EXM Tweaks v2.1.1 — Full Reverse Engineering Analysis

Analysis Date: June 2026
Target: EXM-2.1.1-installer.exe (NSIS installer, 147 MB)
Vendor: EXM TWEAKS, s.r.o. (Bratislava, Slovakia)
Certificate: DigiCert SHA2 High Assurance Code Signing CA (valid)
Scope: Full static analysis of the installer, Electron app, embedded binaries, encrypted/obfuscated JS, kernel drivers, API backend, and Windows service.

⚠️ PRIVACY NOTICE: This repository contains a reverse engineering analysis of the EXM Tweaks application. Specific API endpoints, private domains, authentication keys, internal infrastructure URLs (including AWS ALB, S3 buckets, staging/test servers), and other proprietary backend details discovered during analysis have been redacted or removed for privacy and security reasons. The original extracted application source files containing plaintext endpoints have been deleted from the repository. The analysis findings and methodology are preserved without exposing the vendor's live backend infrastructure.


Table of Contents

  1. Executive Summary

  2. Installer Analysis

  3. Application Architecture

  4. Bundled Third-Party Executables

  5. Package Dependencies

  6. Obfuscation & Encryption

  7. API Endpoints & Network Communication

  8. Background Windows Service (exmantitamperingservice)

  9. Kernel Driver Analysis (HIDUSBF)

  10. Security Assessment

  11. Feature Inventory

  12. Digital Forensics Artifacts

  13. Appendices


1. Executive Summary

EXM Tweaks v2.1.1 is a commercial Windows PC optimization and gaming performance tool built as an Electron v22.19.0 desktop application with a React + Vite + Tailwind CSS frontend. It is digitally signed by a Slovak company (EXM TWEAKS, s.r.o.) with a valid DigiCert code signing certificate.

Risk Rating: MODERATE. The software is not malware, but it exhibits behaviors that warrant attention:

  • Aggressive anti-piracy/anti-debugging measures (a LocalSystem watchdog service that scans running process names)

  • Remote kill switch (the vendor can remotely disable and remove installations)

  • Kernel-mode USB driver (HIDUSBF) without a Microsoft/WHQL signature: ring 0 code, BSOD risk

  • Runs tweaks as SYSTEM via NSudoLC

  • PostHog telemetry with hardware fingerprinting

  • All JS code heavily obfuscated (javascript-obfuscator with RC4 string encoding)

  • Local configuration encrypted with AES-256-CBC + HMAC-SHA256, keyed from machine-specific material stored on the same host (deters casual edits; not a defense against a local administrator)

Recommended for: Gaming use cases where vendor trust is accepted.
Not recommended for: Enterprise, security-sensitive, or regulatory environments.


2. Installer Analysis

2.1 File Identification

| Property | Value |
|---|---|
| Filename | EXM-2.1.1-installer.exe |
| Size | 147 MB (154,349,568 bytes) |
| Type | NSIS (Nullsoft Scriptable Install System) Unicode |
| Signature | DigiCert SHA2 High Assurance Code Signing CA |
| Signer | EXM TWEAKS, s.r.o. (IČO: 56 964 611, Bratislava, SK) |
| Signed | January 2026 |

2.2 Extraction

The NSIS installer was extracted using 7-Zip, yielding 1,443 files across the following structure:

EXM_app/
├── EXM.exe                     # Electron main executable (193 MB)
├── chrome_100_percent.pak      # Chromium resources
├── chrome_200_percent.pak
├── d3dcompiler_47.dll          # Microsoft Direct3D HLSL Compiler
├── ffmpeg.dll                  # (file present, version info empty)
├── icudtl.dat                  # ICU Unicode data
├── libEGL.dll                  # ANGLE GL-EGL wrapper (v2.1.25161)
├── libGLESv2.dll               # ANGLE GLESv2 implementation (v2.1.25161)
├── LICENSES.chromium.html
├── resources/
│   ├── app.asar                # Electron application bundle (163 MB)
│   └── app.asar.unpacked/      # Unpacked native resources
│       ├── node_modules/       # Node.js dependencies
│       ├── resources/          # Bundled third-party binaries
│       └── windows-service/    # Background service source
├── resources.pak
├── snapshot_blob.bin           # V8 snapshot
├── v8_context_snapshot.bin
├── vk_swiftshader.dll          # SwiftShader Vulkan (v5.0.0)
├── vulkan-1.dll               # Vulkan Loader (v1.4.311.0)
└── node.dll                    # Node.js runtime library

2.3 Build Artifacts

The app was built with electron-builder (inferred from the app.asar.unpacked layout and the electron-updater dependency). A standalone Node.js v18.18.2 runtime ships in app.asar.unpacked/resources/node-runtime/ for the background service (Electron's own embedded Node is separate from it); the app.asar.unpacked/node_modules tree occupies 71 MB.


3. Application Architecture

3.1 Tech Stack

| Layer | Technology |
|---|---|
| Shell | Electron v22.19.0 |
| Runtime | Node.js v18.18.2 (standalone runtime bundled for the background service) |
| Frontend | React 18+ with TypeScript |
| Bundler | Vite |
| Styling | Tailwind CSS + tw-animate-css |
| State | Zustand v5 |
| Routing | React Router v7 |
| Forms | React Hook Form + Zod |
| Auth | OAuth (Google, Discord, Facebook) + custom JWT |
| Analytics | PostHog v1.293 (JS) + v5.14 (Node) |
| Updates | electron-updater v6 (S3-hosted releases) |
| UI | HeroUI, Radix UI primitives |
| Service | node-windows + WinSW v1.17.0 |

3.2 Electron Process Structure

Renderer Process (Vite/React)
    ↓ contextBridge API exposed by the preload script
Preload Script (out/preload/preload.js)
    ↓ IPC (ipcRenderer.invoke/send)
Main Process (out/main/main.js)
    ↓ HTTP over loopback (localhost:5000, see 8.5)
Background Service (EXMantitamperingservice.exe)
    └─ monitor.js       — Watchdog process scanning
    └─ security.js      — Encryption + HW fingerprinting
    └─ config.js        — Config management
    └─ httpServer.js    — Local API (port 5000)
    └─ reporter.js      — Telemetry reporter
    └─ installer.js     — Service installer
    └─ revertManager.js — Tweak rollback
    └─ uninstallDetector.js

3.3 Frontend Pages & Components

| Page/Component | Bundle Size | Description |
|---|---|---|
| HomePage | 35 KB | Main dashboard |
| GameModePage | 49 KB | Gaming optimization settings |
| DebloatPage | 64 KB | Windows debloating tools |
| HardwarePage | 31 KB | Hardware information |
| AdvancedPage | 1.4 KB | Advanced tweaks |
| BackupsPage | 20 KB | Backup management |
| SettingsPage | 13 KB | Application settings |
| Pricing | 8.5 KB | Subscription/pricing page |
| Onboarding | 42 KB | First-run wizard |
| Welcome | 79 KB | Welcome/landing screen |
| OAuthCallback | 3.9 KB | OAuth redirect handler |
| GeneralPage | 13 KB | General system settings |
| GeneralFixesPage | 9.7 KB | Quick system fixes |
| GeneralHardwarePage | 7.6 KB | Hardware tweaks |
| SmartSystemDetectionPage | 6.9 KB | Auto-detection UI |
| Posthog | 379 KB | PostHog analytics library |
| index-CfPnGu65.js | 1.1 MB | Main app bundle (includes all routes) |
| hardwareFingerprint | 14 KB | HWID collection module |

3.4 Content Security Policy (from index.html)

default-src 'self' res:;
connect-src 'self' res:
    http://localhost:5000
    http://localhost:5001
    http://localhost:8000
    http://eda2-alb-XXXXXXXXX.eu-north-X.elb.amazonaws.com (redacted for privacy)
    https://eda2-alb-XXXXXXXXX.eu-north-X.elb.amazonaws.com (redacted for privacy)
    https://test.XXXXXXX.com (redacted for privacy)
    https://XXXXXXX.com (redacted for privacy)
    https://ai.XXXXXXX.com (redacted for privacy)
    https://XXXXXXXXX.com (redacted for privacy)
    https://XXXXXXX.fancystudio.sk (redacted for privacy)
    https://*.i.posthog.com
    https://XXXXXXX.s3.eu-north-X.amazonaws.com (redacted for privacy);
script-src 'self';
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
font-src 'self' https://fonts.gstatic.com;
img-src 'self' data: res:
    http://localhost:5000
    https://cdn.discordapp.com
    https://lh3.googleusercontent.com
    https://graph.facebook.com
    https://platform-lookaside.fbsbx.com;

Notable: An AWS ALB hostname (eda2-alb-XXXXXXXXX.eu-north-X.elb.amazonaws.com, redacted for privacy) is present, likely the production API gateway, and it is whitelisted for both https:// and plaintext http://, so the policy does not force TLS to that host. connect-src also permits localhost:5000, 5001 and 8000, which means any script running in the renderer can reach the unauthenticated local service API described in 8.5. Images are allowed from Discord and the social platforms (auth avatars). script-src has no 'unsafe-eval' or 'unsafe-inline' (good); style-src allows 'unsafe-inline', which is low impact. Keep in mind that this CSP only constrains renderer content; the main process and the background service are Node.js code and are not governed by it.
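An added helper (not from the original report, and not code from the vendor) that parses a CSP string into directives and flags the source expressions that matter for an Electron renderer: plaintext http: to remote hosts, loopback listeners, wildcard hosts and the 'unsafe-*' keywords. The policy string is a shortened, constructed copy of the one above with the report's redaction placeholders kept as-is:

```javascript
// Added example: parse a Content-Security-Policy header into directives and
// flag sources that widen what the renderer can reach. The policy below is a
// constructed, shortened copy of the EXM CSP quoted above (redactions kept).
const SAMPLE_CSP = `
default-src 'self' res:;
connect-src 'self' res: http://localhost:5000 http://localhost:5001 http://localhost:8000
  http://eda2-alb-XXXXXXXXX.eu-north-X.elb.amazonaws.com
  https://eda2-alb-XXXXXXXXX.eu-north-X.elb.amazonaws.com
  https://*.i.posthog.com https://XXXXXXX.s3.eu-north-X.amazonaws.com;
script-src 'self';
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
font-src 'self' https://fonts.gstatic.com;
img-src 'self' data: res: http://localhost:5000 https://cdn.discordapp.com;
`;

// Split on ';' into directives, then on whitespace into source expressions.
function parseCsp(policy) {
  const directives = new Map();
  for (const raw of policy.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

const LOOPBACK = /^(https?:\/\/)?(localhost|127\.0\.0\.1|\[::1\])(:\d+)?$/i;

// Returns [{directive, source, reason}]. Only the patterns that matter for an
// Electron renderer are checked; this is not a complete CSP linter.
function auditCsp(policy) {
  const findings = [];
  for (const [directive, sources] of parseCsp(policy)) {
    for (const src of sources) {
      if (src === "'unsafe-eval'" || src === "'unsafe-inline'") {
        findings.push({ directive, source: src, reason: 'permits inline/eval content' });
      } else if (/^http:\/\//i.test(src) && !LOOPBACK.test(src)) {
        findings.push({ directive, source: src, reason: 'plaintext HTTP to a remote host' });
      } else if (LOOPBACK.test(src)) {
        findings.push({ directive, source: src, reason: 'loopback listener reachable from renderer' });
      } else if (/^https?:\/\/\*\./i.test(src)) {
        findings.push({ directive, source: src, reason: 'wildcard subdomain' });
      }
    }
  }
  return findings;
}

// Count findings by reason so a reviewer can see the shape of a policy at a glance.
function summarize(policy) {
  const counts = {};
  for (const f of auditCsp(policy)) counts[f.reason] = (counts[f.reason] || 0) + 1;
  return counts;
}

for (const f of auditCsp(SAMPLE_CSP)) {
  console.log(`${f.directive}: ${f.source} (${f.reason})`);
}
```

On the sample policy this reports four loopback entries (three in connect-src, one in img-src), one plaintext remote host, one wildcard host and one 'unsafe-inline'; the loopback entries are the ones worth tracing to the local API, since they turn any renderer-side script execution into a call path to a LocalSystem service.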


4. Bundled Third-Party Executables

4.1 NVCleanInstall v1.19.0

Property

Value

Executable

resources/nvidiaDrivers/NVCleanInstall.exe

Publisher

Wagnardsoft

Purpose

Custom NVIDIA driver installation (strips telemetry/NVIDIA Experience)

Risk

Low — legitimate tool, run with admin privileges

4.2 NVIDIA Profile Inspector v2.4.0.27

Property

Value

Executable

resources/nvidiaProfileInspector/nvidiaProfileInspector.exe

Publisher

Orbmu2k

Purpose

Modify hidden NVIDIA GPU driver profile settings

Risk

Low — legitimate tool

Profiles

6 .nip files in resources/nvidiaProfiles/ (XML-based, clean)

4.3 HIDUSBF v1.3.0 (Kernel Driver)

Property

Value

Executable

resources/DRIVER/Setup.exe

Companion

sx64.exe v1.3.0 (driver installer helper)

Publisher

HIDUSBF (community USB overclocking project)

Purpose

Modifies USB polling rate on HID-compliant mice (1kHz–8kHz)

Risk

HIGH — unsigned kernel driver, ring 0 access, BSOD potential

4.4 DevManView v1.80

Property

Value

Executable

resources/DevManView/DevManView.exe

Publisher

NirSoft

Purpose

Device manager alternative (command-line device enumeration/management)

Risk

Low — legitimate NirSoft tool

4.5 NSudoLC v9.0.2676

Property

Value

Executable

resources/NSudoLC.exe

Publisher

M2Team

Purpose

Run processes as SYSTEM (highest Windows privilege level)

Risk

HIGH — used to elevate tweaks beyond Administrator

4.6 WinSW v1.17.0 (Service Wrapper)

Property

Value

Executable

windows-service/src/daemon/exmantitamperingservice.exe

Publisher

WinSW (Windows Service Wrapper)

Purpose

Runs the Node.js background service as a Windows service

Risk

Low — legitimate wrapper

4.7 Node.js v18.18.2

Property

Value

Location

app.asar.unpacked/resources/node-runtime/node.exe

Size

71 MB (entire node_modules directory)

Purpose

Embedded Node.js runtime for background Windows service

Risk

Low — official Node.js build


5. Package Dependencies

From package.json:

{
  "name": "exm",
  "version": "2.1.1",
  "main": "out/main/main.js",
  "dependencies": {
    "@0biwank/gethwid": "^1.0.3",
    "@electron-toolkit/preload": "^3.0.2",
    "@electron-toolkit/utils": "^4.0.0",
    "@heroui/slider": "^2.4.21",
    "@heroui/system": "^2.4.20",
    "@heroui/theme": "^2.4.20",
    "@hookform/resolvers": "^5.1.1",
    "@posthog/react": "^1.4.0",
    "@radix-ui/react-*": "^1.x",
    "axios": "^1.6.0",
    "bytenode": "^1.5.7",
    "electron-log": "^5.4.3",
    "electron-store": "^11.0.2",
    "electron-updater": "^6.6.2",
    "lucide-react": "^0.511.0",
    "next-themes": "^0.4.6",
    "node-machine-id": "^1.1.12",
    "node-windows": "^1.0.0-beta.8",
    "posthog-js": "^1.293.0",
    "posthog-node": "^5.14.0",
    "react-router-dom": "^7.7.0",
    "remark-gfm": "^4.0.1",
    "sonner": "^2.0.5",
    "sudo-prompt": "^9.2.1",
    "uuid": "^13.0.0",
    "zod": "^3.25.67",
    "zustand": "^5.0.6"
  }
}

Notable Dependencies

| Package | Purpose | Risk |
|---|---|---|
| @0biwank/gethwid | Hardware ID generation | Low: HWID for licensing |
| bytenode | Compile JS to V8 bytecode | Medium: can hide code |
| node-machine-id | Machine fingerprint | Low: HWID component |
| node-windows | Windows service management | Medium: service manipulation |
| posthog-js / posthog-node | Full-session analytics | Medium: extensive telemetry |
| sudo-prompt | Elevate processes | Medium: admin escalation |
| electron-updater | Auto-update (S3-hosted) | Low: standard update mechanism |


6. Obfuscation & Encryption

6.1 JavaScript Obfuscation

All application JS files (main process, renderer, Windows service) are obfuscated using javascript-obfuscator with a multi-layered encoding scheme:

Obfuscation Layers:

  1. Control Flow Flattening: linear code converted to state-machine loops with switch/case dispatchers

  2. String Concealing: all string literals replaced with indexed lookups into encoded arrays

  3. RC4 + Custom Base64 Encoding: each string is RC4-encrypted under a per-call context key and then base64-encoded with a custom alphabet; the decoder base64-decodes first, then RC4-decrypts

  4. Dead Code Injection: randomized unreachable branches with opaque predicates (while(!![]), parseInt checks)

  5. Identifier Renaming: _0xXXXX pattern for all variables and function names

  6. Context-Key Rotation: each file uses its own set of RC4 keys, and the key passed to the decoder changes from one string lookup to the next

Decoder function pattern (present in every obfuscated file):

function _0xXXXX(_0xYYYY, _0xZZZZ) {
    // Custom base64 alphabet: "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/="
    // Decodes base64 → RC4-decrypts with rotating key derived from context
}

Deobfuscation was achieved by:

  1. Extracting the encoded string arrays

  2. Identifying the RC4 decryption keys embedded as context variables

  3. Running the native decoder function against all encoded indexes

  4. Reassembling the plaintext source

6.2 Configuration Encryption

Algorithm: AES-256-CBC + HMAC-SHA256

  • Config stored at %ProgramData%\EXM\config.json

  • Encrypted with AES-256-CBC using a derived key

  • Integrity verified with HMAC-SHA256

  • Key material derived from machine-specific values (the exact derivation was not recovered)

Key management:

  • %ProgramData%\EXM\security\hmac.key — HMAC verification key

  • %ProgramData%\EXM\security\key_version.txt — Key version tracking

  • CURRENT_VERSION = "2025-12-01" — Embedded version string

Because the HMAC key sits in %ProgramData%\EXM\security\ next to the ciphertext and the AES key is derived from values readable on the host, this scheme gives tamper evidence against casual edits of config.json, not confidentiality against a local administrator, who can recompute both keys.

6.3 Electron safeStorage

The preload script exposes a secureStorage API via contextBridge. On Windows, Electron's safeStorage wraps DPAPI scoped to the logged-on user, so anything it encrypts can be decrypted by any process running in that user's session; it protects values at rest from other accounts, not from code running as the same user.

secureStorage: {
    isEncryptionAvailable: () => { /* checks Electron safeStorage */ },
    encryptString: (str) => { /* uses safeStorage.encryptString() → base64 */ },
    decryptString: (encoded) => { /* base64 → safeStorage.decryptString() */ }
}

7. API Endpoints & Network Communication

7.1 Complete Endpoint Map

| Endpoint | Protocol | Purpose | Authentication |
|---|---|---|---|
| [redacted]/api/v1/* | HTTPS | Main backend API | JWT token |
| [redacted]/api/vX/killXXXXXX/check | HTTPS | Remote kill switch | None (public) |
| [redacted]/api/vX/scripts/* | HTTPS | Tweak execution scripts | JWT token |
| [redacted]/api/* | HTTPS | User authentication | OAuth/JWT |
| [redacted]/api/XXXX | HTTPS | AI chatbot | API key |
| us.i.posthog.com/* | HTTPS | Analytics telemetry | PostHog key |
| [redacted].s3.eu-north-X.amazonaws.com/XXXXXXXX/XXXXXX/ | HTTPS | Auto-updates | None (public S3) |
| eda2-alb-XXXXXXXXX.eu-north-X.elb.amazonaws.com | HTTPS (CSP also permits plaintext HTTP) | AWS ALB endpoint | JWT token |
| [redacted] | HTTPS | Test/staging API | not recorded |
| [redacted].fancystudio.sk | HTTPS | Test/staging API | not recorded |
| localhost:5000 | HTTP | Local service API | None (loopback) |
| localhost:5001 | HTTP | Local service API | None (loopback) |
| localhost:5002 | HTTP | Local revert queue API | None (loopback) |
| localhost:8000 | HTTP | Local service API | None (loopback) |

7.2 OAuth Providers (from preload.js and the CSP img-src list)

  • Google: avatar host https://lh3.googleusercontent.com

  • Discord: avatar host https://cdn.discordapp.com

  • Facebook: avatar hosts https://graph.facebook.com, https://platform-lookaside.fbsbx.com

These are the avatar image origins whitelisted in img-src, not the providers' authorization endpoints. The OAuth flow opens a child BrowserWindow for the external provider, then hands the callback to the main process via IPC (onOAuthCallback, onAuthCallback).

7.3 AI Chatbot

  • Endpoint: https://[redacted]/api/XXXX

  • Hardcoded API Key: bytehintXXXXXXXXXXXXXXXX (redacted for privacy)

  • Purpose: Provides an AI assistant within the app (likely for support/guidance)

A key embedded in a client bundle is recoverable by any user (this analysis extracted it from the obfuscated JS), so it should be treated as public: its blast radius is whatever quota, scope and rate limits the backend enforces on it server-side.

7.4 Kill Switch Mechanism

Endpoint: GET https://[redacted]/api/vX/killXXXXXX/check

When triggered, the service:

  1. Receives a kill signal from the API

  2. Stops and deletes the Windows service (EXMantitamperingservice)

  3. Creates a cleanup batch script

  4. Deletes its own installation directory

  5. Reverts all applied tweaks

This gives the vendor the ability to remotely remove the application and its service from any installation. The check is an unauthenticated GET (hence "None" in 7.1), so the integrity of the kill response rests on TLS certificate validation in secureClient.js (8.2); whether the response is additionally signed or otherwise authenticated was not determined.

7.5 Telemetry (PostHog)

Endpoint: https://us.i.posthog.com

PostHog is configured with:

  • posthog-js v1.293 (renderer; listed as 379 KB in the bundle inventory in 3.3)

  • posthog-node v5.14 (Node.js service)

  • @posthog/react v1.4 — React integration hooks

Telemetry scope (the capabilities of the libraries in use; which of these are actually enabled is governed by the PostHog project's server-side configuration and was not confirmed from the client code):

  • Page views and navigation

  • Feature usage and clicks

  • System information (OS, hardware)

  • Session recordings (only if enabled for the project; posthog-js fetches that setting from the PostHog backend at startup)

  • Error tracking

  • Custom events (tweak application, backup creation)

The connect-src entry https://*.i.posthog.com in the CSP is what lets the renderer reach PostHog's ingestion hosts.


8. Background Windows Service (exmantitamperingservice)

8.1 Overview

| Property | Value |
|---|---|
| Service Name | EXMantitamperingservice |
| Runnable | exmantitamperingservice.exe (WinSW v1.17.0 wrapper) |
| Runtime | Node.js v18.18.2 (embedded) |
| Source | 15 JS files (all obfuscated) at windows-service/src/, inventoried in 8.2 |
| Total Size | ~225 KB (source) |
| Installation | Via installer.js (runs as SYSTEM) |

8.2 File Inventory

| File | Size | Purpose |
|---|---|---|
| service.js | 25 KB | Main service entry point |
| monitor.js | 18 KB | Watchdog: scans for blocklisted processes |
| security.js | 20 KB | Encryption, HW fingerprinting, key management |
| config.js | 9 KB | Config read/write (encrypted) |
| encryption.js | 11 KB | AES-256-CBC + HMAC utilities |
| httpServer.js | 13 KB | Local Express HTTP server on port 5000 |
| reporter.js | 23 KB | Telemetry reporter |
| installer.js | 40 KB | Service installer |
| uninstaller.js | 18 KB | Service uninstaller |
| uninstallDetector.js | 22 KB | Detects EXM app uninstallation |
| revertManager.js | 18 KB | Tweak rollback management |
| executeReverts.js | 13 KB | Executes revert operations |
| integrity.js | 21 KB | File integrity verification |
| healthCheck.js | 20 KB | Health check endpoint |
| secureClient.js | 12 KB | HTTPS client with certificate validation |

8.3 Monitor.js — Dangerous Processes Detection

The service continuously enumerates running processes and compares image names against a blocklist. On a match it may take protective action (the analysis noted alerting the vendor and stopping tweaks; the exact response was not traced). Because the match is on the image name, the check catches stock tool binaries and is defeated by renaming the executable.

Detected Process Categories:

| Category | Tools |
|---|---|
| Debuggers | x64dbg.exe, x32dbg.exe, x96dbg.exe, windbg.exe, ollydbg.exe, ollyice.exe |
| Disassemblers | ida.exe, ida64.exe, idaq.exe, idaq64.exe |
| Memory Scanners | cheatengine-x86_64.exe, cheatengine-i386.exe |
| Network Monitors | wireshark.exe, rawshark.exe, tshark.exe |
| Process Analysis | processhacker.exe, procexp.exe, procexp64.exe, procmon.exe, procmon64.exe |
| DLL/Code Analysis | scylla.exe, scylla_x64.exe, scylla_x86.exe, hollows_hunter.exe |
| Packet manipulation | mitmproxy.exe, fiddler.exe, charles.exe |
| Behavioral Analysis | cuckoo.exe, capesandbox.exe |
| Cheating tools | hopper.exe, cheatengine-x86_64.exe, artmoney.exe, tsearch.exe |
| Modding tools | modengine.exe, universalunrealengine4unlocker.exe |
| Debug/Trace tools | apimonitor.exe, deviare.exe, rodbat.exe, pwnat.exe, lordpe.exe, importrec.exe |
| Registry monitors | regmon.exe |
| Anti-debug bypass tools | scylla_hide.exe, extreme_injector.exe, process_hollowing.exe, api_monitor.exe |
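An added illustration (not the vendor's monitor.js) of what an image-name watchdog of this kind does, run over a constructed `tasklist /fo csv` snapshot. The blocklist is a subset of the table above; the process rows, PIDs and the renamed debugger on the last row are invented for the example:

```javascript
// Added example, not the vendor's code: image-name watchdog over tasklist CSV output.
// BLOCKLIST is a subset of the names in the table above; SAMPLE_TASKLIST is constructed.
const BLOCKLIST = new Set([
  'x64dbg.exe', 'x32dbg.exe', 'windbg.exe', 'ida.exe', 'ida64.exe',
  'cheatengine-x86_64.exe', 'wireshark.exe', 'procmon.exe', 'procmon64.exe',
  'procexp.exe', 'procexp64.exe', 'mitmproxy.exe', 'fiddler.exe', 'scylla_x64.exe',
].map((n) => n.toLowerCase()));

// Constructed sample: two rows match the list, one is a renamed debugger, rest are benign.
const SAMPLE_TASKLIST = `"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Services","0","8 K"
"EXM.exe","4120","Console","1","210,412 K"
"x64dbg.exe","5188","Console","1","90,004 K"
"Procmon64.exe","6010","Console","1","55,120 K"
"notepad.exe","6322","Console","1","12,000 K"
"totally_not_a_debugger.exe","7001","Console","1","90,004 K"`;

// Minimal parser for tasklist's quoted CSV; commas inside "Mem Usage" stay intact.
function parseTasklistCsv(text) {
  const rows = text.split(/\r?\n/).filter(Boolean);
  return rows.slice(1).map((line) => {
    const cells = line.match(/"([^"]*)"/g).map((c) => c.slice(1, -1));
    return { image: cells[0], pid: Number(cells[1]) };
  });
}

// Case-insensitive exact match on the image name, exactly as tasklist reports it.
function findBlockedProcesses(text, blocklist = BLOCKLIST) {
  return parseTasklistCsv(text).filter((p) => blocklist.has(p.image.toLowerCase()));
}

console.log(findBlockedProcesses(SAMPLE_TASKLIST));
```

The renamed debugger is not flagged, which is the limit of this technique: it catches stock tool binaries and nothing else. A tester who renames x64dbg.exe walks past it, and the same holds for the real monitor.js as long as it matches on names rather than, say, module hashes or debugger-attached state.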

8.4 Security.js — Hardware Fingerprinting

The service collects a machine fingerprint using multiple sources:

  1. WMI commands — Windows Management Instrumentation (motherboard serial, CPU, disk, BIOS)

  2. @0biwank/gethwid — Third-party HWID library

  3. node-machine-id — Machine GUID

  4. CPU serial — Direct WMI query

  5. OS Info — via os module (hostname, platform, release, total memory, CPU cores)

The fingerprint is used for:

  • License binding (prevents sharing accounts)

  • Telemetry enrichment

  • Possibly kill switch identification

8.5 HttpServer.js — Local API

Runs an Express server on port 5000 providing:

| Endpoint | Method | Purpose |
|---|---|---|
| /api/health | GET | Health check |
| /api/config | GET | Read encrypted config |
| /api/config | POST | Write encrypted config |
| /api/status | GET | Service status |
| /api/revert | POST | Trigger tweak revert |
| /api/apply | POST | Apply tweak |
| Custom routes | (varies) | As defined by the main process |

The listener is bound to loopback and carries no authentication (7.1) while the service itself runs as LocalSystem (12.3). Any local process, including one running as a standard user, can therefore reach /api/apply and /api/revert; what input validation those routes perform was not examined in this analysis. The renderer CSP (3.4) also lists localhost:5000 in connect-src, so the same routes are reachable from renderer-side script.

Also connects to port 5002 for the revert queue:

  • http://localhost:5002/api/revert-queue/add

  • http://localhost:5002/api/revert-queue/remove/${id}

8.6 Service Installation Flow

installer.js:
1. Ensure the Node.js runtime exists (download from nodejs.org if missing; the analysis did not record an integrity check on that download, and a SYSTEM-context fetch of an executable at install time is a supply-chain exposure if none exists)
2. Check required npm modules (node-windows)
3. Create the service with the WinSW wrapper
4. Configure the service to start automatically
5. Register it with the Windows Service Control Manager
6. Start the service

uninstaller.js:
1. Stop the service
2. Remove it from the SCM
3. Clean up service files
4. (If triggered by the kill switch) Revert all tweaks and delete the installation directory

9. Kernel Driver Analysis (HIDUSBF)

9.1 Architecture

HIDUSBF is a community-developed kernel-mode driver that modifies the USB polling rate for HID-compliant mice. It operates at ring 0 (kernel mode).

9.2 Driver Variants

| Directory | Architecture | Variant | File Size |
|---|---|---|---|
| DRIVER/AMD64/1khz/ | x64 | 1000 Hz polling | 25,288 B |
| DRIVER/AMD64/2khz-4khz/ | x64 | 2000–4000 Hz | 25,288 B |
| DRIVER/AMD64/4khz-8khz/ | x64 | 4000–8000 Hz | 25,288 B |
| DRIVER/AMD64/nopatch/ | x64 | No patch (fallback) | 23,368 B |
| DRIVER/NTX86/1khz/ | x86 | 1000 Hz | 23,368 B |
| DRIVER/NTX86/2khz-4khz/ | x86 | 2000–4000 Hz | 23,496 B |
| DRIVER/NTX86/4khz-8khz/ | x86 | 4000–8000 Hz | 23,496 B |
| DRIVER/NTX86/nopatch/ | x86 | No patch (fallback) | 21,216 B |
| DRIVER/AMD64_AS/*/ | x64 | Alternative signing variant | 20,464–20,688 B |
| DRIVER/NTx86_AS/*/ | x86 | Alternative signing variant | not recorded |
| DRIVER/98ME/*/ | Legacy | Windows 98/ME variant | not recorded |

Total: 15 .sys driver variants for different architectures and polling rates.

9.3 Driver Characteristics

| Property | Value |
|---|---|
| Imports | ntoskrnl.exe only (standard kernel driver pattern); no hal.dll, kernel32.dll or win32k.sys imports |
| String content | Only DigiCert code signing certificate chain data (CRL, OCSP, CPS URLs) |
| Network code | None; every "http" string belongs to the embedded certificate chain |
| C2 strings | None (no URLs, domains, IPs or socket-related strings beyond the certificate data) |
| Exports | Clean driver export table, no suspicious exports |

The embedded DigiCert chain means the .sys files carry an Authenticode signature of some kind; "unsigned" elsewhere in this report means the driver lacks a Microsoft signature (WHQL or attestation), which 64-bit Windows 10 and 11 require for kernel drivers under Secure Boot unless the driver carries a cross-signature that predates Microsoft's 2015 cutoff. Before drawing conclusions about whether and how it loads, run Get-AuthenticodeSignature (PowerShell) or signtool verify /v /kp against each .sys to establish the actual signer, chain and timestamp.

9.4 Installation Mechanism

  1. Setup.exe runs as Administrator

  2. Creates a system restore point

  3. Installs the .sys driver for the target polling frequency

  4. Registers with Windows USB HID stack

  5. System reboot required for activation

9.5 Risk Assessment

| Risk | Description |
|---|---|
| Stability | A kernel driver without Microsoft signing or WHQL testing can BSOD on incompatible hardware or after Windows updates |
| Security | Ring 0 code: a crash or exploitable bug in the driver compromises the whole OS |
| Driver signing | 64-bit Windows 10 and 11 require Microsoft-signed (WHQL or attestation) kernel drivers when Secure Boot is enabled, so the driver may fail to load on current systems |
| Secure Boot / HVCI | May be refused under Secure Boot or HVCI (Memory Integrity); users pushed to turn Memory Integrity off weaken the system well beyond this one driver |
| Integrity | Driver comes from the community HIDUSBF project, not a Microsoft WHQL-signed release |


10. Security Assessment

10.1 Risk Matrix

| Finding | Severity | Impact | Likelihood |
|---|---|---|---|
| Kill switch (remote removal capability) | CRITICAL | Complete loss of the application | Low (requires vendor action) |
| Kernel driver without Microsoft signature (HIDUSBF) | HIGH | BSOD, system instability | Medium |
| NSudoLC (SYSTEM execution) | HIGH | Tweaks run as SYSTEM by design | Certain |
| Full telemetry (PostHog) | MEDIUM | Privacy, data collection | Certain |
| AES-256 config (local encryption) | MEDIUM | Config readable and modifiable by a local administrator, since the keys live on the same host | Low |
| Heavy obfuscation | LOW | Code transparency | Certain |
| Background service | MEDIUM | Persistent LocalSystem access, unauthenticated loopback API | Certain |
| Uninstall detection | LOW | Persistence after uninstall | Low |
| Hardware fingerprinting | MEDIUM | User tracking, license locking | Certain |
| Auto-update (S3 hosted) | LOW | Supply chain risk | Low |

10.2 External Communication Map

EXM Application
├── Renderer Process
│   ├── [redacted]/api/v1/*           — Main API
│   ├── [redacted]/api/*              — Auth API
│   ├── [redacted]/api/XXXX           — AI Chatbot
│   ├── us.i.posthog.com/*            — PostHog Analytics
│   └── [redacted].s3.eu-north-X...   — Updates
│
├── Main Process (Node.js)
│   ├── [redacted]/api/v1/*           — Main API
│   ├── [redacted]/api/vX/scripts/*   — Script execution
│   └── localhost:5000                — Local service
│
├── Background Service
│   ├── [redacted]/api/vX/killXXXXXX  — Kill switch
│   ├── [redacted]/api/v1/*           — Main API
│   └── us.i.posthog.com/*            — Telemetry

10.3 False Positives Ruled Out

During analysis, the following potential suspicions were confirmed as benign:

  1. "MZ" headers in PNG files — False positives; these are coincidental byte patterns in icon resources. No valid PE structures exist in any PNG file.

  2. "http" strings in .sys drivers — All are DigiCert code signing certificate chain data (CRL, OCSP, CPS URLs), not network communication code.

  3. Embedded PEs in resource files — All Chromium resource files (.pak, .dat, .bin) were verified as standard format with no embedded executables.

  4. RC4 encryption — Used for string concealment in obfuscation, not for data exfiltration.

10.4 Vendor Capabilities

What the vendor (EXM TWEAKS, s.r.o.) can do post-installation:

  1. Remotely remove the app: via the kill switch endpoint (per-HWID targeting is plausible given the fingerprint the service collects, but was not confirmed; see 8.4)

  2. Collect telemetry: PostHog analytics from both the renderer and the service

  3. Push updates: via S3-hosted electron-updater releases. On Windows, electron-updater verifies the downloaded installer's Authenticode signature against the expected publisher, so this capability requires the vendor's signing key as well as write access to the bucket

  4. Identify users: via machine fingerprinting + OAuth accounts

  5. Execute SYSTEM-privilege code: via NSudoLC for tweaks, and through the LocalSystem service itself

  6. Observe running process names: via the background watchdog (8.3), reported through reporter.js


11. Feature Inventory

11.1 System Tweaks

| Category | Tweaks |
|---|---|
| CPU | Power plan optimization, CPU priority adjustments, core parking disable |
| GPU | NVIDIA driver clean install, profile inspector settings (via bundled tools) |
| RAM | Memory management tweaks, page file optimization |
| Disk | Drive optimization, NTFS tweaks |
| Network | TCP/IP optimization, DNS settings, MTU adjustments |
| USB | Mouse polling rate modification (via HIDUSBF kernel driver) |
| Windows | Debloating (remove Cortana, telemetry, OneDrive, Xbox features, etc.) |
| Services | Disable unnecessary Windows services |
| Power | High-performance power scheme, USB selective suspend disable |
| Visual | Visual effects adjustments, transparency disable |

11.2 Feature Modules (from renderer bundles)

| Module | Description |
|---|---|
| HomePage | Dashboard with system status, performance score, quick actions |
| GameMode | Gaming optimization with one-click apply |
| Debloat | Windows bloatware removal tool |
| Backups | System restore point and tweak backup/restore |
| Hardware | Hardware information display |
| Smart Detection | Auto-detects system configuration and recommends tweaks |
| AI Chatbot | AI-powered assistant for tweak recommendations |
| Onboarding | First-run wizard for new users |
| Settings | Application preferences, theme, account management |
| Pricing | Subscription plans (likely paid-only features) |

11.3 Anti-Tampering Features (from monitor.js)

The background service:

  • Detects debuggers, disassemblers, memory scanners and network monitors by process image name (8.3)

  • Detects process analysis tools (Process Hacker, Process Explorer)

  • Detects DLL injectors and code analysis tools

  • Detects packet analyzers and proxies (Wireshark, Fiddler, mitmproxy)

  • Detects cheat engines and game modification tools

  • May report detected tools to the vendor via telemetry (the exact response was not traced; see 8.3)

  • Uninstalls itself if the EXM app is deleted (uninstallDetector.js)


12. Digital Forensics Artifacts

12.1 Filesystem Artifacts

| Path | Purpose |
|---|---|
| %ProgramData%\EXM\config.json | AES-256-CBC encrypted configuration |
| %ProgramData%\EXM\security\hmac.key | HMAC verification key |
| %ProgramData%\EXM\security\key_version.txt | Encryption key version |
| C:\Program Files\EXM Tweaks\ | Default installation directory |
| C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EXM Tweaks\ | Start menu shortcuts |

12.2 Registry Artifacts

(Expected, based on NSIS installer patterns)

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EXM Tweaks — Uninstall entry

  • HKLM\SYSTEM\CurrentControlSet\Services\EXMantitamperingservice — Service registration

  • Service start type: Automatic

12.3 Service Artifacts

  • Service Name: EXMantitamperingservice

  • Display Name: EXM Anti-Tampering Service

  • Binary: C:\Program Files\EXM Tweaks\windows-service\src\daemon\exmantitamperingservice.exe

  • Working Directory: C:\Program Files\EXM Tweaks\windows-service\

  • Account: LocalSystem (default for WinSW)

  • Dependencies: None

12.4 Network Artifacts

  • DNS lookups: [redacted-main-api], [redacted-auth-domain], [redacted-ai-domain], us.i.posthog.com, [redacted].s3.eu-north-X.amazonaws.com, eda2-alb-XXXXXXXXX.eu-north-X.elb.amazonaws.com

  • Local ports: 5000, 5001, 5002, 8000 (loopback HTTP listeners; 5000 is the Express service API and 5002 the revert queue)

  • TLS: external API and telemetry traffic uses HTTPS, but the renderer CSP (3.4) also whitelists plaintext http:// to the ALB hostname, so HTTPS is not enforced by policy for that host


13. Appendices

A. File Hashes

| File | SHA-256 |
|---|---|
| EXM-2.1.1-installer.exe | (not computed; see original file) |
| EXM.exe | (not computed; see original file) |

B. Certificate Chain

DigiCert High Assurance EV Root CA
  └── DigiCert SHA2 High Assurance Code Signing CA
       └── EXM TWEAKS, s.r.o. (valid through ~2028)

C. Tools Used

| Tool | Purpose |
|---|---|
| 7-Zip 24.x | NSIS installer extraction, ASAR archive extraction |
| strings (Sysinternals) | Binary string extraction |
| PE format analysis | DLL and EXE structure verification |
| JavaScript AST analysis | Obfuscation reversal |
| Node.js REPL | RC4 decoder execution |
| PowerShell | System analysis, file scanning |
| Windows Sysinternals | Process and binary verification |

D. Methodology

  1. Static Analysis — Binary examination without execution

  2. Installer Extraction — 7-Zip decompression of NSIS archive

  3. ASAR Extraction — Electron app archive unpacking

  4. Code Analysis — Manual and automated JS deobfuscation

  5. Network Mapping — All URLs extracted from JS and CSP headers

  6. Binary Verification — PE header validation, digital signature checking

  7. DLL/Driver Analysis — Import table, string extraction, certificate verification

  8. Resource Validation — Confirmed no embedded payloads in resource files

E. Update Channels

The application uses electron-updater v6.6.2 configured with:

  • Provider: S3

  • Bucket: [redacted].s3.eu-north-X.amazonaws.com

  • Path: [redacted]

  • Format: .exe NSIS installers (as per build configuration)

On Windows, electron-updater verifies the Authenticode signature of a downloaded installer against the publisher name fixed at build time before executing it, so write access to the bucket alone is not enough to deliver modified code; the vendor's signing key would also be needed. Confirm that this check (electron-builder's publisherName and verifyUpdateCodeSignature settings) has not been disabled in the build configuration before relying on it.

F. Deobfuscation Detail

The obfuscation scheme uses a rotating two-key system per file. Each JavaScript file contains:

  1. Two encoded string arrays (generated from _0x1218() in monitor.js)

  2. A custom base64 decoder (function _0x4636 / function _0x3836)

  3. Context keys that rotate the RC4 cipher

The RC4 implementation uses a standard 256-byte key scheduling algorithm (KSA) with the context variable as the encryption key. String access follows the pattern:

_0x3836(0x191,'FVRU')  // Returns decoded string at index 0x191 using key context 'FVRU'
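An added, working model of the string-array scheme described in 6.1 and in this appendix. It is not the vendor's decoder or javascript-obfuscator's own template (details such as how the real template escapes non-ASCII output are not reproduced); the custom alphabet and the base64-then-RC4 decode order follow the text, while the string array, the indices and the 'FVRU' / 'k3Pz' context keys are constructed for the example:

```javascript
// Added example, not the vendor's decoder: a model of the custom-base64 + RC4
// string-array scheme, with an encoder so the block can build its own sample
// array. The array, indices and context keys below are constructed.
const ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=';

// Standard RC4: 256-byte KSA keyed by `key`, then PRGA XOR over `data`.
function rc4(data, key) {
  const S = Array.from({ length: 256 }, (_, i) => i);
  const k = Buffer.from(key, 'utf8');
  for (let i = 0, j = 0; i < 256; i++) {
    j = (j + S[i] + k[i % k.length]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
  }
  const out = Buffer.alloc(data.length);
  for (let n = 0, i = 0, j = 0; n < data.length; n++) {
    i = (i + 1) & 0xff;
    j = (j + S[i]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
    out[n] = data[n] ^ S[(S[i] + S[j]) & 0xff];
  }
  return out;
}

// Base64 over the custom alphabet. Same symbols as standard base64 but with the
// lower-case block first, which is why a plain atob() returns garbage.
function b64Encode(buf) {
  let bits = '';
  let out = '';
  for (const b of buf) bits += b.toString(2).padStart(8, '0');
  for (let i = 0; i < bits.length; i += 6) {
    out += ALPHABET[parseInt(bits.slice(i, i + 6).padEnd(6, '0'), 2)];
  }
  while (out.length % 4) out += '=';
  return out;
}
function b64Decode(str) {
  let bits = '';
  for (const ch of str.replace(/=+$/, '')) {
    bits += ALPHABET.indexOf(ch).toString(2).padStart(6, '0');
  }
  const bytes = [];
  for (let i = 0; i + 8 <= bits.length; i += 8) bytes.push(parseInt(bits.slice(i, i + 8), 2));
  return Buffer.from(bytes);
}

// Obfuscator side: RC4 under the context key, then custom base64.
function encodeString(plain, key) {
  return b64Encode(rc4(Buffer.from(plain, 'utf8'), key));
}
// Runtime side, the equivalent of the _0x3836(index, key) lookup: base64, then RC4.
function makeDecoder(stringArray) {
  return (index, key) => rc4(b64Decode(stringArray[index]), key).toString('utf8');
}

// A constructed string array, laid out the way the obfuscated bundle would carry it.
const CONTEXT_KEYS = ['FVRU', 'k3Pz', 'FVRU'];
const PLAINTEXTS = ['x64dbg.exe', '/api/health', 'localhost:5000'];
const STRING_ARRAY = PLAINTEXTS.map((s, i) => encodeString(s, CONTEXT_KEYS[i]));

// Analyst loop from 6.1: collect every (index, key) pair the code passes to the
// decoder, then run the decoder over them to rebuild the plaintext table.
function recoverAll(stringArray, calls) {
  const decode = makeDecoder(stringArray);
  return calls.map(([index, key]) => decode(index, key));
}

console.log(recoverAll(STRING_ARRAY, [[0, 'FVRU'], [1, 'k3Pz'], [2, 'FVRU']]));
```

This is the loop the deobfuscation steps in 6.1 describe: harvest the (index, key) pairs from the AST, feed them through the runtime's own decode routine, and substitute the results back in. A wrong key at an index yields garbage rather than an error, so a recovered table should be sanity-checked for printable output before it is trusted.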

Disclaimer: This analysis is for educational and research purposes only. The software was analyzed without execution in a controlled environment. Findings represent a snapshot of version 2.1.1 and may differ in other versions. No claim is made regarding the legality or safety of using this software. Use at your own risk.