Subversion Repositories filter_foundry

Rev

Rev 272 | Go to most recent revision | Details | Compare with Previous | Last modification | View Log | RSS feed

Rev Author Line No. Line
267 daniel-mar 1 
# Obfuscated filters
2 
 
272 daniel-mar 3 
## Resource location
267 daniel-mar 4 
 
5 
Obfuscated standalone filters:
6 
- Windows resource: RCDATA\16001\0
7 
- MacOS resource: 'DATA' 16001
8 
 
9 
Normal standalone filters:
10 
- Windows resource: PARM\16000\0
11 
- MacOS resource: 'PARM' 16000
12 
 
271 daniel-mar 13 
## Implementation
270 daniel-mar 14 
 
271 daniel-mar 15 
Defined in **ff.h**, implemented in **make.c**:
267 daniel-mar 16 
 
276 daniel-mar 17 
    void obfusc(PARM_T* pparm, unsigned int seed);
271 daniel-mar 18 
    void deobfusc(PARM_T* pparm);
19 
 
276 daniel-mar 20 
### Obfuscation "Version 4"
21 
 
22 
Introduced in **Filter Foundry 1.7.0.7** [08-Aug-2021]
23 
 
24 
It is not compiler-dependant, but different between every standalone filter.
25 
 
26 
The binary code of the 8BF file will be manipulated during building
27 
in order to store the seed into the `deobfusc()` function.
28 
This allows that 32 bit and 64 bit filters are "cross built".
29 
 
30 
Algorithm: XOR shift like in version 2, but the seed is individual for
31 
each individual built standalone filter.
32 
 
33 
The value "4" will be stored at position 0x30 (this field is not used in the `PARM` resource).
34 
 
271 daniel-mar 35 
### Obfuscation "Version 3"
36 
 
267 daniel-mar 37 
Introduced in **Filter Foundry 1.7.0.5** [30-Jul-2021]
38 
 
39 
It is compiler-dependant, therefore the resource cannot be exchanged between plugins!
40 
 
270 daniel-mar 41 
Algorithm: XOR with a modified `rand()`-stream with seed that is stored at position 0x30
267 daniel-mar 42 
(this field is not used in the `PARM` resource).
43 
 
270 daniel-mar 44 
32 bit plugin is built with OpenWatcom (for Win95 compatibility) which has following formula:
45 
 
46 
    int rand_openwatcom(unsigned int* seed) {
47 
            *seed = *seed * 1103515245L + 12345L;
48 
            return (*seed >> 16) & 0x7fff; /* Scale between 0 and RAND_MAX */
49 
    }
50 
 
271 daniel-mar 51 
64 bit plugin is built with Visual C++ which has following formula:
270 daniel-mar 52 
 
53 
    int rand_msvcc(unsigned int* seed) {
272 daniel-mar 54 
            *seed = *seed * 214013L + 2531011L;
55 
            return (*seed >> 16) & 0x7fff; /* Scale between 0 and RAND_MAX */
270 daniel-mar 56 
    }
57 
 
271 daniel-mar 58 
### Obfuscation "Version 2"
267 daniel-mar 59 
 
60 
Introduced in **Filter Foundry 1.7b1** [20-Sep-2019]
61 
 
62 
It is compiler-independant!
63 
 
64 
Algorithm: [XOR-Shift](https://de.wikipedia.org/wiki/Xorshift "XOR-Shift") with hardcoded seed `0x95d4a68f`.
65 
 
66 
    x32 = 0x95d4a68f;
67 
    for(i = size, p = pparm; i--;) {
272 daniel-mar 68 
            x32 ^= x32 << 13;
69 
            x32 ^= x32 >> 17;
70 
            x32 ^= x32 << 5;
71 
            *p++ ^= x32;
267 daniel-mar 72 
    }
73 
 
271 daniel-mar 74 
### Obfuscation "Version 1"
267 daniel-mar 75 
 
76 
Introduced in **Filter Foundry 1.4b8,9,10**
77 
 
78 
It is compiler-dependant, therefore the resource cannot be exchanged between plugins!
79 
 
80 
Algorithm: XOR with `rand()`-stream with hardcoded seed `0xdc43df3c`.
81 
 
82 
    srand(0xdc43df3c);
83 
    for(i = size, p = pparm; i--;) {
272 daniel-mar 84 
            *p++ ^= rand();
271 daniel-mar 85 
    }
86 
 
87 
The plugin is built with Visual C++ which has following formula:
88 
 
89 
    int rand_msvcc(unsigned int* seed) {
272 daniel-mar 90 
            *seed = *seed * 214013L + 2531011L;
91 
            return (*seed >> 16) & 0x7fff; /* Scale between 0 and RAND_MAX */
271 daniel-mar 92 
    }
93