Sicheats (h4x0r) trainers now contain DRM but why?

[Traziz]

I was talking about the link you provided, a few posts back.

If you could ask h4x0r what the llsass.exe and vcltest3.dll (sorry I said vcl3test.dll before) are for. I think it will ease peoples minds if they also knew what they were for. And why does the trainers access the registry, I have noticed on a couple I have looked at they use registry API's to do so. And also what are the other files created when the trainer runs.

[cocodrilo]

Traziz this dissasemble is not from xpsupport.dll, men check form image base.... like a simple exe..... read a darkbyte text in yor image . please provide a xpsupport.dll real from sicheats.

xpsupport.dll is the original dbghelp.dll from windows . please make a link to this dll.

maybe ida and ollydbg is wrong.... please download link for debugging please.

it clearly has some interest in lying. Please update your disassembler WOW.

[Traziz]

I used the xpsupport.dll from the Alice trainer from your site, also the xpsupport.dll from the fear 3 trainer from the link you provided which you said was clean.

Also used the fable 3 trainer from GCW which uses the same xpsupport.dll

[cocodrilo]

ok downloading alice trainer from sicheats. wait a moment.

please look :

Quote:

A505-E0FC/archivos$ ls | grep "xp"
xpsupport.dll-alice
xpsupport.dll-fear3

Quote:

A505-E0FC/archivos$ md5sum xpsupport.dll-*
4003e34416ebd25e4c115d49dc15e1a7 xpsupport.dll-alice
4003e34416ebd25e4c115d49dc15e1a7 xpsupport.dll-fear3

is the same file, yor image shows darkbyte string in autoassembler engine.... strange very strange . please only REAL data and binaries from debugging .

please provide a link to binary file with strange code, strings refs or any data to damage you. please a real copy from sicheats servers.

you are lying for some reason.

[Traziz]

Goto GCW and get the fable 3 trainer and use that file.

Why you wish to call me a liar when I have tested with 3 independent files from "trusted" distributions points, and they all clearly show the same string references etc.

Is this the normal for people on sicheats to call people liars when it doesn't suit you?

I am sure Joe_Forster will check also, and I am sure he will find the same string reference and coding in all xpsupport.dll files from legitimate safe sites.


Oh wait... are you comparing the coding from the 2nd picture with the xpsupport.dll? The 2nd picture is from the actual Alice trainer and not the library (dll).

[cocodrilo]

GCW has a public upload . ok, downloading fable 3 from sicheats, please wait a moment.

Quote:

Oh wait... are you comparing the coding from the 2nd picture with the xpsupport.dll? The 2nd picture is from the actual Alice trainer and not the library (dll).

not im comparing all your images, you are talking from this file. please give a public link o wait downloading trainer.

[Joe Forster/STA]

I downloaded h4x0r's Alice: Madness Returns, Fable 3 and F.E.A.R. 3 trainers, both from Sicheats and GCW. The files in the packages for the same game are identical, except an extra promo video in one of them. Conclusion: There is no difference whether you download h4x0r's trainers from Sicheats or GCW. (Apparently, Empire's manual upload filtering works fine.)

I've checked xpsupport.dll, too, which is the same in all packages. It is, actually, identical to dbghelp.dll version 6.12, which can be downloaded along with the latest Windows SDK 7.1. Note that it contains digital signatures so it cannot be faked or tampered without anyone noticing. Conclusion: The xpsupport.dll's analyzed above are fakes.

Final conclusion: Traziz, you get one, I repeat, one more chance to prove that you're not a Cheathappens agent. A few questions for you to answer:
1. Where are the trainer packages that you (allegedly) downloaded from Sicheats and GCW? Give us the original download URL's (probably, a file sharing site that Sicheats supposedly links to) and attach them to your post.
2. How is it possible that we not only cannot find in xpsupport.dll any of the suspicious strings you reported but it turned out be (a copy of a given version of) a Windows system DLL?
3. Which trainer is supposed to create the "vcl3test.dll" file and where? The Alice: Madness Returns trainer doesn't create one.
4. Which trainers access what registry entries and how (read/write)?
5. Which trainers create what files and what do those files contain? Attach them.
(If you can use a disassembler, I'm sure you can also use Sysinternals' ProcMon to create a trace.)

As I already mentioned to Empire and TippeX, I think we're experiencing the latest - and more elaborate than ever before - attack against Sicheats on/via our forum.

[Traziz]

The 1st image is from xpsupport.dll

The 2nd image is from the alice trainer binary.

the llsass references is from the xpsupport.dll and the uploading.com is from the trainer. I did point this out.

[cocodrilo]

Quote:

A505-E0FC/archivos$ md5sum xpsupport.dll-*
4003e34416ebd25e4c115d49dc15e1a7 xpsupport.dll-alice
4003e34416ebd25e4c115d49dc15e1a7 xpsupport.dll-fable3
4003e34416ebd25e4c115d49dc15e1a7 xpsupport.dll-fear3

Quote:

The 1st image is from xpsupport.dll

lying continuous.


wait till I go to debug the trainer and whether there are such strings will explain what the code. dll in the continuous and sustained by lies without giving me a link to the binary

1: in trainer no string llsass . wait for open string (parameter of shellexecute to open a default browser, open a haxor paypal link if you like make a voluntari donation.... lies and lies). wait a moment, please.

[Traziz]

Quote:

Originally Posted by cocodrilo

lying continuous.


wait till I go to debug the trainer and whether there are such strings will explain what the code. dll in the continuous and sustained by lies without giving me a link to the binary

1: in trainer no string llsass . wait for open string (parameter of shellexecute to open a default browser, open a haxor paypal link if you like make a voluntari donation.... lies and lies). wait a moment, please.

You call me a liar because your understanding of English is poor?

I never said the llsass was in the trainer I said it was contained in the xpsupport.dll.

I never said it forces the paypal link on anyone, NOT ONCE. I said it forces the uploading.com url on the sly. And that url is contained in the trainer.

Get your facts correct first before accusing people of things.

[Traziz]

Full file listing of trainer contents



Here is W32Dasm with the correct path to the file and the string reference window open to llsass reference.

[cocodrilo]

no images, please binaries. wait for my explanation from paypal string .

now expected to explain the disassembly you afraid you and takes away the worry in 2 seconds.

Quote:

I never said the llsass was in the trainer I said it was contained in the xpsupport.dll.

the xpsupport.dll is te same in the 3 trainers.

Quote:

I never said it forces the paypal link on anyone, NOT ONCE. I said it forces the uploading.com url on the sly. And that url is contained in the trainer.

forced? please wait a moment jejeje ¿forced? hope you understand assembler to technical debate . no more words, only evidences (files to analyze, etc etc or technical analisis)

[Traziz]

Quote:

Originally Posted by cocodrilo

forced? please wait a moment jejeje ¿forced? hope you understand assembler to technical debate . no more words, only evidences (files to analyze, etc etc or technical analisis)

Oh I understand ASM, oh yes I understand it indeed.

Anyway this conversation is over... I would rather talk to someone with a modicum of understanding in English and isn't in the habit of calling people liars because they can't understand English.

As said I am sure Joe_Forster has the know how, or maybe TippeX to check the xpsupport.dll and find the same llsass references I did. Then there will be explaining to do why it is there.

[cocodrilo]

Quote:

I shall wait for Joe_Forster or some other moderator or administrator here to check files from sicheats and on GCW.

files from sicheats servers, no public upload.

I fully understand what you're saying, which I do not understand is you. please tell me the address of the event table associated with that component and continue talking. now I upload some pictures.

Quote:

As said I am sure Joe_Forster has the know how, or maybe TippeX to check the xpsupport.dll and find the same llsass references I did. Then there will be explaining to do why it is there.

Please upload this file or give the md5.


Ok, the event table look donation_click and lookd address.


event_click- disasm look for address:



¿is on click event to "forces you"? juaz. a picture is worth a thousand words do you need me to explain some part of the code?. if you do not understand that, you can search around for the dede.

REPEAT, NO MORE WORDS ONLY BINARIES but same md5 from sicheats trainers. NO MORE LIES.


you is not much to speak, many posts but have not given any evidence and for today I have said enough. Joe discuss things in private and quiet will the results.

[Traziz]

I won't bother trying to talk to you as it is evident your lack of English and misreading what is said is causing you to call me a liar, when it is you who can't understand what is being said.

I shall wait for Joe_Forster or some other moderator or administrator here to check files from sicheats and on GCW.