[Xbox360-PS3-PC] GTA V Save Editor (By: XB36Hazard)

XB36Hazard

Yes, I downloaded the update, I went into the updated editor, put godmode on Franklin, then put on the Vehicle Spawner for him, then saved the file. I went on to my PS3, copied it over, loaded the game, went to the Grove Street Garage, then nothing... Still the 33 DLC cars.

Here is the save you sent me. Let me know if it works for you: http://x3t-infinity.com/PFiles/GTAV_TEST.zip

I loaded it up, walked in, still just 33... Am I supposed to do something?

Hmm, I really don't know why it doesn't work for you. I converted your save to PC and it worked fine. I also tried 20 other saves for PC & Xbox 360 and they all worked fine. Are you on the current title update? Also, can anyone else confirm it doesn't work on PS3?

Yeah, I'm on the current update. This is just weird. I wonder why it's not working. The saves you sent back to me, were they edited?

I might have found what was causing it. Try this save and let me know if it works. http://x3t-infinity.com/PFiles/GTAV_TEST2.zip

DelPaako

Is this save ready to go, or do I have to edit it first?

XB36Hazard

It's all good to go.

DelPaako

Am I supposed to press a specific button to activate the spawner, or do I just pull up special vehicles, and the list is expanded? I still see 33 DLC cars...

XB36Hazard

It's just under special vehicles. Are you sure all 33 vehicles are DLC? Your PS3 save only has 42 options for the special vehicles list, so I'm thinking 33 vehicles is the max for your save; this could be the problem.

DelPaako

The 33 cars that show up are from the DLC updates, not from the spawner. They are as follows: Elegy RH8, Bifta, Kalahari, Paradise, Roosevelt, Alpha, Jester, Turismo R, Huntley S, Massacro, Thrust, Zentorno, Rhapsody, Dubsta 6X6, Warrener, Blade, Glendale, Panto, Pigalle, The Liberator, Sovereign, Coquette Classic, Furore GT, Hakuchou, Innovation, Jester (Racecar), Massacro (Racecar), Rat Truck, Slamvan, Stirling GT, Osiris, Virgo, and the Windsor. Those are all from DLC updates; no other car shows up on the list, so the spawner might not work for the PlayStation 3.

XB36Hazard

That could be; when I get some free time I will try to expand the list.

DelPaako

Okay, sounds good.

P2FX

Avira reports TR/Dropper.MSIL.Gen2 in version 2.0.2.22

hyperar

Said it a thousand times: this dude is delivering malware. It even checks for common malware analysis services (such as malwr.com), and if it detects it's running on said VMs, the malware doesn't do anything; that way it doesn't expose its payload and makes it harder to analyze using automated tools.

As usual, people don't care that it is delivering malware and continue to use it, so f*ck 'em.

EDIT: Don't even try to deny it.

gooby

Why would he have to deny anything if people are going to use it anyway? Also, it'd be nice if you backed up your claims.

hyperar

Why? He did it before.

Backup? Sure:

https://malwr.com/analysis/MzY3MjA1ZWJkZmI2NDgzNzg3ZDA5YmQxYTk0NWM0Nzk/

https://malwr.com/analysis/YTFjYzE0MmMzZmU2NDkxNGE4MWI0OTY1ZjFlMDg0NGU/

https://malwr.com/analysis/NDRmOWViZWIxNDBkNDAzOGI0MDBiMGI4NzMxM2MyMzQ/

I wonder why a Save Game editor would need to fingerprint a system, or install itself at Windows startup, or steal information from installed web browsers, or inject running processes, or carry encrypted data inside itself, or send control codes directly to the network adapters, or change Registry keys' values, or create keys in sensitive parts of the registry?

Just with those analyses of three different versions you have more info than you need.

gooby

No, actually that's not "more information than I need". Since he denied it before, it must have been brought up somewhere? If you could link that, that'd be great, as I can't find anything useful about this. What does this 'malware' do exactly? Why has nobody else noticed and brought it up (at least in a way you'd find it on Google), given this is the most distributed save editor? Given how quickly Angry Planes/NoClip was identified as malicious and brought to public attention, I wonder how that'd work.

Hazard still supports this program very well with fixes and added features; it does make you wonder if he does it all just for fun, but it also shows the program itself is a genuine effort.

Edit: And please don't bother to link me to that single thread on this forum where a bunch of guys including yourself show their analysis results. That's not in-depth analysis, and Hazard hasn't bothered to deny anything there.

hyperar

Really? Modifying the registry, stealing private information from web browsers, fingerprinting a system, injecting running processes is OK for a Save Game editor? It's your call, dude; if you wanna continue to use it, go for it.

I reported this initially on his YouTube videos; then he added a red warning on his site saying that he's not doing it, and if you don't trust it, don't run it, which seemed pretty fair. If you trust him to run software that does funky stuff to your system, such as setting proxy settings in your registry, again, it's your call.

gooby

I asked you for more information you can't seem to provide. As for those threats, what do I know? That's why I ask you for more information. I have no clue how that page identified them, and neither, it seems, do you, but I do know encryption is also used to protect source code, for example. You just use it as your single source without explaining how those threats are harmful and what the malicious code does, which is why I ask you again to link me to a more in-depth explanation.

From my perspective, my system and my accounts haven't been harmed in over a year of using this editor.

hyperar

Can't seem to provide? Dude, I handed you three links with detailed information about three different versions of the software. If you classify something as malware only if your accounts are compromised, you are using your own custom definition of malware.

Malware is not only software that steals your Steam account details, just so you know.

Do whatever the f*ck you want with the info I posted; if you want to keep running this on your systems, then be my guest, I couldn't care less.

Just a little detail: all of this happens even when the editor fails to run, so all of this is done before the app even starts.

EDIT:

1) Open https://malwr.com/analysis/NDRmOWViZWIxNDBkNDAzOGI0MDBiMGI4NzMxM2MyMzQ/

2) Click on "Behavioral Analysis" on the left.

3) Click on "DW20.EXE".

4) Go to the 11th page.

5) Third row of the table: you'll see that it's creating the file "C:\Device\HarddiskVolume1\Documents and Settings\User\Local Settings\Application Data\k43a\KxJ\aksl\ask39K\jha\xsandbox.bin".

6) http://lmgtfy.com/?q=xsandbox.bin.

7) On the previous 10 pages you can see how it uses an undocumented Windows API to hook itself into vital Windows processes such as ntdll.dll and kernel32.dll among others (LdrGetDllHandle, used for process injection and stealthy persistence, AKA rootkit activity).

 

EDIT 2: From each of the three links to malwr.com, you can take the MD5 and post it on VirusTotal.com.

 

File version: 2.0.1.72 -> 16/57 positives.

https://www.virustotal.com/en/file/458a0774fa81724f588a2bd3dcb777107bc5c3c5462a2e9425de4a7a516b4f84/analysis/

 

File version: 2.0.1.8 -> 1/57 positives.

https://www.virustotal.com/en/file/7627771ca00f408f7a4fd61d85e944ce379f48dcd965cbdf934e6deecb7f315d/analysis/

 

File version: 2.0.1.91 -> 19/55 positives.

https://www.virustotal.com/en/file/d0ac1bac80b3ff5fcced57dbd905845641b45e8bcddeb9496893bafdceb41a1b/analysis/

 

On this particular one, click on the Relationships tab:

"This file was seen as a resource in the following Portable Executables."

https://www.virustotal.com/en/file/679eed0ceaa5c63cce45349fab2dc07989360d4946a360886443724eb0b2acdb/analysis/

 

EDIT 3:

 

From TrendMicro

http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_dropr.dmdr

 

Go to "Dropping Routine" section.

 

There you can see, that the trojan drops this file: "xsandbox.bin.__tmp__"

 

1) Open https://malwr.com/analysis/NDRmOWViZWIxNDBkNDAzOGI0MDBiMGI4NzMxM2MyMzQ/

2) Click on "Behavioral Analysis" on the left.

3) Click on the first "GTA V.exe".

4) Go to 11th page.

5) Search for "xsandbox.bin.__tmp__".

6) API function "NtCreateFile" means it's creating said file.

 

EDIT 4:

1) Open https://malwr.com/analysis/NDRmOWViZWIxNDBkNDAzOGI0MDBiMGI4NzMxM2MyMzQ/

2) Click on "Behavioral Analysis" on the left.

3) Click on the first "GTA V.exe".

4) Go to 21st page.

5) On said page of the report you can see how it writes to the registry to modify the "trusted" sites of your Windows.

http://lmgtfy.com/?q=%22Software%5CMicrosoft%5CWindows%5CCurrentVersion%5CInternet+Settings%5CZoneMap%5C%22+%22UNCAsIntranet%22

 

EDIT 5:

1) Open https://malwr.com/analysis/NDRmOWViZWIxNDBkNDAzOGI0MDBiMGI4NzMxM2MyMzQ/

2) Click on "Behavioral Analysis" on the left.

3) Click on "GTA V.EXE".

4) Go to the 11th page.

5) Third row of the table: you'll see that it's creating the file "C:\Device\HarddiskVolume1\Documents and Settings\User\Local Settings\Application Data\k43a\KxJ\aksl\ask39K\jha\xregistry.bin".

6) http://lmgtfy.com/?q=xregistry.bin.

doppelblind

Dunno if this has anything to do with the Savefile-Editor, but since the bugs happen when all mods are removed from the game directory, I think it must be something your Editor has messed up in my savegame.

I have trouble replaying certain missions. For example, when replaying the Merryweather heist, Debra's picture is hanging over the score scenario Trevor painted on the apartment wall, so you don't see it and have to guess which version you choose. In one part of the opening cutscene you can see the picture hanging on the wall and being placed on the floor near the kitchen bar at the same time.

- When playing the offshore version a couple of other bugs can happen. Sometimes you see two Mikes standing out in front of Floyd's apartment; one is dressed correctly but can't be controlled, the controllable Michael is dressed normally, not in scuba clothes. When trying to kill the uncontrollable Michael, the mission fails but it says Trevor died. Some time later during the mission, after picking up the device from the sea and switching back to Frank to defeat the Merryweather boats and helicopters, you can't switch back to Michael because his sector of the character wheel is empty, just like the 4th slot. After a while the game wants to auto-switch back to Michael, but this just causes the screen to flip permanently between Frank and Mike. The helicopter is auto-controlled and flies up to Sandy Shores, where the mission fails due to Michael being left behind.

- When playing the container version Mike freezes after climbing up onto the ship.

When loading up a new savegame with your editor and going to the missions tab, you can see there are a lot of missions that haven't been completed yet, but the editor shows values written in a lot of them. So according to your trainer most missions are already done from startup, but this cannot be right. Your trainer is showing wrong values.

Also, when there is a mission that can only be done one way or another, like the Merryweather heist, there are also values in the version one did not play or replay.

!!! The version I had to download today is blocked by my antivirus software. So I can't use your editor anymore!!!

hyperar

Can someone download the current version and submit it on http://malwr.com? I am at work and I don't want the AV system to pick up anything. Please remember to make the submission public, and post it here.

hyperar

My NOD32 doesn't detect anything, but if you want, here's the link: https://malwr.com/analysis/MzUxNmFlZTNmZGU0NDFlNjllZjQwYjIyN2JiMmNhMmY/

Great, thanks. While NOD32 is a great antivirus, it doesn't mean anything that it doesn't detect anything.

In this last version we have an interesting new indicator that it tries to circumvent detection techniques employed by automated analysis tools:

-A process attempted to delay the analysis task by a long amount of time.
Process: GTAV.exe tried to sleep 1566866 seconds, actually delayed analysis time by 0 seconds

What does it mean? That it deliberately tried to do nothing for a long time so there's nothing to detect; it tried to sleep for over 18 days.

Both Avira and AVG detect a possible .NET/Mono assembly trojan.

It changes the .NET Framework config and replaces .NET native libraries.
File created:
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\config\machine.config
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Fails to create files:
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\config\security.config
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch
It changes the following registry key:
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders. Covered here: http://www.symantec.com/connect/articles/most-common-registry-key-check-while-dealing-virus-issue
Tries to load the Windows cryptography library (rsaenh.dll); when that fails, it drops its own, then loads it. Then it accesses Windows registry cryptography keys.

This is from the first few pages of the behavioural analysis. While I'm a software developer and understand some of the things this malware does, some of them are beyond my knowledge. What I can tell you is that this "editor" should not be doing any of this stuff before even running: dropping files, trying to avoid detection by sleeping the running thread for 18 days. I don't know who could still have a doubt that this dude is delivering malware.

If someone has the knowledge to completely understand or explain more than what I did, please share your thoughts.

EDIT: It seems that both Comodo analysis solutions fell for the sleep-for-18-days technique; I submitted the file an hour ago, and I'm still waiting for the results.

EDIT 2: Page 14 of the behavioral analysis shows that it tries to get info from the IP "192.168.56.1", which is a LAN IP. A little Googling revealed that the IP the malware is trying to get info from is the default IP for the host adapter on VirtualBox, which seems to be a way to identify if it's running inside a VM to hide its behaviour.
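The two malwr.com reports hyperar walks through above (the xsandbox.bin drop and ZoneMap registry write a few posts up, and the 18-day sleep and 192.168.56.1 lookup in this one) are the kind of thing worth scripting rather than paging through by hand. The following is an added example, not code from malwr.com, from Cuckoo, or from the editor's author: it reads a Cuckoo-style behavioural report (malwr.com was a public Cuckoo Sandbox front end) and flags the indicators the thread names. The report layout, the sleep threshold, the API lists and the sample report itself are assumptions constructed for this example; only the indicator names and the 1566866-second figure come from the posts.

```python
"""Offline triage of a Cuckoo-style behavioural report for the indicators
discussed in this thread: multi-day sleeps, lookups of the VirtualBox
host-only IP, the xsandbox.bin/xregistry.bin drop files, ZoneMap and
autorun registry writes, and section-mapping APIs used for injection.

Added example, not malwr.com's or the editor's code.  The JSON layout is a
simplified Cuckoo 1.x shape (assumption): each call carries "api" and an
"arguments" list of {"name", "value"} pairs.
"""
import json
from collections import defaultdict

# Thresholds and lists are assumptions chosen to match the thread's
# observations, not values taken from any tool's configuration.
LONG_SLEEP_MS = 5 * 60 * 1000            # NtDelayExecution longer than 5 min
VBOX_HOST_ONLY_IP = "192.168.56.1"       # VirtualBox host-only adapter default
SANDBOX_DROP_NAMES = ("xsandbox.bin", "xregistry.bin")
ZONEMAP_KEY = r"internet settings\zonemap"
AUTORUN_KEYS = (r"currentversion\run", r"currentversion\winlogon")
REGISTRY_WRITE_APIS = {"RegSetValueExW", "RegSetValueExA", "NtSetValueKey",
                       "RegCreateKeyExW", "NtCreateKey"}
# LdrGetDllHandle is deliberately absent: every .NET process calls it
# (GetModuleHandle goes through it), so on its own it proves nothing.
# Mapping a section into another process is a much stronger signal.
INJECTION_APIS = {"ZwMapViewOfSection", "NtMapViewOfSection",
                  "NtUnmapViewOfSection", "WriteProcessMemory",
                  "CreateRemoteThread", "NtQueueApcThread"}


def _args(call):
    """Flatten Cuckoo's [{"name": .., "value": ..}] list into {name: str}."""
    return {a["name"]: str(a["value"]) for a in call.get("arguments", [])}


def triage_process(proc):
    """Map indicator name -> list of evidence strings for one process."""
    found = defaultdict(list)
    for call in proc.get("calls", []):
        api = call.get("api", "")
        args = _args(call)
        values = list(args.values())

        if api == "NtDelayExecution":
            ms = int(args.get("Milliseconds", "0"))
            if ms > LONG_SLEEP_MS:
                found["long_sleep"].append(f"{ms // 1000}s")
        if VBOX_HOST_ONLY_IP in values:          # exact match, not substring
            found["vbox_host_ip_lookup"].append(api)
        if api in ("NtCreateFile", "NtWriteFile"):
            for v in values:
                if any(n in v.lower() for n in SANDBOX_DROP_NAMES):
                    found["sandbox_drop_file"].append(v)
        if api in REGISTRY_WRITE_APIS:
            for v in values:
                low = v.lower()
                if ZONEMAP_KEY in low:
                    found["zonemap_write"].append(v)
                elif any(k in low for k in AUTORUN_KEYS):
                    found["autorun_key_write"].append(v)
        if api in INJECTION_APIS:
            found["injection_api"].append(api)
    return dict(found)


def triage_report(report):
    """Return {process_name: findings} for every process with >=1 indicator."""
    out = {}
    for proc in report.get("behavior", {}).get("processes", []):
        findings = triage_process(proc)
        if findings:
            out[proc.get("process_name", "?")] = findings
    return out


def indicator_count(report):
    """Number of distinct indicator categories seen across all processes."""
    return len({k for f in triage_report(report).values() for k in f})


# Constructed sample report: the API names, paths and the 1566866-second
# sleep mirror the thread's description, but the calls below were written
# by hand for this example and are not taken from any real malwr.com report.
SAMPLE_REPORT = json.loads(r"""{
 "behavior": {"processes": [
  {"process_name": "GTA V.exe", "calls": [
   {"api": "LdrGetDllHandle", "arguments": [{"name": "FileName", "value": "ntdll.dll"}]},
   {"api": "NtDelayExecution", "arguments": [{"name": "Milliseconds", "value": "1566866000"}]},
   {"api": "gethostbyname", "arguments": [{"name": "Name", "value": "192.168.56.1"}]},
   {"api": "NtCreateFile", "arguments": [
     {"name": "FileName", "value": "C:\\Documents and Settings\\User\\Local Settings\\Application Data\\k43a\\xsandbox.bin.__tmp__"},
     {"name": "DesiredAccess", "value": "0x40100080"}]},
   {"api": "RegSetValueExW", "arguments": [
     {"name": "Registry", "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap"},
     {"name": "ValueName", "value": "UNCAsIntranet"}, {"name": "Buffer", "value": "0"}]},
   {"api": "ZwMapViewOfSection", "arguments": [{"name": "ProcessHandle", "value": "0x000000a4"}]}
  ]},
  {"process_name": "notepad.exe", "calls": [
   {"api": "LdrGetDllHandle", "arguments": [{"name": "FileName", "value": "kernel32.dll"}]},
   {"api": "NtCreateFile", "arguments": [{"name": "FileName", "value": "C:\\Users\\User\\notes.txt"}]}
  ]}
 ]}}""")


if __name__ == "__main__":
    for name, findings in triage_report(SAMPLE_REPORT).items():
        print(name)
        for indicator, evidence in findings.items():
            print(f"  {indicator}: {evidence}")
```

On a downloaded report, call `triage_report(json.load(open(path)))`; the benign notepad.exe entry in the sample produces no findings, which is the point of leaving plain loader calls out of the lists. A long NtDelayExecution or a lookup of 192.168.56.1 is evidence of sandbox evasion; the ZoneMap and Run/Winlogon writes and the section-mapping calls are the items to confirm by hand in the full call log.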
El Dorado

Kaspersky

PDM:Trojan.Win32.Bazon.a

gooby

Thank you, that's what I was looking for. The Quick Overview provided limited info and I couldn't scroll down Behaviour Analysis on mobile due to the timeline selection, so I didn't realize the amount of information Malwr provides. The editor is more than a hex editor with GUI, I could see why things like the save decryption mechanisms appear suspicious to malware detection software. But with so many unrelated suspicious actions it does seem pretty clear to be malware. I still can't tell any effects from using his editor since early 2014, but I'm just an end user with almost no coding knowledge. I do stay away from the biggest security risks like saving passwords but I suppose if there are active running sessions on the browser that doesn't help.

 

I still don't get why Hazard would do this to his save editor because he seems to genuinely care about delivering a great extensive service. He could probably include the same malware in a low effort project like the No Clip mod and save a lot of time while achieving the same distribution. I also still wonder how this has gone unnoticed for such a long time while the malware in the PC mods was quickly found and brought to everyone's attention. Then again it all seems too good to be true and free. This provides a perfect shell and he managed to get his tool very well known.

 

I assume you strongly recommend getting rid of it altogether? This editor has so many useful features. It'd be a shame to lose it, and there's no equivalent to replace it. Since it autoruns on Windows startup (I can't find anything suspicious listed in my task manager, but I assume it's easy for him to hide), is it dangerous just to have the .exe saved?

 

Edit: I kept all Save Editor versions I downloaded until now. I don't really know why; I thought it'd be cool to have an archive. It was probably a very bad idea. I might upload them all in an archive tomorrow. Anyway, here's an analysis of 2.0.1.12 from way back in February 2014, the oldest version I have. Interestingly, none of the suspicious activities appear in the overview, although it does create an xsandbox.bin.

https://malwr.com/analysis/MTA1NzEwMTQxNWRiNDM2NWI4ZDk1NmU0ZmI4ZTIwZWY/

hyperar

There is a part of this software that performs encryption and decryption, and it's perfectly justified, but that occurs when you open/save a save game (it's encrypted; it needs to be decrypted, read, and then written and encrypted again), and the analysis was done before the app even ran, so there is no chance that there's a valid reason. It seems to be part of a big malware tool; I'm thinking about a botnet trojan with different capabilities.

 

I had my doubts, as I said before; I do not understand everything, but the good thing about behavioral analysis is that it is not a false positive from AV software: it is telling you what the malware is doing, and there is no mistake in that.

The tool installs itself in Windows autorun.

The tool tries to hide itself from analysis tools.

The tool fingerprints your computer. If the tool could be used as ransomware (CryptoLocker, e.g.), and considering it does funky stuff with Windows cryptography I'm thinking it could, this could identify your PC and be used as a way to identify which private key was used to encrypt your files, and retrieve it when you pay.

The tool steals info from your web browsers.

It drops files that are always found in other malware tools.

It modifies registry keys that are commonly used by malware.

Modifies your computer settings.

These are not suspicions; this has been done by the software, it's all documented.

 

Let's say this is no malware; then:

1) Why does the software do this and plenty of other stuff before even running?

2) Why does it prevent attaching a debugger (a tool that allows running a piece of software instruction by instruction)?

3) Why does it tamper with Windows system libraries?

4) Why does it send control codes to different devices on your PC (network adapters and who knows what), accessing your device drivers directly?

5) Why does it modify .NET Framework config and library files?

6) Why does it crawl deep inside the registry (system) keys?

7) Why does it drop several hidden files and make sure you can't access them even with anti-rootkit tools?

8) Why does it change the font cache folder and create files there?

9) Why does it use undocumented Windows API functions commonly used to inject Windows processes and hide them from the system (ZwMapViewOfSection, LdrGetDllHandle)? LdrGetDllHandle is known to be used to stealthily import library functions.

10) Why does it replace your system fonts (fonts are known to be used to exploit Windows vulnerabilities)? There are pages and pages of getting fonts from the registry and creating font file activity in the analysis.

11) Why does it drop several GTA V.exe files in different folders on the system and delete them so they can't be seen?

12) Why does it change internet cache file paths and properties?

13) Why does it start a Windows service for Remote Access Service Manager (rasman.exe)?

14) Why does it create system registry keys under "Software\Microsoft\Windows NT\CurrentVersion\Winlogon"?

15) Why does it drop an "autoexec.bat" file?

16) Why does it change system environment variables?

17) Why does it check what network connections are created on the system ("C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk")?

18) Why does it change Windows shell folders ("Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders")?

19) Why does it use an account ID only linked to malware information ("S-1-5-21-1547161642-507921405-839522115-1004")?

among other things.

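To make the point about behavioural versus signature analysis concrete, here is an added triage script (example code, not hyperar's, Malwr's or the editor's) that scores a sandbox behaviour summary against the persistence, evasion and injection indicators listed in the post above. The summary layout and both sample summaries are constructed for the example and are not the real Malwr report format.

```python
"""Behavioural indicator triage over a sandbox summary (added example, not
hyperar's, Malwr's or the editor's code). The summary layout below is an
assumption for the example, not the real Malwr/Cuckoo report schema."""
import re

# (label, summary category, regex). Paths and API names are those named in the
# thread; each rule fires on what the sample did, not on a byte signature.
RULES = [
    ("Run-key persistence", "regkey_written", r"\\CurrentVersion\\Run\\"),
    ("Winlogon key written", "regkey_written", r"\\CurrentVersion\\Winlogon"),
    ("User Shell Folders changed", "regkey_written", r"\\User Shell Folders"),
    ("autoexec.bat dropped", "file_created", r"\\autoexec\.bat$"),
    ("Own executable copied elsewhere", "file_created", r"\\GTA V\.exe$"),
    ("Injection / stealth-import API", "api_called",
     r"^(ZwMapViewOfSection|LdrGetDllHandle)$"),
]
LONG_SLEEP_SECONDS = 24 * 3600  # a day or more: the "outlive the sandbox" trick

def triage(summary):
    """Return the labels of the rules that fire. CryptoAPI use alone is
    deliberately not a rule: decrypting a save file is the legitimate part."""
    hits = [label for label, category, pattern in RULES
            if any(re.search(pattern, item, re.IGNORECASE)
                   for item in summary.get(category, []))]
    longest = max(summary.get("sleep_seconds", []), default=0)
    if longest >= LONG_SLEEP_SECONDS:
        hits.append(f"Long sleep ({longest // 86400} days): sandbox evasion")
    return hits

def verdict(summary, threshold=3):
    """Persistence + evasion + injection together is not save-editor behaviour."""
    return "likely malicious" if len(triage(summary)) >= threshold else "no strong indicators"

# Constructed sample summaries (not real report data): one modelled on the
# behaviours listed in the thread, one showing only expected save handling.
SUSPECT = {
    "regkey_written": [
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater",
        r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup",
    ],
    "file_created": [r"C:\Windows\Temp\GTA V.exe", r"C:\autoexec.bat"],
    "api_called": ["CryptDecrypt", "ZwMapViewOfSection", "LdrGetDllHandle"],
    "sleep_seconds": [18 * 24 * 3600],
}
BENIGN = {
    "file_created": [r"C:\Users\me\AppData\Local\GVSE\settings.bin"],
    "api_called": ["CryptDecrypt", "CryptEncrypt", "WriteFile"],
}

if __name__ == "__main__":
    for name, s in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, verdict(s), triage(s))
```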
The Scout

 

Thank you, that's what I was looking for. The Quick Overview provided limited info and I couldn't scroll down the Behaviour Analysis on mobile due to the timeline selection, so I didn't realize the amount of information Malwr provides. The editor is more than a hex editor with a GUI, so I could see why things like the save decryption mechanisms appear suspicious to malware detection software. But with so many unrelated suspicious actions it does seem pretty clear to be malware. I still can't tell any effects from using his editor since early 2014, but I'm just an end user with almost no coding knowledge. I do stay away from the biggest security risks like saving passwords, but I suppose if there are active running sessions in the browser that doesn't help.

 

I still don't get why Hazard would do this to his save editor because he seems to genuinely care about delivering a great extensive service. He could probably include the same malware in a low effort project like the No Clip mod and save a lot of time while achieving the same distribution. I also still wonder how this has gone unnoticed for such a long time while the malware in the PC mods was quickly found and brought to everyone's attention. Then again it all seems too good to be true and free. This provides a perfect shell and he managed to get his tool very well known.

 

I assume you strongly recommend getting rid of it altogether? This editor has so many useful features. It'd be a shame to lose it and there's no equivalent to replace it. Since it autoruns on Windows startup (can't find anything suspicious listed in my task manager but I assume it's easy for him to hide), is it dangerous just to have the .exe saved?

 

There is a part of this software that performs encryption and decryption, and it's perfectly justified, but that occurs when opening/saving a save game (it's encrypted, so it needs to be decrypted, read, and then written and encrypted again), and the analysis was done before the app even ran, so there is no chance that there's a valid reason. It seems to be part of a big malware tool; I'm thinking of a botnet trojan with different capabilities.

 

I had my doubts, as I said before; I do not understand everything, but the good thing about behavioural analysis is that it is not a false positive from AV software: it is telling you what the malware is doing, and there is no mistake in that.

 

The tool installs itself in Windows autorun.

The tool tries to hide itself from analysis tools.

The tool fingerprints your computer. If the tool could be used as ransomware (e.g. Cryptolocker), and considering it does funky stuff with Windows cryptography, I'm thinking it could, this could identify your PC and be used as a way to identify which private key was used to encrypt your files and retrieve it when you pay.

The tool steals info from your web browsers.

It drops files that are always found in other malware tools.

It modifies registry keys that are commonly used by malware.

It modifies your computer settings.

 

These are not suspicions; this has been done by the software, and it's all documented.

 

Let's say this is not malware, then:

 

1) Why does the software do this and plenty of other stuff before even running?

2) Why does it prevent attaching a debugger (a tool that allows running a piece of software instruction by instruction)?

3) Why does it tamper with Windows system libraries?

4) Why does it send control codes to different devices on your PC (network adapters and who knows what), accessing your device drivers directly?

5) Why does it modify .NET Framework config and library files?

6) Why does it crawl deep inside the registry (system) keys?

7) Why does it drop several hidden files and make sure you can't access them even with anti-rootkit tools?

8) Why does it change the font cache folder and create files there?

9) Why does it use undocumented Windows API functions commonly used to inject into Windows processes and hide them from the system (ZwMapViewOfSection, LdrGetDllHandle)? LdrGetDllHandle is known to be used to stealthily import library functions.

10) Why does it replace your system fonts (fonts are known to be used to exploit Windows vulnerabilities)? There are pages and pages of "get font from registry" and "create font file" activity in the analysis.

11) Why does it drop several GTA V.exe files in different folders on the system and delete them so they can't be seen?

12) Why does it change internet cache file paths and properties?

13) Why does it start a Windows service for the Remote Access Service Manager (rasman.exe)?

14) Why does it create system registry keys under "Software\Microsoft\Windows NT\CurrentVersion\Winlogon"?

15) Why does it drop an "autoexec.bat" file?

16) Why does it change system environment variables?

17) Why does it check what network connections are created on the system ("C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk")?

18) Why does it change Windows shell folders ("Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders")?

19) Why does it use an account ID only linked to malware information ("S-1-5-21-1547161642-507921405-839522115-1004")?

 

Among other things.

 

Sounds like malware to me

XB36Hazard

It’s really funny how you guys use other tools to tell you that another tool (GTA V.exe) is doing something on your system just by signatures. I could explain myself all day, but either you’re going to think I’m lying or that I’m telling the truth. To me it’s up to the end user if they want to use my editor. My editor is not taking, stealing or doing anything with your information on your computer. It’s an advanced editor for GTA V and that’s it, nothing more, nothing less. I have been around for a long time and there are people that try to ruin a great editor because they have no clue what they’re talking about and they want something they can’t have. So I have some questions and answers on your guys’ questions.

 

Does this tool install itself on Windows autorun?

Please show me, on Windows with pictures, that it’s in autorun.

 

Why does the tool try to hide itself from analysis tools?

This is because I don’t want people to steal my source code. I spent way too much time on it.

 

Why does it go into the registry?

This is because my obfuscator for the editor uses keys saved in the registry to make sure the editor isn’t tampered with.

 

Why does the editor use decryption before you open any save?

All my files are encrypted! If you look at my past, many people stole things from me, so in this editor I took every single opportunity to make sure it’s secure. Look at the files in the “GVSE” folder in your “Local” appdata folder, I encrypt everything!

 

All in all it’s up to the end user to decide. I’m going to say this again: my editor does nothing to your computer or information, it’s just for modding GTA V. If you really think it’s malware, please provide real proof with pictures on Windows; don’t show me some analysis from a program that really can tell what’s real and what’s not. All analysis programs use signatures, so if the program looks like it’s doing something it will automatically red flag it. If anyone has any questions please ask; if you yell and scream at me I will not answer you (let’s be nice). Also, if you know how to program, I would be happy to Skype with you and show you my code.

Edited by XB36Hazard

hyperar

It’s really funny how you guys use other tools to tell you that another tool (GTA V.exe) is doing something on your system just by signatures. I could explain myself all day, but either you’re going to think I’m lying or that I’m telling the truth. To me it’s up to the end user if they want to use my editor. My editor is not taking, stealing or doing anything with your information on your computer. It’s an advanced editor for GTA V and that’s it, nothing more, nothing less. I have been around for a long time and there are people that try to ruin a great editor because they have no clue what they’re talking about and they want something they can’t have. So I have some questions and answers on your guys’ questions.

 

Does this tool install itself on Windows autorun?

Please show me, on Windows with pictures, that it’s in autorun.

 

Why does the tool try to hide itself from analysis tools?

This is because I don’t want people to steal my source code. I spent way too much time on it.

 

Why does it go into the registry?

This is because my obfuscator for the editor uses keys saved in the registry to make sure the editor isn’t tampered with.

 

Why does the editor use decryption before you open any save?

All my files are encrypted! If you look at my past, many people stole things from me, so in this editor I took every single opportunity to make sure it’s secure. Look at the files in the “GVSE” folder in your “Local” appdata folder, I encrypt everything!

 

All in all it’s up to the end user to decide. I’m going to say this again: my editor does nothing to your computer or information, it’s just for modding GTA V. If you really think it’s malware, please provide real proof with pictures on Windows; don’t show me some analysis from a program that really can tell what’s real and what’s not. All analysis programs use signatures, so if the program looks like it’s doing something it will automatically red flag it. If anyone has any questions please ask; if you yell and scream at me I will not answer you (let’s be nice). Also, if you know how to program, I would be happy to Skype with you and show you my code.

 

Obfuscation and encryption are different things, and you really didn't explain why you make your software sleep a thread for 18 days when it detects that it's being analysed (it has nothing to do with source code), nor why you need to steal information from local web browsers, among other things that are much, much more worrying than what you explained. Why do you need to get which connections are available on the machine? Why did you send control codes directly to devices? Why don't you just use standard .NET objects to do basic things such as HTTP requests? Why do you need to inject stuff into other processes' memory areas?

 

I'm a senior C# developer, but I'm not familiar with many, many of the things your software does, and I don't really find a motive for why you need to do all this stuff before even running.

 

What you're saying doesn't make much sense; if you don't want your source code stolen, then obfuscate it, that's more than enough for 95% of the cases, and I don't think any company is interested in your code.

Edited by hyperar

gooby

If anyone has any questions please ask; if you yell and scream at me I will not answer you (let's be nice). Also, if you know how to program, I would be happy to Skype with you and show you my code.

I still think your editor itself is a great program, so I have no doubts you can prove that that code is legit. However, with all due respect, it's an advanced hex editor with a graphical user interface. It doesn't even do save data decryption/encryption itself; it uses flatz' tool like Bruteforce. Does it really need this level of 'protection'? I'd really like to trust you because, as I posted before, I do see the genuine effort you put into the actual program. But to me those signatures amount to too many suspicious actions. How does hiding from analysis tools protect source code in any way?

 

Also, what do you hope to gain from making this editor? Do you really just want to serve the public for fun? I'm aware this is an incredibly naive question, but I don't really know how to get this across otherwise. Pretty much everything that seems too good to be true on the web is a scam.

HacKasS

Despite having made the exception in the antivirus, it continues to delete the app! How do I fix this?

hyperar

Despite having made the exception in the antivirus, it continues to delete the app! How do I fix this?

 

If this is in fact what I believe (I want to make this very clear) it is, it still changes your system files and configuration; there is no way to tell that the system is safe after running this.

XB36Hazard

 

Obfuscation and encryption are different things, and you really didn't explain why you make your software sleep a thread for 18 days when it detects that it's being analysed (it has nothing to do with source code), nor why you need to steal information from local web browsers, among other things that are much, much more worrying than what you explained. Why do you need to get which connections are available on the machine? Why did you send control codes directly to devices? Why don't you just use standard .NET objects to do basic things such as HTTP requests?

 

I'm a senior C# developer, but I'm not familiar with many, many of the things your software does, and I don't really find a motive for why you need to do all this stuff before even running.

 

What you're saying doesn't make much sense; if you don't want your source code stolen, then obfuscate it, that's more than enough for 95% of the cases, and I don't think any company is interested in your code.

The application doesn’t sleep for 18 days, nor does it take information from local web browsers. As for checking what network connections are available: it checks to see if there is a network connection and then it checks to see if there is an internet connection, so that it can check for updates. The editor also doesn’t send control codes to devices unless it’s checking for a USB for the Xbox 360. And who said anything about companies wanting my code? I obfuscate and encrypt my editor and resources and I always will. Most if not all of the things you are talking about are based on an analysis program that uses signatures to detect what is malware. You guys can say it does this and that but can’t give real solid evidence that it’s actually doing anything.

