I was trying out MCCheat yesterday, that program that gives you fly/invincibility and spawn controls, and didn't think to check its code beforehand to see if it was malicious. I decompiled the code in JavaDecompiler and checked the class files to see if they could potentially snatch your MC account data when logging in. MCCheat auto-logs you in if your data is remembered by the Minecraft client; if it is not remembered, then MCCheat will prompt you to enter it, supposedly into its own dialog box.
What's more suspicious is that neither the MCCheat.jar nor the Updater.jar code makes any reference to websites for downloading or sending information. What it does do, though, is decode data from a gif file. Data was hidden in the i.gif file by a process called steganography. The i.class is coded to decode the information from this gif, as seen in the code below. Other classes import the i.class to use its info, and there are a few pieces of code that send http connections using references to the i.class.
Here's the code from the i.class in JD
If anyone knows more about steganography or how to decode gif images, please post your findings here. The I.gif file is in both mccheat.jar and the updater.jar in the folder named "i".
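One concrete way to start on the question above, as an added example that is not code from the thread or from MCCheat: the simplest and most common way to stash data in an image is to append it after the format's end-of-image marker, because every viewer ignores it. The script below walks the GIF block structure (header, colour tables, image descriptors, extension blocks) to find the real 0x3B trailer, returns whatever follows it, and greps that for URL-looking strings. The sample GIF and the hidden `example.invalid` URL are constructed here for the demo; it is an assumption that i.gif hides data this way at all, since a decoder class could just as well be reading pixel LSBs or the palette, in which case this check finds nothing and you need to read the decompiled i.class to see which bytes it touches.

```python
# Added example, not from the original thread or from MCCheat.
# Walks a GIF's block structure to locate the trailer (0x3B) and returns any
# bytes appended after it, then looks for URL-like strings in that payload.
import re
import struct

URL_RE = re.compile(rb"(?:https?|ftp)://[\w.\-]+(?::\d+)?(?:/[^\s\"'<>]*)?")


def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Skip a chain of GIF data sub-blocks (length byte + payload) ending in a 0x00 byte."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size


def gif_trailing_payload(data: bytes) -> bytes:
    """Return the bytes that follow the GIF trailer, or b'' if the file ends cleanly."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF file")
    # Logical screen descriptor: width, height, packed flags, bg index, aspect ratio.
    _w, _h, packed, _bg, _aspect = struct.unpack("<HHBBB", data[6:13])
    pos = 13
    if packed & 0x80:                               # global colour table present
        pos += 3 * (2 << (packed & 0x07))           # 2^(N+1) RGB entries
    while True:
        if pos >= len(data):
            raise ValueError("no trailer found")
        block = data[pos]
        pos += 1
        if block == 0x3B:                           # trailer: the image proper ends here
            return data[pos:]
        if block == 0x2C:                           # image descriptor (9 bytes)
            ipacked = data[pos + 8]
            pos += 9
            if ipacked & 0x80:                      # local colour table
                pos += 3 * (2 << (ipacked & 0x07))
            pos += 1                                # LZW minimum code size
            pos = _skip_sub_blocks(data, pos)       # compressed pixel data
        elif block == 0x21:                         # extension block
            pos += 1                                # extension label
            pos = _skip_sub_blocks(data, pos)
        else:
            raise ValueError(f"unknown block type 0x{block:02x} at offset {pos - 1}")


def find_urls(blob: bytes) -> list:
    """Pull URL-looking strings out of an arbitrary byte blob."""
    return [m.group(0).decode("ascii", "replace") for m in URL_RE.finditer(blob)]


# Constructed sample: a valid 1x1 GIF89a, then the same file with a payload appended.
SAMPLE_GIF = (
    b"GIF89a"
    + b"\x01\x00\x01\x00\x80\x00\x00"                 # 1x1, global colour table (2 entries)
    + b"\x00\x00\x00\xff\xff\xff"                     # the two palette entries
    + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"     # image descriptor, no local table
    + b"\x02\x02\x44\x01\x00"                         # LZW min code size 2, one sub-block, terminator
    + b"\x3b"                                         # trailer
)
HIDDEN = b"http://example.invalid/count.php"           # constructed, not a real endpoint
SAMPLE_WITH_PAYLOAD = SAMPLE_GIF + HIDDEN

if __name__ == "__main__":
    for label, gif in (("clean", SAMPLE_GIF), ("with payload", SAMPLE_WITH_PAYLOAD)):
        tail = gif_trailing_payload(gif)
        print(f"{label}: {len(tail)} trailing bytes, urls={find_urls(tail)}")
```

Run it against the real file with `gif_trailing_payload(open("i/i.gif", "rb").read())` after extracting the jar. A zero-length result is not a clean bill of health; it only rules out this one hiding spot.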
It definitely looks malicious, and just the fact that people are bringing it up means that it could potentially be dangerous. When programs you downloaded, which are not mentioned by the creators, ask for your passwords, then they're most likely unsafe.
Perhaps he was experimenting with something? I do that all the time, I have loads of old snippets that I never use in my code.
Oh yeah, on his website and on MCCheat itself, it displays how many people are using it. I'm not an expert on this but I would have thought the program would have to send a packet to the server to let it know that +1 person is using it. Being that there are absolutely no URLs included in the code, it would make sense to me that they've got to be in the gif image which is decoded by the i class, so I doubt it was an experiment being that the i.class and i.gif are in both mccheat.jar and updater.jar, neither of which contain direct url links in their code.
But, I've confirmed a non-malicious intent. So hush up.
You've done no such thing. You claim that you used a packet sniffer to make sure the program did not access an external server, but forgive me for not believing a random (and rude) stranger on the internet.
I find the whole thing very suspicious, and will not be using MCCheat. The program does not need to know my account information to run, so it shouldn't have it.
I'm not familiar with that programming environment, but most compilers/assemblers I've used in the past have had a way to step through the code and watch variables. Perhaps that could be done with your NIC off to see what is being extracted out of the gif.
I want to know if the function is called AT ALL.
If it is, then sure, suspect him, but if not, leave it be.
Once a program is compiled, there's not really any reliable way of watching variables. Normally you can only do that while you're actually coding and debugging it. Not when it's compiled.
Your Fiddler2 program probably can't detect it then. MCCheat is sending information to the server, I don't know how, but how else would it tell how many people were using the application? As I've said before, there are no URLs directly in the code, not even in the updater. The updater is what downloads mccheat.jar ffs, it has to have a link for that and the only hidden location which might contain a link is in the .gif, which happens to be decoded by the I class which is imported in a bunch of other places.
try decompiling the code and looking to see if it makes any connections, that way you can know for sure
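The "are there any URLs or connection code in the jar at all?" check can be done without a decompiler, because every string literal and every referenced class name has to sit in the class file's constant pool. Below is an added example, not code from the thread or from MCCheat, that parses the constant pool of each .class entry in a jar, reports URL-looking string constants and references to java.net networking classes, and lists the non-code resources (which is where a file like i/i.gif would show up). The jar, the class file and the `example.invalid` URL are all constructed in memory for the demo.

```python
# Added example, not from the original thread or from MCCheat.
# Parses the constant pool of .class files inside a jar and reports strings and
# class references that point at network code, plus any non-class resources.
import io
import re
import struct
import zipfile

NET_CLASSES = (
    b"java/net/URL", b"java/net/URLConnection", b"java/net/HttpURLConnection",
    b"java/net/Socket", b"java/net/InetAddress",
)
URL_RE = re.compile(rb"(?:https?|ftp)://[^\s\"'<>]+")


def constant_pool_utf8(data: bytes) -> list:
    """Return every CONSTANT_Utf8 entry from a .class file's constant pool."""
    magic, _minor, _major, count = struct.unpack(">IHHH", data[:10])
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pos, index, entries = 10, 1, []
    while index < count:
        tag = data[pos]
        pos += 1
        if tag == 1:                                  # CONSTANT_Utf8: u2 length + bytes
            (length,) = struct.unpack(">H", data[pos:pos + 2])
            entries.append(data[pos + 2:pos + 2 + length])
            pos += 2 + length
        elif tag in (3, 4):                           # Integer, Float
            pos += 4
        elif tag in (5, 6):                           # Long, Double occupy two pool slots
            pos += 8
            index += 1
        elif tag in (7, 8, 16, 19, 20):               # Class, String, MethodType, Module, Package
            pos += 2
        elif tag in (9, 10, 11, 12, 17, 18):          # *ref, NameAndType, (Invoke)Dynamic
            pos += 4
        elif tag == 15:                               # MethodHandle: u1 kind + u2 index
            pos += 3
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {pos - 1}")
        index += 1
    return entries


def network_indicators(class_bytes: bytes) -> dict:
    """URL literals and java.net class references found in one class file."""
    utf8 = constant_pool_utf8(class_bytes)
    urls = {m.group(0).decode("ascii", "replace") for s in utf8 for m in URL_RE.finditer(s)}
    return {
        "urls": sorted(urls),
        "net_classes": sorted(s.decode() for s in utf8 if s in NET_CLASSES),
    }


def scan_jar(jar_bytes: bytes) -> dict:
    """Map every .class entry to its indicators and list the non-class resources."""
    report = {"classes": {}, "resources": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".class"):
                report["classes"][name] = network_indicators(zf.read(name))
            elif not name.endswith("/"):
                report["resources"].append(name)
    return report


# Constructed sample: a class file header plus a five-entry constant pool (the
# parser never reads past the pool, so the rest of the class is omitted).
def _u2(n: int) -> bytes:
    return struct.pack(">H", n)


def _utf8(s: bytes) -> bytes:
    return b"\x01" + _u2(len(s)) + s


SAMPLE_CLASS = (
    b"\xca\xfe\xba\xbe" + _u2(0) + _u2(49)            # magic, minor, major (Java 5)
    + _u2(7)                                          # constant_pool_count = slots used + 1
    + _utf8(b"java/net/HttpURLConnection")            # #1
    + b"\x07" + _u2(1)                                # #2 Class -> #1
    + _utf8(b"http://example.invalid/count.php")      # #3 (constructed URL)
    + b"\x08" + _u2(3)                                # #4 String -> #3
    + b"\x05" + struct.pack(">q", 0)                  # #5 Long, also takes slot #6
)


def build_sample_jar() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("i.class", SAMPLE_CLASS)
        zf.writestr("i/i.gif", b"GIF89a")              # stand-in resource, not a real image
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_jar(build_sample_jar()))
```

Two caveats matter for the argument in this thread. A URL that is assembled at runtime (for instance decoded out of a resource file) will not appear as a string constant, so an empty `urls` list proves nothing on its own. The `net_classes` list is harder to hide from: a class that opens an HTTP connection has to name `java/net/HttpURLConnection`, `java/net/Socket` or similar in its pool unless it goes through reflection, so a class with no such references is one that cannot phone home by itself.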
I don't wish to sound rude, but instead of complaining about it, or insinuating that people who try to assure you through their own methods of testing are liars, try doing some of your own tests.
For example, comment out/delete that portion of code, recompile the program and run it. If you get no errors and the program runs successfully, then you can run the program without worry. If it doesn't run then it will either simply crash or give you an error message. Explore the error message or continue to assume it was malicious and don't use it.
You could also email the author of the program and ask him for an explanation as to what that snippet does exactly. If you get no response, as above, you can continue to assume it's malicious.
Research other users of the program too. Have there been any reports of stolen account information? Anyone using someone's account when they haven't been online? If so, have any of them ever used this program?
Finally, I have to point this out - and this will sound rude - ...As for other people's tests, instead of jumping down their throats, try asking them for a screenshot or a copy of the log produced by the sniffer if you have to mistrust everyone. Their being rude doesn't excuse you from also being rude.
Sorry for the double post. The number of uses is an easy trick of the trade in web design; I've used it myself. "people using my program" isn't necessarily "I'm getting feedback from my program over the internet from everyone using it", it's more likely to be a re-phrased version of "this is how many people have downloaded my program" which is a simple counter coded into the web page, not the application. -shrugs-
Click download it counts how many people have clicked that link, huzzah you now have a user count!
The class was decompiled as stated by OP. I've programmed in C/C++ and Assembly in the past so I know a little about the process and what can/cannot be done with code. Java seems easier to decompile than other languages that are meant to be executed by the CPU.
Thanks.. I guess I got a bit irrational there, a screenshot would have been a better idea. I think your comment was much needed, put some sense back into my head
(only if that worked for half of the posters on this forum)
I'm going to try modifying the source in a bit to see what comes of that, or just rewrite the whole thing without the need for the gif once I find out what it was used for.
I sent a message to the developer's youtube channel where he posts videos of the program, I wasn't able to find any other contact info
If there's hidden data that's obviously not meant to be open to eyes, then it's probably hidden so people don't find out about it. That makes it a bit suspicious.
Don't worry about it, we all get that way sometimes. :happy.gif: It's just I've had people accuse me of using my programs to steal information because it wasn't immediately clear to them what a piece of code did exactly. I'm not saying you're wrong as I can't tell exactly what that code does (commenting FTW -.-), just that we should always investigate before accusing.
Anyhoo, let us know if you get a reply and/or if you test the program out without the code... I'll get the lynching equipment and the creepers just in case. >D
EDIT: Also, depending on how MCCheat uses your login info, i.e. whether it sends the information directly to the MC server to log in, or passes it to minecraft.jar which then logs you in, it would be possible to use your firewall to block MCCheat's access to the internet while still using it.
I'd like to know why it requires your login info though, instead of just being able to run and find the Minecraft exe after you've logged in normally... surely the latter would be a safer method for your users?
I'm still curious then why the creator put that gif file in there with hidden data, and why it couldn't have been included in the code :/
You forgot your semicolons.
RandomCodeSnippetWhichDoesntDoAnythingJustToMakePeopleParanoid();
... I couldn't think of anything shorter. <.<
You also don't want to capitalize the first letter.
:tongue.gif:
Yeah... I deleted "some" from the beginning and didn't alter case... ;P