Polynomial Grandmaster Cheater
Reputation: 5
Joined: 17 Feb 2008 Posts: 524 Location: Inside the Intel CET shadow stack
Posted: Sun Feb 02, 2014 2:45 pm Post subject: A bit of fun with an unsupported trainer |
I recently downloaded a CoH:ToV trainer, only to find that it required a username and password to use. The website linked to by the trainer was long gone, and a mixture of Google, Wayback Machine, and historical DNS records couldn't find me the original author, so I decided to break the login validation myself.
Here's the login form:
And here's what happens when you try to log in:
So I can only imagine that the server is meant to respond with some checksum or number that validates the login, and in this case it's failing because my ISP's DNS hijacking is rerouting it to the "not found" page, which contains HTML rather than a number. Even better, we can also guess that it's looking for a single digit, because the complaint is about a < character, rather than a bigger section of text.
First step was to work out which back-end server it was trying to talk to. I used Wireshark to look for DNS queries, and found that it was indeed sending one out for the sicheats.com domain:
I then filtered based on the IP address and discovered this HTTP request:
Simple! Next job is to try to play around with the responses. Now, here I had two options. The first was to set up a script that opens up a local HTTP server with responses that I can control, then use my hosts file to point sicheats.com back at 127.0.0.1, but that seemed like a bit of a pain in the ass. The second option was to mess with the responses coming back from my ISP using a packet editor. Echo Mirage is my tool of choice for messing with packets because it's simple as hell, supports automated modifications, and automatically detects generic SSL libraries and gives you the raw buffers instead of the encrypted payloads. I didn't need the SSL stuff this time, but it's always nice to have.
I opened up Echo Mirage and configured a rule that auto-modified all response packets from the target IP to contain an HTTP response of just the number "1".
Next, I injected into the target process, and re-issued the request. Here's the modified response:
Unfortunately, the trainer simply did nothing. Bugger! After a bit of messing around, I discovered that having a response of "123456" would result in "2345" being shown in an information field:
This further solidified my guess that the first number was a status, and indicated that the remaining part of the string (apart from the last character) was a status. Just to double check, I tried again with a response of "1Cheat Engine rocks!0":
After playing around, I tried "2345" as a response, and got a winner:
After a bit of experimentation, it appears that you can generate a valid response as long as your first character is a number digit larger than 1, and the total response length is 4 or more characters.
Just thought you guys would enjoy seeing something like this step-by-step.
_________________
It's not fun unless every exploit mitigation is enabled.
Please do not reply to my posts with LLM-generated slop; I consider it to be an insult to my time.
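The "first option" the post above dismisses (a local HTTP server plus a hosts-file entry) is worth having as a reusable probing harness, so here is one as an added example. This is not the OP's tooling (he used Echo Mirage) and not the trainer's code. The hostname sicheats.com comes from the post; the request path and query parameters are assumed stand-ins, since the post only shows that a single HTTP GET is made, and split_response() / accepted_by_trainer() model the OP's inferred response layout and acceptance rule rather than anything read out of the trainer itself.

```python
# Added example: a controllable HTTP responder for probing a client's login check.
# Not the OP's tooling (he used Echo Mirage) and not the trainer's code. Assumed:
# the request path/query (the post only shows that one GET to sicheats.com exists)
# and the response layout that split_response() models, which is the OP's inference.
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import urlopen


class SpoofHandler(BaseHTTPRequestHandler):
    """Answers every GET with a fixed body and records the request lines seen."""
    body = b"2345"   # default: the shortest body the OP found the trainer accepts
    seen = []        # request lines observed, one per probe

    def do_GET(self):
        type(self).seen.append(self.requestline)
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(self.body)))
        self.end_headers()
        self.wfile.write(self.body)

    def log_message(self, fmt, *args):
        pass  # keep stderr quiet; the 'seen' list is the log


def start_spoof_server(body, host="127.0.0.1", port=0):
    """Serve `body` on host:port (port 0 = ephemeral) in a background thread.

    Against a real client, run on port 80 and add '127.0.0.1 sicheats.com' to
    the hosts file so the client's lookup lands here instead of at the ISP's
    DNS-hijack page.
    """
    handler = type("Handler", (SpoofHandler,), {"body": body, "seen": []})
    server = HTTPServer((host, port), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, handler


def probe(body, path="/login.php?user=test&pass=test"):
    """Serve `body`, send one request the way a client would, and return
    (response_body, request_line). The path is an assumed stand-in for
    whatever the trainer actually requests."""
    server, handler = start_spoof_server(body)
    try:
        port = server.server_address[1]
        with urlopen(f"http://127.0.0.1:{port}{path}", timeout=5) as resp:
            return resp.read(), handler.seen[0]
    finally:
        server.shutdown()
        server.server_close()


def split_response(text):
    """Split a body the way the trainer appeared to: status digit, displayed
    message, trailing character. Based on the OP's observation that '123456'
    shows '2345' in the info field; returns None for bodies too short to split."""
    if len(text) < 3:
        return None
    return text[0], text[1:-1], text[-1]


def accepted_by_trainer(text):
    """The OP's empirically derived acceptance rule: a leading digit above 1 and
    at least four characters. An inference from a handful of probes, not the
    trainer's real check."""
    return len(text) >= 4 and text[0].isdigit() and int(text[0]) > 1


if __name__ == "__main__":
    # Replay the bodies tried in the post against the local server.
    for candidate in (b"1", b"123456", b"1Cheat Engine rocks!0", b"2345"):
        got, req = probe(candidate)
        print(f"{req!r} -> served {got!r}, parsed {split_response(got.decode())}, "
              f"accepted={accepted_by_trainer(got.decode())}")
```

Each probe spins up its own server on an ephemeral port so candidate bodies can be cycled without restarting anything; the request line the client actually sent is captured alongside, which is the detail you want when working out which parameters the client includes and whether anything in them (a version, a hash of the credentials) matters for the server's reply.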
STN I post too much
Reputation: 43
Joined: 09 Nov 2005 Posts: 2676
Posted: Mon Feb 03, 2014 1:15 am Post subject: |
If they were here, I can't imagine the bashing you would get lol. I am actually surprised to see them disappear, they were doing so great. Guess they couldn't take on the hate anymore.
PS: As far as the validation goes, changing a few conditional jumps was enough.
Mike89 Newbie cheater
Reputation: 0
Joined: 17 Feb 2014 Posts: 21
Posted: Tue Feb 18, 2014 12:20 pm Post subject: |
This is hilarious, a cracker getting cracked, couldn't have happened to a nicer guy. Very good work to get around a screwed-up trainer method that never should have been to begin with. I didn't know you could still download Haxor trainers. That method used is over my head, but I'd no longer have a Haxor trainer just on gp anyway, so I don't need to learn it (though I wish I had the knowledge to know stuff like that).
I was curious about the comment about being surprised they left and that they were doing so great. Didn't know if that was supposed to be a joke or if it was serious. To me they were always barely holding on by the skin of their teeth because their product and delivery were never solid to begin with. Can't make a good thing out of shit no matter how hard you try. Shit still smells like shit and eventually works its way down the toilet like they did.
CheatsLord65 Cheater
Reputation: 0
Joined: 31 Mar 2011 Posts: 49
Posted: Fri Jan 16, 2015 9:49 pm Post subject: |
Well,
I need a crack for garsharp and the temple of tragon hacx0r trainer...
Does any generic crack exist?
Thanks
atom0s Moderator
Reputation: 205
Joined: 25 Jan 2006 Posts: 8585 Location: 127.0.0.1
Posted: Fri Jan 16, 2015 10:00 pm Post subject: |
CheatsLord65 wrote:
    Well,
    I need a crack for garsharp and the temple of tragon hacx0r trainer...
    Does any generic crack exist?
    Thanks
This is not a site for warez / cracks / patches for paid things.
_________________
- Retired.
CheatsLord65 Cheater
Reputation: 0
Joined: 31 Mar 2011 Posts: 49
Posted: Thu Jan 22, 2015 4:52 am Post subject: |
I know, and I'm talking about hacx0r trainers, in keeping with this topic.
Hax0r put a DRM in their trainers. The DRM was tied to his site.
Now you just had to sign up FOR FREE, so he didn't sell anything. His trainers were free, you just needed to register on his site.
The problem is that years have passed and his site is now gone....
I think there is nothing wrong in fixing that, no?
STN I post too much
Reputation: 43
Joined: 09 Nov 2005 Posts: 2676
Posted: Thu Jan 22, 2015 7:42 am Post subject: |
Just debug his trainers, the protection is a joke. Or use the method OP used to make the trainer think you entered valid user/pass.