He Sent Me Minecraft Malware (Java Deobfuscation)

  • Published 27 Dec 2024

COMMENTS • 293

  • @Toadstar0 5 months ago +555

    Hey! Hypixel Skyblock YouTuber here,
    Thanks for looking at this! The Hypixel community has been overwhelmed with fake mods, and session stealers for years.
    I’m glad more people are looking at this, and helping to spread awareness about fake mods, and the dangers of them.
    Love seeing stuff like this. Thanks for the fun watch!

    • @_Material_ 5 months ago +8

      W toadstar

    • @hinakagiyama_ 5 months ago +1

      skiblox

    • @evo2611 5 months ago +2

      Love your Ironman series Toad, love to see content creators on technical videos like this

    • @seandashine 5 months ago

      W 🔥❤️🔥

    • @HuntingKingYT 5 months ago +1

      Skyblock mentioned
      Hi toad btw

  • @davidarthurcole 5 months ago +310

    Hey John! Thanks so much for looking at this sample I sent. Interesting to see how you did things differently and the same as I did in my initial analysis.

    • @_JohnHammond 5 months ago +65

      Thanks so much David!! Super sorry I didn't get back to your email but huge thanks for sending it along and letting me share in a video :) I'd love to hear what you did in your process!

    • @Janibal257 5 months ago +7

      I'm interested now, what's your ign (I guess you are playing skyblock)

  • @uxiii9537 5 months ago +229

    As a player of hypixel skyblock, RATs are really common. You can find multiple in a week depending on what you do.

    • @Capiosus 5 months ago +16

      It's due to the fact that the game is an MMO, so the in-game items can be given real-life value.

    • @alefnull 5 months ago +11

      came to say this. wild to see two of my worlds colliding like this - John Hammond investigating a RAT in the form of one of the primary mods i use myself.

    • @vencedor1774 5 months ago +1

      @@alefnull lmao same

    • @frostiefops 5 months ago +3

      as soon as I saw "Minecraft Malware" in the title I immediately knew it was about hypixel skyblock lmao

    • @HuntingKingYT 5 months ago +3

      @@frostiefops then "1.8.9" I was like *real*

  • @Deftera 5 months ago +170

    25:14 I've been rick rolled too much by now to recognize this regex.

  • @ffakkee 5 months ago +59

    Thought it was worth pointing out that Recaf is a good tool for those who decompile, deobfuscate, and reverse engineer java/minecraft mods. It allows you to rename variables, edit bytecode, and run methods with dummy inputs without ever even unzipping the jar

    • @mattcoley 5 months ago +12

      And to pay attention to the 4.X snapshots as that's what we're working on right now.

    • @ffakkee 5 months ago

      @@mattcoley Woah, I didn't expect to find the developer here lol. I tried out 4.x a couple of days ago and while it was a smoother, more bug-free experience, I've gotten used to the 2.x workflow where you can pretty much right click anything to go to the definition or search references. I see it has come a long way, but I think I'll stay on 2.x until there is an official 4.x release available

    • @kneesnap1041 5 months ago +2

      @@mattcoley we don't talk much but recaf is seriously an awesome tool. I use it way more than I expected to

    • @havesta 4 months ago

      @@mattcoley oc im finding you here 😂

  • @rudigerheissich9800 5 months ago +75

    best part was the indirect java roast (but loved the other two minutes as well)

  • @DChad-p6t 5 months ago +49

    25:21 Pizza Client is another minecraft mod for hypixel skyblock. It comes built in with a feature to protect against session id stealing which is when another mod like the one showcased steals the session id used to log into the users minecraft account. This string is there to find that part of the mod and presumably disable the feature in order to not get detected.

    • @komos63 5 months ago +3

      Isn't pizza client another cheat mod which the dev turned into malware?

    • @Mcneds 5 months ago +13

      Yeah, it's basically impossible to find a version of pizza without a rat @komos63

    • @AnEnderNon 5 months ago +2

      @@komos63 nope, it's not malware, only the versions that random ppl send to u are

    • @Mcneds 4 months ago

      @@AnEnderNon that's exactly what someone who hid a rat in one would say🤔🐀

    • @AnEnderNon 4 months ago

      @@Mcneds I wish I made pizza client but I'm not good enough XD, anyway pizza client sells a supporter subscription for some features, it would be dumb to rat in such a mod, don't you think

  • @sojiro288 5 months ago +219

    "Java is just stupid and annoying." -John as well as every Java dev.

    • @Wyvernxx_ 5 months ago +4

      Actually, no. At least not every competent Java dev. It's just how we use our language. You could argue faults for EVERY single language, so you're probably just not competent enough in Java.

    • @coolnormalandwelladjusted 5 months ago +10

      @@Wyvernxx_🤓

    • @Wyvernxx_ 5 months ago +3

      @@coolnormalandwelladjusted Average kid on youtube:

    • @coolnormalandwelladjusted 5 months ago +7

      @@Wyvernxx_ well, considering my YouTube account is 12 years old it would be strange if I were a child.

    • @TheColonThree 5 months ago +1

      @@coolnormalandwelladjusted There are full grown adults that act like 9 year olds. Just sayin' 😉

  • @MatinDevs 5 months ago +77

    Imagine spending this MUCH time making an info stealer to get people's lunar client accounts

    • @breachbase 5 months ago +3

      creating software takes a lot of time, regardless of whether it's malicious or not

    • @W0lfCL 5 months ago +18

      I mean alt accounts sell very good

    • @lincolnjolley1544 5 months ago +2

      it takes like 3 hours to make

    • @sausas8209 5 months ago

      the payload is pretty crude and rudimentary, it's a numbers game: get the code out, and so many will try it you'll end up with a good collection of accounts. you just obfuscate the payload in one way, either by hand or using AI, then copy paste that into different methods of obfuscating and encoding, and make sure to include some vanilla minecraft code in the functions you obfuscate. It's actually just collecting a bunch of obfuscation methods and applying them all output to input, you can actually just make a script that will AI-generate a basic ass info stealer, then a random sequence of obfuscation functions and pipe it through and there you go.

    • @648 5 months ago +1

      IRL Trading in Skyblock pays good IRL money

  • @tman-bf3ry 5 months ago +5

    ratting is a big problem in the minecraft community, especially in hypixel skyblock, given that the currency in the game has some value in real-life money. looks like all it's trying to steal is discord tokens and minecraft tokens via the lunar, feather, and pizza client.

  • @hydos0694 5 months ago +8

    Hey man, JD-Gui is a pretty out of date decompiler. You should look into using a decompiler such as fern flower or vine flower (a fork of fern flower) instead which can (sometimes) be faster and provide more accurate and readable code

    • @walksanator 5 months ago

      Recaf has both

    • @slonkazoid 5 months ago

      @@walksanator yeah, I was going to mention Recaf 4.X
      it has procyon, fernflower, and cfr. I don't remember if it has vineflower though. in any case you can run the decompiler standalone as Recaf is just a UI for it

  • @Sollace 5 months ago +5

    17:57 This is likely a decompilation error. I don't know why you're not using a proper IDE for this. Would probably chop about 15 minutes off the video length.

  • @jezevcik_ 5 months ago +13

    java-deobfuscator is actually meant for deobfuscating specific obfuscator programs, such as zkm, smoke, etc. and only features transformers for those, and not generic "homemade" obfuscators such as the one used to obfuscate this malware. Especially seeing as the obfuscation this used is fairly basic, seems like it's just a string encoder, renamer and some basic flow obfuscation. It's also quite outdated and doesn't really have transformers for more modern obfuscators.

    • @superblaubeere27 5 months ago

      Hey there, I made the obfuscator like 6 years ago (you can find it on my GitHub). You said that there are more modern obfuscation techniques which I find interesting. What has changed in those years? What is SOTA Java obfuscation nowadays?

    • @havesta 4 months ago

      the obfuscator used here is nothing "homemade". it looks definitely like superblaubeere27's obfuscator... which, well, is supported fully in either narumi's deobfuscator or the java-deobfuscator shown here.

    • @superblaubeere27 4 months ago

      @@havesta can confirm, it is mine

  • @jezevcik_ 5 months ago +4

    You can't generally use decompilers and expect a 100% working output, especially considering that jd-gui is pretty outdated. When you run javac, the java code gets compiled to bytecode, which is then executed by the jvm, and the decompiler's job is to translate that bytecode back to java code, which is impossible to do perfectly, and the result of that is, for example, it trying to declare a Cipher object as a short and other errors. You might also want to consider using more modern decompilers such as CFR or Krakatau.

  • @shadowplay56 5 months ago +50

    I was once setting up my laptop to host a Minecraft server and I kid you not, it took 3 DAMN HOURS to get the correct version of java and their JDK's, JDE's. I was on like 10 Different websites. java is just so difficult to deal with so I can understand your struggle with javaFX and such stuff.

    • @Padgriffin 5 months ago

      It’s become a whole lot easier with Temurin, which is a distribution of OpenJDK. Just select the version of Java (either 8, 17 or 21) on their site, and you can get the JDK and JRE set up in like 5 minutes without going through Oracle’s nightmare UX

    • @chri-k 5 months ago +12

      Java is horrible in that regard. And when what you downloaded doesn't work you question whether it's Java being Java or you ran something you shouldn't have, since the official websites look like malware

    • @shadowplay56 5 months ago +1

      I had to download an old version of the JDK and I had to make an account at Oracle to download that shit, I kept getting stuck at a paywall and I thought "Crap, do I have to pay for the older versions?" Then luckily, after a few hours and downloading more versions, I finally managed to get the server to boot up.

    • @tuckertechnolord6126 5 months ago +5

      Temurin is the easy way, for anyone learning about this from this reply (0 people lol)

    • @CoalOres 5 months ago

      Yeah, the pros just give up and bundle their own JRE with the code in a larger .exe file nowadays, that's what they did with the Minecraft client eventually.

  • @Hypo2011 5 months ago +17

    I was thinking about how he came across the infected repository. And I think the main takeaway for me here is: whenever I have a public repository, check the forks that might be created from it. Maybe someone was stupid enough to just fork the repository, add his infected code, and a simple diff between the original and the fork might already show interesting things.
    A smart attacker would obviously not simply fork the repository. But not all attackers are smart.

    • @AnEnderNon 5 months ago

      he was likely a victim of a scam attempt, there are bots in-game that dm you and try to make you download these mods

  • @jezevcik_ 5 months ago +12

    The pizza client part is injecting into a different mod ( - pizzaclient). which actually has a feature that protects the user's account, and the stealer basically disables it.

  • @lorenzo42p 5 months ago +2

    private main function, best way to protect a program is to make it not runnable

  • @ai-spacedestructor 5 months ago +9

    I assume that in "qolskyblockmod" the "qol" stands for "Quality of Life", as in useful additions that make it more enjoyable without making gameplay changes to the Skyblock mode that the mod is for.
    some of the odd client names are most likely some obscure minecraft launchers I haven't heard of before.
    I do recognize essentials as a legitimate minecraft mod tho, where they are probably trying to extract data from, since it's adding social mechanics like friends list, joining friends etc. like you're used to from steam to the game.
    I assume internally those systems store some data an info stealer would be interested in, since the user basically already willingly gave that information out.

    • @ai-spacedestructor 5 months ago

      also it's not a hot take to say java is stupid lol
      I always keep saying how outdated and ill-suited java is to run the game, even back in the day when it was first made by notch it wasn't a great choice.
      I assume it was chosen because it was easy for him to get into.
      Ideally the game should be entirely rewritten in a modern language and use modern technology to reimplement the same things, but under Microsoft that's unlikely to happen.
      Most likely they will rather keep supporting an outdated tech than redo the entire work which doesn't make them any money, for such a silly thing as long term benefits.

    • @tacticalwaffle2520 5 months ago

      qol in this context is a jokey term for a cheat

    • @XtraKawaii 5 months ago +3

      @@ai-spacedestructor Considering they did that with bedrock edition and people hate it I don't see why they should

    • @ai-spacedestructor 5 months ago +1

      @@XtraKawaii the programming language really isn't the problem with bedrock, it's one of the few things actually ok about it.

  • @nemesician_ 5 months ago +22

    "I do know maybe LITTLE bit about malware"
    -John Hammond 2024

  • @TheCommunistRabbit 4 months ago

    I love how you completely made a thumbnail in the exact style Minecraft YouTubers make them

  • @callummcclure2186 5 months ago +63

    Not even Minecrafters are safe from malware....

    • @penewoldahh 5 months ago

      they get so much

    • @RemoteAccessGG 5 months ago +22

      Minecraft mods load as full programs w/ access to Kernel APIs, they DO NOT run in a sandbox.

    • @Helloworldred 5 months ago +2

      bro I coded one of these, I was going to sell it but lost motivation coding it

    • @ItIsJan 5 months ago +17

      Minecraft (and especially "Hypixel Skyblock") has quite a big problem with these infostealers, since a minecraft mod can read the current instance's session token and therefore just "steal" the account of someone, at least temporarily (and as someone below mentioned, the mods can access anything on your pc too, they aren't in a sandbox)

    • @Helloworldred 5 months ago +1

      @@ItIsJan if your rat is advanced enough they can log into your gmail (temporarily) and then log into your microsoft, send an email to your email and change your minecraft account's email. if it's as advanced as one of the ones I've made, it hides itself in your mod folder, and the even worse version I've made loads a rootkit and it's like really hard to remove. another one a friend of mine made (he actually sells it) uses sorrilus rat

  • @dacomputernerd4096 4 months ago +1

    The arguments aren't what the main method was missing before you copied the error, it was the fact that the method was private. The main method has to be accessible in Java.

  • @questwalkerko 5 months ago +13

    Spent 20 minutes doing nothing, then just uses ChatGPT and ends the video :/
    Would've been more interesting to see some of the obfuscation techniques... I wish I could just access the code myself.

    • @DizzySpark 4 months ago +2

      Yeah that was a bust..

  • @AACraft555 5 months ago +6

    finally another malware deobfuscation video, they are so interesting

  • @RobbieSpeedyNL 4 months ago +1

    Pizza client is a "safe" cheat mod which has a thing to prevent session id stealers or malware from launching. it's probably bypassing it

  • @adicsbtw 5 months ago +5

    am I the only one bothered that he just jumped straight to ChatGPT and assumed the outputs it gave were fine, when the errors were quite clear and simple to fix?
    And also that he removed the variable initialization instead of moving it where it actually makes sense, since the variable "L" was generated by the decompiler and wasn't actually valid java

    • @maxave7448 4 months ago

      I mean, this probably wasn't some major project so it didn't really matter. I think John just wanted to squeeze a little bit of simple content out of this malware and be done with it. I doubt he would want to spend hours debugging for something this unimportant

    • @warpspeedscp 4 months ago

      It was rather painful watching him do the java stuff honestly

  • @updateserver 5 months ago +4

    Is this available in your Repo? I have a reverse engineering env. Would love to dissect this too

  • @stavratum 5 months ago +1

    this is literally so easy to decompile and u can tell by the libraries it's using what it does
    would be more interesting if it was a little bit more compiled, like for example the minecraft Cristalix launcher, or if they actually used an obfuscation tool. Some of them produce output that can't even be viewed by java decompilers, so u have to work with bytecode

  • @fimdy6530 5 months ago +30

    i just pissed on my wall

    • @ancestrall794 5 months ago +4

      How did it feel ?

    • @enemyspotted9489 5 months ago +15

      hell yeah

    • @LeaoMartelo 5 months ago +5

      Lets fucking goo

    • @maxave7448 4 months ago +2

      > opens video about malware analysis
      > pisses on wall
      > refuses to elaborate
      > leaves
      fucking chad

  • @m4rt_ 5 months ago +1

    actually, minecraft mods, at least modern ones made for forge, fabric, etc., contain no game code.
    they get loaded by the mod loader (e.g. forge, or fabric) so they contain some boilerplate to handle loading and unloading, but the rest is just the mod doing its own thing and making API calls to the mod loader / game.

  • @ishino_ki 5 months ago +8

    OKAY JOHNNY YOU'RE GOING DOWN FOR CALLING JAVA STUPID (in all seriousness, great video, keep it up 😉)

  • @dkirby1906 5 months ago +1

    minecraft mods have a set of functions you can use to auto deobfuscate mods that you can refer to in documentation. probably somewhere random they call the function for the session id of the minecraft account, where they log on and steal all their items on hypixel skyblock.

  • @HopliteSecurity 5 months ago +3

    Amazing video once again 😄👏,

  • @Noteclip 5 months ago +2

    Would there be any repercussion for spamming the C&C server with garbage data/fake tokens?

    • @unconsciouslydrunk 5 months ago

      used to do that, saw my request flooding the bots that posts the data into a discord channel (back when u can directly VIEW the contents inside of discord hidden channels with plugins, not sure on this one)

  • @Radical9535 1 month ago +1

    Agreed Java is one of the dumbest languages I ever tried to learn.

  • @vincent.7z 5 months ago +29

    some dude said "yea first" 🤢

    • @NaraSherko 5 months ago

      "Yea first" 🤢

  • @TheThxgg 5 months ago +2

    is it just me or is the snyk link missing from the description?

    • @_JohnHammond 5 months ago +3

      Good catch, thank you, fixed!

  • @Soccera0 5 months ago

    Are those shell extensions or is it an ancient GNOME release?

  • @mrtbts 5 months ago +2

    now where does the rickroll link get used

  • @CrypticSoundFX 5 months ago +1

    Fire video once again John! I've loved minecraft and malware analysis for a long time now, it's great to see you bridging the gap (since log4j ofc)

  • @GandhiTheDerg 5 months ago +2

    Just using an actual Java IDE would probably make it much much easier LMFAO

  • @matteociocci4948 5 months ago +2

    Do more minecraft mod deobfuscations in the future please, love your videos

  • @gameskiller9227 5 months ago +2

    i have it downloaded what do i do?

    • @Looki2000 5 months ago

      change your passwords to everything it steals

    • @309electronics5 5 months ago

      Change all passwords and get rid of it. If lucky you have preserved most of your data

  • @vanillarodent 5 months ago

    Needed that sublime select thing at work today thank you

  • @gabbieblue 5 months ago

    i did not expect a john hammond skyblock crossover but hell yeah

  • @lightning_11 5 months ago

    I love how using any language starts with printing hello world.

  • @Purely_Andy 5 months ago +1

    recaf > jd-gui any day of the week

  • @Ikxi 5 months ago

    the mic quality in the sponsor segment damn

  • @kingofichigo 5 months ago

    As someone who dabbles in mod making, the part where you tried to get it to work is sooo relatable lol

  • @shikutoai 5 months ago

    When you asked "is that a regular expression?", the first part of it (the string "dQw4w9WgXcQ") is the YouTube video ID for Rick Astley's Never Gonna Give You Up. I would recognize that ID anywhere.

  • @LARLEY_ 5 months ago +5

    Pizza client is a hack client

    • @unconsciouslydrunk 5 months ago

      no, it's a "quality of life" mod that improves the minecraft experience (fr)

  • @agrefile2 4 months ago

    i did not expect a minecraft skyblock mod on here 😭😭😭😭

  • @sunillGD 4 months ago

    there's no way the rickroll url is in the decrypted strings

  • @vlOd_yt 5 months ago

    You might wanna use a better decompiler, such as Fernflower.

  • @dan2800 5 months ago +6

    Repeat after me: public static void main(String[] args) {}
    John: private static void Main() {}

  • @agmass 5 months ago +2

    25:14 did it- is it printing out the youtube link to rick astley’s never going to give you up?????

  • @onkelklaujo 5 months ago

    Basically, these malicious mods for hypixel skyblock spread around and most of the time these people do it just to steal ingame items and currency. Insanity

  • @CrittingOut 5 months ago

    bruh they really are out here doing anything they can to steal 50 dollars of minecraft items

  • @coffeeRequired 5 months ago

    What's wrong with quality

  • @mathe0457 5 months ago

    I don't understand anything about this video, but it was pretty interesting and made me wonder how many files, games or mods I have downloaded without noticing anything; it is truly unbelievable for me what people can do with coding and how easy it is to infect people's computers with malware or viruses.

  • @LiEnby 5 months ago

    why is the youtube video ID for the rickroll video in there

    • @GatoCoder 5 months ago

      That is discord token decryption. Discord thought it would be a funny joke to encrypt tokens with the video id being the visible part. Really, it didn't do jackshit. The part of the code likely looks for the regex pertaining to the token and then decrypts with the os crypt key.

  • @zenniththefolf4888 5 months ago

    One of the strings is literally a Rick Roll. (The letters/numbers inside the parenthesis before the RegEx and another after "modifiers")

  • @OrangeYTT 5 months ago +1

    Finally! Another malware deobfuscation!!

  • @psyGamer21 5 months ago +15

    Appreciate the rickroll youtube id just also being there lmao

    • @luhuhu416 5 months ago

      that is how discord stores your token

    • @AEStolfo 5 months ago +1

      discord do be funi

  • @じゅげむ-s6b 5 months ago +2

    25:14 nah that's rickroll lmfao

  • @NTSA-ox6fg 5 months ago

    I don't get the encrypted strings, what are they for?

    • @Capiosus 5 months ago +4

      hiding the real strings from someone using Ctrl+F and searching for "discord"

    • @NTSA-ox6fg 5 months ago +1

      @@Capiosus Aight, thanks

    • @nothingnothing1799 5 months ago +1

      It's also a really noob-friendly way to make your malware harder to detect

    • @NTSA-ox6fg 5 months ago

      @@nothingnothing1799 ohh true, thank you brothar
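The thread above explains that an obfuscator's string encoding exists to defeat a plain text search of the jar for words like "discord". The script below is an added example written for this page; it is not code from the video, the analysed sample, or any commenter. It parses the constant pool of a Java class file (the table where every `"..."` literal lives), dumps the `CONSTANT_String` literals, and checks them against a list of indicators drawn from names mentioned in this thread. It then does the same for a class whose literal has been encoded. Both class files are constructed inside the script; the single-byte XOR and the key `0x2A` are a stand-in for whatever scheme the real sample used, since the page does not describe it. The point for an analyst is the workflow: dump the literals, try the decoders you have recovered, and only then grep.

```python
import struct

# Constant-pool tags from the JVM class-file specification (JVMS 4.4).
UTF8, LONG, DOUBLE, CLASS, STRING = 1, 5, 6, 7, 8
# Payload size in bytes (after the 1-byte tag) for every non-Utf8 tag.
FIXED_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
               12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

# Indicators taken from names mentioned in the comment thread; matched case-insensitively.
INDICATORS = ("discord", "pizzaclient", "dqw4w9wgxcq", "lunar", "feather")
XOR_KEY = 0x2A  # constructed stand-in key; the real sample's encoding is not described on the page


def parse_constant_pool(data: bytes) -> list:
    """Walk the constant pool and return a 1-indexed list of (tag, payload) entries."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    off, pool, i = 10, [None], 1          # slot 0 is unused in class files
    while i < count:
        tag = data[off]
        off += 1
        if tag == UTF8:
            (length,) = struct.unpack_from(">H", data, off)
            off += 2
            pool.append((tag, data[off:off + length]))
            off += length
        else:
            size = FIXED_SIZES[tag]
            pool.append((tag, data[off:off + size]))
            off += size
        i += 1
        if tag in (LONG, DOUBLE):          # 8-byte constants occupy two pool slots
            pool.append(None)
            i += 1
    return pool


def decode_mutf8(raw: bytes) -> str:
    """Modified UTF-8: NUL is stored as C0 80. Supplementary-plane surrogate pairs are not handled here."""
    return raw.replace(b"\xc0\x80", b"\x00").decode("utf-8", errors="replace")


def string_constants(data: bytes) -> list:
    """Return the literals the source wrote as "..." (CONSTANT_String entries resolved to their Utf8)."""
    pool = parse_constant_pool(data)
    out = []
    for entry in pool:
        if entry and entry[0] == STRING:
            (idx,) = struct.unpack(">H", entry[1])
            out.append(decode_mutf8(pool[idx][1]))
    return out


def xor_str(s: str, key: int) -> str:
    """Single-byte XOR over code points; symmetric, so the same call encodes and decodes."""
    return "".join(chr(ord(c) ^ key) for c in s)


def scan(class_bytes: bytes, decoders=None) -> list:
    """Dump literals, run each decoder over them, and report (decoder, indicator, decoded_text) hits."""
    decoders = {"plain": lambda s: s, **(decoders or {})}
    literals = string_constants(class_bytes)
    hits = []
    for name, fn in decoders.items():
        for lit in literals:
            decoded = fn(lit)
            for ind in INDICATORS:
                if ind in decoded.lower():
                    hits.append((name, ind, decoded))
    return hits


def build_class(class_name: str, literals: list) -> bytes:
    """Assemble a minimal, method-less class file (major 52 = Java 8) carrying the given literals.
    Constructed test input only; nothing from a real mod is embedded."""
    pool, count = bytearray(), 0

    def add(tag: int, payload: bytes) -> int:
        nonlocal count
        pool.extend(bytes([tag]) + payload)
        count += 1
        return count                      # 1-based index of the entry just added

    def utf8(s: str) -> int:
        b = s.encode("utf-8")
        return add(UTF8, struct.pack(">H", len(b)) + b)

    this_cls = add(CLASS, struct.pack(">H", utf8(class_name)))
    super_cls = add(CLASS, struct.pack(">H", utf8("java/lang/Object")))
    for lit in literals:
        add(STRING, struct.pack(">H", utf8(lit)))
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, 52, count + 1)   # constant_pool_count = entries + 1
    tail = struct.pack(">HHHHHHH", 0x0021, this_cls, super_cls, 0, 0, 0, 0)
    return header + bytes(pool) + tail


# Constructed samples: one with a plaintext literal, one with the same literal XOR-encoded.
PLAIN_CLASS = build_class("example/Plain", ["discord", "hello world"])
HIDDEN_CLASS = build_class("example/Hidden", [xor_str("discord", XOR_KEY)])

if __name__ == "__main__":
    print("plain  :", scan(PLAIN_CLASS))                    # hit on the plaintext literal
    print("hidden :", scan(HIDDEN_CLASS))                   # no hit: a Ctrl+F on the jar misses it too
    print("decoded:", scan(HIDDEN_CLASS, {"xor": lambda s: xor_str(s, XOR_KEY)}))
```

On a real jar you would unzip it, feed each `.class` file to `scan`, and register a decoder per string-encryption routine you recover from the decompiled code; the `"plain"` pass alone reproduces what a text search of the archive would find, which for the encoded class is nothing.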

  • @amolnar7033 3 months ago

    In Java boilerplate is not a design flaw but love. Boilerplate == love

  • @noamrozen7891 4 months ago

    Amazing job, always fun to see you deobfuscating stuff, especially java...

  • @N0n4mek1d 5 months ago

    imagine that a malware that John is deobfuscating has a comment that says "john please dont go further"

  • @DizzySpark 4 months ago

    .. minecraft modders have weird ads these days

  • @AgentM124 5 months ago +1

    Wild, there's even a rick roll in there. dQw

  • @starnumber12046 5 months ago

    Pizza client is a cheat client for skyblock that has session token protection. The malware disables it before doing stuff 25:20

    • @starnumber12046 5 months ago

      Also, this mod is skidded from github, I recognize that request format and obfuscation

  • @Scott769 5 months ago

    Is it good to have venom rats on my computer? I'm the one who downloaded it but nothing bad has happened to my computer. I know it's an access Trojan, I just want to know from a professional. I downloaded the file off the dark web

    • @ballsack7692 5 months ago

      no, use a virtual machine to test malware instead.

  • @Zweronz 5 months ago

    why am I not surprised it’s a skyblock mod

  • @NAF_VR 5 months ago

    25:15 I know a rickroll when I see one

  • @gabbieblue 5 months ago

    25:14 that is the url slug for Never Gonna Give You Up

  • @cinderwolf32 5 months ago

    I'll leave another comment when I've watched the video but just a little over a minute in I must say I love SkyHanni and its codebase. I wonder if you will be as impressed with its organization, code quality, and project management as I am.
    Edit: fair enough.

  • @mathgeniuszach 5 months ago

    Say it with me now, public static void main string brackets args.

  • @0xddcce1 5 months ago

    I don't think that's encryption, it's just encoding it

  • @prolib9046 5 months ago

    "pizzaclient" is another mod that is paid to use and the malware is getting the token for using that mod

  • @JosephH 5 months ago

    I love these videos, please make more.

  • @silasclausen8297 5 months ago

    Not surprised. Give it up to the no lifers of hypixel Skyblock hackers

  • @main7737 5 months ago

    I mean, how can Java be readable

  • @Tomagegames 5 months ago

    For some accounts on a kids game is wild 💀

  • @Clientastisch 5 months ago

    Yeah... obfuscation is nice - but what to do if the code isn't... there? :D

  • @lightning_11 5 months ago

    Of course it's a Skyblock mod. That doesn't surprise me _at all._

  • @FlandersKen 5 months ago

    it has been a problem for years

  • @whateverppl1229 5 months ago

    I took a look a little bit at skyhanni and it had weird shit going on so I never used the mod. a few things I remember is it tried to talk to discord. (malware in modpacks does that because they send the session id to their discord so they can log into ur acc and steal all your items)

    • @whateverppl1229 5 months ago +2

      of course I think I had the actual mod and didn't like that it was talking to discord

    • @hannibal02 5 months ago +3

      Mods talk to discord using Rich Presence (local Discord API) to dynamically change the “actively playing” information in your discord profile.
      Anything else that looked weird to you? I'll try my best to explain it!

  • @atorik1076 5 months ago +1

    Lol, I never expected mc on this channel ngl

  • @ayothatswack1290 4 months ago

    Looks like he was probably stealing Skyblock info and pulling accounts

  • @Capiosus 5 months ago

    minecraft 1.8.9 (the version that this mod runs on) runs java 8, not the latest java

  • @Shalmaneser1 5 months ago

    I need to find someone of your caliber to in Debian Linux. (I'm migrating back to Linux after a 20-year hiatus. )

  • @rytisgluoksnys4505 4 months ago

    More than half of the video is just him not downloading an actual IDE in 5 mins and having the code checked for compilation errors, and instead unsuccessfully using a text editor. Just download an IDE. And yes, java is annoying and stupid when you are being stupid and not using the correct tools.

  • @AEStolfo 5 months ago +1

    RECAF >> JD-GUI

    • @GatoCoder 5 months ago

      He doesn't know shit about Java malware analysis, don't expect him to do research lmfao

    • @AEStolfo 5 months ago

      @@GatoCoder True, true..

  • @mosurikutenpi 5 months ago

    Aw hell nah bro everytime i check in with Minecraft this shi happens

  • @DePhoegonIsle 5 months ago +14

    XD
    1. It's really funny that someone who clearly doesn't take the time calls Java stupid.
    2. Lunar is a modded MC client with its own suite of stuff (which also makes this a threat to that modded client).
    3. It actively unloads itself on world loading for the player (Single Player/MP)
    4. Forge mod loader (which this mod is for) allows for some final variable abuse.
    5. As for the JDK, you are good getting the latest long-term release, as it supports backwards sets.
    6. The reason 'DECRYPT_MODE' failed for you was because you failed to include the `` private static final int DECRYPT_MODE `` which was set to Cipher.DECRYPT_MODE;
    -- This is just an example of ChatGPT being dumb with variable names, which caught you off guard.
    7. It targets MS accounts, Lunar accounts (modded game client), Discord accounts, Feather (MC modded accounts thing), Pizzaclient which is a supposed account protection scheme
    I have to put it this way.. for someone seriously promoting Snyk, the way you talk about java... makes me genuinely question Snyk's usefulness entirely, if you, who does this kind of cyber ops on the regular... can't even take the time to understand the basic premises of java, without resorting to insulting it.. because you failed to understand the prerequisites.
    I'll admit that Forge & Fabric modded minecraft do some 'funny business' with java, and perform things normal java doesn't allow (such as messing with final variables in some actions, and delaying when they are 'assigned', so that you can assign a final in one class then give it data later down the line (which works assuming you actually assigned some data before calling it, which was done here))
    the amount of modded clients & cheat mods for the major servers is just nutty as hell.

    • @GatoCoder 5 months ago +4

      This guy knows nothing about Java or anything related to java reverse engineering. Dunning-Kruger effect in action.

  • @the_terraria_guy9010 5 months ago

    no way hypixel skyblock

  • @Augofficial1 5 months ago +1

    is java good for malware dev

    • @RemoteAccessGG 5 months ago +6

      I recommend Lua or Rust. You need to be able to run your “software” even if the “customer” doesn’t have Java installed.

    • @GatoCoder 5 months ago

      Depends on who you are targeting, I guess.

    • @Capiosus 5 months ago

      no, unless minecraft; obfuscation is minimal and everything "decompiles" back to java source code.
      using a language that compiles to binaries works much better

  • @juulmc 4 months ago +1

    Free ma boi dreamys