Topic: CheatEngine6.X standalone trainer for singleplayer game [false alarm]


mgr.inz.Player (Newbie, Posts: 3)
Hi. I have a problem with Avast 8.0.1483.

I'm using a trainer created by CheatEngine6.2, and Avast shows a message about a virus:
"Win32:Evo-gen [Susp]"


- first problem:
I tried to add this EXE to the exclusion list:
*\Trainer.exe
*\Trainer.exe|[Embedded_R#DECOMPRESSOR]

But still, I cannot launch the trainer. Avast just ignores my exclusion list.

- second problem:
Currently, all CE6.2 trainers are made like this:

- files (.cetrainer, a few .dll, one .exe) are compressed with zlib into ARCHIVE

- and there is a DECOMPRESSOR file (the standalonephase2.dat file inside the installed cheatengine dir); this file, when launched, will decompress ARCHIVE and execute the final EXE

- ARCHIVE and DECOMPRESSOR are embedded into the final EXE (the standalonephase1.dat file)

So, the standalonephase1.dat file with a changed icon and name, and with embedded ARCHIVE and DECOMPRESSOR, is the final product, for example gameName_trainer.exe.

On the end-user side, it looks like this:

1) When the user launches gameName_trainer.exe, the embedded data (ARCHIVE and DECOMPRESSOR) are saved inside a temp dir (F:\temp\cetrainers\CET28.tmp\):
ARCHIVE as CET_Archive.dat and
DECOMPRESSOR as gameName_trainer.exe (yes, the same name)

2) then DECOMPRESSOR (gameName_trainer.exe) decompresses CET_Archive.dat into the "extracted" folder

3) inside "extracted" there are .dll, .lua and an exe file (with the same name: gameName_trainer.exe)

But Avast treats DECOMPRESSOR as malware. You could say: "you downloaded the trainer from an untrusted site". Well, I made that trainer and I know exactly what it is doing. And CheatEngine is an "open source GPL" application.

I even tried to compile DECOMPRESSOR myself with the current Lazarus version 1.0.8. The same result.

Here is DECOMPRESSOR:
http://code.google.com/p/cheat-engine/source/browse/trunk/Cheat+Engine/sfx/level2

As you can see here: http://code.google.com/p/cheat-engine/source/browse/trunk/Cheat+Engine/sfx/level2/main.pas
there is nothing suspicious.

Thanks for any help.
« Last Edit: February 26, 2014, 02:24:28 PM by mgr.inz.Player »

Pondus (Avast Überevangelist, Probably Bot, Posts: 32642)
Re: CheatEngine6.2 standalone trainer for singleplayer game [false alarm]
« Reply #1 on: April 27, 2013, 11:19:55 PM »
You can report it here: http://www.avast.com/en-no/contact-form.php (change the subject to suit your case).
You may add a link to this topic in case they reply here.


Milos (Avast team, Super Poster, Posts: 1683)
Re: CheatEngine6.2 standalone trainer for singleplayer game [false alarm]
« Reply #2 on: April 30, 2013, 11:29:01 PM »
Hello,
thanks for the sample, it will be fixed in the next stream update.

Milos

mgr.inz.Player (Newbie, Posts: 3)
Re: CheatEngine6.2 standalone trainer for singleplayer game [false alarm]
« Reply #3 on: August 05, 2013, 10:36:29 AM »
I know this topic is old, but there are no other threads like this one. And the first post contains useful information.

Standalone single-player trainers are again blocked by Avast: Win32:Evo-gen [Susp]
The problem applies to CheatEngine ver. 6.2 and the new one, CheatEngine ver. 6.3. I have to save my trainers to a folder added to the exclusion list. And downloaded (from a trusted site) trainers do not work until I move them to the excluded folder.

We can manually scan CheatEngine v6.2 installed inside the "program files" folder: no threats detected (CheatEngine v6.3 too).

Conclusion:
now the standalonephase1.dat file (from CE6.2 and CE6.3) with appended RCData (ARCHIVE and DECOMPRESSOR, and a changed icon) is treated as Win32:Evo-gen [Susp].

PS:
Thanks for previous fix.

PPS:
I'll use the contact form. I'll post it here too:

link:
http://www.mediafire.com/?f34ax09b3xckvnd

Archive contains:

- standalonephase1.dat (no virus detected)

- emptyTrainer.EXE (false positive: Win32:Evo-gen [Susp]). It is an empty trainer generated with CE6.3; this EXE is the standalonephase1.dat file with appended RCData.

Thank you.
« Last Edit: August 09, 2013, 11:49:27 AM by mgr.inz.Player »

mgr.inz.Player (Newbie, Posts: 3)
Re: CheatEngine6.2 standalone trainer for singleplayer game [false alarm]
« Reply #4 on: February 26, 2014, 02:24:06 PM »
Thank you for your previous fixes. Sadly, the problem has returned again.

As an example, a trainer made by a CheatEngine forum member. His trainer is flagged as Win32:Malware-gen.
I'm using "avast! Free Antivirus 2014 9.0.2013"

I attached:
Banished Trainer (x32).exe - flagged as Win32:Malware-gen

Banished Trainer (x32) (NO RCData).exe - flagged as safe; Avast doesn't find anything suspicious. I removed the RCData (embedded data) with Resource Editor.

Extracted from the EXE resource (RCData) with Resource Editor:

ARCHIVE - flagged as safe. As mentioned earlier in my posts, this is a zlib archive, and it contains the essential files: two DLL files, one EXE file (the cheatengine main EXE), one LUA file, one CETRAINER file (which is an XOR-crypted CheatTable file). Basically, it contains some files from "C:\Program Files\Cheat Engine 6.3". Worth mentioning: Avast doesn't find anything suspicious in the "C:\Program Files\Cheat Engine 6.3" directory. The main trainer exe (Banished Trainer (x32).exe) saves it as CET_Archive.dat.
The cheatengine main EXE can be cheatengine-i386.exe or cheatengine-x86_64.exe.

DECOMPRESSOR - flagged as safe. This is an executable file. It extracts ARCHIVE and executes another EXE file. It is the same file as standalonephase2.dat from "C:\Program Files\Cheat Engine 6.3".

The components are clean. Combined into one EXE, they are flagged as malware (a false positive).

Link to sample:
http://www.mediafire.com/?c7r2j5i9zc623dq

I'll use the contact form too.

EDIT:
Valerij Medviď, thank you. It is fixed.
« Last Edit: February 27, 2014, 12:01:35 AM by mgr.inz.Player »
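The split described in the first post (RCData = zlib ARCHIVE + DECOMPRESSOR EXE) and repeated by hand with Resource Editor in Reply #4 can be scripted for false-positive triage. This is an added Python example, not Cheat Engine's or Avast's code: given a blob pulled from the RCData resource, it tells a raw PE from a zlib stream, inflates the stream with the standard library and carves any PE headers inside it, which is exactly the "executable carrying a compressed executable" shape a generic heuristic reacts to. The sample blobs are constructed; nothing about the Cheat Engine archive layout is assumed beyond "zlib-compressed data".

```python
import zlib

# Common zlib stream headers (CMF/FLG bytes) for deflate at the usual levels.
ZLIB_HEADERS = {b"\x78\x01", b"\x78\x5e", b"\x78\x9c", b"\x78\xda"}


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def carve_pe_offsets(data: bytes) -> list:
    """Offsets of every well-formed PE header found anywhere inside data."""
    offsets, pos = [], 0
    while (pos := data.find(b"MZ", pos)) != -1:
        if looks_like_pe(data[pos:]):
            offsets.append(pos)
        pos += 2
    return offsets


def classify_blob(blob: bytes) -> dict:
    """Classify one RCData blob: a raw PE (the DECOMPRESSOR) or a zlib
    stream (the ARCHIVE). A zlib stream is inflated and scanned for
    embedded PE images so each part can be examined or scanned on its own."""
    info = {"kind": "unknown", "inflated_size": None, "pe_offsets": []}
    if looks_like_pe(blob):
        info["kind"], info["pe_offsets"] = "pe", [0]
        return info
    if blob[:2] in ZLIB_HEADERS:
        try:
            inflated = zlib.decompress(blob)
        except zlib.error:
            info["kind"] = "zlib-corrupt"   # header matched, body did not inflate
            return info
        info["kind"] = "zlib"
        info["inflated_size"] = len(inflated)
        info["pe_offsets"] = carve_pe_offsets(inflated)
    return info


# Constructed samples (not real Cheat Engine files): a minimal MZ/PE header
# standing in for DECOMPRESSOR, and a zlib stream standing in for ARCHIVE
# that holds a Lua snippet followed by another PE image.
FAKE_PE = (b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little")
           + b"PE\x00\x00" + b"\x00" * 16)
LUA_PART = b"print('trainer loaded')\n"
FAKE_ARCHIVE = zlib.compress(LUA_PART + FAKE_PE)
```

Running `classify_blob(FAKE_ARCHIVE)` reports kind "zlib" with one PE carved at the offset right after the Lua text; the same call on an extracted real ARCHIVE shows which embedded files are executables worth scanning separately.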