EC has a point, in that it calls GetAsyncKeyState to check the F6 key so it knows when to take the SS. GetAsyncKeyState is a Windows API function that (obviously) checks if a key is being pressed or not; as such, it can also be used for key-logging - if you use it to track the state of all keys then save them.
This is superficially analogous to saying that a tyre-iron can be used to beat someone to death, therefore we should suspect that anyone with a tyre-iron is a murderer. Of course most people have one in their trunk and just use it when they have a flat tyre. The main point here is that you don't sell AV software by not reporting anything.
Sadly most people believe that if AV#2 "finds more stuff" than AV#1, then AV#2 is therefore more sophisticated, and more secure. Bloggers do comparative tests feeding a heap of different AV suites everything from actual malware to stuff that some other source said was a "PUP" (potentially unwanted program). Often they copy the descriptions of these things from the websites of the people selling the AV software to sound knowledgeable despite understanding very little of what they are writing. As a result, many AV providers got scared not to report EVERYTHING, in case they looked ineffective on some moron's blog page.
It's a massive industry worth $Billions, and their competition has traditionally been one of providing the most alerts.... although they are slowly getting better as the population becomes more tech-savvy. I always have a lol when I see the results of a multi-AV scan and they are all saying a different thing... or an identical thing. For instance: here's the results for that file from VirusTotal.com - it's a useful site that checks just about every available AV resource.
Avira (no cloud) TR/Crypt.ULPM.Gen 20170306
Arcabit Trojan.Heur.emGfXPgbohm 20170306
BitDefender Gen:Trojan.Heur.emGfXPgbohm 20170306
Emsisoft Gen:Trojan.Heur.emGfXPgbohm (B) 20170306
F-Secure Gen:Trojan.Heur.emGfXPgbohm 20170306
GData Gen:Trojan.Heur.emGfXPgbohm 20170306
eScan Gen:Trojan.Heur.emGfXPgbohm 20170306
Endgame malicious (high confidence) 20170222
CrowdStrike Falcon (ML) malicious_confidence_68% (D) 20170130
Invincea worm.win32.bartly.a 20170203
McAfee-GW-Edition BehavesLike.Win32.Sality.lc 20170306
Qihoo-360 HEUR/QVM18.1.0000.Malware.Gen 20170306
TheHacker Posible_Worm32 20170305
ALYac 20170306
AVG 20170306
AVware 20170306
AegisLab 20170306
AhnLab-V3 20170306
Alibaba 20170228
Antiy-AVL 20170306
Avast 20170306
Baidu 20170306
Bkav 20170306
CAT-QuickHeal 20170306
CMC 20170306
ClamAV 20170306
Comodo 20170306
Cyren 20170306
DrWeb 20170306
ESET-NOD32 20170306
F-Prot 20170306
Fortinet 20170306
Ikarus 20170306
Jiangmin 20170306
K7AntiVirus 20170306
K7GW 20170306
Kaspersky 20170306
Kingsoft 20170306
Malwarebytes 20170306
McAfee 20170306
Microsoft 20170306
NANO-Antivirus 20170306
Panda 20170306
Rising 20170306
SUPERAntiSpyware 20170306
Sophos 20170306
Symantec 20170306
Tencent 20170306
TrendMicro 20170306
TrendMicro-HouseCall 20170306
Trustlook 20170306
VBA32 20170306
VIPRE 20170306
ViRobot 20170306
Webroot 20170306
WhiteArmor 20170303
Yandex 20170225
Zillya 20170304
ZoneAlarm by Check Point 20170306
Zoner 20170306
nProtect 20170306
From 61 different AV resources there are 48 negatives (nothing found) and 13 'results'.
Now, first let me say this: I'm pretty sure my computer is 'clean', but nobody can ever be 100% sure, there are some pretty clever rootkits around, so I don't know that there is not malware on my computer somewhere. Take war2observe for example. It works by injecting a piece of code into a "code-cave" in the wc2 exe..... it's a worm, just not a malicious one.
Nobody really knows for sure that any .exe, .dll, .ocx etc. on their computer is completely safe; if I send some file to VirusTotal and there are results, I have to consider them. You can never be completely sure.... EXCEPT for this one case: where I have personally written the code, then compiled it, then (and this is important) immediately compressed it using the most aggressive executable compression available.... always the most exhaustive/slowest methods.
At this point it comes down to information/entropy vs. size. There are no 'code caves' left. There is no way to 'inject' a worm into it and have the program still perform its expected function without increasing the file size. That amount of bytes simply cannot hold the extra information, not without completely re-writing it in a different language (i.e. pure ASM - this one is a bastardised C prog), and only a human can do that, not malware.
I use open source exe compression that I have altered so that it cannot be automatically unpacked by either malware OR anti-virus, because nobody else knows how I have altered it.... I won't go on about that part of it, but for now what I'm saying is that when I have just compiled and compressed a program from my own source code, that is the only time that I can upload a file to be virus checked and I absolutely 100% KNOW it is safe. Nobody else knows this for sure, but I did it, so I know... and yet we get "13 results": a few different results, but 6 out of the 13 are all saying it is a "Trojan.Heur.emGfXPgbohm". OMG! It must be true!
But because I know it is false, I now know something else. These sources are all using the same AV engine (or at the very least the same virus definitions and a clone of the engine). Without a doubt. Of the 6 sources one stands out as being a genuine AV company. "BitDefender" are a Romanian group, and a reasonably major player in the industry. So at this point I KNOW the other 5 are just re-branding BitDefender's engine. Never bothered looking before, but while writing this post, within 2 minutes of looking I came up with THIS page listing "Multiscanning" vendors. At the top of the page it lists 4 out of the 5 (Emsisoft, F-Secure, GData and eScan) as using the BitDefender engine. As for "Arcabit", whoever the hell they are, I couldn't be bothered, but I'll lay money if you look them up, they're exactly the same.
So. Our 13 out of 61 "Results" have shrunk to 8 out of 54. Two of those are saying "malicious" and "confidence", my guess: they are nobodies with dodgy "everything turned up to 11" implementations of one of the open source projects.... I mean "CrowdStrike Falcon" BAHAHAHA, sorry but if that name turned up in the war2bne channel you'd take one look at it and say "noob"
Here's our real results:
BitDefender Gen:Trojan.Heur.emGfXPgbohm
Invincea worm.win32.bartly.a
McAfee-GW-Edition BehavesLike.Win32.Sality.lc
Qihoo-360 HEUR/QVM18.1.0000.Malware.Gen
TheHacker Posible_Worm32
and of course...
Avira TR/Crypt.ULPM.Gen
.... and these people say it's safe: AVG, Avast, Kaspersky, Kingsoft, McAfee (Std), Microsoft, Symantec, TrendMicro, ZoneAlarm .... and 39 other AV providers. Anyway, for starters you can see why I LMAO at noobies claiming "68% confidence"... lol I've actually started laughing again writing that, for real... I mean some newbie called CrowdStrikeFalcon!!! just turns up in the channel and claims that he is exactly "68% confident" that he knows more about the game than mikulz, styx, Day, Player, Medievh, Ouin... etc (sorry ppl i forgot)... ROTF...
Anyway, stuff such as "BehavesLike.Win32.Sality.lc" is fair enough. IDK what "Sality" is, but it's probably a naughty program that is written in C, calls "GetAsyncKeyState", "OpenProcess", and "ReadProcessMem", is compiled with WATCOM, and then compressed in a non-standard way. McAfee is a decent provider; in addition to their normal AV product they obviously have another product variant aimed at the customer who wants to see lots of results.... that's fine, they just said "owns a tyre-iron", not "is a serial killer". Annoying, but not technically untrue (I assume).
That's the sort of thing they all should be putting, because the fact of the matter is these are all the result of the AV software saying 2 things:
(1) This program is protecting itself in ways I don't understand, so I can't mess with it how I want to... this makes me worry. (and Lamb says, "yes that's right mother-lover, and neither can the worms when they try to find a home")
(2) When it unpacks itself I can see the functions it's linking, and now I've got an excuse to make some alarmist rubbish up because I don't trust it and OMG IT'S USING THE KEYBOARD! et al..... and besides:
Warnings Generate Sales. "TheHacker", despite their rather dodgy sounding name, give a reasonable response: possible worm. Not a claim, just a possibility, and the way that this program functions it could conceivably be a "worm" like Observer is. In this case it isn't, but it does use some of the tools that a worm would need, so "possible worm"... sure, hf with that.
"Invincea", whoever they are, just say worm.win32.bartly.a; same thing, they really should put "possibly" or "behaves like".
"Qihoo-360" - HEUR/QVM18.1.0000.Malware.Gen lol... WTH is a "Qihoo"? You just invented that crap on the spot, didn't you? heh
I guess this means "general malware". Also note the "HEUR", in this and the BitDefender response, which stands for heuristic.
"As opposed to signature-based scanning, which looks to match signatures found in files with that of a database of known malware, heuristic scanning uses rules and/or algorithms to look for commands which may indicate malicious intent." SOURCE, i.e. "Carries a tyre-iron". And then there's these 2...
BitDefender Gen:Trojan.Heur.emGfXPgbohm
Avira TR/Crypt.ULPM.Gen
Sorry, but it looks to me like Avira also uses the BitDefender engine as at least part of its scanning process, because I'm finding it hard to believe that 2 separate engines got it that wrong. At least they have their own classification of the result, because of all the responses this one is the most incorrect. "Worm"... maybe. It's not a worm, but if you wanted to make stuff up, at least it's believable garbage.... but "Trojan"... bzzzz.. FAIL. Sorry. No freakin' way.
The whole point of the Trojan horse (actually a Roman Horse lol) was to allow a few men to get into Troy and open the gates so the Roman army could storm in and sack the city. The one thing all software trojans do... in fact pretty much all malware these days, is access the network. That is the whole point, so they can download a bunch of other nasty stuff and install it, but this program has absolutely no code whatsoever that does anything at all with any network functions or services. So sorry BitDefender, but that is just a big fat FAIL.
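The engine-collapsing the post does by hand, as an added example that is not code from the post: it takes detection labels modelled on the VirusTotal listing above (a constructed subset, with only a few of the clean vendors; the shared-engine grouping is inferred purely from identical label text, not from any vendor list), strips vendor decorations so rebranded copies of one engine compare equal, counts the verdicts that remain, and flags which labels are heuristic/behavioural ("carries a tyre-iron") rather than a named signature.

```python
import re
from collections import defaultdict

# Constructed from the VirusTotal listing in the post: vendor -> detection label
# (None = nothing found). Only a few of the 48 "clean" vendors are included.
RESULTS = {
    "Avira": "TR/Crypt.ULPM.Gen", "Arcabit": "Trojan.Heur.emGfXPgbohm",
    "BitDefender": "Gen:Trojan.Heur.emGfXPgbohm", "Emsisoft": "Gen:Trojan.Heur.emGfXPgbohm (B)",
    "F-Secure": "Gen:Trojan.Heur.emGfXPgbohm", "GData": "Gen:Trojan.Heur.emGfXPgbohm",
    "eScan": "Gen:Trojan.Heur.emGfXPgbohm", "Endgame": "malicious (high confidence)",
    "CrowdStrike Falcon": "malicious_confidence_68% (D)", "Invincea": "worm.win32.bartly.a",
    "McAfee-GW-Edition": "BehavesLike.Win32.Sality.lc", "Qihoo-360": "HEUR/QVM18.1.0000.Malware.Gen",
    "TheHacker": "Posible_Worm32",
    "AVG": None, "Avast": None, "Kaspersky": None, "Microsoft": None,
}

# Tokens that mark a rule/ML verdict rather than a match against a known sample.
GENERIC_MARKERS = {"heur", "gen", "behaveslike", "malicious", "posible", "possible"}

def normalize(label):
    """Strip vendor decoration ('Gen:' prefix, '(B)'/'(D)' suffix) so labels
    produced by the same underlying engine compare equal."""
    label = re.sub(r"\s*\([A-Z]\)\s*$", "", label)
    return re.sub(r"^Gen:", "", label).lower()

def is_generic(label):
    """True when the label is heuristic/behavioural ('carries a tyre-iron')."""
    tokens = re.split(r"[^a-z0-9]+", normalize(label))
    return any(t in GENERIC_MARKERS for t in tokens)

def shared_engine_groups(results):
    """Vendors reporting an identical engine-specific name almost certainly
    share one engine; return each such name with its vendor list."""
    groups = defaultdict(list)
    for vendor, label in results.items():
        if label:
            groups[normalize(label)].append(vendor)
    return {name: sorted(v) for name, v in groups.items() if len(v) > 1}

def summarize(results):
    """Raw hits, hits after collapsing shared engines, and generic-only hits."""
    labels = [l for l in results.values() if l]
    return {
        "vendors": len(results),
        "hits": len(labels),
        "independent_hits": len({normalize(l) for l in labels}),
        "generic_hits": sum(1 for l in labels if is_generic(l)),
    }
```

On the constructed sample the 13 raw hits collapse to 8 independent verdicts, and only Invincea's label reads as a specific signature; everything else is a heuristic or generic family name.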