void MapleEncryption::mapleEncrypt(unsigned char *buf, int32_t size) {
int32_t j;
uint8_t a, c;
for (uint8_t i = 0; i < 3; i++) {
a = 0;
for (j = size; j > 0; j--) {
c = buf[size - j];
c = rol(c, 3);
c = (uint8_t)(c + j); // Guess this is supposed to be right?
c = c ^ a;
a = c;
c = ror(a, j);
c = c ^ 0xFF;
c = c + 0x48;
buf[size - j] = c;
}
a = 0;
for (j = size; j > 0; j--) {
c = buf[j - 1];
c = rol(c, 4);
c = (uint8_t)(c + j); // Guess this is supposed to be right?
c = c ^ a;
a = c;
c = c ^ 0x13;
c = ror(c, 3);
buf[j - 1] = c;
}
}
}
uint8_t F1(uint8_t x)
{
uint8_t temp1, temp2, temp3;
temp1 = ror(x);
temp1 = ror(temp1);
temp2 = ror(temp1);
temp2 = ror(temp2);
temp3 = ror(temp2);
return temp1 ^ temp2 ^ temp3;
}
int main (int argc, char* argv[]) {
char *seed, a[7], c[3];
unsigned int b,d,e,password;
if ( argc != 2 ) {
printf("Only one argument is permitted: 00BDC8667E5B\n");
exit(-1);
} else if ( strlen(argv[1]) != atse_length ) {
printf( "Incorrect parameter length, should be %d characters long\n", atse_length );
exit (-2);
}
seed = argv[1];
strncpy (a, seed, 6); //a = "ersten" 3Bytes vom seed
e = strtol(a, NULL, 16); //e = a
strncpy (c, seed + strlen(seed) - 2, 2); //c = last 2 bytes of seed?
d = strtol(c, NULL, 16) & magic2; //d = "last byte" AND 7
b = e + magic1; //
b = ror(b, d);
password = b ^ e;
printf("\nATEN 1,%X\n", password);
return 0;
}
static char * ROR1() {
CPU *c = getCPU();
setRegByte(c, ACCUM, 0xA1);
OP_CODE_INFO *o = getOP_CODE_INFO(getRegByte(c,ACCUM) & 0xFF, 0, modeAccumulator);
ror(c,o);
mu_assert("ROR1 err, ACCUM != 0x50", (0xFF & getRegByte(c,ACCUM)) == 0x50);
mu_assert("ROR1 err, CARRY != 1", getFlag(c,C) == 1);
freeOP_CODE_INFO(o);
free(c);
return 0;
}
void ARMCore::thumbDataLo(uint4 opcode, uint3 ird, uint3 irm) {
auto &rd = r[ird], rm = r[irm];
r[15] += 2;
if(opcode == 2) { SOut r = lsl(rd, rm); bitf(true, rd = r, r); } // lsls
else if(opcode == 3) { SOut r = lsr(rd, rm); bitf(true, rd = r, r); } // lsrs
else if(opcode == 4) { SOut r = asr(rd, rm); bitf(true, rd = r, r); } // asrs
else if(opcode == 7) { SOut r = ror(rd, rm); bitf(true, rd = r, r); } // rors
else if(opcode == 9) sumf(true, rd = -rm, 0, ~rm); // negs
else if(opcode == 13) bitf(true, rd = rm * rd, {rm*rd, Cf}); // muls
else alu(2*opcode+1, rd, rd, {rm,Cf}); // others are same as ARM
}
node* insert(node* root, int new_val) {
if (!root) {
root = new node();
root->val = new_val;
root->left = NULL;
root->right = NULL;
root->ht = 1;
return root;
}
else {
if (new_val < root->val) {
root->left = insert(root->left, new_val);
}
else /* (new_val > root->val) */ {
root->right = insert(root->right, new_val);
}
// Update height of acestor node as we come out of recursion
root->ht = (max(height(root->left), height(root->right))) + 1;
// Check the balance factor of the node to see if we need to rebalance
int balance = getBalance(root);
// Check the 4 cases of imbalance
if (balance < -1 && new_val < root->left->val)
return ror(root);
if (balance < -1 && new_val > root->right->val)
return rol(root);
if (balance > 1 && new_val > root->left->val) {
root->left = rol(root->left);
return ror(root);
}
if (balance < -1 && new_val < root->right->val) {
root->right = ror(root->right);
return rol(root);
}
return root;
}
}
/*
* key schedule
* inputKey: the original keys
* keys: round keys
*/
void encryptKeySchedule(const u8 * inputKey, u8 * keys ) {
const u32 *ik = (const u32*)inputKey;
u32 *rk = (u32*)keys;
int i;
for ( i = 0; i < SIMON_KEY_WORDS; i++ ) {
rk[i] = ik[i];
}
u32 temp;
for ( i = SIMON_KEY_WORDS; i < SIMON_ROUNDS; i++ ) {
temp = ror(rk[i-1], 3);
#if defined(SIMON_KEY_WORDS) && (SIMON_KEY_WORDS==4)
temp ^= rk[i-3];
#endif
temp ^= ror(temp, 1);
rk[i] = SIMON_CONST_C ^ rk[i-SIMON_KEY_WORDS] ^ temp;
if ( z[SIMON_SEQUENCE_NUMBER][(i-SIMON_KEY_WORDS)%62] == 1 ) {
rk[i] ^= 0x1;
}
}
}
void msrr_inst(ARMProc *proc, UWord instruction) {
#ifdef DEBUG
printf("Ejecutaste un msrr\n");
#endif
UWord mask;
Word operand, _bit_immediate, rotate_imm, Rm, field_mask, R, status_mode, byte_mask, byte1, byte2, byte3, byte4;
if( !cond(proc, instruction) )
return;
_bit_immediate = get_bits(instruction, 0, 8);
rotate_imm = get_bits(instruction, 8, 4);
Rm = get_bits(instruction, 0, 4);
field_mask = get_bits(instruction, 16, 4);
R = get_bits(instruction, 22, 1);
if( get_bits(instruction, 25, 1, 0))
operand = ror(_bit_immediate, rotate_imm * 2);
else
operand = Rm;
if( (operand & 0x06FFFF00) != 0 )
#ifdef DEBUG
printf("UNPREDICTABLE\n");
#endif
if( get_bits(field_mask, 0, 1) ) byte1 = 0x000000FF; else byte1 = 0x00000000;
if( get_bits(field_mask, 1, 1) ) byte2 = 0x0000FF00; else byte2 = 0x00000000;
if( get_bits(field_mask, 2, 1) ) byte3 = 0x00FF0000; else byte3 = 0x00000000;
if( get_bits(field_mask, 3, 1) ) byte4 = 0xFF000000; else byte4 = 0x00000000;
byte_mask = byte1 | byte2 | byte3 | byte4;
status_mode = get_status(proc, status_m);
if( !R ){
if( status_mode == mode_fiq || status_mode == mode_irq || status_mode == mode_svc || status_mode == mode_abt || status_mode == mode_und )
if( (operand & 0x01000020) != 0){
#ifdef DEBUG
printf("UNPREDICTABLE\n");
#endif
}else
mask = byte_mask & (0xF8000000 | 0x0000000F);
else
mask = byte_mask & 0xF8000000;
*proc->cpsr = ( *proc->cpsr & ~mask ) | (operand & mask);
}else
if( proc->spsr != NULL ){
mask = byte_mask & (0xF8000000 | 0x0000000F | 0x01000020);
*proc->spsr = (*proc->spsr & ~mask) | (operand & mask);
}else{
#ifdef DEBUG
printf("UNPREDICTABLE\n");
#endif
}
}
/*
* key schedule
* inputKey: the original keys
* keys: round keys
*/
void encryptKeySchedule(const u8 * inputKey, u8 * keys ) {
u32 *rk = (u32*)keys;
const u32 *ik = (const u32*)inputKey;
u32 l[SPECK_ROUNDS+SPECK_KEY_WORDS-2];
rk[0] = ik[0];
l[0] = ik[1];
l[1] = ik[2];
#if defined(SPECK_KEY_WORDS) && (SPECK_KEY_WORDS==4)
l[2] = ik[3];
#endif
int i;
for ( i = 0; i < SPECK_ROUNDS-1; i++ ) {
l[i+SPECK_KEY_WORDS-1] = (rk[i] + ror(l[i], SPECK_A)) ^ (u32)i;
rk[i+1] = rol(rk[i], SPECK_B) ^ l[i+SPECK_KEY_WORDS-1];
}
}
void swp_inst(ARMProc *proc, UWord instruction) {
#ifdef DEBUG
printf("Ejecutaste un swp\n");
#endif
if( !cond(proc, instruction) )
return;
ARMCoprocessorInterface *cp15;
Word cp15_reg1, temp, address, Rm, Rd;
address = *proc->r[get_bits(instruction, 16, 4)];
Rm = get_bits(instruction, 0, 4);
Rd = get_bits(instruction, 12, 4);
cp15 = proc->coprocessors[15];
cp15_reg1 = cp15->readRegister(cp15, 1);
if( !get_bits(cp15_reg1, 22, 1) ){
temp = ror(proc->readWord(proc, address), 8 * get_bits(address, 0, 2));
proc->writeWord(proc, address, *proc->r[Rm]);
*proc->r[Rd] = temp;
}else{
temp = proc->readWord(proc, address);
proc->writeWord(proc, address, *proc->r[Rm]);
*proc->r[Rd] = temp;
}
}
int calculate_hash( char *function_name )
{
int aux = 0;
unsigned long hash = 0;
while (*function_name)
{
hash = ror(hash, 13);
hash += *function_name;
function_name++;
}
while ( hash > 0 )
{
aux = aux << 8;
aux += (hash & 0x00000FF);
hash = hash >> 8;
}
hash = aux;
return htonl(hash);
}
DLLEXPORT UINT_PTR WINAPI ReflectiveLoader( VOID )
#endif
{
// the functions we need
LOADLIBRARYA pLoadLibraryA;
GETPROCADDRESS pGetProcAddress;
VIRTUALALLOC pVirtualAlloc;
VIRTUALLOCK pVirtualLock;
OUTPUTDEBUG pOutputDebug;
USHORT usCounter;
// the initial location of this image in memory
UINT_PTR uiLibraryAddress;
// the kernels base address and later this images newly loaded base address
UINT_PTR uiBaseAddress;
// variables for processing the kernels export table
UINT_PTR uiAddressArray;
UINT_PTR uiNameArray;
UINT_PTR uiExportDir;
UINT_PTR uiNameOrdinals;
DWORD dwHashValue;
// variables for loading this image
UINT_PTR uiHeaderValue;
UINT_PTR uiValueA;
UINT_PTR uiValueB;
UINT_PTR uiValueC;
UINT_PTR uiValueD;
UINT_PTR uiValueE;
register UINT_PTR inspect;
// STEP 0: calculate our images current base address
// we will start searching backwards from our current EIP
#ifdef _WIN64
uiLibraryAddress = eip();
#else
__asm {
call geteip
geteip:
pop uiLibraryAddress
}
#endif
// loop through memory backwards searching for our images base address
// we dont need SEH style search as we shouldnt generate any access violations with this
while( TRUE )
{
if( ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_magic == IMAGE_DOS_SIGNATURE )
{
uiHeaderValue = ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
// some x64 dll's can trigger a bogus signature (IMAGE_DOS_SIGNATURE == 'POP r10'),
// we sanity check the e_lfanew with an upper threshold value of 1024 to avoid problems.
if( uiHeaderValue >= sizeof(IMAGE_DOS_HEADER) && uiHeaderValue < 1024 )
{
uiHeaderValue += uiLibraryAddress;
// break if we have found a valid MZ/PE header
if( ((PIMAGE_NT_HEADERS)uiHeaderValue)->Signature == IMAGE_NT_SIGNATURE )
break;
}
}
uiLibraryAddress--;
}
// STEP 1: process the kernels exports for the functions our loader needs...
// get the Process Enviroment Block
#ifdef _WIN64
uiBaseAddress = __readgsqword( 0x60 );
#else
uiBaseAddress = __readfsdword( 0x30 );
#endif
// get the processes loaded modules. ref: http://msdn.microsoft.com/en-us/library/aa813708(VS.85).aspx
uiBaseAddress = (UINT_PTR)((_PPEB)uiBaseAddress)->pLdr;
// get the first entry of the InMemoryOrder module list
uiValueA = (UINT_PTR)((PPEB_LDR_DATA)uiBaseAddress)->InMemoryOrderModuleList.Flink;
while( uiValueA )
{
// get pointer to current modules name (unicode string)
uiValueB = (UINT_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.pBuffer;
// set bCounter to the length for the loop
usCounter = ((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.Length;
// clear uiValueC which will store the hash of the module name
uiValueC = 0;
// compute the hash of the module name...
do
{
uiValueC = ror( (DWORD)uiValueC );
// normalize to uppercase if the module name is in lowercase
if( *((BYTE *)uiValueB) >= 'a' )
uiValueC += *((BYTE *)uiValueB) - 0x20;
else
uiValueC += *((BYTE *)uiValueB);
uiValueB++;
} while( --usCounter );
// compare the hash with that of kernel32.dll
if( (DWORD)uiValueC == KERNEL32DLL_HASH )
{
// get this modules base address
uiBaseAddress = (UINT_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase;
break;
}
// get the next entry
uiValueA = DEREF( uiValueA );
}
// get the VA of the modules NT Header
uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;
// uiNameArray = the address of the modules export directory entry
uiNameArray = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
// get the VA of the export directory
uiExportDir = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress );
// get the VA for the array of name pointers
uiNameArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNames );
// get the VA for the array of name ordinals
uiNameOrdinals = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNameOrdinals );
usCounter = 5;
// loop while we still have imports to find
while( usCounter > 0 )
{
// compute the hash values for this function name
dwHashValue = hash( (char *)( uiBaseAddress + DEREF_32( uiNameArray ) ) );
// if we have found a function we want we get its virtual address
if( dwHashValue == LOADLIBRARYA_HASH || dwHashValue == GETPROCADDRESS_HASH || dwHashValue == VIRTUALALLOC_HASH || dwHashValue == VIRTUALLOCK_HASH || dwHashValue == OUTPUTDEBUG_HASH )
{
// get the VA for the array of addresses
uiAddressArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions );
// use this functions name ordinal as an index into the array of name pointers
uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) );
// store this functions VA
if( dwHashValue == LOADLIBRARYA_HASH )
pLoadLibraryA = (LOADLIBRARYA)( uiBaseAddress + DEREF_32( uiAddressArray ) );
else if( dwHashValue == GETPROCADDRESS_HASH )
pGetProcAddress = (GETPROCADDRESS)( uiBaseAddress + DEREF_32( uiAddressArray ) );
else if( dwHashValue == VIRTUALALLOC_HASH )
pVirtualAlloc = (VIRTUALALLOC)( uiBaseAddress + DEREF_32( uiAddressArray ) );
else if( dwHashValue == VIRTUALLOCK_HASH )
pVirtualLock = (VIRTUALLOCK)( uiBaseAddress + DEREF_32( uiAddressArray ) );
else if( dwHashValue == OUTPUTDEBUG_HASH )
pOutputDebug = (OUTPUTDEBUG)( uiBaseAddress + DEREF_32( uiAddressArray ) );
// decrement our counter
usCounter--;
}
// get the next exported function name
uiNameArray += sizeof(DWORD);
// get the next exported function name ordinal
uiNameOrdinals += sizeof(WORD);
}
// STEP 2: load our image into a new permanent location in memory...
// get the VA of the NT Header for the PE to be loaded
uiHeaderValue = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
// allocate all the memory for the DLL to be loaded into. we can load at any address because we will
// relocate the image. Also zeros all memory and marks it as READ, WRITE and EXECUTE to avoid any problems.
uiBaseAddress = (UINT_PTR)pVirtualAlloc( NULL, ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfImage, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE );
// prevent our image from being swapped to the pagefile
pVirtualLock((LPVOID)uiBaseAddress, ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfImage);
// we must now copy over the headers
uiValueA = ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfHeaders;
uiValueB = uiLibraryAddress;
uiValueC = uiBaseAddress;
__movsb( (PBYTE)uiValueC, (PBYTE)uiValueB, uiValueA );
// STEP 3: load in all of our sections...
// uiValueA = the VA of the first section
uiValueA = ( (UINT_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader + ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.SizeOfOptionalHeader );
uiValueE = ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.NumberOfSections;
// iterate through all sections, loading them into memory.
while( uiValueE-- )
{
// uiValueB is the VA for this section
uiValueB = ( uiBaseAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->VirtualAddress );
// uiValueC if the VA for this sections data
uiValueC = ( uiLibraryAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->PointerToRawData );
// copy the section over
uiValueD = ((PIMAGE_SECTION_HEADER)uiValueA)->SizeOfRawData;
__movsb( (PBYTE)uiValueB, (PBYTE)uiValueC, uiValueD );
// get the VA of the next section
uiValueA += sizeof( IMAGE_SECTION_HEADER );
}
// STEP 4: process our images import table...
// uiValueB = the address of the import directory
uiValueB = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_IMPORT ];
uiValueC = ( uiBaseAddress + (UINT_PTR)((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress );
// iterate through all imports until a null RVA is found (Characteristics is mis-named)
while( ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Characteristics )
{
/*
pOutputDebug("Loading library: ");
pOutputDebug((LPCSTR)( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name ));
pOutputDebug("\n");
*/
// use LoadLibraryA to load the imported module into memory
uiLibraryAddress = (UINT_PTR)pLoadLibraryA( (LPCSTR)( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name ) );
if (! uiLibraryAddress) {
//pOutputDebug("Loading library FAILED\n");
// get the next import
uiValueC += sizeof( IMAGE_IMPORT_DESCRIPTOR );
continue;
}
// uiValueD = VA of the OriginalFirstThunk
uiValueD = ( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->OriginalFirstThunk );
// uiValueA = VA of the IAT (via first thunk not origionalfirstthunk)
uiValueA = ( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->FirstThunk );
// itterate through all imported functions, importing by ordinal if no name present
while( DEREF(uiValueA) )
{
// sanity check uiValueD as some compilers only import by FirstThunk
if( uiValueD && ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal & IMAGE_ORDINAL_FLAG )
{
// get the VA of the modules NT Header
uiExportDir = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
// uiNameArray = the address of the modules export directory entry
uiNameArray = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
// get the VA of the export directory
uiExportDir = ( uiLibraryAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress );
// get the VA for the array of addresses
uiAddressArray = ( uiLibraryAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions );
// use the import ordinal (- export ordinal base) as an index into the array of addresses
uiAddressArray += ( ( IMAGE_ORDINAL( ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal ) - ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->Base ) * sizeof(DWORD) );
// patch in the address for this imported function
DEREF(uiValueA) = ( uiLibraryAddress + DEREF_32(uiAddressArray) );
}
else
{
// get the VA of this functions import by name struct
uiValueB = ( uiBaseAddress + DEREF(uiValueA) );
/*
pOutputDebug("Resolving function: ");
pOutputDebug((LPCSTR)( (LPCSTR)((PIMAGE_IMPORT_BY_NAME)uiValueB)->Name ));
pOutputDebug("\n");
*/
// use GetProcAddress and patch in the address for this imported function
DEREF(uiValueA) = (UINT_PTR)pGetProcAddress( (HMODULE)uiLibraryAddress, (LPCSTR)((PIMAGE_IMPORT_BY_NAME)uiValueB)->Name );
}
// get the next imported function
uiValueA += sizeof( UINT_PTR );
if( uiValueD )
uiValueD += sizeof( UINT_PTR );
}
// get the next import
uiValueC += sizeof( IMAGE_IMPORT_DESCRIPTOR );
}
// STEP 5: process all of our images relocations...
// calculate the base address delta and perform relocations (even if we load at desired image base)
uiLibraryAddress = uiBaseAddress - ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.ImageBase;
// uiValueB = the address of the relocation directory
uiValueB = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_BASERELOC ];
// check if there are any relocations present
if( ((PIMAGE_DATA_DIRECTORY)uiValueB)->Size )
{
// uiValueC is now the first entry (IMAGE_BASE_RELOCATION)
uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress );
// and we iterate through all entries...
while( ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock )
{
// uiValueA = the VA for this relocation block
uiValueA = ( uiBaseAddress + ((PIMAGE_BASE_RELOCATION)uiValueC)->VirtualAddress );
// uiValueB = number of entries in this relocation block
uiValueB = ( ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION) ) / sizeof( IMAGE_RELOC );
// uiValueD is now the first entry in the current relocation block
uiValueD = uiValueC + sizeof(IMAGE_BASE_RELOCATION);
// we itterate through all the entries in the current block...
while( uiValueB-- )
{
// perform the relocation, skipping IMAGE_REL_BASED_ABSOLUTE as required.
// we dont use a switch statement to avoid the compiler building a jump table
// which would not be very position independent!
if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_DIR64 )
*(UINT_PTR *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += uiLibraryAddress;
else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGHLOW )
*(DWORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += (DWORD)uiLibraryAddress;
else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGH )
*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += HIWORD(uiLibraryAddress);
else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_LOW )
*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += LOWORD(uiLibraryAddress);
// get the next entry in the current relocation block
uiValueD += sizeof( IMAGE_RELOC );
}
// get the next entry in the relocation directory
uiValueC = uiValueC + ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock;
}
}
// STEP 6: process the images exception directory if it has one (PE32+ for x64)
/*
// uiValueB = the address of the relocation directory
uiValueB = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXCEPTION ];
// check if their are any exception etries present
if( ((PIMAGE_DATA_DIRECTORY)uiValueB)->Size )
{
// get the number of entries
uiValueA = ((PIMAGE_DATA_DIRECTORY)uiValueB)->Size / sizeof( IMAGE_RUNTIME_FUNCTION_ENTRY );
// uiValueC is now the first entry (IMAGE_RUNTIME_FUNCTION_ENTRY)
uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress );
// itterate through all entries
while( uiValueA-- )
{
//((IMAGE_RUNTIME_FUNCTION_ENTRY)uiValueC).BeginAddress
// get the next entry
uiValueC += sizeof( IMAGE_RUNTIME_FUNCTION_ENTRY );
}
}
*/
// STEP 7: call our images entry point
// uiValueA = the VA of our newly loaded DLL/EXE's entry point
uiValueA = ( uiBaseAddress + ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.AddressOfEntryPoint );
// call our respective entry point, fudging our hInstance value
#ifdef REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
// if we are injecting a DLL via LoadRemoteLibraryR we call DllMain and pass in our parameter (via the DllMain lpReserved parameter)
((DLLMAIN)uiValueA)( (HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, lpParameter );
#else
// if we are injecting an DLL via a stub we call DllMain with no parameter
((DLLMAIN)uiValueA)( (HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, NULL );
#endif
// STEP 8: return our new entry point address so whatever called us can call DLL_METASPLOIT_ATTACH/DLL_METASPLOIT_DETACH
return uiValueA;
}
DLLEXPORT ULONG_PTR WINAPI ReflectiveLoader(VOID)
#endif
{
// the functions we need
LOADLIBRARYA pLoadLibraryA = NULL;
GETPROCADDRESS pGetProcAddress = NULL;
VIRTUALALLOC pVirtualAlloc = NULL;
NTFLUSHINSTRUCTIONCACHE pNtFlushInstructionCache = NULL;
USHORT usCounter;
// the initial location of this image in memory
ULONG_PTR uiLibraryAddress;
// the kernels base address and later this images newly loaded base address
ULONG_PTR uiBaseAddress;
// variables for processing the kernels export table
ULONG_PTR uiAddressArray;
ULONG_PTR uiNameArray;
ULONG_PTR uiExportDir;
ULONG_PTR uiNameOrdinals;
DWORD dwHashValue;
// variables for loading this image
ULONG_PTR uiHeaderValue;
ULONG_PTR uiValueA;
ULONG_PTR uiValueB;
ULONG_PTR uiValueC;
ULONG_PTR uiValueD;
ULONG_PTR uiValueE;
// STEP 0: calculate our images current base address
// we will start searching backwards from our callers return address.
uiLibraryAddress = caller();
// loop through memory backwards searching for our images base address
// we dont need SEH style search as we shouldnt generate any access violations with this
while (TRUE)
{
if (((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_magic == IMAGE_DOS_SIGNATURE)
{
uiHeaderValue = ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
// some x64 dll's can trigger a bogus signature (IMAGE_DOS_SIGNATURE == 'POP r10'),
// we sanity check the e_lfanew with an upper threshold value of 1024 to avoid problems.
if (uiHeaderValue >= sizeof(IMAGE_DOS_HEADER) && uiHeaderValue < 1024)
{
uiHeaderValue += uiLibraryAddress;
// break if we have found a valid MZ/PE header
if (((PIMAGE_NT_HEADERS)uiHeaderValue)->Signature == IMAGE_NT_SIGNATURE)
break;
}
}
uiLibraryAddress--;
}
// STEP 1: process the kernels exports for the functions our loader needs...
// get the Process Enviroment Block
#ifdef WIN_X64
uiBaseAddress = __readgsqword(0x60);
#else
#ifdef WIN_X86
uiBaseAddress = __readfsdword(0x30);
#else WIN_ARM
//uiBaseAddress = *(DWORD *)( (BYTE *)_MoveFromCoprocessor( 15, 0, 13, 0, 2 ) + 0x30 );
#endif
#endif
// get the processes loaded modules. ref: http://msdn.microsoft.com/en-us/library/aa813708(VS.85).aspx
uiBaseAddress = (ULONG_PTR)((_PPEB)uiBaseAddress)->pLdr;
// get the first entry of the InMemoryOrder module list
uiValueA = (ULONG_PTR)((PPEB_LDR_DATA)uiBaseAddress)->InMemoryOrderModuleList.Flink;
while (uiValueA)
{
// get pointer to current modules name (unicode string)
uiValueB = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.pBuffer;
// set bCounter to the length for the loop
usCounter = ((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.Length;
// clear uiValueC which will store the hash of the module name
uiValueC = 0;
// compute the hash of the module name...
do
{
uiValueC = ror((DWORD)uiValueC);
// normalize to uppercase if the madule name is in lowercase
if (*((BYTE *)uiValueB) >= 'a')
{
uiValueC += *((BYTE *)uiValueB) - 0x20;
}
else
{
uiValueC += *((BYTE *)uiValueB);
}
uiValueB++;
} while (--usCounter);
// compare the hash with that of kernel32.dll
if ((DWORD)uiValueC == KERNEL32DLL_HASH)
{
// get this modules base address
uiBaseAddress = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase;
// get the VA of the modules NT Header
uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;
// uiNameArray = the address of the modules export directory entry
uiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
// get the VA of the export directory
uiExportDir = (uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress);
// get the VA for the array of name pointers
uiNameArray = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfNames);
// get the VA for the array of name ordinals
uiNameOrdinals = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfNameOrdinals);
usCounter = 3;
// loop while we still have imports to find
while (usCounter > 0)
{
// compute the hash values for this function name
dwHashValue = hash((char *)(uiBaseAddress + DEREF_32(uiNameArray)));
// if we have found a function we want we get its virtual address
if (dwHashValue == LOADLIBRARYA_HASH || dwHashValue == GETPROCADDRESS_HASH || dwHashValue == VIRTUALALLOC_HASH)
{
// get the VA for the array of addresses
uiAddressArray = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfFunctions);
// use this functions name ordinal as an index into the array of name pointers
uiAddressArray += (DEREF_16(uiNameOrdinals) * sizeof(DWORD));
// store this functions VA
if (dwHashValue == LOADLIBRARYA_HASH)
{
pLoadLibraryA = (LOADLIBRARYA)(uiBaseAddress + DEREF_32(uiAddressArray));
}
else if (dwHashValue == GETPROCADDRESS_HASH)
{
pGetProcAddress = (GETPROCADDRESS)(uiBaseAddress + DEREF_32(uiAddressArray));
}
else if (dwHashValue == VIRTUALALLOC_HASH)
pVirtualAlloc = (VIRTUALALLOC)(uiBaseAddress + DEREF_32(uiAddressArray));
// decrement our counter
usCounter--;
}
// get the next exported function name
uiNameArray += sizeof(DWORD);
// get the next exported function name ordinal
uiNameOrdinals += sizeof(WORD);
}
}
else if ((DWORD)uiValueC == NTDLLDLL_HASH)
{
// get this modules base address
uiBaseAddress = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase;
// get the VA of the modules NT Header
uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;
// uiNameArray = the address of the modules export directory entry
uiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
// get the VA of the export directory
uiExportDir = (uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress);
// get the VA for the array of name pointers
uiNameArray = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfNames);
// get the VA for the array of name ordinals
uiNameOrdinals = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfNameOrdinals);
usCounter = 1;
// loop while we still have imports to find
while (usCounter > 0)
{
// compute the hash values for this function name
dwHashValue = hash((char *)(uiBaseAddress + DEREF_32(uiNameArray)));
// if we have found a function we want we get its virtual address
if (dwHashValue == NTFLUSHINSTRUCTIONCACHE_HASH)
{
// get the VA for the array of addresses
uiAddressArray = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfFunctions);
// use this functions name ordinal as an index into the array of name pointers
uiAddressArray += (DEREF_16(uiNameOrdinals) * sizeof(DWORD));
// store this functions VA
if (dwHashValue == NTFLUSHINSTRUCTIONCACHE_HASH)
pNtFlushInstructionCache = (NTFLUSHINSTRUCTIONCACHE)(uiBaseAddress + DEREF_32(uiAddressArray));
// decrement our counter
usCounter--;
}
// get the next exported function name
uiNameArray += sizeof(DWORD);
// get the next exported function name ordinal
uiNameOrdinals += sizeof(WORD);
}
}
// we stop searching when we have found everything we need.
if (pLoadLibraryA && pGetProcAddress && pVirtualAlloc && pNtFlushInstructionCache)
break;
// get the next entry
uiValueA = DEREF(uiValueA);
}
// STEP 2: load our image into a new permanent location in memory...
// get the VA of the NT Header for the PE to be loaded
uiHeaderValue = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
// allocate all the memory for the DLL to be loaded into. we can load at any address because we will
// relocate the image. Also zeros all memory and marks it as READ, WRITE and EXECUTE to avoid any problems.
uiBaseAddress = (ULONG_PTR)pVirtualAlloc(NULL, ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfImage, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
// we must now copy over the headers
uiValueA = ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfHeaders;
uiValueB = uiLibraryAddress;
uiValueC = uiBaseAddress;
while (uiValueA--)
*(BYTE *)uiValueC++ = *(BYTE *)uiValueB++;
// STEP 3: load in all of our sections...
// uiValueA = the VA of the first section
uiValueA = ((ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader + ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.SizeOfOptionalHeader);
// itterate through all sections, loading them into memory.
uiValueE = ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.NumberOfSections;
while (uiValueE--)
{
// uiValueB is the VA for this section
uiValueB = (uiBaseAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->VirtualAddress);
// uiValueC if the VA for this sections data
uiValueC = (uiLibraryAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->PointerToRawData);
// copy the section over
uiValueD = ((PIMAGE_SECTION_HEADER)uiValueA)->SizeOfRawData;
while (uiValueD--)
*(BYTE *)uiValueB++ = *(BYTE *)uiValueC++;
// get the VA of the next section
uiValueA += sizeof(IMAGE_SECTION_HEADER);
}
// STEP 4: process our images import table...
// uiValueB = the address of the import directory
uiValueB = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
// we assume their is an import table to process
// uiValueC is the first entry in the import table
uiValueC = (uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress);
// itterate through all imports
while (((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name)
{
// use LoadLibraryA to load the imported module into memory
uiLibraryAddress = (ULONG_PTR)pLoadLibraryA((LPCSTR)(uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name));
// uiValueD = VA of the OriginalFirstThunk
uiValueD = (uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->OriginalFirstThunk);
// uiValueA = VA of the IAT (via first thunk not origionalfirstthunk)
uiValueA = (uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->FirstThunk);
// itterate through all imported functions, importing by ordinal if no name present
while (DEREF(uiValueA))
{
// sanity check uiValueD as some compilers only import by FirstThunk
if (uiValueD && ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal & IMAGE_ORDINAL_FLAG)
{
// get the VA of the modules NT Header
uiExportDir = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
// uiNameArray = the address of the modules export directory entry
uiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
// get the VA of the export directory
uiExportDir = (uiLibraryAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress);
// get the VA for the array of addresses
uiAddressArray = (uiLibraryAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfFunctions);
// use the import ordinal (- export ordinal base) as an index into the array of addresses
uiAddressArray += ((IMAGE_ORDINAL(((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal) - ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->Base) * sizeof(DWORD));
// patch in the address for this imported function
DEREF(uiValueA) = (uiLibraryAddress + DEREF_32(uiAddressArray));
}
else
{
// get the VA of this functions import by name struct
uiValueB = (uiBaseAddress + DEREF(uiValueA));
// use GetProcAddress and patch in the address for this imported function
DEREF(uiValueA) = (ULONG_PTR)pGetProcAddress((HMODULE)uiLibraryAddress, (LPCSTR)((PIMAGE_IMPORT_BY_NAME)uiValueB)->Name);
}
// get the next imported function
uiValueA += sizeof(ULONG_PTR);
if (uiValueD)
uiValueD += sizeof(ULONG_PTR);
}
// get the next import
uiValueC += sizeof(IMAGE_IMPORT_DESCRIPTOR);
}
// STEP 5: process all of our images relocations...
// calculate the base address delta and perform relocations (even if we load at desired image base)
uiLibraryAddress = uiBaseAddress - ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.ImageBase;
// uiValueB = the address of the relocation directory
uiValueB = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];
// check if their are any relocations present
if (((PIMAGE_DATA_DIRECTORY)uiValueB)->Size)
{
// uiValueC is now the first entry (IMAGE_BASE_RELOCATION)
uiValueC = (uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress);
// and we itterate through all entries...
while (((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock)
{
// uiValueA = the VA for this relocation block
uiValueA = (uiBaseAddress + ((PIMAGE_BASE_RELOCATION)uiValueC)->VirtualAddress);
// uiValueB = number of entries in this relocation block
uiValueB = (((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(IMAGE_RELOC);
// uiValueD is now the first entry in the current relocation block
uiValueD = uiValueC + sizeof(IMAGE_BASE_RELOCATION);
// we itterate through all the entries in the current block...
while (uiValueB--)
{
// perform the relocation, skipping IMAGE_REL_BASED_ABSOLUTE as required.
// we dont use a switch statement to avoid the compiler building a jump table
// which would not be very position independent!
if (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_DIR64)
{
*(ULONG_PTR *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += uiLibraryAddress;
}
else if (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGHLOW)
{
*(DWORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += (DWORD)uiLibraryAddress;
}
#ifdef WIN_ARM
// Note: On ARM, the compiler optimization /O2 seems to introduce an off by one issue, possibly a code gen bug. Using /O1 instead avoids this problem.
else if (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_ARM_MOV32T)
{
register DWORD dwInstruction;
register DWORD dwAddress;
register WORD wImm;
// get the MOV.T instructions DWORD value (We add 4 to the offset to go past the first MOV.W which handles the low word)
dwInstruction = *(DWORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset + sizeof(DWORD));
// flip the words to get the instruction as expected
dwInstruction = MAKELONG(HIWORD(dwInstruction), LOWORD(dwInstruction));
// sanity chack we are processing a MOV instruction...
if ((dwInstruction & ARM_MOV_MASK) == ARM_MOVT)
{
// pull out the encoded 16bit value (the high portion of the address-to-relocate)
wImm = (WORD)(dwInstruction & 0x000000FF);
wImm |= (WORD)((dwInstruction & 0x00007000) >> 4);
wImm |= (WORD)((dwInstruction & 0x04000000) >> 15);
wImm |= (WORD)((dwInstruction & 0x000F0000) >> 4);
// apply the relocation to the target address
dwAddress = ((WORD)HIWORD(uiLibraryAddress) + wImm) & 0xFFFF;
// now create a new instruction with the same opcode and register param.
dwInstruction = (DWORD)(dwInstruction & ARM_MOV_MASK2);
// patch in the relocated address...
dwInstruction |= (DWORD)(dwAddress & 0x00FF);
dwInstruction |= (DWORD)(dwAddress & 0x0700) << 4;
dwInstruction |= (DWORD)(dwAddress & 0x0800) << 15;
dwInstruction |= (DWORD)(dwAddress & 0xF000) << 4;
// now flip the instructions words and patch back into the code...
*(DWORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset + sizeof(DWORD)) = MAKELONG(HIWORD(dwInstruction), LOWORD(dwInstruction));
}
}
#endif
else if (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGH)
{
*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += HIWORD(uiLibraryAddress);
}
else if (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_LOW)
{
*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += LOWORD(uiLibraryAddress);
}
// get the next entry in the current relocation block
uiValueD += sizeof(IMAGE_RELOC);
}
bool GLBoxSelector::draw(GLenum which_colorbuffer)
{
bool ret = false;
if (!hidden) {
glw->makeCurrent();
GLint saved_dbuf;
glGetIntegerv(GL_DRAW_BUFFER, &saved_dbuf);
glDrawBuffer(which_colorbuffer);
GLint matmode_saved;
glGetIntegerv(GL_MATRIX_MODE, &matmode_saved);
glMatrixMode(GL_PROJECTION);
glPushMatrix();
glLoadMatrixf(projmatrix);
glMatrixMode(GL_MODELVIEW);
glPushMatrix();
GLint saved_polygonmode[2];
GLint saved_sfactor, saved_dfactor;
GLint savedPat(0), savedRepeat(0);
GLfloat savedColor[4];
GLfloat savedWidth;
bool wasEnabled = glIsEnabled(GL_LINE_STIPPLE);
bool hadBlend = glIsEnabled(GL_BLEND);
bool hadSmooth = glIsEnabled(GL_LINE_SMOOTH);
GLint hadca, hadva, hadta;
glGetIntegerv(GL_POLYGON_MODE, saved_polygonmode);
// save some values
glGetFloatv(GL_CURRENT_COLOR, savedColor);
glGetIntegerv(GL_LINE_STIPPLE_PATTERN, &savedPat);
glGetIntegerv(GL_LINE_STIPPLE_REPEAT, &savedRepeat);
glGetFloatv(GL_LINE_WIDTH, &savedWidth);
glGetIntegerv(GL_BLEND_SRC, &saved_sfactor);
glGetIntegerv(GL_BLEND_DST, &saved_dfactor);
glGetIntegerv(GL_COLOR_ARRAY, &hadca);
glGetIntegerv(GL_VERTEX_ARRAY, &hadva);
glGetIntegerv(GL_TEXTURE_COORD_ARRAY, &hadta);
if (!hadva) glEnableClientState(GL_VERTEX_ARRAY);
if (hadta) glDisableClientState(GL_TEXTURE_COORD_ARRAY);
if (hadca) glDisableClientState(GL_COLOR_ARRAY);
if (!hadSmooth) glEnable(GL_LINE_SMOOTH);
if (!hadBlend) glEnable(GL_BLEND);
glBlendFunc(GL_SRC_ALPHA, GL_ONE_MINUS_SRC_ALPHA);
// next, draw everything BUT the box with a flicker/gray area...
glColor4f(.3f, .3f, .4f, .25f);
if (wasEnabled) glDisable(GL_LINE_STIPPLE);
glPolygonMode(GL_FRONT,GL_FILL);
glLineWidth(1.f);
glLineStipple(1,0xffff);
const GLfloat verticesNonBox[] = {
0.f,0.f, 1.f,0.f, 1.f,box.v2, 0.f,box.v2, // bottom strip
0.f,box.v2, box.v1,box.v2, box.v1,1.f, 0.f,1.f, // left strip
box.v1,box.v4, 1.f,box.v4, 1.f,1.f, box.v1,1.f, // top strip
box.v3,box.v2, 1.f,box.v2, 1.f,box.v4, box.v3,box.v4 // right strip
};
glVertexPointer(2, GL_FLOAT, 0, verticesNonBox);
glDrawArrays(GL_QUADS,0,16);
glEnable(GL_LINE_STIPPLE);
//glPolygonMode(GL_FRONT, GL_LINE);
// outline.. use normal alphas
glLineWidth(4.0f);
unsigned short pat = 0xcccc;
int shift = static_cast<unsigned int>(Util::getTime() * 32.0) % 16;
pat = ror(pat,shift);
glLineStipple(1, pat);
const GLfloat verticesBox[] = {
box.v1, box.v2,
box.v3, box.v2,
box.v3, box.v4,
box.v1, box.v4,
box.v1, box.v2,
};
float dummy, colorscale = modff((Util::getTime() * 16.) / M_PI, &dummy);
const float s = (sinf(colorscale)+1.f)/2.f, c = (sinf(colorscale*1.123)+1.f)/2.f,
d = (sinf(colorscale*.8123)+1.f)/2.f;
// draw surrounding box
glColor4f(c, s, d, .75);
glVertexPointer(2, GL_FLOAT, 0, verticesBox);
glDrawArrays(GL_LINE_LOOP, 0, 5);
// draw interior 'grid'
glLineWidth(1.f);
glLineStipple(1,0xaaaa);
const GLfloat gw = (box.v3-box.v1)/3.f, gh = (box.v4-box.v2)/3.f;
const GLfloat verticesGrid[] = {
box.v1+gw, box.v2,
box.v1+gw, box.v4,
box.v1+(gw*2.f), box.v2,
box.v1+(gw*2.f), box.v4,
box.v1, box.v2+gh,
box.v3, box.v2+gh,
box.v1, box.v2+(2.f*gh),
box.v3, box.v2+(2.f*gh),
};
glVertexPointer(2, GL_FLOAT, 0, verticesGrid);
glDrawArrays(GL_LINES, 0, 8);
// restore saved OpenGL state
if (hadta) glEnableClientState(GL_TEXTURE_COORD_ARRAY);
if (hadca) glEnableClientState(GL_COLOR_ARRAY);
if (!hadva) glDisableClientState(GL_VERTEX_ARRAY);
glBlendFunc(saved_sfactor, saved_dfactor);
glPolygonMode(GL_FRONT, saved_polygonmode[0]);
glColor4fv(savedColor);
glLineStipple(savedRepeat, savedPat);
glLineWidth(savedWidth);
if (!wasEnabled) glDisable(GL_LINE_STIPPLE);
if (!hadBlend) glDisable(GL_BLEND);
if (!hadSmooth) glDisable(GL_LINE_SMOOTH);
glPopMatrix();
glMatrixMode(GL_PROJECTION);
glPopMatrix();
glMatrixMode(matmode_saved);
glDrawBuffer(saved_dbuf);
ret = true;
}
return ret;
}
PointViewSet RadiusOutlierFilter::run(PointViewPtr input)
{
bool logOutput = log()->getLevel() > LogLevel::Debug1;
if (logOutput)
log()->floatPrecision(8);
log()->get(LogLevel::Debug2) << "Process RadiusOutlierFilter...\n";
// convert PointView to PointXYZ
typedef pcl::PointCloud<pcl::PointXYZ> Cloud;
Cloud::Ptr cloud(new Cloud);
BOX3D bounds;
input->calculateBounds(bounds);
pclsupport::PDALtoPCD(input, *cloud, bounds);
pclsupport::setLogLevel(log()->getLevel());
// setup the outlier filter
pcl::RadiusOutlierRemoval<pcl::PointXYZ> ror(true);
ror.setInputCloud(cloud);
ror.setMinNeighborsInRadius(m_min_neighbors);
ror.setRadiusSearch(m_radius);
pcl::PointCloud<pcl::PointXYZ> output;
ror.setNegative(true);
ror.filter(output);
// filtered to return inliers
pcl::PointIndicesPtr inliers(new pcl::PointIndices);
ror.getRemovedIndices(*inliers);
PointViewSet viewSet;
if (inliers->indices.empty())
{
log()->get(LogLevel::Warning) << "Requested filter would remove all points. Try a larger radius/smaller minimum neighbors.\n";
viewSet.insert(input);
return viewSet;
}
// inverse are the outliers
std::vector<int> outliers(input->size()-inliers->indices.size());
for (PointId i = 0, j = 0, k = 0; i < input->size(); ++i)
{
if (i == (PointId)inliers->indices[j])
{
j++;
continue;
}
outliers[k++] = i;
}
if (!outliers.empty() && (m_classify || m_extract))
{
if (m_classify)
{
log()->get(LogLevel::Debug2) << "Labeled " << outliers.size() << " outliers as noise!\n";
// set the classification label of outlier returns as 18
// (corresponding to ASPRS LAS specification for high noise)
for (const auto& i : outliers)
{
input->setField(Dimension::Id::Classification, i, 18);
}
viewSet.insert(input);
}
if (m_extract)
{
log()->get(LogLevel::Debug2) << "Extracted " << inliers->indices.size() << " inliers!\n";
// create new PointView containing only outliers
PointViewPtr output = input->makeNew();
for (const auto& i : inliers->indices)
{
output->appendPoint(*input, i);
}
viewSet.erase(input);
viewSet.insert(output);
}
}
else
{
if (outliers.empty())
log()->get(LogLevel::Warning) << "Filtered cloud has no outliers!\n";
if (!(m_classify || m_extract))
log()->get(LogLevel::Warning) << "Must choose --classify or --extract\n";
// return the input buffer unchanged
viewSet.insert(input);
}
return viewSet;
}
/* (4.5) */
static inline UINT32
Sum1(UINT32 x)
{
return (ror(x, 6) ^ ror(x, 11) ^ ror(x, 25));
}
/* (4.4) */
static inline UINT32 Sum0(UINT32 x)
{
return (ror(x, 2) ^ ror(x, 13) ^ ror(x, 22));
}
