He Sent Me Minecraft Malware (Java Deobfuscation)
Вставка
- Опубліковано 7 лис 2024
- jh.live/snyk || Try Snyk for free and find vulnerabilities in your code and applications! ➡ jh.live/snyk
Learn Cybersecurity - Name Your Price Training with John Hammond: nameyourpricet...
Learn Coding: jh.live/codecr...
WATCH MORE:
Dark Web & Cybercrime Investigations: • Tracking Cybercrime on...
Malware & Hacker Tradecraft: • Malware Analysis & Thr...
📧JOIN MY NEWSLETTER ➡ jh.live/email
🙏SUPPORT THE CHANNEL ➡ jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ jh.live/sponsor
🌎FOLLOW ME EVERYWHERE ➡ jh.live/twitter ↔ jh.live/linkedin ↔ jh.live/discord ↔ jh.live/instagram ↔ jh.live/tiktok
💥 SEND ME MALWARE ➡ jh.live/malware
🔥UA-cam ALGORITHM ➡ Like, Comment, & Subscribe!
Hey! Hypixel Skyblock UA-camr here,
Thanks for looking at this! The Hypixel community has been overwhelmed with fake mods, and session stealers for years.
I’m glad more people are looking at this, and helping to spread awareness about fake mods, and the dangers of them.
Love seeing stuff like this. Thanks for the fun watch!
W toadstar
skiblox
Love your Ironman series Toad, love to see content creators on technical videos like this
W 🔥❤️🔥
Skyblock mentioned
Hi toad btw
Hey John! Thanks so much for looking at this sample I sent. Interesting to see how you did things differently and the same as I did in my initial analysis.
Thanks so much David!! Super sorry I didn't get back to your email but huge thanks for sending it along and letting me share in a video :) I'd love to hear what you did in your process!
Im interested now what’s your ign (I guess you are playing skyblock)
As a player of hypixel skyblock. RAT's are really common. You can find multiple in a week depending on what you do.
Its due to the fact that the game is an MMO, so the in game items can be given real life value.
came to say this. wild to see two of my worlds colliding like this - John Hammond investigating a RAT in the form of one of the primary mods i use myself.
@@alefnull lmao same
as soon as I saw "Minecraft Malware" in the title I immediately knew it was about hypixel skyblock lmao
@@frostiefopsthen "1.8.9" I i was like *real*
25:14 I've been rick rolled too much by now to recognize this regex.
same
I laughed a little when he didn't recognize it. Took me about half a second.
Yes
What does it do?
Thought it was worth pointing out that Recaf is a good tool for those who decompile, deobfuscate, and reverse engineer java/minecraft mods. It allows you to rename variables, edit bytecode, and run methods with dummy inputs without ever even unzipping the jar
And to pay attention to the 4.X snapshots as that's what we're working on right now.
@@mattcoley Woah I didnt expect to find the developer here lol. I tried out 4.x a couple of days ago and while it was a smoother more bug-free experience, i’ve gotten used to the 2.x workflow where you can pretty much right click anything to go to the definition or search references. I see it has come a long way, but i think ill stay on 2.x until there is an official 4.x release availible
@@mattcoleywe don't talk much but recaf is seriously an awesome tool. I use it way more than I expected to
@@mattcoleyoc im finding you here 😂
best part was the indirect java roast (but loved the other two minutes as well)
25:21 Pizza Client is another minecraft mod for hypixel skyblock. It comes built in with a feature to protect against session id stealing which is when another mod like the one showcased steals the session id used to log into the users minecraft account. This string is there to find that part of the mod and presumably disable the feature in order to not get detected.
Isnt pizza client another cheat mod which the dev turned into malware?
Yeah its basically impossible to find a version of pizza without a rat@komos63
@@komos63 nope its not malware, only the versions that random ppl send to u are
@@AnEnderNon thats exactly what someone who hid a rat in one would say🤔🐀
@@Mcneds i wish i made pizza client but im not good enough XD, anyway pizza client sells supporter subscription for some features, it would be dumb to rat in such a mod dont you think
"Java is just stupid and annoying." -John as well as every Java dev.
Actually, no. At least not every competent Java dev. Its just how we use our language. You could argue faults for EVERY single language, so your probably just not competent enough in Java.
@@Wyvernxx_🤓
@@coolnormalandwelladjusted Average kid on youtube:
@@Wyvernxx_ well considering my UA-cam account is 12 years old it would be strange if I were a child.
@@coolnormalandwelladjustedThere are full grown adults that act like 9 year olds. Just sayin' 😉
Hey man, JD-Gui is a pretty out of date decompiler. You should look into using a decompiler such as fern flower or vine flower (a fork of fern flower) instead which can (sometimes) be faster and provide more accurate and readable code
Recaf has both
@@walksanator yeah i was going to mention Recaf 4.X
it has procyon, fernflower, and cfr. i dont remember if it has vineflower though. in any case you can run the decompiler standalone as Recaf is just a UI for it
17:57 This is likely a decompilation error. I don't know why you're not using a proper IDE for this. Would probably chop about 15 minutes off the video length.
ratting is a big problem in the minecraft community, especially in hypixel skyblock being that the currency in the game has some value to real life money. looks like all its trying to steal is discord tokens and minecraft tokens via the lunar, feather, and pizza client.
You can't generally use decompilers and expect a 100% working output, especially considering that jd-gui is pretty outdated. When you run javac, the java code gets compiled to bytecode, which is then executed by the jvm, and the d-compiler's job is to translate that bytecode back to java code, which is impossible to do perfectly, and the result of that is, for example, it trying to declare a Cipher object as a short and other errors. You might also want to consider using more modern decompilers such as CFR or Krakatau.
private main function, best way to protect a program is to make it not runnable
I was thinking about how he came across the infected repository. And I think the main getaway for me here, is, whenever I have a public repository, check the forks that might be created from it. Maybe someone was stupid enough to just fork the repository, add his infected code, and a simple diff between the original and the fork might already show interesting things.
Smart attacker would obviously not simply fork the repository. But not all attackers are smart.
he was likely a victim of a scam attempt, there are bots in-game that dm you and try to make you download these mods
Imagine spending this MUCH time making an info stealer to get people's lunar client accounts
creating software takes a lot of time, regardless of if its malicious or not
I mean alt accounts sell very good
it takes like 3 hours to make
the payload is pretty crude and rudimental, its a numbers game, get the code out, and so many will try it youll end up with a good collection of accounts. you just obfuscate the payload in one way, either by hand or using AI, then copy paste that into a different methods of obfuscating and encoding, and make sure to include some vanilla minecraft code in the functions you obfuscate. Its actually just collecting a bunch of obfuscation methods and apply them all output to input, you can actually just make a script that will AI generate a basic ass info stealers, then a random sequence of obfuscation functions and pipe it through and there you go.
IRL Trading in Skyblock pays good IRL money
The pizza client part is injecting into a different mod ( - pizzaclient). which actually has a feature that protects the user's account, and the stealer basically disables it.
java-deobfuacator is actually meant for deobfuscating specific obfuscator programs, such as zkm, smoke, etc. and only features transformers for those, and not generic "homemade" obfuscators such as the one used to obfuscate this malware. Especially seeing as the obfuscation this used is fairly basic, seems like it's just string encoder, renamer and some basic flow obfuscation. It's also quite outdated and doesn't really have transformers for more modern obfuscators.
Hey there, I made the obfuscator like 6 years ago (you can find it on my GitHub). You said that there are more modern obfuscation techniques which I find interesting. What has changed in those years? What is SOTA Java obfuscation nowadays?
the obfuscator used here is nothing „homemade“. it look’s definitely like superblaubeere27‘s obfuscator…. which, well is supported fully in either narumi‘s deobfuscator or the java-deobfuscator shown here.
@@havesta can confirm, it is mine
finally another malware deobfuscation video, they are so interesting
i assume that in "qolskyblockmod" the "qol" stands for "Quality of Life" as in useful additions that make it more enjoyable without making gameplay changes to the Skyblock mode that the mod is for.
some of the odd client names are most likely some obscure minecraft launchers i havent heard of before.
I do recognize essentials as a legitimate minecraft mod tho where they are probably trying to extract data from since its adding social mechanics like friends list, joining friends etc. like your used to from steam to the game.
I assume internal those systems store some data an info stealer would be interested in since the user basically already willingly gave those informations out.
also its not a hot take to say java is stupid lol
i always keep saying how outdated and ill-suited java is to ruin the game, even back in the day when it was first made by notch it wasnt a great choice.
i assume it was chosen because it was easy for him to get in to.
Ideally the game should be entirely rewriten in a modern language and use modern technology to re implement the same things but under Microsoft thats unlikely to happen.
Most likely they will rather keep suporting an outdated tech then re do the entire work which doesnt make them any money for such a silly thing as long term benefits.
qol in this context is a jokey term for a cheat
@@ai-spacedestructor Considering they did that with bedrock edition and people hate it I don't see why they should
@@XtraKawaii the programming language really isnt the problem with bedrock, its one of the few things actually ok about it.
I was once setting up my laptop to host a Minecraft server and I kid you not, it took 3 DAMN HOURS to get the correct version of java and their JDK's, JDE's. I was on like 10 Different websites. java is just so difficult to deal with so I can understand your struggle with javaFX and such stuff.
It’s become a whole lot easier with Temurin, which is a distribution of OpenJDK. Just select the version of Java (either 8, 17 or 21) on their site, and you can get the JDK and JRE set up in like 5 minutes without going through Oracle’s nightmare UX
Java is horrible in that regard. And when what you downloaded doesn't work you question whether it's Java being Java or you executed ran something you shouldn't have, since the official websites look like malware
I had to download an old version of the JDK and I had to make an account at Oracle to download that shit, I kept getting stuck at a paywall and I though "Crap do i have to pay for the older versions?" Then luckily after a few hours and downloading more versions I finally managed the server to boot up.
Termium is the easy way, for anyone learning about this from this reply(0 people lol)
Yeah, the pros just give up and bundle their own JRE with the code in a larger .exe file nowadays, that's what they did with the Minecraft client eventually.
actually, minecraft mods, at least modern ones made for forge, fabric, etc contain no game code.
they get loaded by the mod loader (e.g. forge, or fabric) so they contain some boilerplate to handle loading and unloading, but the rest is just the mod doing it's own thing and doing API calls to the mod loader / game.
recaf > jd-gui any day of the week
Pizza client is a "safe" cheat mod which has a thing to prevent session id stealers or malware to launch. it's probably bypassing it
OKAY JOHNNY YOU'RE GOING DOWN FOR CALLING JAVA STUPID (in all seriousness, great video, keep it up 😉)
Needed that sublime select thing at work today thank you
Spent 20 minutes doing nothing, then just uses ChatGPT and ends the video :/
Would've been more interesting to see some of the obfuscation techniques... I wish I could just access the code myself.
Yeah that was a bust..
this is literally so easy to decompile and u can tell by the libraries its using what it does
would be more interesting if it was a little bit more compiled like for example minecraft Cristalix launcher or if they actually used obfuscation tool. Some of them produce output that can't even viewed by java decompilers, so u have to work with bytecode
The arguments aren't what the main method was missing before you copied the error, it was the fact the method was private. Main method has to be accessible in Java.
25:13 that start is way worse than just a regex
why?
Google it
@@repomansez try typing that in as the "watch?=XXXX" on a youtube url :)
@@k1ngjulien_ oh. Saw the XcQ though, not doing it.
I love me some Rickroll!
minecraft mods has a set of functions you can use to auto deobfuscate mods that you can refer to in documentation. probably somewhere random they call the function for the session id of the minecraft account where they log on and steal all their items on hypixel skyblock.
i just pissed on my wall
How did it feel ?
hell yeah
Lets fucking goo
> opens video about malware analysis
> pisses on wall
> refuses to elaborate
> leaves
fucking chad
"I do know maybe LITTLE bit about malware"
-John Hammond 2024
I love how you completely made a thumbnail in the exact style Minecraft UA-camrs make them
some dude said "yea first" 🤢
"Yea first" 🤢
am I the only one bothered that he just jumped straight to ChatGPT and assumed the outputs it gave were fine, when the errors were quite clear and simple to fix?
And also that he removed the variable initialization instead of moving it where it actually makes sense, since the variable "L" was generated by the decomp and wasn't actually valid java
I mean, this probably wasnt some major project so it didnt really matter. I think John just wanted to squeeze a little bit of simple content out of this malware and be done with it. I doubt he would want to spend hours debugging for something this unimportant
It was rather painful watching him do the java stuff honestly
Pizza client is a hack client
no its a "quality of life" mod that improves minecraft experience (fr)
Repeat after me: public static void main(String[] args) {}
John: private static void Main() {}
Fire video once again John! I've loved minecraft and malware analysis for a long time now, it's great to see you bridging the gap (since log4j ofc)
Not even Minecrafters are safe from malware....
they get so much
Minecraft mods load as full programs w/ access to Kernel APIs, they DO NOT run in a sandbox.
bro i coded one of these i was going to sell it but lost motivation coding it
Minecraft (and especially "Hypixel Skyblock") has quite a big problem with these infostealers, since a minecraft mod can read the current instance's session token and therefore just "steal" the account of someone, atleast temporarily (and as someone below mentioned, the mods can access anything on your pc too, they arent in a sandbox)
@@ItIsJan if your rat is advanced enough they can log into your gmail and (temporarily) and then log into your microsoft send a email to your email and change your minecraft accounts email if its as advanced as one of the ones ive made it hides itself in your mod folder and the even worse version ive made loads a rootkit and its like really hard to remove another one a friend of mine made (he actually sells it) uses sorrilus rat
Whats wrong with quality
Is this available in your Repo? I have a reverse engineering env. Would love to dissect this too
25:14 did it- is it printing out the youtube link to rick astley’s never going to give you up?????
Yes.
i did not expect a john hammond skyblock crossover but hell yeah
You might wanna use a better decompiler, such as Fernflower.
now where does the rickroll link get used
Do more minecraft mod deobfuscations in the future please, love your videos
the mic quality in the sponsor segment damn
Are those shell extensions or is it an ancient GNOME release?
Would there be any repercussion for spamming the C&C server with garage data/fake tokens?
used to do that, saw my request flooding the bots that posts the data into a discord channel (back when u can directly VIEW the contents inside of discord hidden channels with plugins, not sure on this one)
When you asked "is that a regular expression, the first part of it (the string "dQw4w9WgXcQ") is the UA-cam video ID for Rick Astley's Never Gonna Give You Up. I would recognize that ID anywhere.
Finally! Another malware deobfuscation!!
In Java boilerplate is not a design flaw but love. Boilerplate == love
theres no way the rickroll url is in the decrypted strings
is it just me or is the snyk link missing from the description?
Good catch, thank you, fixed!
25:14 that is the url slug for Never Gonna Give You Up
As someone who dabbles in mod making, the part where you tried to get it to work is sooo relatable lol
Pizza client is a cheat client for skyblock that has session token protection. The malware disables it before doing stuff 25:20
Also, this mod is skidded from github, I recognize that request format and obfuscation
Just using an actual Java IDE would probably make it much much easier LMFAO
Basically, these malicious mods for hypixel skybloxk spread around and most of the time these people do it, just to steal ingame items and currency. Insanity
25:15 I know a rickroll when I see one
i have it downloaded what do i do?
change your passwords to everything it steals
Change all passwords and get rid of it. If lucky you have preserved most of your data
i would recomand recaf for this
i did not expect a minecraft skyblock mod on here 😭😭😭😭
Amazing video once again 😄👏,
Amazing job, always fun to see you deobfuscating stuff, especially java...
.. minecraft modders have weird ads these days
One of the strings is literally a Rick Roll. (The letters/numbers inside the parenthesis before the RegEx and another after "modifiers")
I dont understand anything about this video, but it was pretty interesting and made me wonder, how many files, games or mods have I downloaded without noticing anything, it is truly unbelievable for me what people can do with coding and how easy it is to infect people computers with malware’s or viruses.
Free ma boi dreamys
25:14 nah that's rickroll lmfao
I love how using any language starts with printing hello world.
it has been a problem for years
I mean, how Java can be readble
bruh they really are out here doing anything they can to steal 50 dollars of minecraft items
Of course it's a Skyblock mod. That doesn't surprise me _at all._
RECAF >> JD-GUI
He doesn't know shit about Java malware analysis, don't expect him to do research lmfao
@@GatoCoder True, true..
use recaf instead of jd-gui.
I don't think that's encryption, it's just encoding it
I like the modid.
not the only one who saw that lmfao
I love these videos, please make more.
Say it with me now, public static void main string brackets args.
I need to find someone of your caliber to in Debian Linux. (I'm migrating back to Linux after a 20-year hiatus. )
"pizzaclient" is another mod that is paid to use and the malware is getting the token for using that mod
I'll leave another comment when I've watched the video but just a little over a minute in I must say I love SkyHanni and its codebase. I wonder if you will be as impressed with its organization, code quality, and project management as I am.
Edit: fair enough.
Wild, there's even a rick roll in there. dQw
Yeah... obfuscation is nice - but what to do if the code int't... there? :D
I don't get the encrypted strings, what are they for?
hiding the real strings from someone using control F and searching for discord
@@Capiosus Aight, thanks
Its also a really noob friendly way to make your malware harder to detect
@@nothingnothing1799 ohh true, thabk you brothar
why am I not surprised it’s a skyblock mod
Is it good to have venom rats on my computer I'm the one who downloaded it but nothing bad has happened to my computer? I know it's access Trojan I just want to know from a professional I downloaded the file off the dark web
no, use a virtual machine to test malware instead.
imagine that a malware that john Deobfuscating have a comment that say john please dont go further
For some accounts on a kids game is wild 💀
Aw hell nah bro everytime i check in with Minecraft this shi happens
Lol, I never expected mc on this channel ngl
Not surprised. Give it up to the no lifers of hypixel Skyblock hackers
is java good for malware dev
I recommend Lua or Rust. You need to be able to run your “software” even if the “customer” doesn’t have Java installed.
Depends on who you are targeting, I guess.
no unless minecraft, obfuscation is minimal and everything "decompiles" back to java source code.
using a language that compiles to binaries work much better
Looks like he was probably stealing Skyblock info and pulling accounts
no way hypixel skyblock
minecraft 1.8.9 (the version that this mod runs on) runs java 8, not the latest java
Alr
You look awesome sir ❤