Hey! Hypixel Skyblock RUclipsr here, Thanks for looking at this! The Hypixel community has been overwhelmed with fake mods, and session stealers for years. I’m glad more people are looking at this, and helping to spread awareness about fake mods, and the dangers of them. Love seeing stuff like this. Thanks for the fun watch!
Hey John! Thanks so much for looking at this sample I sent. Interesting to see how you did things differently and the same as I did in my initial analysis.
Thanks so much David!! Super sorry I didn't get back to your email but huge thanks for sending it along and letting me share in a video :) I'd love to hear what you did in your process!
came to say this. wild to see two of my worlds colliding like this - John Hammond investigating a RAT in the form of one of the primary mods i use myself.
Thought it was worth pointing out that Recaf is a good tool for those who decompile, deobfuscate, and reverse engineer java/minecraft mods. It allows you to rename variables, edit bytecode, and run methods with dummy inputs without ever even unzipping the jar
@@mattcoley Woah I didnt expect to find the developer here lol. I tried out 4.x a couple of days ago and while it was a smoother more bug-free experience, i’ve gotten used to the 2.x workflow where you can pretty much right click anything to go to the definition or search references. I see it has come a long way, but i think ill stay on 2.x until there is an official 4.x release availible
25:21 Pizza Client is another minecraft mod for hypixel skyblock. It comes built in with a feature to protect against session id stealing which is when another mod like the one showcased steals the session id used to log into the users minecraft account. This string is there to find that part of the mod and presumably disable the feature in order to not get detected.
@@Mcneds i wish i made pizza client but im not good enough XD, anyway pizza client sells supporter subscription for some features, it would be dumb to rat in such a mod dont you think
Actually, no. At least not every competent Java dev. Its just how we use our language. You could argue faults for EVERY single language, so your probably just not competent enough in Java.
ratting is a big problem in the minecraft community, especially in hypixel skyblock being that the currency in the game has some value to real life money. looks like all its trying to steal is discord tokens and minecraft tokens via the lunar, feather, and pizza client.
17:57 This is likely a decompilation error. I don't know why you're not using a proper IDE for this. Would probably chop about 15 minutes off the video length.
Hey man, JD-Gui is a pretty out of date decompiler. You should look into using a decompiler such as fern flower or vine flower (a fork of fern flower) instead which can (sometimes) be faster and provide more accurate and readable code
@@walksanator yeah i was going to mention Recaf 4.X it has procyon, fernflower, and cfr. i dont remember if it has vineflower though. in any case you can run the decompiler standalone as Recaf is just a UI for it
You can't generally use decompilers and expect a 100% working output, especially considering that jd-gui is pretty outdated. When you run javac, the java code gets compiled to bytecode, which is then executed by the jvm, and the d-compiler's job is to translate that bytecode back to java code, which is impossible to do perfectly, and the result of that is, for example, it trying to declare a Cipher object as a short and other errors. You might also want to consider using more modern decompilers such as CFR or Krakatau.
I was thinking about how he came across the infected repository. And I think the main getaway for me here, is, whenever I have a public repository, check the forks that might be created from it. Maybe someone was stupid enough to just fork the repository, add his infected code, and a simple diff between the original and the fork might already show interesting things. Smart attacker would obviously not simply fork the repository. But not all attackers are smart.
the payload is pretty crude and rudimental, its a numbers game, get the code out, and so many will try it youll end up with a good collection of accounts. you just obfuscate the payload in one way, either by hand or using AI, then copy paste that into a different methods of obfuscating and encoding, and make sure to include some vanilla minecraft code in the functions you obfuscate. Its actually just collecting a bunch of obfuscation methods and apply them all output to input, you can actually just make a script that will AI generate a basic ass info stealers, then a random sequence of obfuscation functions and pipe it through and there you go.
java-deobfuacator is actually meant for deobfuscating specific obfuscator programs, such as zkm, smoke, etc. and only features transformers for those, and not generic "homemade" obfuscators such as the one used to obfuscate this malware. Especially seeing as the obfuscation this used is fairly basic, seems like it's just string encoder, renamer and some basic flow obfuscation. It's also quite outdated and doesn't really have transformers for more modern obfuscators.
Hey there, I made the obfuscator like 6 years ago (you can find it on my GitHub). You said that there are more modern obfuscation techniques which I find interesting. What has changed in those years? What is SOTA Java obfuscation nowadays?
the obfuscator used here is nothing „homemade“. it look’s definitely like superblaubeere27‘s obfuscator…. which, well is supported fully in either narumi‘s deobfuscator or the java-deobfuscator shown here.
I was once setting up my laptop to host a Minecraft server and I kid you not, it took 3 DAMN HOURS to get the correct version of java and their JDK's, JDE's. I was on like 10 Different websites. java is just so difficult to deal with so I can understand your struggle with javaFX and such stuff.
It’s become a whole lot easier with Temurin, which is a distribution of OpenJDK. Just select the version of Java (either 8, 17 or 21) on their site, and you can get the JDK and JRE set up in like 5 minutes without going through Oracle’s nightmare UX
Java is horrible in that regard. And when what you downloaded doesn't work you question whether it's Java being Java or you executed ran something you shouldn't have, since the official websites look like malware
I had to download an old version of the JDK and I had to make an account at Oracle to download that shit, I kept getting stuck at a paywall and I though "Crap do i have to pay for the older versions?" Then luckily after a few hours and downloading more versions I finally managed the server to boot up.
Yeah, the pros just give up and bundle their own JRE with the code in a larger .exe file nowadays, that's what they did with the Minecraft client eventually.
The pizza client part is injecting into a different mod ( - pizzaclient). which actually has a feature that protects the user's account, and the stealer basically disables it.
i assume that in "qolskyblockmod" the "qol" stands for "Quality of Life" as in useful additions that make it more enjoyable without making gameplay changes to the Skyblock mode that the mod is for. some of the odd client names are most likely some obscure minecraft launchers i havent heard of before. I do recognize essentials as a legitimate minecraft mod tho where they are probably trying to extract data from since its adding social mechanics like friends list, joining friends etc. like your used to from steam to the game. I assume internal those systems store some data an info stealer would be interested in since the user basically already willingly gave those informations out.
also its not a hot take to say java is stupid lol i always keep saying how outdated and ill-suited java is to ruin the game, even back in the day when it was first made by notch it wasnt a great choice. i assume it was chosen because it was easy for him to get in to. Ideally the game should be entirely rewriten in a modern language and use modern technology to re implement the same things but under Microsoft thats unlikely to happen. Most likely they will rather keep suporting an outdated tech then re do the entire work which doesnt make them any money for such a silly thing as long term benefits.
Spent 20 minutes doing nothing, then just uses ChatGPT and ends the video :/ Would've been more interesting to see some of the obfuscation techniques... I wish I could just access the code myself.
actually, minecraft mods, at least modern ones made for forge, fabric, etc contain no game code. they get loaded by the mod loader (e.g. forge, or fabric) so they contain some boilerplate to handle loading and unloading, but the rest is just the mod doing it's own thing and doing API calls to the mod loader / game.
minecraft mods has a set of functions you can use to auto deobfuscate mods that you can refer to in documentation. probably somewhere random they call the function for the session id of the minecraft account where they log on and steal all their items on hypixel skyblock.
Minecraft (and especially "Hypixel Skyblock") has quite a big problem with these infostealers, since a minecraft mod can read the current instance's session token and therefore just "steal" the account of someone, atleast temporarily (and as someone below mentioned, the mods can access anything on your pc too, they arent in a sandbox)
@@ItIsJan if your rat is advanced enough they can log into your gmail and (temporarily) and then log into your microsoft send a email to your email and change your minecraft accounts email if its as advanced as one of the ones ive made it hides itself in your mod folder and the even worse version ive made loads a rootkit and its like really hard to remove another one a friend of mine made (he actually sells it) uses sorrilus rat
this is literally so easy to decompile and u can tell by the libraries its using what it does would be more interesting if it was a little bit more compiled like for example minecraft Cristalix launcher or if they actually used obfuscation tool. Some of them produce output that can't even viewed by java decompilers, so u have to work with bytecode
The arguments aren't what the main method was missing before you copied the error, it was the fact the method was private. Main method has to be accessible in Java.
am I the only one bothered that he just jumped straight to ChatGPT and assumed the outputs it gave were fine, when the errors were quite clear and simple to fix? And also that he removed the variable initialization instead of moving it where it actually makes sense, since the variable "L" was generated by the decomp and wasn't actually valid java
I mean, this probably wasnt some major project so it didnt really matter. I think John just wanted to squeeze a little bit of simple content out of this malware and be done with it. I doubt he would want to spend hours debugging for something this unimportant
used to do that, saw my request flooding the bots that posts the data into a discord channel (back when u can directly VIEW the contents inside of discord hidden channels with plugins, not sure on this one)
When you asked "is that a regular expression, the first part of it (the string "dQw4w9WgXcQ") is the RUclips video ID for Rick Astley's Never Gonna Give You Up. I would recognize that ID anywhere.
Basically, these malicious mods for hypixel skybloxk spread around and most of the time these people do it, just to steal ingame items and currency. Insanity
I dont understand anything about this video, but it was pretty interesting and made me wonder, how many files, games or mods have I downloaded without noticing anything, it is truly unbelievable for me what people can do with coding and how easy it is to infect people computers with malware’s or viruses.
I'll leave another comment when I've watched the video but just a little over a minute in I must say I love SkyHanni and its codebase. I wonder if you will be as impressed with its organization, code quality, and project management as I am. Edit: fair enough.
Is it good to have venom rats on my computer I'm the one who downloaded it but nothing bad has happened to my computer? I know it's access Trojan I just want to know from a professional I downloaded the file off the dark web
That is discord token decryption. Discord thought it would be a funny joke to encrypt tokens with the video id being the visible part. Really, it didn't do jackshit. The part of the code likely looks for the regex pertaining to the token and then decrypts with the os crypt key.
I took a look a little bit at skyhanni and it had weird shit going on so i never used the mod. a few things I remember is it tried to talk to discord. (malware in modpacks do that because they send the session id to their discord so they can log into ur acc and steal all your items)
Mods talk to discord using Rich Presence (local Discord API) to dynamically change the “actively playing” information in your discord profile. Anything else that looked weird to you? I'll try my best to explain it!
XD 1. It's really funny that someone who clearly doesn't take the time calls Java stupid. 2. Lunar Is a Modded MC client with it's own suite of stuff. (which also makes this a threat to that modded client. 3. It actively unloads itself on world loading for the player (Single Player/MP) 4. Forge mod loader (which this mod is for) allows for some final variable abuse. 5. as for JDK, you are good getting the latest long-term release one, as it supports backwards sets. 6. The reason 'DECRYPT_MODE' failed for you, was because you failed to include the `` private static final int DECRYPT_MODE `` which was set to Cipher.DECRYPT_MODE; -- This is just an example of chat GPT being dumb with variable names, which caught you off gaurd. 7. It Targets MS accounts, Lunar Accounts (Modded game client), Discord accounts, Feather (MC modded accounts thing), Pizzaclient which is a supposed account protection scheme I have to put it this way.. for someone seriously promoting Synk, the way you talk about java... makes me geniunely question synks usefulness entirely, if you who does this kind of cyper ops on the regular... can't even take the time to understand the basic premises of java, without resorting to insulting it.. because you failed to understand the prerequisites. I'll admit that Forge&Fabric Modded minecraft do some 'funnybusiness' with java, and preform things normal java doesn't allow (such as messing with final variables in some actions, and delaying when they are 'assigned', so that you can assign a final in one class then give it data later down the line (which works assuming you actually assigned some data before calling it, which was done here) the amount of modded clients & cheat mods for the major servers is just nutty as hell.
Hey! Hypixel Skyblock RUclipsr here,
Thanks for looking at this! The Hypixel community has been overwhelmed with fake mods, and session stealers for years.
I’m glad more people are looking at this, and helping to spread awareness about fake mods, and the dangers of them.
Love seeing stuff like this. Thanks for the fun watch!
W toadstar
skiblox
Love your Ironman series Toad, love to see content creators on technical videos like this
W 🔥❤️🔥
Skyblock mentioned
Hi toad btw
Hey John! Thanks so much for looking at this sample I sent. Interesting to see how you did things differently and the same as I did in my initial analysis.
Thanks so much David!! Super sorry I didn't get back to your email but huge thanks for sending it along and letting me share in a video :) I'd love to hear what you did in your process!
Im interested now what’s your ign (I guess you are playing skyblock)
As a player of hypixel skyblock. RAT's are really common. You can find multiple in a week depending on what you do.
Its due to the fact that the game is an MMO, so the in game items can be given real life value.
came to say this. wild to see two of my worlds colliding like this - John Hammond investigating a RAT in the form of one of the primary mods i use myself.
@@alefnull lmao same
as soon as I saw "Minecraft Malware" in the title I immediately knew it was about hypixel skyblock lmao
@@frostiefopsthen "1.8.9" I i was like *real*
25:14 I've been rick rolled too much by now to recognize this regex.
same
I laughed a little when he didn't recognize it. Took me about half a second.
Yes
What does it do?
best part was the indirect java roast (but loved the other two minutes as well)
Thought it was worth pointing out that Recaf is a good tool for those who decompile, deobfuscate, and reverse engineer java/minecraft mods. It allows you to rename variables, edit bytecode, and run methods with dummy inputs without ever even unzipping the jar
And to pay attention to the 4.X snapshots as that's what we're working on right now.
@@mattcoley Woah I didnt expect to find the developer here lol. I tried out 4.x a couple of days ago and while it was a smoother more bug-free experience, i’ve gotten used to the 2.x workflow where you can pretty much right click anything to go to the definition or search references. I see it has come a long way, but i think ill stay on 2.x until there is an official 4.x release availible
@@mattcoleywe don't talk much but recaf is seriously an awesome tool. I use it way more than I expected to
@@mattcoleyoc im finding you here 😂
25:21 Pizza Client is another minecraft mod for hypixel skyblock. It comes built in with a feature to protect against session id stealing which is when another mod like the one showcased steals the session id used to log into the users minecraft account. This string is there to find that part of the mod and presumably disable the feature in order to not get detected.
Isnt pizza client another cheat mod which the dev turned into malware?
Yeah its basically impossible to find a version of pizza without a rat@komos63
@@komos63 nope its not malware, only the versions that random ppl send to u are
@@AnEnderNon thats exactly what someone who hid a rat in one would say🤔🐀
@@Mcneds i wish i made pizza client but im not good enough XD, anyway pizza client sells supporter subscription for some features, it would be dumb to rat in such a mod dont you think
"Java is just stupid and annoying." -John as well as every Java dev.
Actually, no. At least not every competent Java dev. Its just how we use our language. You could argue faults for EVERY single language, so your probably just not competent enough in Java.
@@Wyvernxx_🤓
@@coolnormalandwelladjusted Average kid on youtube:
@@Wyvernxx_ well considering my RUclips account is 12 years old it would be strange if I were a child.
@@coolnormalandwelladjustedThere are full grown adults that act like 9 year olds. Just sayin' 😉
ratting is a big problem in the minecraft community, especially in hypixel skyblock being that the currency in the game has some value to real life money. looks like all its trying to steal is discord tokens and minecraft tokens via the lunar, feather, and pizza client.
17:57 This is likely a decompilation error. I don't know why you're not using a proper IDE for this. Would probably chop about 15 minutes off the video length.
Hey man, JD-Gui is a pretty out of date decompiler. You should look into using a decompiler such as fern flower or vine flower (a fork of fern flower) instead which can (sometimes) be faster and provide more accurate and readable code
Recaf has both
@@walksanator yeah i was going to mention Recaf 4.X
it has procyon, fernflower, and cfr. i dont remember if it has vineflower though. in any case you can run the decompiler standalone as Recaf is just a UI for it
You can't generally use decompilers and expect a 100% working output, especially considering that jd-gui is pretty outdated. When you run javac, the java code gets compiled to bytecode, which is then executed by the jvm, and the d-compiler's job is to translate that bytecode back to java code, which is impossible to do perfectly, and the result of that is, for example, it trying to declare a Cipher object as a short and other errors. You might also want to consider using more modern decompilers such as CFR or Krakatau.
I was thinking about how he came across the infected repository. And I think the main getaway for me here, is, whenever I have a public repository, check the forks that might be created from it. Maybe someone was stupid enough to just fork the repository, add his infected code, and a simple diff between the original and the fork might already show interesting things.
Smart attacker would obviously not simply fork the repository. But not all attackers are smart.
he was likely a victim of a scam attempt, there are bots in-game that dm you and try to make you download these mods
Imagine spending this MUCH time making an info stealer to get people's lunar client accounts
creating software takes a lot of time, regardless of if its malicious or not
I mean alt accounts sell very good
it takes like 3 hours to make
the payload is pretty crude and rudimental, its a numbers game, get the code out, and so many will try it youll end up with a good collection of accounts. you just obfuscate the payload in one way, either by hand or using AI, then copy paste that into a different methods of obfuscating and encoding, and make sure to include some vanilla minecraft code in the functions you obfuscate. Its actually just collecting a bunch of obfuscation methods and apply them all output to input, you can actually just make a script that will AI generate a basic ass info stealers, then a random sequence of obfuscation functions and pipe it through and there you go.
IRL Trading in Skyblock pays good IRL money
java-deobfuacator is actually meant for deobfuscating specific obfuscator programs, such as zkm, smoke, etc. and only features transformers for those, and not generic "homemade" obfuscators such as the one used to obfuscate this malware. Especially seeing as the obfuscation this used is fairly basic, seems like it's just string encoder, renamer and some basic flow obfuscation. It's also quite outdated and doesn't really have transformers for more modern obfuscators.
Hey there, I made the obfuscator like 6 years ago (you can find it on my GitHub). You said that there are more modern obfuscation techniques which I find interesting. What has changed in those years? What is SOTA Java obfuscation nowadays?
the obfuscator used here is nothing „homemade“. it look’s definitely like superblaubeere27‘s obfuscator…. which, well is supported fully in either narumi‘s deobfuscator or the java-deobfuscator shown here.
@@havesta can confirm, it is mine
I was once setting up my laptop to host a Minecraft server and I kid you not, it took 3 DAMN HOURS to get the correct version of java and their JDK's, JDE's. I was on like 10 Different websites. java is just so difficult to deal with so I can understand your struggle with javaFX and such stuff.
It’s become a whole lot easier with Temurin, which is a distribution of OpenJDK. Just select the version of Java (either 8, 17 or 21) on their site, and you can get the JDK and JRE set up in like 5 minutes without going through Oracle’s nightmare UX
Java is horrible in that regard. And when what you downloaded doesn't work you question whether it's Java being Java or you executed ran something you shouldn't have, since the official websites look like malware
I had to download an old version of the JDK and I had to make an account at Oracle to download that shit, I kept getting stuck at a paywall and I though "Crap do i have to pay for the older versions?" Then luckily after a few hours and downloading more versions I finally managed the server to boot up.
Termium is the easy way, for anyone learning about this from this reply(0 people lol)
Yeah, the pros just give up and bundle their own JRE with the code in a larger .exe file nowadays, that's what they did with the Minecraft client eventually.
finally another malware deobfuscation video, they are so interesting
The pizza client part is injecting into a different mod ( - pizzaclient). which actually has a feature that protects the user's account, and the stealer basically disables it.
private main function, best way to protect a program is to make it not runnable
"I do know maybe LITTLE bit about malware"
-John Hammond 2024
OKAY JOHNNY YOU'RE GOING DOWN FOR CALLING JAVA STUPID (in all seriousness, great video, keep it up 😉)
i assume that in "qolskyblockmod" the "qol" stands for "Quality of Life" as in useful additions that make it more enjoyable without making gameplay changes to the Skyblock mode that the mod is for.
some of the odd client names are most likely some obscure minecraft launchers i havent heard of before.
I do recognize essentials as a legitimate minecraft mod tho where they are probably trying to extract data from since its adding social mechanics like friends list, joining friends etc. like your used to from steam to the game.
I assume internal those systems store some data an info stealer would be interested in since the user basically already willingly gave those informations out.
also its not a hot take to say java is stupid lol
i always keep saying how outdated and ill-suited java is to ruin the game, even back in the day when it was first made by notch it wasnt a great choice.
i assume it was chosen because it was easy for him to get in to.
Ideally the game should be entirely rewriten in a modern language and use modern technology to re implement the same things but under Microsoft thats unlikely to happen.
Most likely they will rather keep suporting an outdated tech then re do the entire work which doesnt make them any money for such a silly thing as long term benefits.
qol in this context is a jokey term for a cheat
@@ai-spacedestructor Considering they did that with bedrock edition and people hate it I don't see why they should
@@XtraKawaii the programming language really isnt the problem with bedrock, its one of the few things actually ok about it.
Pizza client is a "safe" cheat mod which has a thing to prevent session id stealers or malware to launch. it's probably bypassing it
Spent 20 minutes doing nothing, then just uses ChatGPT and ends the video :/
Would've been more interesting to see some of the obfuscation techniques... I wish I could just access the code myself.
Yeah that was a bust..
actually, minecraft mods, at least modern ones made for forge, fabric, etc contain no game code.
they get loaded by the mod loader (e.g. forge, or fabric) so they contain some boilerplate to handle loading and unloading, but the rest is just the mod doing it's own thing and doing API calls to the mod loader / game.
minecraft mods has a set of functions you can use to auto deobfuscate mods that you can refer to in documentation. probably somewhere random they call the function for the session id of the minecraft account where they log on and steal all their items on hypixel skyblock.
some dude said "yea first" 🤢
"Yea first" 🤢
Not even Minecrafters are safe from malware....
they get so much
Minecraft mods load as full programs w/ access to Kernel APIs, they DO NOT run in a sandbox.
bro i coded one of these i was going to sell it but lost motivation coding it
Minecraft (and especially "Hypixel Skyblock") has quite a big problem with these infostealers, since a minecraft mod can read the current instance's session token and therefore just "steal" the account of someone, atleast temporarily (and as someone below mentioned, the mods can access anything on your pc too, they arent in a sandbox)
@@ItIsJan if your rat is advanced enough they can log into your gmail and (temporarily) and then log into your microsoft send a email to your email and change your minecraft accounts email if its as advanced as one of the ones ive made it hides itself in your mod folder and the even worse version ive made loads a rootkit and its like really hard to remove another one a friend of mine made (he actually sells it) uses sorrilus rat
this is literally so easy to decompile and u can tell by the libraries its using what it does
would be more interesting if it was a little bit more compiled like for example minecraft Cristalix launcher or if they actually used obfuscation tool. Some of them produce output that can't even viewed by java decompilers, so u have to work with bytecode
25:13 that start is way worse than just a regex
why?
Google it
@@repomansez try typing that in as the "watch?=XXXX" on a youtube url :)
@@k1ngjulien_ oh. Saw the XcQ though, not doing it.
I love me some Rickroll!
The arguments aren't what the main method was missing before you copied the error, it was the fact the method was private. Main method has to be accessible in Java.
Agreed Java is one of the dumbest languages I ever tried to learn.
I love how you completely made a thumbnail in the exact style Minecraft RUclipsrs make them
i just pissed on my wall
How did it feel ?
hell yeah
Lets fucking goo
> opens video about malware analysis
> pisses on wall
> refuses to elaborate
> leaves
fucking chad
am I the only one bothered that he just jumped straight to ChatGPT and assumed the outputs it gave were fine, when the errors were quite clear and simple to fix?
And also that he removed the variable initialization instead of moving it where it actually makes sense, since the variable "L" was generated by the decomp and wasn't actually valid java
I mean, this probably wasnt some major project so it didnt really matter. I think John just wanted to squeeze a little bit of simple content out of this malware and be done with it. I doubt he would want to spend hours debugging for something this unimportant
It was rather painful watching him do the java stuff honestly
recaf > jd-gui any day of the week
Is this available in your Repo? I have a reverse engineering env. Would love to dissect this too
Repeat after me: public static void main(String[] args) {}
John: private static void Main() {}
i did not expect a john hammond skyblock crossover but hell yeah
Fire video once again John! I've loved minecraft and malware analysis for a long time now, it's great to see you bridging the gap (since log4j ofc)
Needed that sublime select thing at work today thank you
Just using an actual Java IDE would probably make it much much easier LMFAO
now where does the rickroll link get used
25:14 did it- is it printing out the youtube link to rick astley’s never going to give you up?????
Yes.
Do more minecraft mod deobfuscations in the future please, love your videos
Are those shell extensions or is it an ancient GNOME release?
Would there be any repercussion for spamming the C&C server with garage data/fake tokens?
used to do that, saw my request flooding the bots that posts the data into a discord channel (back when u can directly VIEW the contents inside of discord hidden channels with plugins, not sure on this one)
Pizza client is a hack client
no its a "quality of life" mod that improves minecraft experience (fr)
When you asked "is that a regular expression, the first part of it (the string "dQw4w9WgXcQ") is the RUclips video ID for Rick Astley's Never Gonna Give You Up. I would recognize that ID anywhere.
In Java boilerplate is not a design flaw but love. Boilerplate == love
is it just me or is the snyk link missing from the description?
Good catch, thank you, fixed!
Finally! Another malware deobfuscation!!
Amazing job, always fun to see you deobfuscating stuff, especially java...
the mic quality in the sponsor segment damn
Basically, these malicious mods for hypixel skybloxk spread around and most of the time these people do it, just to steal ingame items and currency. Insanity
As someone who dabbles in mod making, the part where you tried to get it to work is sooo relatable lol
I love how using any language starts with printing hello world.
theres no way the rickroll url is in the decrypted strings
One of the strings is literally a Rick Roll. (The letters/numbers inside the parenthesis before the RegEx and another after "modifiers")
i did not expect a minecraft skyblock mod on here 😭😭😭😭
Of course it's a Skyblock mod. That doesn't surprise me _at all._
You might wanna use a better decompiler, such as Fernflower.
Appreciate the rickroll youtube id just also being there lmao
that is how discord stores your token
discord do be funi
Pizza client is a cheat client for skyblock that has session token protection. The malware disables it before doing stuff 25:20
Also, this mod is skidded from github, I recognize that request format and obfuscation
I dont understand anything about this video, but it was pretty interesting and made me wonder, how many files, games or mods have I downloaded without noticing anything, it is truly unbelievable for me what people can do with coding and how easy it is to infect people computers with malware’s or viruses.
bruh they really are out here doing anything they can to steal 50 dollars of minecraft items
Whats wrong with quality
i have it downloaded what do i do?
change your passwords to everything it steals
Change all passwords and get rid of it. If lucky you have preserved most of your data
.. minecraft modders have weird ads these days
I'll leave another comment when I've watched the video but just a little over a minute in I must say I love SkyHanni and its codebase. I wonder if you will be as impressed with its organization, code quality, and project management as I am.
Edit: fair enough.
why am I not surprised it’s a skyblock mod
25:14 that is the url slug for Never Gonna Give You Up
Is it good to have venom rats on my computer I'm the one who downloaded it but nothing bad has happened to my computer? I know it's access Trojan I just want to know from a professional I downloaded the file off the dark web
no, use a virtual machine to test malware instead.
Say it with me now, public static void main string brackets args.
25:14 nah that's rickroll lmfao
imagine that a malware that john Deobfuscating have a comment that say john please dont go further
why is the youtube video ID for the rickroll video in there
That is discord token decryption. Discord thought it would be a funny joke to encrypt tokens with the video id being the visible part. Really, it didn't do jackshit. The part of the code likely looks for the regex pertaining to the token and then decrypts with the os crypt key.
Amazing video once again 😄👏,
it has been a problem for years
Yeah... obfuscation is nice - but what to do if the code int't... there? :D
Not surprised. Give it up to the no lifers of hypixel Skyblock hackers
Aw hell nah bro everytime i check in with Minecraft this shi happens
For some accounts on a kids game is wild 💀
I mean, how Java can be readble
25:15 I know a rickroll when I see one
I don't think that's encryption, it's just encoding it
"pizzaclient" is another mod that is paid to use and the malware is getting the token for using that mod
Lol, I never expected mc on this channel ngl
Wild, there's even a rick roll in there. dQw
Looks like he was probably stealing Skyblock info and pulling accounts
I don't get the encrypted strings, what are they for?
hiding the real strings from someone using control F and searching for discord
@@Capiosus Aight, thanks
Its also a really noob friendly way to make your malware harder to detect
@@nothingnothing1799 ohh true, thabk you brothar
I need to find someone of your caliber to in Debian Linux. (I'm migrating back to Linux after a 20-year hiatus. )
I took a look a little bit at skyhanni and it had weird shit going on so i never used the mod. a few things I remember is it tried to talk to discord. (malware in modpacks do that because they send the session id to their discord so they can log into ur acc and steal all your items)
of course I think i had the actual mod and didnt like it was talking to discord
Mods talk to discord using Rich Presence (local Discord API) to dynamically change the “actively playing” information in your discord profile.
Anything else that looked weird to you? I'll try my best to explain it!
Free ma boi dreamys
minecraft 1.8.9 (the version that this mod runs on) runs java 8, not the latest java
RECAF >> JD-GUI
He doesn't know shit about Java malware analysis, don't expect him to do research lmfao
@@GatoCoder True, true..
I love these videos, please make more.
XD
1. It's really funny that someone who clearly doesn't take the time calls Java stupid.
2. Lunar Is a Modded MC client with it's own suite of stuff. (which also makes this a threat to that modded client.
3. It actively unloads itself on world loading for the player (Single Player/MP)
4. Forge mod loader (which this mod is for) allows for some final variable abuse.
5. as for JDK, you are good getting the latest long-term release one, as it supports backwards sets.
6. The reason 'DECRYPT_MODE' failed for you, was because you failed to include the `` private static final int DECRYPT_MODE `` which was set to Cipher.DECRYPT_MODE;
-- This is just an example of chat GPT being dumb with variable names, which caught you off gaurd.
7. It Targets MS accounts, Lunar Accounts (Modded game client), Discord accounts, Feather (MC modded accounts thing), Pizzaclient which is a supposed account protection scheme
I have to put it this way.. for someone seriously promoting Synk, the way you talk about java... makes me geniunely question synks usefulness entirely, if you who does this kind of cyper ops on the regular... can't even take the time to understand the basic premises of java, without resorting to insulting it.. because you failed to understand the prerequisites.
I'll admit that Forge&Fabric Modded minecraft do some 'funnybusiness' with java, and preform things normal java doesn't allow (such as messing with final variables in some actions, and delaying when they are 'assigned', so that you can assign a final in one class then give it data later down the line (which works assuming you actually assigned some data before calling it, which was done here)
the amount of modded clients & cheat mods for the major servers is just nutty as hell.
This guy knows nothing about Java or anything related to java reverse engineering. Dunning kruger effect in action.
i would recomand recaf for this
no way hypixel skyblock