| 34,6 → 34,13 |
|---|
| Also, the xor-shifting is intentionally incompatible with version 4 |
| (to avoid downgrade-attacks) by XORing the initial seed with 0xFFFFFFFF. |
| |
| The DWORD value `0x00000005` will be stored at field `unknown2` |
| (byte 0x30..0x33; the field is not used in the `PARM` resource). |
| |
| While generating and applying the random data stream, the bytes |
| 0x30..0x33 (the location where the version info is stored) are skipped, |
| like in version 3. |
| |
| ### Obfuscation "Version 4" |
| |
| Introduced in **Filter Foundry 1.7.0.7** |
| 47,23 → 54,34 |
|---|
| This allows that 32-bit and 64-bit filters are "cross built". |
| |
| (Theoretical) Macintosh version: |
| Obfuscation and deobfuscation has the seed 0x52830517, since the |
| Obfuscation and deobfuscation has the seed `0x52830517`, since the |
| manipulation of the binary code is not implemented. |
| |
| Algorithm: XOR-Shift like in version 2, but the seed is individual for |
| each individual built standalone filter. |
| |
| The DWORD value "0x00000004" will be stored at position 0x30 (this field is not used in the `PARM` resource). |
| The DWORD value `0x00000004` will be stored at field `unknown2` |
| (byte 0x30..0x33; the field is not used in the `PARM` resource). |
| |
| While generating and applying the random data stream, the bytes |
| 0x30..0x33 (the location where the version info is stored) are skipped, |
| like in version 3. |
| |
| ### Obfuscation "Version 3" |
| |
| Introduced in **Filter Foundry 1.7.0.5** |
| |
| It is compiler-dependant, therefore the resource cannot be exchanged between plugins! |
| A random seed is chosen and written to field `unknown2` (byte 0x30..0x33). |
| |
| Algorithm: XOR with a modified `rand()`-stream with seed that is stored at position 0x30 |
| (this field is not used in the `PARM` resource). |
| Then, the `PARM` resource will be obfuscated by applying an XOR operation to a random data stream: |
| |
| unsigned char *p; |
| *p++ ^= (int)(rand() * 1.0 / (RAND_MAX + 1) * 256); |
| |
| Bytes 0x30..0x33 (the location where the seed is stored) are skipped. |
| |
| The `rand()` operation is compiler-dependant, and therefore the resource cannot be exchanged between plugins. |
| |
| 32 bit plugin is built with OpenWatcom (for Win95 compatibility) which has following formula: |
| |
| int rand_openwatcom(unsigned int* seed) { |
| 82,7 → 100,7 |
|---|
| |
| Introduced in **Filter Foundry 1.7b1** |
| |
| It is compiler-independant! |
| It is compiler-independent! |
| |
| Algorithm: [XOR-Shift](https://de.wikipedia.org/wiki/Xorshift "XOR-Shift") with hardcoded seed `0x95d4a68f`. |
| |
| 98,7 → 116,7 |
|---|
| |
| Introduced in **Filter Foundry 1.4b8,9,10** |
| |
| It is compiler-dependant, therefore the resource cannot be exchanged between plugins! |
| It is compiler-dependant, and therefore the resource cannot be exchanged between plugins! |
| |
| Algorithm: XOR with `rand()`-stream with hardcoded seed `0xdc43df3c`. |
| |