Of course, any AV company could add a rule to their signature checking to undo the XOR if they were targeting the romhack.ing site, but it sounds like they aren't being targeted but just getting caught up in the dragnet.
Did they check to see if their service has been compromised?
Why would Windows Defender flag GameBoy ROMs as malware?
Does a GameBoy ROMs website really mirror all 45 petabytes of Internet Archive?
I'm sure I'll get in touch with these folks to understand details, but I just wanted to make it known that if you do encounter what you think are false spam or malware issues, you can always email me directly at jscott at archive.org.
Not just for this instance, but in general... should I start emailing bank CEOs every time I get rejected for a house loan, or Henry Ford's children every time my mechanic refuses to service my car because of a defect they refuse to acknowledge?
Also, you should always mail the CEO of a bank if you get rejected for a loan if you think it was done unfairly.
That's literally how customer service in many industries works, yes.
derefr•5mo ago
(I will not directly link to these collections, for the fates are cruel. I'll just say that these IA collections are 'complete' per-console ROM collection archives created by "GoodMerge", a ROM collection validation and repacking tool — and are named very intuitively given that.)
EDIT: Furthermore, what's the proposed workflow? Does the Internet Archive run AVs over its collections? There's no way, right? That would be a massive compute expense.
wolrah•5mo ago
Distributing a modified ROM is as much copyright infringement as distributing the base ROM itself, so generally hacks are distributed as just the patch file and you have to provide your own copy of the base ROM and patch it from there.
It sounds like this site is packing the two together, and the patchers are causing the flagging issues. That also to me seems like the simple solution is to not do that and just distribute the patches without the software and have a note in the description pointing to a separate source for the patcher.
> Surely an automatic patcher is a pretty trivial piece of software, system-wise. It just reads a binary file and writes out a different binary file after doing some in-memory manipulations. Why would an AV flag such a program? I don't buy this explanation.
A virus that wants to infect other executables on the system is going to have patching code in it where it's relatively rare in "legitimate" software so it makes sense for antimalware heuristics to find it suspicious.
fluoridation•5mo ago
Sure, but what an AV is going to look for is code that manipulates executable files, not random binary files. If the patchers are designed to apply patch files to ROMs rather than having the patches embedded then it makes even less sense that they get flagged.
derefr•5mo ago
> It sounds like this site is packing the two together,
1. No; as you said, no ROM hacking site distributes the original ROM. This one is no exception. They don't want to flagrantly violate copyright. (And in fact, modern patch formats — xDelta, UPS, BPS — are designed to avoid even minor "quotations" of the original copyrighted material, by using "copy offset:length" ops, or by storing partial/sparse patch segments as XOR deltas of the old and new files.)
> and the patchers are causing the flagging issues
2. No ROM hacking site distributes a patcher executable along with the patch. It'd be a huge waste of both bandwidth and storage space on their CDN. Besides the very reason coming up here (novel archives containing executables make anti-virus programs unhappy), there's also the fact that modern emulators, when loading a ROM, will auto-apply a patch in-memory if one is found in the same directory + with the same basename as the ROM. (Similar to how VLC auto-loads subtitle files if found beside a video file.) Creating an on-disk modified ROM using an explicit patcher utility is, for the most part, unnecessary today.
FYI, I downloaded the first ROMhack I saw from the referenced site (romhack.ing). It was a .zip file. Decompressing it, all it contained was a set of .ips files (variants of the patch) and a README.txt.
In short, there is no inherent, structural reason that a site hosting only archive files like this one, would trigger any anti-virus system.
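Since the comment above turns on what a downloaded .ips file actually contains, here is a minimal IPS parser and applier as an added example (not code from romhack.ing, the Internet Archive, or any project named in the thread); the ROM bytes and the patch below are constructed, and the format details follow the publicly documented IPS layout.

```python
"""IPS patch parser/applier (added example). Layout: 'PATCH' header, then
records of 3-byte big-endian offset + 2-byte big-endian size + data bytes;
a size of 0 marks an RLE record (2-byte run length + 1 byte value); the
file ends with an 'EOF' trailer. Sample ROM and patch are constructed."""


def parse_ips(patch: bytes):
    """Return a list of (offset, payload) records with RLE runs expanded."""
    if patch[:5] != b"PATCH":
        raise ValueError("not an IPS patch: bad header")
    pos, records = 5, []
    while pos < len(patch):
        # 'EOF' is also a valid 3-byte offset, so only treat it as the trailer
        # when it is the last thing in the file (optionally followed by a
        # 3-byte truncate length used by some tools).
        if patch[pos:pos + 3] == b"EOF" and len(patch) - pos in (3, 6):
            break
        if pos + 5 > len(patch):
            raise ValueError("truncated record header")
        offset = int.from_bytes(patch[pos:pos + 3], "big")
        size = int.from_bytes(patch[pos + 3:pos + 5], "big")
        pos += 5
        if size == 0:  # RLE record: run length + single fill byte
            if pos + 3 > len(patch):
                raise ValueError("truncated RLE record")
            run = int.from_bytes(patch[pos:pos + 2], "big")
            payload = patch[pos + 2:pos + 3] * run
            pos += 3
        else:  # plain record: literal replacement bytes
            payload = patch[pos:pos + size]
            if len(payload) != size:
                raise ValueError("truncated data record")
            pos += size
        records.append((offset, payload))
    else:
        raise ValueError("missing EOF trailer")
    return records


def apply_ips(rom: bytes, patch: bytes) -> bytes:
    """Apply the patch to a copy of rom; IPS records may extend the file."""
    out = bytearray(rom)
    for offset, payload in parse_ips(patch):
        end = offset + len(payload)
        if end > len(out):
            out.extend(b"\x00" * (end - len(out)))
        out[offset:end] = payload
    return bytes(out)


# Constructed sample: 16-byte "ROM" and a patch with one literal record
# (2 bytes at offset 2) and one RLE record (4 x 0xFF at offset 8).
SAMPLE_ROM = bytes(range(16))
SAMPLE_PATCH = (b"PATCH"
                + (2).to_bytes(3, "big") + (2).to_bytes(2, "big") + b"HI"
                + (8).to_bytes(3, "big") + (0).to_bytes(2, "big")
                + (4).to_bytes(2, "big") + b"\xff"
                + b"EOF")
```

Note that the patch carries only the replacement bytes and their offsets, which is why a zip of .ips files contains no executable code to scan.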
jonhohle•5mo ago
Short answer is that no compiler would produce similar code and it’s probably a red flag that there’s odd dead code, jumps, or places where padding or nops are expected but there is code.
ROM hacks are more in depth, but often play the same tricks because they need to fit into sections they possibly shouldn't exist in (say, code in BSS), encode instructions in a way that known compilers wouldn't, or long-jump to odd places.
jonhohle•5mo ago
Or more simply, it could be packed with a README that links back to a modding group that hosts stuff on a site with malware or other “hacker” tools.
dvh•5mo ago
https://news.ycombinator.com/item?id=45000000