maximegmd / CyberEngineTweaks

Cyberpunk 2077 tweaks, hacks and scripting framework
MIT License

PSA: EZ Optimizer shenanigans #317

Closed DartPower closed 3 years ago

DartPower commented 3 years ago

I strongly advise you DON'T use EZ Optimizer for Cyberpunk 2077 from EZ PC TECH. Right now, they are forcing this stuff everywhere.

The thing is, according to some people, the code was plagiarized by another person on NexusMods. By the way, this tool is written in C#. But everything is even worse... In this "optimizer" there is a corny, simple piece of software that changes the settings of the game. But it's not that simple: after launching the software, it creates a separate hidden method that is obfuscated and injects cryptographically encrypted malware into RAM... The malware itself (from the module) looks like an application resource (in fact, it is completely encrypted/packed) and weighs 4 KB...

So far VirusTotal is showing 2/71. But the author of the campaign is cunning; he deliberately used his knowledge of obfuscation and other tricks to greatly reduce antivirus detection.

In other words, it is a virus. You can prove it for yourself by applying the following steps:

  1. Deobfuscate (rename) methods via de4dot-cex
  2. Decompile the code via dnSpy (.NET Framework version)
  3. Examine the code and understand that something is definitely not right there.

P.S. Sorry for posting this here. This is very important info...

grungebuddy commented 3 years ago

"understand that something is definitely not right there"

Can you be more specific?

DartPower commented 3 years ago

Can you be more specific?

Sorry for my bad english. I meant "something is wrong here"

kaeltis commented 3 years ago

It's extremely shady, it contains an encrypted binary and the means to decrypt and possibly execute it.

While I can't see where it would execute this (there are no references to the decryption class and methods in the rest of the code, but I have no knowledge of C#), it looks like someone modified their half-finished malware to create this "optimizer".

I would definitely stay as far away from EZ Optimizer as possible.

According to https://github.com/yamashi/CyberEngineTweaks/issues/317#issuecomment-751938583 the shadiness was caused by the obfuscator that was used; although it wasn't malicious, everyone should still be careful and scrutinize every executable downloaded from unknown sources.

GreenyX1 commented 3 years ago

Creates a user.ini that turns off SSR, sets ambient occlusion to very low and changes crowd density for an FPS boost. No magic. Reports of Win32/Bladabind, Wacatac and/or Trojan:Win32/DefenseEvasion, a nasty encrypting ransomware. Don't touch it.

Edit: probably downloading random packages if it's shady.

ipoopedmypantsuups commented 3 years ago

Well what the fuck does it do? Password stealing? Account jacking? Is it a RAT? What? Already rebooted my PC, so.

ErikShel17 commented 3 years ago

I cannot see a freaking reason for people to jeopardize a utility for an FPS boost just because either they are trolls or... idk. Eventually, I think that this is true. Not only here, but I read some other forums and people were also saying that their antiviruses started to detect malware, ransomware and trojans. I personally recommend you use CyberEngineTweaks for now.

dboggs95 commented 3 years ago

I don't think antivirus scans are evidence that this is or is not a trojan horse. Honestly, I think a fresh install of Windows would probably have "viruses" if you let an antivirus program scan it.

I do agree that if you are decompiling and finding strange blobs of code getting loaded into memory then it does look suspect, but I only know enough in this area to do damage, so let me offer an alternative hypothesis on the meaning of this observation. It is possible that his method of performing the optimizations involves patching the Cyberpunk 2077 exe in memory. This allows you to modify resources dynamically without any file system changes. So you wouldn't have to back up your game exe, and it might even work on new versions of the exe if the patched bytes stay in the same place. This is very possible since I read that the AMD-SMT fix is possible to do with a hex editor. Further supporting this would be this tweet from him saying it edits some game files. Unfortunately, he does not specify whether it does it on the file system or in RAM (and maybe it doesn't matter, if something similar is required to modify the exe directly, but then I would think there would be a backup exe).

As a software developer, I can understand the feeling of putting development effort into a personal project like this and wanting to "own it," but this is not paid-for software, so at the most (if he is being honest) he might be making ad revenue off the demo video. If I were the developer being accused of wrongdoing in this case, I would open source this tool to acquit myself, and I would demonstrate that when I compile the exe and then decompile it, it looks exactly like the original, to prove I didn't simply remove malware from the published source.

dboggs95 commented 3 years ago

I'm not saying the argument above justifies trusting the tool and taking the risk, but I want to play Devil's Advocate since there is a possible benign explanation for what we are seeing, and this accusation, if false, would damage an innocent developer's reputation.

deton24 commented 3 years ago

The program is just a set of 3 user.ini files for the engine\config\platform\pc location. Here is the config: https://pastebin.com/ycVmBhsW The difference between balanced and max boost is disabled volumetric fog.

https://i.imgur.com/0f87y5q.png https://i.imgur.com/cTshHd8.jpg https://i.imgur.com/P8ZZ0dj.jpg

(I'm not the source, just passing the info)

maximegmd commented 3 years ago

I would definitely stay away from this as well; it's a piece of crap software containing, as said, 3 preset config files, you do not need software to do this, and there is indeed source code that decrypts and deflates memory in there, which is usually how you pack malware in an executable.

This is also a good opportunity to see which media can be trusted, any media who shared this tool should be avoided, they do not put any research into it and just want a quick click bait even if that means exposing readers to malware.

As an alternative please use https://github.com/derplayer/ConfigOverhaulCyberpunk/ this is legit and does way more!
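The "decrypts and deflates memory" pattern maximegmd points at is also what makes a packed payload easy to spot in triage: bytes that were compressed and then encrypted have near-maximal entropy, while code, text and config data do not. The following is an added example, not code from this thread, from EZ Optimizer or from Cyber Engine Tweaks. It builds a constructed binary image (low-entropy filler around a zlib-deflated blob "encrypted" with a repeating XOR, a stand-in for real encryption), slides a window over it to locate the high-entropy region, and then runs the inverse decrypt-then-inflate chain that a packer stub performs. Every name, the key and the sample bytes are assumptions made for the example.

```python
"""Added triage example: locate a packed/encrypted blob inside a binary image and
show the decrypt-then-inflate chain a packer stub performs. All data below is
constructed for the example; the repeating-XOR step stands in for real encryption."""
import math
import random
import zlib
from collections import Counter

WINDOW = 512       # bytes per entropy window; small windows under-estimate entropy
THRESHOLD = 7.0    # bits/byte; native code, text and ini data sit well below this


def shannon_entropy(data: bytes) -> float:
    """Empirical Shannon entropy in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_high_entropy_regions(image: bytes, window: int = WINDOW,
                              threshold: float = THRESHOLD):
    """Scan non-overlapping windows and merge adjacent ones above the threshold.
    Returns [(start, end, max_entropy), ...]; an empty list means nothing looks packed."""
    regions = []
    for off in range(0, len(image), window):
        chunk = image[off:off + window]
        if len(chunk) < window // 2:
            break  # too little data for a meaningful estimate; skip the tail
        ent = shannon_entropy(chunk)
        if ent < threshold:
            continue
        if regions and regions[-1][1] == off:
            start, _, best = regions[-1]          # extend the previous region
            regions[-1] = (start, off + len(chunk), max(best, ent))
        else:
            regions.append((off, off + len(chunk), ent))
    return regions


def xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack(payload: bytes, key: bytes) -> bytes:
    """Deflate, then 'encrypt': this is what produced the blob a stub later unpacks."""
    return xor(zlib.compress(payload, 9), key)


def unpack(blob: bytes, key: bytes) -> bytes:
    """The 'decrypt and deflate memory' chain: undo the XOR, then inflate."""
    return zlib.decompress(xor(blob, key))


# --- constructed sample image (assumption: nothing here comes from the real tool) ---
_rng = random.Random(2020)
FILLER = b"MOV EAX,1\nRET\n" * 40                          # low-entropy stand-in for code/text
PAYLOAD = bytes(_rng.randrange(256) for _ in range(3000))  # stand-in for an embedded executable
KEY = b"\x5a\xa5\x3c\xc3"                                   # hypothetical 4-byte XOR key
BLOB = pack(PAYLOAD, KEY)
PAYLOAD_OFFSET = 4096                                       # multiple of WINDOW: blob starts on a window boundary
SAMPLE_IMAGE = (FILLER * 8)[:PAYLOAD_OFFSET] + BLOB + (FILLER * 8)[:2048]


if __name__ == "__main__":
    for start, end, ent in find_high_entropy_regions(SAMPLE_IMAGE):
        print(f"suspect blob at 0x{start:x}-0x{end:x}, entropy {ent:.2f} bits/byte")
    recovered = unpack(SAMPLE_IMAGE[PAYLOAD_OFFSET:PAYLOAD_OFFSET + len(BLOB)], KEY)
    print("unpacked payload matches:", recovered == PAYLOAD)
```

Run it against a real file by replacing SAMPLE_IMAGE with the file's bytes; a hit only tells you that a region is compressed or encrypted, not that it is malicious (dio-gh's later finding in this thread, a compressed blob that turned out to hold nothing but an icon, is exactly that false positive), so the region still has to be extracted and inspected.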

deton24 commented 3 years ago

It spread everywhere. Even in my country (PL IT news sites). No one looks inside such tools. Including yours, which was equally spread.

Mon., 28 Dec 2020, 11:42, user yamashi notifications@github.com wrote:

I would definitely stay away from this as well; it's a piece of crap software containing, as said, 3 preset config files, you do not need software to do this, and there is indeed source code that decrypts and deflates memory in there, which is usually how you pack malware in an executable.

This is also a good opportunity to see which media can be trusted, any media who shared this tool should be avoided, they do not put any research into it and just want a quick click bait even if that means exposing readers to malware.


maximegmd commented 3 years ago

After further investigation we have not found a cryptominer or other crap. Our suspicion was caused by the use of an obfuscator and considering the kind of code this contains (pretty much just 3 ini files) it doesn't make any sense to be using this kind of tool.

We still recommend you don't use this, we won't be reverse engineering every patch they make and since it doesn't do anything, it's an unnecessary risk. If the tool were to become opensource and actually do something more than just set some ini settings we will reconsider that.

dboggs95 commented 3 years ago

This is also a good opportunity to see which media can be trusted, any media who shared this tool should be avoided, they do not put any research into it and just want a quick click bait even if that means exposing readers to malware.

Agreed. Tom's Hardware has been around for a while, and I thought it was supposed to be a reputable site. They shouldn't be recommending things like this without checking them out first. And there are plenty of other places that are just linking their readers to this without making sure it's trustworthy.

This lends credence to the argument that Open Source is secure. If we could see it, we would know. Instead we are speculating.

dboggs95 commented 3 years ago

The program is just a set of 3 user.ini files for the engine\config\platform\pc location. Here is the config: https://pastebin.com/ycVmBhsW The difference between balanced and max boost is disabled volumetric fog.

https://i.imgur.com/0f87y5q.png https://i.imgur.com/cTshHd8.jpg https://i.imgur.com/P8ZZ0dj.jpg

(I'm not the source, just passing the info)

Thanks. He showed a demo where he was getting an impressive performance boost, so I still wanted to know what his tool was doing to achieve that.

deton24 commented 3 years ago

Actually it's a good question whether the tool does anything beneficial to performance besides just editing the config.

maximegmd commented 3 years ago

It doesn't

Deepdelver commented 3 years ago

With some help from this post (https://www.nexusmods.com/cyberpunk2077/videos/150) I decided to remove the suspicious code and recompile it, in case someone wants the tool without the strange virus messages and without some fancy binary. Have fun!

Edit: The developer released the tool without the strange code in it. Removed the repository, as there is no use for it anymore.

maximegmd commented 3 years ago

@Deepdelver while I disagree with how EZ Optimizer is being handled by its developer, I find that ripping the code and making it open source isn't very clever, not only is that against the author's wishes but it is plain and simple illegal...

deton24 commented 3 years ago

BTW, has anybody compared the performance achieved with this tool vs EZ Optimiser? https://www.nexusmods.com/cyberpunk2077/mods/183 Does it change the same values in the config?

Pat- commented 3 years ago

After further investigation we have not found a cryptominer or other crap. Our suspicion was caused by the use of an obfuscator and considering the kind of code this contains (pretty much just 3 ini files) it doesn't make any sense to be using this kind of tool.

We still recommend you don't use this, we won't be reverse engineering every patch they make and since it doesn't do anything, it's an unnecessary risk. If the tool were to become opensource and actually do something more than just set some ini settings we will reconsider that.

so is it malicious or not?

dboggs95 commented 3 years ago

so is it malicious or not?

We have no answer to that question. Nobody but the developer knows.

I think everybody here agrees that we should not trust it unless the developer proves it is benign, and even then, there are plenty of better alternatives, including manually configuring the developer settings without EZ Optimizer.

dio-gh commented 3 years ago

So to wrap this story up, I went through the obfuscated parts and got the encrypted (and compressed) payload decrypted and extracted. It's essentially a "dead payload", pretty much only containing the icon of the executable; it contains no other notable resources, or even any code.

Based on the embedded payload's metadata, the obfuscation program used was made by a company called LogicNP Software, and is called something along the lines of Crypto Obfuscator For .Net (v2020) (link to the product page). It only did some pretty basic obfuscation, to the point that I got through it with relative ease by just using ILSpy (and dnSpy), plus a couple hours of free time (probably way less would have sufficed, if I had actual experience in analyzing C# applications).

If anyone feels like reproducing my findings, they can just use dnSpy like I did (the x86 version, because the tool was compiled to prefer x86 for some reason), and put a breakpoint on the line return memoryStream.ToArray(); in the method A.cd5aa3b8a1ae939d6d3a43c9aac5cb237.c9bc0aeef7e527f7935d4b45a818ed89a(), then step line by line until you can dump the byte array into a file. Do so, then load it back up in either dnSpy or ILSpy, and have a gander.

TL;DR: It's not malicious, just a touch janky. Doesn't do anything else than what it advertises. Antivirus programs might flag it because of an obfuscator tool he mistakenly included with the application (misconfigured Visual Studio?).

Note: The analysis was done on the day I posted this, when the latest executable of that tool had the following hashes:

MD5: 2C4B955C4E67EE782ECB6EE69B8C7C9A SHA-1: CC2BBFC9BF60D44BA79199B2B09ABBE50BE954D0

Update: As the original author states in the reply below this comment, he uploaded a new version with the obfuscation removed. I went ahead and checked, the obfuscator's hooks are now indeed gone, and all symbols have been restored. AVs should probably not trigger anymore either (and yes, the code itself is still clean, same as before).

MD5: 9D2DC1AB2E4468859D878EF4F3439151 SHA-1: FA589E36FFC947038EDE544B5B1DD5CA8D101CE8

This analysis may not be valid at a later date, if the creator posts an even newer version of his tool. Compare hashes and reanalyze the executable yourself, if you think or know that a new version has been posted and are suspicious of the changes possibly made.
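dio-gh's closing caveat, that the analysis only covers the two hashed builds, is something a practitioner can turn into a mechanical check before running a download. The following is an added example, not code from this thread or from either project: it hashes a file in one streaming pass and matches it against the analysed builds by both MD5 and SHA-1 (a match on one digest alone is treated as unknown, since neither is collision resistant and a partial match usually means a mistyped table entry); anything not in the table is reported as an unknown version that needs re-analysis. The two ANALYZED entries are the hashes quoted above, lowercased; DEMO_DATA and its table entry are constructed so the example runs offline.

```python
"""Added example: match a downloaded build against hashes of analysed builds.
Not the thread's or the tool's code. ANALYZED holds the two hash pairs dio-gh
posted (lowercased); DEMO_DATA is constructed so the example runs offline."""
import hashlib
import io
from dataclasses import dataclass
from typing import BinaryIO, Dict, Optional, Sequence


@dataclass(frozen=True)
class AnalyzedBuild:
    md5: str
    sha1: str
    verdict: str


ANALYZED = (
    AnalyzedBuild("2c4b955c4e67ee782ecb6ee69b8c7c9a",
                  "cc2bbfc9bf60d44ba79199b2b09abbe50be954d0",
                  "obfuscated build: dead payload (icon only), no malicious code found"),
    AnalyzedBuild("9d2dc1ab2e4468859d878ef4f3439151",
                  "fa589e36ffc947038ede544b5b1dd5ca8d101ce8",
                  "unobfuscated build: symbols restored, code unchanged and clean"),
)


def digests(stream: BinaryIO, chunk: int = 1 << 16) -> Dict[str, str]:
    """Read the file once and feed every hasher from the same chunk (fine for large files)."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    for block in iter(lambda: stream.read(chunk), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digests_of_bytes(data: bytes) -> Dict[str, str]:
    return digests(io.BytesIO(data))


def match_analyzed(digs: Dict[str, str],
                   table: Sequence[AnalyzedBuild] = ANALYZED) -> Optional[AnalyzedBuild]:
    """Require BOTH md5 and sha1 to match an entry. Either digest alone is weak
    against a chosen collision, and a one-sided match is most likely a typo."""
    for build in table:
        if build.md5 == digs["md5"].lower() and build.sha1 == digs["sha1"].lower():
            return build
    return None


def check_file(path: str, table: Sequence[AnalyzedBuild] = ANALYZED) -> str:
    """Human-readable verdict for a file on disk; unknown builds are flagged, never trusted."""
    with open(path, "rb") as f:
        digs = digests(f)
    hit = match_analyzed(digs, table)
    if hit is None:
        return (f"UNKNOWN build (sha256 {digs['sha256']}): not covered by the analysis, "
                f"re-analyse before running")
    return f"analysed build: {hit.verdict}"


# --- constructed demo data (assumption: not a real EZ Optimizer binary) ---
DEMO_DATA = b"MZ" + b"\x00" * 62 + b"constructed stand-in for an analysed executable"
_demo_digests = digests_of_bytes(DEMO_DATA)
DEMO_TABLE = (AnalyzedBuild(_demo_digests["md5"], _demo_digests["sha1"],
                            "constructed: analysed locally"),)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(check_file(sys.argv[1]))
    else:
        print(match_analyzed(_demo_digests, DEMO_TABLE))
```

Usage: python check_build.py path\to\EZOptimizer.exe. Extend ANALYZED only with hash pairs you have analysed yourself or that come with a written analysis like the one above; the SHA-256 in the unknown-build message is there so the new version can be recorded once it has been looked at.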

CodeZ1LLa commented 3 years ago

Thanks for your interest, and the time that you spent on decompiling my program. As everyone sees, it does nothing except what it is supposed to do: help people with old PCs. Not really enjoying the forced frisking, but it is what it is. Since it was cracked and the source code was exposed all over the place (thanks to professionals!), I uploaded a new .exe that doesn't have any obfuscation, since it's meaningless now. The reason why I didn't post it here is that I wanted to generate some revenue for the holidays through the views on my channel for some work that I've done, so I posted the download link under the video instead of posting it here. I'm simply not having the best time now, so I tried to earn a little bit through YouTube for gifts and stuff. Did nothing bad, as everyone can see, so you can put the guns down and enjoy the free performance. Happy Holidays

dio-gh commented 3 years ago

Hi there, thank you for your reserved reply. Certainly didn't expect you, the author, to appear, so at the very least I'm glad I could clarify with certainty that your tool is not malicious in any way and simply gets the job done. I do want to address a couple of your points though.

Since it was cracked and the source code was exposed all over the place

I want to clarify that I do not agree with the people that have done this, as they've actively violated copyright by doing so. It is your own intellectual property. Not every software has to be open source, and I fully believe that if one seeks to keep their software closed source, their choice should be respected. I'm sorry that this has happened to you, and I hope it didn't taint your perception on open source software development too badly.

that doesn't have any obfuscation since it's meaningless now.

Applications written in C# or other managed languages are usually trivial to decompile with decent readability, and there are some pretty great deobfuscation tools available for them too, for free, so that was a bit of an uphill battle to begin with. However, it reads like you thought your code actually got obfuscated; this is not the case. None of the actual application code you wrote has been obfuscated. If you did attempt to obfuscate it, you may have misconfigured the obfuscation tool.

In the future, if you're really keen on obfuscating your binaries, I'd recommend taking a look at them with the same tools that I listed. You'll be able to see it right away if they worked or not, and how well they did. You can even run a couple deobfuscation tools on the result, and see if it can undo the obfuscator's job.

Do note though that some obfuscation and compression tools may trip up antivirus programs, which I suspect also happened here. Overall, if your tool doesn't do particularly much, or anything super clever, I wouldn't try to obfuscate. As you can see for yourself, paranoia can reach pretty hardcore levels pretty quick, and understandably so. Not really worth the hassle imo.

In any case, I'm glad this is all sorted now. Happy Holidays to you too!

CodeZ1LLa commented 3 years ago

Thanks for understanding. I just want to let you know that as soon as I removed the obfuscation from the file, someone decompiled it immediately and started to blackmail me on Twitter that he'll publish the source code on GitHub and elsewhere if I'm not going to release the source code: https://twitter.com/anon_zyj79544/status/1343807633522769920?s=20. He's probably not aware that the protection was removed and thinks that he is a world-class hacker because he managed to decompile it. Just letting everyone know, so if you come across my code, it's not me, and I hope the person who practices such things will be banned from GH.

dio-gh commented 3 years ago

You can report offending repositories (such as another one in this very thread) to GitHub directly, as you are the original author. Usually they reply in a day or so.

dboggs95 commented 3 years ago

I want to clarify that I do not agree with the people that have done this, as they've actively violated copyright by doing so. It is your own intellectual property. Not every software has to be open source, and I fully believe that if one seeks to keep their software closed source, their choice should be respected. I'm sorry that this has happened to you, and I hope it didn't taint your perception on open source software development too badly.

That's not entirely accurate. Everyone who published the source infringed the copyright. Decompiling software that has been distributed to you to understand what it does is not infringing the copyright unless there is a signed contract saying otherwise. If I remember correctly, some courts won't even uphold those contracts.

And as to the open source, all I was saying is that in my opinion, if we are to trust software from an unknown third party developer, it should probably be open source. But that is entirely up to the developer. Please do not publish CodeZ1LLa's source code. You have the right to author your own open source tool, but not to copy paste another author's work.

maximegmd commented 3 years ago

@CodeZ1LLa Trying to make a quick buck by making a shady executable that does NOTHING but write a preset ini file is really the kind of thing that the modding community doesn't need. It's bad on many levels:

  1. You do not credit the work you used to generate the ini file.
  2. You do not need an executable for such a simple change, you could have just uploaded the ini files under your video.
  3. Releasing executables without source code AND obfuscated is the best way to get the community suspicious.
  4. The modding community is based on sharing knowledge, the tools you have used and the tools made by the community is the result of many people working together, trying to hide what your mod does is the opposite of the modding philosophy.
  5. While there is nothing wrong with asking for donations for actual work, what you did can't be qualified as actual work, your software is a 30 minute job for any CS student, the fact that you believe this is so revolutionary and needs to be closed source AND obfuscated frankly makes me think you misunderstand what modding is all about.

CodeZ1LLa commented 3 years ago

@yamashi

  1. To generate the ini file I just use a StreamWriter and settings that I found in plain text; those are the game's internal commands, so it's not clear to whom I should give credit. To CDPR? If I make a tool that applies a config for Counter-Strike with commands like "sv_cheats 1" & "impulse 101" like in the good old times, should I credit Valve? Since it was a pain to do it manually every time I wanted to change something, as soon as I managed to find a preset that worked best for me I created the simplest app that does it for you in one click and rolled it out for people who don't know how to do it themselves, or just feel it's more comfortable than doing it manually. This is the sole purpose of the app: do it for the user automatically.
  2. I could upload ini files, but an exe makes it simpler for the end user. Since the exe is clean, I don't see any issues.
  3. I couldn't expect such interest, and that hundreds of people would try to decompile it as if they were decrypting Nazi Germany's secret codes. I never used an obfuscator before and just decided to give it a shot.
  4. I do not belong to the "modding community" and this is the first time I made something for a game. I'm not aware of the "philosophy" of that community and I'm not really interested. I simply made an app that does something for the user in one click.
  5. "the fact that you believe this is so revolutionary" - why did you decide that I think so? Revolutionary assigning configs to buttons? I mean... It helps people who don't know much about editing the game's files and just want to click and play. That's all it does. Sorry, but all that nonsense and conspiracy around a simple tool that just applies profiles is exhausting and annoying.

PirryD3v commented 3 years ago

deobfuscated and strange stuff removed ->

        // Path is relative to the game directory; in a regular C# string literal each
        // backslash is written as "\\", so this resolves to .\engine\config\platform\pc\user.ini
        string path = ".\\engine\\config\\platform\\pc\\user.ini";
        // OpenOrCreate does not truncate an existing file, so a shorter preset leaves old bytes behind
        FileStream fileStream = new FileStream(path, FileMode.OpenOrCreate, FileAccess.Write);
        StreamWriter streamWriter = new StreamWriter(fileStream);
        ....

and the settings for all 3 presets

PirryD3v commented 3 years ago

That's just setting ini files ;) no magic... no need for protection... that's a 1-minute code job

But if you tried all these settings on your own... respect for that, nice work!

CodeZ1LLa commented 3 years ago

@PirryD3v It was not necessary to post the entire source code, and you probably so much enjoyed that you decompiled it, that you even liked your own post lol. There is also no "strange stuff" that would need to be removed.

dio-gh commented 3 years ago

In any case, I'd recommend this project's maintainer (@yamashi) to lock this issue. The whole ticket was unrelated to this project in essence to begin with, and it has been exhaustively discussed since. I don't see the value in keeping it unlocked.

maximegmd commented 3 years ago

Considering @CodeZ1LLa sent a DMCA takedown against Cyber Engine Tweaks to hide the comments about his tool, I feel like this issue deserves to go back into the spotlight.

This "mod" is useless, it contains 3 config files, and its author thinks it's ok to try and take down the modding ecosystem of the game (most mods depend on CET) because he has an image problem and can't milk the $ out of this useless tool.