Sonic and Sega Retro Message Board: ATTENTION: "Sonic Gather Battle" fangame is malware - Sonic and Sega Retro Message Board


ATTENTION: "Sonic Gather Battle" fangame is malware

#16 CpChan

Posted 11 December 2017 - 04:01 PM

  • Posts: 4
  • Joined: 26-November 17
  • Gender:Female
  • Location:Starlight Zone, South Island
  • Project:Project: FUTURE
Man, every time I hear about this- Which is a lot, considering it's still ongoing as of this post- it continues to horrify me. I can completely, unabashedly understand the desire to protect one's work, but when it gets to a point of insanity like this.. You put more effort into protecting your game than your game itself. It goes wholly illegal. How do you even get to this point? It's scary- beyond scary.

Plus.. I'm still having trouble figuring out what he's trying to protect at this point. :v:

#17 Perfect Chaos Zero

Posted 11 December 2017 - 04:07 PM

  • Notoriously Inebriated
  • Posts: 183
  • Joined: 09-October 08
  • Gender:Male
  • Wiki edits:1
Please read what gerbilsoft said in terms of the "keylogging".

Yes it's fucked up but it's not AS intense as some are making it out to be. Either way, it's been handled rather neatly and soundly by the community. Game is dead and the dev's bullshit exposed. Hardly necessary to keep beating a dead horse and NO, Aaron Webber does not need to be bothered about this. The dragon's dead, the fan gaming community policed itself as usual. SGB's installer no longer installs, the game no longer runs. GG The End.

#18 Xeal

Posted 11 December 2017 - 04:10 PM

  • Posts: 1213
  • Joined: 06-March 14
  • Gender:Male
  • Location:Rock spinning around a nuclear powerhouse
  • Project:College

MotorRoach, on 11 December 2017 - 10:11 AM, said:

Can't say I'm surprised. The guy has been showing signs of being neurotic for a good couple of years, to the point he would delete his own videos a few days later for no reason, and if you dared to use any of his work, he would deem his game as canceled until you removed anything that is his (even if you just used it for a Flash animation nobody gives a heck about). His ego is just that far up his ass that he doesn't know when he's crossing the line.

His sprites aren't even that good either. Yes, they are good looking, but most of them are Sonic edits. It's nothing worth bragging about, let alone going this far.


This. Fucking this.

I remember 5-6 years ago how every now and then he'd just come up and say "shit's canceled" and when asked why would divulge into "wahhh people are stealing muh sprites" (sprites of which I've never even seen credit for, but someone can correct me on this).

Which is why I'm not even surprised with this level of paranoid idiocy. He's that much of a paranoid twat to whine and constantly cancel his shit over things that he never even proved. (He claimed numerous times his sprites were stolen and not in my memory did I ever see him show proof of this).

#19 Chris Highwind

Posted 11 December 2017 - 08:48 PM

  • Posts: 2035
  • Joined: 30-August 08
  • Gender:Male
  • Location:Mooresville, NC
  • Project:Slacking
  • Wiki edits:13
After seeing the extent to which this DRM is going to protect reused assets, suddenly Mania and Forces' DRM look like they were released on GOG.com.

#20 DarkVDee

Posted 11 December 2017 - 09:13 PM

  • Vampire Pixel Artist
  • Posts: 297
  • Joined: 08-November 15
  • Gender:Male
  • Location:California
  • Project:Sonic: Haven Home World
Here's my reply to this


#21 ThatShannonWoman

Posted 11 December 2017 - 10:03 PM

  • Posts: 1
  • Joined: 18-September 17
  • Gender:Female
  • Location:Piloting Cybuster. Totally.
  • Project:Being amazing
I know I'm not the most active poster, but since this is something that's now been gaining more traction and is getting reported on even, I thought I'd share a vid of it. https://www.youtube....h?v=e_mrxssK4E8

I'm thinking this would not be the press the guy wanted. But regardless he's achieved it.

#22 WAC

Posted 11 December 2017 - 11:46 PM

  • william
  • Posts: 4492
  • Joined: 05-April 10
  • Gender:Male
  • Wiki edits:2
Welp. I hope it never impacted my computer in any way. :argh: Never bothered to play it, but it was on my computer from the time I downloaded all of the Sage 2016 games.

#23 Amnimator

Posted 12 December 2017 - 06:03 AM

  • Posts: 222
  • Joined: 15-April 13
  • Gender:Male

ICEknight, on 11 December 2017 - 02:15 PM, said:

More damage than a SEGA representative saying that a Sonic game has viruses?

Okamikurainya, on 11 December 2017 - 02:25 PM, said:

If it stays within the fangame community, it's fine. Trying to get a SEGA representative to comment on it can backfire horrifically in many ways.
My point is getting it to silently boil is how you get a SEGA representative to come at this at its worst. A bunch of kids whining about viruses to various SEGA social media would lead to a much worse outcome than, "hey, check this thing out" when it's small. Plus, why ask them to publicly comment? More like, "You guys should probably send a C&D".

Regardless, I'm sure SEGA knows about it at this point without anyone needing to tell them - just yesterday I saw this on the front page of r/PCGaming and /v/ as well as the home page of many Sonic related fan-sites. I'm saying stopping it when it's small would much more likely end in a peaceful outcome. If a bunch of kids started talking about their PCs infected with malware to SEGA social media, that would lead to the same outcome, but worse. Mix that with sensationalist titles like, "New Sonic Game comes with Malware!" and you're in for a spicy situation. Them finding out through a few people in Twitter vs them finding out about this through sensationalist titles that can fall on their head, and a bunch of kids installing malware.
This post has been edited by Amnimator: 12 December 2017 - 06:28 AM

#24 Stink Terios

Posted 12 December 2017 - 07:29 AM

  • Posts: 65
  • Joined: 12-September 09
I hope people post "his" sprites everywhere :v:

e: Here they are: www.mediafire.com/file/j7t2g45e567e6md/second+seelkding+dude.zip
Hyperlinking seems to be broken btw.

Oh God, fucking Seelkadom from that dumb flash animation is in this game?
This post has been edited by Stink Terios: 12 December 2017 - 07:56 AM

#25 Okamikurainya

Posted 12 December 2017 - 08:57 AM

  • Posts: 209
  • Joined: 12-April 13
  • Gender:Male
  • Location:Somewhere in Africa
  • Project:Sonic: Time Attacked - MAX

Amnimator, on 12 December 2017 - 06:03 AM, said:

My point is getting it to silently boil is how you get a SEGA representative to come at this at its worst. A bunch of kids whining about viruses to various SEGA social media would lead to a much worse outcome than, "hey, check this thing out" when it's small. Plus, why ask them to publicly comment? More like, "You guys should probably send a C&D".

Regardless, I'm sure SEGA knows about it at this point without anyone needing to tell them - just yesterday I saw this on the front page of r/PCGaming and /v/ as well as the home page of many Sonic related fan-sites. I'm saying stopping it when it's small would much more likely end in a peaceful outcome. If a bunch of kids started talking about their PCs infected with malware to SEGA social media, that would lead to the same outcome, but worse. Mix that with sensationalist titles like, "New Sonic Game comes with Malware!" and you're in for a spicy situation. Them finding out through a few people in Twitter vs them finding out about this through sensationalist titles that can fall on their head, and a bunch of kids installing malware.


A bunch of kids wouldn't though... This particular attack is tailor made against a very specific type of "consumer" and many playing it blind would simply consider it a glitchy fangame if they stumbled upon the "DRM", without understanding the possible ramifications of someone else having their MAC address and such.

Anyhow, the game is dead and the fangame community handled it well, there was no slow boil and no need to overtly let Sega in on it.
This post has been edited by Okamikurainya: 12 December 2017 - 08:58 AM

#26 Amnimator

Posted 12 December 2017 - 10:53 AM

  • Posts: 222
  • Joined: 15-April 13
  • Gender:Male
Yeah, thankfully the situation finished as soon as it started, and I think I might have overestimated how much damage that one guy could've caused. However, I could totally see this getting messy had it been a more popular fangame.

It wasn't a targeted attack at all. Looking up "Sims 3 infinite money hack" while the game was still running would trigger the ""DRM"". The ""DRM"" having the capabilities of grabbing credit-card information, tracking browser history, and what-not. You'll get spicy sensationalist articles, "New Sonic game has Malware" weeks after Forces' release, kids installing viruses on their PC because of a fangame, and instead of SEGA just dealing with it as they have in the past, they get pressured to take action. This is a once in a blue moon situation, but as already mentioned in this PR sensitive age, they're more likely to take action if pressured into it, so better to stop it before it becomes something large-scale. I get the feeling keeping quiet during situations like these can ultimately make things worse. I think informing them to do a C&D early on prevents that whole situation from happening, better for us, better for them.

Still curious as to what mind set you need to rip sprites, modify them, and add malware to stop people from using them themselves. This is too intrusive to just exist to scare people off; he did this full well knowing he could end up with a criminal record. On the other end of the spectrum, you have people giving away the source code and assets of their fangames for people to build upon despite spending months/years of work.
This post has been edited by Amnimator: 12 December 2017 - 12:33 PM

#27 Techokami

Posted 12 December 2017 - 12:57 PM

  • For use only on NTSC Genesis systems
  • Posts: 1286
  • Joined: 19-November 05
  • Gender:Male
  • Location:HoleNet!
  • Project:Sonic Edge
  • Wiki edits:63

Stink Terios, on 12 December 2017 - 07:29 AM, said:

I hope people post "his" sprites everywhere :v:

e: Here they are: www.mediafire.com/file/j7t2g45e567e6md/second+seelkding+dude.zip
Hyperlinking seems to be broken btw.

Oh God, fucking Seelkadom from that dumb flash animation is in this game?

Hey I'm seeing sprites of mine in here. Does he credit anyone in his game at all for assets?

#28 GerbilSoft

Posted 12 December 2017 - 01:41 PM

  • RickRotate'd.
  • Posts: 2836
  • Joined: 11-January 03
  • Gender:Male
  • Location:USA
  • Project:Gens/GS
  • Wiki edits:5,000 + one spin

Amnimator, on 12 December 2017 - 10:53 AM, said:

Still curious as to what mind set you need to rip sprites, modify them, and add malware to stop people from using them themselves.

The same mindset as the Gateway 3DS team, who added code to brick 3DSes if used with "counterfeit" Gateway cards. (An earlier version of the Gateway firmware triggered this even on "legitimate" Gateway cards.)

Techokami, on 12 December 2017 - 12:57 PM, said:

Hey I'm seeing sprites of mine in here. Does he credit anyone in his game at all for assets?

There's no README, and I can't run the game properly in order to view an in-game credits screen, so I would assume "no".
This post has been edited by GerbilSoft: 12 December 2017 - 01:42 PM
Reason for edit: +credits

#29 GerbilSoft

Posted 13 December 2017 - 12:20 AM

  • RickRotate'd.
  • Posts: 2836
  • Joined: 11-January 03
  • Gender:Male
  • Location:USA
  • Project:Gens/GS
  • Wiki edits:5,000 + one spin
So I ran the current version [2017/12/12, MD5: 87840922fc346d73b3615a9007f742a8] through some API loggers. Here's some of the more interesting information I saw in the various API loggers.

Note that the game isn't fully loading for me anymore. I know that when it did fully load before, there was some logged direct access to "\\.\C:", which is raw disk I/O to the primary hard disk. This is something that shouldn't be done.

Part of the game is listed as "syslib.dll" for some reason. I assume this is part of the executable packer and/or Hack Detection.

syslib.dll marks lots of pages as RWX, which doesn't seem right:
#	Time of Day	Thread	Module	API	Return Value	Error	Duration
12935	10:44:26.294 PM	1	syslib.dll	VirtualProtect ( 0x0043efe0, 5, PAGE_EXECUTE_READWRITE, 0x0018f9e8 )	TRUE		0.0000035
[duplicate syscalls for other pages]

It then enumerates all top-level windows and gets their window titles.
Note that it uses ANSI APIs.
#	Time of Day	Thread	Module	API	Return Value	Error	Duration
18352	10:44:26.935 PM	1	syslib.dll	GetDesktopWindow (  )	0x00010010		0.0000079
18353	10:44:26.935 PM	1	syslib.dll	GetTopWindow ( 0x00010010 )	0x0001005c		0.0000119
18354	10:44:26.935 PM	1	syslib.dll	GetWindowTextA ( 0x0001005c, 0x01463900, 764 )	11		0.0000060
18355	10:44:26.935 PM	1	USER32.dll	RtlUnicodeToMultiByteN ( 0x01463900, 763, 0x0018fca4, "MSCTFIME UI", 22 )	STATUS_SUCCESS		0.0000003
18356	10:44:26.935 PM	1	syslib.dll	GetWindow ( 0x0001005c, GW_HWNDNEXT )	0x00010056		0.0000004
18357	10:44:26.935 PM	1	syslib.dll	GetWindowTextA ( 0x00010056, 0x01463900, 764 )	11		0.0000013
18358	10:44:26.935 PM	1	USER32.dll	RtlUnicodeToMultiByteN ( 0x01463900, 763, 0x0018fca4, "Default IME", 22 )	STATUS_SUCCESS		0.0000002

The program then searches for "Cheat Engine", "Cheat Engine 5.0.0", etc., from 5.0.0 all the way up to 6.9.9.
Why not use a regex when searching through the top-level windows?
#	Time of Day	Thread	Module	API	Return Value	Error	Duration
18701	10:44:26.966 PM	1	syslib.dll	FindWindowA ( NULL, "Cheat Engine" )	NULL	0 = The operation completed successfully. 	0.0000804
[duplicates with different titles removed]

The program then successfully loads "b.dll", but that DLL doesn't exist...
#	Time of Day	Thread	Module	API	Return Value	Error	Duration
20305	10:44:27.169 PM	1	syslib.dll	LoadLibraryA ( "b.dll" )	0x10000000		0.0000193

After "b.dll" initializes and runs, syslib.dll unloads it. (...or at least tries to unload it)
#	Time of Day	Thread	Module	API	Return Value	Error	Duration
20401	10:44:27.169 PM	1	syslib.dll	FreeLibrary ( 0x10000000 )	FALSE	126 = The specified module could not be found. 	0.0000032

Some other notable API calls:
21370	10:44:27.263 PM	1	syslib.dll	FindWindowA ( "All Heroes Gather", NULL )	NULL	0 = The operation completed successfully. 	0.0000084
21374	10:44:27.263 PM	1	syslib.dll	GetPrivateProfileStringA ( "Love", "pass", "Null", 0x00473240, 15, ".\control.cfg" )	4		0.0002558
22771	10:44:27.404 PM	1	syslib.dll	GetVersion (  )	498139398		0.0000011
22772	10:44:27.404 PM	1	syslib.dll	GetComputerNameA ( 0x00473240, 0x004731b4 )	TRUE		0.0026639

Note the GetComputerNameA() call. I'm not sure why a game would need this.

After this point, the module name changes from syslib.dll to other DLLs, possibly due to frame pointer shenanigans.

More interesting API calls: (Note that not all of these may be from the game itself.)
#	Time of Day	Thread	Module	API	Return Value	Error	Duration
22844	10:44:27.404 PM	1	MSVCR80.dll	CreateFileA ( "savedata", GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, 0x0018fd48, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL )	INVALID_HANDLE_VALUE	2 = The system cannot find the file specified. 	0.0001673
22958	10:44:27.419 PM	1	WININET.dll	GetUserNameExA ( NameSamCompatible, "", 0x0018fd54 )	TRUE		0.0065100
23362	10:44:27.450 PM	1	WININET.dll	GetSidSubAuthorityCount ( 0x0018fc8c )	0x0018fc8d		0.0000057
23392	10:44:27.466 PM	1	WININET.dll	RegCreateKeyExA ( HKEY_CURRENT_USER, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings", 0, NULL, 0, KEY_READ | KEY_CREATE_SUB_KEY | KEY_SET_VALUE, NULL, 0x0018fd3c, 0x0018fd38 )	ERROR_SUCCESS		0.7101292
23434	10:44:28.169 PM	1	WININET.dll	RegQueryValueExA ( 0x00000184, "SyncMode5", NULL, 0x0018fd1c, 0x0018fd18, 0x0018fd20 )	ERROR_FILE_NOT_FOUND	2 = The system cannot find the file specified. 	0.0000341
23451	10:44:28.169 PM	1	WININET.dll	RegOpenKeyExW ( HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache", 0, KEY_ENUMERATE_SUB_KEYS | KEY_QUERY_VALUE, 0x0018fd48 )	ERROR_SUCCESS		0.0001374

Something here compares the executable filename to IEXPLORE.EXE and EXPLORER.EXE. This might be part of WININET itself, and not directly related to SGB:
26364	10:44:28.497 PM	1	WININET.dll	GetModuleFileNameA ( NULL, 0x0018fc9c, 261 )	55		0.0000114
26374	10:44:28.497 PM	1	WININET.dll	StrRChrA ( "C:\Users\David\Desktop\GatherBattle_Final\SonicSAGE.exe", NULL, '\' )	0x0018fcc5		0.0000356
26436	10:44:28.497 PM	1	WININET.dll	CompareStringA ( LOCALE_INVARIANT, NORM_IGNORECASE, "SonicSAGE.exe", -1, "IEXPLORE.EXE", -1 )	3		0.0000131
26442	10:44:28.497 PM	1	WININET.dll	CompareStringA ( LOCALE_INVARIANT, NORM_IGNORECASE, "SonicSAGE.exe", -1, "EXPLORER.EXE", -1 )	3		0.0000007

HTTP accesses: (Note that the actual HTTP call wasn't logged, but this has the URL.)
#	Time of Day	Thread	Module	API	Return Value	Error	Duration
33457	10:44:29.154 PM	1	WININET.dll	StrCmpNICA ( "https", "https://od.lk/s/125410148_", 5 )	0		0.0000005

I don't know why it would be setting values here...
#	Time of Day	Thread	Module	API	Return Value	Error	Duration
34009	10:44:29.200 PM	1	WININET.dll	RegSetValueExW ( 0x00000248, "ProxyEnable", 0, REG_DWORD, 0x0018fc20, 4 )	ERROR_SUCCESS		0.0000364
34112	10:44:29.216 PM	1	WININET.dll	RegSetValueExW ( 0x0000024c, "SavedLegacySettings", 0, REG_BINARY, 0x002fc990, 184 )	ERROR_SUCCESS		0.0000400

Control returns to syslib.dll:
#	Time of Day	Thread	Module	API	Return Value	Error	Duration
424398	10:45:17.310 PM	1	syslib.dll	CreateFileA ( "savedata", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL )	0x000002fc		0.0001234
424413	10:45:17.310 PM	1	syslib.dll	SetFileTime ( 0x000002fc, NULL, NULL, 0x01463900 )	TRUE		0.0001422
424563	10:45:17.325 PM	1	syslib.dll	GetSystemDirectoryA ( 0x01463900, 200 )	19		0.0000044

The game enables opt-in DEP after initialization is complete:
#	Time of Day	Thread	Module	API	Return Value	Error	Duration
515685	10:45:29.388 PM	1	syslib.dll	SetProcessDEPPolicy ( 1 )	TRUE		0.0003822

Unfortunately, the game exits for me here, possibly due to tripped "anti-cheat" functionality.

However, given the requireAdministrator flag and the unnecessary use of system information, I would still recommend backup/reformat/reinstall if you ever ran this game on your system.

I'll do another lookover later to see if I missed anything useful. (I didn't see the HTTP requests, probably because it got lost in all the noise of all the other API calls.)

EDIT: I found the https://od.lk/ access, but not whatsmyip or sonicbattle.ga. Either they didn't happen because the game didn't load fully (more likely), or those calls were removed from today's update (less likely). Either way, the fact that *any* https access is present when it's not indicated in any sort of README or privacy policy is a problem.
This post has been edited by GerbilSoft: 13 December 2017 - 12:36 AM
Reason for edit: +od.lk
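As an added example (not code from the thread, the game, or its author), here is a small Python triage script for API-logger output of the kind quoted in the post above. It parses the logger's tab-separated rows and flags the behaviours GerbilSoft called out: VirtualProtect to PAGE_EXECUTE_READWRITE, the "Cheat Engine" FindWindowA scan, a CreateFileA on a raw device path such as \\.\C:, host fingerprinting via GetComputerNameA/GetUserNameExA, the ProxyEnable registry write, and the LoadLibraryA/FreeLibrary pair for a module that could not be found. The log rows are constructed for this example (the \\.\C: row is modelled on the post's description, not copied from it).

```python
import re
from collections import Counter

# Constructed rows in the tab-separated layout of the API logger quoted in the
# post: #, Time of Day, Thread, Module, API, Return Value, Error, Duration.
SAMPLE_LOG = (
    "#\tTime of Day\tThread\tModule\tAPI\tReturn Value\tError\tDuration\n"
    "12935\t10:44:26.294 PM\t1\tsyslib.dll\tVirtualProtect ( 0x0043efe0, 5, PAGE_EXECUTE_READWRITE, 0x0018f9e8 )\tTRUE\t\t0.0000035\n"
    '18701\t10:44:26.966 PM\t1\tsyslib.dll\tFindWindowA ( NULL, "Cheat Engine" )\tNULL\t0 = The operation completed successfully. \t0.0000804\n'
    '18702\t10:44:26.966 PM\t1\tsyslib.dll\tFindWindowA ( NULL, "Cheat Engine 6.1" )\tNULL\t0 = The operation completed successfully. \t0.0000801\n'
    '20305\t10:44:27.169 PM\t1\tsyslib.dll\tLoadLibraryA ( "b.dll" )\t0x10000000\t\t0.0000193\n'
    "20401\t10:44:27.169 PM\t1\tsyslib.dll\tFreeLibrary ( 0x10000000 )\tFALSE\t126 = The specified module could not be found. \t0.0000032\n"
    "22772\t10:44:27.404 PM\t1\tsyslib.dll\tGetComputerNameA ( 0x00473240, 0x004731b4 )\tTRUE\t\t0.0026639\n"
    '30001\t10:44:28.000 PM\t1\tsyslib.dll\tCreateFileA ( "\\\\.\\C:", GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL )\t0x00000300\t\t0.0001000\n'
    '34009\t10:44:29.200 PM\t1\tWININET.dll\tRegSetValueExW ( 0x00000248, "ProxyEnable", 0, REG_DWORD, 0x0018fc20, 4 )\tERROR_SUCCESS\t\t0.0000364\n'
)

FIELDS = ("num", "time", "thread", "module", "api", "ret", "err", "dur")


def parse_log(text):
    """Parse logger rows; header and note lines (no numeric first column) are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != len(FIELDS) or not parts[0].isdigit():
            continue
        row = dict(zip(FIELDS, parts))
        m = re.match(r"(\w+)\s*\((.*)\)\s*$", row["api"])   # split "Func ( args )"
        row["func"] = m.group(1) if m else row["api"]
        row["args"] = m.group(2) if m else ""
        row["strings"] = re.findall(r'"([^"]*)"', row["args"])  # quoted string args
        rows.append(row)
    return rows


def triage(rows):
    """Return (row number, tag, detail) for each behaviour worth a closer look."""
    findings = []
    loaded = {}  # module handle -> DLL name, pairs LoadLibraryA with FreeLibrary
    for r in rows:
        f, s = r["func"], r["strings"]
        if f == "VirtualProtect" and "PAGE_EXECUTE_READWRITE" in r["args"]:
            findings.append((r["num"], "rwx-page", r["args"].split(",")[0].strip()))
        elif f == "FindWindowA" and any("Cheat Engine" in t for t in s):
            findings.append((r["num"], "anti-cheat-window-scan", s[-1]))
        elif f == "CreateFileA" and s and s[0].startswith("\\\\.\\"):
            findings.append((r["num"], "raw-disk-io", s[0]))  # device path, not a file
        elif f in ("GetComputerNameA", "GetUserNameExA"):
            findings.append((r["num"], "host-fingerprint", f))
        elif f == "RegSetValueExW" and "ProxyEnable" in s:
            findings.append((r["num"], "proxy-settings-write", "ProxyEnable"))
        elif f == "LoadLibraryA" and s:
            loaded[r["ret"]] = s[0]
        elif f == "FreeLibrary" and r["err"].startswith("126"):
            handle = r["args"].strip()  # "module not found" for a handle we saw loaded
            findings.append((r["num"], "phantom-module", loaded.get(handle, handle)))
    return findings


def summarize(findings):
    """Count findings per tag for a quick overview of the run."""
    return Counter(tag for _, tag, _ in findings)
```

Point it at a full logger export and the `phantom-module` and `raw-disk-io` tags are the ones to chase first; the rest are context for the writeup.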

#30 Techokami

Posted 13 December 2017 - 01:29 PM

  • For use only on NTSC Genesis systems
  • Posts: 1286
  • Joined: 19-November 05
  • Gender:Male
  • Location:HoleNet!
  • Project:Sonic Edge
  • Wiki edits:63

GerbilSoft, on 12 December 2017 - 01:41 PM, said:

Techokami, on 12 December 2017 - 12:57 PM, said:

Hey I'm seeing sprites of mine in here. Does he credit anyone in his game at all for assets?

There's no README, and I can't run the game properly in order to view an in-game credits screen, so I would assume "no".

Well, that makes me feel a bit salty! He took sprites from my Sonic Rush and Sonic Colors DS enemy sheets, my Zero rip from Advance 2, and Egg Fighter sprites from the endeavor to rip everything from Sonic Unleashed on J2ME.
