Dargondo

Member
Mar 3, 2018
297
636
Got a big ole alert from my computer that there is a malicious trojan in the application for this game, which is fun since it seems like I'm not the only one who got it too.
 

saboro

Member
Sep 28, 2019
101
359
> This download 100% has a virus (trojan) that gets installed in your system files. Do not under any circumstances install this on your computer. Installing it in a VM should be ok tho.

I've been running the game since July in an isolated machine, and its files seem totally clean as of today, according to manual checks, SFC and fully updated Kaspersky AV (excluding the game executable). I'm a computer security paranoid, as most people with enough experience, but after what I've seen, I'm more inclined to think that this is a false positive triggered by a modified executable that has to bypass a convoluted DRM protection. Heck, even some DRM protections trigger the AVs until the devs send the protected executable hashes to the AV companies so they can whitelist them. If we consider that the crack probably isn't coded in the most elegant way, it does have all the ingredients to make any AV go crazy. Nevertheless, I condone your VM advice (for this game and any other suspicious cracked software).

You claim that you're 100% sure the download has a trojan, so you must have info the rest doesn't have. Could you give us more details about the specific trojan, like the connections it tries to establish, the processes it does use, the files it does install or the system files it does infect? If such info is replicable, that would help people with already infected computers and would be enough proof to take down the links, since nobody wants to share dangerous shit here. Thanks.
 

wyldstrykr

Active Member
Nov 30, 2017
666
304
> This download 100% has a virus (trojan) that gets installed in your system files. Do not under any circumstances install this on your computer. Installing it in a VM should be ok tho.

Can you give us the details of that virus trojan that gets installed in your system files?? People were claiming that it's a false positive due to Denuvo cracks and cracks in general. My scan doesn't count because I didn't run the game in administrator mode. Yes, virtual machine is the way to go when in doubt.
 

bansdebar

Member
Jan 11, 2019
192
262
> I've been running the game since July in an isolated machine, and its files seem totally clean as of today, according to manual checks, SFC and fully updated Kaspersky AV (excluding the game executable). I'm a computer security paranoid, as most people with enough experience, but after what I've seen, I'm more inclined to think that this is a false positive triggered by a modified executable that has to bypass a convoluted DRM protection. Heck, even some DRM protections trigger the AVs until the devs send the protected executable hashes to the AV companies so they can whitelist them. If we consider that the crack probably isn't coded in the most elegant way, it does have all the ingredients to make any AV go crazy. Nevertheless, I condone your VM advice (for this game and any other suspicious cracked software).
>
> You claim that you're 100% sure the download has a trojan, so you must have info the rest doesn't have. Could you give us more details about the specific trojan, like the connections it tries to establish, the processes it does use, the files it does install or the system files it does infect? If such info is replicable, that would help people with already infected computers and would be enough proof to take down the links, since nobody wants to share dangerous shit here. Thanks.

The only thing I'm gonna give is the Trojan name (later, too busy atm). The trojan gets installed in the system32 directory directly after you unzip the file. I haven't analysed the exe but I can imagine there is more wonky and dangerous shit there. Usually you can open an .exe and read what it's supposed to do.

You ever created an .exe yourself? You can edit and modify it however you want and the virus scanners don't care at all, that's not what triggers a virus scanner. What triggers it are some wonky links of script.

As you can see Dargondo also noticed a Trojan (and it is 100% a Trojan as unzipping should absolutely not trigger the install of a file in the system32 directory).

Signs in the code you can look out for are generally lines of code that try to surpass the admin permission of moving a file. Usually by calling a system .dll method or whatnot that is supposed to do something else entirely.

I will give you the Trojan filename later but not what it does. If you feel like that's not enough then investigate it yourself or enjoy your time with the Trojan.
 

saboro

Member
Sep 28, 2019
101
359
> The only thing I'm gonna give is the Trojan name (later, too busy atm). The trojan gets installed in the system32 directory directly after you unzip the file. I haven't analysed the exe but I can imagine there is more wonky and dangerous shit there. Usually you can open an .exe and read what it's supposed to do.
>
> You ever created an .exe yourself? You can edit and modify it however you want and the virus scanners don't care at all, that's not what triggers a virus scanner. What triggers it are some wonky links of script.
>
> As you can see Dargondo also noticed a Trojan (and it is 100% a Trojan as unzipping should absolutely not trigger the install of a file in the system32 directory).
>
> Signs in the code you can look out for are generally lines of code that try to surpass the admin permission of moving a file. Usually by calling a system .dll method or whatnot that is supposed to do something else entirely.
>
> I will give you the Trojan filename later but not what it does. If you feel like that's not enough then investigate it yourself or enjoy your time with the Trojan.

So, essentially, you're telling us that the trojan gets installed into the system32 directory once you extract the 7z archive, with no need of user interaction, and making use of some sort of exploit to bypass UAC.

I won't get into details about why that doesn't make any sense at all. Despite that, I'm always open to any sort of crazy shit, so I have taken the time to do some simple checks in a new fresh VM to see it by myself, but as I expected, I'm not able to reproduce anything you reported.

Dargondo wrote that his computer alerted him, probably his AV, like everyone else's AV, nothing new. The OP clearly says: "Crack will trigger antivirus as false positive. Play at your own risk.". Again, no one wants to share dangerous shit and this site is probably the cleanest one out there for this type of content. You're the one who's 100% sure about the trojan thing, so you're expected to have tangible proof, show it to us so everyone can take the appropriate measures and keep the site clean. This is not about me, I don't want and I don't have to waste more time "enjoying my time with the trojan".
 

bansdebar

Member
Jan 11, 2019
192
262
> So, essentially, you're telling us that the trojan gets installed into the system32 directory once you extract the 7z archive, with no need of user interaction, and making use of some sort of exploit to bypass UAC.
>
> I won't get into details about why that doesn't make any sense at all. Despite that, I'm always open to any sort of crazy shit, so I have taken the time to do some simple checks in a new fresh VM to see it by myself, but as I expected, I'm not able to reproduce anything you reported.
>
> Dargondo wrote that his computer alerted him, probably his AV, like everyone else's AV, nothing new. The OP clearly says: "Crack will trigger antivirus as false positive. Play at your own risk.". Again, no one wants to share dangerous shit and this site is probably the cleanest one out there for this type of content. You're the one who's 100% sure about the trojan thing, so you're expected to have tangible proof, show it to us so everyone can take the appropriate measures and keep the site clean. This is not about me, I don't want and I don't have to waste more time "enjoying my time with the trojan".

Everyone be aware that this lad is trolling and it wouldn't surprise me as he had something to do with placing the Trojan in the zip. Even worse is his pseudo science approach of this.

If you don't think you can activate viruses and Trojans with unzipping some files I suggest you should do some more studying.

This download 100% has a virus and this lad has something to do with it. No normal person would go this far into protecting a random zip file in the internet.

Furthermore most of his arguments are obviously fake but twisted in a sense they might appear real.

The download 100% contains a Trojan. Be aware, do not directly install it on your PC.
 

James Eveleth

Well-Known Member
Mar 22, 2018
1,477
2,692
> Everyone be aware that this lad is trolling and it wouldn't surprise me as he had something to do with placing the Trojan in the zip. Even worse is his pseudo science approach of this.
>
> If you don't think you can activate viruses and Trojans with unzipping some files I suggest you should do some more studying.
>
> This download 100% has a virus and this lad has something to do with it. No normal person would go this far into protecting a random zip file in the internet.
>
> Furthermore most of his arguments are obviously fake but twisted in a sense they might appear real.
>
> The download 100% contains a Trojan. Be aware, do not directly install it on your PC.

I honestly do not know who the right side in this argument is, but you could do with providing actual evidence instead of simply rebuking saboro's claims with words and then accusing them of placing a virus in the game.

saboro did extensive tests and provided evidence for their claims. Even if it's total bullshit and they are trying to pull the wool over everyone's eyes like you say they are, they currently seem more trustworthy by value of that alone.

You, on the other hand, said that you'd give the name of the Trojan, so you could do that to show that you're serious. And since it seems that you possess the necessary know-how, if you put in the work and tell the people here what the Trojan actually does while backing it up with proof, it will add a lot to your credibility and possibly save dozens of PCs from becoming infected.
 
Feb 3, 2020
112
130
> I honestly do not know who the right side in this argument is, but you could do with providing actual evidence instead of simply rebuking saboro's claims with words and then accusing them of placing a virus in the game.
>
> saboro did extensive tests and provided evidence for their claims. Even if it's total bullshit and they are trying to pull the wool over everyone's eyes like you say they are, they currently seem more trustworthy by value of that alone.
>
> You, on the other hand, said that you'd give the name of the Trojan, so you could do that to show that you're serious. And since it seems that you possess the necessary know-how, if you put in the work and tell the people here what the Trojan actually does while backing it up with proof, it will add a lot to your credibility and possibly save dozens of PCs from becoming infected.

Well, the fact that he/she has not said the name of the trojan, even if it takes two seconds, but has the time to respond with void arguments, tells everything. If he/she was not trolling, he/she would have told us the trojan name in the comment where he/she responded to saboro.
 

saboro

Member
Sep 28, 2019
101
359
> Everyone be aware that this lad is trolling and it wouldn't surprise me as he had something to do with placing the Trojan in the zip. Even worse is his pseudo science approach of this.
>
> If you don't think you can activate viruses and Trojans with unzipping some files I suggest you should do some more studying.
>
> This download 100% has a virus and this lad has something to do with it. No normal person would go this far into protecting a random zip file in the internet.
>
> Furthermore most of his arguments are obviously fake but twisted in a sense they might appear real.
>
> The download 100% contains a Trojan. Be aware, do not directly install it on your PC.

Oh my god, now I'm the mastermind of the conspiracy?

I encourage anyone who doubts me to fire up a VM and check by themselves. All the tools I've used are totally free, except Thinapp, but if you're here, you probably know how to find a cracked one. Please do it, feel free to ask me any doubts, and see by yourself who's the one spreading pseudo-science bullshit.

None of my checks proves that the download doesn't contain a trojan, just that I wasn't able to reproduce your convoluted claims. They suggest it is a false positive, and I'm inclined to think that, but I honestly can't be 100% sure about it. Someone more knowledgeable than me can definitely do more insightful checks and tell us exactly what we're dealing with. Please be cautious if you play this, use a VM or a safe computer isolated from your network.

Lastly. I've not created this thread, cracked or submitted this game, the mods or uploaders involved know this is true. I'm playing the game and I'm subscribed to the thread, but I'm honestly tired of notifications about people panicking over an AV popup and alerting others, even in the reviews, when there's a big fat warning in the first post. I rarely participate on f95 forums unless I have something to contribute, like small mods, fixes and stuff like that, but your comment was the cherry on the top.

For fucks sake, you're pirating games, there's always risk involved, and everyone here tries to do their best to reduce it.
 

bansdebar

Member
Jan 11, 2019
192
262
Trojan is automatically put in Win32/sabsik.FLA!ma when you unzip it. The code that does it is executed as soon as you unzip the zip by meiqNS_crack.exe. In the case it's removed it's probably automatically done by Windows Defender.

In case anyone is unfamiliar with cracking. In no case should a crack ever be put in the w32 dir. Seeing as the other person here is very hard false flagging with pseudo IT related arguments he/she/it is probably somehow involved in the spreading of such a trojan.

He/she/it apparently already has at least 3 bot accounts so be mindful of this dangerous behaviour. I'm not putting any more effort in it than this as I simply don't have the time.
 

Celerarity

Member
Apr 23, 2018
201
218
You have the time to spend two days responding to this thread but not to send us some screenshots or walkthroughs?
 

dmmt

Well-Known Member
May 8, 2020
1,003
971
AVAST does not give an alert of any kind. The game unpacks, however it lacks an .exe file. I see no means of starting it.
 

saboro

Member
Sep 28, 2019
101
359
> AVAST does not give an alert of any kind. The game unpacks, however it lacks an .exe file. I see no means of starting it.

Your antivirus is probably silently removing the .exe. Try to disable it before extracting the game, or whitelist the folder where you are extracting it. The 7z definitely contains an .exe. Use a VM if you prefer to avoid risks.
 

dmmt

Well-Known Member
May 8, 2020
1,003
971
that did it. TYVM!

now I'm antsy....1st AVAST removed the application executable. SO as suggested, I whitelisted the target folder and it was there. But when I clicked it, MALWARE intercepted and quarantined it too. With both of them grabbing hold of it, I'm.not.so.sure.about running it.
 

saboro

Member
Sep 28, 2019
101
359
> Trojan is automatically put in Win32/sabsik.FLA!ma when you unzip it. The code that does it is executed as soon as you unzip the zip by meiqNS_crack.exe. In the case it's removed it's probably automatically done by Windows Defender.
>
> In case anyone is unfamiliar with cracking. In no case should a crack ever be put in the w32 dir. Seeing as the other person here is very hard false flagging with pseudo IT related arguments he/she/it is probably somehow involved in the spreading of such a trojan.
>
> He/she/it apparently already has at least 3 bot accounts so be mindful of this dangerous behaviour. I'm not putting any more effort in it than this as I simply don't have the time.

"Win32/sabsik.FLA!ma" is not a location but a name, that's how Windows Defender calls the trojan it detects. It's not inside any "Win32" folder nor any other system folder, "Win32" is part of the name given to the threat. Here's one of the screenshots I shared in the pastebin link a few posts before:


defender.png

Pressing the "show details" button will reveal a panel with "category", "description", "recommended action" and "items". The actual location of the virus appears under "Items:", prefixed by "file:". In my case, as you can see, it's: "C:\Users\saboro\Desktop\Suzukuri_Dungeon_Karin_in_the_Mountain\Suzukuri Dungeon Karin in the Mountain\meiqNS_crack.exe", that's the exe inside the game folder.

Unfortunately for you, your last reply has shown your blatant lack of knowledge to the point of making me cringe. There wasn't any trojan inside any system folder in the first place, that was your game folder, Mr. IT expert. All the fantasies you've told us afterwards based on that claim are now void. But hey, you can still have fun unmasking me, the dangerous evil hacker and his bot harem. Even better, make an eroge about that and share it here, the title works as is.

I hope everyone enjoyed the drama. Thank you, Microsoft, for designing unintuitive GUIs.

Case closed.
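
The distinction drawn in the post above, between the detection name and the path listed under "Items:", shown as an added example that is not part of the original thread. The `Type:Platform/Family.Variant!Suffix` layout is Microsoft's published naming convention; the function names, the `C:\Windows` root and the second sample are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Microsoft's published naming layout: Type:Platform/Family.Variant!Suffix
# (Type is optional here because the thread quotes the name without it).
NAME_RE = re.compile(
    r"^(?:(?P<type>[A-Za-z]+):)?"
    r"(?P<platform>[A-Za-z0-9]+)/"
    r"(?P<family>[A-Za-z0-9_-]+)"
    r"(?:\.(?P<variant>[A-Za-z0-9]+))?"
    r"(?:!(?P<suffix>[A-Za-z0-9]+))?$"
)

def parse_threat_name(name):
    """Split a detection name into fields; reject anything shaped like a path."""
    m = NAME_RE.match(name.strip())
    if m is None:
        raise ValueError(f"not a detection name: {name!r}")
    return m.groupdict()

def parse_item(item):
    """Return the path from an 'Items:' entry such as 'file: C:\\dir\\x.exe'."""
    scheme, sep, rest = item.partition(":")
    if not sep or scheme.strip().lower() != "file":
        raise ValueError(f"unsupported item: {item!r}")
    # Tolerate a space or underscore between the prefix and the path.
    return PureWindowsPath(rest.lstrip(" _"))

def in_system_dir(path, system_root=r"C:\Windows"):
    """True if path lies under system_root (assumed default install location)."""
    # PureWindowsPath equality is case-insensitive, like the filesystem.
    return PureWindowsPath(system_root) in path.parents

def triage(name, item):
    """Combine both views: what was detected, and where the file really is."""
    path = parse_item(item)
    return {"threat": parse_threat_name(name), "file": str(path),
            "in_system_dir": in_system_dir(path)}

# Name and path exactly as quoted in the thread.
THREAD_NAME = "Win32/sabsik.FLA!ma"
THREAD_ITEM = (r"file: C:\Users\saboro\Desktop\Suzukuri_Dungeon_Karin_in_the_Mountain"
               r"\Suzukuri Dungeon Karin in the Mountain\meiqNS_crack.exe")
# Constructed contrast case: a detection that really is inside a system folder.
MADE_UP_NAME = "Trojan:Win32/Example.A!ml"
MADE_UP_ITEM = r"file: C:\Windows\System32\example.dll"

if __name__ == "__main__":
    for n, i in ((THREAD_NAME, THREAD_ITEM), (MADE_UP_NAME, MADE_UP_ITEM)):
        print(triage(n, i))
```
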
 