24 Mar

Cybellum – next gen cyber company (it’s not)

2 days ago everybody started talking about DoubleAgent attack that Cybellum supposedly invented and how every Windows OS since Windows XP is screwed. As soon as I read about it, I said “hmmm, where have I seen it before?”.

While the rest of the world went on writing sensational news articles, Alex Ionescu summed up it all up in one nice tweet:

Have fun and don’t believe in everything you read – too many morons are writing about security these days..

09 Mar

Recovering data from faulty HDD

I’m extremely lucky. In my 15+ years of messing with computers, I’ve never lost data due to HDD developing bad blocks and dying. Never! smile

Other people are not that fortunate. So, last weekend I was asked to look at an Acer laptop that just won’t start. Windows startup screen shows up, stays for 5-10 minutes and computer reboots. Safe mode doesn’t start, Alt-F10 Acer Recovery Console won’t show up, nothing. At least I got Windows Memory Diagnostics to show up – and it didn’t find anything wrong with RAM.

After I disabled Automatic Restart on System Failure (and waited 10+ minutes for Windows to crash), I got this nice error UNMOUNTABLE_BOOT_VOLUME (STOP: 0x000000ED):

Considering how much time it takes to get to the error, it’s probably a bad hard disk.

Disclaimer: data recovery is a very delicate science. If you value your data, I suggest that you use a specialized data-recovery service. But if you are short on cash or just want to have some fun with dying HDD, please read on! Just remember that each HDD issue is different and what worked for me might not work for you.

Disassembly time!

I removed 2 screws to get access to HDD. First thing I saw was this huge scratch all over HDD bracket and cover plastic.

Apparently Mr.Awesome Neighborhood PC Repair Dude has tried to remove HDD with a screwdriver and failed. He had also broken few plastic clips on HDD cover – but who cares about those, right? At least, he did no visible damage to the electronic parts of HDD. smile

Let’s try to attach disk to another PC and see if it’s really bad.

Windows hates bad disks

Let me tell you, attaching it to my Windows computer was a bad idea. When disk was plugged in, Windows took 5 minutes to start. Any program took 1-2 minutes to start. To be honest, I have no idea why Windows were acting so weirdly, but hey, kids, don’t try this at home! smile

At least I got an output from Crystal Disk Info which confirmed my suspicions – bad HDD:

On the side note, Internet is full of really stupid advices. If you suspect that your disk might be physically damaged and dying, never ever use “chkdsk” or similar tools on it! They will likely fail and/or corrupt your data even more. Make a full disk copy and try to fix data there.

Lesson learned – don’t use Windows if your HDD is dying. Linux is much safer and data-recovery friendly!

Clonezilla

After some Googling, I found Clonezilla. It’s a free Linux-based software that helps with disk imaging/cloning. Reviews were nice, so I made a bootable USB with Clonezilla and tried it out.

It failed.

After enabling “Expert options” and enabling ––rescue flag, it started to do something. However, estimated completion time of 40+ hours wasn’t exactly exciting. Apparently, Clonezilla/partclone is slow! I’d love to have a solution that actually works, preferrably today.

Ddrescue and open-source stupidities

Few more Google searches later I learned about ddrescue. It’s yet-another-Linux-software that can do almost anything – iff you can master its arcane command-line arguments. As their “manual” tells it succinctly:

This tutorial is for those already able to use the dd command. If you don’t know what dd is, better search the net for some introductory material about dd and GNU ddrescue first.

Dude, I AM reading the ddrescue manual. What other introductory material about ddrescue should I search for? sad

Since ddrescue is included in clonezilla USB image, I launched bash and tried the simplest possible version:

It failed with error “Can’t open input file: Permission denied”. Apparently, you need to use sudo. My next attempt was actually successful!

So, here we are, after 5 hours of running.. Estimated remaining run time is 25 minutes and it has recovered everything but 100MB of data from the HDD… Fingers crossed!

18 hours later my fingers were still crossed.. WTF?

Well… Hidden in the ddrescue manual is this great note:

The ‘remaining time’ is calculated using the average rate of the last 30 seconds and does not take into account … Therefore it may be very imprecise, may vary widely during the rescue, and may show a non-zero value at the end of the rescue. In particular it may go down to a few seconds at the end of the first pass, just to grow to hours or days in the following passes.

Holy fuck, why on earth would you show “remaining time” if you very well know that it’s “very imprecise”? Does it make your program go any faster? No. Does it help your user in any way? No. It just pisses everyone off.

All in all, ddrescue ran for around 48 hours – recovering 99.98% of data. There were still 45MB of non-scraped data left but I decided that it’s not worth to wait 40-50 more hours to rescue mere 20-30 megabytes.

Lesson learned – reading data from unreadable sectors is really slow. Prepare to wait for days!

Analyze the rescued image

Recovering data is great. But what to do with the 0.02% of data that were unreadable? ddrescue log can tell you that sector 0x12345000 was unreadable – but you will have no idea which file occupied that sector. Since I’m a Windows guy, I decided to modify ddrescue’s suggested approach a bit and used Windows tools when possible.

First, run ddrescue with ––fill-mode argument:

It will take the image file and mark all unreadable sectors with “BABEC0DE” and relevant sector/position information based on the log file. The affected part of file will look like this:

You can pick whatever text you want – I didn’t want to use suggested “DEADBEEF” constant, as it is much more commonly used and might actually appear in some valid files.

Second, reboot into Windows and use OSFMount to mount the created hdimage.img:

Finally you can see files and folders from the damaged disk. Now use whichever Windows tool you like to search for “BABEC0DE”. In my case, there were 16 files affected – 12 videos and 4 log files. So, nothing of value was lost! smile

Write the rescued image to the new hard drive

If you have Acronis or other Windows cloning software, you could use that to write HDD image to new disk. Since I didn’t have any, I use Clonezilla’s bootable USB and Linux standard dd command:

After an hour and a half all the data were transferred to the new disk. Now I just needed to put HDD back into the laptop, boot up the system and run chkdsk to make sure that everything is fixed.

After 3 evenings and plenty of swear words, it’s a great success! smile

Final words

There are two kinds of people, those who back up their stuff and those who have never lost all their data. Be smart and make sure you have proper backups! Otherwise, be prepared to spend few evenings learning Linux disk management tools and cursing their command-lines.

Till next time!

16 Feb

NetBalancer: should you trust it?

Last few months people kept bashing antivirus and security software in general. Like on Twitter or their personal pages. Sure, Twitter is full of opinionated idiots who just love to complain about everything that doesn’t match their point of view. On a few occasions they are right and even I have written about some of the issues with antiviruses before.

But!

But you’d be f*king stupid to delete your antivirus just because it has some bugs. Doorlocks get picked by criminals every day and people still use them. Professional lockpickers do exist – it’s their job to break lock’s security mechanism and get you back in the house when you lose your keys. Tavis Ormandy is a professional lockpicker – only he works in the digital world. It’s his job to break digital security mechanisms and help vendors to fix the issues.

Having said that, not all software is created equal. Sometimes new and dangerous features get added to an otherwise great software. These features look good on paper but they can really ruin someone’s day. Today, I’ll demonstrate one such feature.

Introducing SeriousBit NetBalancer

NetBalancer is a Windows application for local network traffic control and monitoring. It shows you the network traffic on your computer and helps you to set limits, priorities and rules for that traffic. Some sort of a firewall – but better. It can prioritize your traffic, schedule it for specific times, do statistics, make graphs and charts and what not. And it looks really good!

Predefined Priorities

NetBalancer’s Predefined Priorities is a feature that looks great on paper.

For those of you who are not sure what priorities are best for your PC we decided in NetBalancer 8.5 to add some predefined priorities.
These priorities include the most used programs and processes, currently about 1700 total (and counting), and are set to match the needs of most users

It could be used for virtually everything:

  • giving high priority to VoIP applications and games
  • making sure background processes (eg. software updaters) don’t interrupt your Youtube experience
  • and even blocking malware

The possibilities are endless. In fact, virtually all of the antivirus products use similar databases to preconfigure their firewalls. It makes total sense after all!

However, the devil is in the details. All such databases must be maintained. New version of Skype comes out, you need to update database. League of Legends releases new update, you must update the database. And you must do it very fast, so that your users don’t suffer from misbehaved firewall. It’s a lot of work.

Since NetBalancer is made by a small company called SeriousBit SRL, I was naturally curious how they manage to do that. smile

Inside Predefined Priorities

First, I needed to obtain the complete database of the priorities. You could try to find something in C:\ProgramData\SeriousBit\NetBalancer\ but it would be more interesting to find and download correct files for the official servers, right? smile After a quick string search, I learned that priorities can be downloaded from https://netbalancer.com/api/internal/predefinedpriorities. It’s a huge JSON file but isn’t encrypted or signed in any way.

That’s a serious red flag right there. Security companies vigorously protect their databases – it’s their know-how, their crown jewels. And they use digital signatures to make sure that the databases aren’t tampered with. After all, which developer wants to see his product in news like “MalwareBytes: multiple security issues“? smile

OK, in this case JSON file is downloaded over HTTPS, therefore it’s slightly harder to intercept traffic and modify it. So, let’s ignore this issue for a moment and look at the JSON data instead.

In a minute or two, I was in the full “WTF?” mode.

Here’s an excerpt from the JSON, prettified for easier viewing:

Setting high priority for RAR and TMP files.. More than 2000 entries like that? WTF?

How about this?

Yes, I want to download my porn with a high priority, thank you very much!

But how on earth that got through the QA process? Is there any QA process in SeriousBit SRL? I highly doubt that..

Unsolicited user data gathering

All those entries made me think – how is it possible that NetBalancer’s database contains such crap information? Most obvious answer was – it’s submitted by users. To verify the guess, I took a sneak peek inside SeriousBit.NetBalancer.Core.dll. And there it was:

The call is coming from here:

There you have it – if you have enabled “Predefined Priorities”, NetBalancer will also silently upload all your priorities to their servers.

Want to wreak some havoc with unsuspecting users of NetBalancer? Post your own JSON file that blocks all traffic for all the browsers – apparently NetBalancer doesn’t validate user submissions and will happily distribute them to other users. bigsmile

Abusing existing database

I was also wondering what is the meaning of ExeNameCrc field. smile Turns out that NetBalancer uses CRC32 of filename as a key in the dictionary that manages process priorities To make matters easier, they also supply you with a proper filename in ExecutablePath field. So, if you want to make sure your malware has unlimited traffic and high download priority, just name it swarm.exe:

Indeed, CRC32(“swarm.exe”) = 1475648703, as you can verify in some online CRC32 calculator..

A quick test confirms that too:

Conclusion

Trust is a delicate subject. On the one hand, all the Cloud and Connected things make your life much easier. On the other hand, you must choose wisely who you trust and what data he/she can access. I doubt that SeriousBit intentionally created such buggy and dangerous feature in NetBalancer. But that doesn’t mean I would ever want it to be running on my machine!

Have fun and stay safe!

06 Feb

Updated Molebox unpacker

During last year, the most common complaint on this blog was “your Molebox unpacker cannot unpack this crazy big EXE of MMORPG game X, Y or Z.”

Sounds like an easy problem to fix, right? Well, that’s not true – but I finally did it!

TL;DR – new version of unpacker is here: https://www.mediafire.com/?t3xw46s554it5fp

In the rest of the post I’ll describe the obstacles I had to overcome while solving this seemingly simple problem.

Delphi TMemoryStream limitation

First, unpacker is written using classic (non-.NET) Delphi and compiled as x86 executable. And standard Delphi streams are retarded. TMemoryStream uses GetMem – which ends up somewhere in Delphi memory manager and VirtualAlloc. That doesn’t work well with 800+MB files.

I ended up with implementing custom stream backed by temporary file (CreateFile with FILE_ATTRIBUTE_TEMPORARY | FILE_FLAG_DELETE_ON_CLOSE).

Pointer magic

Since the original unpacker was using TMemoryStream, the whole file was loaded in memory as a continuous memory block and I could easily read/write each byte of file using pointers. Something like this:

Guess what? Files don’t work that way.. sad I had to do a full and complete rewrite of all those methods.

Zlib conflicts

Original unpacker was compiled with Delphi 3. Delphi 3 didn’t have Zlib library, so you had to supply your own Zlib implementation. But it won’t compile with new versions of Delphi, giving error message

Unit Graphutil was compiled with a different version of zlib.TZDecompressionStream.

The solution was to get rid of my Zlib implementation and rewrite all methods that deal with decompression.

ANSI strings

In Delphi 3 all strings were ANSI. Starting from Delphi 2007, strings are Unicode. Since Molebox internally uses ANSI, it required changing quite a few structure definitions and rewriting several string manipulation routines. It’s a lot of fun (and source of the most obscure bugs), trust me!

Conclusion

I hope you find this unpacker useful. But if it doesn’t work for you, please send me an error report with all the details you can and I’ll try to fix it. Have fun!

Download link: https://www.mediafire.com/?t3xw46s554it5fp

01 Feb

Moving to a new host

Last week MaxXor suggested that I should add HTTPS support to my blog. My existing free host (bplaced) doesn’t offer HTTPS, so I decided to finally switch to paid hosting. After thinking a bit, reading customer references, I chose Active24 – and so far the experience has been overwhelmingly positive.

  • Webhost was set up within minutes, including self-signed HTTPS certificate;
  • As soon as you update your DNS entries, Let’s Encrypt certificate is issued automatically. You don’t need to do anything yourself!
  • Unlimited disk space;
  • Unlimited traffic;
  • Unlimited cron jobs;
  • And everything “just works™”;

For now HTTPS is optional (try https://lifeinhex.com/), I’ll start enforcing HTTPS in a few days after fixing all the mixed-content warnings. smile

Have fun and stay safe (and let me know if you notice any issues)!

26 Jan

Abusing Microsoft-signed executables

This morning I noticed an article from Cylance named “Graftor Variant Leveraging Signed Microsoft Executable“. It’s a nice article, so I can really recommend you read it.

TL;DR version: Graftor authors are using DLL hijacking in SrcTool.exe to load their own dbghelp.dll. If antimalware solution trusts executable that’s signed by Microsoft (most of them do!) and doesn’t check all the DLLs it loads, malicious code will not be detected.

Other vulnerable files

I decided to look for other Microsoft-signed files that could be abused in a similar manner. One quick search for EXE files in folder C:\Program Files (x86)\Windows Kits that also contain string dbghelp.dll and here’s the result:

  • agestore.exe
  • cdb.exe
  • dbh.exe
  • kd.exe
  • mftrace.exe
  • ntkd.exe
  • ntsd.exe
  • srctool.exe
  • symchk.exe*
  • symstore.exe
  • tlist.exe
  • tracefmt.exe
  • tracepdb.exe

*symchk.exe also requires SymbolCheck.dll.

All these files are statically linked to dbghelp.dll and therefore vulnerable to DLL hijacking. agestore.exe, mftrace.exe, srctool.exe, symstore.exe, tlist.exe, tracefmt.exe and tracepdb.exe are the best targets – if you don’t pass any command-line to them, they load dbghelp.dll but don’t call any of its APIs and therefore will not crash.

Demo time

Here’s a small fake dbghelp.dll you can use for testing: https://www.mediafire.com/?yx677bhxtyc13pu

Place it in the folder with vulnerable EXE lies and run the EXE. If a “DLL Hijacking” messagebox shows up, the EXE is vulnerable. smile Something like this:

Have fun and keep it safe!

18 Jan

Blog not dead

I just noticed that I haven’t published a full-length post for almost 2 months already. sad Let me assure you, this blog is not dead, I just had a peaceful Christmas vacation. Here’s what else is new..

Domain renewal

I’m still having fun writing this blog. So, I’ve renewed the domain for one more year. Since I’m using a free shared hosting, HTTPS is not an option. But if you would really like to see that (or any other improvements to the site), please let me know in the comments.

WordPress update

As you probably have noticed, this blog is running on WordPress. And since my webhost has really tough restrictions on what can be done with shared hosting accounts, automatic update of WordPress is not possible. So, I updated the engine manually to the latest version 4.7.1.

Last night there was some short outage but it was more likely caused by maintenance on the webhost. But please do let me know if you notice any issues with the site!

Improved Enigma Virtual Box unpacker

One of the most requested features for Enigma Virtual Box unpacker was support for large files. I had to rewrite quite a lot of stuff to make it happen but now it works fine for files up to 4GB (and possibly more). wink It’s finished but I need to test the unpacker properly before making it public.

Improved Molebox unpacker

Again, one of the most requested features is to support huge files (500MB+). Since the original unpacker was written in 2009, compiled only with Delphi 4 and was intended to unpack regular EXE files, I had to rewrite pretty much everything from scratch – so I’m happy to say that it’s 90% done. I should be able to wrap it up in a few weeks and then make it public.

Blog post about video-to-exe DRM protections

Every once in a while someone in Tuts4You asks about video-to-exe or pdf-to-exe “protections”. Every single one I’ve seen so far has been just a snake oil. In the article I’ll document the methods used by these “protections” to encrypt video/PDF and prevent user from extracting original file out of EXE. You won’t believe how much time and effort goes into preparing a single technical blog post – so don’t expect it to be finished any time soon. wink

Have fun and talk to you all later!

02 Dec

Deobfuscating AutoIt scripts

Every once in a while, someone posts an interesting challenge concerning protected or obfuscated AutoIt scripts. Today I’d like to show some basic approaches to AutoIt deobfuscation. As a target I’ll use a very simple protection called AutoGuardIt and the crackme from Tuts4You thread. If you don’t have access to Tuts4You, here is the alternative download link: https://www.mediafire.com/?qs52emp7tkk472g

In general, there is nothing hard in decompiling AutoIt scripts. The Autoit script interpreter is designed in such a way that it’s really easy to convert P-Code back to the script form. There’s also a tidy.exe utility which takes ugly hand-written script and reformats it to make it really pretty. All of this makes writing deobfuscators much easier because you can start with well-formatted AutoIt script and your deobfuscator can consist of simple regexps and string replaces. It will not be very pretty code but it will work.

While I was preparing this blog post, SmilingWolf came up with a full-featured solution written in Python. It’s a nice solution but it doesn’t explain how or why it works. So, in this article I will explain how the protection works, show the basic techniques and sample source code to defeat each of the protection steps. Making a full-featured deobfuscator is left as an exercise for the reader.

Required tools

  • C# compiler. All my examples were tested under Visual Studio 2010 but any recent version should do
  • MyAutToExe. I’m using my personal modification of myAutToExe. You can download it from Bitbucket: https://bitbucket.org/kao/myauttoexe
  • Tool for testing regexps. I’m using http://regexr.com/
  • Some brains. You can’t become a reverser if you can’t think for yourself.

Decompiling the script

There are 2 public tools for extracting compiled AutoIt script: MyAutToExe and Exe2Aut.

Exe2Aut uses dynamic approach for obtaining script – it runs the file and gets decrypted and decompressed script from process memory. That’s usually the easiest way but you really don’t want to run the malware on your computer.

MyAutToExe uses static approach – it analyzes file and tries to locate, decrypt and decompress the script on its own. That’s more safe approach but it’s easier to defeat using different packers, modified script markers and so on. To extract script from this crackme, I used my own MyAutToExe (see “Required tools” section above).

Analyzing the obfuscation

Once the script is extracted and decompiled, it looks quite strange and unreadable:

Let’s look at each of the obfuscation techniques and see how it works and how it can be defeated.

Integer decomposition

AutoGuardIt takes constants and converts them to series of math operations. Example:

Deobfuscator should be able to take the expression, evaluate it and replace the expression with the correct value.

The biggest problem here is the precedence of operations (multiply and divide should be processed before addition and subtraction), so you can’t start from the beginning of line and do it one step at a time. This would be wrong:

After some thinking and few Google searches, I found a LoreSoft.MathExpressions library that does all the heavy lifting for me. smile

The following C# code snippet will find all math expressions, extract them, evaluate them and replace expression with the actual value:

Pseudo-random integers

This is quite strange protection that relies on a fact that AutoIt’s Random function is actually pseudo-random number generator. If you seed it with the same seed, you get the same results. Example:

In general, it’s a very bad idea because there’s no guarantee that random number generator will not change in the next version of AutoIt. But for now it works..

Since I was already using myAutToExe, I decided to use RanRot_MT.dll from the package.

a = StringLen(“xyz”)

Small integers can be obfuscated by using function StringLen:

To clean them up, a simple regex can be used:

End result:

Chr(x)

Some strings in the executable are split into bytes, and each byte is then encoded as call to Chr function:

Another simple regex will kill all of those:

The result will be valid but still hardly readable string:

And one more simple search-replace will fix that:

End result:

If 1 Then

Once you remove the integer obfuscations, you’ll see a lot of useless statements like this:

This condition is always true, so we can remove both If and EndIf lines and improve readability.

The problem here is that If‘s can be nested and you can’t just remove first EndIf that you encounter. Consider this example:

Taking all that into account, I came up with this ugly but working* code:

* – see below for some scenarios where this code might fail.

If a = a Then

Variation of previous protection. In such cases, using regexp is much more efficient than simple string comparison

Do Until 1

It’s pretty much the same protection as If 1 Then and it can be defeated the exact same way.

While 1 / ExitLoop / WEnd

Another protection of the same kind, just uses 3 lines of code instead of 2. Same approach, just make sure you match the correct lines and remove all 3 of them.

For $random=0 to 123.456 / ExitLoop / Next

Another protection, very similar to previous ones.

Here one must be very careful not to remove the real for cycles from program, so it’s better to use regexps. Apart from that, it’s pretty much the same code again.

Assign/Execute

This type of protection relies on AutoIt’s Assign function. First, an alias to a function is defined:

Later, alias is used to call the function:

Deobfuscation is a simple operation: find all calls to Assign, extract the variable name and the function name, then replace all references to the variable with the function name:

BinaryToString

As you can see in the example above, some strings in the script are replaced with calls to BinaryToString. Here’s a another example of the same protection where part of code is replaced with BinaryToString + call to Execute.

Merging all 3 lines into one and converting hex strings to bytes gives us the following code:

which using the methods described earlier can be deobfuscated as:

Functions returning constants

Some strings are not only encoded using BinaryToString but also moved to a separate function.

Deobfuscated code will look like this:

It’s quite tricky to find the correct return value for each function and replace function calls with correct values. In addition to that, regexes aren’t really suitable for such tasks. smile The code I wrote is really ugly, so I’m not going to show it. Go, figure it out yourself! smile

Switch control-flow obfuscation

This is actually the hardest one of them all. The example code looks like this:

You must find the initial value of the variable. Then you must find the correct start/end of the Switch, all the switch cases and all other assignments to the control variable. Then you’ll be able to reorder all the code. It’s a moderately hard problem for which I don’t have a pretty solution. smile

Here’s my code which seems to work:

After cleanup, the deobfuscated code looks like this:

Unused variable assignments

There are random variable assignments sprinkled all over the code.

They are only assigned once and never used. To clean them up, one can locate the assignments using regex, count how many times this variable appears in the code and remove it, if it’s only assigned once. Something like this:

You can remove string and integer assignments using very similar regex.

Lather, rinse, repeat

If you run each of the mentioned deobfuscations only once, you’ll end up with half-deobfuscated code. Also, there isn’t one specific order in which the deobfuscations should be applied. Of course, you could just run the entire loop 100 times, but it’s just ugly.

Therefore, I prefer to run the code in the loop like this:

It will run all the deobfuscations until there’s nothing left to clean up. Then run tidy.exe on the output and you’ll get a nicely readable script.. smile

Possible problems and gotchas

Deobfuscators based on string matching are very easy to implement. However, one must be very careful to write correct regular expressions and string comparisons. My example code works very well on this specific crackme. However, it will mess up with code like this:

You can work around such issues by using more specific regexes with anchors. During my research, I used http://regexr.com/ a lot, and I find it really helpful. Give it a try!

Conclusion

In this article I showed basic approaches that can be used to deobfuscate (not only) AutoIt scripts. They are extremely simple and work well for one-time tasks. For more complex tasks, deobfuscators based on abstract syntax trees or disassembled P-Code are much more efficient but more time-consuming to create.

Have fun!

15 Nov

Why morons shouldn’t be writing about security, part 2

I read Kotaku’s article called “FBI Says Alleged Hackers Used FIFA To Steal Millions From EA” this morning. And it reminded me of the crap articles Catalin Cimpanu writes at Softpedia.

What’s wrong with Kotaku’s article?

Well, pretty much everything.

First, this group did not steal from Electronic Arts. If fact, not a single penny of real currency was taken from EA.

According to an unsealed FBI indictment, Clark and his co-defendants allegedly built a tool that would send false signals to EA’s servers to spoof matches, generating these FIFA coins at a rapid rate. The FBI alleges that Clark and crew then sold the coins to third-party sellers, earning millions.

Exactly! Guys received FIFA coins from EA (it’s an in-game currency) which they later sold on underground sites. Money came from persons entirely unrelated to Electronic Arts and it was given voluntarily. And that, by definition, is not a theft.

The article continues with a plenty of other funny statements like

.. worked with the defendants to get Xbox development kits and reverse-engineer a pirated copy of FIFA 14 using a program called Interactive Disassembler. This process took several months, Alcala said, but it allowed them to create a tool for mining FIFA coins.

I just love the IDA reference in here. bigsmile These guys used disassembler, they must be real evil hackers! All in all, this article is a fun read but it got all the basic facts wrong.

Mr. Jason Schreier, please stop writing about things you have no clue about. Stick to your video game reviews or something.

What is really happening?

Thankfully, UK journalists have much better idea of what’s happening in US courts, and they wrote a much better article. According to the indictment, the charges are “conspiracy to commit wire fraud“, a stupid catch-all term used in US courts for pretty much everything done over the Internet.

That document is equally funny read and shows how desperate the prosecutors must be to make any charges stick. Let’s see:

  • the defendant assisted in creating a program (…) which sent electronic messages to EA’s servers fraudulently representing that thousands of FUT matches had been completed in the EA’s FIFA video game. EA’s servers materially relied on the completed match messages and credited various accounts maintained by the defendant and his co-conspirators with FIFA coins. – this is the only part of the indictment that actually makes sense. Kinda. There’s one teeny tiny detail – RANE Developments got virtual goods from EA. And the legal status of virtual goods is very unclear in the United States. If virtual goods are not “money or property” in the eyes of law, then there was no fraud.
  • the defendant and co-conspirators continued to create and execute new methods to circumvent the security measures by EA in EA’s effort to prevent fraudulent activity associated with the company’s FIFA video game. – that might be a breach of EULA but not a crime;
  • executed their “application” through a video game console, which they modified to circumvent security and copyright protections, and on game development kits, which they obtained from unlicensed sources. – we’re getting desperate, let’s charge them with modding their consoles!
  • executed their “application” through cloud computer servers, which allowed them to run more copies of the software and obtain significantly more FIFA coins. – if nothing else helps, let’s charge them with renting cloud computer servers! Oh, wait, what? smile

Naturally, the defendant has pled not guilty to the charge. And if his lawyer is any good, I’m guessing he’ll walk out of the court as a free man.