Question about .dll's in AppData (R2R Releases)

Discussion in 'Software' started by mrbobojenkins, Feb 9, 2022.

Tags:
  1. mrbobojenkins

    mrbobojenkins Noisemaker

    Joined:
    Jan 16, 2022
    Messages:
    13
    Likes Received:
    3
    I am going to post this here in case any noobies are curious like myself

    What purpose does the "R2RNIKG3.dll" serve along with other .dlls in AppData? Found one thread about similar dll files (https://audiosex.pro/threads/what-is-r2rls7hp-dll-file.57256/). Just curious as to how it works and why Windows Defender detects it as "Trojan:Win32/Tnega!ml" as opposed to the other "Trojan:Win32/Wacatac.DF!ml" false positive mentioned in that thread too. It's Team R2R so of course I am not debating that it's unsafe! Just wanted to learn something and maybe this thread can be used to relieve some panic for new people too who will google/browse here.

    It was R2R Kontakt 6 v.6.6.1 on the sister site with verified scene release tag directly from the sister site (posted this to comply with a pinned thread about detections)

    Was gonna delete this post but don't think I can, so I guess maybe we can turn this thread into one on information about them to prevent panic? Then again I would not be surprised if I missed some that did.

     
    Last edited: Feb 9, 2022
  2.  
  3. BEAT16

    BEAT16 Audiosexual

    Joined:
    May 24, 2012
    Messages:
    9,081
    Likes Received:
    7,000
  4. thomas78

    thomas78 Kapellmeister

    Joined:
    Apr 15, 2020
    Messages:
    199
    Likes Received:
    67
    just a guess... R2R Native Instruments Key Generator 3
     
    • Like Like x 1
    • Dislike Dislike x 1
    • Agree Agree x 1
    • Useful Useful x 1
    • List
  5. poly

    poly Platinum Record

    Joined:
    Sep 29, 2016
    Messages:
    282
    Likes Received:
    172
    Location:
    Hä?
    Did you de-compile the dll or is it your opinion like 1000+ other users that this is a false/positive? Did anyone de-compile stuff from our beloved and 'trusted' release groups? So if you didn't de-compile or look exactly with a Process Monitor what this stuff did you can't be 100% sure if it is a false/positiv! :guru:

    But hey, we have trusted KI/AI/META Virus/Trojan/POP/Adaware scanner..


    ..that could make sense!
     
    Last edited: Feb 9, 2022
    • Like Like x 1
    • Agree Agree x 1
    • List
  6. BEAT16

    BEAT16 Audiosexual

    Joined:
    May 24, 2012
    Messages:
    9,081
    Likes Received:
    7,000
    Nothing is certain. I've also had a lot of alarms and people keep saying here, download from safe sources like our sister site. The people who crack and/or upload would otherwise be putting their livelihood or earning potential at risk.
    In short, anyone who provides their users with viruses / Trojans will then be shunned.

    I have had 3 real viruses and trojans so far. These pests all came from untrustworthy websites. My anti-virus software has
    not protected me from them either. 2 times the screen froze asking me to transfer some bitcoins. 1 time I had a polyphonic
    virus that ate away the files. I had a full backup of the C./ hard drive and in 90 minutes my system was restored.
     
    • Interesting Interesting x 2
    • List
  7. poly

    poly Platinum Record

    Joined:
    Sep 29, 2016
    Messages:
    282
    Likes Received:
    172
    Location:
    Hä?
    Do you know about BIOS-Rootkits? :bleh:
     
  8. BEAT16

    BEAT16 Audiosexual

    Joined:
    May 24, 2012
    Messages:
    9,081
    Likes Received:
    7,000
    Yes, it's a nightmare.
    If an unauthorised rootkit is discovered at the BIOS level, there is only one way to get
    rid of it: The memory where the BIOS resides must be physically removed and replaced.

    Many companies lost more than 220 billion euros in the last few years due to hacker attacks.
     
    • Interesting Interesting x 1
    • List
  9. ArticStorm

    ArticStorm Moderator Staff Member

    Joined:
    Jun 7, 2011
    Messages:
    7,571
    Likes Received:
    3,827
    Location:
    AudioSexPro
    If the dll belongs to a keygen, it is packed to prevent it by getting reverse engineered by other people. AV dont have any unpackers, even if they had, you can still modify the pe header to force manual unpacking (r2r does that), so av companies decided to place all packed dll/exe files on a blacklist. It will therefore count as false positive.
    And since u got it from the sister page, there is nothing to worry.
     
    • Like Like x 2
    • Agree Agree x 1
    • Interesting Interesting x 1
    • List
  10. DoubleTake

    DoubleTake Audiosexual

    Joined:
    Jul 16, 2017
    Messages:
    2,245
    Likes Received:
    1,213
    I am not worried.
    I always wear clean underwear just in case.
     
  11. bobdule

    bobdule Rock Star

    Joined:
    Dec 28, 2014
    Messages:
    625
    Likes Received:
    436
    it is a part of the keygen.
    you can open R2R keygen.exe with 7zip to see what is inside.

    [​IMG]

    these file are crypted, or linked to execute, so the AV don't know how to read inside, it result an alert even if they are safe.

    2 AV alerts on virustotal are only based on missing version info & icon group, a simple rar sfx exe without it will result an alert.
    nothing is scaned. it is only a commercial issue to find something.

    the R2R Kontakt keygen don't use version info.
    [​IMG]
    usually all legit exe have one.

    ESET is quiet on keygens, re installable after an advanced revo cleanup without reboot, all you need is a new fake mail to reset the trial.
    maybe replace windows defender to stop this joke.
     
    • Winner x 3
    • Like x 2
    • Interesting x 2
    • Love it! x 1
    • Useful x 1
    • List
  12. boomoperators

    boomoperators Kapellmeister

    Joined:
    Mar 16, 2021
    Messages:
    90
    Likes Received:
    65
    If anyone wants to have a pre-installed "security-oriented" VM with all the necessary tools, check out "Flare VM". I stumbled upon this while watching Malware Analysis videos on Youtube and it seems to be a good solution to quickly populate a secured VM with tools.
    Always helped with unpacking binaries,etc

    https://github.com/mandiant/flare-vm
     
    • Useful Useful x 2
    • Like Like x 1
    • Interesting Interesting x 1
    • List
  13. mrbobojenkins

    mrbobojenkins Noisemaker

    Joined:
    Jan 16, 2022
    Messages:
    13
    Likes Received:
    3
    Yeah I figured this one was a false alarm, I just wanted to know what the .dll did and how I can analyze them in the future (like with the way people did with Nexus 3 that got removed off sister site).

    Thank you for the feedback though! I'll definitely use the tools here mentioned whenever I am curious about something.

    Also, which of those other sites gave you those viruses? Were they just the random VST ones?
     
    Last edited: Feb 9, 2022
  14. mrbobojenkins

    mrbobojenkins Noisemaker

    Joined:
    Jan 16, 2022
    Messages:
    13
    Likes Received:
    3

    Ahhh thank you, that makes sense now as to why Windows Defender gives off different readings too. It's not even scanning the file and just using machine learning to come up with an alert, which is why my alert was not showing up on the forums.
     
  15. BEAT16

    BEAT16 Audiosexual

    Joined:
    May 24, 2012
    Messages:
    9,081
    Likes Received:
    7,000
    It was random search with a search engine for something - has been a long time ago, where then was not inside what is written on it. So a fake which is of course fraud. You should really only download from sources you trust.
     
  16. bobdule

    bobdule Rock Star

    Joined:
    Dec 28, 2014
    Messages:
    625
    Likes Received:
    436
    some dev can modify the crack to spread shit over the internet.(not a virus but a not working version)
    flux does it for their first matrix lock Air crack.
     
  17. stopped

    stopped Producer

    Joined:
    Mar 22, 2016
    Messages:
    421
    Likes Received:
    134
    the people who spend a decade bringing us 10000 clean releases for goodwill and street cred are totally going to flush all of that away now for whatever momentary gains they can get from a botnet or credential stealing

    (not to say virus total isnt your friend)
     
  18. mrbobojenkins

    mrbobojenkins Noisemaker

    Joined:
    Jan 16, 2022
    Messages:
    13
    Likes Received:
    3
    Of course. This was all just a post to help me understand more about the purpose of the .dll and how to properly analyze them in depth and why they raise false flags. I'm a new account here and wanted to delete this post as I thought it mightve been a silly question but I think it'll end up being useful for people who get false positives and spread knowledge of tools like the ones posted above
     
  19. demberto

    demberto Rock Star

    Joined:
    Nov 27, 2018
    Messages:
    933
    Likes Received:
    328
    Best Answer
    Adding to what @bobdule already said, I once did a deeper analysis of these 4 files.
    1. Keygen.exe is the main executable. Made with Onionsoft HSP3 script.
    2. Bgm.xm / .mid is the music played by Keygen, you can play it in your application if you want by using the BASSMOD.dll or any other supported software
    3. BASSMOD.dll is used by Keygen.exe to play bgm.xm. this dll is packed with MPRESS.
    4. And finally, the keygen and/or patcher logic is present R2R****.DLL (8.3 naming scheme, so Win95 can probably run the keygen as well). This one is packed with MPRESS as well. Coded in C, so most probably the keygen designer and programmer are different ppl.
    Finally all this is packed into a single exe. Maybe like the self extracting archive. NSIS is used for this.

    MPRESS can be easily unpacked by XVolkolak, if you want to examine / learn keygen and/or patching logic. The DLL exports are nicely named i.e. GenerateLicense, IsPatched etc. so you instantly know what the function is for.
     
    • Winner Winner x 3
    • Interesting Interesting x 1
    • Love it! Love it! x 1
    • List
  20. mrbobojenkins

    mrbobojenkins Noisemaker

    Joined:
    Jan 16, 2022
    Messages:
    13
    Likes Received:
    3
    Thank you so much for this
     
  21. Corporateslag

    Corporateslag Member

    Joined:
    Oct 4, 2019
    Messages:
    45
    Likes Received:
    10
    So, If i download something from the sister site, say for example The Glue and my antivirus detects a trojan ( Bit defender) its still safe to run the key gen? Im finding this with a lot of keygens from R2R.
     
Loading...
Similar Threads - Question dll's AppData Forum Date
LoopCloud Subscription Question Internet for Musician Aug 8, 2024
A BPM Question samples Aug 6, 2024
Kontakt BobDule Library Questions Kontakt Aug 4, 2024
Sports Streaming Apps Question Lounge Jul 21, 2024
Genuine Question about selling FabFilter plugins Software Jul 19, 2024
Loading...