Rev 267 | Go to most recent revision | Details | Compare with Previous | Last modification | View Log | RSS feed
| Rev | Author | Line No. | Line |
|---|---|---|---|
| 267 | daniel-mar | 1 | # Obfuscated filters |
| 2 | |||
| 3 | ## Location |
||
| 4 | |||
| 5 | Obfuscated standalone filters: |
||
| 6 | - Windows resource: RCDATA\16001\0 |
||
| 7 | - MacOS resource: 'DATA' 16001 |
||
| 8 | |||
| 9 | Normal standalone filters: |
||
| 10 | - Windows resource: PARM\16000\0 |
||
| 11 | - MacOS resource: 'PARM' 16000 |
||
| 12 | |||
| 270 | daniel-mar | 13 | The obfuscation methods are stored in **make.c** |
| 14 | |||
| 267 | daniel-mar | 15 | ## Obfuscation "Version 3" |
| 16 | |||
| 17 | Introduced in **Filter Foundry 1.7.0.5** [30-Jul-2021] |
||
| 18 | |||
| 19 | It is compiler-dependant, therefore the resource cannot be exchanged between plugins! |
||
| 20 | |||
| 270 | daniel-mar | 21 | Algorithm: XOR with a modified `rand()`-stream with seed that is stored at position 0x30 |
| 267 | daniel-mar | 22 | (this field is not used in the `PARM` resource). |
| 23 | |||
| 270 | daniel-mar | 24 | The rand() function is a bit altered: |
| 25 | |||
| 26 | int randInRange(int min, int max) { |
||
| 27 | double scale = 1.0 / (RAND_MAX + 1); |
||
| 28 | double range = (double)max - (double)min + 1; |
||
| 29 | return min + (int)(rand() * scale * range); |
||
| 30 | } |
||
| 31 | |||
| 32 | 32 bit plugin is built with OpenWatcom (for Win95 compatibility) which has following formula: |
||
| 33 | |||
| 34 | int rand_openwatcom(unsigned int* seed) { |
||
| 35 | *seed = *seed * 1103515245L + 12345L; |
||
| 36 | return (*seed >> 16) & 0x7fff; /* Scale between 0 and RAND_MAX */ |
||
| 37 | } |
||
| 38 | |||
| 39 | 64 bit plugin is built with Visual VC++ which has following formula: |
||
| 40 | |||
| 41 | int rand_msvcc(unsigned int* seed) { |
||
| 42 | *seed = *seed * 214013L + 2531011L; |
||
| 43 | return (*seed >> 16) & 0x7fff; /* Scale between 0 and RAND_MAX */ |
||
| 44 | } |
||
| 45 | |||
| 267 | daniel-mar | 46 | ## Obfuscation "Version 2" |
| 47 | |||
| 48 | Introduced in **Filter Foundry 1.7b1** [20-Sep-2019] |
||
| 49 | |||
| 50 | It is compiler-independant! |
||
| 51 | |||
| 52 | Algorithm: [XOR-Shift](https://de.wikipedia.org/wiki/Xorshift "XOR-Shift") with hardcoded seed `0x95d4a68f`. |
||
| 53 | |||
| 54 | x32 = 0x95d4a68f; |
||
| 55 | for(i = size, p = pparm; i--;) { |
||
| 270 | daniel-mar | 56 | x32 ^= x32 << 13; |
| 57 | x32 ^= x32 >> 17; |
||
| 58 | x32 ^= x32 << 5; |
||
| 59 | *p++ ^= x32; |
||
| 267 | daniel-mar | 60 | } |
| 61 | |||
| 62 | ## Obfuscation "Version 1" |
||
| 63 | |||
| 64 | Introduced in **Filter Foundry 1.4b8,9,10** |
||
| 65 | |||
| 66 | It is compiler-dependant, therefore the resource cannot be exchanged between plugins! |
||
| 67 | |||
| 68 | Algorithm: XOR with `rand()`-stream with hardcoded seed `0xdc43df3c`. |
||
| 69 | |||
| 70 | srand(0xdc43df3c); |
||
| 71 | for(i = size, p = pparm; i--;) { |
||
| 72 | *p++ ^= rand(); |
||
| 73 | } |