Ahhh I love this trick. Demoscene goes all in on it sometimes, but there are even uses of it in racing games on the Game Boy, where it was used for drawing the geometry of the upcoming road with faux perspective
Posts by endrift
It, again, truly doesn't matter whether vibecoding actually caused the outages or not - when you start bragging about how Claude is making every engineer on staff more productive and the site goes through months of persistent downtime, that's a Statement.
I basically don't use bsky but I figured I might as well post it here for visibility
Man, the character limit is really killing me here on bsky. I had to split that thread into like twice as many posts as it was originally on Masto
Anyway yeah if a malware analyst follows me and wants any of the stages involved, from the raw Python script to the machine code payload lmk
I don't think it actually injects this machine code as a payload; it just loads it into memory as a bytestring in Python, remaps the memory as executable, and then calls directly into it, with some malware-prevention bypass stuff in the middle.
...which I think specifically is to bypass the Anti-Malware Scan Interface by replacing a reference to amsi.dll with ansi.dll. And then it invokes the payload in the process itself using LdrCallEnclave, I think.
Ok, it looks like it starts the CLR...in the Python process I think? Some code is run next that I don't know exactly what that does, but it seems to monkeypatch the clr DLL in the current process.
But I really don't feel like tossing the blob into ghidra. SHA-256 of the machine code blob is 64f70a4cfdf24b817c795ea28b90cad23af92f640c616464bbea365d4c1c89aa.
I suspect this stage is just a payload injector that is installed into something else. The payload itself is a 781579 byte blob of x86 machine code. I suspect that payload isn't even the main payload but instead an encrypted blob and decryption stage for the final payload.
SHA-256 of the file is e86c0415e102c0e72265f7145b472e85e537135866e33e8d865d536f6e569c1c and I've uploaded it to VirusTotal: www.virustotal.com/gui/file/e86...
The program itself is heavily Windows-specific to a degree I don't understand. It appears to inject a block of machine code (I see a nop sled at the beginning of the bytestring) into something but I'm out of my depth here.
The malicious script names itself node_modules.asar to attempt to blend in. It's a base85-encoded Python program which itself is a base64-encoded zlib compressed Python program that contains the actual Python program.
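The layered unwrapping the post above describes (an outer base85-encoded stub, inside it a base64-encoded zlib-compressed stub, inside that the real script) can be peeled statically without ever exec()ing a stage. The following is an added example, not endrift's code and not anything recovered from the analysed sample: it builds a constructed stand-in with the same three-layer shape, walks each stub's AST for its longest string literal (an assumption about where the payload sits), tries the two wrappings named in the thread, and then greps the innermost script for the kinds of strings the later posts mention (ctypes-driven executable memory, the amsi.dll/ansi.dll swap, the CLRHost/crashpad install names). The indicator list is likewise an assumption for illustration.

```python
import ast
import base64
import zlib

# Constructed innermost script standing in for "the actual Python program".
# It is only ever parsed in this demo, never executed.
INNER = '''import ctypes
SHELLCODE = b"\\x90\\x90\\x90"  # constructed stand-in for the machine-code blob
print("stage 3 would VirtualProtect the buffer here")
'''


def build_sample(inner: str) -> str:
    """Wrap a script the way the thread describes: zlib+base64 inside a stub,
    then that stub base85-encoded inside an outer stub. Constructed for the demo."""
    stage2 = "import base64, zlib\nexec(zlib.decompress(base64.b64decode({!r})))\n".format(
        base64.b64encode(zlib.compress(inner.encode())).decode())
    stage1 = "import base64\nexec(base64.b85decode({!r}))\n".format(
        base64.b85encode(stage2.encode()).decode())
    return stage1


def largest_string_literal(src: str):
    """Assumption: the encoded payload is the longest str literal in the stub."""
    tree = ast.parse(src)
    literals = [n.value for n in ast.walk(tree)
                if isinstance(n, ast.Constant) and isinstance(n.value, str)]
    return max(literals, key=len) if literals else None


# Wrappings to try, most self-validating first (zlib carries a checksum, so a
# false positive on garbage input is effectively impossible).
DECODERS = (
    ("base64+zlib", lambda s: zlib.decompress(base64.b64decode(s))),
    ("base85", lambda s: base64.b85decode(s)),
)


def peel(src: str):
    """Decode one layer statically. Returns (label, inner_source), or None if
    no decoder yields valid UTF-8 that also parses as Python."""
    literal = largest_string_literal(src)
    if literal is None:
        return None
    for label, decode in DECODERS:
        try:
            inner = decode(literal).decode("utf-8")
            ast.parse(inner)
        except Exception:  # bad alphabet, bad padding, zlib error, SyntaxError
            continue
        return label, inner
    return None


def unwrap(src: str, max_layers: int = 8):
    """Peel layers until nothing decodes; never exec()s anything.
    Returns (list of layer labels outermost-first, innermost source)."""
    layers = []
    for _ in range(max_layers):
        result = peel(src)
        if result is None:
            break
        layers.append(result[0])
        src = result[1]
    return layers, src


# Strings worth flagging in the innermost script, chosen from what the thread
# reports. The list is an assumption for this demo, not a signature set.
INDICATORS = ("ctypes", "VirtualProtect", "VirtualAlloc", "amsi.dll", "ansi.dll",
              "LdrCallEnclave", "CLRHost", "crashpad")


def indicators(src: str):
    """Case-insensitive substring triage of a decoded script."""
    lowered = src.lower()
    return [i for i in INDICATORS if i.lower() in lowered]


if __name__ == "__main__":
    sample = build_sample(INNER)
    layers, final = unwrap(sample)
    print("layers peeled:", layers)
    print("indicators in innermost script:", indicators(final))
```

Trying the zlib wrapping before base85 matters: Python's b85decode will happily turn many base64 strings into garbage bytes, and only the UTF-8 and ast.parse checks then reject them, whereas a zlib stream that decompresses is almost certainly the real next stage. Additional wrappings (plain base64, marshal, hex) slot into the DECODERS table without touching the loop.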
It's a doubly-obfuscated Python program that I think is being used in the current Discord credential stealing campaign. It installs itself into AppData/Roaming/Google/Runtime/CLRHost/[hex garbage]/ and names the Python binary as ls_crashpad_handler.exe.
Is bsky back? Can I post the rest of that thread now?
I really need to replay DotT. Still have my original CD!
clippy drawing that reads "have you considered using your brain instead of asking chatgpt?"
#art
Oh I see I'm not the only one who remembers calling 480p widescreen "enhanced definition"
Game Boy Intermediate
An update: it seems like Sigma Star Saga DX has added the required disclosure and LRG has also reached out to me about what to do going forwards. Looks like this is going to be resolved.
Given how simple that is it's all the more egregious that this baseline hasn't been met at least twice now!
The baseline is just complying with the MPL. This would mean crediting the original work and copyright, providing any changed source files in the used work, and linking to the original source. If you don't change mGBA at all it's basically free so long as you give credit and the link.
There are lots of us actually! NanoBoyAdvance was also written by a trans person, and I'm kinda blanking on others at the moment but I know there are plenty
I haven't been active here like at all
I already have nearly 1/3 as many followers as my mastodon account got over several years...
God this was not how I wanted to start using this account
Also please stop @'ing MVG in the replies
They do not have a negotiated license. I am unsure what they're doing beyond what I've seen with WF's (mis)use.
An extremely funny thing about retro rereleases that use unlicensed emulators is that you are basically committing the exact same crime (using software outside of the terms of its license) that has you so scared of downloading ROMs in the first place, but now someone has monetized it.