Subversion Repositories filter_foundry

# Obfuscated filters

# Obfuscated filters

## Resource location

## Resource location

Obfuscated standalone filters:

Obfuscated standalone filters:

- Windows resource: OBFS\16\0 (previously RCDATA\16001\0)

- Windows resource: OBFS\16\0 (previously RCDATA\16001\0)

- MacOS resource: 'obFS' 16 (previously 'DATA' 16001)

- MacOS resource: 'obFS' 16 (previously 'DATA' 16001)

Normal standalone filters:

Normal standalone filters:

- Windows resource: PARM\16\0 (previously PARM\16000\0)

- Windows resource: PARM\16\0 (previously PARM\16000\0)

- MacOS resource: 'PARM' 16 (previously 'PARM' 16000)

- MacOS resource: 'PARM' 16 (previously 'PARM' 16000)

## Implementation

## Implementation

Defined in **ff.h**, implemented in **obfusc.c**:

Defined in **ff.h**, implemented in **obfusc.c**:

    // In V1+V2: Seed is hardcoded

    // In V1+V2: Seed is hardcoded

    // In V3:    Seed is in PARM (field "unknown2")

    // In V3:    Seed is in PARM (field "unknown2")

    void deobfusc(PARM_T* pparm);

    void deobfusc(PARM_T* pparm);

### Obfuscation "Version 6"

### Obfuscation "Version 6"

Introduced in **Filter Foundry 1.7.0.10**

Introduced in **Filter Foundry 1.7.0.10**

First, the fields `unknown1`, `unknown2`, aned `unknown3` are set to 0.

First, the fields `unknown1`, `unknown2`, aned `unknown3` are set to 0.

A 64 bit seed will be generated.

A 64 bit seed will be generated.

On Windows, the seed is the ECMA 182 CRC64 checksum of the PARM.

On Windows, the seed is the ECMA 182 CRC64 checksum of the PARM.

On Macintosh, it stays at the default value `0x38AD972A52830517` (before 1.7.0.17) or

On Macintosh, it stays at the default value `0x38AD972A52830517` (before 1.7.0.17) or

`0x7416972a52830517` (beginning with 1.7.0.17).

`0x7416972a52830517` (beginning with 1.7.0.17).

(because the manipulation of the binary code is not implemented).

(because the manipulation of the binary code is not implemented).

Then, the CRC32b checksum of the PARM will be written to `unknown1`.

Then, the CRC32b checksum of the PARM will be written to `unknown1`.

The PARM will then be XORed with a random data stream of the lower 32 bits of the 64 bit seed.

The PARM will then be XORed with a random data stream of the lower 32 bits of the 64 bit seed.

The algorithm is the XORshift which was introcuced in obfuscation version 2.

The algorithm is the XORshift which was introcuced in obfuscation version 2.

Unlike obfuscation version 3-5, while generating and applying the random data

Unlike obfuscation version 3-5, while generating and applying the random data

stream, no bytes are skipped.

stream, no bytes are skipped.

After this, PARM will be XORed with the 64 bit seed,

After this, PARM will be XORed with the 64 bit seed,

which will be ROLed by 1 bit after each byte:

which will be ROLed by 1 bit after each byte:

    uint64_t rol_u64(uint64_t value, uint64_t by) {

    uint64_t rol_u64(uint64_t value, uint64_t by) {

        return value << by | value >> (sizeof(uint64_t) * 8 - by);

        return value << by | value >> (sizeof(uint64_t) * 8 - by);

    }

    }

The 64 bit seed is stored in the executable.

The 64 bit seed is stored in the executable.

The DWORD value `0x00000006` will be stored at field `unknown2`

The DWORD value `0x00000006` will be stored at field `unknown2`

(byte 0x30..0x33; the field is not used in the `PARM` resource).

(byte 0x30..0x33; the field is not used in the `PARM` resource).

During de-obfuscation, the program will check if the checksum in `unknown1`

During de-obfuscation, the program will check if the checksum in `unknown1`

matches. If it does not match, the data will be discarded.

matches. If it does not match, the data will be discarded.

### Obfuscation "Version 5"

### Obfuscation "Version 5"

Introduced in **Filter Foundry 1.7.0.8**

Introduced in **Filter Foundry 1.7.0.8**

Obfuscation version 5 is the same as version 4, but there is a constraint

Obfuscation version 5 is the same as version 4, but there is a constraint

that the seed must be equal to the CRC32b checksum of the deobfuscated PARM.

that the seed must be equal to the CRC32b checksum of the deobfuscated PARM.

This is done to check the integrity of the deobfuscation.

This is done to check the integrity of the deobfuscation.

Also, the xor-shifting is intentionally incompatible with version 4

Also, the xor-shifting is intentionally incompatible with version 4

(to avoid downgrade-attacks) by XORing the initial seed with 0xFFFFFFFF.

(to avoid downgrade-attacks) by XORing the initial seed with 0xFFFFFFFF.

The DWORD value `0x00000005` will be stored at field `unknown2`

The DWORD value `0x00000005` will be stored at field `unknown2`

(byte 0x30..0x33; the field is not used in the `PARM` resource).

(byte 0x30..0x33; the field is not used in the `PARM` resource).

While generating and applying the random data stream, the bytes

While generating and applying the random data stream, the bytes

0x30..0x33 (the location where the version info is stored) are skipped,

0x30..0x33 (the location where the version info is stored) are skipped,

like in version 3.

like in version 3.

### Obfuscation "Version 4"

### Obfuscation "Version 4"

Introduced in **Filter Foundry 1.7.0.7**

Introduced in **Filter Foundry 1.7.0.7**

It is not compiler-dependant, but different between every standalone filter.

It is not compiler-dependant, but different between every standalone filter.

Windows version:

Windows version:

The binary code of the 8BF file will be manipulated during building

The binary code of the 8BF file will be manipulated during building

to store the seed into the `deobfusc()` function.

to store the seed into the `deobfusc()` function.

The placeholder value is `OBFUSC_V4_DEFAULT_SEED 0x52830517`

The placeholder value is `OBFUSC_V4_DEFAULT_SEED 0x52830517`

This allows that 32-bit and 64-bit filters are "cross built".

This allows that 32-bit and 64-bit filters are "cross built".

(Theoretical) Macintosh version:

(Theoretical) Macintosh version:

Obfuscation and deobfuscation has the seed `0x52830517`, since the

Obfuscation and deobfuscation has the seed `0x52830517`, since the

manipulation of the binary code is not implemented.

manipulation of the binary code is not implemented.

Algorithm: XOR-Shift like in version 2, but the seed is individual for

Algorithm: XOR-Shift like in version 2, but the seed is individual for

each individual built standalone filter.

each individual built standalone filter.

The DWORD value `0x00000004` will be stored at field `unknown2`

The DWORD value `0x00000004` will be stored at field `unknown2`

(byte 0x30..0x33; the field is not used in the `PARM` resource).

(byte 0x30..0x33; the field is not used in the `PARM` resource).

While generating and applying the random data stream, the bytes

While generating and applying the random data stream, the bytes

0x30..0x33 (the location where the version info is stored) are skipped,

0x30..0x33 (the location where the version info is stored) are skipped,

like in version 3.

like in version 3.

### Obfuscation "Version 3"

### Obfuscation "Version 3"

Introduced in **Filter Foundry 1.7.0.5**

Introduced in **Filter Foundry 1.7.0.5**

A random seed is chosen and written to field `unknown2` (byte 0x30..0x33).

A random seed is chosen and written to field `unknown2` (byte 0x30..0x33).

Then, the `PARM` resource will be obfuscated by applying an XOR operation to a random data stream:

Then, the `PARM` resource will be obfuscated by applying an XOR operation to a random data stream:

    unsigned char *p;

    unsigned char *p;

    *p++ ^= (int)(rand() * 1.0 / (RAND_MAX + 1) * 256);

    *p++ ^= (int)(rand() * 1.0 / (RAND_MAX + 1) * 256);

Bytes 0x30..0x33 (the location where the seed is stored) are skipped.

Bytes 0x30..0x33 (the location where the seed is stored) are skipped.

The `rand()` operation is compiler-dependant, and therefore the resource cannot be exchanged between plugins.

The `rand()` operation is compiler-dependant, and therefore the resource cannot be exchanged between plugins.

32 bit plugin is built with OpenWatcom (for Win95 compatibility) which has following formula:

32 bit plugin is built with OpenWatcom (for Win95 compatibility) which has following formula:

    int rand_openwatcom(unsigned int* seed) {

    int rand_openwatcom(unsigned int* seed) {

            *seed = *seed * 1103515245L + 12345L;

            *seed = *seed * 1103515245L + 12345L;

            return (*seed >> 16) & 0x7fff; /* Scale between 0 and RAND_MAX */

            return (*seed >> 16) & 0x7fff; /* Scale between 0 and RAND_MAX */

    }

    }

64 bit plugin is built with Visual C++ which has following formula:

64 bit plugin is built with Visual C++ which has following formula:

    int rand_msvcc(unsigned int* seed) {

    int rand_msvcc(unsigned int* seed) {

            *seed = *seed * 214013L + 2531011L;

            *seed = *seed * 214013L + 2531011L;

            return (*seed >> 16) & 0x7fff; /* Scale between 0 and RAND_MAX */

            return (*seed >> 16) & 0x7fff; /* Scale between 0 and RAND_MAX */

    }

    }

### Obfuscation "Version 2"

### Obfuscation "Version 2"

Introduced in **Filter Foundry 1.7b1**

Introduced in **Filter Foundry 1.7b1**

It is compiler-independent!

It is compiler-independent!

Algorithm: [XOR-Shift](https://de.wikipedia.org/wiki/Xorshift "XOR-Shift") with hardcoded seed `0x95d4a68f`.

Algorithm: [XOR-Shift](https://de.wikipedia.org/wiki/Xorshift "XOR-Shift") with hardcoded seed `0x95d4a68f`.

    x32 = 0x95d4a68f;

    x32 = 0x95d4a68f;

    for(i = size, p = pparm; i--;) {

    for(i = size, p = pparm; i--;) {

            x32 ^= x32 << 13;

            x32 ^= x32 << 13;

            x32 ^= x32 >> 17;

            x32 ^= x32 >> 17;

            x32 ^= x32 << 5;

            x32 ^= x32 << 5;

            *p++ ^= x32;

            *p++ ^= x32;

    }

    }

### Obfuscation "Version 1"

### Obfuscation "Version 1"

Introduced in **Filter Foundry 1.4b8,9,10**

Introduced in **Filter Foundry 1.4b8,9,10**

It is compiler-dependant, and therefore the resource cannot be exchanged between plugins!

It is compiler-dependant, and therefore the resource cannot be exchanged between plugins!

Algorithm: XOR with `rand()`-stream with hardcoded seed `0xdc43df3c`.

Algorithm: XOR with `rand()`-stream with hardcoded seed `0xdc43df3c`.

    srand(0xdc43df3c);

    srand(0xdc43df3c);

    for(i = size, p = pparm; i--;) {

    for(i = size, p = pparm; i--;) {

            *p++ ^= rand();

            *p++ ^= rand();

    }

    }

The plugin is built with Visual C++ which has following formula:

The plugin is built with Visual C++ which has following formula:

    int rand_msvcc(unsigned int* seed) {

    int rand_msvcc(unsigned int* seed) {

            *seed = *seed * 214013L + 2531011L;

            *seed = *seed * 214013L + 2531011L;

            return (*seed >> 16) & 0x7fff; /* Scale between 0 and RAND_MAX */

            return (*seed >> 16) & 0x7fff; /* Scale between 0 and RAND_MAX */

    }

    }