Rev 317 | Rev 329 | ||
---|---|---|---|
Line 32... | Line 32... | ||
32 | This is done to check the integrity of the deobfuscation. |
32 | This is done to check the integrity of the deobfuscation. |
33 | 33 | ||
34 | Also, the xor-shifting is intentionally incompatible with version 4 |
34 | Also, the xor-shifting is intentionally incompatible with version 4 |
35 | (to avoid downgrade-attacks) by XORing the initial seed with 0xFFFFFFFF. |
35 | (to avoid downgrade-attacks) by XORing the initial seed with 0xFFFFFFFF. |
36 | 36 | ||
- | 37 | The DWORD value `0x00000005` will be stored at field `unknown2` |
|
- | 38 | (byte 0x30..0x33; the field is not used in the `PARM` resource). |
|
- | 39 | ||
- | 40 | While generating and applying the random data stream, the bytes |
|
- | 41 | 0x30..0x33 (the location where the version info is stored) are skipped, |
|
- | 42 | like in version 3. |
|
- | 43 | ||
37 | ### Obfuscation "Version 4" |
44 | ### Obfuscation "Version 4" |
38 | 45 | ||
39 | Introduced in **Filter Foundry 1.7.0.7** |
46 | Introduced in **Filter Foundry 1.7.0.7** |
40 | 47 | ||
41 | It is not compiler-dependant, but different between every standalone filter. |
48 | It is not compiler-dependant, but different between every standalone filter. |
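Review bot: New lines 37-38 give the DWORD `0x00000005` and its location (byte 0x30..0x33 of `unknown2`) but not its byte order, so a reader implementing the version check from this text cannot tell which of the four bytes holds the `0x05`. Stating the byte order next to the offset would settle it. The same wording appears again for `0x00000004` at new lines 63-64, so the clarification is needed in both places.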
Line 45... | Line 52... | ||
45 | to store the seed into the `deobfusc()` function. |
52 | to store the seed into the `deobfusc()` function. |
46 | The placeholder value is `OBFUSC_V4_DEFAULT_SEED 0x52830517` |
53 | The placeholder value is `OBFUSC_V4_DEFAULT_SEED 0x52830517` |
47 | This allows that 32-bit and 64-bit filters are "cross built". |
54 | This allows that 32-bit and 64-bit filters are "cross built". |
48 | 55 | ||
49 | (Theoretical) Macintosh version: |
56 | (Theoretical) Macintosh version: |
50 | Obfuscation and deobfuscation has the seed 0x52830517, since the |
57 | Obfuscation and deobfuscation has the seed `0x52830517`, since the |
51 | manipulation of the binary code is not implemented. |
58 | manipulation of the binary code is not implemented. |
52 | 59 | ||
53 | Algorithm: XOR-Shift like in version 2, but the seed is individual for |
60 | Algorithm: XOR-Shift like in version 2, but the seed is individual for |
54 | each individual built standalone filter. |
61 | each individual built standalone filter. |
55 | 62 | ||
56 | The DWORD value "0x00000004" will be stored at position 0x30 (this field is not used in the `PARM` resource). |
63 | The DWORD value `0x00000004` will be stored at field `unknown2` |
- | 64 | (byte 0x30..0x33; the field is not used in the `PARM` resource). |
|
- | 65 | ||
- | 66 | While generating and applying the random data stream, the bytes |
|
- | 67 | 0x30..0x33 (the location where the version info is stored) are skipped, |
|
- | 68 | like in version 3. |
|
57 | 69 | ||
58 | ### Obfuscation "Version 3" |
70 | ### Obfuscation "Version 3" |
59 | 71 | ||
60 | Introduced in **Filter Foundry 1.7.0.5** |
72 | Introduced in **Filter Foundry 1.7.0.5** |
61 | 73 | ||
62 | It is compiler-dependant, therefore the resource cannot be exchanged between plugins! |
74 | A random seed is chosen and written to field `unknown2` (byte 0x30..0x33). |
- | 75 | ||
- | 76 | Then, the `PARM` resource will be obfuscated by applying an XOR operation to a random data stream: |
|
- | 77 | ||
- | 78 | unsigned char *p; |
|
- | 79 | *p++ ^= (int)(rand() * 1.0 / (RAND_MAX + 1) * 256); |
|
- | 80 | ||
- | 81 | Bytes 0x30..0x33 (the location where the seed is stored) are skipped. |
|
63 | 82 | ||
64 | Algorithm: XOR with a modified `rand()`-stream with seed that is stored at position 0x30 |
83 | The `rand()` operation is compiler-dependant, and therefore the resource cannot be exchanged between plugins. |
65 | (this field is not used in the `PARM` resource). |
- | |
66 | 84 | ||
67 | 32 bit plugin is built with OpenWatcom (for Win95 compatibility) which has following formula: |
85 | 32 bit plugin is built with OpenWatcom (for Win95 compatibility) which has following formula: |
68 | 86 | ||
69 | int rand_openwatcom(unsigned int* seed) { |
87 | int rand_openwatcom(unsigned int* seed) { |
70 | *seed = *seed * 1103515245L + 12345L; |
88 | *seed = *seed * 1103515245L + 12345L; |
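Review bot: After this change, `unknown2` is documented as holding a random seed in version 3 (new line 74) and the fixed marker `0x00000004` in version 4 (new line 63), but nothing says how a reader of the resource tells a version 3 seed that happens to equal 4 or 5 apart from a version marker. Please state whether those seed values are excluded when the seed is chosen, or how the version is detected otherwise. Separately, the snippet at new lines 78-79 shows `p` uninitialized with no `srand()` call or loop, unlike the Version 1 and Version 2 listings, and `(RAND_MAX + 1)` is evaluated as `int`, which overflows on any compiler where `RAND_MAX` equals `INT_MAX`. Since this section is about `rand()` being compiler-dependent, it is worth saying which `RAND_MAX` the formula assumes.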
Line 80... | Line 98... | ||
80 | 98 | ||
81 | ### Obfuscation "Version 2" |
99 | ### Obfuscation "Version 2" |
82 | 100 | ||
83 | Introduced in **Filter Foundry 1.7b1** |
101 | Introduced in **Filter Foundry 1.7b1** |
84 | 102 | ||
85 | It is compiler-independant! |
103 | It is compiler-independent! |
86 | 104 | ||
87 | Algorithm: [XOR-Shift](https://de.wikipedia.org/wiki/Xorshift "XOR-Shift") with hardcoded seed `0x95d4a68f`. |
105 | Algorithm: [XOR-Shift](https://de.wikipedia.org/wiki/Xorshift "XOR-Shift") with hardcoded seed `0x95d4a68f`. |
88 | 106 | ||
89 | x32 = 0x95d4a68f; |
107 | x32 = 0x95d4a68f; |
90 | for(i = size, p = pparm; i--;) { |
108 | for(i = size, p = pparm; i--;) { |
Line 96... | Line 114... | ||
96 | 114 | ||
97 | ### Obfuscation "Version 1" |
115 | ### Obfuscation "Version 1" |
98 | 116 | ||
99 | Introduced in **Filter Foundry 1.4b8,9,10** |
117 | Introduced in **Filter Foundry 1.4b8,9,10** |
100 | 118 | ||
101 | It is compiler-dependant, therefore the resource cannot be exchanged between plugins! |
119 | It is compiler-dependant, and therefore the resource cannot be exchanged between plugins! |
102 | 120 | ||
103 | Algorithm: XOR with `rand()`-stream with hardcoded seed `0xdc43df3c`. |
121 | Algorithm: XOR with `rand()`-stream with hardcoded seed `0xdc43df3c`. |
104 | 122 | ||
105 | srand(0xdc43df3c); |
123 | srand(0xdc43df3c); |
106 | for(i = size, p = pparm; i--;) { |
124 | for(i = size, p = pparm; i--;) { |
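Review bot: New line 119 is reworded but keeps the spelling "compiler-dependant", while this same revision corrects "compiler-independant" to "compiler-independent" at new line 103. For consistency, use "compiler-dependent" here and at new lines 48 and 83.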