Recently I ported my Steamless project to .NET. I made this port because more and more people in the RE scene have been making use of .NET languages (C# and VB.NET). I wanted to make the project open to more people in the scene if they ever wanted to contribute back or share ideas for the project.

I plan on keeping the C/C++ version, just that it will be a little while before I start updating it again and bring it up to speed with this new repository for the .NET version.

Steamless.NET is written in C# and is made to be as easy as possible to follow, understand, and expand upon.

The code is set up to use reflection to find known unpackers internally and can be easily adjusted to load external modules as unpackers as well. I went with this approach so that people can get into a specific part of the code base easily and modify or extend any part of the code they wish.

The unpackers make use of a custom attribute 'SteamStubUnpackerAttribute' that tells the executable that the class carrying the attribute is an unpacker for a specific version of the DRM. The attribute has a few properties, one of which is a pattern. The pattern is used to find and determine the version of the DRM being used. For example, this is the variant version 2 class definition:
Code: csharp
[SteamStubUnpacker(
    Author = "atom0s (thanks to Cyanic)",
    Name = "SteamStub Variant #2",
    Pattern = "53 51 52 56 57 55 8B EC 81 EC 00 10 00 00 C7")]
public class SteamStubVariant2 : SteamStubUnpacker
{
    // ... (class body not shown in this excerpt)
}

Here the attribute tells us the author and name of this stub unpacker, as well as the pattern used to determine the version. Patterns are based on the .bind section code within the file and should be unique to each version to ensure proper unpacking.
In later versions I plan to add a force-flag command line parameter to allow users to specifically state what unpacker they want to use in case a file has false-positives.

All unpacker classes inherit from a base class 'SteamStubUnpacker' to allow for reflection to initialize and invoke the class's unpacking process. The base class forces the inheriting class to implement a function called Process that takes in the currently loaded file to be unpacked, and then the class is free to do whatever it needs from that point on. For example, in the v2 and v3 unpackers I have written so far, I broke each part of the unpacking process into different steps. This helps keep the code base clean and easily maintainable as well as easily readable for newcomers to the project.

While the v2 and v3 unpackers are near 100% completion, they do come with some bugs.

For the v2 unpacker:
- x64 (64-bit) files are not handled at this time.
- Not all flags may be handled correctly as only a few executables have been tested and validated.
- In certain cases, overlay data may not be restored properly. (Some files store this into a section called .extra)

For the v3 unpacker:
- x64 (64-bit) files are not handled at this time.
- Not all flags may be handled correctly as only a few executables have been tested and validated.
- If a file has no .text section (or it was renamed) the unpacking will force-fail. (This will be fixed soon.)


Again, a big thanks to Golem_x86 for his assistance in this project. :)

Given that I am a moderator on Cheat Engine's forums, one of my duties is to keep the forums clean of various things. One of these is harmful files / trainers that could contain things that are harmful to the users that download and run them. When Cheat Engine 6.0 beta was first started and posted in the beta only section of the forum, I immediately updated my old trainer dumper tool from Cheat Engine 5.6 to work with the newest version of Cheat Engine.

This was a major overhaul to the popular tool with an entire rewrite of how the trainer files are handled from their original format. That said, I decided to just rewrite my tool specifically for Cheat Engine 6 and use a separate one for older files.

As of today, Cheat Engine is now at version 6.4 and through the 4 major revisions the sub-set of changes have altered the trainer files and their method of being saved numerous times. In total there are two major ways the files are saved based on the version of Cheat Engine being used to create them. There are also two ways a trainer can be saved and protected:
- As a stand-alone .exe file.
- As a compiled/protected .CETRAINER file that Cheat Engine understands how to read.

Each of these methods has its own ups and downs. Keep in mind though, Cheat Engine is open source so these protections are mainly just to deter newbies from editing credits and claiming they wrote something they didn't. So this post should not be seen as anything major or hard-core in terms of creating a dumping tool as the source is freely available.

Stand-Alone Executable File (.exe)

    Using this approach, trainer makers can create a stand-alone solution within Cheat Engine that does a few pretty interesting things for the user and lets their trainer make full use of Cheat Engine. When Cheat Engine generates a stand-alone executable it does the following steps:
    1. The user's cheat table is compressed with zlib.
    2. The user's cheat table is then xor encrypted multiple times.
    3. Cheat Engine creates a new SFX file for the trainer using a base executable.
    4. Cheat Engine builds an archive file that contains the various files that this trainer will need to run.
    5. Cheat Engine injects this new archive into the SFX file's resources and names it 'ARCHIVE'.
    6. Cheat Engine injects another resource named 'DECOMPRESSOR' into the file's resources which is used to extract the 'ARCHIVE' resource.
    7. Cheat Engine finalizes the image and renames it to the trainer creator's desired name.

    When this file is executed, it will start up and look for the 'DECOMPRESSOR' and 'ARCHIVE' resources and extract them. The decompressor will then run and extract the contents of the archive. This archive contains a number of files based on what the trainer requires to run. By default this will at least include:
    • cheatengine-i386.exe / cheatengine-x86_64.exe
    • lua.dll
    • dbghelp.dll

    Outside of that it can also include various files based on the trainer's needs such as the dbk32/64.sys driver, speedhack.dll etc.

    Once the files are extracted, if a .CETRAINER file is found in the archive, the decompressor will launch the Cheat Engine executable with the trainer file as the 2nd argument. Then the following information for loading a .CETRAINER file comes into play.

.CETRAINER File (.CETRAINER)

    CETRAINER files come in two forms, protected and unprotected. These files are simple .xml files that hold the Cheat Table information. If protected, the files are compressed and encrypted via a simple xor encryption.

    The flow of how these files are loaded follows:
    • Cheat Engine loads the file.
    • Checks if the file is already xml by seeing if '<?xml' exists as the first 5 characters.
    • If '<?xml' exists, just load the table as normal.
    • If not, then the file is considered protected and must be decoded.
    • The first layer of protection is a 3-way xor encryption.
      1. The first wave is a before-key relationship where the first byte (x) starts at 2 and the first xor key starts at x-2.
      2. The second wave is an after-key relationship where the first byte (x) starts at length-2 and the first xor key starts at x+1.
      3. The last wave is a static-incrementing key relationship where the key starts at 0xCE and increments each xor.
    • Next, the xor-decoded data is decompressed using zlib.
    • Old Decompress Method
      • Older trainer files have no special compression or buffer; the entire buffer is assumed to be compressed and can be processed.
    • New Decompress Method
      • Newer trainer files have a 5 byte header saying 'CHEAT'. This should be skipped before attempting to decompress the buffer.
      • Newer files also have the compressed data size after the 'CHEAT' header, which should be read and used to know how much data to read and inflate from the compressed data stream.
    • At this point the .CETRAINER file should be clean .xml text and can be reused/edited/etc. again.
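The load flow above, as an added Python sketch for inspecting a trainer file without running it (this is not CeDumper's or Cheat Engine's code). The in-place loop reading of the three waves, the 4-byte little-endian size field, standard zlib stream framing and the 64 MiB inflate cap are assumptions; `protect` exists only to build the constructed samples.

```python
import struct
import zlib
MAX_OUT = 64 * 1024 * 1024  # assumed cap on inflated size for untrusted files

def xor_waves(buf: bytes) -> bytes:
    """Undo the three xor waves, in the order the post lists them."""
    b, n = bytearray(buf), len(buf)
    for i in range(2, n):            # wave 1: key is the byte at i-2
        b[i] ^= b[i - 2]
    for i in range(n - 2, -1, -1):   # wave 2: key is the byte at i+1
        b[i] ^= b[i + 1]
    for i in range(n):               # wave 3: key 0xCE, +1 per byte (mod 256 assumed)
        b[i] ^= (0xCE + i) & 0xFF
    return bytes(b)

def inflate(data: bytes) -> bytes:
    out = zlib.decompressobj().decompress(data, MAX_OUT + 1)
    if len(out) > MAX_OUT:           # refuse decompression bombs
        raise ValueError("inflated table exceeds cap")
    return out

def decode_cetrainer(raw: bytes) -> bytes:
    if raw[:5] == b"<?xml":          # unprotected: already a plain table
        return raw
    buf = xor_waves(raw)
    if buf[:5] != b"CHEAT":          # old method: whole buffer is compressed
        return inflate(buf)
    if len(buf) < 9:
        raise ValueError("truncated header")
    (size,) = struct.unpack_from("<I", buf, 5)   # assumed 4-byte LE size field
    if size > len(buf) - 9:
        raise ValueError("size field exceeds file length")
    return inflate(buf[9:9 + size])

def protect(inner: bytes) -> bytes:
    """Inverse of xor_waves, used only to build the constructed samples."""
    b, n = bytearray(inner), len(inner)
    for i in range(n):               # inverse of wave 3 (xor is its own inverse)
        b[i] ^= (0xCE + i) & 0xFF
    for i in range(n - 1):           # inverse of wave 2
        b[i] ^= b[i + 1]
    for i in range(n - 1, 1, -1):    # inverse of wave 1
        b[i] ^= b[i - 2]
    return bytes(b)

XML = b'<?xml version="1.0"?><CheatTable></CheatTable>'   # constructed sample
PACKED = zlib.compress(XML)
NEW_SAMPLE = protect(b"CHEAT" + struct.pack("<I", len(PACKED)) + PACKED)
OLD_SAMPLE = protect(PACKED)
```

The decoded XML can then be reviewed as text, including any embedded Lua script, before anyone opens the trainer in Cheat Engine.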

Summing It Up

    Is this a secure method of protection? No, not at all, but it is not meant to be. It is, again, meant to deter the newbies from stealing the work of others. Overall this is more of a compression method to help reduce the size of the compiled trainer. Granted, because .exe trainer files include Cheat Engine's core files to work, trainers are fairly large even with little to no cheats added. A base trainer could be around 3-5MB, which is a bit excessive, but due to how it works it is very nice for the user given they have full access to CE then.

    For those looking to really protect their trainer / work and do not want it to be seen by others so easily, I do not recommend making your trainers in Cheat Engine, and if you do, you should use an additional packer/protector on top of what Cheat Engine does. Another thing you can do is download Cheat Engine's source code and modify the code to implement other methods of protection on top of what's already there. It can help in the long run to protect things.

    Keep in mind though, if your trainer does anything with WriteProcessMemory / ReadProcessMemory it can be easily 'spied' on and stolen still!

CeDumper - Drop-and-dump Solution

Because of needing to check files often like I mentioned above, I wrote a tool to dump the trainer files easily.
A simple drag-and-drop interface can be used to dump any trainer file made with Cheat Engine that is not modded from the original protection setup.

I will probably release this tool in the near future since others may find it useful to keep themselves protected against malicious trainer files from Cheat Engine.

A month or two back I bought a new main work station / desktop. Typically I opt to build my own but this time around I did not want to bother dealing with RMAs and other potential hassles during the build phase. Instead I took to finding pre-builts by trusted companies and price matched their parts used. I figured if I can find someone that is selling pre-builts that are close to the cost of the parts, I'd be in good shape. If not, I can just build my own in the long run if need be.

I took about a week looking through some various companies. Most of which landed up seeming to be more than $250 or more on labor costs for the parts you were getting, that alone could build a desktop computer, so no thanks. My price range was not limited but I was not interested in being able to build another system or even the cost of another graphics card just in "labor".

I came across CyberPowerPC and saw their lower-end prices and was pretty amazed. I took a few of their systems and price-matched them on Newegg and a few other sites and came up with a total labor cost of around $50-150 in each of their machines. This, for me, was a comfortable spot for the cost of having someone else do the work. I took to their forums and reviewed some of their feedback sections and such and pretty much every post was nothing but good. Newegg has them listed as a reseller as well with great ratings so this was a company I could personally put trust into.

The system I priced turned out to be just under $100 in labor, and it was well worth it.

The parts list consists of:
    Processor: Intel Core i7 - 4790K (Unlocked @ 4.4GHz)
    Motherboard: Gigabyte Z97-HD3 (GA)
    Hard Drive: Toshiba DT01ACA200 2TB
    RAM: Team Group 4GB DDR3 1600 (x2 - 8gig total)
    Graphics Card: MSI Geforce GTX 970
    Power Supply: Atng 600W w/ Rounded Cables (OEM style power supply)
    Optical Drive(s): LG HL-DT-ST GH24NSC0 DVD/RW

In total the system priced part for part was about $100 less than the asking price so I went for it. Knowing the drive situation it came with, I opted to buy two additional SSDs for it.
I also needed a new monitor so I got one as well. Additional parts I snagged were:
    Hard Drive: SAMSUNG 850 EVO MZ-75E250B/AM 250GB SSD x2
    Monitor: Asus VH238H 23" Full HD HDMN Backlight LCD w/ Speakers

I went with the ASUS monitor because I enjoy having a monitor with built in speakers. I do not have the desk space for a separate sound system (Speakers and so on.) so having them built in is best for me. The SAMSUNG drives came recommended from a friend of mine so I went with those based on his (and reviews) opinion.

End result I spent around $1600 total on all parts, the system and the monitor. I also had to snag a few SATA cables which were only about $2 a piece.

The system performs amazingly, nothing was dead-on-arrival. CyberPowerPC ships things wonderfully with expanding packaging to ensure nothing moves during the ship. The system was solid and fresh. Paint looked great and parts were secure and in-place. Nothing was damaged, scratched, or had any issues.

The system comes pre-installed with an OEM copy of Windows 8.1, however this is the most amazing OEM install I've ever seen. There is 0 bloat-ware, ad-ware, spy-ware, etc. installed. Literally nothing comes with the install. It is a stock Windows 8.1 Pro install, not even a custom wallpaper. The only thing changed is in the system properties they show their personal logo as the OEM provider. That is it.

I reformatted immediately anyway to double-check this with their included OEM install disk and it held true. The reformat yielded the same results. A nice clean stock Windows 8.1 experience.

Overall I'm very happy with my purchase. The system is set up as a work machine as well as a gaming machine in my free time. 1 SSD is being used as the main OS drive along with the main work programs I use, the 2nd SSD is my gaming drive which I have all my games installed to. The last drive being the 2TB non-SSD is just for storage holding old stuff. I bought an IDE to USB cable and backed up a bunch of old hard drives onto the 2TB drive.

Here is a simple way to hide the 'Top Stories' garbage on Google News.

You will need to download 1 specific extension, Stylebot. Download it for Chrome here:
https://chrome.google.com/webstore/deta ... pgmdaleoha

Next follow these short steps to block the needed parts of the Google News page:
  1. Open Stylebot's options by clicking on the added button the extension made and choose 'Options' from the dropdown.
  2. Once the options are open, click on the 'Styles' link on the left side.
  3. Then on the right side, click 'Add a new style...'.
  4. For the url, enter: news.google.com
  5. For the CSS override in the bottom box, enter:
    Code: css
    div.section.top-stories-section.section-toptop {
        display: none;
    }

    li.nav-item.nv-FRONTPAGE.selected-nav-item.topic-nav-item {
        display: none;
    }

Click save, and you are done. Your Google News page should no longer show the Top Stories at all. :)

I've been working on the revamp of one of my Terraria tools in light of the next major version being released soon.
For now, this version of toxy will remain for Terraria version 1.2.4.1 since major servers and stuff won't be playing on the new version for a while until things like tShock are updated.

Here is how toxy looks now:

Here is the current change log from the original version:
  • [CHG] toxy is fully written in WPF now rather than WinForms.
  • [CHG] toxy is fully rewritten to be a lot more optimized / stable.
  • [ADD] toxy now includes a full scripting backend via Lua.
  • [CHG] toxy now handles all additional hacks/changes in the form of addons.
  • [REM] Hacks on the main window have been removed and are instead moved to addons.
  • [ADD] toxy now includes pre-made wrappers for every single packet in the game instead of just a select few.
  • [FIX] Fixed some underlying bugs with the core of toxy.
  • [FIX] Fixed some issues with the proxy library that toxy makes use of for proxied connections. (For ban evasion.)

toxy is not going to be released free or open source anymore as well. At this time I have not decided on a price tag but I should have something figured out in the near future. Perhaps a donation required access setup or something to keep development interests going. We'll see in the near future though.

Terraria 1.3 is scheduled for release at the end of the month, so be sure to back up your current Terraria installations!