ATTENTION: "Sonic Gather Battle" fangame is malware

Discussion in 'Fangaming Discussion' started by GerbilSoft, Dec 11, 2017.

  1. I know I'm not the most active poster, but since this is something that's now been gaining more traction and is getting reported on even, I thought I'd share a vid of it: https://www.youtube.com/watch?v=e_mrxssK4E8

    I'm thinking this would not be the press the guy wanted. But regardless he's achieved it.
     
  2. Willie (Member)
    Welp. I hope it never impacted my computer in any way. :argh: Never bothered to play it, but it was on my computer from the time I downloaded all of the Sage 2016 games.
     
  3. Amnimator (Member)
    My point is getting it to silently boil is how you get a SEGA representative to come at this at its worst. A bunch of kids whining about viruses to various SEGA social media would lead to a much worse outcome than, "hey, check this thing out" when it's small. Plus, why ask them to publicly comment? More like, "You guys should probably send a C&D".

    Regardless, I'm sure SEGA knows about it at this point without anyone needing to tell them - just yesterday I saw this on the front page of r/PCGaming and /v/ as well as the home page of many Sonic related fan-sites. I'm saying stopping it when it's small would much more likely end in a peaceful outcome. If a bunch of kids started talking about their PCs infected with malware to SEGA social media, that would lead to the same outcome, but worse. Mix that with sensationalist titles like, "New Sonic Game comes with Malware!" and you're in for a spicy situation. Them finding out through a few people in Twitter vs them finding out about this through sensationalist titles that can fall on their head, and a bunch of kids installing malware.
     
  4. Stink Terios (Member)
    I hope people post "his" sprites everywhere :v:

    e: Here they are: www.mediafire.com/file/j7t2g45e567e6md/second+seelkding+dude.zip
    Hyperlinking seems to be broken btw.

    Oh God, fucking Seelkadom from that dumb flash animation is in this game?
     
  5. Okamikurainya (Member)
    A bunch of kids wouldn't though... This particular attack is tailor made against a very specific type of "consumer" and many playing it blind would simply consider it a glitchy fangame if they stumbled upon the "DRM", without understanding the possible ramifications of someone else having their MAC address and such.

    Anyhow, the game is dead and the fangame community handled it well; there was no slow boil and no need to overtly let Sega in on it.
     
  6. Amnimator (Member)
    Yeah, thankfully the situation finished as soon as it started, and I think I might have overestimated how much damage that one guy could've caused. However, I could totally see this getting messy had it been a more popular fangame.

    It wasn't a targeted attack at all. Looking up "Sims 3 infinite money hack" while the game was still running would trigger the ""DRM"". The ""DRM"" having the capabilities of grabbing credit-card information, tracking browser history, and what-not. You'll get spicy sensationalist articles, "New Sonic game has Malware" weeks after Forces' release, kids installing viruses on their PC because of a fangame, and instead of SEGA just dealing with it as they have in the past, they get pressured to take action. This is a once in a blue moon situation, but as already mentioned, in this PR-sensitive age they're more likely to take action if pressured into it, so better to stop it before it becomes something large-scale. I get the feeling keeping quiet during situations like these can ultimately make things worse. I think informing them to do a C&D early on prevents that whole situation from happening, better for us, better for them.

    Still curious as to what mindset you need to rip sprites, modify them, and add malware to stop people from using them themselves. This is too intrusive to just exist to scare people off; he did this knowing full well he could end up with a criminal record. On the other end of the spectrum, you have people giving away the source code and assets of their fangames for people to build upon despite spending months/years of work.
     
  7. Techokami (Researcher)
    Hey I'm seeing sprites of mine in here. Does he credit anyone in his game at all for assets?
     
  8. GerbilSoft (Administrator)
    The same mindset as the Gateway 3DS team, who added code to brick 3DSes if used with "counterfeit" Gateway cards. (An earlier version of the Gateway firmware triggered this even on "legitimate" Gateway cards.)

    There's no README, and I can't run the game properly in order to view an in-game credits screen, so I would assume "no".
     
  9. GerbilSoft (Administrator)
    So I ran the current version [2017/12/12, MD5: 87840922fc346d73b3615a9007f742a8] through some API loggers. Here's some of the more interesting information I saw in the various API loggers.

    Note that the game isn't fully loading for me anymore. I know that when it did fully load before, there was some logged direct access to "\\.\C:", which is raw disk I/O to the primary hard disk. This is something that shouldn't be done.

    Part of the game is listed as "syslib.dll" for some reason. I assume this is part of the executable packer and/or Hack Detection.

    syslib.dll marks lots of pages as RWX, which doesn't seem right:
    Code (Text):
    #   Time of Day Thread  Module  API Return Value    Error   Duration
    12935   10:44:26.294 PM 1   syslib.dll  VirtualProtect ( 0x0043efe0, 5, PAGE_EXECUTE_READWRITE, 0x0018f9e8 )    TRUE        0.0000035
    [duplicate syscalls for other pages]
    It then enumerates all top-level windows and gets their window titles.
    Note that it uses ANSI APIs.
    Code (Text):
    #   Time of Day Thread  Module  API Return Value    Error   Duration
    18352   10:44:26.935 PM 1   syslib.dll  GetDesktopWindow (  )   0x00010010      0.0000079
    18353   10:44:26.935 PM 1   syslib.dll  GetTopWindow ( 0x00010010 ) 0x0001005c      0.0000119
    18354   10:44:26.935 PM 1   syslib.dll  GetWindowTextA ( 0x0001005c, 0x01463900, 764 )  11      0.0000060
    18355   10:44:26.935 PM 1   USER32.dll  RtlUnicodeToMultiByteN ( 0x01463900, 763, 0x0018fca4, "MSCTFIME UI", 22 )   STATUS_SUCCESS      0.0000003
    18356   10:44:26.935 PM 1   syslib.dll  GetWindow ( 0x0001005c, GW_HWNDNEXT )   0x00010056      0.0000004
    18357   10:44:26.935 PM 1   syslib.dll  GetWindowTextA ( 0x00010056, 0x01463900, 764 )  11      0.0000013
    18358   10:44:26.935 PM 1   USER32.dll  RtlUnicodeToMultiByteN ( 0x01463900, 763, 0x0018fca4, "Default IME", 22 )   STATUS_SUCCESS      0.0000002
    The program then searches for "Cheat Engine", "Cheat Engine 5.0.0", etc., from 5.0.0 all the way up to 6.9.9.
    Why not use a regex when searching through the top-level windows?
    Code (Text):
    #   Time of Day Thread  Module  API Return Value    Error   Duration
    18701   10:44:26.966 PM 1   syslib.dll  FindWindowA ( NULL, "Cheat Engine" )    NULL    0 = The operation completed successfully.   0.0000804
    [duplicates with different titles removed]
    The program then successfully loads "b.dll", but that DLL doesn't exist...
    Code (Text):
    #   Time of Day Thread  Module  API Return Value    Error   Duration
    20305   10:44:27.169 PM 1   syslib.dll  LoadLibraryA ( "b.dll" )    0x10000000      0.0000193
    After "b.dll" initializes and runs, syslib.dll unloads it. (...or at least tries to unload it)
    Code (Text):
    #   Time of Day Thread  Module  API Return Value    Error   Duration
    20401   10:44:27.169 PM 1   syslib.dll  FreeLibrary ( 0x10000000 )  FALSE   126 = The specified module could not be found.  0.0000032
    Some other notable API calls:
    Code (Text):
    21370   10:44:27.263 PM 1   syslib.dll  FindWindowA ( "All Heroes Gather", NULL )   NULL    0 = The operation completed successfully.   0.0000084
    21374   10:44:27.263 PM 1   syslib.dll  GetPrivateProfileStringA ( "Love", "pass", "Null", 0x00473240, 15, ".\control.cfg" )    4       0.0002558
    22771   10:44:27.404 PM 1   syslib.dll  GetVersion (  ) 498139398       0.0000011
    22772   10:44:27.404 PM 1   syslib.dll  GetComputerNameA ( 0x00473240, 0x004731b4 ) TRUE        0.0026639
    Note the GetComputerNameA() call. I'm not sure why a game would need this.

    After this point, the module name changes from syslib.dll to other DLLs, possibly due to frame pointer shenanigans.

    More interesting API calls: (Note that not all of these may be from the game itself.)
    Code (Text):
    #   Time of Day Thread  Module  API Return Value    Error   Duration
    22844   10:44:27.404 PM 1   MSVCR80.dll CreateFileA ( "savedata", GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, 0x0018fd48, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL )    INVALID_HANDLE_VALUE    2 = The system cannot find the file specified.  0.0001673
    22958   10:44:27.419 PM 1   WININET.dll GetUserNameExA ( NameSamCompatible, "", 0x0018fd54 )    TRUE        0.0065100
    23362   10:44:27.450 PM 1   WININET.dll GetSidSubAuthorityCount ( 0x0018fc8c )  0x0018fc8d      0.0000057
    23392   10:44:27.466 PM 1   WININET.dll RegCreateKeyExA ( HKEY_CURRENT_USER, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings", 0, NULL, 0, KEY_READ | KEY_CREATE_SUB_KEY | KEY_SET_VALUE, NULL, 0x0018fd3c, 0x0018fd38 )   ERROR_SUCCESS       0.7101292
    23434   10:44:28.169 PM 1   WININET.dll RegQueryValueExA ( 0x00000184, "SyncMode5", NULL, 0x0018fd1c, 0x0018fd18, 0x0018fd20 )  ERROR_FILE_NOT_FOUND    2 = The system cannot find the file specified.  0.0000341
    23451   10:44:28.169 PM 1   WININET.dll RegOpenKeyExW ( HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache", 0, KEY_ENUMERATE_SUB_KEYS | KEY_QUERY_VALUE, 0x0018fd48 )  ERROR_SUCCESS       0.0001374
    Something here compares the executable filename to IEXPLORE.EXE and EXPLORER.EXE. This might be part of WININET itself, and not directly related to SGB:
    Code (Text):
    26364   10:44:28.497 PM 1   WININET.dll GetModuleFileNameA ( NULL, 0x0018fc9c, 261 )    55      0.0000114
    26374   10:44:28.497 PM 1   WININET.dll StrRChrA ( "C:\Users\David\Desktop\GatherBattle_Final\SonicSAGE.exe", NULL, '\' )   0x0018fcc5      0.0000356
    26436   10:44:28.497 PM 1   WININET.dll CompareStringA ( LOCALE_INVARIANT, NORM_IGNORECASE, "SonicSAGE.exe", -1, "IEXPLORE.EXE", -1 )   3       0.0000131
    26442   10:44:28.497 PM 1   WININET.dll CompareStringA ( LOCALE_INVARIANT, NORM_IGNORECASE, "SonicSAGE.exe", -1, "EXPLORER.EXE", -1 )   3       0.0000007
    HTTP accesses: (Note that the actual HTTP call wasn't logged, but this has the URL.)
    Code (Text):
    #   Time of Day Thread  Module  API Return Value    Error   Duration
    33457   10:44:29.154 PM 1   WININET.dll StrCmpNICA ( "https", "https://od.lk/s/125410148_", 5 ) 0       0.0000005
    I don't know why it would be setting values here...
    Code (Text):
    #   Time of Day Thread  Module  API Return Value    Error   Duration
    34009   10:44:29.200 PM 1   WININET.dll RegSetValueExW ( 0x00000248, "ProxyEnable", 0, REG_DWORD, 0x0018fc20, 4 )   ERROR_SUCCESS       0.0000364
    34112   10:44:29.216 PM 1   WININET.dll RegSetValueExW ( 0x0000024c, "SavedLegacySettings", 0, REG_BINARY, 0x002fc990, 184 )    ERROR_SUCCESS       0.0000400
    Control returns to syslib.dll:
    Code (Text):
    #   Time of Day Thread  Module  API Return Value    Error   Duration
    424398  10:45:17.310 PM 1   syslib.dll  CreateFileA ( "savedata", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL ) 0x000002fc      0.0001234
    424413  10:45:17.310 PM 1   syslib.dll  SetFileTime ( 0x000002fc, NULL, NULL, 0x01463900 )  TRUE        0.0001422
    424563  10:45:17.325 PM 1   syslib.dll  GetSystemDirectoryA ( 0x01463900, 200 ) 19      0.0000044
    The game enables opt-in DEP after initialization is complete:
    Code (Text):
    #   Time of Day Thread  Module  API Return Value    Error   Duration
    515685  10:45:29.388 PM 1   syslib.dll  SetProcessDEPPolicy ( 1 )   TRUE        0.0003822
    Unfortunately, the game exits for me here, possibly due to tripped "anti-cheat" functionality.

    However, given the requireAdministrator flag and the unnecessary use of system information, I would still recommend backup/reformat/reinstall if you ever ran this game on your system.

    I'll do another lookover later to see if I missed anything useful. (I didn't see the HTTP requests, probably because it got lost in all the noise of all the other API calls.)

    EDIT: I found the https://od.lk/ access, but not whatsmyip or sonicbattle.ga. Either they didn't happen because the game didn't load fully (more likely), or those calls were removed from today's update (less likely). Either way, the fact that *any* https access is present when it's not indicated in any sort of README or privacy policy is a problem.
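    A small triage script over the API-logger excerpts in the post above, added here as an example (not GerbilSoft's tooling or anything from the game): it parses the logger's column layout and flags the calls the post singles out. The sample lines are copied from the post except the CreateFileA line, which is constructed from the described "\\.\C:" access; the rules and their wording are my own assumptions.

```python
import re

# Constructed sample in the layout of the API-logger excerpts quoted in the post
# (columns: #, time of day, thread, module, call, return value, error, duration).
# The CreateFileA line is constructed from the post's description of "\\.\C:" access.
SAMPLE_LOG = r"""
12935   10:44:26.294 PM 1   syslib.dll  VirtualProtect ( 0x0043efe0, 5, PAGE_EXECUTE_READWRITE, 0x0018f9e8 )    TRUE        0.0000035
18354   10:44:26.935 PM 1   syslib.dll  GetWindowTextA ( 0x0001005c, 0x01463900, 764 )  11      0.0000060
18701   10:44:26.966 PM 1   syslib.dll  FindWindowA ( NULL, "Cheat Engine" )    NULL    0 = The operation completed successfully.   0.0000804
20305   10:44:27.169 PM 1   syslib.dll  LoadLibraryA ( "b.dll" )    0x10000000      0.0000193
22772   10:44:27.404 PM 1   syslib.dll  GetComputerNameA ( 0x00473240, 0x004731b4 ) TRUE        0.0026639
22800   10:44:27.410 PM 1   syslib.dll  CreateFileA ( "\\.\C:", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL )   0x00000180      0.0000200
34009   10:44:29.200 PM 1   WININET.dll RegSetValueExW ( 0x00000248, "ProxyEnable", 0, REG_DWORD, 0x0018fc20, 4 )   ERROR_SUCCESS       0.0000364
515685  10:45:29.388 PM 1   syslib.dll  SetProcessDEPPolicy ( 1 )   TRUE        0.0003822
"""

LINE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<time>\d{1,2}:\d{2}:\d{2}\.\d+ [AP]M)\s+(?P<thread>\d+)\s+"
    r"(?P<module>\S+)\s+(?P<api>\w+)\s*\(\s*(?P<args>.*?)\s*\)\s*(?P<rest>.*)$"
)

# Triage rules: (API name, predicate on the argument string, reason). Each one
# encodes an observation from the post; the heuristics are my own, not the game's.
RULES = [
    ("VirtualProtect", lambda a: "PAGE_EXECUTE_READWRITE" in a, "page made RWX (unpacking/self-modifying code)"),
    ("FindWindowA", lambda a: "Cheat Engine" in a, "window-title scan for a debugging/cheat tool"),
    ("LoadLibraryA", lambda a: re.search(r'"[a-z]\.dll"', a) is not None, "one-letter DLL name loaded, no such file shipped"),
    ("GetComputerNameA", lambda a: True, "host fingerprinting a game has no need for"),
    ("CreateFileA", lambda a: "\\\\.\\" in a, "raw device handle opened (direct disk I/O)"),
    ("RegSetValueExW", lambda a: '"ProxyEnable"' in a, "proxy setting written by the process"),
]

def parse_line(line):
    """Return the logger fields as a dict, or None for lines that are not calls."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    trailer = rec.pop("rest").split()
    rec["ret"] = trailer[0] if trailer else ""   # return value is the first trailer token
    return rec

def triage(log_text):
    """Return (seq, module, api, reason) for every line that trips a rule."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for api, pred, reason in RULES:
            if rec["api"] == api and pred(rec["args"]):
                findings.append((int(rec["seq"]), rec["module"], api, reason))
    return findings
```

    Running `triage(SAMPLE_LOG)` lists the six flagged calls in log order; the same parser can be pointed at a full logger export to see how much of the "noise" GerbilSoft mentions is actually the game's own behaviour.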
     
  10. Techokami (Researcher)
    Well, that makes me feel a bit salty! He took sprites from my Sonic Rush and Sonic Colors DS enemy sheets, my Zero rip from Advance 2, and Egg Fighter sprites from the endeavor to rip everything from Sonic Unleashed on J2ME.
     
  11. GerbilSoft (Administrator)
    Today's build [2017/12/13, MD5: 1ea2dc0770c8b3c0be9c0db2e0e1d755, SHA256: 54a1a37429107946105bb2934f78cd95c85123f82330963d687112ffee28fde0] apparently adds VM blocking, so you can't use a virtual machine anymore. So much for whoever said the guy was going to "open-source" it.

    Also he removed the MD5 from the download page, probably so he can accuse more people of "cheating".
     
  12. Stink Terios (Member)
    VM blocking? I didn't even know that was a thing.
     
  13. MotorRoach (Member)
    That's totally not a suspicious element to include into your game at all. He's tooooootally innocent. :V
     
  14. Chris Highwind (Member)
    Wow, just...wow. He seriously doesn't want people to steal his stolen stuff, does he? I hope he realizes he's just making things worse for himself.
     
  15. winterhell (Member)
    Next step: No download for the game, but instead it is being streamed to you like OnLive
     
  16. Chibisteven (Member)
    Next step after that. Straightjacket for paranoid schizophrenia patient and lots of lawsuits.
     
  17. Lanzer (Member)
    This guy needs to be straight up exiled from all communities; he's a danger to himself and others. Too bad we can't report him to an analyst group like Kaspersky Labs or something, really get his name on a wanted poster for spreading malware through a videogame IP.
     
  18. MoonRunestar (Member)
    Just to repeat what I've seen elsewhere; UAC essentially grants the game full access to your file system. If you have run this once on your computer, it'd be best to nuke the hard drive from orbit and start fresh.
    That raw disk access could allow anything. If you have backups on the same disk (why) then you shouldn't trust them either.
    We could at least spread awareness of this to those groups to get this detected by AV/AM software if that hasn't been done already. People have already made videos of this on YouTube, but judging by Google there's barely any (major) news outlets that have published articles about this.
     
  19. Lanzer (Member)
    The groups idea is good, but like we all said before, having this majorly spread to news outlets would cause a really bad backlash. We're on SEGA's whim and if they wanted they could go full on Nintendo and start wiping out fangames off the face of the internet. Nintendo can get away with it because all they have to do is pull out a shiny new Metroid or Mario title and all is forgiven, but SEGA doesn't have the IP power like that save for Sonic, but if they are forced they will do what's needed.

    I want this guy's name known and barred from communities so he can't present a problem to the fangaming community at large, but I don't want fangames wiped out because of this asshole.
     
  20. Aerosol (Moderator)
    Wow. He is an impressively stupid and vain person.