From b5978dc7c4aa1bf340258ff5bd13e9bc12666bc2 Mon Sep 17 00:00:00 2001
From: Florian Bach
Date: Wed, 15 Jun 2022 19:29:55 +0200
Subject: [PATCH] Fix AV false-positives by packing executables

---
 .github/workflows/main.yml | 7 +++---
 bundle_calibre_plugin.sh | 19 +++++++++++++++-
 calibre-plugin/__init__.py | 25 +++++++++++++++------
 calibre-plugin/keyextract/Makefile | 2 +-
 calibre-plugin/keyextractDecryptor.py | 31 +++++++++++++++++++++++++++
 5 files changed, 72 insertions(+), 12 deletions(-)
 create mode 100644 calibre-plugin/keyextractDecryptor.py

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 153c945..d3ad9ee 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -7,15 +7,14 @@ on:
 jobs:
 build:
 runs-on: ubuntu-20.04
- container: debian:bullseye
 steps:
 - uses: actions/checkout@v2
 - name: Install compilers
 run: |
- apt update
- apt install -y gcc-mingw-w64-i686 gcc-mingw-w64-x86-64
- apt install -y wget make zip
+ sudo apt update
+ sudo apt install -y gcc-mingw-w64-i686 gcc-mingw-w64-x86-64
+ sudo apt install -y wget make zip
 
 - name: Compile
 run: |
diff --git a/bundle_calibre_plugin.sh b/bundle_calibre_plugin.sh
index 04578b9..bf1aae1 100755
--- a/bundle_calibre_plugin.sh
+++ b/bundle_calibre_plugin.sh
@@ -13,6 +13,23 @@ pushd keyextract
 
 # Compile C programs:
 make
+base64 decrypt_win32.exe > decrypt_win32_b64.txt
+base64 decrypt_win64.exe > decrypt_win64_b64.txt
+
+# Base64-encode binaries and place them inside decryptor.py:
+sed "/@@@CALIBRE_DECRYPTOR_WIN32_B64@@@/ {
+ r decrypt_win32_b64.txt
+ d
+}" -i ../keyextractDecryptor.py
+
+sed "/@@@CALIBRE_DECRYPTOR_WIN64_B64@@@/ {
+ r decrypt_win64_b64.txt
+ d
+}" -i ../keyextractDecryptor.py
+
+rm decrypt_win32_b64.txt decrypt_win64_b64.txt
+rm decrypt_win32.exe decrypt_win64.exe
+
 popd
 
 # Delete cache
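Review bot: The two `sed ... -i ../keyextractDecryptor.py` commands rewrite the tracked template in place, so after one run the `@@@CALIBRE_DECRYPTOR_*_B64@@@` markers are gone from the working tree: a second run finds nothing to replace and silently bundles whatever binaries the previous run embedded, and the checkout is left dirty. Keep the version-controlled file as a template (for example a `.in` file) and generate the real module into the build output, or restore the file once the ZIP is built. Nothing in this hunk verifies that `make` actually produced the two executables: if `base64 decrypt_win32.exe` fails, the redirect still creates an empty `decrypt_win32_b64.txt`, the marker is replaced by nothing, and the decoder on the Python side then yields an empty `.exe`; a guard such as `test -s decrypt_win32.exe && test -s decrypt_win64.exe || exit 1` before the `base64` lines would stop the build instead. The script header, where a `set -e` might already live, is outside the hunk.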
@@ -20,7 +37,7 @@ rm -r __pycache__
 rm *.pyc
 
 # Set module ID. This needs to be changed if any of the module ZIPs change.
-echo -n "2022-05-14-02" > module_id.txt
+echo -n "2022-06-15-01" > module_id.txt
 
 # Copy LICENSE and README.md so it'll be included in the ZIP.
 cp ../LICENSE LICENSE
diff --git a/calibre-plugin/__init__.py b/calibre-plugin/__init__.py
index dc8e0f3..5c6f57d 100644
--- a/calibre-plugin/__init__.py
+++ b/calibre-plugin/__init__.py
@@ -192,14 +192,27 @@ class DeACSM(FileTypePlugin):
 
 if islinux:
 # Also extract EXE files needed for WINE ADE key extraction
- names = [ "keyextract/decrypt_win32.exe", "keyextract/decrypt_win64.exe" ]
- lib_dict = self.load_resources(names)
- for entry, data in lib_dict.items():
- file_path = os.path.join(rand_path, entry.split('/')[1])
- f = open(file_path, "wb")
- f.write(data)
+ # EXE files are obfuscated with base64 so that stupid AV programs
+ # don't flag this whole plugin as malicious.
+ # See keyextractDecryptor.py and the folder "keyextract" for more information.
+
+ try:
+ print("{0} v{1}: Extracting WINE key tools ...".format(PLUGIN_NAME, PLUGIN_VERSION))
+ from keyextractDecryptor import get_win32_data, get_win64_data
+
+ file32 = os.path.join(rand_path, "decrypt_win32.exe")
+ f = open(file32, "wb")
+ f.write(get_win32_data())
 f.close()
+ file64 = os.path.join(rand_path, "decrypt_win64.exe")
+ f = open(file64, "wb")
+ f.write(get_win64_data())
+ f.close()
+ except:
+ print("{0} v{1}: Error while extracting packed WINE ADE key extraction EXE files ".format(PLUGIN_NAME, PLUGIN_VERSION))
+ traceback.print_exc()
+
 
 # Write module ID
 if id_plugin is not None:
diff --git a/calibre-plugin/keyextract/Makefile b/calibre-plugin/keyextract/Makefile
index 2e2b5b7..f25d6b8 100644
--- a/calibre-plugin/keyextract/Makefile
+++ b/calibre-plugin/keyextract/Makefile
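Review bot: The new `except:` is a bare except, so it also swallows `KeyboardInterrupt` and `SystemExit`, and the handles opened with `f = open(..., "wb")` are never closed when `f.write()` raises, because both `f.close()` calls sit outside any `finally`/`with`. Narrow it to `except Exception:` and write both files through `with open(path, "wb") as f:` so the handle is released on every path; the rewrite below also folds the duplicated win32/win64 sequence into one loop. Whatever `get_win32_data()`/`get_win64_data()` return is written out as an `.exe` unchecked; if the bundling step records a SHA-256 of each executable next to the payload, comparing the decoded bytes against that constant before writing would catch a corrupted or tampered plugin archive rather than hand it to WINE. The error message also ends in a stray space before the closing quote. The enclosing method starts and ends outside the hunk.
```python
            # … unchanged: comment block explaining the base64 packing …
            try:
                print("{0} v{1}: Extracting WINE key tools ...".format(PLUGIN_NAME, PLUGIN_VERSION))
                from keyextractDecryptor import get_win32_data, get_win64_data

                # 'with' closes the handle even when decoding or writing fails
                for exe_name, load in (("decrypt_win32.exe", get_win32_data),
                                       ("decrypt_win64.exe", get_win64_data)):
                    with open(os.path.join(rand_path, exe_name), "wb") as f:
                        f.write(load())
            except Exception:
                print("{0} v{1}: Error while extracting packed WINE ADE key extraction EXE files".format(PLUGIN_NAME, PLUGIN_VERSION))
                traceback.print_exc()
```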
@@ -5,7 +5,7 @@ clean:
 rm decrypt_win32.exe decrypt_win64.exe 2>/dev/null || /bin/true
 
 decrypt_win32.exe: main.c Makefile
- i686-w64-mingw32-gcc main.c -O2 -o decrypt_win32.exe -lcrypt32
+ i686-w64-mingw32-gcc main.c -Os -o decrypt_win32.exe -lcrypt32
 i686-w64-mingw32-strip decrypt_win32.exe
 
 decrypt_win64.exe: main.c Makefile
diff --git a/calibre-plugin/keyextractDecryptor.py b/calibre-plugin/keyextractDecryptor.py
new file mode 100644
index 0000000..a202a68
--- /dev/null
+++ b/calibre-plugin/keyextractDecryptor.py
@@ -0,0 +1,31 @@
+
+# NOTE:
+# This file contains the two Windows executables "decrypt_win32.exe" and "decrypt_win64.exe"
+# in base64-encoded form. The source code for these files can be found inside the main.c file
+# in the "keyextract" directory. It's only ~200 lines of harmless C source code.
+
+# These two programs are used only for Linux-based OSes, in order to run them in a WINE
+# environment to extract ADE account data from an ADE instance running in WINE.
+
+# Because these programs are decrypting data that belongs to another program (account data
+# from ADE), various antivirus programs might detect them as malicious and try to block the
+# plugin. As these executables aren't needed on Windows and MacOS (only on Linux), they
+# are included here in obfuscated form and are only extracted when on Linux. This should make
+# antivirus programs shut up and stop reporting this plugin as a virus.
+
+import base64
+
+def get_win32_data():
+ return base64.b64decode(data_win32)
+
+def get_win64_data():
+ return base64.b64decode(data_win64)
+
+
+data_win32 = """
+@@@CALIBRE_DECRYPTOR_WIN32_B64@@@
+"""
+
+data_win64 = """
+@@@CALIBRE_DECRYPTOR_WIN64_B64@@@
+"""
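Review bot: `base64.b64decode(data_win32)` in `get_win32_data` runs with the default `validate=False`, which silently drops every character outside the base64 alphabet, so if the bundling script never replaced the `@@@CALIBRE_DECRYPTOR_WIN32_B64@@@` marker the call still returns 18 bytes of junk (the `@` signs, underscores and newlines are discarded and the remaining 24 characters decode cleanly) and the caller writes that out as an executable instead of failing. Strip the line breaks the `base64` tool inserts and then validate strictly, `return base64.b64decode("".join(data_win32.split()), validate=True)` (and the same in `get_win64_data` for `data_win64`), so an unreplaced marker or a corrupted string raises `binascii.Error` at extraction time rather than producing a bogus `.exe`. A module docstring should also state that this file is a template whose two `data_*` strings are filled in by `bundle_calibre_plugin.sh` at build time, since the placeholders alone do not make that obvious to a reader of the committed file.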