Project 1999

Go Back   Project 1999 > General Community > Rants and Flames
Reload this Page RMTers discuss P1999 dsetup.dll "includes some NSA-level intrusive scans on your PC"
Home Forums Register Members List Today's Posts

Closed Thread
Page 5 of 19 « First 34 5 6715 Last »
 
Thread Tools Display Modes
  #41  
Old 10-19-2015, 10:42 PM
Alaron01 Alaron01 is offline
Large Rat


Join Date: Sep 2010
Posts: 6
Default
Quote:
Originally Posted by simp403 [You must be logged in to view images. Log in or Register.]
So how could the EQClient executable access information outside of the access privelages it is granted when it's installed on the system? Swapping out a .dll file won't change these, meaning that P1999 can only access data within the process's allotted memory, in the locations on secondary storage specified by said access privelages, and data that is shared with the process by other processes it interacts with.

So how would the addition of a .dll file allow the EQClient to grab data from the web browser, which is an entirely separate process that does not interact with it whatsoever? How does this executable suddenly get full access to the file management system simply through the addition of a dll? Can someone please let me know if this is possible? I knly just graduated from Comp Sci, but all of these claims seem to be full of shit to me. Am I missing something here?
Here's where to start: https://en.wikipedia.org/wiki/DLL_injection

It usually involves more than just swapping out a DLL. It's easiest to have an executable that can do the injection (see bullet point #3 in the wiki for how-to).

Once you can get another process to load your DLL, then your DLL main function will be called. This is where the process that's being injected into loses all control, and this is precisely why a detection mechanism for cheating would target foreign DLLs. An attacker can have all kinds of fun in here since they are executing in the other process' address space.

So, rough sketch of how P1999 staff could theoretically make your EQClient grab data from your web browser:
1) Inject a DLL into EQClient through the launcher.
2) Now the DLL main function will get called by EQClient. They put the code for DLL injection into the DLL that's being injected though! So now this DLL main will make EQClient inject the very same DLL into your web browser. If you are feeling fancy (or kinky) you could do something like hooking the function for receiving tells and trigger this to happen only when "gay elf love" is contained in the text.
3) The same thing happens inside the web browser except it starts snapping screenshots. Hide yo kids, hide yo wife.

The claim that it's possible is not full of shit.. I wouldn't miss any sleep over worrying about it though.

PS: I see you've worked out more of this while I wrote this post. Cool. Gonna post it anyway in case you find something interesting.
  #42  
Old 10-19-2015, 11:19 PM
simp403 simp403 is offline
Kobold

simp403's Avatar

Join Date: Jul 2015
Posts: 100
Default
Quote:
Originally Posted by Alaron01 [You must be logged in to view images. Log in or Register.]
PS: I see you've worked out more of this while I wrote this post. Cool. Gonna post it anyway in case you find something interesting.
No, this is good shit. Thanks for posting it!

Quote:
Originally Posted by Alaron01 [You must be logged in to view images. Log in or Register.]
They put the code for DLL injection into the DLL that's being injected though! So now this DLL main will make EQClient inject the very same DLL into your web browser.
So how exactly would the EQClient be able to inject this code into the web browser if it does not have access permission to touch the web browser?

I had a feeling that there was some way to include malicious code in the dll file but I thought that it would also require specific conditions with the executable loading it, as well. Is it possible to know whether or not the EQClient can be used this way? Does the swapped dll file alter the executable file to inject code in this way, and how could it access other programs if the access permissions to do so were not originally granted to the executable loading the dll file?
__________________
Dinobots
  #43  
Old 10-19-2015, 11:23 PM
Ostros Ostros is offline
Kobold

Ostros's Avatar

Join Date: May 2010
Location: Lakeland, FL
Posts: 114
Default
Quote:
Originally Posted by simp403 [You must be logged in to view images. Log in or Register.]
No, this is good shit. Thanks for posting it!



So how exactly would the EQClient be able to inject this code into the web browser if it does not have access permission to touch the web browser?

I had a feeling that there was some way to include malicious code in the dll file but I thought that it would also require specific conditions with the executable loading it, as well. Is it possible to know whether or not the EQClient can be used this way? Does the swapped dll file alter the executable file to inject code in this way, and how could it access other programs if the access permissions to do so were not originally granted to the executable loading the dll file?
Without setting off every red flag for your AV/Anti-Malware? It can't. That's why it's bullshit. That it's possible is irrelevant. Process hijacking is a heuristic that's like....dead giveaways 101 for malicious software.
__________________
Quote:
The internet is a cruel, anonymous fight club where your weaknesses will be exploited and your fears used against you. Use the internet for entertainment and maybe information, as long as you realize that most of it is false. But if your sole social circle exists entirely online, you're already fucked if you can't hack it alone, because you are.
Sithix Wraithscale - Necro
  #44  
Old 10-19-2015, 11:25 PM
simp403 simp403 is offline
Kobold

simp403's Avatar

Join Date: Jul 2015
Posts: 100
Default
Quote:
Originally Posted by Ostros [You must be logged in to view images. Log in or Register.]
Without setting off every red flag for your AV/Anti-Malware? It can't. That's why it's bullshit. That it's possible is irrelevant. Process hijacking is a heuristic that's like....dead giveaways 101 for malicious software.
Ok, yeah, I figured that this would be very easy to prevent or otherwise detect.
__________________
Dinobots
  #45  
Old 10-19-2015, 11:36 PM
Magikarp Magikarp is offline
Sarnak

Magikarp's Avatar

Join Date: Dec 2013
Location: MSN Instant Messenger
Posts: 325
Default
this explains why my bank account is low and i got that fixit ticket for expired registration the other week and i may have a drinking problem

illuminati everywhere

damnit rogean. glad to have someone reveal the TRUTH for all to see
  #46  
Old 10-19-2015, 11:39 PM
Ostros Ostros is offline
Kobold

Ostros's Avatar

Join Date: May 2010
Location: Lakeland, FL
Posts: 114
Default
Quote:
Originally Posted by simp403 [You must be logged in to view images. Log in or Register.]
Ok, yeah, I figured that this would be very easy to prevent or otherwise detect.
Without looking at the DLL myself, I'd put money on it working like:

If window says "MQ2" (or whatever), send "OH SHIT" to Rogean.

Else: do nothing
__________________
Quote:
The internet is a cruel, anonymous fight club where your weaknesses will be exploited and your fears used against you. Use the internet for entertainment and maybe information, as long as you realize that most of it is false. But if your sole social circle exists entirely online, you're already fucked if you can't hack it alone, because you are.
Sithix Wraithscale - Necro
  #47  
Old 10-19-2015, 11:43 PM
simp403 simp403 is offline
Kobold

simp403's Avatar

Join Date: Jul 2015
Posts: 100
Default
Quote:
Originally Posted by Ostros [You must be logged in to view images. Log in or Register.]
Without looking at the DLL myself, I'd put money on it working like:

If window says "MQ2" (or whatever), send "OH SHIT" to Rogean.

Else: do nothing
Naw, it probably goes something like

If: web browser says "cuckhold", send site login information to Rogean.

Else: send bank account info and install ransomware.
__________________
Dinobots
  #48  
Old 10-19-2015, 11:48 PM
iruinedyourday iruinedyourday is offline
Banned


Join Date: Apr 2014
Posts: 7,351
Default
i heard the virgin detector they put in the client crashed the internet for 30 minuets.
  #49  
Old 10-19-2015, 11:49 PM
Ostros Ostros is offline
Kobold

Ostros's Avatar

Join Date: May 2010
Location: Lakeland, FL
Posts: 114
Default
Quote:
Originally Posted by simp403 [You must be logged in to view images. Log in or Register.]
Naw, it probably goes something like

If: web browser says "cuckhold", send site login information to Rogean.

Else: send bank account info and install ransomware.
lel
__________________
Quote:
The internet is a cruel, anonymous fight club where your weaknesses will be exploited and your fears used against you. Use the internet for entertainment and maybe information, as long as you realize that most of it is false. But if your sole social circle exists entirely online, you're already fucked if you can't hack it alone, because you are.
Sithix Wraithscale - Necro
  #50  
Old 10-19-2015, 11:52 PM
simp403 simp403 is offline
Kobold

simp403's Avatar

Join Date: Jul 2015
Posts: 100
Default
Quote:
Originally Posted by iruinedyourday [You must be logged in to view images. Log in or Register.]
i heard the virgin detector they put in the client crashed the internet for 30 minuets.
EverQuest can't run on Linux, though.
__________________
Dinobots
Closed Thread
Page 5 of 19 « First 34 5 6715 Last »

« Previous Thread | Next Thread »

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT -4. The time now is 03:10 PM.

Privacy Policy - Project 1999 - Classic Everquest - Archive - Top

Everquest is a registered trademark of Daybreak Game Company LLC.
Project 1999 is not associated or affiliated in any way with Daybreak Game Company LLC. 		Powered by vBulletin®
Copyright ©2000 - 2025, Jelsoft Enterprises Ltd.