He Sent Me Minecraft Malware (Java Deobfuscation)

Поділитися
Вставка
  • Опубліковано 21 лис 2024

КОМЕНТАРІ • 299

  • @Toadstar0
    @Toadstar0 4 місяці тому +551

    Hey! Hypixel Skyblock UA-camr here,
    Thanks for looking at this! The Hypixel community has been overwhelmed with fake mods, and session stealers for years.
    I’m glad more people are looking at this, and helping to spread awareness about fake mods, and the dangers of them.
    Love seeing stuff like this. Thanks for the fun watch!

    • @_Material_
      @_Material_ 4 місяці тому +8

      W toadstar

    • @hinakagiyama_
      @hinakagiyama_ 4 місяці тому +1

      skiblox

    • @evo2611
      @evo2611 4 місяці тому +2

      Love your Ironman series Toad, love to see content creators on technical videos like this

    • @seandashine
      @seandashine 4 місяці тому

      W 🔥❤️🔥

    • @HuntingKingYT
      @HuntingKingYT 4 місяці тому +1

      Skyblock mentioned
      Hi toad btw

  • @davidarthurcole
    @davidarthurcole 4 місяці тому +308

    Hey John! Thanks so much for looking at this sample I sent. Interesting to see how you did things differently and the same as I did in my initial analysis.

    • @_JohnHammond
      @_JohnHammond  4 місяці тому +64

      Thanks so much David!! Super sorry I didn't get back to your email but huge thanks for sending it along and letting me share in a video :) I'd love to hear what you did in your process!

    • @Janibal257
      @Janibal257 4 місяці тому +7

      Im interested now what’s your ign (I guess you are playing skyblock)

  • @uxiii9537
    @uxiii9537 4 місяці тому +227

    As a player of hypixel skyblock. RAT's are really common. You can find multiple in a week depending on what you do.

    • @Capiosus
      @Capiosus 4 місяці тому +16

      Its due to the fact that the game is an MMO, so the in game items can be given real life value.

    • @alefnull
      @alefnull 4 місяці тому +11

      came to say this. wild to see two of my worlds colliding like this - John Hammond investigating a RAT in the form of one of the primary mods i use myself.

    • @vencedor1774
      @vencedor1774 4 місяці тому +1

      @@alefnull lmao same

    • @frostiefops
      @frostiefops 4 місяці тому +3

      as soon as I saw "Minecraft Malware" in the title I immediately knew it was about hypixel skyblock lmao

    • @HuntingKingYT
      @HuntingKingYT 4 місяці тому +3

      ​@@frostiefopsthen "1.8.9" I i was like *real*

  • @Deftera
    @Deftera 4 місяці тому +169

    25:14 I've been rick rolled too much by now to recognize this regex.

  • @rudigerheissich9800
    @rudigerheissich9800 4 місяці тому +74

    best part was the indirect java roast (but loved the other two minutes as well)

  • @ffakkee
    @ffakkee 4 місяці тому +59

    Thought it was worth pointing out that Recaf is a good tool for those who decompile, deobfuscate, and reverse engineer java/minecraft mods. It allows you to rename variables, edit bytecode, and run methods with dummy inputs without ever even unzipping the jar

    • @mattcoley
      @mattcoley 4 місяці тому +12

      And to pay attention to the 4.X snapshots as that's what we're working on right now.

    • @ffakkee
      @ffakkee 4 місяці тому

      @@mattcoley Woah I didnt expect to find the developer here lol. I tried out 4.x a couple of days ago and while it was a smoother more bug-free experience, i’ve gotten used to the 2.x workflow where you can pretty much right click anything to go to the definition or search references. I see it has come a long way, but i think ill stay on 2.x until there is an official 4.x release availible

    • @kneesnap1041
      @kneesnap1041 4 місяці тому +2

      ​@@mattcoleywe don't talk much but recaf is seriously an awesome tool. I use it way more than I expected to

    • @havesta
      @havesta 3 місяці тому

      @@mattcoleyoc im finding you here 😂

  • @DChad-p6t
    @DChad-p6t 4 місяці тому +48

    25:21 Pizza Client is another minecraft mod for hypixel skyblock. It comes built in with a feature to protect against session id stealing which is when another mod like the one showcased steals the session id used to log into the users minecraft account. This string is there to find that part of the mod and presumably disable the feature in order to not get detected.

    • @komos63
      @komos63 4 місяці тому +3

      Isnt pizza client another cheat mod which the dev turned into malware?

    • @Mcneds
      @Mcneds 4 місяці тому +13

      Yeah its basically impossible to find a version of pizza without a rat​@komos63

    • @AnEnderNon
      @AnEnderNon 4 місяці тому +2

      @@komos63 nope its not malware, only the versions that random ppl send to u are

    • @Mcneds
      @Mcneds 3 місяці тому

      @@AnEnderNon thats exactly what someone who hid a rat in one would say🤔🐀

    • @AnEnderNon
      @AnEnderNon 3 місяці тому

      @@Mcneds i wish i made pizza client but im not good enough XD, anyway pizza client sells supporter subscription for some features, it would be dumb to rat in such a mod dont you think

  • @sojiro288
    @sojiro288 4 місяці тому +219

    "Java is just stupid and annoying." -John as well as every Java dev.

    • @Wyvernxx_
      @Wyvernxx_ 4 місяці тому +4

      Actually, no. At least not every competent Java dev. Its just how we use our language. You could argue faults for EVERY single language, so your probably just not competent enough in Java.

    • @coolnormalandwelladjusted
      @coolnormalandwelladjusted 4 місяці тому +10

      @@Wyvernxx_🤓

    • @Wyvernxx_
      @Wyvernxx_ 4 місяці тому +3

      @@coolnormalandwelladjusted Average kid on youtube:

    • @coolnormalandwelladjusted
      @coolnormalandwelladjusted 4 місяці тому +7

      @@Wyvernxx_ well considering my UA-cam account is 12 years old it would be strange if I were a child.

    • @TheColonThree
      @TheColonThree 4 місяці тому +1

      ​@@coolnormalandwelladjustedThere are full grown adults that act like 9 year olds. Just sayin' 😉

  • @tman-bf3ry
    @tman-bf3ry 4 місяці тому +5

    ratting is a big problem in the minecraft community, especially in hypixel skyblock being that the currency in the game has some value to real life money. looks like all its trying to steal is discord tokens and minecraft tokens via the lunar, feather, and pizza client.

  • @hydos0694
    @hydos0694 4 місяці тому +8

    Hey man, JD-Gui is a pretty out of date decompiler. You should look into using a decompiler such as fern flower or vine flower (a fork of fern flower) instead which can (sometimes) be faster and provide more accurate and readable code

    • @walksanator
      @walksanator 4 місяці тому

      Recaf has both

    • @slonkazoid
      @slonkazoid 4 місяці тому

      ​@@walksanator yeah i was going to mention Recaf 4.X
      it has procyon, fernflower, and cfr. i dont remember if it has vineflower though. in any case you can run the decompiler standalone as Recaf is just a UI for it

  • @Hypo2011
    @Hypo2011 4 місяці тому +17

    I was thinking about how he came across the infected repository. And I think the main getaway for me here, is, whenever I have a public repository, check the forks that might be created from it. Maybe someone was stupid enough to just fork the repository, add his infected code, and a simple diff between the original and the fork might already show interesting things.
    Smart attacker would obviously not simply fork the repository. But not all attackers are smart.

    • @AnEnderNon
      @AnEnderNon 4 місяці тому

      he was likely a victim of a scam attempt, there are bots in-game that dm you and try to make you download these mods

  • @jezevcik_
    @jezevcik_ 4 місяці тому +4

    You can't generally use decompilers and expect a 100% working output, especially considering that jd-gui is pretty outdated. When you run javac, the java code gets compiled to bytecode, which is then executed by the jvm, and the d-compiler's job is to translate that bytecode back to java code, which is impossible to do perfectly, and the result of that is, for example, it trying to declare a Cipher object as a short and other errors. You might also want to consider using more modern decompilers such as CFR or Krakatau.

  • @jezevcik_
    @jezevcik_ 4 місяці тому +11

    The pizza client part is injecting into a different mod ( - pizzaclient). which actually has a feature that protects the user's account, and the stealer basically disables it.

  • @Sollace
    @Sollace 4 місяці тому +5

    17:57 This is likely a decompilation error. I don't know why you're not using a proper IDE for this. Would probably chop about 15 minutes off the video length.

  • @lorenzo42p
    @lorenzo42p 4 місяці тому +2

    private main function, best way to protect a program is to make it not runnable

  • @AACraft555
    @AACraft555 4 місяці тому +6

    finally another malware deobfuscation video, they are so interesting

  • @jezevcik_
    @jezevcik_ 4 місяці тому +13

    java-deobfuacator is actually meant for deobfuscating specific obfuscator programs, such as zkm, smoke, etc. and only features transformers for those, and not generic "homemade" obfuscators such as the one used to obfuscate this malware. Especially seeing as the obfuscation this used is fairly basic, seems like it's just string encoder, renamer and some basic flow obfuscation. It's also quite outdated and doesn't really have transformers for more modern obfuscators.

    • @superblaubeere27
      @superblaubeere27 3 місяці тому

      Hey there, I made the obfuscator like 6 years ago (you can find it on my GitHub). You said that there are more modern obfuscation techniques which I find interesting. What has changed in those years? What is SOTA Java obfuscation nowadays?

    • @havesta
      @havesta 3 місяці тому

      the obfuscator used here is nothing „homemade“. it look’s definitely like superblaubeere27‘s obfuscator…. which, well is supported fully in either narumi‘s deobfuscator or the java-deobfuscator shown here.

    • @superblaubeere27
      @superblaubeere27 3 місяці тому

      @@havesta can confirm, it is mine

  • @shadowplay56
    @shadowplay56 4 місяці тому +50

    I was once setting up my laptop to host a Minecraft server and I kid you not, it took 3 DAMN HOURS to get the correct version of java and their JDK's, JDE's. I was on like 10 Different websites. java is just so difficult to deal with so I can understand your struggle with javaFX and such stuff.

    • @Padgriffin
      @Padgriffin 4 місяці тому

      It’s become a whole lot easier with Temurin, which is a distribution of OpenJDK. Just select the version of Java (either 8, 17 or 21) on their site, and you can get the JDK and JRE set up in like 5 minutes without going through Oracle’s nightmare UX

    • @chri-k
      @chri-k 4 місяці тому +12

      Java is horrible in that regard. And when what you downloaded doesn't work you question whether it's Java being Java or you executed ran something you shouldn't have, since the official websites look like malware

    • @shadowplay56
      @shadowplay56 4 місяці тому +1

      I had to download an old version of the JDK and I had to make an account at Oracle to download that shit, I kept getting stuck at a paywall and I though "Crap do i have to pay for the older versions?" Then luckily after a few hours and downloading more versions I finally managed the server to boot up.

    • @tuckertechnolord6126
      @tuckertechnolord6126 4 місяці тому +5

      Termium is the easy way, for anyone learning about this from this reply(0 people lol)

    • @CoalOres
      @CoalOres 4 місяці тому

      Yeah, the pros just give up and bundle their own JRE with the code in a larger .exe file nowadays, that's what they did with the Minecraft client eventually.

  • @TheCommunistRabbit
    @TheCommunistRabbit 3 місяці тому

    I love how you completely made a thumbnail in the exact style Minecraft UA-camrs make them

  • @MatinDevs
    @MatinDevs 4 місяці тому +77

    Imagine spending this MUCH time making an info stealer to get people's lunar client accounts

    • @breachbase
      @breachbase 4 місяці тому +3

      creating software takes a lot of time, regardless of if its malicious or not

    • @W0lfCL
      @W0lfCL 4 місяці тому +18

      I mean alt accounts sell very good

    • @lincolnjolley1544
      @lincolnjolley1544 4 місяці тому +2

      it takes like 3 hours to make

    • @sausas8209
      @sausas8209 4 місяці тому

      the payload is pretty crude and rudimental, its a numbers game, get the code out, and so many will try it youll end up with a good collection of accounts. you just obfuscate the payload in one way, either by hand or using AI, then copy paste that into a different methods of obfuscating and encoding, and make sure to include some vanilla minecraft code in the functions you obfuscate. Its actually just collecting a bunch of obfuscation methods and apply them all output to input, you can actually just make a script that will AI generate a basic ass info stealers, then a random sequence of obfuscation functions and pipe it through and there you go.

    • @648
      @648 4 місяці тому +1

      IRL Trading in Skyblock pays good IRL money

  • @ishino_ki
    @ishino_ki 4 місяці тому +8

    OKAY JOHNNY YOU'RE GOING DOWN FOR CALLING JAVA STUPID (in all seriousness, great video, keep it up 😉)

  • @nemesician_
    @nemesician_ 4 місяці тому +22

    "I do know maybe LITTLE bit about malware"
    -John Hammond 2024

  • @ai-spacedestructor
    @ai-spacedestructor 4 місяці тому +9

    i assume that in "qolskyblockmod" the "qol" stands for "Quality of Life" as in useful additions that make it more enjoyable without making gameplay changes to the Skyblock mode that the mod is for.
    some of the odd client names are most likely some obscure minecraft launchers i havent heard of before.
    I do recognize essentials as a legitimate minecraft mod tho where they are probably trying to extract data from since its adding social mechanics like friends list, joining friends etc. like your used to from steam to the game.
    I assume internal those systems store some data an info stealer would be interested in since the user basically already willingly gave those informations out.

    • @ai-spacedestructor
      @ai-spacedestructor 4 місяці тому

      also its not a hot take to say java is stupid lol
      i always keep saying how outdated and ill-suited java is to ruin the game, even back in the day when it was first made by notch it wasnt a great choice.
      i assume it was chosen because it was easy for him to get in to.
      Ideally the game should be entirely rewriten in a modern language and use modern technology to re implement the same things but under Microsoft thats unlikely to happen.
      Most likely they will rather keep suporting an outdated tech then re do the entire work which doesnt make them any money for such a silly thing as long term benefits.

    • @tacticalwaffle2520
      @tacticalwaffle2520 4 місяці тому

      qol in this context is a jokey term for a cheat

    • @XtraKawaii
      @XtraKawaii 4 місяці тому +3

      @@ai-spacedestructor Considering they did that with bedrock edition and people hate it I don't see why they should

    • @ai-spacedestructor
      @ai-spacedestructor 4 місяці тому +1

      @@XtraKawaii the programming language really isnt the problem with bedrock, its one of the few things actually ok about it.

  • @m4rt_
    @m4rt_ 4 місяці тому +1

    actually, minecraft mods, at least modern ones made for forge, fabric, etc contain no game code.
    they get loaded by the mod loader (e.g. forge, or fabric) so they contain some boilerplate to handle loading and unloading, but the rest is just the mod doing it's own thing and doing API calls to the mod loader / game.

  • @gabbieblue
    @gabbieblue 3 місяці тому

    i did not expect a john hammond skyblock crossover but hell yeah

  • @stavratum
    @stavratum 4 місяці тому +1

    this is literally so easy to decompile and u can tell by the libraries its using what it does
    would be more interesting if it was a little bit more compiled like for example minecraft Cristalix launcher or if they actually used obfuscation tool. Some of them produce output that can't even viewed by java decompilers, so u have to work with bytecode

  • @RobbieSpeedyNL
    @RobbieSpeedyNL 3 місяці тому +1

    Pizza client is a "safe" cheat mod which has a thing to prevent session id stealers or malware to launch. it's probably bypassing it

  • @questwalkerko
    @questwalkerko 4 місяці тому +13

    Spent 20 minutes doing nothing, then just uses ChatGPT and ends the video :/
    Would've been more interesting to see some of the obfuscation techniques... I wish I could just access the code myself.

    • @DizzySpark
      @DizzySpark 3 місяці тому +2

      Yeah that was a bust..

  • @dacomputernerd4096
    @dacomputernerd4096 3 місяці тому +1

    The arguments aren't what the main method was missing before you copied the error, it was the fact the method was private. Main method has to be accessible in Java.

  • @dkirby1906
    @dkirby1906 3 місяці тому +1

    minecraft mods has a set of functions you can use to auto deobfuscate mods that you can refer to in documentation. probably somewhere random they call the function for the session id of the minecraft account where they log on and steal all their items on hypixel skyblock.

  • @Purely_Andy
    @Purely_Andy 4 місяці тому +1

    recaf > jd-gui any day of the week

  • @vanillarodent
    @vanillarodent 3 місяці тому

    Needed that sublime select thing at work today thank you

  • @matteociocci4948
    @matteociocci4948 4 місяці тому +2

    Do more minecraft mod deobfuscations in the future please, love your videos

  • @CrypticSoundFX
    @CrypticSoundFX 4 місяці тому +1

    Fire video once again John! I've loved minecraft and malware analysis for a long time now, it's great to see you bridging the gap (since log4j ofc)

  • @updateserver
    @updateserver 4 місяці тому +4

    Is this available in your Repo? I have a reverse engineering env. Would love to dissect this too

  • @adicsbtw
    @adicsbtw 4 місяці тому +5

    am I the only one bothered that he just jumped straight to ChatGPT and assumed the outputs it gave were fine, when the errors were quite clear and simple to fix?
    And also that he removed the variable initialization instead of moving it where it actually makes sense, since the variable "L" was generated by the decomp and wasn't actually valid java

    • @maxave7448
      @maxave7448 3 місяці тому

      I mean, this probably wasnt some major project so it didnt really matter. I think John just wanted to squeeze a little bit of simple content out of this malware and be done with it. I doubt he would want to spend hours debugging for something this unimportant

    • @warpspeedscp
      @warpspeedscp 3 місяці тому

      It was rather painful watching him do the java stuff honestly

  • @noamrozen7891
    @noamrozen7891 3 місяці тому

    Amazing job, always fun to see you deobfuscating stuff, especially java...

  • @shikutoai
    @shikutoai 3 місяці тому

    When you asked "is that a regular expression, the first part of it (the string "dQw4w9WgXcQ") is the UA-cam video ID for Rick Astley's Never Gonna Give You Up. I would recognize that ID anywhere.

  • @Radical9535
    @Radical9535 7 днів тому +1

    Agreed Java is one of the dumbest languages I ever tried to learn.

  • @dan2800
    @dan2800 4 місяці тому +6

    Repeat after me: public static void main(String[] args) {}
    John: private static void Main() {}

  • @Ikxi
    @Ikxi 4 місяці тому

    the mic quality in the sponsor segment damn

  • @norasasleep
    @norasasleep 4 місяці тому +20

    25:13 that start is way worse than just a regex

    • @repomansez
      @repomansez 4 місяці тому

      why?

    • @norasasleep
      @norasasleep 4 місяці тому

      Google it

    • @k1ngjulien_
      @k1ngjulien_ 4 місяці тому +2

      @@repomansez try typing that in as the "watch?=XXXX" on a youtube url :)

    • @repomansez
      @repomansez 4 місяці тому +5

      @@k1ngjulien_ oh. Saw the XcQ though, not doing it.

    • @diablominero
      @diablominero 4 місяці тому

      I love me some Rickroll!

  • @callummcclure2186
    @callummcclure2186 4 місяці тому +63

    Not even Minecrafters are safe from malware....

    • @penewoldahh
      @penewoldahh 4 місяці тому

      they get so much

    • @RemoteAccessGG
      @RemoteAccessGG 4 місяці тому +22

      Minecraft mods load as full programs w/ access to Kernel APIs, they DO NOT run in a sandbox.

    • @Helloworldred
      @Helloworldred 4 місяці тому +2

      bro i coded one of these i was going to sell it but lost motivation coding it

    • @ItIsJan
      @ItIsJan 4 місяці тому +17

      Minecraft (and especially "Hypixel Skyblock") has quite a big problem with these infostealers, since a minecraft mod can read the current instance's session token and therefore just "steal" the account of someone, atleast temporarily (and as someone below mentioned, the mods can access anything on your pc too, they arent in a sandbox)

    • @Helloworldred
      @Helloworldred 4 місяці тому +1

      @@ItIsJan if your rat is advanced enough they can log into your gmail and (temporarily) and then log into your microsoft send a email to your email and change your minecraft accounts email if its as advanced as one of the ones ive made it hides itself in your mod folder and the even worse version ive made loads a rootkit and its like really hard to remove another one a friend of mine made (he actually sells it) uses sorrilus rat

  • @kingofichigo
    @kingofichigo 4 місяці тому

    As someone who dabbles in mod making, the part where you tried to get it to work is sooo relatable lol

  • @OrangeYTT
    @OrangeYTT 4 місяці тому +1

    Finally! Another malware deobfuscation!!

  • @fimdy6530
    @fimdy6530 4 місяці тому +30

    i just pissed on my wall

    • @ancestrall794
      @ancestrall794 4 місяці тому +4

      How did it feel ?

    • @enemyspotted9489
      @enemyspotted9489 4 місяці тому +15

      hell yeah

    • @LeaoMartelo
      @LeaoMartelo 4 місяці тому +5

      Lets fucking goo

    • @maxave7448
      @maxave7448 3 місяці тому +2

      > opens video about malware analysis
      > pisses on wall
      > refuses to elaborate
      > leaves
      fucking chad

  • @agmass
    @agmass 4 місяці тому +2

    25:14 did it- is it printing out the youtube link to rick astley’s never going to give you up?????

  • @agrefile2
    @agrefile2 3 місяці тому

    i did not expect a minecraft skyblock mod on here 😭😭😭😭

  • @vincent.7z
    @vincent.7z 4 місяці тому +29

    some dude said "yea first" 🤢

  • @amolnar7033
    @amolnar7033 2 місяці тому

    In Java boilerplate is not a design flaw but love. Boilerplate == love

  • @Noteclip
    @Noteclip 4 місяці тому +2

    Would there be any repercussion for spamming the C&C server with garage data/fake tokens?

    • @unconsciouslydrunk
      @unconsciouslydrunk 4 місяці тому

      used to do that, saw my request flooding the bots that posts the data into a discord channel (back when u can directly VIEW the contents inside of discord hidden channels with plugins, not sure on this one)

  • @GandhiTheDerg
    @GandhiTheDerg 4 місяці тому +2

    Just using an actual Java IDE would probably make it much much easier LMFAO

  • @mrtbts
    @mrtbts 4 місяці тому +2

    now where does the rickroll link get used

  • @LARLEY_
    @LARLEY_ 4 місяці тому +5

    Pizza client is a hack client

    • @unconsciouslydrunk
      @unconsciouslydrunk 4 місяці тому

      no its a "quality of life" mod that improves minecraft experience (fr)

  • @vlOd_yt
    @vlOd_yt 4 місяці тому

    You might wanna use a better decompiler, such as Fernflower.

  • @lightning_11
    @lightning_11 4 місяці тому

    I love how using any language starts with printing hello world.

  • @mathe0457
    @mathe0457 4 місяці тому

    I dont understand anything about this video, but it was pretty interesting and made me wonder, how many files, games or mods have I downloaded without noticing anything, it is truly unbelievable for me what people can do with coding and how easy it is to infect people computers with malware’s or viruses.

  • @cinderwolf32
    @cinderwolf32 4 місяці тому

    I'll leave another comment when I've watched the video but just a little over a minute in I must say I love SkyHanni and its codebase. I wonder if you will be as impressed with its organization, code quality, and project management as I am.
    Edit: fair enough.

  • @zenniththefolf4888
    @zenniththefolf4888 4 місяці тому

    One of the strings is literally a Rick Roll. (The letters/numbers inside the parenthesis before the RegEx and another after "modifiers")

  • @onkelklaujo
    @onkelklaujo 4 місяці тому

    Basically, these malicious mods for hypixel skybloxk spread around and most of the time these people do it, just to steal ingame items and currency. Insanity

  • @Soccera0
    @Soccera0 3 місяці тому

    Are those shell extensions or is it an ancient GNOME release?

  • @sunillGD
    @sunillGD 3 місяці тому

    theres no way the rickroll url is in the decrypted strings

  • @starnumber12046
    @starnumber12046 4 місяці тому

    Pizza client is a cheat client for skyblock that has session token protection. The malware disables it before doing stuff 25:20

    • @starnumber12046
      @starnumber12046 4 місяці тому

      Also, this mod is skidded from github, I recognize that request format and obfuscation

  • @TheThxgg
    @TheThxgg 4 місяці тому +2

    is it just me or is the snyk link missing from the description?

    • @_JohnHammond
      @_JohnHammond  4 місяці тому +3

      Good catch, thank you, fixed!

  • @N0n4mek1d
    @N0n4mek1d 4 місяці тому

    imagine that a malware that john Deobfuscating have a comment that say john please dont go further

  • @HopliteSecurity
    @HopliteSecurity 4 місяці тому +3

    Amazing video once again 😄👏,

  • @CrittingOut
    @CrittingOut 4 місяці тому

    bruh they really are out here doing anything they can to steal 50 dollars of minecraft items

  • @DizzySpark
    @DizzySpark 3 місяці тому

    .. minecraft modders have weird ads these days

  • @lightning_11
    @lightning_11 4 місяці тому

    Of course it's a Skyblock mod. That doesn't surprise me _at all._

  • @Zweronz
    @Zweronz 4 місяці тому

    why am I not surprised it’s a skyblock mod

  • @じゅげむ-s6b
    @じゅげむ-s6b 4 місяці тому +2

    25:14 nah that's rickroll lmfao

  • @NAF_VR
    @NAF_VR 4 місяці тому

    25:15 I know a rickroll when I see one

  • @gabbieblue
    @gabbieblue 3 місяці тому

    25:14 that is the url slug for Never Gonna Give You Up

  • @mathgeniuszach
    @mathgeniuszach 4 місяці тому

    Say it with me now, public static void main string brackets args.

  • @gameskiller9227
    @gameskiller9227 4 місяці тому +2

    i have it downloaded what do i do?

    • @Looki2000
      @Looki2000 4 місяці тому

      change your passwords to everything it steals

    • @309electronics5
      @309electronics5 4 місяці тому

      Change all passwords and get rid of it. If lucky you have preserved most of your data

  • @JosephH
    @JosephH 4 місяці тому

    I love these videos, please make more.

  • @mosurikutenpi
    @mosurikutenpi 4 місяці тому

    Aw hell nah bro everytime i check in with Minecraft this shi happens

  • @hedaedits
    @hedaedits 3 місяці тому +1

    Free ma boi dreamys

  • @0xddcce1
    @0xddcce1 4 місяці тому

    I don't think that's encryption, it's just encoding it

  • @AEStolfo
    @AEStolfo 4 місяці тому +1

    RECAF >> JD-GUI

    • @GatoCoder
      @GatoCoder 4 місяці тому

      He doesn't know shit about Java malware analysis, don't expect him to do research lmfao

    • @AEStolfo
      @AEStolfo 4 місяці тому

      @@GatoCoder True, true..

  • @LiEnby
    @LiEnby 4 місяці тому

    why is the youtube video ID for the rickroll video in there

    • @GatoCoder
      @GatoCoder 4 місяці тому

      That is discord token decryption. Discord thought it would be a funny joke to encrypt tokens with the video id being the visible part. Really, it didn't do jackshit. The part of the code likely looks for the regex pertaining to the token and then decrypts with the os crypt key.

  • @prolib9046
    @prolib9046 4 місяці тому

    "pizzaclient" is another mod that is paid to use and the malware is getting the token for using that mod

  • @Tomagegames
    @Tomagegames 4 місяці тому

    For some accounts on a kids game is wild 💀

  • @silasclausen8297
    @silasclausen8297 4 місяці тому

    Not surprised. Give it up to the no lifers of hypixel Skyblock hackers

  • @AgentM124
    @AgentM124 4 місяці тому +1

    Wild, there's even a rick roll in there. dQw

  • @muddkipp_1
    @muddkipp_1 4 місяці тому

    it has been a problem for years

  • @vwinter
    @vwinter 4 місяці тому

    i would recomand recaf for this

  • @DePhoegonIsle
    @DePhoegonIsle 4 місяці тому +14

    XD
    1. It's really funny that someone who clearly doesn't take the time calls Java stupid.
    2. Lunar Is a Modded MC client with it's own suite of stuff. (which also makes this a threat to that modded client.
    3. It actively unloads itself on world loading for the player (Single Player/MP)
    4. Forge mod loader (which this mod is for) allows for some final variable abuse.
    5. as for JDK, you are good getting the latest long-term release one, as it supports backwards sets.
    6. The reason 'DECRYPT_MODE' failed for you, was because you failed to include the `` private static final int DECRYPT_MODE `` which was set to Cipher.DECRYPT_MODE;
    -- This is just an example of chat GPT being dumb with variable names, which caught you off gaurd.
    7. It Targets MS accounts, Lunar Accounts (Modded game client), Discord accounts, Feather (MC modded accounts thing), Pizzaclient which is a supposed account protection scheme
    I have to put it this way.. for someone seriously promoting Synk, the way you talk about java... makes me geniunely question synks usefulness entirely, if you who does this kind of cyper ops on the regular... can't even take the time to understand the basic premises of java, without resorting to insulting it.. because you failed to understand the prerequisites.
    I'll admit that Forge&Fabric Modded minecraft do some 'funnybusiness' with java, and preform things normal java doesn't allow (such as messing with final variables in some actions, and delaying when they are 'assigned', so that you can assign a final in one class then give it data later down the line (which works assuming you actually assigned some data before calling it, which was done here)
    the amount of modded clients & cheat mods for the major servers is just nutty as hell.

    • @GatoCoder
      @GatoCoder 4 місяці тому +4

      This guy knows nothing about Java or anything related to java reverse engineering. Dunning kruger effect in action.

  • @atorik1076
    @atorik1076 4 місяці тому +1

    Lol, I never expected mc on this channel ngl

  • @jfb-
    @jfb- 4 місяці тому

    why is the rickroll video id in there lol

  • @ayothatswack1290
    @ayothatswack1290 3 місяці тому

    Looks like he was probably stealing Skyblock info and pulling accounts

  • @whateverppl1229
    @whateverppl1229 4 місяці тому

    I took a look a little bit at skyhanni and it had weird shit going on so i never used the mod. a few things I remember is it tried to talk to discord. (malware in modpacks do that because they send the session id to their discord so they can log into ur acc and steal all your items)

    • @whateverppl1229
      @whateverppl1229 4 місяці тому +2

      of course I think i had the actual mod and didnt like it was talking to discord

    • @hannibal02
      @hannibal02 4 місяці тому +3

      Mods talk to discord using Rich Presence (local Discord API) to dynamically change the “actively playing” information in your discord profile.
      Anything else that looked weird to you? I'll try my best to explain it!

  • @januzi2
    @januzi2 4 місяці тому +2

    I like the modid.

    • @bwildeman99
      @bwildeman99 4 місяці тому +1

      not the only one who saw that lmfao

  • @Lhynixs12333
    @Lhynixs12333 4 місяці тому

    Lol i felt like u do stuff w/ minecraft!

  • @coffeeRequired
    @coffeeRequired 4 місяці тому

    Whats wrong with quality

  • @Clientastisch
    @Clientastisch 4 місяці тому

    Yeah... obfuscation is nice - but what to do if the code int't... there? :D

  • @Shalmaneser1
    @Shalmaneser1 4 місяці тому

    I need to find someone of your caliber to in Debian Linux. (I'm migrating back to Linux after a 20-year hiatus. )

  • @Scott769
    @Scott769 4 місяці тому

    Is it good to have venom rats on my computer I'm the one who downloaded it but nothing bad has happened to my computer? I know it's access Trojan I just want to know from a professional I downloaded the file off the dark web

    • @ballsack7692
      @ballsack7692 4 місяці тому

      no, use a virtual machine to test malware instead.

  • @AUATUWVSH
    @AUATUWVSH 4 місяці тому

    >iLiLiilL
    yep, its 100% superblaubeere27obfuscator-1.9.3

    • @v-y
      @v-y 4 місяці тому

      The real giveaway is the string encryption tbh, those IlIl strings were everywhere back in the day

    • @superblaubeere27
      @superblaubeere27 3 місяці тому

      I wasn't expecting to see my ancient project in one of Johns videos, but I am happy with it haha

    • @dinoBLM
      @dinoBLM 3 місяці тому

      @@superblaubeere27 used to watch your coding videos when I was learning about making my own client, its crazy to see you here. your work was great!

  • @psyGamer21
    @psyGamer21 4 місяці тому +15

    Appreciate the rickroll youtube id just also being there lmao

    • @luhuhu416
      @luhuhu416 4 місяці тому

      that is how discord stores your token

    • @AEStolfo
      @AEStolfo 4 місяці тому +1

      discord do be funi