brucethemoose / Minecraft-Performance-Flags-Benchmarks

Sane, Benchmarked Java Flags and Tweaks for Minecraft
MIT License

Graalvm from this guide may be compromised? Rogue processes and tcpip port exhaustion #35

Closed D3SL closed 1 year ago

D3SL commented 1 year ago

I downloaded GraalVM 17 for Windows amd64 directly from this guide and have started experiencing troubling issues. javaw.exe will regularly exhaust all TCP/IP ports trying to connect to "v2202209151437200088:25575", and it will also periodically begin taking up all available RAM and CPU cycles in a rogue process connected to "libwebgl64.jar" in %appdata%/local/microsoft edge/.

Inside this folder I found run.bat containing

@echo off
start /B "" "C:\Gaming\MultiMC\graalvm-ee-java17-22.3.1\bin\javaw.exe" -jar "C:\Users\XXX\AppData\Local\Microsoft Edge\libWebGL64.jar"

and inside libWebGL64.jar I found Bootstrap.class and h.class along with a META-INF file. Decompiling those with VS Code gets me:

 // Failed to get sources. Instead, stub sources have been generated by the disassembler.
 // Implementation of methods is unavailable.
public class Bootstrap {

  public static java.net.ServerSocket ALLATORIxDEMO;

  private static java.net.InetSocketAddress ALLATORIxDEMO() {
    return null;
  }

  public static java.lang.String ALLATORIxDEMO(java.lang.String a) {
    return null;
  }

  public static void ALLATORIxDEMO(java.nio.file.Path a, java.net.InetAddress a, byte[] a) throws java.io.IOException {
  }

  static {} {
  }

  private static void ALLATORIxDEMO() {
  }

  public Bootstrap() {
  }

  public static  java.net.InetSocketAddress ALLATORIxDEMO(java.util.function.Supplier<java.net.InetSocketAddress> a, java.nio.file.Path a) throws java.security.NoSuchAlgorithmException {
    return null;
  }

  public static void main(java.lang.String... a) throws java.net.URISyntaxException, java.io.IOException {
  }
}
 // Failed to get sources. Instead, stub sources have been generated by the disassembler.
 // Implementation of methods is unavailable.
public class h {

  private final java.nio.ByteBuffer ALLATORIxDEMO;

  public h(java.nio.ByteBuffer a) {
  }

  public final char ALLATORIxDEMO() {
    return 0;
  }

  public final boolean ALLATORIxDEMO() {
    return false;
  }

  public final byte ALLATORIxDEMO() {
    return 0;
  }

  public final int b() {
    return 0;
  }

  public final short ALLATORIxDEMO() {
    return 0;
  }

  public final float ALLATORIxDEMO() {
    return 0;
  }

  public final byte[] b() {
    return null;
  }

  public final byte[] ALLATORIxDEMO() {
    return null;
  }

  public static h ALLATORIxDEMO(java.nio.channels.SocketChannel a, int a) throws java.io.IOException {
    return null;
  }

  public final java.lang.String ALLATORIxDEMO() {
    return null;
  }

  public final double ALLATORIxDEMO() {
    return 0;
  }

  public final java.nio.ByteBuffer ALLATORIxDEMO() {
    return null;
  }

  public final long ALLATORIxDEMO() {
    return 0;
  }

  public final int ALLATORIxDEMO() {
    return 0;
  }
}

Allatori is a Java obfuscator. So the question is: why is an obfuscated jar file masquerading as WebGL being silently run by a batch file by the GraalVM offered by this page?
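A small triage helper for the indicators described in this post (a run.bat handing javaw.exe a jar named libWebGL64.jar under the Edge AppData folder, whose classes carry the ALLATORIxDEMO placeholder that the Allatori obfuscator leaves behind). This is an added example, not code from the issue or from the repository; the sample jar and batch text are constructed here to mirror what the post quotes, and the function names are my own.

```python
"""Triage a suspicious jar + launcher pair like the one quoted in the issue."""
import io
import re
import zipfile
from pathlib import Path
from typing import Optional

ALLATORI_MARKER = b"ALLATORIxDEMO"  # placeholder name left by the Allatori obfuscator
# Launcher shape taken from the quoted run.bat: javaw.exe ... -jar "...libWebGL64.jar"
LAUNCHER_RE = re.compile(
    r'javaw\.exe"?\s+-jar\s+"?(?P<jar>[^"\r\n]*libwebgl64\.jar)', re.IGNORECASE
)


def inspect_jar(data: bytes) -> dict:
    """Return class entries, single-letter class names and whether the Allatori marker is present."""
    findings = {"classes": [], "single_letter_classes": [], "allatori_marker": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".class"):
                continue
            findings["classes"].append(name)
            if len(Path(name).stem) == 1:  # e.g. h.class, typical obfuscator output
                findings["single_letter_classes"].append(name)
            if ALLATORI_MARKER in zf.read(name):  # marker sits in the class constant pool
                findings["allatori_marker"] = True
    return findings


def parse_launcher(bat_text: str) -> Optional[str]:
    """Extract the jar path a batch file passes to 'javaw.exe -jar', or None if absent."""
    match = LAUNCHER_RE.search(bat_text)
    return match.group("jar") if match else None


def build_sample_jar() -> bytes:
    """Constructed stand-in for libWebGL64.jar: entries mimic the decompiled stubs in the issue."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Bootstrap\n")
        zf.writestr("Bootstrap.class", b"\xca\xfe\xba\xbe" + ALLATORI_MARKER * 3)  # fake class bytes
        zf.writestr("h.class", b"\xca\xfe\xba\xbe" + ALLATORI_MARKER)
    return buf.getvalue()


# Constructed copy of the run.bat quoted above (path is the one the poster showed).
SAMPLE_BAT = (
    '@echo off\nstart /B "" "C:\\Gaming\\MultiMC\\graalvm-ee-java17-22.3.1\\bin\\javaw.exe"'
    ' -jar "C:\\Users\\XXX\\AppData\\Local\\Microsoft Edge\\libWebGL64.jar"\n'
)
```

Run `inspect_jar(Path(p).read_bytes())` against a real jar and `parse_launcher(Path(b).read_text())` against a batch file to get the same findings for files on disk.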

D3SL commented 1 year ago

It's not the GraalVM, it's a tainted Minecraft mod that's smart enough to use Minecraft's Java executable.

couleurm commented 1 year ago

What mod was that?

D3SL commented 1 year ago

It's been taken down, it was called "Create Infernal Expansion Plus".