#1
So, let me get this straight, now it's CHEATHAPPENS that secretly went to h4x0r's house and made him add the DRM to his trainers, is that correct Joe?
Forget all this malware back and forth for a minute and look at the REAL ISSUE HERE -- the DRM. Apparently by the lack of any comment from GCW admins, this is perfectly fine behavior for files being uploaded to GAME COPY WORLD. Maybe soon we'll start seeing UNCRACKED exe's being added to the site as well.
#2
Quote:
The DRM has everything to do with Cheathappens as it's supposed to be some kind of protection, although we still don't know for sure whether h4x0r's or his users' protection. TippeX, how the hell do I "goto" in OllyDbg? I can't find anything other than code at offset 0006A462 in xpsupport.dll. Perhaps, a plain file offset would be preferred. I found "lsass" in ANSI at file offset 0000686A and in Unicode at 00007854 and 00007868, nothing else...
__________________
Joe Forster/STA For more information, see the FileForums forum rules and the PC Games forum FAQ! Don't contact me via E-mail or PM to ask for help with anything other than patches (or software in general) done by me, otherwise your request may be deleted without any reply! Homepage: http://sta.c64.org, E-mail: [email protected]; for attachments, send compressed (ZIP or RAR) files only, otherwise your E-mail will bounce back!
Last edited by Joe Forster/STA; 27-06-2011 at 05:32.
#3
no, what joe is saying is that he suspects that the trainers are being modified and malicious content added... the drm and this are two totally different issues...
__________________
bleh DO NOT PM me with questions, leave that in the forums...ESPECIALLY if i dont know you...
#4
|
|||
|
|||
|
Use W32Dasm if it makes it easier for you. Since it seems you can't fully use Olly correctly to show Data/String references.
And no I didn't use any amended xpsupport files, I used files from 3 separate sources, one from sicheats (alice trainer), one from a link here given by cocodrila (fear 3) and one on GCW (fable 3). I opened up in W32Dasm (xpsupport.dll) and was looking through the strings since people have been talking about the new DRM, just to check and I came across the 2 llsass instances (not lsass which is a legit Windows Logon binary). Then I also checked more into the trainers themselves, I had to unwrap them first, but then noticed the string references to vcltest3.dll, the uploading.com link. As provided by the screenshots.

Are you telling me you can't use Olly to find a simple string reference at all? Did you even try to look? From what I have seen from your responses is that you are more prepared to defend someone than be neutral and look. Bad enough to be called a liar by Mr no understand the English, and then by you by saying I used modified files... As far as I am concerned you are more an agent for Sicheats to try to veil the truth or something and keep things hidden or obscured.

I came here to ask why these things were in the trainer and the xpsupport.dll and to get some peace of mind so I can use them if they proved to be nothing, and all I have met is hostility and accusations, fine I will set up a virtual environment and run it there and perhaps I will post the results to show what files are created, what processes are accessed and created also.
#5
Read my lips: WHERE ARE THE FILES YOU ANALYZED? ATTACH THEM AND GIVE US THEIR ORIGINAL DOWNLOAD URL'S!
(I never used OllyDbg but can use W32Dasm and Hacker's View fine, thank you, no need for taunting.)
__________________
Joe Forster/STA
#6
|
|||
|
|||
|
Quote:
And Fable 3 trainer from GCW, doesn't matter what server I use there as they all contain the same archive. As for the trainer, I shall include the unwrapped trainer, since it seems to be minor worries from it from the vcltest3.dll and the uploading.com url use. The xpsupport.dll is the main worry with the llsass reference and coding to produce it locally. http://www.megaupload.com/?d=DQ9AGV1Z - alice trainer with unwrapped binary, in case you are not sure how to unwrap binaries. That was originally got from sicheats themselves.
#7
|
|||
|
|||
|
Traziz please download IDA and look. is this your evil L?
in your file offset. in ida jump -> jump to file offset and COMPARE.
Last edited by cocodrilo; 27-06-2011 at 08:09.
#8
1. Perhaps, you should have read what I said: ATTACH THE FILES YOU ANALYZED! Did you attach them? No. Screenshots and lots of blabla and you think anyone will believe you? You're out of your mind!
2. Perhaps, you should have read what cocodrilo said: the download at hxxp://www.multiupload.com/ID3HMZBEXK is of unknown origin and may contain malware. It is a .NET executable with the vast majority of it encoded in a base64-encoded stream. It can be determined at a glance that it has nothing to do with Sicheats whose executables are not even similar to it. So, even if you're (allegedly) good at using OllyDbg, you cannot make even the simplest observations.
3. The Alice: Madness Returns trainer you uploaded to hxxp://www.megaupload.com/?d=DQ9AGV1Z is exactly the same package as the one on GCW, only reRAR'ed without compression (wtf!). You didn't uncompress any binary at all. (Or you mix up executables with compressed archives?!)
4. Both versions of F.E.A.R. 3 trainers on GCW use the original v6.12 dbghelp.dll renamed as xpsupport.dll. So do the two Alice: Madness Returns trainers (the one on GCW and the one you linked to). Actually, even the suspicious third F.E.A.R. 3 trainer (see 2.) does, too. This dbghelp.dll obviously never contained the string "llsass".

(If anyone doesn't believe something above, please, download the files and see it for yourselves.)

Traziz, I'm fucking mad but I give you yet another chance. In case you reply, do it very, very wisely!
__________________
Joe Forster/STA
Last edited by Joe Forster/STA; 27-06-2011 at 08:27.
#9
|
|||
|
|||
|
Quote:
2. "sicheats publish a clean trainers, with people reupload to other hosts binded..... PLEASE DOWNLOAD TRAINERS FROM SECURE SITES, LIKE SICHEATS OR GCW. the link of this file is: http://www.multiupload.com/ID3HMZBEXK at te bottom in webpage post." Are you telling me that says it is infected? He linked to the forum which was supplying the infected file then he said that (which I put in quotes above), looks like he was giving a clean file to me.
3. The alice trainer I got from SICHEATS was wrapped, never said I got from GCW. I got the fable 3 trainer from GCW.
4. That is what I was trying to say all along that it was not an amended xpsupport.dll at all and was trying to show from 3 sources that the files all contained the same coding.

Angry at me for trying to ask questions to ease myself and perhaps other peoples' minds on the trainers? Please remember Joe_Forster you attacked me and called me a liar just like cocodrila did, is this what sort of staff man these forums here? Moderators that attack users for trying to find peace of mind.. Damn sorry I came here, what a disgrace. Pffff Some help you give. Come here and if you post anything negative about h4x0r's trainers you must be a cheathappens consort and a liar. Amazing. No wonder for the couple of days I have been here there has been little happening on the forum, just a couple of posts. Perhaps Joe_Forster has banned them all for asking wrong questions. Go ahead ban me, I'd rather be somewhere with people who know how to treat people fairly and offer help.
#10
|
|||
|
|||
|
That is close to what it is, but it's not referenced as L"lsass" but llsass without quotes.
Besides I cannot "Download" IDA as it is expensive software and I don't steal software.
EDIT: I see a v5 for freeware on their site I shall check it out.
Last edited by Traziz; 27-06-2011 at 08:16.
#11
|
|||
|
|||
|
can you understand that W32Dasm is outdated and can misinterpret the chains. As can display strings that are not. win32dasm Windows98 I used it at puberty. please download the version that indicated dbghelp.dll joe microsoft servers and compare them.
or simply tell me that part of code that does that harms you, you're doing because they do not understand. this screen is from pseudocode interpreter from ida, please read this: http://msdn.microsoft.com/en-us/libr...(v=vs.80).aspx and search for wchar_t PLEASE, LEARN. Quote:
#12
Traziz, you are an idiot, so away with you!
1. The Megaupload link is a package that contains, to the byte level, the same files as the GCW download of the same trainer. You didn't attach anything, although I asked you many times. We're still yet to see an "infected" xpsupport.dll with the (alleged) "llsass" string.
2. Epic fail. You think it's cocodrilo's bad English that you don't understand him. Actually, you cannot read plain English either. Had you gone to the linked webpage (http://www.softsclub.com/games/97811...0-trainer.html, in case you cannot find it in the original post), which is in pretty simple English, you would've found out that the hxxp://www.multiupload.com/ID3HMZBEXK link, the one to the suspicious F.E.A.R. 3 trainer, is at its bottom. cocodrilo's reference to the Multiupload link was not that this link is a genuine Sicheats trainer, it was some help with finding out the Multiupload download link at the bottom of the Softsclub webpage.
3. Again, no files attached. Yeah, this file is compressed, that file isn't; this file is encrypted, that file isn't; this file is .NET, that file is Delphi; this file is infected, that file isn't; this file contains suspicious strings, that file doesn't. But no actual files that would prove your points just plain bullshit.
4. [...] Oh, fucking great Lord in the heavens above, I finally understood what you meant. In xpsupport.dll/dbghelp.dll, at file offset 0006A487, there's a PUSH 03008468 which points to "lsass" in Unicode; at 0006A49F, PUSH 03008454 which points to "lsass.exe" also in Unicode. There are no extra L's anywhere around these strings. (And, even if there were any, this is an original Windows DLL from Micro$oft, protected by a digital signature, so how could it be infected?!) Another epic fail: you're completely unable to read code either, not even with the help of a disassembler.

From this above, it should be obvious that Traziz has absolutely no idea what he's talking about, while trying to look like an expert in assembly programming.
Expert my ass! Permbanned.
__________________
Joe Forster/STA
Last edited by Joe Forster/STA; 27-06-2011 at 09:12.
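
Post #12 settles the dispute by locating "lsass" and "lsass.exe" as Unicode (UTF-16LE) data at specific file offsets, and post #2 reports the ANSI and Unicode offsets separately. The scanner below is an added example, not code from any poster in this thread: it reports the file offset, encoding and full printable run of every occurrence of a term, so a reader can check whether any extra character really precedes the string. `SAMPLE` is a constructed buffer, not bytes from xpsupport.dll or dbghelp.dll, and the function names are hypothetical.

```python
import re
import sys

# Printable runs of at least 4 characters, as single bytes (ANSI) and as
# UTF-16LE code units (what a C wide literal such as L"lsass" compiles to;
# the L prefix is source syntax and is not stored in the file).
PATTERNS = {
    "ascii": re.compile(rb"[\x20-\x7e]{4,}"),
    "utf-16-le": re.compile(rb"(?:[\x20-\x7e]\x00){4,}"),
}

def find_strings(data: bytes, term: str):
    """Return sorted (file_offset, encoding, full_string) for runs containing term."""
    hits = []
    for enc, pattern in PATTERNS.items():
        for m in pattern.finditer(data):
            text = m.group().decode(enc)
            if term.lower() in text.lower():
                hits.append((m.start(), enc, text))
    return sorted(hits)

def has_stray_prefix(hits, term: str) -> bool:
    """True if any hit carries characters in front of term (e.g. 'llsass')."""
    return any(not text.lower().startswith(term.lower()) for _, _, text in hits)

# Constructed sample, NOT bytes from xpsupport.dll or dbghelp.dll.
SAMPLE = (
    b"\x00\x01\x02\x03" + b"lsass\x00"                # ANSI string at offset 4
    + b"\xff" * 6                                      # filler
    + "lsass".encode("utf-16-le") + b"\x00\x00"        # wide string at offset 16
    + "lsass.exe".encode("utf-16-le") + b"\x00\x00"    # wide string at offset 28
)

if __name__ == "__main__":
    # With a path argument, scan that file; otherwise scan the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    hits = find_strings(data, "lsass")
    for offset, enc, text in hits:
        print(f"{offset:08X}  {enc:9}  {text!r}")
    print("stray prefix:", has_stray_prefix(hits, "lsass"))
```

Offsets are printed as eight hex digits, the same form the posts use for file offsets, so the output can be compared directly with a hex editor or disassembler view.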
#13
Tippex: According to Joe, "The DRM has everything to do with Cheathappens" along with the current state of the global economy and the problems in the middle-east no doubt. This site's lack of caring by the admins and absence of any objectivity is truly amazing.
Go ahead and ban me too. I'll get my DRM-free files elsewhere. I'm done here. I invite others to do the same.
#14
You know, the days when I reacted to name-calling have been over for years. Yes, the thread went astray but, if you take the time to read what I wrote then you'd know that, unlike people with opposite opinion, I make arguments and can show actual counterproofs to their assumptions and anyone else can check the truthfulness of what I wrote, by downloading the same files (they're still there!) and having a look at what I saw.
So the "This site's lack of caring by the admins and absence of any objectivity is truly amazing" sentence is completely false. You're making a fool out of yourself with it which is worse than becoming a martyr by getting banned so you can stay for a while... [...]

Actually, it is exactly objectivity that makes me ban people who have no idea what they're shouting around and are unable to stop their bullshit, even after several warnings. It seems, some people come here with a preconception, and they cannot be convinced otherwise, that Sicheats is nothing else than a bunch of liars distributing malware. This is their own conscience problem... but until they start spreading such rumors, without any actual proofs, in the public. Now, that is not and will never be tolerated here and the same zero tolerance should be (read: should've been) introduced in other forums, too, long, long ago. Then unfounded rumors wouldn't get farther than a few people around those interested in spreading bullshit. (In case someone didn't understand, I'm referring to Cheathappens, with their usual sly propaganda campaigns.)
__________________
Joe Forster/STA
Last edited by Joe Forster/STA; 27-06-2011 at 09:49.
#15
|
|||
|
|||
|
Actually Joe, what I have witnessed in this thread is the opposite. h4x0r and his team come here stating that cheathappens has been uploading malware versions of their trainers to sites including GCW and this is the reason for the DRM, yet no one has asked them for proof of this, their word is taken at face value. However, when someone states that h4x0r might have done something himself to attack cheathappens trainers then that is when proof is demanded, and lots of it.
That's just my observation. Again, I could care less about all of this malware bullshit and really just want to know about the DRM issue, which still is not being addressed, it's just being blamed on cheathappens and dismissed.