Subversion Repositories filter_foundry

const volatile uint32_t cObfuscV4Seed = 0x52830517; // this value will be manipulated during the building of each individual filter (see make_win.c)

int rand_msvcc(unsigned int* seed) {

        *seed = *seed * 214013L + 2531011L;

        return (*seed >> 16) & 0x7fff; /* Scale between 0 and RAND_MAX */

}

int rand_openwatcom(unsigned int* seed) {

        // https://github.com/open-watcom/open-watcom-v2/blob/master/bld/clib/math/c/rand.c

        *seed = *seed * 1103515245L + 12345L;

        return (*seed >> 16) & 0x7fff; /* Scale between 0 and RAND_MAX */

}

void _xorshift(unsigned char** p, uint32_t* x32, size_t num) {

        size_t i;

        unsigned char* x = *p;

        for (i = 0; i < num; i++) {

                // https://de.wikipedia.org/wiki/Xorshift

                *x32 ^= *x32 << 13;

                *x32 ^= *x32 >> 17;

                *x32 ^= *x32 << 5;

                *x++ ^= *x32;

        }

        *p = x;

}

void obfusc(PARM_T* pparm, unsigned int seed) {

        unsigned char* p;

        size_t size, seed_position;

        seed_position = offsetof(PARM_T, unknown2);

        size = sizeof(PARM_T);

        // Version 4 obfuscation

        // Filter Foundry >= 1.7.0.7

        p = (unsigned char*)pparm;

        _xorshift(&p, &seed, seed_position);

        *((unsigned int*)p) = 4; // Obfusc V4 info

        p += 4;

        _xorshift(&p, &seed, size - seed_position - 4);

}

void deobfusc(PARM_T* pparm) {

        unsigned char* p;

        size_t i;

        unsigned int seed;

        size_t size, seed_position;

        seed_position = offsetof(PARM_T, unknown2); // = offsetof(PARM_T_PREMIERE, unknown1)

        size = sizeof(PARM_T);

        seed = pparm->unknown2;

        if (seed == 0x90E364A3) { // A3 64 E3 90

                // Version 1 obfuscation, filter built with VC++ (official release by Toby Thain)

                // Filter Foundry FF >= 1.4b8,9,10

                seed = 0xdc43df3c;

                for (i = size, p = (unsigned char*)pparm; i--;) {

                        *p++ ^= rand_msvcc(&seed);

                }

        }

        else if (seed == 0xE2CFCA34) { // 34 CA CF E2

                // Version 2 obfuscation, compiler independent

                // Filter Foundry >= 1.7b1

                unsigned int x32 = 0x95d4a68f;

                for (i = size, p = (unsigned char*)pparm; i--;) {

                        x32 ^= x32 << 13;

                        x32 ^= x32 >> 17;

                        x32 ^= x32 << 5;

                        *p++ ^= x32;

                }

        }

        else if (seed == 4) { // 04 00 00 00

                // Version 4 obfuscation

                // Filter Foundry >= 1.7.0.7

                // Not compiler dependent, but individual for each build

                // It is important that this code works for both x86 and x64 indepdently from the used compiler,

                // otherwise, the cross-make x86/x64 won't work!

                uint32_t v4seed = cObfuscV4Seed; // this value will be manipulated during the building of each individual filter (see make_win.c)

                p = (unsigned char*)pparm;

                _xorshift(&p, &v4seed, seed_position);

                p += 4; // obfusc info == 4

                _xorshift(&p, &v4seed, size - seed_position - 4);

                // Filter Foundry >= 1.7.0.5 builds combines obfuscation and protection

                // when a standalone filter is built. Theoretically, you can un-protect a

                // plugin, even if it is obfuscated, just by bit-flipping the LSB of byte 0x164.

                // Therefore, we enforce that the plugin is protected!

                // Note: We don't need to check PARM_T_PREMIERE, because only PARM_T

                //       can be obfuscated by FilterFoundry.

                pparm->iProtected = 1;

        }

        else {

                // Version 3 obfuscation

                // Filter Foundry >= 1.7.0.5

                // NO loading of other implementation supported, but that doesn't matter since Obfuscation+Protection is combined in FF >= 1.7.0.5

                // Using rand() is more secure, because it differs from compiler to compiler, so

                // it is harder to read a protected 8BF plugin.

                // Note that rand() in combination with srand() is deterministic, so it is safe

                // to use it: https://stackoverflow.com/questions/55438293/does-rand-function-in-c-follows-non-determinstc-algorithm

                // Note: 32-Bit FF is built using OpenWatcom (to support Win95), while 64-Bit FF is built using Microsoft Visual C++

                srand(seed);

                p = (unsigned char*)pparm;

                for (i = 0; i < seed_position; i++) *p++ ^= rand();

                *((unsigned int*)p) = 0; // here was the seed. Fill it with 0x00000000

                p += 4;

                for (i = 0; i < size - seed_position - 4; i++) *p++ ^= rand();

                // Filter Foundry >= 1.7.0.5 builds combines obfuscation and protection

                // when a standalone filter is built. Theoretically, you can un-protect a

                // plugin, even if it is obfuscated, just by bit-flipping the LSB of byte 0x164.

                // Therefore, we enforce that the plugin is protected!

                // Note: We don't need to check PARM_T_PREMIERE, because only PARM_T

                //       can be obfuscated by FilterFoundry.

                pparm->iProtected = 1;

        }

}