Sonic 2 HD Alpha does NOT contain a keylogger after all


Man, things got really out of hand with this whole Sonic 2 HD virus thing. Earlier today, we informed you about a possible keylogger in Sonic 2 HD. Well, it seems SonicRetro – the source of this story – made some severe mistakes in their article. Why, you ask, and how do we know about it? Because the man who discovered the security issue within the game claims that the game does not contain a keylogger.
In a long post on Reddit, ‘Guess Who’ from Sonic Retro claims that the anti-virus warnings were indeed false positives and that there is no keylogger. The man who started all this and claimed that there was a keylogger was ‘MrVestek’. ‘MrVestek’ claimed that the keylogger was not accessing the Net, and that the game accesses the registry and monitors keystrokes even while it is not in focus. While this is true – in a way – the explanation is far simpler than you may have thought.
‘Guess Who’ confirmed that the program does, in fact, respond to keystrokes ‘even if you have another window in focus – say, you alt-tabbed to Chrome or Firefox or whatever. So, for example, if you have “jump” bound to spacebar and you have Chrome open, each time you press spacebar in Chrome will result in Sonic jumping in the background’. However, this occurs only when you use DirectInput for input. With the default keyboard option, there is no such behavior.
It’s also important to note that this only occurs while the game is running. Sonic 2 HD does not install a service or add anything to your startup programs. ‘Guess Who’ concludes that ‘this evidence coupled with the lack of any proof of any actual logging of keys – a required trait for a keylogger – heavily suggests that the problem is merely poor implementation of DirectInput’.
But what about the registry entries, right? Well, the team behind Sonic 2 HD decided to use the registry to store your video and controller settings and a “Stat” entry that is believed to track what you have unlocked in the demo. We’ve seen such things in other games too, so there is nothing ‘wrong’ with that.
And here is what ‘Guess Who’ had to say about the anti-virus warning:
“Yes, the game triggers an antivirus alert. No, it’s not because of keylogging. As I mentioned in my editorial, the game’s executable is packed and obfuscated to deter reverse engineers. Trojans often utilize the same tactic to hide malicious code. The fact that this compression sets off antivirus software is confirmed by Avira. AntiVir detects the game as “TR/Crypt.XPACK.Gen”, whose description reads:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.
VirusTotal, an online service that checks a program against multiple antivirus programs, vouches for this – not a single antivirus program detects the game as a keylogger. If you’re wondering why the executable is packed and obfuscated to begin with, it’s not because it is malicious. The programmer, LOst, has a severe case of paranoia and does not want Sonic Retro members to reverse engineer his engine.”
So there you have it, guys. No keylogger. It’s just a poor implementation of DirectInput and a paranoid move from the team’s programmer, and nothing more.
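The quoted explanation rests on the scanner reacting to packing rather than to any keylogging behaviour. As an added example (not from the article, Sonic Retro, or any antivirus vendor), the Python below measures byte entropy, one common signal that generic packer heuristics use; the 7.2 threshold, the function names and the sample data are assumptions constructed here, and the page does not say which signals Avira's detection relies on.

```python
import hashlib
import math
from collections import Counter

# Assumed cut-off for this example only; real scanners combine many signals.
PACKED_ENTROPY_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def keystream(seed: bytes, size: int) -> bytes:
    """Constructed stand-in for a compressed/encrypted payload (SHA-256 in counter mode)."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:size])


def triage(sections: dict) -> dict:
    """Return {section name: (entropy, looks_packed)} for each section."""
    report = {}
    for name, body in sections.items():
        h = shannon_entropy(body)
        report[name] = (round(h, 2), h >= PACKED_ENTROPY_THRESHOLD)
    return report


# Constructed sample "sections"; not extracted from the Sonic 2 HD executable.
SAMPLE_SECTIONS = {
    "plain_code": bytes.fromhex("558bec83ec1090c3") * 4096,  # repetitive opcodes
    "settings": b"Video=1280x720;Controller=Keyboard;Stat=0;" * 512,
    "packed_blob": keystream(b"constructed-sample", 32768),
}

if __name__ == "__main__":
    for name, (h, packed) in triage(SAMPLE_SECTIONS).items():
        verdict = "packed-looking" if packed else "ordinary"
        print(f"{name:12s} entropy={h:4.2f} bits/byte -> {verdict}")
```

A high-entropy result says only that the bytes are compressed or encrypted, which is why a packed game and a packed trojan can receive the same generic label.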