Fix AV false-positives by packing executables

2024-12-22 17:29:56 +06:00 · 2022-06-15 19:29:55 +02:00 · 2022-06-15 19:29:55 +02:00 · b5978dc7c4
commit b5978dc7c4
parent 1271d099e7
5 changed files with 72 additions and 12 deletions
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@ -7,15 +7,14 @@ on:
 jobs: 
  build:
    runs-on: ubuntu-20.04
    container: debian:bullseye
    steps: 
      - uses: actions/checkout@v2
      - name: Install compilers
        run: |
-          apt update
+          sudo apt update
-          apt install -y gcc-mingw-w64-i686 gcc-mingw-w64-x86-64
+          sudo apt install -y gcc-mingw-w64-i686 gcc-mingw-w64-x86-64
-          apt install -y wget make zip
+          sudo apt install -y wget make zip
      - name: Compile
        run: |
--- a/bundle_calibre_plugin.sh
+++ b/bundle_calibre_plugin.sh
@ -13,6 +13,23 @@ pushd keyextract
 # Compile C programs: 
 make
 base64 decrypt_win32.exe > decrypt_win32_b64.txt
 base64 decrypt_win64.exe > decrypt_win64_b64.txt
 # Base64-encode binaries and place them inside decryptor.py: 
 sed "/@@@CALIBRE_DECRYPTOR_WIN32_B64@@@/ {
    r decrypt_win32_b64.txt
    d
 }" -i ../keyextractDecryptor.py
 sed "/@@@CALIBRE_DECRYPTOR_WIN64_B64@@@/ {
    r decrypt_win64_b64.txt
    d
 }" -i ../keyextractDecryptor.py
 rm decrypt_win32_b64.txt decrypt_win64_b64.txt
 rm decrypt_win32.exe decrypt_win64.exe
 popd
 # Delete cache
@ -20,7 +37,7 @@ rm -r __pycache__
 rm *.pyc
 # Set module ID. This needs to be changed if any of the module ZIPs change.
-echo -n "2022-05-14-02" > module_id.txt
+echo -n "2022-06-15-01" > module_id.txt
 # Copy LICENSE and README.md so it'll be included in the ZIP.
 cp ../LICENSE LICENSE
--- a/calibre-plugin/init.py
+++ b/calibre-plugin/init.py
@ -192,14 +192,27 @@ class DeACSM(FileTypePlugin):
                if islinux: 
                    # Also extract EXE files needed for WINE ADE key extraction
-                    names = [ "keyextract/decrypt_win32.exe", "keyextract/decrypt_win64.exe" ]
+                    # EXE files are obfuscated with base64 so that stupid AV programs
-                    lib_dict = self.load_resources(names)
+                    # don't flag this whole plugin as malicious. 
-                    for entry, data in lib_dict.items():
+                    # See keyextractDecryptor.py and the folder "keyextract" for more information.
-                        file_path = os.path.join(rand_path, entry.split('/')[1])
+
-                        f = open(file_path, "wb")
+                    try: 
-                        f.write(data)
+                        print("{0} v{1}: Extracting WINE key tools ...".format(PLUGIN_NAME, PLUGIN_VERSION))
                        from keyextractDecryptor import get_win32_data, get_win64_data
                        file32 = os.path.join(rand_path, "decrypt_win32.exe")
                        f = open(file32, "wb")
                        f.write(get_win32_data())
                        f.close()
                        file64 = os.path.join(rand_path, "decrypt_win64.exe")
                        f = open(file64, "wb")
                        f.write(get_win64_data())   
                        f.close()
                    except:
                        print("{0} v{1}: Error while extracting packed WINE ADE key extraction EXE files ".format(PLUGIN_NAME, PLUGIN_VERSION))
                        traceback.print_exc()
                # Write module ID
                if id_plugin is not None: 
--- a/calibre-plugin/keyextract/Makefile
+++ b/calibre-plugin/keyextract/Makefile
@ -5,7 +5,7 @@ clean:
 	rm decrypt_win32.exe decrypt_win64.exe 2>/dev/null || /bin/true
 decrypt_win32.exe: main.c Makefile
-	i686-w64-mingw32-gcc main.c -O2 -o decrypt_win32.exe -lcrypt32
+	i686-w64-mingw32-gcc main.c -Os -o decrypt_win32.exe -lcrypt32
 	i686-w64-mingw32-strip decrypt_win32.exe
 decrypt_win64.exe: main.c Makefile
--- a/calibre-plugin/keyextractDecryptor.py
+++ b/calibre-plugin/keyextractDecryptor.py
@ -0,0 +1,31 @@
 # NOTE: 
 # This file contains the two Windows executables "decrypt_win32.exe" and "decrypt_win64.exe"
 # in base64-encoded form. The source code for these files can be found inside the main.c file
 # in the "keyextract" directory. It's only ~200 lines of harmless C source code.
 # These two programs are used only for Linux-based OSes, in order to run them in a WINE 
 # environment to extract ADE account data from an ADE instance running in WINE. 
 # Because these programs are decrypting data that belongs to another program (account data
 # from ADE), various antivirus programs might detect them as malicious and try to block the
 # plugin. As these executables aren't needed on Windows and MacOS (only on Linux), they 
 # are included here in obfuscated form and are only extracted when on Linux. This should make
 # antivirus programs shut up and stop reporting this plugin as a virus. 
 import base64
 def get_win32_data(): 
    return base64.b64decode(data_win32)
 def get_win64_data(): 
    return base64.b64decode(data_win64)
 data_win32 = """
@@@CALIBRE_DECRYPTOR_WIN32_B64@@@
 """
 data_win64 = """
@@@CALIBRE_DECRYPTOR_WIN64_B64@@@
 """