Rev 345 | Go to most recent revision | Show entire file | Regard whitespace | Details | Blame | Last modification | View Log | RSS feed
| Rev 345 | Rev 347 | ||
|---|---|---|---|
| Line 12... | Line 12... | ||
| 12 | 12 | ||
| 13 | ## Implementation |
13 | ## Implementation |
| 14 | 14 | ||
| 15 | Defined in **ff.h**, implemented in **obfusc.c**: |
15 | Defined in **ff.h**, implemented in **obfusc.c**: |
| 16 | 16 | ||
| 17 | // Implements Obfusc V5 on Windows and Obfusc V4 on MacOS. |
17 | // Implements Obfusc V6. |
| 18 | // Returns a seed that needs to be stored in the executable code. |
18 | // Returns a seed that needs to be stored in the executable code. |
| 19 | uint32_t obfusc(PARM_T* pparm); |
19 | uint64_t obfusc(PARM_T* pparm); |
| 20 | 20 | ||
| 21 | // In V1+V2: Seed is hardcoded |
21 | // In V1+V2: Seed is hardcoded |
| 22 | // In V3: Seed is in PARM (field "unknown2") |
22 | // In V3: Seed is in PARM (field "unknown2") |
| 23 | // In V4+V5: Seed is in the program code and will me modified with a binary search+replace |
23 | // In V4-V6: Seed is in the program code and will me modified with a binary search+replace |
| 24 | void deobfusc(PARM_T* pparm); |
24 | void deobfusc(PARM_T* pparm); |
| 25 | 25 | ||
| - | 26 | ### Obfuscation "Version 6" |
|
| - | 27 | ||
| - | 28 | Introduced in **Filter Foundry 1.7.0.10** |
|
| - | 29 | ||
| - | 30 | The CRC32b checksum of the PARM (with `unknown1,2,3` set to 0) |
|
| - | 31 | will be written to `unknown1`. |
|
| - | 32 | ||
| - | 33 | Then, the PARM will be XORed with a random data stream of seed #1, |
|
| - | 34 | and then XORed with a random data stream of seed #2. |
|
| - | 35 | The algorithm is the XORshift which was introcuced in obfuscation version 2. |
|
| - | 36 | Unlike obfuscation version 3-5, while generating and applying the random data |
|
| - | 37 | stream, no bytes are skipped. |
|
| - | 38 | ||
| - | 39 | Seed #1 and seed #2 are merged in a 64-bit "initial seed" which is stored |
|
| - | 40 | in the executable. |
|
| - | 41 | ||
| - | 42 | (Theoretical) Macintosh version: |
|
| - | 43 | Obfuscation and deobfuscation has the seed `0x38AD972A52830517`, since the |
|
| - | 44 | manipulation of the binary code is currently not implemented. |
|
| - | 45 | ||
| - | 46 | The DWORD value `0x00000006` will be stored at field `unknown2` |
|
| - | 47 | (byte 0x30..0x33; the field is not used in the `PARM` resource). |
|
| - | 48 | ||
| - | 49 | During de-obfuscation, the program will check if the checksum in `unknown1` |
|
| - | 50 | matches. If it does not match, the data will be discarded. |
|
| - | 51 | ||
| 26 | ### Obfuscation "Version 5" |
52 | ### Obfuscation "Version 5" |
| 27 | 53 | ||
| 28 | Introduced in **Filter Foundry 1.7.0.8** |
54 | Introduced in **Filter Foundry 1.7.0.8** |
| 29 | 55 | ||
| 30 | Obfuscation version 5 is the same as version 4, but there is a constraint |
56 | Obfuscation version 5 is the same as version 4, but there is a constraint |