Sicheats (h4x0r) trainers now contain DRM but why?

[Traziz]

Use W32Dasm if it makes it easier for you. Since it seems you can't fully use Olly correctly to show Data/String references.

And no I didn't use any amended xpsupport files, I used files from 3 seperate sources, one from sicheats (alice trainer), one from a link here given by cocodrila (fear 3) and one on GCW (fable 3).

I opened up in W32Dasm (xpsupport.dll) and was looking through the strings since people have been talking about the new DRM, just to check and I came across the 2 llsass instances (not lsass which is a legit Windows Logon binary). Then I also checked more into the trainers themselves, I had to unwrap them first, but then noticed the string references to vcltest3.dll, the uploading.com link. As provided by the screenshots.

Are you telling me you can't use Olly to find a simple string reference at all? Did you even try to look? From what I have seen from your responses is that you are more prepared to defend someone than be neutral and look.

Bad enough to be called a liar by Mr no understand the English, and then by you by saying I used modified files...

As far as I am concerned you are more an agent for Sicheats to try to veil the truth or something and keep things hidden or obscured.

I came here to ask why these things were in the trainer and the xpsupport.dll and to get some piece of mind so I can use them if they proved to be nothing, and all I have met is hostility and accusations, fine I will set up a virtual environment and run it there and perhaps I will post the results to show what files are created, what processes are accessed and created also.

[Joe Forster/STA]

Read my lips: WHERE ARE THE FILES YOU ANALYZED? ATTACH THEM AND GIVE US THEIR ORIGINAL DOWNLOAD URL'S!

(I never used OllyDbg but can use W32Dasm and Hacker's View fine, thank you, no need for taunting.)

[Traziz]

Quote:

Originally Posted by Joe Forster/STA

Read my lips: WHERE ARE THE FILES YOU ANALYZED? ATTACH THEM AND GIVE US THEIR ORIGINAL DOWNLOAD URL'S!

Perhaps you should have read what I said, I downloaded the fear 3 trainer from this thread, which cocodrila posted a link to a "Clean" trainer.

And Fable 3 trainer from GCW, doesn't matter what server I use there as they all contain the same archive.

As for the trainer, I shall include the unwrapped trainer, since it seems to be minor worries from it from the vcltest3.dll and the uploading.com url use.

The xpsupport.dll is the main worry with the llsass reference and coding to produce it locally.

http://www.megaupload.com/?d=DQ9AGV1Z - alice trainer with unwrapped binary, incase you are not sure how to unwrap binaries.

That was originally got from sicheats themselves.

[cocodrilo]

Traziz please download IDA and look. is this your evil L?



in your file offset. in ida jump -> jump to file offset and COMPARE .

[Joe Forster/STA]

1. Perhaps, you should have read what I said: ATTACH THE FILES YOU ANALYZED! Did you attach them? No. Screenshots and lots of blabla and you think anyone will believe you? You're out of your mind!

2. Perhaps, you should have read what cocodrilo said: the download at hxxp://www.multiupload.com/ID3HMZBEXK is of unknown origin and may contain malware. It is a .NET executable with the vast majority of it encoded in a base64-encoded stream. It can be determined at a glance that it has nothing to do with Sicheats whose executables are not even similar to it. So, even if you're (allegedly) good at using OllyDbg, you cannot make even the simplest observations.

3. The Alice: Madness Returns trainer you uploaded to hxxp://www.megaupload.com/?d=DQ9AGV1Z is exactly the same package as the one on GCW, only reRAR'ed without compression (wtf!). You didn't uncompress any binary at all. (Or you mix up executables with compressed archives?!)

4. Both versions of F.E.A.R. 3 trainers on GCW use the original v6.12 dbghelp.dll renamed as xpsupport.dll. So do the two Alice: Madness Returns trainers (the one on GCW and the one you linked to). Actually, even the suspicious third F.E.A.R. 3 trainer (see 2.) does, too. This dbghelp.dll obviously never contained the string "llsass".

(If anyone doesn't believe something above, please, download the files and see it for yourselves.)

Traziz, I'm fucking mad but I give you yet another chance. In case you reply, do it very, very wisely!

[Traziz]

Quote:

Originally Posted by Joe Forster/STA

1. Perhaps, you should have read what I said: ATTACH THE FILES YOU ANALYZED! Did you attach them? No. Screenshots and lots of blabla and you think anyone will believe you? You're out of your mind!

2. Perhaps, you should have read what cocodrilo said: the download at hxxp://www.multiupload.com/ID3HMZBEXK is of unknown origin and may contain malware. It is a .NET executable with the vast majority of it encoded in a base64-encoded stream. It can be determined at a glance that it has nothing to do with Sicheats whose executables are not even similar to it. So, even if you're (allegedly) good at using OllyDbg, you cannot make even the simplest observations.

3. The Alice: Madness Returns trainer you uploaded to hxxp://www.megaupload.com/?d=DQ9AGV1Z is exactly the same package as the one on GCW, only reRAR'ed without compression (wtf!). You didn't uncompress any binary at all. (Or you mix up executables with compressed archives?!)

4. Both versions of F.E.A.R. 3 trainers on GCW use the original v6.12 dbghelp.dll renamed as xpsupport.dll. So do the two Alice: Madness Returns trainers (the one on GCW and the one you linked to). Actually, even the suspicious third F.E.A.R. 3 trainer (see 2.) does, too.

(If anyone doesn't believe something above, please, download the files and see it for yourselves.)

Traziz, I'm fucking mad but I give you yet another chance. In case you reply, do it very, very wisely!

1. I did in the megaupload link.

2. "sicheats publish a clean trainers, with people reupload to other hosts binded..... PLEASE DOWNLOAD TRAINERS FROM SECURE SITES, LIKE SICHEATS OR GCW.

the link of this file is: http://www.multiupload.com/ID3HMZBEXK at te bottom in webpage post."

Are you telling me that says it is infected? He linked to the forum which was supplying the infected file then he said that (which I put in quotes above), looks like he was giving a clean file to me.

3. The alice trainer I got from SICHEATS was wrapped, never said I got from GCW. I got the fable 3 trainer from GCW.

4. That is what I was trying to say all along that it was not an amended xpsupport.dll at all and was trying to show from 3 sources that the files all contained the same coding.

Angry at me for trying to ask questions to ease myself and perhaps other peoples' minds on the trainers? Please remember Joe_Forster you attacked me and called me a liar just like cocodrila did, is this what sort of staff man these forums here? Moderators that attack users for trying to find peace of mind..

Damn sorry I came here, what a disgrace. Pffff Some help you give.

Come here and if you post anything negative about h4x0r's trainers you must be a cheathappens consort and a liar. Amazing. No wonder for the couple of days I have been here there has been little happening on the forum, just a couple of posts. Perhaps Joe_Forster has banned them all for asking wrong questions.

Go ahead ban me, I'd rather be somewhere with people who know how to treat people fairly and offer help.