(file) > 1'000'000) {
-        std::filesystem::rename(file, file.generic_string() + ".bak");
-    }
-
-    std::ofstream of { file, std::ios::app };
-    nlohmann::json js {
-        { "utc", std::chrono::system_clock::now().time_since_epoch().count() },
-        { "target", target },
-        { "client_info", {
-                             { "openssl_verify_result", client.get_openssl_verify_result() },
-                             { "host", client.host() },
-                             { "port", client.port() },
-                             { "socket_open", client.is_socket_open() },
-                             { "valid", client.is_valid() },
-                         } },
-    };
-    if (result) {
-        auto value = result.value();
-        js["result"] = {};
-        js["result"]["body"] = value.body;
-        js["result"]["status"] = value.status;
-        js["result"]["headers"] = value.headers;
-        js["result"]["version"] = value.version;
-        js["result"]["location"] = value.location;
-        js["result"]["reason"] = value.reason;
-    }
-    of << js.dump();
-} catch (const std::exception& e) {
-    error(e.what());
-}
 
 static size_t CurlWriteCallback(void* contents, size_t size, size_t nmemb, void* userp) {
     std::string* Result = reinterpret_cast<std::string*>(userp);
@@ -175,8 +137,8 @@ void HTTP::StartProxy() {
             { "User-Agent", "BeamMP-Launcher/" + GetVer() + GetPatch() },
             { "Accept", "*/*" }
         };
-        httplib::Client backend("https://backend.beammp.com");
+        httplib::Client backend("https://backend." + Utils::RegionToTopLevelDomain(options.region));
-        httplib::Client forum("https://forum.beammp.com");
+        httplib::Client forum("https://forum." + Utils::RegionToTopLevelDomain(options.region));
 
         const std::string pattern = ".*";
 
@@ -255,7 +217,7 @@ void HTTP::StartProxy() {
                 }
 
                 if (error) {
-                    cli_res = forum.Get("/user_avatar/forum.beammp.com/user/0/0.png", headers);
+                    cli_res = forum.Get("/user_avatar/forum." + Utils::RegionToTopLevelDomain(options.region) + "/user/0/0.png", headers);
                 }
 
             } else {

src/Network/Resources.cpp

@@ -164,7 +164,7 @@ std::vector<char> TCPRcvRaw(SOCKET Sock, uint64_t& GRcv, uint64_t Size) {
     do {
         // receive at most some MB at a time
         int Len = std::min(int(Size - Rcv), 1 * 1024 * 1024);
-        int Temp = recv(Sock, &File[Rcv], Len, MSG_WAITALL);
+        int Temp = RecvWaitAll(Sock, &File[Rcv], Len);
         if (Temp == -1 || Temp == 0) {
             debug("Recv returned: " + std::to_string(Temp));
             if (Temp == -1) {

src/Network/VehicleData.cpp

@@ -94,6 +94,7 @@ void UDPClientMain(const std::string& IP, int Port) {
     inet_pton(AF_INET, IP.c_str(), &ToServer->sin_addr);
     UDPSock = socket(AF_INET, SOCK_DGRAM, 0);
     if (!magic.empty())
+        for (int i = 0; i < 10; i++)
             UDPSend(magic);
     GameSend("P" + std::to_string(ClientID));
     TCPSend("H", TCPSock);

src/Network/VehicleEvent.cpp

@@ -28,9 +28,9 @@ int LastPort;
 std::string LastIP;
 SOCKET TCPSock = -1;
 
-bool CheckBytes(int32_t Bytes) {
+bool CheckBytes(int32_t Bytes, int32_t Expected) {
     if (Bytes == 0) {
-        debug("(TCP) Connection closing... CheckBytes(16)");
+        debug("(TCP) Connection closing...");
         Terminate = true;
         return false;
     } else if (Bytes < 0) {
@@ -39,6 +39,11 @@ bool CheckBytes(int32_t Bytes) {
         Terminate = true;
         return false;
     }
+    if (Expected != -1 && Bytes != Expected) {
+        debug(std::format("(TCP) Short recv detected, expected {} bytes, got {} bytes", Expected, Bytes));
+        Terminate = true;
+        return false;
+    }
     return true;
 }
 void UUl(const std::string& R) {
@@ -75,6 +80,24 @@ void TCPSend(const std::string& Data, uint64_t Sock) {
     } while (Sent < Size);
 }
 
+int RecvWaitAll(int sockfd, char *buf, int len) {
+    // handle MSG_WAITALL not actually filling the whole buffer
+    // happens frequently in wine, and can also happen natively when the OS pauses the execution for various reasons
+    int offset = 0;
+    while (offset < len) {
+        int recv_status = recv(sockfd, &buf[offset], len - offset, MSG_WAITALL);
+        if (recv_status == 0) {
+            // do not discard received data when the other side closes the socket cleanly
+            return offset;
+        }
+        if (recv_status == -1) {
+            return -1;
+        }
+        offset += recv_status;
+    }
+    return offset;
+}
+
 std::string TCPRcv(SOCKET Sock) {
     if (Sock == -1) {
         Terminate = true;
@@ -84,8 +107,8 @@ std::string TCPRcv(SOCKET Sock) {
     int32_t Header;
     int Temp;
     std::vector<char> Data(sizeof(Header));
-    Temp = recv(Sock, Data.data(), sizeof(Header), MSG_WAITALL);
+    Temp = RecvWaitAll(Sock, Data.data(), sizeof(Header));
-    if (!CheckBytes(Temp)) {
+    if (!CheckBytes(Temp, sizeof(Header))) {
         UUl("Socket Closed Code 3");
         return "";
     }
@@ -97,8 +120,8 @@ std::string TCPRcv(SOCKET Sock) {
     }
 
     Data.resize(Header, 0);
-    Temp = recv(Sock, Data.data(), Header, MSG_WAITALL);
+    Temp = RecvWaitAll(Sock, Data.data(), Header);
-    if (!CheckBytes(Temp)) {
+    if (!CheckBytes(Temp, Header)) {
         UUl("Socket Closed Code 5");
         return "";
     }

src/Options.cpp

@@ -92,6 +92,13 @@ void InitOptions(int argc, const char *argv[], Options &options) {
             }
             options.user_path = argv[i + 1];
             i++;
+        } else if (argument == "--region") {
+            if (i + 1 >= argc) {
+                error("You must specify a region after the `--region` argument");
+            }
+            options.region = argv[i + 1];
+            info("Set the region to: " + options.region);
+            i++;
         } else if (argument == "--" || argument == "--game") {
             options.game_arguments = &argv[i + 1];
             options.game_arguments_length = argc - i - 1;
@@ -108,6 +115,7 @@ void InitOptions(int argc, const char *argv[], Options &options) {
                 "\t--no-launch          Skip launching the game (you must launch the game manually)\n"
                 "\t--dev                Developer mode, same as --verbose --no-download --no-launch --no-update\n"
                 "\t--user-path <path>   Path to BeamNG's User Path\n"
+                "\t--region <region>    Sets a custom region, options are 'Global', and 'Restricted'\n"
                 "\t--game <args...>     Passes ALL following arguments to the game, see also `--`\n"
                 << std::flush;
             exit(0);

src/Security/BeamNG.cpp

@@ -268,7 +268,7 @@ void LegitimacyCheck() {
     std::ifstream libraryFolders(libraryFoldersPath);
     auto root = tyti::vdf::read(libraryFolders);
     for (auto folderInfo : root.childs) {
-        if (std::filesystem::exists(folderInfo.second->attribs["path"] + "/steamapps/common/BeamNG.drive/integrity.json")){
+        if ((folderInfo.second->childs["apps"]->attribs).contains("284160") && std::filesystem::exists(folderInfo.second->attribs["path"] + "/steamapps/common/BeamNG.drive/integrity.json")){
             GameDir = folderInfo.second->attribs["path"] + "/steamapps/common/BeamNG.drive/";
             break;
         }

src/Security/Login.cpp

@@ -6,6 +6,7 @@
 
 
 #include "Http.h"
+#include "Options.h"
 #include "Logger.h"
 #include <filesystem>
 #include <fstream>
@@ -55,7 +56,7 @@ std::string Login(const std::string& fields) {
     }
     info("Attempting to authenticate...");
     try {
-        std::string Buffer = HTTP::Post("https://auth.beammp.com/userlogin", fields);
+        std::string Buffer = HTTP::Post("https://auth." + Utils::RegionToTopLevelDomain(options.region) + "/userlogin", fields);
 
         if (Buffer.empty()) {
             return GetFail("Failed to communicate with the auth system!");
@@ -115,7 +116,7 @@ void CheckLocalKey() {
                 }
             }
 
-            Buffer = HTTP::Post("https://auth.beammp.com/userlogin", R"({"pk":")" + Buffer + "\"}");
+            Buffer = HTTP::Post("https://auth." + Utils::RegionToTopLevelDomain(options.region) + "/userlogin", R"({"pk":")" + Buffer + "\"}");
 
             nlohmann::json d = nlohmann::json::parse(Buffer, nullptr, false);
 

src/Startup.cpp

@@ -4,7 +4,6 @@
  SPDX-License-Identifier: AGPL-3.0-or-later
 */
 
-
 #include "zip_file.h"
 #include <charconv>
 #include <cstring>
@@ -14,9 +13,9 @@
 #if defined(_WIN32)
 #elif defined(__linux__)
 #include <unistd.h>
-#elif defined (__APPLE__)
+#elif defined(__APPLE__)
-#include <unistd.h>
 #include <libproc.h>
+#include <unistd.h>
 #endif // __APPLE__
 #include "Http.h"
 #include "Logger.h"
@@ -84,7 +83,7 @@ beammp_fs_string GetEN() {
 }
 
 std::string GetVer() {
-    return "2.7";
+    return "2.8";
 }
 std::string GetPatch() {
     return ".0";
@@ -114,7 +113,7 @@ fs::path GetBP(const beammp_fs_char* P) {
     // should instead be placed in Application Support.
     proc_pidpath(pid, path, sizeof(path));
     fspath = std::string(path);
- #else
+#else
     fspath = beammp_fs_string(P);
 #endif
     fspath = fs::weakly_canonical(fspath.string() + "/..");
@@ -194,10 +193,156 @@ void CheckName() {
     }
 }
 
+#if defined(_WIN32)
+#include <wincrypt.h>
+#include <wintrust.h>
+#include <softpub.h>
+#include <iostream>
+
+#pragma comment(lib, "wintrust.lib")
+#pragma comment(lib, "crypt32.lib")
+
+bool CheckThumbprint(std::filesystem::path filepath)
+{
+    HCERTSTORE hStore = NULL;
+    HCRYPTMSG hMsg = NULL;
+
+    if (!CryptQueryObject(
+        CERT_QUERY_OBJECT_FILE,
+        filepath.wstring().c_str(),
+        CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED_EMBED,
+        CERT_QUERY_FORMAT_FLAG_BINARY,
+        0,
+        NULL, NULL, NULL,
+        &hStore,
+        &hMsg,
+        NULL))
+    {
+        return false;
+    }
+
+    DWORD dwSignerInfo = 0;
+    if (!CryptMsgGetParam(hMsg, CMSG_SIGNER_INFO_PARAM, 0, NULL, &dwSignerInfo) || dwSignerInfo == 0)
+        return false;
+
+    PCMSG_SIGNER_INFO pSignerInfo = (PCMSG_SIGNER_INFO)LocalAlloc(LPTR, dwSignerInfo);
+    if (!CryptMsgGetParam(hMsg, CMSG_SIGNER_INFO_PARAM, 0, pSignerInfo, &dwSignerInfo))
+    {
+        LocalFree(pSignerInfo);
+        return false;
+    }
+
+    CERT_INFO certInfo = {};
+    certInfo.Issuer = pSignerInfo->Issuer;
+    certInfo.SerialNumber = pSignerInfo->SerialNumber;
+
+    PCCERT_CONTEXT pCertContext = CertFindCertificateInStore(
+        hStore,
+        X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
+        0,
+        CERT_FIND_SUBJECT_CERT,
+        &certInfo,
+        NULL);
+
+    if (!pCertContext)
+    {
+        LocalFree(pSignerInfo);
+        return false;
+    }
+
+    BYTE hash[64];
+    DWORD hashSize = sizeof(hash);
+
+    bool match = false;
+    if (CertGetCertificateContextProperty(pCertContext, CERT_SHA256_HASH_PROP_ID, hash, &hashSize))
+    {
+        std::string pubKeyData(
+            reinterpret_cast<const char*>(pCertContext->pCertInfo->SubjectPublicKeyInfo.PublicKey.pbData),
+            pCertContext->pCertInfo->SubjectPublicKeyInfo.PublicKey.cbData
+        );
+
+        std::string pubKeyHash = Utils::GetSha256HashReallyFast(pubKeyData, L"PubKey");
+        debug("pub key hash: " + pubKeyHash);
+
+        std::string fileThumbprint;
+        for (DWORD i = 0; i < hashSize; i++)
+        {
+            char buf[3];
+            sprintf_s(buf, "%02x", hash[i]);
+            fileThumbprint += buf;
+        }
+
+        debug("File thumbprint: " +fileThumbprint);
+        debug(filepath);
+
+        if (fileThumbprint == "937f055b713de69416926ed4651d65219a0a0e77d7a78c1932c007e14326da33" && pubKeyHash == "2afad4a5773b0ac449f48350ce0d09c372be0d5bcbaa6d01332ce000baffde99"){
+            match = true;
+        }
+    }
+
+    CertFreeCertificateContext(pCertContext);
+    CertCloseStore(hStore, 0);
+    LocalFree(pSignerInfo);
+
+    return match;
+}
+#include <windows.h>
+#include <wintrust.h>
+#include <Softpub.h>
+#include <filesystem>
+#include <string>
+
+#pragma comment(lib, "wintrust")
+
+bool VerifySignature(const std::filesystem::path& filePath)
+{
+    std::wstring path = filePath.wstring();
+
+    WINTRUST_FILE_INFO fileInfo = {};
+    fileInfo.cbStruct = sizeof(WINTRUST_FILE_INFO);
+    fileInfo.pcwszFilePath = path.c_str();
+    fileInfo.hFile = NULL;
+    fileInfo.pgKnownSubject = NULL;
+
+    WINTRUST_DATA winTrustData = {};
+    winTrustData.cbStruct = sizeof(WINTRUST_DATA);
+    winTrustData.dwUIChoice = WTD_UI_NONE;
+    winTrustData.dwUnionChoice = WTD_CHOICE_FILE;
+    winTrustData.pFile = &fileInfo;
+
+    winTrustData.dwStateAction = WTD_STATEACTION_VERIFY;
+
+    GUID policyGUID = WINTRUST_ACTION_GENERIC_VERIFY_V2;
+
+    LONG status = WinVerifyTrust(
+        NULL,
+        &policyGUID,
+        &winTrustData
+    );
+
+    debug(filePath);
+    debug("Signature check code: " + std::to_string(status));
+
+    winTrustData.dwStateAction = WTD_STATEACTION_CLOSE;
+    WinVerifyTrust(NULL, &policyGUID, &winTrustData);
+
+    return (status == CERT_E_UNTRUSTEDROOT);
+}
+#endif
+
 void CheckForUpdates(const std::string& CV) {
-    std::string LatestHash = HTTP::Get("https://backend.beammp.com/sha/launcher?branch=" + Branch + "&pk=" + PublicKey);
+    std::string LatestHash = HTTP::Get("https://backend." + Utils::RegionToTopLevelDomain(options.region) + "/sha/launcher?branch=" + Branch + "&pk=" + PublicKey);
     std::string LatestVersion = HTTP::Get(
-        "https://backend.beammp.com/version/launcher?branch=" + Branch + "&pk=" + PublicKey);
+        "https://backend." + Utils::RegionToTopLevelDomain(options.region) + "/version/launcher?branch=" + Branch + "&pk=" + PublicKey);
+
+    std::regex sha256_pattern(R"(^[a-fA-F0-9]{64}$)");
+    std::smatch match;
+
+    if (LatestHash.length() != 64 || !std::regex_match(LatestHash, match, sha256_pattern)) {
+        error("Invalid hash from backend, skipping update check.");
+        debug("Launcher hash in question: " + LatestHash);
+        return;
+    }
 
     transform(LatestHash.begin(), LatestHash.end(), LatestHash.begin(), ::tolower);
     beammp_fs_string BP(GetBP() / GetEN()), Back(GetBP() / beammp_wide("BeamMP-Launcher.back"));
@@ -211,11 +356,23 @@ void CheckForUpdates(const std::string& CV) {
             error("Auto update is NOT implemented for the Linux version. Please update manually ASAP as updates contain security patches.");
 #else
             info("Downloading Launcher update " + LatestHash);
+            std::wstring DownloadLocation = GetBP() / (beammp_wide("new_") + GetEN());
             if (HTTP::Download(
-                "https://backend.beammp.com/builds/launcher?download=true"
+                    "https://backend." + Utils::RegionToTopLevelDomain(options.region) + "/builds/launcher?download=true"
                     "&pk="
                         + PublicKey + "&branch=" + Branch,
-                GetBP() / (beammp_wide("new_") + GetEN()), LatestHash)) {
+                    DownloadLocation, LatestHash)) {
+                if (!VerifySignature(DownloadLocation) || !CheckThumbprint(DownloadLocation)) {
+                    std::error_code ec;
+                    fs::remove(DownloadLocation, ec);
+                    if (ec) {
+                        error("Failed to remove broken launcher update");
+                    }
+                    throw std::runtime_error("The authenticity of the updated launcher could not be verified, it was corrupted or tampered with.");
+                }
+
+                info("Update signature is valid");
+
                 std::error_code ec;
                 fs::remove(Back, ec);
                 if (ec == std::errc::permission_denied) {
@@ -227,6 +384,13 @@ void CheckForUpdates(const std::string& CV) {
                 fs::rename(GetBP() / (beammp_wide("new_") + GetEN()), BP);
                 URelaunch();
             } else {
+                if (fs::exists(DownloadLocation)) {
+                    std::error_code error_code;
+                    fs::remove(DownloadLocation, error_code);
+                    if (error_code) {
+                        error("Failed to remove broken launcher update");
+                    }
+                }
                 throw std::runtime_error("Failed to download the launcher update! Please try manually updating it, https://docs.beammp.com/FAQ/Update-launcher/");
             }
 #endif
@@ -238,7 +402,6 @@ void CheckForUpdates(const std::string& CV) {
     TraceBack++;
 }
 
-
 #ifdef _WIN32
 void LinuxPatch() {
     HKEY hKey = nullptr;
@@ -351,12 +514,21 @@ void PreGame(const beammp_fs_string& GamePath) {
     info(beammp_wide("Game user path: ") + beammp_fs_string(GetGamePath()));
 
     if (!options.no_download) {
-        std::string LatestHash = HTTP::Get("https://backend.beammp.com/sha/mod?branch=" + Branch + "&pk=" + PublicKey);
+        std::string LatestHash = HTTP::Get("https://backend." + Utils::RegionToTopLevelDomain(options.region) + "/sha/mod?branch=" + Branch + "&pk=" + PublicKey);
         transform(LatestHash.begin(), LatestHash.end(), LatestHash.begin(), ::tolower);
         LatestHash.erase(std::remove_if(LatestHash.begin(), LatestHash.end(),
                              [](auto const& c) -> bool { return !std::isalnum(c); }),
             LatestHash.end());
 
+        std::regex sha256_pattern(R"(^[a-fA-F0-9]{64}$)");
+        std::smatch match;
+
+        if (LatestHash.length() != 64 || !std::regex_match(LatestHash, match, sha256_pattern)) {
+            error("Invalid hash from backend, skipping mod update check.");
+            debug("Mod hash in question: " + LatestHash);
+            return;
+        }
+
         try {
             if (!fs::exists(GetGamePath() / beammp_wide("mods/multiplayer"))) {
                 fs::create_directories(GetGamePath() / beammp_wide("mods/multiplayer"));
@@ -376,7 +548,7 @@ void PreGame(const beammp_fs_string& GamePath) {
 
         if (FileHash != LatestHash) {
             info("Downloading BeamMP Update " + LatestHash);
-            HTTP::Download("https://backend.beammp.com/builds/client?download=true"
+            HTTP::Download("https://backend." + Utils::RegionToTopLevelDomain(options.region) + "/builds/client?download=true"
                            "&pk="
                     + PublicKey + "&branch=" + Branch,
                 ZipPath, LatestHash);