I know I'm not the most active poster, but since this is something that's now been gaining more traction and is getting reported on even, I thought I'd share a vid of it. [media]https://www.youtube.com/watch?v=e_mrxssK4E8[/media] I'm thinking this would not be the press the guy wanted. But regardless he's achieved it.
Welp. I hope it never impacted my computer in anyway. Never bothered to play it, but it was on my computer from the time I downloaded all of the Sage 2016 games.
My point is getting it to silently boil is how you get a SEGA representative to come at this at its worst. A bunch of kids whining about viruses to various SEGA social media would lead to a much worse outcome than, "hey, check this thing out" when it's small. Plus, why ask them to publicly comment? More like, "You guys should probably send a C&D". Regardless, I'm sure SEGA knows about it at this point without anyone needing to tell them - just yesterday I saw this on the front page of r/PCGaming and /v/ as well as the home page of many Sonic related fan-sites. I'm saying stopping it when it's small would much more likely end in a peaceful outcome. If a bunch of kids started talking about their PCs infected with malware to SEGA social media, that would lead to the same outcome, but worse. Mix that with sensationalist titles like, "New Sonic Game comes with Malware!" and you're in for a spicy situation. Them finding out through a few people in Twitter vs them finding out about this through sensationalist titles that can fall on their head, and a bunch of kids installing malware.
I hope people post "his" sprites everywhere :v: e: Here they are: www.mediafire.com/file/j7t2g45e567e6md/second+seelkding+dude.zip Hyperlinking seems to be broken btw. Oh God, fucking Seelkadom from that dumb flash animation is in this game?
A bunch of kids wouldn't though... This particular attack is tailor made against a very specific type of "consumer" and many playing it blind would simply consider it simply a glitchy fangame if they stumbled upon the "DRM", without understanding the possible ramifications of someone else having their MAC address and such. Anyhow, the game is dead and the fangame community handled it well, there was no slow boil and no need to overtly let Sega in on it.
Yeah, thankfully the situation finished as soon as it started, and I think I might have overestimated how much damage that one guy could've caused. However, I could totally see this getting messy had it been a more popular fangame. It wasn't a targeted attack at all. Looking up "Sims 3 infinite money hack" while the game was still running would trigger the ""DRM"". The ""DRM"" having the capabilities of grabbing credit-card information, tracking browser history, and what-not. You'll get spicy sensationalist articles, "New Sonic game has Malware" weeks after Force's release, kids installing viruses on their PC because of a fangame, and instead of SEGA just dealing with it as they have in the past, they get pressured to take action. This is a once in a blue moon situation, but as already mentioned in this PR sensitive age, they're more likely to take action if pressured into it, so better to stop it before it becomes something large-scale. I get the feeling keeping quiet during situations like these can ultimately make things worse. I think informing them to do a C&D early on prevents that whole situation from happening, better for us, better for them. Still curious as to what mind set you need to rip sprites, modify them, and add malware to stop people from using them themselves. This is too intrusive to just exist to scare people off; he did this full well knowing he could end up with a criminal record. On the other end of the spectrum, you have people giving away the source code and assets of their fangames for people to build upon despite spending months/years of work.
The same mindset as the Gateway 3DS team, who added code to brick 3DSes if used with "counterfeit" Gateway cards. (An earlier version of the Gateway firmware triggered this even on "legitimate" Gateway cards.) There's no README, and I can't run the game properly in order to view an in-game credits screen, so I would assume "no".
So I ran the current version [2017/12/12, MD5: 87840922fc346d73b3615a9007f742a8] through some API loggers. Here's some of the more interesting information i saw in the various API loggers. Note that the game isn't fully loading for me anymore. I know that when it did fully load before, there was some logged direct access to "\\.\C:", which is raw disk I/O to the primary hard disk. This is something that shouldn't be done. Part of the game is listed as "syslib.dll" for some reason. I assume this is part of the executable packer and/or Hack Detection. syslib.dll marks lots of pages as RWX, which doesn't seem right: Code (Text): # Time of Day Thread Module API Return Value Error Duration 12935 10:44:26.294 PM 1 syslib.dll VirtualProtect ( 0x0043efe0, 5, PAGE_EXECUTE_READWRITE, 0x0018f9e8 ) TRUE 0.0000035 [duplicate syscalls for other pages] It then enumerates all top-level windows and gets their window titles. Note that it uses ANSI APIs. Code (Text): # Time of Day Thread Module API Return Value Error Duration 18352 10:44:26.935 PM 1 syslib.dll GetDesktopWindow ( ) 0x00010010 0.0000079 18353 10:44:26.935 PM 1 syslib.dll GetTopWindow ( 0x00010010 ) 0x0001005c 0.0000119 18354 10:44:26.935 PM 1 syslib.dll GetWindowTextA ( 0x0001005c, 0x01463900, 764 ) 11 0.0000060 18355 10:44:26.935 PM 1 USER32.dll RtlUnicodeToMultiByteN ( 0x01463900, 763, 0x0018fca4, "MSCTFIME UI", 22 ) STATUS_SUCCESS 0.0000003 18356 10:44:26.935 PM 1 syslib.dll GetWindow ( 0x0001005c, GW_HWNDNEXT ) 0x00010056 0.0000004 18357 10:44:26.935 PM 1 syslib.dll GetWindowTextA ( 0x00010056, 0x01463900, 764 ) 11 0.0000013 18358 10:44:26.935 PM 1 USER32.dll RtlUnicodeToMultiByteN ( 0x01463900, 763, 0x0018fca4, "Default IME", 22 ) STATUS_SUCCESS 0.0000002 The program then searches for "Cheat Engine", "Cheat Engine 5.0.0", etc., from 5.0.0 all the way up to 6.9.9. Why not use a regex when searching through the top-level windows? Code (Text): # Time of Day Thread Module API Return Value Error Duration 18701 10:44:26.966 PM 1 syslib.dll FindWindowA ( NULL, "Cheat Engine" ) NULL 0 = The operation completed successfully. 0.0000804 [duplicates with different titles removed] The program then successfully loads "b.dll", but that DLL doesn't exist... Code (Text): # Time of Day Thread Module API Return Value Error Duration 20305 10:44:27.169 PM 1 syslib.dll LoadLibraryA ( "b.dll" ) 0x10000000 0.0000193 After "b.dll" initializes and runs, syslib.dll unloads it. (...or at least tries to unload it) Code (Text): # Time of Day Thread Module API Return Value Error Duration 20401 10:44:27.169 PM 1 syslib.dll FreeLibrary ( 0x10000000 ) FALSE 126 = The specified module could not be found. 0.0000032 Some other notable API calls: Code (Text): 21370 10:44:27.263 PM 1 syslib.dll FindWindowA ( "All Heroes Gather", NULL ) NULL 0 = The operation completed successfully. 0.0000084 21374 10:44:27.263 PM 1 syslib.dll GetPrivateProfileStringA ( "Love", "pass", "Null", 0x00473240, 15, ".\control.cfg" ) 4 0.0002558 22771 10:44:27.404 PM 1 syslib.dll GetVersion ( ) 498139398 0.0000011 22772 10:44:27.404 PM 1 syslib.dll GetComputerNameA ( 0x00473240, 0x004731b4 ) TRUE 0.0026639 Note the GetComputerNameA() call. I'm not sure why a game would need this. After this point, the module name changes from syslib.dll to other DLLs, possibly due to frame pointer shenanigans. More interesting API calls: (Note that not all of these may be from the game itself.) Code (Text): # Time of Day Thread Module API Return Value Error Duration 22844 10:44:27.404 PM 1 MSVCR80.dll CreateFileA ( "savedata", GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, 0x0018fd48, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL ) INVALID_HANDLE_VALUE 2 = The system cannot find the file specified. 0.0001673 22958 10:44:27.419 PM 1 WININET.dll GetUserNameExA ( NameSamCompatible, "", 0x0018fd54 ) TRUE 0.0065100 23362 10:44:27.450 PM 1 WININET.dll GetSidSubAuthorityCount ( 0x0018fc8c ) 0x0018fc8d 0.0000057 23392 10:44:27.466 PM 1 WININET.dll RegCreateKeyExA ( HKEY_CURRENT_USER, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings", 0, NULL, 0, KEY_READ | KEY_CREATE_SUB_KEY | KEY_SET_VALUE, NULL, 0x0018fd3c, 0x0018fd38 ) ERROR_SUCCESS 0.7101292 23434 10:44:28.169 PM 1 WININET.dll RegQueryValueExA ( 0x00000184, "SyncMode5", NULL, 0x0018fd1c, 0x0018fd18, 0x0018fd20 ) ERROR_FILE_NOT_FOUND 2 = The system cannot find the file specified. 0.0000341 23451 10:44:28.169 PM 1 WININET.dll RegOpenKeyExW ( HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache", 0, KEY_ENUMERATE_SUB_KEYS | KEY_QUERY_VALUE, 0x0018fd48 ) ERROR_SUCCESS 0.0001374 Something here compares the executable filename to IEXPLORE.EXE and EXPLORER.EXE. This might be part of WININET itself, and not directly related to SGB: Code (Text): 26364 10:44:28.497 PM 1 WININET.dll GetModuleFileNameA ( NULL, 0x0018fc9c, 261 ) 55 0.0000114 26374 10:44:28.497 PM 1 WININET.dll StrRChrA ( "C:\Users\David\Desktop\GatherBattle_Final\SonicSAGE.exe", NULL, '\' ) 0x0018fcc5 0.0000356 26436 10:44:28.497 PM 1 WININET.dll CompareStringA ( LOCALE_INVARIANT, NORM_IGNORECASE, "SonicSAGE.exe", -1, "IEXPLORE.EXE", -1 ) 3 0.0000131 26442 10:44:28.497 PM 1 WININET.dll CompareStringA ( LOCALE_INVARIANT, NORM_IGNORECASE, "SonicSAGE.exe", -1, "EXPLORER.EXE", -1 ) 3 0.0000007 HTTP accesses: (Note that the actual HTTP call wasn't logged, but this has the URL.) Code (Text): # Time of Day Thread Module API Return Value Error Duration 33457 10:44:29.154 PM 1 WININET.dll StrCmpNICA ( "https", "https://od.lk/s/125410148_", 5 ) 0 0.0000005 I don't know why it would be setting values here... Code (Text): # Time of Day Thread Module API Return Value Error Duration 34009 10:44:29.200 PM 1 WININET.dll RegSetValueExW ( 0x00000248, "ProxyEnable", 0, REG_DWORD, 0x0018fc20, 4 ) ERROR_SUCCESS 0.0000364 # Time of Day Thread Module API Return Value Error Duration 34112 10:44:29.216 PM 1 WININET.dll RegSetValueExW ( 0x0000024c, "SavedLegacySettings", 0, REG_BINARY, 0x002fc990, 184 ) ERROR_SUCCESS 0.0000400 Control returns to syslib.dll: Code (Text): # Time of Day Thread Module API Return Value Error Duration 424398 10:45:17.310 PM 1 syslib.dll CreateFileA ( "savedata", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL ) 0x000002fc 0.0001234 424413 10:45:17.310 PM 1 syslib.dll SetFileTime ( 0x000002fc, NULL, NULL, 0x01463900 ) TRUE 0.0001422 424563 10:45:17.325 PM 1 syslib.dll GetSystemDirectoryA ( 0x01463900, 200 ) 19 0.0000044 The game enables opt-in DEP after initialization is complete: Code (Text): # Time of Day Thread Module API Return Value Error Duration 515685 10:45:29.388 PM 1 syslib.dll SetProcessDEPPolicy ( 1 ) TRUE 0.0003822 Unfortunately, the game exits for me here, possibly due to tripped "anti-cheat" functionality. However, given the requireAdministrator flag and the unnecessary use of system information, I would still recommend backup/reformat/reinstall if you ever ran this game on your system. I'll do another lookover later to see if I missed anything useful. (I didn't see the HTTP requests, probably because it got lost in all the noise of all the other API calls.) EDIT: I found the https://od.lk/ access, but not whatsmyip or sonicbattle.ga. Either they didn't happen because the game didn't load fully (more likely), or those calls were removed from today's update (less likely). Either way, the fact that *any* https access is present when it's not indicated in any sort of README or privacy policy is a problem.
Well, that makes me feel a bit salty! He took sprites from my Sonic Rush and Sonic Colors DS enemy sheets, my Zero rip from Advance 2, and Egg Fighter sprites from the endeavor to rip everything from Sonic Unleashed on J2ME.
Today's build [2017/12/13, MD5: 1ea2dc0770c8b3c0be9c0db2e0e1d755, SHA256: 54a1a37429107946105bb2934f78cd95c85123f82330963d687112ffee28fde0] apparently adds VM blocking, so you can't use a virtual machine anymore. So much for whoever said the guy was going to "open-source" it. Also he removed the MD5 from the download page, probably so he can accuse more people of "cheating".
That's totally not a suspicious element to include into your game at all. He's tooooootally innocent.
Wow, just...wow. He seriously doesn't want people to steal his stolen stuff, does he? I hope he realizes he's just making things worse for himself.
This guy needs to be straight up exiled from all communities, he's a danger to himself and others. too bad we can't report him to an analyst group like Kaspersky Labs or something, really get his name on a wanted poster for spreading malware through a videogame IP.
Just to repeat what I've seen elsewhere; UAC essentially grants the game full access to your file system. If you have run this once on your computer, it'd be best to nuke the hard drive from orbit and start fresh.That raw disk access could allow anything. If you have backups on the same disk (why) then you shouldn't trust them either. We could at least spread awareness of this to those groups to get this detected by AV/AM software if that hasn't been done already. People have already made videos of this on YouTube, but judging by Google there's barely any (major) news outlets that have published articles about this.
The groups idea is good, but like we all said before having this majorly spread to news outlets would cause a really bad backlash. We're on SEGA's whim and if they wanted they could go full on Nintendo and start wiping out fangames off the face of the internet. Nintendo can get away with it because all they have to do is pull out a shiny new Metroid or Mario title and all is forgiven, but SEGA doesn't have the IP power like that save for Sonic but if they are forced they will do whats needed. I want this guys name known and barred from communities so he can't present a problem to the fangaming community at large but I don't want fangames wiped out because of this asshole.
