Why is the patch detected as some sort of Win64/Packed.GoLang?
Posted at 03-11-19, 01:44 pm Link | #1
CyberHunter

http://mabinogi.ir/patch/281_to_282.zip

is detected as

https://www.virustotal.com/#/file/3daf06316a7ce0ffa2c2f0238d6aa5e8e9d6df37e33c0093e51e914e9d73a655/detection

I'm personally interested as to why this is the case when the client.exe that I have on the installed game isn't really detected as anything of the sort.
I also found out that manual patching involves overwriting the old files with what's in the patch archive file.

VirusTotal seeing an exe file with no name within the archive kinda gives me a hunch that something is really unusual with it.
Also, the incompletely downloaded archive, when viewed with 7zip, shows a Client.exe and a Client2.exe, and I'm like wot

Have there been incidents like this before?
Posted at 03-11-19, 06:14 pm Link | #2
Drahan GM

This isn't a false positive, but it's also not malicious.

I can break down that detection for you, though:
Win64 means that it is a 64-bit binary. Packed means that the file is compressed and obfuscated - this is usually done to prevent analysis and prevent modifications to the binary. GoLang is actually the programming language that the file was written in, as we use Go for internal development at MabiPro.

Most antiviruses will flag packed files by default, because they cannot tell if they are malicious or clean since they are unable to analyze them.
Nexon's Client.exe is also packed with Themida, and there are flags on AVs related to this too.

Actually, this file was a trial of our clientside anticheat, a replacement for Nexon's NGS, however, it was disabled after less than a week, which is why it is no longer used in your updated client.
Given that it's an anticheat, it is packed to prevent hackers from analyzing and modifying it.
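
The reply above says scanners flag packed files because they cannot analyze the contents. One common triage heuristic for spotting a packed PE is per-section byte entropy, shown here as an added example that is not part of the original thread and not MabiPro's or any AV vendor's code; the 7.0 threshold, the section names and the sample buffer built by the hypothetical `build_sample` helper are assumptions.

```python
import hashlib, math, struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for compressed/encrypted data, lower for plain code."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def section_entropies(pe: bytes) -> dict:
    """Walk the PE section table and return {section name: entropy of its raw data}."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)      # offset of "PE\0\0"
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # 20-byte COFF header
    (n_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size                          # first 40-byte section header
    result = {}
    for i in range(n_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        result[name] = shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])
    return result

def likely_packed(pe: bytes, threshold: float = 7.0) -> list:
    """Sections above the threshold (7.0 is an assumed rule of thumb, not a standard)."""
    return [name for name, h in section_entropies(pe).items() if h > threshold]

def build_sample(sections: dict) -> bytes:
    """Constructed PE-like buffer: DOS stub, COFF header, section table, raw data."""
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0)
    data_start = len(hdr) + 40 * len(sections)
    table, body = b"", b""
    for name, raw in sections.items():
        table += struct.pack("<8sIIII16x", name.encode(), len(raw), 0,
                             len(raw), data_start + len(body))
        body += raw
    return hdr + table + body

# Constructed sample data: repetitive "code" vs. hash output standing in for packed bytes.
PLAIN = b"\x48\x89\xe5\x90" * 1024
PACKED = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
SAMPLE = build_sample({".text": PLAIN, ".packed": PACKED})
```

High entropy only shows that a section is compressed or encrypted; it says nothing about whether the unpacked code is benign, which matches the point made in the reply.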
Posted at 03-12-19, 01:05 am Link | #3
CyberHunter2

I'm grateful for your very detailed response.
Amazing to know that you guys utilize the Go language for internal development.
Guess it can't be helped that an anti-cheat would be deemed as suspicious due to its nature of being packed.
Time to add it to my exceptions list then.

Also pardon me for making a new account, so dumb not to notice that password resetting is not possible in this forum XD

Please have a nice day and thank you for all the hard work