This project is an advanced assetbundle scanning system, designed to prevent maliciously corrupted assetbundles from crashing your game by preventing them from being downloaded at all, or at the very least blocking them from being loaded. It makes use of a wide range of technologies, including trie-lookup hash matching, VirusTotal's YARA signature matching engine, and AssetsTools.NET.
We know there are clients out there with some of this featureset, but we're tired of basic safety features like this being locked up behind invite-only Discords and Patreons.
Quit being dicks. You know who you are.
- Using ANY mods can get you banned from VRChat. Don't talk about using mods, and don't be obvious around people you don't trust.
- While BundleBouncer tries to block as much as it can, it still relies on known signatures and hashes for much of it's power. False negatives (and positives) are possible.
- BundleBouncer is now tied into a significant part of Unity's crusty underbelly. This can result in occasional weirdness.
- Some C# files in this project are generated from sets of data not included in this repository (to prevent skiddies getting access to all the bad avatars we know of), so the files seen here are not a complete representation of the codebase.
- However, the files in this project are representative of everything in the DLLs. Compiling this code should result in a DLL mostly identical to the one released as a binary (beyond some compiler gibberish).
- For security, malicious avatar IDs are hashed and mildly obfuscated so skiddies can't easily grab a list of them.
- We will not be releasing this on VRCMG yet, since they require manual reviews and would result in horrendously outdated definitions. We have split the project into a core DLL, and an automatically-generated definitions DLL to simplify things in the future.
- ONLY grab this DLL from https://github.com/ScottGriffin213/BundleBouncer/releases/latest or the mirror at https://gitgud.io/Scottinator/BundleBouncer/-/releases! Forks can contain dangerous code, so review any files from forks using dnSpy before installing them. Tip: If they're obfuscating the code, there's something they don't want you to see.
- Install VRChatUtilityKit
- Install UIExpansionKit
- Install BundleBouncer.dll from Releases into MelonLoader
Mods/directory. - Optionally, pre-download BundleBouncer.Shitlist.dll from LATEST_DEFINITIONS into a subfolder of your VRChat install called
Dependencies/. - Optionally, pre-download Global-YARA-Rules.bin from LATEST_DEFINITIONS into
UserData/BundleBouncer/.
NOTE: There are a bunch of avatars that are automatically blocked by the mod.
- Open or create
VRChat\UserData\BundleBouncer\My-Blocked-Avatars.txtin your favorite text editor. (Don't use WordPad, OpenOffice Write, or Word, they are word processors!) - Add the avatar ID (usually of format
avtr_<gibberish>) to a new line. - Save and close the file.
- Send the avatar ID to Scott!
The file should look like this when you're done:
# Any line beginning with # are comments and are ignored by BundleBouncer.
# NOTE: The avtr_ IDs used in this example are fake and shouldn't exist in real life.
avtr_6c6b51e5-5abe-4534-a223-f4d955770201
Please report any problems at the issue board above.
When reporting an issue, please provide the following:
- Your OS
- Full MelonLoader log (remove any private information)
- Steps we can take to have the same problem as you (Reproduction steps)
- What you were trying to do at the time
- What you expected to happen
- What actually happened
Feature requests are welcome, but are not guaranteed to be added.
Please note that any feature added is NOT your property, but the property of the project.
Please send any crasher, lagger, or otherwise malicious avatar IDs to scgriffin213@outlook.com (this is not my real email, but will still reach me). DO NOT REPORT THESE AVATARS TO THE ISSUE LIST ABOVE!
Include the following:
- Asset ID (
avtr_orfile_) - Assetbundle and/or its SHA256 checksum, if known (use
sha256sum filename) - Avatar Name, if available
- Pictures, if available
- Description of malicious behaviour (screenspace shader, assetbundle crasher, etc)
- World(s) encountered in
- The name you wish to be credited as, if you want.
- Discord: https://discord.gg/jt8xppHeQq
The public source code (which is contained in this repository) is MIT-licensed. Feel free to send Merge Requests (MRs) and report issues!
The full buildsystem and avatar dataset is proprietary for security reasons. Copyright ©2021-2022 "Scott Griffin". All rights reserved.
We make use of dnYara and libyara for signature matching. See here for dnYara's license and here for our changes to dnYara.
We also make use of AssetsTools.NET for smoke-testing AssetBundles.
Mono.Cecil is a dependency of AssetsTools.NET. We're fairly sure it's not actually used, but it's bundled into the mod, just in case.
- "Scott Griffin"
- null
- AdvancedSafety by Knah - IL2CPP interface code
- Finitizer by Knah - IL2CPP icall hooking code
- Airbus CERT - Made dnYara
- AssetTools.NET
- Behemoth - More help with IL2CPP
- Benji, Requi - Handholding, ideas, help with backend particulars
- Jewordi - Testing, ideas, being a bro
- StackOverflow - Code outsourcing
- VRCMG Discord - Putting up with my dumb questions
- Various skiddies - Outright stole and modified code for some sketchier API calls.
- VirusTotal - Made YARA