Rev 317 | Go to most recent revision | Show entire file | Regard whitespace | Details | Blame | Last modification | View Log | RSS feed
| Rev 317 | Rev 329 | ||
|---|---|---|---|
| Line 32... | Line 32... | ||
| 32 | This is done to check the integrity of the deobfuscation. |
32 | This is done to check the integrity of the deobfuscation. |
| 33 | 33 | ||
| 34 | Also, the xor-shifting is intentionally incompatible with version 4 |
34 | Also, the xor-shifting is intentionally incompatible with version 4 |
| 35 | (to avoid downgrade-attacks) by XORing the initial seed with 0xFFFFFFFF. |
35 | (to avoid downgrade-attacks) by XORing the initial seed with 0xFFFFFFFF. |
| 36 | 36 | ||
| - | 37 | The DWORD value `0x00000005` will be stored at field `unknown2` |
|
| - | 38 | (byte 0x30..0x33; the field is not used in the `PARM` resource). |
|
| - | 39 | ||
| - | 40 | While generating and applying the random data stream, the bytes |
|
| - | 41 | 0x30..0x33 (the location where the version info is stored) are skipped, |
|
| - | 42 | like in version 3. |
|
| - | 43 | ||
| 37 | ### Obfuscation "Version 4" |
44 | ### Obfuscation "Version 4" |
| 38 | 45 | ||
| 39 | Introduced in **Filter Foundry 1.7.0.7** |
46 | Introduced in **Filter Foundry 1.7.0.7** |
| 40 | 47 | ||
| 41 | It is not compiler-dependant, but different between every standalone filter. |
48 | It is not compiler-dependant, but different between every standalone filter. |
| Line 45... | Line 52... | ||
| 45 | to store the seed into the `deobfusc()` function. |
52 | to store the seed into the `deobfusc()` function. |
| 46 | The placeholder value is `OBFUSC_V4_DEFAULT_SEED 0x52830517` |
53 | The placeholder value is `OBFUSC_V4_DEFAULT_SEED 0x52830517` |
| 47 | This allows that 32-bit and 64-bit filters are "cross built". |
54 | This allows that 32-bit and 64-bit filters are "cross built". |
| 48 | 55 | ||
| 49 | (Theoretical) Macintosh version: |
56 | (Theoretical) Macintosh version: |
| 50 | Obfuscation and deobfuscation has the seed 0x52830517, since the |
57 | Obfuscation and deobfuscation has the seed `0x52830517`, since the |
| 51 | manipulation of the binary code is not implemented. |
58 | manipulation of the binary code is not implemented. |
| 52 | 59 | ||
| 53 | Algorithm: XOR-Shift like in version 2, but the seed is individual for |
60 | Algorithm: XOR-Shift like in version 2, but the seed is individual for |
| 54 | each individual built standalone filter. |
61 | each individual built standalone filter. |
| 55 | 62 | ||
| 56 | The DWORD value "0x00000004" will be stored at position 0x30 (this field is not used in the `PARM` resource). |
63 | The DWORD value `0x00000004` will be stored at field `unknown2` |
| - | 64 | (byte 0x30..0x33; the field is not used in the `PARM` resource). |
|
| - | 65 | ||
| - | 66 | While generating and applying the random data stream, the bytes |
|
| - | 67 | 0x30..0x33 (the location where the version info is stored) are skipped, |
|
| - | 68 | like in version 3. |
|
| 57 | 69 | ||
| 58 | ### Obfuscation "Version 3" |
70 | ### Obfuscation "Version 3" |
| 59 | 71 | ||
| 60 | Introduced in **Filter Foundry 1.7.0.5** |
72 | Introduced in **Filter Foundry 1.7.0.5** |
| 61 | 73 | ||
| 62 | It is compiler-dependant, therefore the resource cannot be exchanged between plugins! |
74 | A random seed is chosen and written to field `unknown2` (byte 0x30..0x33). |
| - | 75 | ||
| - | 76 | Then, the `PARM` resource will be obfuscated by applying an XOR operation to a random data stream: |
|
| - | 77 | ||
| - | 78 | unsigned char *p; |
|
| - | 79 | *p++ ^= (int)(rand() * 1.0 / (RAND_MAX + 1) * 256); |
|
| - | 80 | ||
| - | 81 | Bytes 0x30..0x33 (the location where the seed is stored) are skipped. |
|
| 63 | 82 | ||
| 64 | Algorithm: XOR with a modified `rand()`-stream with seed that is stored at position 0x30 |
83 | The `rand()` operation is compiler-dependant, and therefore the resource cannot be exchanged between plugins. |
| 65 | (this field is not used in the `PARM` resource). |
- | |
| 66 | 84 | ||
| 67 | 32 bit plugin is built with OpenWatcom (for Win95 compatibility) which has following formula: |
85 | 32 bit plugin is built with OpenWatcom (for Win95 compatibility) which has following formula: |
| 68 | 86 | ||
| 69 | int rand_openwatcom(unsigned int* seed) { |
87 | int rand_openwatcom(unsigned int* seed) { |
| 70 | *seed = *seed * 1103515245L + 12345L; |
88 | *seed = *seed * 1103515245L + 12345L; |
| Line 80... | Line 98... | ||
| 80 | 98 | ||
| 81 | ### Obfuscation "Version 2" |
99 | ### Obfuscation "Version 2" |
| 82 | 100 | ||
| 83 | Introduced in **Filter Foundry 1.7b1** |
101 | Introduced in **Filter Foundry 1.7b1** |
| 84 | 102 | ||
| 85 | It is compiler-independant! |
103 | It is compiler-independent! |
| 86 | 104 | ||
| 87 | Algorithm: [XOR-Shift](https://de.wikipedia.org/wiki/Xorshift "XOR-Shift") with hardcoded seed `0x95d4a68f`. |
105 | Algorithm: [XOR-Shift](https://de.wikipedia.org/wiki/Xorshift "XOR-Shift") with hardcoded seed `0x95d4a68f`. |
| 88 | 106 | ||
| 89 | x32 = 0x95d4a68f; |
107 | x32 = 0x95d4a68f; |
| 90 | for(i = size, p = pparm; i--;) { |
108 | for(i = size, p = pparm; i--;) { |
| Line 96... | Line 114... | ||
| 96 | 114 | ||
| 97 | ### Obfuscation "Version 1" |
115 | ### Obfuscation "Version 1" |
| 98 | 116 | ||
| 99 | Introduced in **Filter Foundry 1.4b8,9,10** |
117 | Introduced in **Filter Foundry 1.4b8,9,10** |
| 100 | 118 | ||
| 101 | It is compiler-dependant, therefore the resource cannot be exchanged between plugins! |
119 | It is compiler-dependant, and therefore the resource cannot be exchanged between plugins! |
| 102 | 120 | ||
| 103 | Algorithm: XOR with `rand()`-stream with hardcoded seed `0xdc43df3c`. |
121 | Algorithm: XOR with `rand()`-stream with hardcoded seed `0xdc43df3c`. |
| 104 | 122 | ||
| 105 | srand(0xdc43df3c); |
123 | srand(0xdc43df3c); |
| 106 | for(i = size, p = pparm; i--;) { |
124 | for(i = size, p = pparm; i--;) { |