Rev 345 | Rev 347 | ||
---|---|---|---|
Line 12... | Line 12... | ||
12 | 12 | ||
13 | ## Implementation |
13 | ## Implementation |
14 | 14 | ||
15 | Defined in **ff.h**, implemented in **obfusc.c**: |
15 | Defined in **ff.h**, implemented in **obfusc.c**: |
16 | 16 | ||
17 | // Implements Obfusc V5 on Windows and Obfusc V4 on MacOS. |
17 | // Implements Obfusc V6. |
18 | // Returns a seed that needs to be stored in the executable code. |
18 | // Returns a seed that needs to be stored in the executable code. |
19 | uint32_t obfusc(PARM_T* pparm); |
19 | uint64_t obfusc(PARM_T* pparm); |
20 | 20 | ||
21 | // In V1+V2: Seed is hardcoded |
21 | // In V1+V2: Seed is hardcoded |
22 | // In V3: Seed is in PARM (field "unknown2") |
22 | // In V3: Seed is in PARM (field "unknown2") |
23 | // In V4+V5: Seed is in the program code and will me modified with a binary search+replace |
23 | // In V4-V6: Seed is in the program code and will me modified with a binary search+replace |
24 | void deobfusc(PARM_T* pparm); |
24 | void deobfusc(PARM_T* pparm); |
25 | 25 | ||
- | 26 | ### Obfuscation "Version 6" |
|
- | 27 | ||
- | 28 | Introduced in **Filter Foundry 1.7.0.10** |
|
- | 29 | ||
- | 30 | The CRC32b checksum of the PARM (with `unknown1,2,3` set to 0) |
|
- | 31 | will be written to `unknown1`. |
|
- | 32 | ||
- | 33 | Then, the PARM will be XORed with a random data stream of seed #1, |
|
- | 34 | and then XORed with a random data stream of seed #2. |
|
- | 35 | The algorithm is the XORshift which was introcuced in obfuscation version 2. |
|
- | 36 | Unlike obfuscation version 3-5, while generating and applying the random data |
|
- | 37 | stream, no bytes are skipped. |
|
- | 38 | ||
- | 39 | Seed #1 and seed #2 are merged in a 64-bit "initial seed" which is stored |
|
- | 40 | in the executable. |
|
- | 41 | ||
- | 42 | (Theoretical) Macintosh version: |
|
- | 43 | Obfuscation and deobfuscation has the seed `0x38AD972A52830517`, since the |
|
- | 44 | manipulation of the binary code is currently not implemented. |
|
- | 45 | ||
- | 46 | The DWORD value `0x00000006` will be stored at field `unknown2` |
|
- | 47 | (byte 0x30..0x33; the field is not used in the `PARM` resource). |
|
- | 48 | ||
- | 49 | During de-obfuscation, the program will check if the checksum in `unknown1` |
|
- | 50 | matches. If it does not match, the data will be discarded. |
|
- | 51 | ||
26 | ### Obfuscation "Version 5" |
52 | ### Obfuscation "Version 5" |
27 | 53 | ||
28 | Introduced in **Filter Foundry 1.7.0.8** |
54 | Introduced in **Filter Foundry 1.7.0.8** |
29 | 55 | ||
30 | Obfuscation version 5 is the same as version 4, but there is a constraint |
56 | Obfuscation version 5 is the same as version 4, but there is a constraint |
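Review bot: In the new "Version 6" section (new lines 30-47), the order of operations around `unknown1` and `unknown2` is not stated. The checksum is written to `unknown1` before the two XOR passes, while the `0x00000006` marker in `unknown2` is only mentioned after them, so a reader cannot tell whether either field is covered by the XOR streams or written in the clear afterwards. Suggest listing the steps in execution order and stating which fields the streams cover, since the text also says "no bytes are skipped" and de-obfuscation has to read `unknown1` to verify the checksum. Two typos are worth fixing in the same change: "introcuced" at new line 35 and "will me modified" at new line 23, a line this revision already edits.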