Fix AV false-positives by packing executables

2 years ago · b5978dc7c4
parent 1271d099e7
commit b5978dc7c4
5 changed files with 72 additions and 12 deletions
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@ -7,15 +7,14 @@ on:
 jobs: 
  build:
    runs-on: ubuntu-20.04
-    container: debian:bullseye
    steps: 
      - uses: actions/checkout@v2

      - name: Install compilers
        run: |
-          apt update
-          apt install -y gcc-mingw-w64-i686 gcc-mingw-w64-x86-64
-          apt install -y wget make zip
+          sudo apt update
+          sudo apt install -y gcc-mingw-w64-i686 gcc-mingw-w64-x86-64
+          sudo apt install -y wget make zip

      - name: Compile
        run: |
--- a/bundle_calibre_plugin.sh
+++ b/bundle_calibre_plugin.sh
@ -13,6 +13,23 @@ pushd keyextract
 # Compile C programs: 
 make

+base64 decrypt_win32.exe > decrypt_win32_b64.txt
+base64 decrypt_win64.exe > decrypt_win64_b64.txt
+
+# Base64-encode binaries and place them inside decryptor.py: 
+sed "/@@@CALIBRE_DECRYPTOR_WIN32_B64@@@/ {
+    r decrypt_win32_b64.txt
+    d
+}" -i ../keyextractDecryptor.py
+
+sed "/@@@CALIBRE_DECRYPTOR_WIN64_B64@@@/ {
+    r decrypt_win64_b64.txt
+    d
+}" -i ../keyextractDecryptor.py
+
+rm decrypt_win32_b64.txt decrypt_win64_b64.txt
+rm decrypt_win32.exe decrypt_win64.exe
+
 popd

 # Delete cache
@ -20,7 +37,7 @@ rm -r __pycache__
 rm *.pyc

 # Set module ID. This needs to be changed if any of the module ZIPs change.
-echo -n "2022-05-14-02" > module_id.txt
+echo -n "2022-06-15-01" > module_id.txt

 # Copy LICENSE and README.md so it'll be included in the ZIP.
 cp ../LICENSE LICENSE
--- a/calibre-plugin/init.py
+++ b/calibre-plugin/init.py
@ -192,14 +192,27 @@ class DeACSM(FileTypePlugin):

                if islinux: 
                    # Also extract EXE files needed for WINE ADE key extraction
-                    names = [ "keyextract/decrypt_win32.exe", "keyextract/decrypt_win64.exe" ]
-                    lib_dict = self.load_resources(names)
-                    for entry, data in lib_dict.items():
-                        file_path = os.path.join(rand_path, entry.split('/')[1])
-                        f = open(file_path, "wb")
-                        f.write(data)
+                    # EXE files are obfuscated with base64 so that stupid AV programs
+                    # don't flag this whole plugin as malicious. 
+                    # See keyextractDecryptor.py and the folder "keyextract" for more information.
+
+                    try: 
+                        print("{0} v{1}: Extracting WINE key tools ...".format(PLUGIN_NAME, PLUGIN_VERSION))
+                        from keyextractDecryptor import get_win32_data, get_win64_data
+
+                        file32 = os.path.join(rand_path, "decrypt_win32.exe")
+                        f = open(file32, "wb")
+                        f.write(get_win32_data())
                        f.close()

+                        file64 = os.path.join(rand_path, "decrypt_win64.exe")
+                        f = open(file64, "wb")
+                        f.write(get_win64_data())   
+                        f.close()
+                    except:
+                        print("{0} v{1}: Error while extracting packed WINE ADE key extraction EXE files ".format(PLUGIN_NAME, PLUGIN_VERSION))
+                        traceback.print_exc()
+
                
                # Write module ID
                if id_plugin is not None: 
--- a/calibre-plugin/keyextract/Makefile
+++ b/calibre-plugin/keyextract/Makefile
@ -5,7 +5,7 @@ clean:
 	rm decrypt_win32.exe decrypt_win64.exe 2>/dev/null || /bin/true

 decrypt_win32.exe: main.c Makefile
-	i686-w64-mingw32-gcc main.c -O2 -o decrypt_win32.exe -lcrypt32
+	i686-w64-mingw32-gcc main.c -Os -o decrypt_win32.exe -lcrypt32
 	i686-w64-mingw32-strip decrypt_win32.exe

 decrypt_win64.exe: main.c Makefile
--- a/calibre-plugin/keyextractDecryptor.py
+++ b/calibre-plugin/keyextractDecryptor.py
@ -0,0 +1,31 @@
+
+# NOTE: 
+# This file contains the two Windows executables "decrypt_win32.exe" and "decrypt_win64.exe"
+# in base64-encoded form. The source code for these files can be found inside the main.c file
+# in the "keyextract" directory. It's only ~200 lines of harmless C source code.
+
+# These two programs are used only for Linux-based OSes, in order to run them in a WINE 
+# environment to extract ADE account data from an ADE instance running in WINE. 
+
+# Because these programs are decrypting data that belongs to another program (account data
+# from ADE), various antivirus programs might detect them as malicious and try to block the
+# plugin. As these executables aren't needed on Windows and MacOS (only on Linux), they 
+# are included here in obfuscated form and are only extracted when on Linux. This should make
+# antivirus programs shut up and stop reporting this plugin as a virus. 
+
+import base64
+
+def get_win32_data(): 
+    return base64.b64decode(data_win32)
+
+def get_win64_data(): 
+    return base64.b64decode(data_win64)
+
+
+data_win32 = """
+@@@CALIBRE_DECRYPTOR_WIN32_B64@@@
+"""
+
+data_win64 = """
+@@@CALIBRE_DECRYPTOR_WIN64_B64@@@
+"""