Rofl, so many computer security ignorant folk here. Probably the same type of people who leave your wireless network unprotected because it's 'easier' to connect to. (Thanks, neighbors!)
Nothing suspicious... for now. Here's the script on Pastey. Just drop it in a folder along with I.gif and run with Python 2.7 or compatible.
____
Edit: Script wasn't loading the resource file in binary mode. Fixed.
Edit: Added a link to the main app's I.gif. The code block is just the updater's resources.
I've done some rather intense decompiling and hex editing of both the mccheat files and the i.gif created inside. It certainly seems rather notorious and extremely concerning. I've found a few things:
- After collecting username and password information, i.gif is updated with a large amount of information
- mccheat does send back files over HTTP
I have yet to decrypt the i.gif, but I strongly suggest not using this software. It seems extremely malicious in terms of stealing your username and password. It isn't just saying "Hi, I'm alive!" to a server to be counted, but it's actively sending decent bits of data. I'm going to run some more intensive tools and update as I find out more.
Thanks! This makes a lot more sense now. I noticed in the source of mccheat.jar it would make reference to lines of data collected by the i.class from the i.gif, such as:
URL localURL = new URL(I.I(342));
Also, the Python script is very helpful.
In my previous post I put a picture of YouTube comments; the developer said that he removed this string encryption thing. It's a neat idea for storing data in GIFs, but it's pretty suspicious as well.
MCCheat Heartbeat
The developer of MCCheat went out of his way to take that string encryption out of the obfuscation process, so the strings are included in the code. Why this wasn't left alone in the first place, I'm not sure. It just seems like extra work that makes things more suspicious for almost no benefit.
Also
Quote from Ruirize »
Fiddler2 reported no communication with an outer server, it's all good.
This is what connects to his server to add a number to users currently online using MCCheat. There's other code that links to a users.php page, which is just the page with the total number of users on it.
Anyways, this code seems quite harmless. If anyone else decompiles it and finds anything "malicious", post it here. I think the whole problem revolved around the vagueness of what the gif was doing there, but I'm a bit more certain that MCCheat is safe, but not 100% certain yet
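Added example, not part of the original thread and not the script linked above: one way to triage a JAR for resources that carry a .gif name but do not start with a GIF header, which is the kind of file the I.gif discussion is about. The sample archive, its entry names and the filler bytes are constructed for the demonstration and are not taken from MCCheat.

```python
import io
import math
import zipfile
from collections import Counter

GIF_MAGICS = (b"GIF87a", b"GIF89a")  # the two valid GIF signatures

def shannon_entropy(data):
    """Bits per byte; values near 8 suggest encrypted or compressed content."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def suspicious_gifs(jar_bytes):
    """Return (name, size, entropy) for .gif entries that lack a GIF header."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if not info.filename.lower().endswith(".gif"):
                continue
            data = jar.read(info)
            if data[:6] not in GIF_MAGICS:
                entropy = round(shannon_entropy(data), 2)
                findings.append((info.filename, len(data), entropy))
    return findings

def build_sample_jar():
    """Constructed sample: one entry with a GIF header, one opaque blob named I.gif."""
    real_gif = b"GIF89a" + bytes([1, 0, 1, 0, 0, 0, 0]) + b";"
    # Constructed filler bytes (every byte value appears twice), not MCCheat data.
    blob = bytes((i * 37 + 11) % 256 for i in range(512))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("icons/logo.gif", real_gif)
        jar.writestr("I.gif", blob)
        jar.writestr("I.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()

if __name__ == "__main__":
    for name, size, entropy in suspicious_gifs(build_sample_jar()):
        print(f"{name}: {size} bytes, no GIF header, entropy {entropy} bits/byte")
```

A flagged entry only means the file is not an image; what the bytes hold still has to be established by reading the class that loads it.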
Yes, I did read the entire topic, but from what I've seen there are people for it and people against it.
What I mean to ask is: does it or can it steal your Minecraft login info?
If it was malicious, why would the maker of it go through the trouble of actually making it work?
/thread
Higher propagation rate. If it works, it spreads further than if it doesn't work. My question is, why would you go to all this trouble to steal someone's login info for Minecraft? It's not like you can farm gold or items for your RMT business. It's neither profitable nor logical.
I loled so hard
http://tinyurl.com/9l6km29
The main app's I.gif is a little longer: http://pastey.net/142402
I have been running this since 1.0 and no problems at all!
http://tinyurl.com/9l6km29
Evocraft - Minecraft Evolved
Are you incapable of reading the first post? Or even the thread title?
Venit, quessit, induravit.
I'm saying that I have no problems, so no, I do not think it's dangerous
http://tinyurl.com/9l6km29
Yes I did
Is this program truly safe?
Yes, I did read the entire topic, but from what I've seen there are people for it and people against it.
What I mean to ask is: does it or can it steal your Minecraft login info?
/thread
ಠ_ಠ
Higher propagation rate. If it works, it spreads further than if it doesn't work. My question is, why would you go to all this trouble to steal someone's login info for Minecraft? It's not like you can farm gold or items for your RMT business. It's neither profitable nor logical.