dsetup.dll is setting off malware alert - Page 3

Grimjaw · #1 07-04-2014, 12:43 AM

Quote:

Originally Posted by abacab-101 [You must be logged in to view images. Log in or Register.]

The file is obfuscated, and has two anti-cracking methods put into place; the first is the encryption and the block against .NET Reflector editing, it jumbles up the text and actively block compilers there are ways around that but I won't post that here.

The second is when it's edited a Project1999 pop-up comes up that says "this file has been corrupted, modified, and changed" as well as the DLL-2 error that pops up; the trick here is to maintain the file integrity and size; since most of the file has bullshit hex for filler (the lines upon lines of CC CC CC CC CC and 00 00 00 00 00) that must be maintained to keep the file from being rejected by the p99 client.

DLL has been cracked it's not hard at all.

so what does it do then lol? U can read pcode?

abacab-101 · #2 07-04-2014, 12:49 AM

Quote:

Originally Posted by Grimjaw [You must be logged in to view images. Log in or Register.]

so what does it do then lol? U can read pcode?

1. It's a callback
2. It causes an overflow on third-party programs, when you D/C it flags you because it sends out bad packets that the server then collects from your client; since MQ2 can't function well when the dsetup.dll is running at x100000 as opposed to the normal x0200 of eqgame.exe it disconnects the moment your character hits the world and reads the very first packet.

Artaenc · #3 07-09-2014, 03:33 PM

Quote:

Originally Posted by abacab-101 [You must be logged in to view images. Log in or Register.]

The file is obfuscated, and has two anti-cracking methods put into place; the first is the encryption and the block against .NET Reflector editing, it jumbles up the text and actively block compilers there are ways around that but I won't post that here.

The second is when it's edited a Project1999 pop-up comes up that says "this file has been corrupted, modified, and changed" as well as the DLL-2 error that pops up; the trick here is to maintain the file integrity and size; since most of the file has bullshit hex for filler (the lines upon lines of CC CC CC CC CC and 00 00 00 00 00) that must be maintained to keep the file from being rejected by the p99 client.

DLL has been cracked it's not hard at all.

Which part of the machine code is the one that detects precisely repeating commands like something that autofire would do.

getsome · #4 07-01-2014, 09:48 AM

Quote:

Originally Posted by BiggHurb [You must be logged in to view images. Log in or Register.]

yea right now only abacab knows how to circumvent it... /sarcasm

i mean, how do u catch the people who hide their cheating from your .dll, ie the real cheaters... u cant i guess... shame on all of u

real cheaters play on a mac.

Thana8088 · #5 07-01-2014, 10:07 AM

Quote:

Originally Posted by Buttcheeks [You must be logged in to view images. Log in or Register.]

I use Comodo for security, and it triggers on this file in the new patch. I scanned the old versions and they don't raise any alarms.

I use Comodo as well, and have to re-install the newest p99 files (and disable my AV) each time I want to play EQ because Comodo has nuked the .dll file.

I guess there's a way to tell Comodo to allow this seemingly malicious file to continue unmolested?

Grimjaw · #6 07-02-2014, 11:18 AM

yes tell comodo to ignore your EQ directory

Portasaurus · #7 07-02-2014, 12:39 PM

Whatever was happening that caused severe mouse lag while p99 was open seems to have stopped recently, perhaps with this latest patch.

Has anybody else who was formerly having these very very strange mouse lag issues noticed that the problem recently went away?

I have noted that this mouse lag was exactly the same as the kind of lag that occurs when broadcasting my screen via OBS to twitch, which is unsettling to say the least, and unfortunately leads me to the following question:

Can someone in a position of knowledge tell us definitively that p99 does not in any way allow remote observation of our displays or logging of our keystrokes, either inside or outside of the client?

-your Tingrocer

phiren · #8 07-03-2014, 04:39 PM

Granted this is my own issue -- but I play on a system where I cannot remove McAfee. This never used to be a problem until the last patch. McAfee is calling DSETUP.DLL "Artemis!" threat.

Although -- since the patch came out a week ago, and McAfee is just now calling it one -- it's probably a McAfee update.

Still though -- might be something for Devs to look into. I can't imagine there's only a few people with this issue.. probably going to be more widespread soon as all the other anti virus software gets their updates.

~phiren

Grimjaw · #9 07-03-2014, 07:40 PM

if u punch Artemis into google, you would see that McAfee actively scans for new threats, and when it finds them it calls them Artemis (the name of McAfee's system that is searching your PC for these threats).

That's why it's called Artemis, because it doesn't know what virus it is, it just thinks it might be a virus.

Also, it looks like the P99 developers can put in a request with McAfee to have the file white-listed:

https://secure.mcafee.com/apps/mcafe...aspx?region=us

abacab-101 · #10 07-04-2014, 01:38 AM

MQ2 reads 0x02 as that is what the client normally pushes, since p99 puts out 0x10 MQ2 cannot handle it and disconnects, thus the flagging occurs.