[Discussion] Why would Elitepvpers allow this?

 
Old   #1
 
elite*gold: 0
Join Date: Apr 2015
Posts: 1,444
Received Thanks: 1,371
[Discussion] Why would Elitepvpers allow this?

Hello,

I've downloaded the Dymer Online client and they are using Torque with his "HWID" system and .dll. I was suspicious about the .dll, so I ran it on VirusTotal:


26 / 54 detections claiming it's a virus:
"Variant.Kazy"

I'm quoting from
"The Kazy Trojan is a malware threat that first surfaced in 2010. According to ESG PC security analysts, the Kazy Trojan has been associated with a variety of different criminal activities, including keyloggers, phishing scams and data theft. The Kazy Trojan is only as strong as its payload. This is because the Kazy Trojan is a dropper Trojan, designed to install malware onto infected computer systems. Criminals can use the Kazy Trojan to install practically any kind of malware onto their victim's computer, including but not limited to spyware, adware, remote access tools, keyloggers, rogue security programs, rootkits and scareware of all kinds."

This .dll is even more infected than the heaviest infected sro_client.exe I've ever seen and yet, it's still allowed.

At the moment these servers are using the same .dll:
Dymer.dll
Titan.dll
Conflict.dll
VictorSRO.dll

With this much detection it must be some kind of malware in that .dll or there must be some really outdated coding that would cause detection, this is absurd and in my opinion all threads/servers using this .dll should be closed instantly.

I would request a moderator to take a look at this. I warn players that play on these servers to get a virus scan done or re-format their Windows and change all their passwords from a clean machine.

Thanks.
​Goofie​ is offline  
Thanks
2 Users
Old 02/09/2016, 11:52   #2
 
elite*gold: 0
Join Date: Feb 2008
Posts: 961
Received Thanks: 648
This is a false positive due to packing software (I use a cracked packing software which is widely used by other people who spread malware, so it is read as a positive because of these people).
This is the virustotal scan for the "unpacked" DLL :



Not bad, tho. Keep trying, son.
magicanoo is offline  
Old 02/09/2016, 11:53   #3
 
elite*gold: 0
Join Date: Apr 2015
Posts: 1,444
Received Thanks: 1,371
Quote:
Originally Posted by magicanoo View Post
This is the virustotal scan for the "unpacked" DLL :



Not bad, tho. Keep trying, son.

Seems like someone switched .dll after a while?
​Goofie​ is offline  
Old 02/09/2016, 11:54   #4
 
LastThief*'s Avatar
 
elite*gold: 60
Join Date: Feb 2012
Posts: 3,942
Received Thanks: 6,475
What kind of bs is this ? You are clearly referring to Torque which I have seen the source code itself and the detection is just because of the heavy packing. Quit the **** and gtfo nobody cares about your 1337 experience.
LastThief* is offline  
Thanks
1 User
Old 02/09/2016, 11:56   #5
 
elite*gold: 0
Join Date: Apr 2015
Posts: 1,444
Received Thanks: 1,371
Quote:
Originally Posted by LastThief* View Post
What kind of bs is this ? You are clearly referring to Torque which I have seen the source code itself and the detection is just because of the heavy packing. Quit the **** and gtfo nobody cares about your 1337 experience.
The excuse is that your .dll is packed.

Alright, this is also packed:


You do not get 26 detection(s) by encrypting your software, that's just pure bullshit.

:Also:
If you encrypted a software you would get detected for "confusion" or "suspicious" behavior, not for having a "Trojan.Kazy"

:And:
I believe your .dll is coded in C++ and not C#, why would you have to encrypt / pack it?
​Goofie​ is offline  
Old 02/09/2016, 12:05   #6
 
elite*gold: 0
Join Date: Feb 2008
Posts: 961
Received Thanks: 648
Quote:
Originally Posted by ​Goofie​ View Post

Seems like someone switched .dll after a while?
I uploaded both even though they're the same from the same "Release" folder in the visual studio project. Also, virustotal wouldn't put them together if they weren't identical.

Quote:
Originally Posted by ​Goofie​ View Post
The excuse is that your .dll is packed.

Alright, this is also packed:


You do not get 26 detection(s) by encrypting your software, that's just pure bullshit.

:Also:
If you encrypted a software you would get detected for "confusion" or "suspicious" behavior, not for having a "Trojan.Kazy"
:And:
I believe your .dll is coded in C++ and not C#, why would you have to encrypt it?
Confuser is a .NET packer you idiot. You can get all false-positive if you're using an old and cracked packing program which is flagged due to the abuse of other people. I pack it to protect the strings and prevent debuggers/virtual machine usage.
magicanoo is offline  
Old 02/09/2016, 12:07   #7
 
elite*gold: 0
Join Date: Apr 2015
Posts: 1,444
Received Thanks: 1,371
Quote:
Originally Posted by magicanoo View Post
Confuser is a .NET packer you idiot. You can get all false-positive if you're using an old and cracked packing program which is flagged due to the abuse of other people. I pack it to protect the strings and prevent debuggers/virtual machine usage.
I rest my case, even if you pack something it will not give you 26 detection(s). Plain and simple.

I'm glad that I scanned that .dll before running it on my PC.
​Goofie​ is offline  
Old 02/09/2016, 12:09   #8
 
Bizzyyyyy's Avatar
 
elite*gold: 500
Join Date: Jul 2009
Posts: 262
Received Thanks: 541
Now this thread is really ridiculous.
You must be really mad that your SUPER**** hwid "feature" isn't even close to Torque's..
The fact is that you released plenty of databases, backstabbing your customers, changed your name a few times because of your bad reputation while magicanoo has never done such a thing.
I knew you are an idiot but this move went beyond stupidity.
Bizzyyyyy is offline  
Thanks
2 Users
Old 02/09/2016, 12:11   #9
 
elite*gold: 0
Join Date: Apr 2015
Posts: 1,444
Received Thanks: 1,371
Quote:
Originally Posted by Bizzyyyyy View Post
Now this thread is really ridiculous.
You must be really mad that your SUPER**** hwid "feature" isn't even close to Torque's..
The fact is that you released plenty of databases, backstabbing your customers, changed your name a few times because of your bad reputation while magicanoo has never done such a thing.
I knew you are an idiot but this move went beyond stupidity.
If you wanna shoot yourself in the foot, then go ahead and do that. I would not personally play on servers that have such heavily detected files.

This has nothing to do with my features, this is about the Silkroad community and the few players that actually remain.
​Goofie​ is offline  
Old 02/09/2016, 12:13   #10
 
elite*gold: 0
Join Date: Feb 2008
Posts: 961
Received Thanks: 648
Quote:
Originally Posted by ​Goofie​ View Post
I rest my case, even if you pack something it will not give you 26 detection(s). Plain and simple.

I'm glad that I scanned that .dll before running it on my PC.
You wanted to run it on your PC to try and steal the **** inside? you should've just asked me for the packet, son.
magicanoo is offline  
Old 02/09/2016, 12:13   #11
 
elite*gold: 0
Join Date: Apr 2015
Posts: 1,444
Received Thanks: 1,371
Quote:
Originally Posted by magicanoo View Post
You can get all false-positive if you're using an old and cracked packing program which is flagged due to the abuse of other people.
You know that all created files have their own md5/sha, right?

And if your statement was even close to being "right" then my SUPERMIKE.exe would be even more detected because I use a cracked packer.

So ConfuserEx v0.3.0 gives a lot of infections you say, then how come your Torque .exe's aren't even as infected as your .dll?

:Oh yeah:
Off-topic, I de-compiled parts of your code.

Quote:
Originally Posted by magicanoo View Post
You wanted to run it on your PC to try and steal the shit inside? you should've just asked me for the packet, son.
Actually wanted to test a few stuff on the Torque protection, but when I saw that infected .dll I removed the client from my PC.
​Goofie​ is offline  
Old 02/09/2016, 12:18   #12
 
elite*gold: 0
Join Date: Feb 2008
Posts: 961
Received Thanks: 648
Quote:
Originally Posted by ​Goofie​ View Post
You know that all created files have their own md5/sha, right?

And if your statement was even close to being "right" then my SUPERMIKE.exe would be even more detected because I use a cracked packer.



Actually wanted to test a few stuff on the Torque protection, but when I saw that infected .dll I removed the client from my PC.
There is something called "Packer signature" which is changeable among different packing programs.
I'm glad that you deleted it from your PC, you shouldn't play with fire you know
magicanoo is offline  
Old 02/09/2016, 12:21   #13
 
elite*gold: 0
Join Date: Apr 2015
Posts: 1,444
Received Thanks: 1,371
Quote:
Originally Posted by magicanoo View Post
There is something called "Packer signature" which is changeable among different packing programs.
I'm glad that you deleted it from your PC, you shouldn't play with fire you know
So you mean that someone chose your packet signature of all packet signatures out there? Seems legit.

Weird that nobody used my packet signature yet then, even though my Filter has been existing longer than your hwid.dll. That's really "strange/odd" to me.
​Goofie​ is offline  
Old 02/09/2016, 12:27   #14
Chat Killer In Duty


 
PortalDark's Avatar
 
elite*gold: 5
Join Date: May 2008
Posts: 16,311
Received Thanks: 6,470
First off, this dll is totally optional (that doesn't make it right, though, but I'll get on that in a sec).

Since we have NOTHING to trust the exe, I'm gonna ask this once and only once.

As for a routine check, send me an unpacked dll as a PM, and I'll check.

Why am I asking this? If the file's infection is due to this, then an unpacked software will be safe.

As a safe proof regarding this request, if I do not receive the unpacked dll within a reasonable amount of days, since I have no other source to trust, I'll apply the general malware rule and remove the thread.

As for this thread, its title alone is enough to bait spammers.

#closed
PortalDark is online now  
Thanks
1 User
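
An added example, not part of any post in this thread: the two checks the posts keep circling around, a file hash (renamed copies of one DLL hash identically, a repacked build does not) and per-section entropy (packed or encrypted sections sit near 8 bits per byte). The sample images are constructed inside the script and the 7.0 threshold is an assumed rule of thumb; high entropy shows that a section is packed, not whether what was packed is malicious.

```python
import hashlib
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: about 8.0 for compressed/encrypted data, lower for plain code."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)

def pe_sections(image: bytes):
    """Yield (name, raw bytes) for each section listed in a PE section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]      # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", image, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]
    table = pe_off + 24 + opt_size                         # section table follows optional header
    for i in range(n_sections):
        off = table + 40 * i                               # each section header is 40 bytes
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, off + 16)
        yield name, image[raw_ptr:raw_ptr + raw_size]

def triage(image: bytes, threshold: float = 7.0) -> dict:
    """Hash the file and list sections whose entropy suggests packing."""
    entropy = {n: round(shannon_entropy(raw), 2) for n, raw in pe_sections(image)}
    return {"sha256": hashlib.sha256(image).hexdigest(),
            "entropy": entropy,
            "packed_like": [n for n, e in entropy.items() if e >= threshold]}

def build_sample(payload: bytes) -> bytes:
    """Constructed PE-shaped image (not a real DLL): .text plus .data = payload."""
    text = b"\x55\x8b\xec\x90" * 128
    start = 0x40 + 24 + 2 * 40  # DOS stub + COFF header + two section headers
    def hdr(name, size, ptr):
        return name.ljust(8, b"\0") + struct.pack("<IIII", size, 0, size, ptr) + b"\0" * 16
    return (b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
            + b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x2102)
            + hdr(b".text", len(text), start) + hdr(b".data", len(payload), start + len(text))
            + text + payload)

PLAIN = build_sample(b"config=1;" * 200)                   # constructed low-entropy data
PACKED = build_sample(b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64)))
```

On a real file, pass `open(path, "rb").read()` to `triage`; comparing the `sha256` of two differently named DLLs answers whether they are the same build before any scan result is compared.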