Go Back   FileForums > Games > Game Trainers

 
 
Thread Tools Display Modes
Prev Previous Post   Next Post Next
  #1  
Old 15-03-2010, 06:18
Joe Forster/STA's Avatar
Joe Forster/STA Joe Forster/STA is offline
Senior forum member
 
Join Date: Nov 2000
Location: Hungary
Posts: 9,790
Thanks: 16
Thanked 327 Times in 212 Posts
Joe Forster/STA is on a distinguished road
Announcement and final word on the CheatHappens vs. h4x0r trainer war

(Typos and small missing details are being fixed in the posts constantly as they're noticed but no relevant information is changed or removed...)

It started with people simply complaining on our forum (why?!) that CheatHappens are selling their trainers and that this is not nice, trainers should be free and fully functional blabla. Our answer was that it's not their right to tell trainer authors under what conditions they should distribute their creations. That was no help for CheatHappens, only trying make sense among "freebie bastards". Then these complaints got more and more frequent and a forum sticky was created, telling people to stop these complaints as they will result in a punishment. Of course, the complaints still went on - some people just cannot shut up and some cannot even read - but their posts were only deleted and more serious punishments were rarely given, if ever.

(2009-03-27) Then came a new situation. CheatHappens accused the trainer makers called KelSat and h4x0r of having ripped code from their trainers. Their claim was that this thief gets access to their forum, downloads their trainers, dissects them and copied the most important, definitely non-trivial code fragments into his own; see http://fileforums.com/showthread.php?t=86218. There you can see that immediately proofs were requested so that we can inspect the claimed code theft ourselves. None arrived. Then we requested a list of the affected trainers. None arrived. Read the thread through: we were offering support to CheatHappens as soon as a proof arrives that we can check ourselves. Several days later, even Empire posted into the thread, again requesting a proof. Empire is already seen here stating his principle that GCW is willing to host any kind of trainer, whether promo or fully functional, but respecting the authors. We also recommended CheatHappens to put "fingerprints" (code that doesn't do anything useful but is added inside useful code) into their trainers and watch whether or not they appear in the code of stolen trainers.

In the meantime, the bitching about promo/fully functional and free/paid trainers and abuses against either side went on in this thread, too... We felt the situation was getting out of hand but the decision of what to do was pretty hard because we had to stay impartial as possible - let me repeat: still no proofs! - but try to keep the discussion in a non-abusive manner. See my posts, trying to calm down the CheatHappens side while telling them that, yes, I agree that code theft is not acceptable - like trying to navigate between Scylla and Charybdis. The thread was closed a week and a half later and look at the last post: still no proof arrived from CheatHappens.

(2009-04-09) Then h4x0r appeared, too, on the forum. He started announcing his trainers, one by one, on the forum. See http://fileforums.com/showthread.php?t=86315, http://fileforums.com/showthread.php?t=86331, http://fileforums.com/showthread.php?t=86301, http://fileforums.com/showthread.php?t=86271, http://fileforums.com/showthread.php?t=86333. Although this per se was not against the then current forum rules, the threads were later closed as we understood that the reason for these was to annoy CheatHappens rather than to help people. Also, most of these threads turned into a flame war already in the first few posts or some tricky questions arrived from the experts, trying to make h4x0r make a mistake that would prove that A) he did steal code from other's trainers and/or B) he doesn't know what he's doing so his code must be from somewhere else.

(2009-04-06) In the meantime, h4x0r received a PM from Empire (our administrator) which said GCW will not host trainers that contain stolen code. See http://fileforums.com/showthread.php?t=86277. This was the first thread in which h4x0r first showed his awfully broken English (actually machine-translated Spanish, as we learned later) which... khm... didn't do much good to the communication between him and everyone else, to put it mildly. He kept defending himself, saying that he ripped nothing at all. However, the tricky questions about his abilities were completely in vain because he didn't understand the questions or, when he did, we didn't understand his answers.

(2009-03-29) In the background, we (Empire, TippeX and I) were discussing things and agreed that trainers with stolen code should be removed but only if a proof is shown. (By the way, PWizard requested information about h4x0r in PM so that his CheatHappens account can be determined and banned but he was given none as that would've been giving out personal data to a third party without an obvious reason.) In that thread, I already mentioned the possibility - if I remember correctly, by suggestions from the threads so far as well as PM's from some forum members - that we might be experiencing a tricky advertising campaign from CheatHappens. With my paranoia reaching the heavens, I even suspected that it is exactly the opposite that is true: it is CheatHappens stealing code from others, then accusing them of theft and the two codes are obviously the same - but never mind me. Also, my acting of "I'm a programmer but I don't know too much about hacking so, please, bare with me and explain things thoroughly" started here - and it definitely paid out, as you will see. In the meantime, h4x0r has been sending taunting PM's to CheatHappens people in our forum but he has been threatened with a ban if he doesn't stop as, even if we did not accuse him of anything, this behavior should not be tolerated. CheatHappens people also have been asking us in PM's about why nothing is done against h4x0r's messages (probably not only PM's but also ones in the public forum). PWizard also told us that he probably found h4x0r's account on CheatHappens and the fact the he has an account and he is able to download their trainers kind of suggests that he rips code from them (excuse me?!). And h4x0r requested his account to be deleted so that there will be no more problems; my answer was that this is not necessary because our investigation about the code theft has not been closed yet. All the people who took part in the war were threatened in a PM with instant ban for posts expicitly advertising trainers, linking to promo trainers or harrassing other forum members. h4x0r was also asked to upload his trainers to GCW which he agreed with but did not wish to return to the forum. This was also when his trainer announcements were all closed in one go.

(around 2009-04-10) TippeX finally got a message from CheatHappens, pointing to the World in Conflict: Soviet Assault v1.010 trainers. Please, note that no actual trainers were sent, only telling us which ones to check. TippeX downloaded the CheatHappens trainer from GCW and compared it to a trainer from KelSat for the same game, also downloaded from GCW. The spectrum of options was at most similar so TippeX chose one option that was supposed to work mostly the same way (Freeze Clock in CheatHappens' against Increase/Decrease 1 hour in KelSat's); the code for them turned out to be implemented in completely different ways. I wasn't suprised in the slightest at the results; what I was surprised at was that TippeX was not told what specific part of which specific trainer to check. There you have it again: no actual verifiable proofs, just general ideas. Our suspicion was rising more and more and we found ourselves all moving away from CheatHappens' side, sympathizing more and more with h4x0r instead.

(2009-04-17) A week later, TippeX received a link from PWizard to the full version of CheatHappens' trainer and was specifically told to check the Free Camera Mode option. In the meantime, all of us was getting very impatient because time was working against us: h4x0r was complaining, CheatHappens were complaining, forum users were complaining and we were still without clear results. Caliber showed something like a proof in another thread - unfortunately, I seem to have permdeleted it in my anger so I cannot quote anything about it anymore - but 1) I couldn't understand much from it and, 2) yeah, I can also write two similar code fragments myself and then be as damn smart as being able to show the similarities between the two. TippeX, an expert, however checked the explanation and reckoned that 1) h4x0r seems to have stolen the method in this case but implemented it differently and 2) it is suspicious how h4x0r found the right method that Caliber could explain and h4x0r couldn't. However, this was still not what we wanted: CheatHappens seemed to still have not understood that we want two genuine, untouched, (freely?) downloadable, working actual trainers whose code we can check ourselves - and our suspicion was ever growing that this is intentional. (Personal note: If a serious programmer says to have never lifted, at least, small code fragments or little non-trivial ideas from other programs then he or she is simply lying: noone can resist the temptation of sparing time by not reinventing the whell by himself or herself. By the way, open source software solves this problem automatically: lifting source is not only not forbidden but actually recommended. Also, it is not possible to "patent" outlook so, please, don't make yourself ridiculous by claiming theft by showing two screenshots: I wrote a fully-featured - and some more - Norton Commander clone in Borland Pascal that, of course, has nothing to do with the original in terms of implementation, still it looks, moves, smells and feels like the original.) At this point, we recommended CheatHappens again to place a "fingerprint" in one of their upcoming trainers. (Some time later they reported to have found their fingerprint in h4x0r's code but, of course, no proofs this time either.) In the meantime, h4x0r reported to us to have finished his Need for Speed: Undercover 1.0.0.1 +11 trainer, with options that don't exist in other trainers. This also applied to his previous trainers which suggests that, even if he does steal ideas from other trainers, he is also able to add ones of his own. We then discussed the possibility to ban all trainer announcements on the forum because we couldn't find the proper set of rules that would benefit everyone. A few threads, with some direct or indirect bashing, came and got deleted soon.

(2009-07-13) Then arrived another accusation from CheatHappens: that h4x0r has stolen the code of Cheat Engine and based his own engine on it, without giving credits to the original author. See http://fileforums.com/showthread.php?t=87262; thread undeleted for your viewing. TippeX raised the question of why this came to light this late, with the suspicion that this is yet another fake accusation, but no answer came. Then the accusation changed to h4x0r having used freely available source code without giving credit to the author, which was not required and so this means h4x0r is at most a jerk but definitely not a thief. CheatHappens (and fans) again seemed to be doing their best to find a reason, whatever it is, to discredit h4x0r. Flames were getting high as several forum members joined, some defending h4x0r, therefore the thread was closed (and later, deleted, too). A few threads were opened, bashing CheatHappens for their business strategy as well as h4x0r putting a too high number of options into his trainer releases, otherwise things seemed to become quiet. During the next few months, even some long threads were created, with useful discussion and (almost) everyone was happy.

(2010-02-06) On a side note, a link to CheatHappens was posted where "h4x0r" admits that the accusations were true. See http://www.cheathappens.com/show_boa...4&titleID=8463. If from nothing else, it should be obvious from the too good English that it couldn't have been written by h4x0r himself, it is a fake. (In case CheatHappens deletes the thread, you can view "h4xor"'s post below in this thread.)

(2010-02-11) But the war was still not over. It was reported that h4x0r's trainers drop suspicious DLL's all over the system. See http://fileforums.com/showthread.php?t=89027; all posts undeleted for your viewing. Empire was faster than I and asked for specific trainers. None were given and the smearing of quasi-facts started again, not only from CheatHappens but also from their fans: this wasn't just a general report, here's a screenshot for a proof (are you kidding?!). I mentioned that cracktros also drop a few DLL's, e.g. often bassmod.dll for playing music, but these are harmless and asked Caliber to send me some material: one of his trainers and one of h4x0r's, too. Caliber refused, saying that there's no point in it because we would not consider his proofs this time either. In the meantime, it was also reported that something in h4x0r's trainers, namely the DLL dropped to C:\h4x0r.dll, seems to interfere with CheatHappens trainers. Unfortunately, this thread turned into a flame war, too, so it was closed.

(around 2010-02-17) I sent a PM to Caliber, literally begging him to send me some material because if there really was substantial proof that h4x0r is messing with CheatHappens trainers then the war could be finally over. (After all, this was our goal, too, from the beginning.)

(2010-02-20) I had the feeling my request would be refused again but, no, I received a PM from Caliber with instructions on proper testing as well as a package of trainers to my E-mail address. Completely unbelievable but true: after almost a year, a real inspection could be made. I was so excited that I finished my inspection within half a day but I didn't publish my findings for weeks as I was waiting for TippeX to do his own investigation, too. Unfortunately, because of lack of spare time, he couldn't even start it so you'll have to do with mine. ([...] Not true. We waited for him to finish it. See below.) Although I told Caliber that I wouldn't distribute the CheatHappens trainer, after what happened recently, I can break my promise without any conscience problems for the benefit of the public. You can find the packages and the E-mail, exactly as I received them, below so you can check our findings yourself. (Note that Caliber talks about h4x0r's Bioshock 2 trainer but it is actually h4x0r's Bioshock trainer that is used for the inspection.) Feel free to run h4x0r's "malicious" trainer, too, as it isn't malicious at all (see below). (If you're afraid, run it in a sandbox. If you're really afraid then copy any DLL into C:\h4x0r.dll manually instead. If you want to have a look at it without running the trainer itself, you can find it attached, too.)

Let's take Bioshock v1.1 + 10 Trainer.exe (the trainer - supposedly - by h4x0r) apart. At offsets 0x00000000-0x00001E7F, there is a prefix that creates C:\h4x0r.dll and decrypts and executes the real Bioshock v1.1 + 10 Trainer.exe. You can think of this prefix as a wrapper around the real trainer. It containts some other funny strings but see it for yourself. For a comparison, I downloaded about two dozens of trainers from http://www.sicheats.com/forum/forumd...eats-All-Games that day (from the same thread list page as this trainer, EXE timestamps = release dates between 2009-09-22 and 2010-02-01) and all of them were plain uncompressed, unencrypted Delphi code so this trainer already sticks out of them. (Note that you cannot download attachments from www.sicheats.com unless you're a registered user.)

It doesn't take a genius to find out that the encryption is actually XOR'ing the part at offsets 0x00001E80-0x0021292D with 0x86 and you'll get the real trainer. Now, if you download the same trainer from http://www.sicheats.com/forum/showth...r-STEAM-RETAIL (in case you can't download it, it's attached, too, named "REAL"), you will find out that they are exactly the same. (Well, the one that was encrypted is a byte longer, probably for padding to an even number of bytes.) This extremely lame way of encryption is weird as it wouldn't stop even a novice hacker.

It was reported that h4x0r's malicious trainer drops the h4x0r.dll, scs.dll, scx.dll, game.jpeg files and the skins subdirectory into C:\, the sicheats.dll file onto the current user's desktop and the chip.dll and pvt.tmp files into the Windows SYSTEM32 directory. If you run a HIPS (e.g. one integrated into some capable virus scanner or firewall software), you will see that, of these, only C:\h4x0r.dll is true, none of the other files are created even if there's reference to them in the code. (Probably common code/data for all trainers: some use it, some don't, but the data is compiled into all of them.) If you instruct your HIPS to not allow anything other than direct screen and keyboard access, the trainer will still run perfectly, even if it couldn't create C:\h4x0r.dll.

Now let's see C:\h4x0r.dll. If you compare it with the end of the "malicious" trainer, from offset 0x0021292E, you will see that this suffix starts exactly with the contents of C:\h4x0r.dll. However, there is no possible way that the dropped DLL can function at all as is because it only has a relocation table and an import table but both point into junk (probably, encrypted and/or compressed code/data) so neither are valid and there's no code or data segment. Also, a recursive scan in your complete Windows directory structure as well as the registry will show that this DLL is not registered anywhere but Sysinternals' Process Monitor will prove the same by not showing anything related to this DLL when you run other programs.

And have you looked at the icons inside the "malicious" trainer? One of them is a PNG file, at offsets 0x0021AB08-00227110. Why would h4x0r put such icons into his own trainer? Or where could they really have come from? Quite obviously, the suffix is actually an executable from CheatHappens that was damaged here and there on purpose.

By the way, see h4x0r's reply to all these claims at http://www.sicheats.com/forum/showth...d-hidden-files.

Now, with C:\h4x0r.dll finally in place, let's have a look at bio2-Joe_FileForums.exe (the trainer by CheatHappens). (Please, note that it seems to do some kind of online authentication. In case it refuses to work, because the CheatHappens account it is tied to has been banned, we will surely find a way - and publish it here - to make it possible to run the trainer for testing purposes.) Yup, it doesn't work but that was expected. Delete C:\h4x0r.dll and run CheatHappens' trainer again. Now it works. Wow! Launch Process Monitor and have it monitor everything that the trainer does. You will see that hundreds and hundreds of file and registry entries are accessed before there's a reference to C:\h4x0r.dll so it cannot be the operating system fetching the DLL because it is registered somewhere to be launched along with some programs. (Not that it could've been run as it is not a valid executable image anyway.) No, it is CheatHappens' trainer actively searching for this file.

Hack h4x0r's trainer, changing the file name of the DLL to be dropped to C:\h4x0r2.dll. CheatHappens' trainer will run although the "malicious" content has supposedly been delivered and the system "infected" with it. Simply by changing the file name, CheatHappens' trainer works again. This isn't surprising if we accept the fact that the operating system has nothing to do with all this but it is the trainer itself that checks for the presence of this dropped DLL. Actually, you can copy anything into C:\h4x0r.dll (say, C:\boot.ini, your favorite wallpaper, a HTML page, whatever you like) or create an empty file and the CheatHappens trainer will cease to function. Remove the "malicious" file and the trainer will work again. If you create such an unusable C:\h4x0r.dll file on a "virgin" machine, that has never been touched by h4x0r's "malicious" trainer, then CheatHappens' trainer will not work. Remove the "malicious" file and the trainer will work there, too. Isn't that cute...? BUT IT'S WROOONG!

As I wrote above, my acting of looking innocent paid off. CheatHappens took me for a fool which I'm not. While I may not be able to code seriously in assembly under Windows, I hacked many Windows programs so far.

Also see the results of TippeX's investigation in another post of this thread as well as my quite conclusive list of the so-called "malicious" DLL's dropped by varios h4x0r DLL's in http://fileforums.com/showthread.php?p=383796. The conclusion from all sets of results is obvious. h4x0r has been accused on three accounts:
  • Theft of code from CheatHappens trainers. TippeX and others agree that probably ideas were stolen, maybe, code fragments, too, but this is impossible to prove with 100% certainty.
  • Theft of code from Cheat Engine. By definition, you cannot steal from an open source software. Period.
  • Dropping DLL's with malicious intent, including making CheatHappens trainers non-functional. The malicious trainer was fake, created by CheatHappens, and the CheatHappens trainer was also intentionally modified to complain about the mere presence of a file.

Even if h4x0r may not be a "lamb born today" (a hungaricism, means "as clean as possible"), CheatHappens has been trying to discredit him in all kinds of immoral ways, multiple times, on multiple forums. They are completely unscrupulous about their ways of trying to kill their competitors off the market. We also have the strong suspicion and it has also been suggested by others that this was neither the first nor the last time CheatHappens ran such a false propaganda campaign against someone so be wary as now you know that you can never know when they're telling the truth and when they're lying. And, people at CheatHappens, please, forward my good wishes to your fucking lawyers, too! (See the bottom of http://fileforums.com/showthread.php?p=383485.)

(2010-03-06) The forum has been hacked, exploiting a security hole in the vBulletin software, and unsolicited advertising of trainers, most along with filthy messages, have been posted in the names of random users. vBulletin has been upgraded since and probably the security hole closed, too. ([...] h4x0r reported that his vBulletin 4.0.2 PL1 still contains the exploit. I asked Empire to contact the authors as, if I understood correctly, this forum is running on a licensed, paid copy of vBulletin.) Also, the contents of the forum are backed up daily so if there's an attempt that really brings the whole forum down, it will only be temporary. However, this doesn't matter much. By hacking the forum, the "unknown" hacker - who stated to not be be a member of CheatHappens - proved that he's not only immoral, like CheatHappens is, but goes even further and has no problems with entering cyber criminalism which is already a legal term. If you come back again and we're able to trace you back, you may have to face legal action. Also, we're not going to be afraid of you and we won't give in to your threats because we don't accept what you suggest: that, if nothing else works, violence is the ultimate answer. That kind of "solution" is for neanderthalians and terrorists, not homo sapienses. For this reason, you may have won a battle but you already lost the war when you fired your weapon for the first time.

(2010-03-07) Several fake trainers were uploaded, for different games, by different (fake) authors but with similar contents. We found out that such fake trainers have been uploaded for the last month and they were even published on GCW as noone knew about the possibility back then. As far as we can tell, CheatHappens was probably not (directly) behind this but you can never know for sure. This was most probably also the reason for people complaining on the forum about h4x0r's trainers, downloaded from GCW, crashing. The fake trainers have been replaced with their real counterparts by now and we asked h4x0r to upload his trainers himself - no trainer submissions will be accepted in his name from anyone else so, please, don't bother.

From all this above, it may not be obvious whom to side with but it is very obvious whom to not side with. Please, spread the word on all forums and feel free to link to this post for explanation.

Also, note that, as our first priority is the benefit of our visitors and we're still trying to be as impartial as possible, GCW will continue to host CheatHappens' (promo) trainers although they (CheatHappens, that is) don't deserve any kind of support anymore.

This is the last time we deal with this war with which we already wasted way, way too much of our resources. Further discussion of it is prohibited all over the forum: anyone breaking this rule will be banned on sight for a few months, without any prior warning; subsequent attempts will raise the length of the ban until we get bored and change the ban to permanent. We're trying to forget that all this shit ever happened and so should you. Thank you for your attention.
Attached Files
File Type: rar bio2-Joe_FileForums.rar (551.8 KB, 49 views)
File Type: rar Bioshock_v1.1_+_10_Trainer.rar (1,016.9 KB, 43 views)
File Type: rar Bioshock_v1.1_+_10_Trainer_REAL.rar (853.9 KB, 35 views)
File Type: zip h4x0r.dll.zip (23.6 KB, 89 views)
__________________
Joe Forster/STA
For more information, see the FileForums forum rules and the PC Games forum FAQ!
Don't contact me via E-mail or PM to ask for help with anything other than patches (or software in general) done by me, otherwise your request may be deleted without any reply!
Homepage: http://sta.c64.org, E-mail: [email protected]; for attachments, send compressed (ZIP or RAR) files only, otherwise your E-mail will bounce back!

Last edited by Joe Forster/STA; 15-03-2010 at 15:12.
The Following 3 Users Say Thank You to Joe Forster/STA For This Useful Post:
preg75904 (13-09-2013), ProSevenOne (25-11-2012), remcodevries (26-08-2013)
Sponsored Links
 

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump



All times are GMT -7. The time now is 20:10.


Powered by vBulletin® Version 3.8.11
Copyright ©2000 - 2024, vBulletin Solutions Inc.
Copyright 2000-2020, FileForums @ https://fileforums.com