Im watching you for a couple years now, and i love this deep dive. As someone with a casual intrest in software security this is amazing. Please keep doing those. The length of the video might be problematic for the youtube algorithm but i want to tell you i love it!
Have no idea the process for about 2 hour video but have fun watching and learning how professionals doing reverse engineering till the end while feeling imposter syndrome. Thank you
even if I did plenty of malware analysis myself, I still picked up a few extra tricks from this video. Thank you John, your analysis was amazingly done and I loved it from start to finish!
Super detailed analysis and I'm quite happy to see much of the cyber security scene come together to show how this attack would work. Makes me sad to see some developer tried to mess with mods. This is another example of why you don't need 10,000 different launchers.
I love videos like this. Watching John investigate how it all comes together is very interesting to watch.
This is exactly how Disney got busted with BeamNG mods. Crazy to see in yet another place and thanks for the breakdown! Fascinating stuff.
disney? beamng? what happened?
@@TheWanderingNeko quick search says someone at Disney downloaded a BeamNG malware mod which got the company infected and data stolen.
this was a lot of fun going through this with you! great education, thanks john
Wow. Impressive skills. Don't mess with John Hammond!! Thanks for posting something so in depth.
❤ Thanks for covering this. And I would like to give my full appreciation for you and the community for looking into this. Your guys quick and Understandable analysis has helped restore peace of mind for many people in the CS2 community.
It hit very close to home, for me. I don't like people destroying my hobby. :(
Banger video, not enough long form C/C++ RE content on YouTube!
Impressive. Good video. Thanks for sharing random 1am video suggestion but good stuff.
Usually don't comment but this was a great one! Love the in-depth talk. Thinking about going for maldevacademy right after finishing up my OSCP
Great Video! Fantastic help, and teaching tool. As a person who was affected by this hack and spent several days on Wireshark watching activity, it's great to see what it was actually doing!!!
Having seen the bit from low level and mentioning this was on the way, I've been waiting. Oh boy, did this deliver on what I wanted.
Really love these longer vids of you reverse engineering malware or dissecting through the code of malicious files :)
The binja virus is spreading.
Thanks for your video, Eric! I originally approached this in Ghidra, but that function that packs the exe into all those mov instructions doesn't de-compile in Ghidra (or IDA for that matter). Asked about it in the OALabs server, and Xusheng, one of the Binja devs, has been SUPER helpful as he helped me take a look at it in Binja. :)
ghidragang ghidragang ghidragang
wow its my favourite f5 youtuber
@@LowLevelTV Even low level is cheating on IDA now. Poor thing.
Using nixos, binja seems to be the only thing that works out of the box. IDA does its own installation thingy that fails, and ghidra explodes because of java issues
Love the longform videos! Great stuff!
This video is amazing!!! Love to watch you work!! I think a really good video if possible, when you unpack another malware or whatever, do a live stream and maybe have people from the white hat would on with you and make a really fun live vid!!! I wish this video was longer lol. I always learn so much from your videos!
1:25:18 is this related to minecraft?? Default Minecraft port is 25565
probably just a random port commonly open
@@blorger I suggest you're both right
This port being the default for Minecraft servers makes it a commonly open port
Wow you are thorough. great analysis. great video!
woah i was listening not realizing this was fresh, john i enjoy the content and i'm a 2nd year in cybersec (in part thanks to ur vids) so thanks for inspiring me
OH THIS IS A PEB-WALKING malware! omfg i was just researching this, yt algo strikes again
@@xprowler404x This malware does some really cool stuff! Does some "manual" syscalls, too...
You're always awesome to watch John, never cease to amaze me with your level of expertise at such a young age!
A very moreish sample. Thanks for the shoutout!
You should make a script/app to have a grey window with a low opacity placed where your camera is so you can still see through but know what we can't see on the video!
Woke up sunday morning and somehow this came up on my feed so I was laying in bed half asleep watching this. I don't even watch any other malware/reverse engineering videos.
That was amazing. learnt a lot from that. keep up the good work.
Port 25565? as a minecraft kid that gave me whiplash
Interesting breakdown John. Binary Ninja definitely is incredible. Got lost a bit in some of the __scrt functions.
Each compiler has a different startup, but as you go through samples, you will learn the paths to the user main code. There's also other paths, potentially, but I usually just go through the entry point.
Another good thing you can do is use different languages (Rust, C++, C) and compile exes and dlls and figure out the path to user main. Can help a lot using a PDB as well. Make sure you also try different tool chains, like MSVC and G++ will generate different startup code and a different path to user main.
I really liked this in-depth reverse engineering video. I want to see more like this.
thnx for this masterpiece John 🙂🙏
these videos are awesome. Incredible work
The binary ninja you have used is - is that free edition ?
Yes! Everything we did in this video was done with the free version!
I've used a ton of game mods in the past. Also downloaded indie games from around the internet. Stupid in hindsight probably. I'm pretty sure i've seen dll around. It might not be typically nefarious, but is there a way for me to check? I take it a normal microsoft defender search won't pick up on the PEB thingamajig.
Hello John, I’m wondering what’s the best decompiler in ur opinion, Binary ninja, IDA or Ghidra? It will be helpful if you can made a video for it! Thanks for reading and BTW I love this video’
I think it can really depend on what you are doing, but, Binja is REALLY good for malware. I have really been enjoying it. Ghidra is good for collaborations, with its server capabilities. It is a bit more obtuse to use, but it's still good. I haven't used IDA much at all, so I can't really tell you how that compares.
For this video, I originally approached the de-compilation in Ghidra, but some things led me to try out Binja (mainly that big function that doesn't de-compile with Ghidra at all). I really liked the de-compilation of stage 2 with Binja, so John and I decided to use Binja for the entire video, but I will say there are one or two places where Ghidra does a better job interpreting the disassembly and generating a better de-comp.
All in all, it doesn't hurt to know/use multiple tools!
@@nordgaren2358 Thanks for replying! Just wondering which should I buy lol, but it looks like Binja is the best choice for now I guess.
Yeah, very good and I learned a lot. Thanks 🖤
Always been lacking trust to download Mods for games... 😩 Cheers for this in-depth long video! 💛🌟👍
Steam's workshop is generally safe, as well as Nexus. Nexus specifically runs mods through virustotal, and if that's not possible it'll have to be manually reviewed.
I learn a lot from this. This is my first experience of reverse engineering.
Keep at it!
The man himself
Your effort on this one didn't go unnoticed my friend :)
What a video! 🥇
i'm drunk, have no background in cybersecurity, and entertained as hell by this.
Game announcements get posted to steam and paradox forums
I have no idea what this is or what's going on, but I'm here
I don't remember if you mentioned it at the specific part it comes up in the stage 2 binary, but stage 2 also grabs the syscall value out of the virtual protect function from ntdll and calls it manually by writing the machine code to one of those allocations it makes.
Such sophisticated techniques for such a dud payload! Haha!
🙏
@@gooniesfan7911 I am not sure if they needed to do this on most windows machines, or not. It's perplexing, because I would say it's not a novice technique.
detection can be really fickle. The big reason they are using the NtVirtualProtect calls is to write an inline hook in that name mangled V8 export that the binary will call on occasion. I do this all the time in my DLL mods, though, and all I do is import the function normally. They rarely get flagged by anti virus, too. Sometimes they do, but it's hard to tell what caused it, sometimes.
@@gooniesfan7911 I don't know that it does. I think it would affect some stuff from the C++ std library, as it changes over time code wise, as well as possibly the types of optimizations available, which could change the generated machine code, and maybe some different registers for holding values.
Who knows with the obfuscation, too.
The specific compiler would be needed if you wanted to recreate the malware from scratch and get an identical re-compilation. They do this a lot with old games.
ayo nord, man if you might find time to sit down, write up a roadmap on how to understand this shit in depth, would truly appreciate it or a send a link
@@bugzorc can you find me on Discord?
@@nordgaren2358 yah sure what's ur @
Isn't it possible to essentially create a constant list out of the dll name / function name list so binja could replace the hardcoded values with the constant name? That would simplify the "lookup".
Right now the only way I can figure out how to do this is to make some enums.
The reason the python code had the else output as well in the for-else loop is because else runs if there is no break in the original for-loop; if you put break after printing everything out it wouldn't have run. Nothing big but just a sidenote.
It was just because of the decomp. Ghidra shows it much clearer.
The code is actually pseudo C
@nordgaren2358 I don't think you replied to the right comment my guy
Ohh, you are talking about his python code for the hashing algo. Yes. My bad.
Exactly this type of content!
This is definitely one of your better videos (at least for us reverse engineering nerds)
who knew Seth Rogen was into RE as much as weed 😯
This whole situation feels like a warning shot. With gaming increasingly relying on mods and user-generated content, there needs to be a system in place that helps safeguard players. This could be stricter moderation, better security on mod distribution sites, or even in-game warnings for players about the risks of third-party mods. In the end, this incident underscores an important reality: that even in a community built around fun and creativity, we have to stay vigilant to protect ourselves from evolving cybersecurity threats.
Well, we actually have a lot of this. Game will warn you that using mods is risky. Nexus mods sends things to Virus Total, posts that report publicly on the mod page, and if there's something suspicious, they have someone verify it, internally.
A warning doesn't really go far. People read less and less the more we progress as an information age society. The responsibility should be on the site hosting these third party mods.
> or even in-game warnings for players about the risks of third-party mods.
This will do literally nothing. People will press "okay" and continue anyway.
@@nordgaren2358 virustotal is only useful if the program is well known though
@@JamesHalloway_24 There's always a risk, correct. However, in the majority of cases viruses added to mods tend to be "malware as service" additions.
regardless of how the mod developer's machine got infected, or the end exfiltrated information. This could easily be seen as an exploit of being able to get past AV/AM by not having the payload explicitly written directly in the dll or exe (this could happen in mac and Linux as well, kind of) to then have that injected application be executed, and because it never existed as a file AV/AM never gets a chance to evaluate it. At some point AV/AM would need to have access to active memory in order to intervene, but this functionality is almost necessary for JIT in the first place.
I would assume this malware would be reused as it's quite an effort to obfuscate all these within a dll for a crypto wallet that very few people from the target audience would use. I know that even from the few victims the threat actor would still make a lot in return, but still this is quite an effort, assuming the person who pushed the update to the CS2 mod is the same who did for the GTA5 one.
Yea, I am interested to see if this sample shows up again with a different function. The packing was interesting.
I looked up flare and the model was odd, no pricing on most pages when I did, it was confusing, is there an open source or self-hosted version that could use LLMs or other tech to check?
Self hosted what?
The 11/13 date for that mod creator’s password showing up in flare at the end is concerning…
"more often than not" seems a bit of a stretch
I think he means if you're just download mods off the internet, as he mentioned trusted modding sites right after.
"More often than not" seems a bit hyperbolic. My 2000+ mods in Skyrim beg to differ.
Finish the sentence...
"more often than not" is an insane way to open this
A few years ago this happened in Minecraft.
When you got an infected plugin it would infect all the other plugins, and when developers published an update on the forums the chain continued
That was much worse than this, actually. This could have been pretty bad, too, but fractureiser was nuts!
Really? Do you remember the name of the author/plugin? I'm struggling to recall this situation 😵💫
@@afraid2letgo just look up fractureiser
John is that the MX master 4?
I was the 1k like but I also didn't understand a single word and idk why I watched expecting it to suddenly understand it. But then the bitcoin site popped up and I completely agreed that is was sussy sus 😏
XD
OMG, this is so good, I wanted to deep dive into some damn dlls, I know some
Do i know wtf is going on? No.. are you blowing my mind.. yes..
oh my god finally another reverse engineering video
Been trying to find more interesting malware, so we can have more of these RE videos. :) Send it our way, if you find some!
Came here for cities skylines, stayed for reverse engineering and some sleuthing!
I got a serious question. Where is the difference in a password of let's say 24 characters of just randomly placed 0 and 1 and a mixed password with letters, numbers and special characters within the same amount of characters? Beside the max possibilities of course.
Edit: had a typo
That's pretty much it. Max possibilities skyrocket, because it's exponential each character you add.
You got a nice chair
Sick stuff, loved it!
Wow you watched that hour and a half (EDIT: actually almost 2 hours) video fast!!
nice brother
you're smart.
Paradox used to allow mods through Steam for CS1, they stopped because they said their own proprietary one would be safer 🙄
They still allow through Steam for CS1. Paradox Mods is for CS2 only.
They didn't say anything about being safer, but people that don't have their game on steam (Microsoft) and for consoles to have custom maps and assets. Also the dickering is insane for steam workshop for some reason, stuff like this could happen anywhere
And that's why you use air-gapped hardware wallets for crypto-currencies...
More please. :)
Meh. I'm going to continue using mods in my games. Downloading ANY program you cannot personally verify as safe is risky, and yet you do it every day.
I think it's just important that we understand the risks. Most of my mods are DLLs that don't have any exports, because they are meant to inject themselves into the game and patch code and data. This makes it harder to determine what is and isn't malware, although FastMath.dll with no exports is a dead giveaway. My mods are also all open source, and if anyone wanted to, they could compile it, themselves.
I love the content, I love the educational aspects of it
I detest that this opens with "more often than not, the [mod] will be malware"
Can we please not with the fearmongering? I've been playing and modding games for 15 years and can count on one hand the number of malicious mods I've downloaded. The vast majority, as long as you're coming from a reputable source, are perfectly fine.
Yes, there is a chance it slips through the cracks and you can get bad actors hiding in plain sight, but that definitely doesn't constitute "more often than not".
The ONLY defense I can see in this is if it's very specifically talking about game hacks and game trainers, which are not "mods", they're cheats and hacks. Very, very big difference, and when lacking context within the first 30 seconds of a video from a cyber security expert, can be horrifically misleading.
Do better, John, please.
You already stated the stipulation, "as long as you're coming from a reputable source". How many reputable sources are out there? Single digits? Compared to all the possible sources on the Internet? (spam, ads, any number of the YouTube videos offering mod downloads, Mega, Google Drive, gofile, etc.). Thinking of forums like Nexus Mods or CurseForge is just two places, not a majority.
@@_JohnHammond steam workshop, paradox forums, sometimes for minecraft, the server of the project but have to be looked up, and github
@@_JohnHammond At best, that's an ignorant take. At worst, it's malicious.
Nexus has over 10 billion downloads, Steam Workshop is built into the most popular storefront in PC gaming. If you search for anything on PC modding, you'd be hard-pressed to find a malicious source over Nexus, Steam, ModDB or the official forums.
I'm not disagreeing that there's few of them, but the mod in question you're talking about came from the official game forum.
What you're saying is akin to "every word document you download is malicious because there are more malicious sources than there are safe". Yes, sure, on paper it's not wrong, but it's not using common sense either. Most word documents you'd be downloading aren't coming from a sketchy website, it's coming from a source you trust.
So please, don't make silly blanket statements that all mods are bad, it's a bad take and hurts the wonderful modding communities out there. Instead, educate that even trusted sources can be unsafe and to take proper precautions.
@@Prodigy1329 So you didn't finish the sentence?
@@schwingedeshaehers Look up fractureiser.
Holy crap i wish i could do this
next time just go to 0x1000
But that isn't always something you want to look at. We started from entry, because we can track down the order of things. With the second stage, this brings you to some library code and the function that sends the data to the C2, but you don't really get to see how this function gets called, because the function that calls it is a dead end.
There's a lot of ways to RE the same sample :)
"More often than not, the mod will be malware" That's just false. Don't spread lies.
You have one example that was short lived. It's most likely that your risk is significantly below 0.1% - not 50.1%.
@@AaronKreider You will need to list sources for this claim.
GENIOOO i
"more often than not"? *really bro?*
He means random mods off the internet.
John when are we getting an official John Hammond onlyfans?
Downloading a mod for a game is safe when the modding method is sandboxed and doesn't allow DLL injection, like CS2...
That's not true either, unfortunately.
4?!
5
I see no 7 so 7!!!
Who wants to become a global hacker?
6
3
2
Your introduction is ridiculously alarmist. "nothing is safe! Your mods are hiding malware!"
This shit happens. There are always bad faith actors. There is incentive from the communities that host these mods to make sure they are safe because it's also a threat to their own operation too.
Nothing is safe, though, and telling people that it is, is doing them a disservice.
bro talks *at* people
“More often than not”…. Not even close. I’d go so far as to say the vast majority of Mods do not have malware
Have to finish the sentence...
1
More malware 😊 malware 2025 📈