Tool Unity Ren'Py Renpy + Unity Malware Scanner

Uncle Eugene

Active Member
Modder
Jun 6, 2020
505
4,223
Unity + Renpy Malware Scanner


Requirements:
  • Only for Windows
  • Supports Renpy and Unity.Mono games (a Unity game has a "Managed" folder inside the %Game%_Data folder)
  • Requires internet connection (To download reference assemblies)
How to Use:
  • Place AntiMalware.exe in the game directory and run it; a console window will open with all the info
How it Works:
  • The approach differs a little for Renpy and Unity, but generally it downloads clean engine files from a trusted (read: official) source and checks the game's engine files against them. Then it checks the other files that are not part of the engine to see if there's anything suspicious
Is it a False Positive?
  • Please do not spam in the game's thread if the scanner triggered
  • Look at what it says in the console and use tools and your brain to check it manually. Or post the link to the game in this thread.
  • For Unity use to see what's inside the assembly that triggered the scanner
  • For Renpy use for .pyc decompilation, UnRen for .rpyc and .rpa. For other files use Google


Safety Proof:
You can check the source code of this .exe yourself; it's .NET IL. I decided not to obfuscate or hide anything, hoping that this tool won't be used widely enough to get the attention of malware developers

Warning
  • The scanner is good enough now, but still has a lot of loopholes, so don't rely on it as your only security option
  • The Renpy scanner right now is basically a diff checker against a clean engine; it does not scan the "game" folder nor the code itself, this is still in development
Some obscure antiviruses on VirusTotal don't like this program, so it will be marked as [VIRUS] on F95; I'm sorry that you have to pass the captcha...
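The reference-diff approach described in the first post, as an added example in Python that is not the scanner's own code: it builds a manifest of SHA-256 hashes from a trusted copy of the engine (the real tool downloads that copy; here both trees are constructed in a temporary directory so the script runs offline), compares the game's copy against it, and separates files outside the engine by whether they carry code. The extension list, the bucket names and the verdict rule are assumptions for this example.

```python
"""Reference-diff scan of a game directory against clean engine files.

Added example, not the scanner's own code. Both the 'clean' engine tree and
the game tree are constructed in a temp dir (assumption) so it runs offline.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Extensions that carry executable code; a file with one of these outside the
# known-good engine set deserves a manual look (assumption: triage heuristic).
CODE_EXTENSIONS = {".dll", ".exe", ".pyd", ".so", ".pyc", ".pyo"}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large engine binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map relative path (with '/' separators) -> sha256 for every file under root."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def diff_against_reference(game_root: Path, reference: dict[str, str]) -> dict[str, list[str]]:
    """Compare a game tree against a manifest of clean engine files.

    Buckets:
      modified     - engine file present but its hash differs from the clean copy
      missing      - engine file absent from the game
      unknown_code - non-engine file with a code-carrying extension
      other        - non-engine file (assets, scripts, data); listed, not flagged
    """
    game = build_manifest(game_root)
    report: dict[str, list[str]] = {"modified": [], "missing": [], "unknown_code": [], "other": []}
    for rel, clean_hash in reference.items():
        if rel not in game:
            report["missing"].append(rel)
        elif game[rel] != clean_hash:
            report["modified"].append(rel)
    for rel in game:
        if rel in reference:
            continue
        bucket = "unknown_code" if Path(rel).suffix.lower() in CODE_EXTENSIONS else "other"
        report[bucket].append(rel)
    for bucket_list in report.values():
        bucket_list.sort()
    return report


def verdict(report: dict[str, list[str]]) -> str:
    """Lean towards false positives: any tampered engine file or unknown code is an alert."""
    return "ALERT" if report["modified"] or report["unknown_code"] else "CLEAN"


def demo() -> dict[str, list[str]]:
    """Constructed sample: a clean engine tree and a game tree with one tampered
    engine file, one extra code-carrying file and one ordinary script."""
    with tempfile.TemporaryDirectory() as tmp:
        clean_root = Path(tmp) / "clean"
        game_root = Path(tmp) / "game_copy"
        for root in (clean_root, game_root):
            (root / "lib").mkdir(parents=True)
            (root / "lib" / "python27.dll").write_bytes(b"engine-dll-v1")      # constructed
            (root / "lib" / "pythonw.exe").write_bytes(b"engine-exe-v1")       # constructed
        # The game's copy of one engine file has been altered
        (game_root / "lib" / "python27.dll").write_bytes(b"engine-dll-v1-with-patch")
        (game_root / "game").mkdir()
        (game_root / "game" / "script.rpy").write_text("label start:\n    return\n")
        (game_root / "game" / "helper.pyd").write_bytes(b"not-part-of-engine")  # constructed
        reference = build_manifest(clean_root)
        return diff_against_reference(game_root, reference)


if __name__ == "__main__":
    result = demo()
    for bucket, files in result.items():
        print(f"{bucket}: {files}")
    print("verdict:", verdict(result))
```

The trust boundary is the reference manifest: if it is fetched over the network, the fetch itself must be authenticated (TLS to the official host at minimum), otherwise a tampered reference makes a tampered engine look clean.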

V1ncvega

Newbie
Sep 6, 2022
25
52
Hi! I grabbed Third Crisis for testing - tried the Win and Win (GoG) versions from the thread, and also downloaded and installed the game separately using the official GOG installer. Checked all three - same result.
What do you think? How can I, as a regular user, tell if it’s a false positive or an actual detection?

Uncle Eugene

Active Member
Modder
Jun 6, 2020
505
4,223
What do you think? How can I, as a regular user, tell if it’s a false positive or an actual detection?
I remember this game. You're raising a good question. Thanks for the tests!
Probably it's up to me to develop better false positive detection by looking at more legitimate usage cases.
When I first thought about methods to detect suspicious functions in porn games, I didn't think that so many games use System.Diagnostics.Process for some reason...
Didn't think about any real use cases, to be honest.

Would be nice to see more testing feedback, but for now I assume some devs like to use it to open Windows Explorer to show the save file location.
Should be possible to make an exception for that case

Uncle Eugene

Active Member
Modder
Jun 6, 2020
505
4,223
Updated the scanner; it is now not that strict

-Improved false positive detection for some cases such as in Monster Girl Hunt and Third Crisis
-Disabled patcher since it didn't work properly
-Added final result message with verdict and description
-Added even more vulnerabilities to bypass detection, but also improved malicious code detection to stay balanced

Third Crisis still raises an alert because of its modding feature. If you know at least something about code, you may figure out that it is a false positive by yourself by looking at the console output now

Griinch

Stealing your Christmas for no reason
Uploader
Jul 20, 2021
611
6,771
Under Control still has malware according to your tool, but the exe shows completely clean on VirusTotal

Uncle Eugene

Active Member
Modder
Jun 6, 2020
505
4,223
Under Control still has malware according to your tool, but the exe shows completely clean on VirusTotal
I've made a note in the test results table: it has an obfuscator that uses exactly the same functions malware does, so it's impossible to verify whether it's legit or malicious. You can decompile the game's code via dnSpy/ILSpy and look for yourself.
However, I'm pretty sure the game does not contain viruses.
You can also drop the obfuscated file into VirusTotal; I think it will trigger a few AVs.

The file in question is Assembly-CSharp.dll

The idea behind the scanner was to check as much as I can and look for any suspicious code in the game.
My logic was that there are functions, methods and DLLs, including low-level ones, that no porn game developer should ever need to touch to make such a game.
Turned out devs do like to use some of them for various reasons from time to time:

Under Control: for hard obfuscation
Third Crisis: for a modding tool (allowing people to load their own DLLs)
Lots of games: to open the save file location in Explorer

I've made a check to test if the game uses a dangerous function just to open Explorer.
So now only games with very suspicious code that needs attention and a manual check are triggering false positives.
And if the scanner says a game is clean, then there's a very high chance it's clean, since I leaned towards more false positives and fewer false negatives because I'm sure it's better to stay safe than ignore red flags

Even more info: the scanner does not check the .exe file in any way; it scans the DLLs of the game with the actual code that will be executed, which VirusTotal won't see while scanning the .exe
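How a scan of Assembly-CSharp.dll can separate "risky API referenced" from "risky API referenced, but probably just opening the save folder", as an added example in Python that is not the scanner's code. It rests on one property of .NET assemblies: type and member names live in the metadata #Strings heap as UTF-8, while C# string literals live in the #US heap as UTF-16LE, so searching a DLL's bytes in both encodings finds such references without an IL parser. The indicator tokens, the benign-hint list and the sample blobs are assumptions constructed for this example; a real check should resolve the TypeRef/MemberRef tables rather than trust substrings, since Start is also the name of Unity's MonoBehaviour method.

```python
"""Indicator scan over a Unity Mono assembly's raw bytes.

Added example, not the scanner's logic. Names in .NET metadata are UTF-8,
string literals are UTF-16LE, so every needle is searched in both encodings.
Indicator lists and the 'plausibly benign' rule are assumptions.
"""

# Groups of tokens that together suggest a risky capability. All tokens of a
# group must be present for it to count (assumption: triage heuristic, not proof).
RISKY = {
    "process_start": [b"System.Diagnostics", b"Process", b"Start"],
    "native_import": [b"DllImport", b"kernel32"],
    "dynamic_load": [b"System.Reflection", b"Assembly", b"Load"],
}

# Tokens that make Process usage plausibly benign, e.g. opening the save folder
# in Explorer via Application.persistentDataPath (assumption).
BENIGN_HINTS = [b"persistentDataPath", b"explorer", b"OpenURL"]


def contains(blob: bytes, needle: bytes) -> bool:
    """True if needle occurs as UTF-8 (metadata name) or UTF-16LE (string literal)."""
    return needle in blob or needle.decode("ascii").encode("utf-16-le") in blob


def scan_assembly(blob: bytes) -> dict:
    """Return found indicator groups, benign hints and a three-level verdict.

    clean      - no indicator group fully present
    warning    - only Process.Start-style usage, and a benign reason is plausible;
                 reported rather than hidden so the user can take a manual look
    suspicious - anything else (native imports, dynamic loading, or Process
                 usage with no benign hint)
    """
    found = [name for name, needles in RISKY.items() if all(contains(blob, n) for n in needles)]
    benign = [h.decode("ascii") for h in BENIGN_HINTS if contains(blob, h)]
    if not found:
        level = "clean"
    elif found == ["process_start"] and benign:
        level = "warning"
    else:
        level = "suspicious"
    return {"indicators": found, "benign_hints": benign, "verdict": level}


def build_sample(type_names: list[str], literals: list[str]) -> bytes:
    """Constructed stand-in for an assembly: NUL-separated UTF-8 names followed
    by UTF-16LE literals, mimicking the #Strings and #US heaps (assumption)."""
    strings_heap = b"\x00".join(n.encode("ascii") for n in type_names) + b"\x00"
    us_heap = b"\x00".join(s.encode("utf-16-le") for s in literals)
    return b"BSJB" + strings_heap + us_heap


# Constructed samples, not real game assemblies
CLEAN_GAME = build_sample(["UnityEngine", "MonoBehaviour", "Start", "Update"], ["Hello"])
SAVE_FOLDER_GAME = build_sample(
    ["System.Diagnostics", "Process", "Start", "UnityEngine", "Application", "persistentDataPath"],
    ["explorer.exe", "Saves"],
)
NATIVE_IMPORT_GAME = build_sample(
    ["System.Diagnostics", "Process", "Start", "DllImport", "kernel32"], ["data"]
)


if __name__ == "__main__":
    for label, blob in [("clean", CLEAN_GAME), ("save-folder", SAVE_FOLDER_GAME), ("native", NATIVE_IMPORT_GAME)]:
        print(label, scan_assembly(blob))
```

The "warning" level exists for the reason given later in the thread: an assembly that legitimately opens Explorer still contains Process.Start, so hiding it behind "clean" would also hide malware that calls the same function; surfacing it with the hint lets the user decide.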

Uncle Eugene

Active Member
Modder
Jun 6, 2020
505
4,223
Updated the scanner

-Fixed an error that made malicious function calls be considered non-malicious in some special cases
-Made the scanner notify the user when a developer is likely to use risky functions legitimately, instead of saying that the game is clean, so that malware calling such functions does not go unnoticed
-Heavily compressed the executable, now it fits in F95 attachments

colobancuz

Active Member
Aug 11, 2019
745
1,879
I tested your scanner, most of my games turned out to be clean, but two flagged:
Nemurimouto v0.09 - as expected, I managed to download it before the virus warning appeared in the thread. If you want, I can send you the archive. For obvious reasons, I did not run the game.
School, Love & Friends v2.14 - I didn't expect this one. There are no warnings in the thread, and when I launched it in the sandbox, I didn't notice any suspicious activity.

Anyway, great scanner, keep up the good work!

Uncle Eugene

Active Member
Modder
Jun 6, 2020
505
4,223
Scanner has been updated to v1.1

What's New:
- Imagine, RENPY SUPPORT

Also a few bugfixes and improvements, but the main feature is that it now supports Renpy. It is not that great at scanning Renpy as of this version; think of it as BETA, but it should catch malware from the same stupid kid who did the Unity viruses that started this thread in the first place

Uncle Eugene

Active Member
Modder
Jun 6, 2020
505
4,223
Reuploaded the file, sorry for the inconvenience
If you've downloaded it in this small timeframe, please redownload; it didn't trigger on the found Renpy malware lol

Uncle Eugene

Active Member
Modder
Jun 6, 2020
505
4,223
I tested your scanner, most of my games turned out to be clean, but two flagged:
Nemurimouto v0.09 - as expected, I managed to download it before the virus warning appeared in the thread. If you want, I can send you the archive. For obvious reasons, I did not run the game.
School, Love & Friends v2.14 - I didn't expect this one. There are no warnings in the thread, and when I launched it in the sandbox, I didn't notice any suspicious activity.

Anyway, great scanner, keep up the good work!
Somehow I missed your report here.
The second game looked fucking scary from the logs, calling into the kernel and starting processes. I downloaded it and figured it uses some Lua scripting shit in the project for whatever reason.
It's impossible to know what's in those scripts (well, possible, of course, I just don't want to). So probably a false positive on that one.
However, it's good to see the scanner picks up on stuff like that. You could easily run malware from those Lua scripts they're using (and nobody said they're not)

colobancuz

Active Member
Aug 11, 2019
745
1,879
Here is the log for Halfway House EP11BonusScene-BONUS.9.
By the way, pythonw.exe very often does not match the SDK version in many games, and a check on VirusTotal finds nothing.
It's a good scanner; I tried something similar but it didn't work for versions older than 7.0.0 - it's not possible to find out the version in the usual way.

Uncle Eugene

Active Member
Modder
Jun 6, 2020
505
4,223
Thanks. I see it didn't like .png files being replaced in the game; that's a mistake.
pythonw.exe is an interesting one, I should look more into it.
Not sure why it's screaming at binaries, though. I'll check it out as well; seems like a bug, or something was really modified there (but I doubt they've touched anything apart from platform.pyc)

colobancuz

Active Member
Aug 11, 2019
745
1,879
Thanks. I see it didn't like .png files being replaced in the game; that's a mistake.
pythonw.exe is an interesting one, I should look more into it.
Not sure why it's screaming at binaries, though. I'll check it out as well; seems like a bug, or something was really modified there (but I doubt they've touched anything apart from platform.pyc)
The thing about .pyc/.rpyc/.rpymc files is that when the SDK is launched, they are recompiled from the source code, so they do not match. If there is an uncompiled (source) file, you can skip checking the compiled file.

Uncle Eugene

Active Member
Modder
Jun 6, 2020
505
4,223
The thing about .pyc/.rpyc/.rpymc files is that when the SDK is launched, they are recompiled from the source code, so they do not match. If there is an uncompiled (source) file, you can skip checking the compiled file.
I thought it was the other way around: if there is a compiled version of the file, it does not use the uncompiled one.
I remember testing it with .rpyc and .rpy files. But I guess I could be wrong. Would be convenient if so

I wanted to delete the compiled copies with the scan for extra safety, but that misses the whole point of "Scan". I will probably add that as a patching feature, which I wanted to add for Unity in the first place, but it didn't work out

colobancuz

Active Member
Aug 11, 2019
745
1,879
I thought it was the other way around: if there is a compiled version of the file, it does not use the uncompiled one.
I remember testing it with .rpyc and .rpy files. But I guess I could be wrong. Would be convenient if so

I wanted to delete the compiled copies with the scan for extra safety, but that misses the whole point of "Scan". I will probably add that as a patching feature, which I wanted to add for Unity in the first place, but it didn't work out
.rpy game files are compiled at startup only if the .rpyc is outdated (by date), but when the developer makes a build, a full recompilation of all source files is usually performed, so the compiled files in the lib and renpy folders are different. I checked several dozen games; it's the same for all of them.
Also, games sometimes support SteamAPI, where some things are changed and added, including pyc, pyo, and pyd.
If you want, I can send you the logs of my program for the games I have. These are all clean games (at least I think so). Just for statistics. (But that's only towards evening)
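The compiled-file discussion above (a .rpy is rebuilt at startup only when its .rpyc is older by date; a build normally ships both), as an added example in Python that is not the scanner's code. It classifies each .rpyc in a game folder by whether a sibling source exists and which of the two the engine would actually run, and lists other code-carrying files that have no business in the game folder. The date rule follows the thread's description and is an assumption; the sample files and their timestamps are constructed.

```python
"""Classify Ren'Py compiled script files in a game folder.

Added example, not the scanner's code. Rules (assumptions from the thread):
  - a .rpyc with no sibling .rpy has no source to compare against;
  - a .rpyc older than its .rpy is rebuilt from source at startup;
  - a .rpyc newer than its .rpy is what actually runs, so it is the file
    whose contents matter, not the readable source next to it.
"""
import os
import tempfile
import time
from pathlib import Path

# Compiled/native code that normally does not belong in the 'game' folder
# (assumption; Steam builds may legitimately add some of these, so they are
# listed for review rather than declared malicious)
OTHER_CODE = {".pyc", ".pyo", ".pyd", ".dll", ".so"}


def classify_game_scripts(game_dir: Path) -> dict[str, str]:
    """Map relative path -> classification for every .rpyc and other code file."""
    result: dict[str, str] = {}
    for rpyc in sorted(game_dir.rglob("*.rpyc")):
        rel = str(rpyc.relative_to(game_dir)).replace(os.sep, "/")
        src = rpyc.with_suffix(".rpy")
        if not src.exists():
            result[rel] = "orphan-compiled"          # nothing readable to check it against
        elif rpyc.stat().st_mtime < src.stat().st_mtime:
            result[rel] = "stale-will-recompile"     # engine rebuilds it from .rpy at startup
        else:
            result[rel] = "compiled-used-as-is"      # this file runs; its .rpy is not proof of content
    for p in sorted(game_dir.rglob("*")):
        if p.is_file() and p.suffix.lower() in OTHER_CODE:
            rel = str(p.relative_to(game_dir)).replace(os.sep, "/")
            result[rel] = "unexpected-code"
    return result


def demo() -> dict[str, str]:
    """Constructed sample game folder with one of each case."""
    with tempfile.TemporaryDirectory() as tmp:
        game = Path(tmp) / "game"
        game.mkdir()
        now = time.time()

        def put(name: str, data: bytes, mtime: float) -> None:
            path = game / name
            path.write_bytes(data)
            os.utime(path, (mtime, mtime))   # pin the timestamp the date rule relies on

        put("script.rpy", b"label start:\n    return\n", now - 200)
        put("script.rpyc", b"RENPY RPC2 constructed", now - 100)    # newer than source: used as-is
        put("options.rpy", b"define config.name = 'x'\n", now - 50)
        put("options.rpyc", b"RENPY RPC2 constructed", now - 100)   # older than source: recompiled
        put("hidden.rpyc", b"RENPY RPC2 constructed", now - 100)    # no .rpy at all
        put("helper.pyd", b"constructed", now - 100)                 # native code in game folder
        return classify_game_scripts(game)


if __name__ == "__main__":
    for path, kind in demo().items():
        print(f"{kind:22} {path}")
```

The "compiled-used-as-is" bucket is the one to pay attention to when reviewing by hand: the readable .rpy beside it is not what executes, so confirming the game is clean means decompiling that .rpyc (UnRen, as the first post suggests) and comparing, not reading the .rpy alone.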

Uncle Eugene

Active Member
Modder
Jun 6, 2020
505
4,223
I understood that about the recompilation of engine files on a build, as the hex values and the hash differ by just a little, but couldn't a malware distributor just swap one of the compiled files and redistribute the game? Should work, no?

Didn't see any extra .pyc files yet, only some SteamAPI DLLs; they're marked as warnings and not considered malicious.
Depends on what is in these logs. I will download a bunch of clean Renpy games from here anyway, so it wouldn't help much;
infected games are much more wanted

colobancuz

Active Member
Aug 11, 2019
745
1,879
I understood that about the recompilation of engine files on a build, as the hex values and the hash differ by just a little, but couldn't a malware distributor just swap one of the compiled files and redistribute the game? Should work, no?

Didn't see any extra .pyc files yet, only some SteamAPI DLLs; they're marked as warnings and not considered malicious.
Depends on what is in these logs. I will download a bunch of clean Renpy games from here anyway, so it wouldn't help much;
infected games are much more wanted
I also thought about this — you can decompile these files and compare them with the source code, but decompilers add all sorts of their own lines, so you have to create filters, plus pyc/pyo files don't always decompile properly. On the other hand, you can perform a more in-depth analysis of the types of functions used that are not in the SDK (for this file)... But I haven't gotten around to it yet.