
Question about cryptography


Recommended Posts

RedDagger: Very interesting! And yes, it is very suspicious.

If you want to change Refrigerator capacity you need this:

using System.Runtime.CompilerServices;
using Harmony;      // Harmony namespace; in Harmony 2.x it is HarmonyLib
using UnityEngine;

// Harmony postfix on RefrigeratorConfig.DoPostConfigureComplete: runs after the game
// has built the Refrigerator prefab and multiplies its Storage capacity by 10.
// (The decompiler's "Token/RID/RVA" comment has been dropped; it is not source.)
[HarmonyPatch(typeof(RefrigeratorConfig), "DoPostConfigureComplete")]
public class RefrigeratorConfig_DoPostConfigureComplete
{
    [MethodImpl(MethodImplOptions.NoInlining)]
    public static void Postfix(GameObject go)
    {
        go.AddOrGet<Storage>().capacityKg *= 10f;
    }
}

The compiled version of this mod should be about 4 KB. But this very suspicious mod is 45 KB. And the mod author uses some obfuscator, which is also very suspicious. Reading obfuscated .NET code is very difficult, so I can't tell what this is doing. And note that every ONI mod can do nearly anything. For example, download some malware :), or worse, start playing the Chinese anthem and sign you up for the Communist party!!!!!

Link to comment
Share on other sites

It's also possible the author just uses decryption methods by default, to prevent others from just stealing his mods. Mod theft is unfortunately a common thing these days. Maybe someone could check if an installed mod from this author makes connections to some IPs out there, and report back.

Link to comment
Share on other sites

4 hours ago, SharraShimada said:

It's also possible the author just uses decryption methods by default, to prevent others from just stealing his mods. Mod theft is unfortunately a common thing these days. Maybe someone could check if an installed mod from this author makes connections to some IPs out there, and report back.

There is a new crime industry??? Mod stealing??!!!??

 

Look, since my childhood I have wanted to be some kingpin or something. I always wanted to invent some diabolical plan, like flooding countries with slightly worn pencils at a reasonable price. And then, when everyone is addicted to drawing, the price will rise... MUHHAAAAAAAAhAAAA!!!

 

But stealing mods...... This is much better, great idea. Do you know some people?????? Can you introduce me??? Look, I did some quick stealing!!!

[attached image: Aaarrggghtoomanycolors!!.jpg]

 

I'll name it on your behalf: "AAAArgghtttt, too many colors!!!!" (if you take SharraShimada and remove and add a few letters you simply get: AAAArgghtttt, too many colors).

 

And now I flood Afghanistan with this mod. (Of course this is only the beginning!)

But it will really help if you can introduce me to the right person. Pretty please, it is my childhood dream...

Link to comment
Share on other sites

This mod appears to call into Kernel32.dll and do things involving memory manipulation of other processes. Not 100% sure, it's heavily obfuscated, but there are references to names like OpenProcess, WriteProcessMemory, and GetProcAddress.

Additionally, the subscribe/view ratio on Steam seems particularly high, even for a simple mod, and especially for a non-English mod. The lack of comments and reviews also seems odd for that many subscribers. I would assume the creator has used some form of bot or something to pump up the numbers, but I cannot confirm that in any way beyond noticing that the numbers look funny.

 

I highly suggest that all users NOT USE THIS MOD AT ALL, unsubscribe on Steam, and delete the folder from their mods folder at mods/Steam/2085674575.

Link to comment
Share on other sites

Hey @Ipsquiggle @fatheroctopus, do you have any power over the workshop to remove that person's mods and block him from uploading new ones? I took a look at this, and while there's a tiny part that is the actual mod, the better part of the DLLs is malicious; I am almost entirely certain it's a crypto miner. That person dropped a big number of tiny 1-liner mods in 1 day -- unfortunately they all seem to have had something extra.

Link to comment
Share on other sites

23 hours ago, Cairath said:

Hey @Ipsquiggle @fatheroctopus, do you have any power over the workshop to remove that person's mods and block him from uploading new ones? I took a look at this, and while there's a tiny part that is the actual mod, the better part of the DLLs is malicious; I am almost entirely certain it's a crypto miner. That person dropped a big number of tiny 1-liner mods in 1 day -- unfortunately they all seem to have had something extra.

I'm not sure how this could be a cryptominer. While it is true that the code is obfuscated, it is easy to see which libraries the code is using. It has references to cryptography and System.IO, but I did not find anything related to connecting to the Internet, which would be very important for a cryptominer.

Maybe it could be some type of ransomware, but I did not find any non-obfuscated string telling the user to contact any Internet address to pay for a key.

Link to comment
Share on other sites
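The two posts above (the one that spotted Kernel32 names like OpenProcess and WriteProcessMemory, and the one that looked at which libraries the obfuscated DLL references) both did their triage by hand. The script below is an added example, not code from the mod, its author, or Klei: it takes a mod's DLL, checks that it really is a managed (.NET) assembly by reading the PE's CLR data directory, flags a file that is far larger than a one-line Harmony patch should be, and pulls ASCII and UTF-16 strings out of the raw bytes to match them against a watchlist of native-memory-manipulation exports and well-known obfuscator markers. The watchlists, the size threshold, the `mods/Steam/<id>` folder convention and the two constructed sample blobs are assumptions; the sample blobs are header-only fakes for offline testing, not real assemblies. Obfuscation can hide names in encrypted blobs, so an empty result is not a clean bill of health; a hit is what a reviewer asks about next.

```python
"""Static triage of a .NET mod DLL: size, CLR header, suspicious strings (added example)."""
from __future__ import annotations
import re
import struct
from pathlib import Path

# Exports a one-line Harmony patch has no reason to reference (assumed watchlist).
SUSPICIOUS_IMPORTS = {
    "OpenProcess", "WriteProcessMemory", "ReadProcessMemory", "VirtualAllocEx",
    "CreateRemoteThread", "GetProcAddress", "LoadLibrary", "kernel32",
}
# Attribute/type names left behind by common .NET obfuscators (assumed list).
OBFUSCATOR_MARKERS = {"ConfusedByAttribute", "DotfuscatorAttribute", "Eazfuscator", "Obfuscar"}
SIZE_LIMIT_FOR_TRIVIAL_PATCH = 16 * 1024   # bytes; generous for a one-liner mod (assumption)

_ASCII = re.compile(rb"[\x20-\x7e]{4,}")
_UTF16 = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_strings(data: bytes) -> set[str]:
    """Printable runs (>= 4 chars) in ASCII and UTF-16LE. .NET keeps identifiers in the
    ASCII #Strings heap and user strings in the UTF-16 #US heap, so scan both."""
    found = {m.group().decode("ascii") for m in _ASCII.finditer(data)}
    found |= {m.group().decode("utf-16-le") for m in _UTF16.finditer(data)}
    return found


def has_clr_header(data: bytes) -> bool | None:
    """True if the PE has a non-empty CLR runtime header (data directory 14), i.e. it is a
    managed assembly; False for a native PE; None if the blob is not a PE at all."""
    try:
        if data[:2] != b"MZ":
            return None
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        opt = e_lfanew + 4 + 20                          # COFF header is 20 bytes
        (magic,) = struct.unpack_from("<H", data, opt)
        pe32 = magic == 0x10B                            # else PE32+ (0x20B)
        (ndirs,) = struct.unpack_from("<I", data, opt + (92 if pe32 else 108))
        if ndirs <= 14:
            return False
        rva, size = struct.unpack_from("<II", data, opt + (96 if pe32 else 112) + 14 * 8)
        return rva != 0 and size != 0
    except struct.error:
        return None


def triage(data: bytes, size_limit: int = SIZE_LIMIT_FOR_TRIVIAL_PATCH) -> dict:
    """Run every check over one DLL image and return the findings plus a verdict."""
    strings = extract_strings(data)
    lowered = {w.lower() for w in SUSPICIOUS_IMPORTS}
    findings = {
        "size_bytes": len(data),
        "oversized": len(data) > size_limit,
        "managed": has_clr_header(data),
        "suspicious_imports": sorted(s for s in strings if any(w in s.lower() for w in lowered)),
        "obfuscator_markers": sorted(s for s in strings if any(m in s for m in OBFUSCATOR_MARKERS)),
    }
    flagged = findings["oversized"] or findings["suspicious_imports"] or findings["obfuscator_markers"]
    findings["verdict"] = "REVIEW" if flagged else "ok"
    return findings


def scan_mod_folder(folder: str | Path) -> dict[str, dict]:
    """Triage every DLL under a mod folder, e.g. mods/Steam/<workshop id> (assumed layout)."""
    return {str(p.relative_to(folder)): triage(p.read_bytes()) for p in Path(folder).rglob("*.dll")}


def build_fake_pe(managed: bool, extra: bytes = b"") -> bytes:
    """Constructed sample: a minimal PE32 header (no sections) plus raw trailing bytes.
    Not loadable; it only exercises the header and string logic offline."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)       # i386, opt hdr 224 B
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                                  # NumberOfRvaAndSizes
    if managed:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 72)            # CLR header RVA/size
    return dos + b"PE\0\0" + coff + bytes(opt) + extra


# Constructed inputs: what a genuine one-liner looks like vs. one carrying extra baggage.
CLEAN_MOD = build_fake_pe(True, b"\0RefrigeratorConfig_DoPostConfigureComplete\0Postfix\0HarmonyLib\0")
SUSPECT_MOD = build_fake_pe(
    True,
    b"\0Postfix\0kernel32.dll\0OpenProcess\0WriteProcessMemory\0GetProcAddress\0ConfusedByAttribute\0"
    + b"\0" * SIZE_LIMIT_FOR_TRIVIAL_PATCH,
)

if __name__ == "__main__":
    import json, sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(json.dumps(scan_mod_folder(target) if target else
                     {"clean": triage(CLEAN_MOD), "suspect": triage(SUSPECT_MOD)}, indent=2))
```

Run it with the mod folder as the only argument to triage real DLLs, or with no argument to see the two constructed samples side by side. The string scan is deliberately dumb (raw bytes, no metadata parsing) so that it still works on heavily obfuscated assemblies; a proper follow-up is to open the DLL in a .NET decompiler and confirm whether the flagged names are real P/Invoke declarations.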

I am not going to assume this is something nefarious, but all the same they have been removed. The community should be able to review code, and that code should not be obfuscated. I have clarified the post that the workshop links to with this information.

Thanks for the heads up everybody. 

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.