Kane and Lynch - 21:9 FIX

what is the extraction password? 

The Password is: pcgw

I assume this fix does not work while using GFWL as the game will just show a black screen and then just crash to desktop when I try to use this fix with GFWL enabled. I also know this is off topic but do you happen to know if a 21:9 fix is available for Kane & Lynch 2 as well?. I ask because I can't seem to find any fixes online and the game doesn't seem to support 21:9 natively as the screen just seems to stretch at that resolution.

How did you go about making this fix? I'm looking to make something similar to a patched executable for K&L1 for 16:9 resolutions, but im not exactly sure how to change the FOV.

Very nice written little malware my dude. Good job 🤓

There is really no excuse, keylogging, screen captures, 28 attack techniques and 9 tactics...

Reports are here:
http://www.hybrid-analysis.com/sample/33480dbf71388eedae4383629155ac4cee70098a37c3054bff31a7ecaa7d65ab/654a9e80c44a7cedf30a92af

MD5 also returns multiple times on virustotal.

Trojan/rat? Idunno, I don't see it connecting to any hosts in particular but with this level of skill, I doubt you wouldn't know a way around.

Be warned peeps, this is some first degree f*ckery right here.. 👹

‏‏‎ ‎

4 hours ago, andrew79 said:

Very nice written little malware my dude. Good job 🤓

There is really no excuse, keylogging, screen captures, 28 attack techniques and 9 tactics...

Reports are here:
http://www.hybrid-analysis.com/sample/33480dbf71388eedae4383629155ac4cee70098a37c3054bff31a7ecaa7d65ab/654a9e80c44a7cedf30a92af

MD5 also returns multiple times on virustotal.

Trojan/rat? Idunno, I don't see it connecting to any hosts in particular but with this level of skill, I doubt you wouldn't know a way around.

Be warned peeps, this is some first degree f*ckery right here.. 👹

That's a totally false report. I used this fix last year and I can guarantee you that it isn't malware at all. This fix also hasn't been updated since October the 18th, 2021 so it couldn't of been modified since the last time I used it either. Don't always believe these virus reports as 90% of the time they are completely false especially with files like these that patch other exe files.

11 hours ago, orangematty said:

That's a totally false report. I used this fix last year and I can guarantee you that it isn't malware at all. This fix also hasn't been updated since October the 18th, 2021 so it couldn't of been modified since the last time I used it either. Don't always believe these virus reports as 90% of the time they are completely false especially with files like these that patch other exe files.

Ehh.. False report? Look man, this is not just a MD5 sum check, which I doubt you have any knowledge about..
I am aware of false reports and make FUD rats myself and even crypt/sign whatever is necessary to make something work and stay out of any scopes.
I looked at the code myself and it is not just super shady but malicious too.

Hybrid analysis runs the program in VM for you and runs you through all the malicious methods/tactics the executable could do and actually does, which it does in this case.. This executable uses methods which are beyond necessary for it's defined purposes, altering and accessing parts of your pc which are without any doubt a no go for the written purposes above.

I like that you try to support the free world out there but please state educated factual statements before misleading others in to downloading and spreading malware which can be used for crypto mining, CP and purposes you wouldn't even want to consider.

You're crying out false report but I really doubt that you even read the report or have the slightest bit of inside knowledge about malware/computer science to identify a false report.

FACTS:

- Connection was made using TLSv1.1 [tls.handshake.version: 0x00000302]
- T1106, T1129, T1059.003, T1543.003, T1055.011, T1055, T1055.001, T1027, T1027.002, T1055.011, T1564.003, T1027.007, T1055, T1056.001, T1083, T1012, T1057, T1010, T1082, T1614.001, T1113, T1056.001, T1071, T1105, T1573, T1489!!! (I could write a code that does the same and doesn't light up all these red flags like, I don't know, 99% of all other patches out there that are made by people without false intends. Surely a couple, but really, this many and specifically these indicators?? Comon man..)

Just because you ran a code and think your pc is fine doesn't mean it's not working, be considerate.
Give me one indication (vs the 61 that are found easily) that this code is not malicious and I'll write it down as a false-positive, countering the MD5 sum check ups globally. Until then, this report will grow and protect people around the world from making mistakes that could harm them financially, emotionally or their property.

As someone who actually worked as a security analysts, and a programmer. as well as have performed almost daily investigation on executables, both of my own creation as well as those of others, this looks like a normal false positive. Though as always we at PCGamingWiki does not make any guarantees whatsoever, so anyone is still downloading at their own risk.

 

Anyway, regardless though, the use of a techniques defined or detected by MITRE does not really need to mean anything.

This is even clear in the link itself by checking the actual details of the calls: https://www.hybrid-analysis.com/sample/33480dbf71388eedae4383629155ac4cee70098a37c3054bff31a7ecaa7d65ab/654a9e80c44a7cedf30a92af

 

> "Calls an API typically used for keylogging" has the details ""Kane.and.Lynch.Ultrawide.Fix.exe" called "GetKeyState" with parameters {"nVirtKey": "16"}"

What this means is that _something_ that got executed as part of the process (either the process itself or an OS component that was executed as part of it) queried the state of the Shift key. The related details indicates the key state for Ctrl, Shift, Alt, and WinKey Left + Right was checked. This does not mean its a keylooger -- it just means the patcher tool itself, or an OS component that it invoked, checked whether any of those keys were held down. That's all.

Going through the other "suspicious" calls it makes shows that it tries to find and check details for a process called "kaneandlynch.exe" -- meaning it basically tries to identify if the game is currently running or not (since it can't be running if it's going to patch it).

 

And again, let me reinstate that ALL code that gets executed as part of the process within the sandbox gets logged as being caused by the specific process and code, regardless of whether it's actually caused by the OS itself or the code the executable contains. Misunderstanding the data is how we get ridiculous Reddit threads like the "Epic Games Store scans all of the certificates on your system!!!!" scaremongering, when in reality that's required for a normal TLS encrypted connection to be made to establish trust with the opposite end (meaning any and all HTTPS connections made on your system does literally the same).

 

> Contains ability to terminate a process (API string)

> Found reference to API "ExitProcess" (Indicator: "ExitProcess"; Source: "00000000-00004588.00000001.69110.00401000.00000040.mdmp, 00000000-00004588.00000002.71033.00401000.00000040.mdmp")

Oh my, a patcher tool that requires the game to not be running, and checks for the presence of the game running, also includes the ability to terminate that process... Color me surprised.

 

Then we have the absolute ridiculousness that is this sort of "detection":

> Uses 32 bit executable PE

> "Kane.and.Lynch.Ultrawide.Fix.exe" has flags like IMAGE_FILE_32BIT_MACHINE / IMAGE_FILE_EXECUTABLE

It's a "detection" that indicates that the tool is a 32-bit application. That's all this "detection" means.

 

What we end up with is an executable that:

- Machine learning detections (which are extremely prone to false positives) identified it as a "grayware" with a 90% confidence. This is not surprising, since it's a binary patcher for another executable. Those are typically used for licensing/crack reasons, and so is a frequent target for security tools to ensure corporations don't commit any unwanted licensing violations (which would've otherwise turned up during an audit and may cost hundreds of thousands in a penalty fee).

- Makes encrypted HTTPS connection(s) using the now obsolete TLS 1.1 version...  Which also isn't all that surprising as the patcher was created using the CodeFusion Wizard, a tool that harkens back to the 90s and Windows 9x/NT. TLS 1.1 defined in 2006, and only deprecated in 2020. So this doesn't actually mean anything. And again, it's not even guaranteed that the tool made the connection -- it might as well be the OS environment as it performed a compatibility check or whatever as the process was launched.

And these are the only two "malicious" indicator. One indicates the unsurprising use of a now obsolete encryption protocol, and the other that the executable may be "grayware" and as such unwanted in enterprise environments.

The remaining "suspicious" indicators are equally generally unimportant, with either minor notes (the modifier key states) or a couple of unique sections in the executable that doesn't by themselves mean anything nefarious is going on.

 

Ergo, it's almost certainly a false positive.

 

Also, this is why PC gaming modding is slowly but steadily dying off -- the whole act of modifying a separate executable, process, or such is something that piracy/licensing violations also rely on, and so are prime targets for security enterprises that are interested in selling their services to corporations interested in ensuring their employees don't do anything nefarious which can harm the company in any way. What we end up with are constant false positives everywhere, and the 6 (now 9) detections this had on VirusTotal is in reality quite few. Like just try and use CheatEngine for a game trainer, and you end up with 25-30+ "malware" detections all because a tool created to manipulate memory of other processes (to enable cheating) can also be utilized for nefarious reasons (to enable license violations or piracy).

1 hour ago, andrew79 said:

I could write a code that does the same and doesn't light up all these red flags lik

Feel free to create a program that attempts to establish an encrypted connection using TLS 1.1 that _doesn't_ trigger that same MITRE detection.

 

• If you are able to, then that MITRE detection needs to be improved since clearly it's not working as intended and not detecting your use of TLS 1.1.
• Or, most likely, you're not actually using TLS 1.1 and instead use TLS 1.2 or 1.3 which the scanner wouldn't, you know, "detect" since there's nothing "to detect."

 

It's that simple.