Subversion Repositories filter_foundry

Rev

Rev 276 | Go to most recent revision | Details | Compare with Previous | Last modification | View Log | RSS feed

Rev Author Line No. Line
267 daniel-mar 1 
# Obfuscated filters
2 
 
272 daniel-mar 3 
## Resource location
267 daniel-mar 4 
 
5 
Obfuscated standalone filters:
6 
- Windows resource: RCDATA\16001\0
7 
- MacOS resource: 'DATA' 16001
8 
 
9 
Normal standalone filters:
10 
- Windows resource: PARM\16000\0
11 
- MacOS resource: 'PARM' 16000
12 
 
271 daniel-mar 13 
## Implementation
270 daniel-mar 14 
 
271 daniel-mar 15 
Defined in **ff.h**, implemented in **make.c**:
267 daniel-mar 16 
 
276 daniel-mar 17 
    void obfusc(PARM_T* pparm, unsigned int seed);
271 daniel-mar 18 
    void deobfusc(PARM_T* pparm);
19 
 
276 daniel-mar 20 
### Obfuscation "Version 4"
21 
 
22 
Introduced in **Filter Foundry 1.7.0.7** [08-Aug-2021]
23 
 
24 
It is not compiler-dependant, but different between every standalone filter.
25 
 
277 daniel-mar 26 
Windows version:
276 daniel-mar 27 
The binary code of the 8BF file will be manipulated during building
28 
in order to store the seed into the `deobfusc()` function.
277 daniel-mar 29 
The placeholder value is OBFUSC_V4_DEFAULT_SEED 0x52830517
276 daniel-mar 30 
This allows that 32 bit and 64 bit filters are "cross built".
31 
 
277 daniel-mar 32 
(Theoretical) Macintosh version:
33 
Obfuscation and deobfuscation has the seed 0x52830517, since the
34 
manipulation of the binary code is not implemented.
35 
 
276 daniel-mar 36 
Algorithm: XOR shift like in version 2, but the seed is individual for
37 
each individual built standalone filter.
38 
 
39 
The value "4" will be stored at position 0x30 (this field is not used in the `PARM` resource).
40 
 
271 daniel-mar 41 
### Obfuscation "Version 3"
42 
 
267 daniel-mar 43 
Introduced in **Filter Foundry 1.7.0.5** [30-Jul-2021]
44 
 
45 
It is compiler-dependant, therefore the resource cannot be exchanged between plugins!
46 
 
270 daniel-mar 47 
Algorithm: XOR with a modified `rand()`-stream with seed that is stored at position 0x30
267 daniel-mar 48 
(this field is not used in the `PARM` resource).
49 
 
270 daniel-mar 50 
32 bit plugin is built with OpenWatcom (for Win95 compatibility) which has following formula:
51 
 
52 
    int rand_openwatcom(unsigned int* seed) {
53 
            *seed = *seed * 1103515245L + 12345L;
54 
            return (*seed >> 16) & 0x7fff; /* Scale between 0 and RAND_MAX */
55 
    }
56 
 
271 daniel-mar 57 
64 bit plugin is built with Visual C++ which has following formula:
270 daniel-mar 58 
 
59 
    int rand_msvcc(unsigned int* seed) {
272 daniel-mar 60 
            *seed = *seed * 214013L + 2531011L;
61 
            return (*seed >> 16) & 0x7fff; /* Scale between 0 and RAND_MAX */
270 daniel-mar 62 
    }
63 
 
271 daniel-mar 64 
### Obfuscation "Version 2"
267 daniel-mar 65 
 
66 
Introduced in **Filter Foundry 1.7b1** [20-Sep-2019]
67 
 
68 
It is compiler-independant!
69 
 
70 
Algorithm: [XOR-Shift](https://de.wikipedia.org/wiki/Xorshift "XOR-Shift") with hardcoded seed `0x95d4a68f`.
71 
 
72 
    x32 = 0x95d4a68f;
73 
    for(i = size, p = pparm; i--;) {
272 daniel-mar 74 
            x32 ^= x32 << 13;
75 
            x32 ^= x32 >> 17;
76 
            x32 ^= x32 << 5;
77 
            *p++ ^= x32;
267 daniel-mar 78 
    }
79 
 
271 daniel-mar 80 
### Obfuscation "Version 1"
267 daniel-mar 81 
 
82 
Introduced in **Filter Foundry 1.4b8,9,10**
83 
 
84 
It is compiler-dependant, therefore the resource cannot be exchanged between plugins!
85 
 
86 
Algorithm: XOR with `rand()`-stream with hardcoded seed `0xdc43df3c`.
87 
 
88 
    srand(0xdc43df3c);
89 
    for(i = size, p = pparm; i--;) {
272 daniel-mar 90 
            *p++ ^= rand();
271 daniel-mar 91 
    }
92 
 
93 
The plugin is built with Visual C++ which has following formula:
94 
 
95 
    int rand_msvcc(unsigned int* seed) {
272 daniel-mar 96 
            *seed = *seed * 214013L + 2531011L;
97 
            return (*seed >> 16) & 0x7fff; /* Scale between 0 and RAND_MAX */
271 daniel-mar 98 
    }
99