Rev 267 | Go to most recent revision | Details | Compare with Previous | Last modification | View Log | RSS feed
Rev | Author | Line No. | Line |
---|---|---|---|
267 | daniel-mar | 1 | # Obfuscated filters |
2 | |||
3 | ## Location |
||
4 | |||
5 | Obfuscated standalone filters: |
||
6 | - Windows resource: RCDATA\16001\0 |
||
7 | - MacOS resource: 'DATA' 16001 |
||
8 | |||
9 | Normal standalone filters: |
||
10 | - Windows resource: PARM\16000\0 |
||
11 | - MacOS resource: 'PARM' 16000 |
||
12 | |||
270 | daniel-mar | 13 | The obfuscation methods are stored in **make.c** |
14 | |||
267 | daniel-mar | 15 | ## Obfuscation "Version 3" |
16 | |||
17 | Introduced in **Filter Foundry 1.7.0.5** [30-Jul-2021] |
||
18 | |||
19 | It is compiler-dependant, therefore the resource cannot be exchanged between plugins! |
||
20 | |||
270 | daniel-mar | 21 | Algorithm: XOR with a modified `rand()`-stream with seed that is stored at position 0x30 |
267 | daniel-mar | 22 | (this field is not used in the `PARM` resource). |
23 | |||
270 | daniel-mar | 24 | The rand() function is a bit altered: |
25 | |||
26 | int randInRange(int min, int max) { |
||
27 | double scale = 1.0 / (RAND_MAX + 1); |
||
28 | double range = (double)max - (double)min + 1; |
||
29 | return min + (int)(rand() * scale * range); |
||
30 | } |
||
31 | |||
32 | 32 bit plugin is built with OpenWatcom (for Win95 compatibility) which has following formula: |
||
33 | |||
34 | int rand_openwatcom(unsigned int* seed) { |
||
35 | *seed = *seed * 1103515245L + 12345L; |
||
36 | return (*seed >> 16) & 0x7fff; /* Scale between 0 and RAND_MAX */ |
||
37 | } |
||
38 | |||
39 | 64 bit plugin is built with Visual VC++ which has following formula: |
||
40 | |||
41 | int rand_msvcc(unsigned int* seed) { |
||
42 | *seed = *seed * 214013L + 2531011L; |
||
43 | return (*seed >> 16) & 0x7fff; /* Scale between 0 and RAND_MAX */ |
||
44 | } |
||
45 | |||
267 | daniel-mar | 46 | ## Obfuscation "Version 2" |
47 | |||
48 | Introduced in **Filter Foundry 1.7b1** [20-Sep-2019] |
||
49 | |||
50 | It is compiler-independant! |
||
51 | |||
52 | Algorithm: [XOR-Shift](https://de.wikipedia.org/wiki/Xorshift "XOR-Shift") with hardcoded seed `0x95d4a68f`. |
||
53 | |||
54 | x32 = 0x95d4a68f; |
||
55 | for(i = size, p = pparm; i--;) { |
||
270 | daniel-mar | 56 | x32 ^= x32 << 13; |
57 | x32 ^= x32 >> 17; |
||
58 | x32 ^= x32 << 5; |
||
59 | *p++ ^= x32; |
||
267 | daniel-mar | 60 | } |
61 | |||
62 | ## Obfuscation "Version 1" |
||
63 | |||
64 | Introduced in **Filter Foundry 1.4b8,9,10** |
||
65 | |||
66 | It is compiler-dependant, therefore the resource cannot be exchanged between plugins! |
||
67 | |||
68 | Algorithm: XOR with `rand()`-stream with hardcoded seed `0xdc43df3c`. |
||
69 | |||
70 | srand(0xdc43df3c); |
||
71 | for(i = size, p = pparm; i--;) { |
||
72 | *p++ ^= rand(); |
||
73 | } |