ROM Hack WIP SplatHeX A Splatoon Save Editor

  • Thread starter: Tonydaexpert
  • Views: 160,202
  • Replies: 353
  • Likes: 17
Status: Not open for further replies.
Extremely simple, open the application, open x64dbg and attach the process.
Then look through the memory map, and extract the files.
Funny, I did that and I don't see anything, it just tries to decompress the resources. (as I can see)

I keep saying the obfuscation is used to keep online cheaters away, and you try so hard to keep people away from this simple save editor, sad.

--------------------- MERGED ---------------------------

tbh you should be banned from GBAtemp, your lies are so obvious.
 
Feel free to infect your computer, I don't care, just trying to warn you.
it's fairly obvious you're just grasping at straws rn, and given your track record you're not exactly a reliable source

What? I don't think I've said anything about you that's contextually relevant here.
i think they're probably referring to your comment in his hacdn thread, but i'm not entirely certain
 
it's fairly obvious you're just grasping at straws rn, and given your track record you're not exactly a reliable source


i think they're probably referring to your comment in his hacdn thread, but i'm not entirely certain
It's literally one of the first things you see in the program's RAM objects.
It's clear you didn't even attempt to debug it, you'll see it nearly instantly.
 
i think they're probably referring to your comment in his hacdn thread, but i'm not entirely certain
that too, now this thread is garbage

--------------------- MERGED ---------------------------

Who's "everyone"?
everyone when a drama starts about you, like with your titlekey website...

But whatever
 
It's literally one of the first things you see in the program's RAM objects.
It's clear you didn't even attempt to debug it, you'll see it nearly instantly.
honestly it's not worth my time to check for myself, especially if you're the one producing "evidence" that consists of about 20 pixels of a rat icon and a string of java code in image format.

i'll keep using this tool, thanks
 
honestly it's not worth my time to check for myself, especially if you're the one producing "evidence" that consists of about 20 pixels of a rat icon and a string of java code in image format.

i'll keep using this tool, thanks
OK, it's your choice, but don't come running to me if something bad happens.
 
Funny, I did that and I don't see anything, it just tries to decompress the resources. (as I can see)
I'm not seeing anything in particular either, the provided instruction to reproduce appears to be incredibly vague. I'm also not seeing many files left behind (a config file and a log file) and no processes appear to be left running either which is something one might expect from a RAT.
 
I'm not seeing anything in particular either, the provided instruction to reproduce appears to be incredibly vague. I'm also not seeing many files left behind (a config file and a log file) and no processes appear to be left running either which is something one might expect from a RAT.
Yeah, I did notice that, it seems a bit odd, usually a Java process would be running in the background, I'm going to investigate further.
 
Yeah, I did notice that, it seems a bit odd, usually a Java process would be running in the background, I'm going to investigate further.
Are there any dropped binaries? Have you tried running it in Sandboxie to see? Keep in mind that .NET malware likes to inject itself into the .NET console in order to break out of sandboxing and to seem inconspicuous. Just because nothing is apparent in your process list doesn't mean that the malicious party isn't using some shitty ring3 kit (supplied by a crappy crypter) to bypass first glances. I'm checking this out too. I'll report back if I find anything interesting.
 
Simon, please stop. You're defaming the authors of this software.

The only network activity this program has is to check Github for new releases.
This program is .NET-only.
Please provide evidence of your claims.
 
Simon, please stop. You're defaming the authors of this software.

The only network activity this program has is to check Github for new releases.
This program is .NET-only.
Please provide evidence of your claims.
Well, he did find the jRAT icon in the binary. He's either trying entirely too hard, or the author is a skidmark that uses shitty, free RATs. If a jRAT binary is found, we'll have the IP/DNS it connects to as well as SMTP settings and the password used for the backconnect because jRAT stores this shit in plaintext. This said, I'm doing my own analysis so I don't come off as biased.
 
Well, he did find the jRAT icon in the binary. He's either trying entirely too hard, or the author is a skidmark that uses shitty, free RATs. If a jRAT binary is found, we'll have the IP/DNS it connects to as well as SMTP settings and the password used for the backconnect because jRAT stores this shit in plaintext. This said, I'm doing my own analysis so I don't come off as biased.
Make a RAM dump of the app with Process Manager, go to the folder of the dump, download the jrat icon he posted, and try to search the icon with a hex editor.

I didn't find anything.
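
The search described in this post can be scripted rather than done by hand in a hex editor. This is an added example, not part of the original thread; the function names, the stand-in icon bytes and the stand-in dump are all constructed for illustration.

```python
import io

def find_all(stream, needle, chunk_size=1 << 20):
    """Return every offset at which `needle` occurs in a binary stream.

    The dump is read in chunks so it need not fit in memory; the last
    len(needle)-1 bytes of each buffer are carried over so a match that
    straddles a chunk boundary is still found exactly once.
    """
    if not needle:
        raise ValueError("empty needle")
    offsets, tail, base = [], b"", 0
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf = tail + chunk          # buf[0] sits at offset base - len(tail)
        start = 0
        while (i := buf.find(needle, start)) != -1:
            offsets.append(base - len(tail) + i)
            start = i + 1
        base += len(chunk)
        tail = buf[-(len(needle) - 1):] if len(needle) > 1 else b""
    return offsets

def search_dump(dump, icon, probe_len=32):
    """Search for the whole icon file, then for a slice from its middle.

    The probe is taken from the middle of the file because the leading
    bytes of any PNG are a generic header and would match unrelated images.
    """
    mid = len(icon) // 2
    probe = icon[mid:mid + probe_len]
    whole = find_all(dump, icon)
    dump.seek(0)
    return {"whole_file": whole, "probe": find_all(dump, probe)}

# Constructed sample data: a fake icon (PNG signature plus filler bytes)
# placed at offset 1000 of a zero-filled stand-in for a process dump.
ICON = b"\x89PNG\r\n\x1a\n" + bytes(range(1, 200))
DUMP = b"\x00" * 1000 + ICON + b"\x00" * 500

if __name__ == "__main__":
    # With real files: open(dump_path, "rb") and open(icon_path, "rb").read()
    print(search_dump(io.BytesIO(DUMP), ICON))
```

A miss only shows that those exact bytes are absent from the dump; a packed or re-encoded copy of the same image would not match.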
 
Make a RAM dump of the app with Process Manager, go to the folder of the dump, download the jrat icon he posted, and try to search the icon with a hex editor.

I didn't find anything.
I don't use Windows. Sorry to disappoint. You'll get my analysis when it's ready.
 
Well, he did find the jRAT icon in the binary. He's either trying entirely too hard, or the author is a skidmark that uses shitty, free RATs. If a jRAT binary is found, we'll have the IP/DNS it connects to as well as SMTP settings and the password used for the backconnect because jRAT stores this shit in plaintext. This said, I'm doing my own analysis so I don't come off as biased.
@SimonMKWii take notes tbh. this guy's approach is much better than "here's a png of a rat embedded in the program(?) and an image of some java i found in a hex editor once". dunno if you're trying to say that's in the program itself, but i certainly haven't found any sort of java from the ram dump i did. environment variables with my java path, yes. harmless javascript, sure. anything like what you posted, nah.

do your research before trying to start a witch hunt for attention or whatever.

also the method you used so we can reproduce what you're saying would be helpful.
 
Last edited by TheHomesk1llet,