RedDagger Posted August 5, 2020: Hey ppl, I was using dnSpy to look into a few mods to get ideas for my own. One of the mods in the Steam Workshop has a bunch of cryptography functions in it. Does anyone have any idea what it is all about? (link to the mod) Attached is the DLL as of the time of writing: mod_with_criptography.7z
SharraShimada Posted August 5, 2020: I guess it's code to spy on gamers for the Chinese government? Jokes aside, why don't you ask the mod creator?
Mantak Posted August 5, 2020: RedDagger: Very interesting! And yes, it is very suspicious. If you want to change the Refrigerator capacity, all you need is this:

```csharp
using System.Runtime.CompilerServices;
using UnityEngine;

// Harmony postfix for RefrigeratorConfig.DoPostConfigureComplete: runs after the
// game builds the fridge prefab and multiplies its Storage capacity by 10.
// This method body is the entire legitimate mod; how it is registered with
// Harmony (attribute or manual patching) is not shown in the decompiled listing.
public class RefrigeratorConfig_DoPostConfigureComplete
{
    [MethodImpl(MethodImplOptions.NoInlining)]
    public static void Postfix(GameObject go)
    {
        go.AddOrGet<Storage>().capacityKg *= 10f;
    }
}
```

The compiled version of this mod should be about 4 KB, but this very suspicious mod is 45 KB. And the mod author uses some obfuscator, which is also very suspicious. Reading obfuscated .NET code is very difficult, so I can't tell what this is doing. And note that every ONI mod can do nearly anything, for example download some malware :), or worse, start playing the Chinese anthem and sign you up to the Communist party!!!!!
Sanchozz Posted August 5, 2020: I did a quick check with dnSpy. All of this man's mods were uploaded between May 3rd and 7th, and they all contain very suspicious obfuscated code.
SharraShimada Posted August 6, 2020: It's also possible the author just uses encryption methods by default, to prevent others from simply stealing his mods. Mod theft is unfortunately a common thing these days. Maybe someone could check whether an installed mod from this author makes connections to some IPs out there, and report back.
Mantak Posted August 6, 2020: 4 hours ago, SharraShimada said: "It's also possible the author just uses encryption methods by default, to prevent others from simply stealing his mods. Mod theft is unfortunately a common thing these days. Maybe someone could check whether an installed mod from this author makes connections to some IPs out there, and report back." There is a new crime industry??? Mod stealing??!!!?? Look, since my childhood I have wanted to be some kingpin or something. I always wanted to invent some diabolical plan, like flooding countries with slightly worn pencils at a reasonable price. And then when everyone is addicted to drawing, the price will rise... MUHHAAAAAAAAhAAAA!!! But stealing mods...... This is much better, great idea. Do you know some people?????? Can you introduce me??? Look, I'll do some quick stealing!!! I'll name it on your behalf "AAAArgghtttt, too many colors!!!!" (if you take SharraShimada and remove and add a few letters you simply get: AAAArgghtttt, too many colors). And now I flood Afghanistan with this mod. (Of course this is only the beginning!) But it would really help if you could introduce me to the right person. Pretty please, it is my childhood dream...
asquared31415 Posted August 6, 2020: This mod appears to call into Kernel32.dll and do things involving memory manipulation of other processes. Not 100% sure, it's heavily obfuscated, but there are references to names like OpenProcess, WriteProcessMemory, and GetProcAddress. Additionally, the subscribe/view ratio on Steam seems particularly high, even for a simple mod, and especially for a non-English mod. The lack of comments and reviews also seems odd for that many subscribers. I would assume the creator has used some form of bot or something to pump up the numbers, but I cannot confirm that in any way beyond noticing the numbers look funny. I highly suggest all users NOT USE THIS MOD AT ALL, unsubscribe on Steam, and delete the folder from their mods folder in mods/Steam/2085674575.
Cairath Posted August 6, 2020: Hey @Ipsquiggle @fatheroctopus, do you have any power over the workshop to remove that person's mods and block him from uploading new ones? I took a look at this, and while there's a tiny part that is the actual mod, the better part of the DLLs is malicious. I am almost entirely certain it's a crypto miner. That person dropped a big number of tiny one-liner mods in one day; unfortunately they all seem to have had something extra.
suicide commando Posted August 7, 2020: I think it would be a good idea for everyone to report this to Steam so they can remove said mods.
RedDagger Posted August 7, 2020 (Author): 23 hours ago, Cairath said: "Hey @Ipsquiggle @fatheroctopus, do you have any power over the workshop to remove that person's mods and block him from uploading new ones? I took a look at this, and while there's a tiny part that is the actual mod, the better part of the DLLs is malicious. I am almost entirely certain it's a crypto miner. That person dropped a big number of tiny one-liner mods in one day; unfortunately they all seem to have had something extra." I'm not sure how this could be a cryptominer. While it is true that the code is obfuscated, it is easy to see which libraries the code is using. It has references to cryptography and System.IO, but I did not find anything related to connecting to the Internet, which would be very important for a cryptominer. Maybe it could be some type of ransomware, but I did not find any non-obfuscated string telling the user to contact any Internet address to pay for a key.
Cairath Posted August 7, 2020: I could be wrong about it being a miner, but there's no denying that it's extremely shady.
JoeW Posted August 7, 2020: I am not going to assume this is something nefarious, but all the same they have been removed. The community should be able to review code, and that code should not be obfuscated. I have clarified the post that the workshop links to with this information. Thanks for the heads up, everybody.
SharraShimada Posted August 8, 2020: I think we have to thank you. Most gamers won't know how mods work; they just want to use them. And if the mods are fuzzy, they'll never know.
SharraShimada Posted August 8, 2020: I've got a question about removed mods. If they are removed from the Steam Workshop, are they also removed from the game at the next startup? If so, okay. If not, you @JoeW may want to place a note on Steam for all the players who still have the mods installed.
suxkar Posted August 11, 2020: From a user that didn't even imagine something like this (whatever it is) could be a thing, thanks for the heads up and the cyber policing.