Capcom Shits the Bed: SFV PC installs hidden rootkit


This topic contains 5 replies, has 4 voices, and was last updated by Jake_L 3 months, 1 week ago.

  • #7811
    Jake_L
    Participant

    For the uninitiated, a rootkit is a software toolset that gives users access to and control over operations in a computer system without being detected and without authorization. Any and all malicious software on the system can poke a dodgy driver installed by SFV to completely take over the Windows machine. This gives the app kernel-level privileges.

    To Capcom’s credit, the rootkit is intended to keep modders and PCMGR jackasses from applying cheat engines—either to unlock on-disk content (glitch time trials and challenge fights, alter color schemes, other various thuggery) or stomp during online play by enabling debug so they have infinite health or super abilities (like cunts). Because let’s face it, kids: if we’re not winning, we’re not having fun, at the expense of ~$65 USD after taxes—or $70-something for you Canadians. So installing a file that’ll close something like CheatEngine so you don’t goose the still budding PC branch of the FGC? FREAKING. GENIUS.

    But here’s the rub: The code is so badly designed, it opens up a full-blown local backdoor directly into your Windows system32 files. Y’know the one that makes the Windows OS actually O the S. (Giggety)

    For my fellow microcomputer processing experts, the capcom.sys kernel-level driver operates in a series of mostly innocuous steps. (1) The driver provides an IOCTL service to applications that disables SMEP on the computer, (2) executes code at a given pointer, (3) and then reenables SMEP.

    For normal people, it switches off a crucial security defense in the Windows operating system, runs whatever instructions are given to it by the application, and then switches the protection back on. This is anal on taco night bad. Y’see children, SMEP (Supervisor Mode Execution Protection) is a security feature of some Intel CPUs, so it’s basically present on every commercial PC on the market and most custom built ones as well (i.e. PCMGR jackasses) but it’s also on most AMD x86 processors. When enabled, it prevents kernel-level software from executing code in user-owned memory pages. It’s there to stop hackers from tricking the operating system into running malicious software smuggled into an application’s virtual memory space—Windows should only be able to run its own trusted code. Capcom.sys completely blows this away on Windows: an application simply has to pass control codes 0xAA012044 and 0xAA013044 to the IOCTL, and a pointer to some instructions, and the driver will then jump to that block of code with full kernel permissions.

    In short, it’s your computer’s condom, and the Capcom rootkit takes off the condom for a few strokes before putting it back on.

    This little bit of information was discovered patch after last, when PC owners were suddenly asked to grant SFV administrator access before starting the game. Some Twitch streamers reported they couldn’t even run the game with Twitch streaming.

    Needless to say, the Internet was PISSED.

    In a recent tweet, Capcom posted the following:

    “We are in the process of rolling back the security measures added to the PC version of Street Fighter V. After the rollback process to the PC version, all new content from the September update will still be available to players. We apologize for the inconvenience and will have an update on the time-frame for the PC rollback solution soon.”

    TL;DR: WE FUCKED UP.

    #7812
    V-Tundra
    Participant

    Dude, that’s just fucking unacceptable. Can’t Capcom spend 5 minutes without making asses of themselves?

    *Capcom’s pants fall down to a comical sound*

    "The universe is one big joke, and the joke is on us"

    #7815
    LaughingMan
    Keymaster

    Man, good thing I didn’t pick up SFV on the last Steam Sale :O

    #7818
    Mr.K
    Participant

    Man, good thing I didn’t pick up SFV on the last Steam Sale :O

    Otherwise, you would have been fucked.

    "The world is merciless and it's also very beautiful."

    #7819
    V-Tundra
    Participant

    This is why I prefer torrents. (Especially from Capcom)

    "The universe is one big joke, and the joke is on us"

    #7823
    Jake_L
    Participant

    To add another dosage to this shit Twinkie,
    MULTIPLE LINES OF CODE were copied over from KNOWN and MALICIOUS MALWARE PROGRAMS.

    Okay—drama over. To the devs’ credit, the code was dormant and grayed out (think putting a pin in a grenade after cooking it off). Further, the update patch was ready within 5 hours. That tells me that the guys that do the code went to the business types and said, “This is a TERRIBLE idea. We shouldn’t do this.”

    And the corporate guy said, “Nah I’m sure it’ll be fine.”
    *beat*
    “Do it.”

    Like I dropped out of software development (because I’m lazy and have a work ethic you need to measure in parts-per-million) but I know putting code to override pre-existing code takes days or weeks to compile. So the dev-level guys KNEW that corporate was gonna play the wrong card and get blown up the ass and had the new patch to nix the rootkit ready to launch. Smart.

    Issue is that the rootkit is STILL in people’s computers, just dormant.
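
A way to check a Windows machine for the leftover driver the thread describes, as an added example that is not part of any post and not Capcom's code. Only the file name capcom.sys comes from the thread; the search locations and the helper name Get-DriverFileInfo are assumptions made for illustration.

```powershell
# Added example: look for a registered or on-disk capcom.sys driver.
# Only the file name comes from the thread; the search roots below are assumed.
$DriverFile  = 'capcom.sys'
$SearchRoots = @("$env:SystemRoot\System32\drivers", "$env:TEMP")   # assumed locations

function Get-DriverFileInfo {   # hypothetical helper name
    param([string]$Path)
    # Report hash and Authenticode signer so the file can be identified and tracked.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Path      = $Path
        SHA256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        SigStatus = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
    }
}

# 1. Kernel driver services whose image path ends in capcom.sys (running or stopped).
$services = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -and ($_.PathName -like "*\$DriverFile") }

foreach ($svc in $services) {
    # Win32_SystemDriver can report NT-style paths; strip the \??\ prefix.
    $path = $svc.PathName -replace '^\\\?\?\\', ''
    "Driver service '{0}': State={1}, StartMode={2}" -f $svc.Name, $svc.State, $svc.StartMode
    if (Test-Path -LiteralPath $path) { Get-DriverFileInfo -Path $path }
}

# 2. Copies of the file left on disk without a registered service.
$files = foreach ($root in $SearchRoots) {
    Get-ChildItem -LiteralPath $root -Filter $DriverFile -Recurse -File -ErrorAction SilentlyContinue
}
$files | ForEach-Object { Get-DriverFileInfo -Path $_.FullName }

if (-not $services -and -not $files) {
    "No $DriverFile service or file found in the searched locations."
}
```

A stopped service with the file still present matches the "dormant" state described in the last post: the driver is not loaded, but any process able to start the service could load it again.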
