What is this "Cheat Software" actually doing?

Подписаться 27 тыс.

Просмотров 135 тыс.

50% 1

I finally got a copy of the notorious cheat lab, and was able to find out, what it's actually doing.
Follow me on Twitter - / atericparker
Tools used:
Arch Linux (host system)
MITMPROXY (traffic inspection)
bless (hex editor)
Windows 10 (guest operating system)
Disclaimer: The content in this video is for education and entertainment purposes to showcase the dangers of malware & malicious software. I do not encourage any form of illegal hacking, nor do I encourage the usage of game cheats, cracks or hacks.
Cracks are sometimes shown to highlight the dangers of software piracy, my content is not intended to teach anybody how to pirate, or maliciously hack.
More Malware Investigation Videos:
→ Cyberpunk 2077 Highly Compressed: • Video
→ The latest "NORD" Malware - Nordsecured: • The latest 'NORD' Malw...
→🧧VIRUS WARNING🧧 NEW Optifine for Minecraft 1.16 SCAM: • 🧧VIRUS WARNING🧧 NEW Op...
→ The wilkreate RU-vid stealer virus that started this whole trend: • Fake sponsor DESTROYS ...
Much of the music in my videos comes from the RU-vid audio library, especially this amazing music creator: / @patrickpatrikios2050 .
Outro Music
Track: Lost Sky - Where We Started (feat. Jex) [NCS Release]
Music provided by NoCopyrightSounds.
Watch: • Lost Sky - Where We St...
Free Download / Stream: ncs.io/WhereWeStarted
(C) Eric Parker 2021

Наука

Опубликовано:

4 май 2024

Ссылка:

Скачать:

Готовим ссылку...

Добавить в:

Мой плейлист

Посмотреть позже

Комментарии : 367

@GManCool 25 дней назад

it would've been easier if windows didn't send millions of requests to ms servers...

@3ofSpades 24 дня назад

And I would have gotten away with it if it weren't for the red spies in the base!

@NicoTheCinderace 24 дня назад

@@3ofSpades A red spy's in the base?!

@muscletype2 23 дня назад

@@NicoTheCinderaceWe need to protect the briefcase!

@MacGuffin1 22 дня назад

or ppl knew how to use filters...

@NicoTheCinderace 17 дней назад

@@muscletype2 Yo, a little help here?

@AlfiesFuntime 25 дней назад

Just look at all the packets that windows is sending, windows itself is spyware lol

@EricParker 25 дней назад

The main culprit is every time you open the start menu and type anything, that's all going to bing servers. You can disable that with a registry tweak.

@freakymawg 25 дней назад

@@EricParker Could you make a video on that? thanks.

@francomino-kt4wo 25 дней назад

@@EricParker how I can do that? you should make a video about that :)

@wtfrare 25 дней назад

@@EricParker disabling search indexing?

@_Bruhens_ 25 дней назад

disabling telemetry i think, that option to disable it is in winaero tweaker

@Shqrdzz 25 дней назад

This dude is an antivirus lol

@hydradragonantivirus 25 дней назад

No I'm

@SparselyUsed 16 дней назад

This right here. This guy's apparently just Symantec Endpoint Protection, but in person form.

@esomnx 26 дней назад

Thank you for investigating cheat lab! I've been wondering what the malware embedded into it does, and now I finally know what it actually does!

@Fizcakesprite 25 дней назад

Why are people after me?

@bubgamingandvlogs3870 25 дней назад

@@Fizcakesprite what

@Fizcakesprite 25 дней назад

@@bubgamingandvlogs3870 Balls

@ValipPowa 24 дня назад

@@Fizcakesprite it's blatant almost every cheat has a tiny bit of malware in it even paid ones 🙂the cheat developers are just addicted to embedding malware at every stop

@Guillermo100 23 дня назад

@@Fizcakesprite what

@Nas_Allie 22 дня назад

You know you can trust a guy when you see him open up the ol Firefox

@Stix_Zidinia 18 дней назад

Yeah, the same devs who think transitioning kids is OK. I'm sure they have your best interests in mind. Most chromium based browsers are better.

@Penguin_BTW 18 дней назад

@@Stix_Zidinia You seem obsessed with trans people. They are always on your mind.

@gmdzbanwic 18 дней назад

@Penguin_BTW they would be on your too if you had firefox personally after using apple device way more anal porn populated hub website so. Maybe there is certain agendas

@HexSaber 18 дней назад

@@Stix_Zidiniaso do you have anything to actually add to the conversation or

@idk.-.d 18 дней назад

@Stix_Zidinia Even though thinking that is being clowns, it doesn't have any connection to the confidence.

@SteenSneeze 26 дней назад

Please do a tutorial on the Network Monitoring.

@dogyX3 23 дня назад

Yes please

@ZondGrief 22 дня назад

I am not a 100% sure but I think you can do that with a program called Http-toolkit

@BillyBobJoeMoma 16 дней назад

I would love to see how you set up the VM, seems very interesting for learning how to reverse engineer rats

@MintleafCakes 19 дней назад

this channel is great, you remind me a lot of danooct1, its like ive discovered him again lol. i think its mostly the voice but also the realm of content you both make.

@Awesomium3 25 дней назад

i didnt know you could somehow get out of a hex a screenshot, great job man!

@ValipPowa 24 дня назад

lol how do you think images get saved they are in binary computers dont use a magic! alot of things on your computer right now can be viewed in hex format🙂 hex editor is a great tool

@cesj1 22 дня назад

@@ValipPowathat 1st sentence is fucking crazy.

@krazidev1133 22 дня назад

@@cesj1 ong bro had a stroke while typing that

@henzk 21 день назад

@@krazidev1133 tf you mean you had a stroke while typing that? you didn't type that 💀this comment section is cooked ngl

@NeoNickz 20 дней назад

@@henzkyou're illiterate lmfao

@3RR0RNULL 26 дней назад

I’m not sure what to say other than that this is cool, and I hope to see more like this in the future. I’m gonna go watch a bunch of your videos.

@d0tmaxx376 25 дней назад

Can you make a tutorial on how to setup the proxy that captures packets?

@Frozenies 18 дней назад

didn't know you were uploading again, love the content!

@mapelsiroup5604 24 дня назад

very informative and prompts me to check network calls on my own machine hehe, very cool config which you have there would love to know more maybe a video on how to make a "hidden" virtual machine would be super nice or at least how you would approach hiding virtualisation

@prosperogaming3036 22 дня назад

If i had to guess its possible those pixels at the top of the image are possibly pixel steganography hiding some form of data such as username

@amongussuss341 24 дня назад

im curious about if you have any specific special configuration for ur vm, i see ur using virt-manager

@borat1 24 дня назад

Couldn't you check ACPI table to detect vms? Not sure if you can get around that with vmware products

@WalnutBun 16 дней назад

Where do you get your virus samples from, btw?

@harrythezomby 19 дней назад

Hey Eric, just out of curiosity - do you add anything special to ur VMs xml to protect the host from vm escape malware and that sorta stuff?

@someguy4915 16 дней назад

Probably not, since VM escaping malware is so insanely rare and dependent on being run on the right version and type of hypervisor that it's hardly a concern.

@NoodleHD 26 дней назад

we love eric virus analasis

@KittyCatYT 25 дней назад

best comment, been watchin for 3 years now

@thesupercomputer1 15 дней назад

Du you have any resources on hand to stealth a VM like the one you used? Would be handy in some situations.

@theshark9001 18 дней назад

how did you get the packets being sent from a qemu VM? I am curious because that seems VERY useful and for a while, I have been wanting to do the same thing you are doing in this video

@someguy4915 16 дней назад

Use vSphere or Hyper-V and this is a default feature (Mirror Ports).

@austist 17 дней назад

this was an awesome watch and got me messing around with MITM inspecting everything lol. also youre the first half british half american sounding person ive ever heard. (not trying to be mean lol)

@Niksa30171 13 дней назад

what is the program to the right where u can see the stuff and all of that.

@camirow 3 дня назад

Hey how did you setup mtimproxy to capture the traffic of applications? Mine only displays data sent by browser, discord, games etc but applications i download off the internet and ran doesn't show up in mtim even tho ive set the proxy server in settings and downloaded their cert. Would appreciate if you could tell me how you set yours up or a guide somewhere thanks!

@camirow 3 дня назад

Some third party applications ive downloaded that i know/wont function without connecting to their servers etc does not show up in mtim proxy

23 дня назад

how you setuped a netweok monitor for vm? i use too arch btw

@randomdude12370 19 дней назад

Would you be able to show us how you create such a VM and/or the mitmproxy with the custom ssl cert?

@ruinfox4108 16 дней назад

Can you liink the thing you used to actually tell you what all the traffic means no encryption? i noticed it was the one thing you didnt include.

@ratboygirl 21 день назад

i know next to nothing about computers but even i could follow this with basic knowledge of how malware works :) good job super interesting

@Soup69God 18 дней назад

Howd you set up your stealth vm?

@vladislavkaras491 13 дней назад

It was interesting to see, how malfare functions! Thanks for the video!

@ethan1898 25 дней назад

great informative video. very cool to see the binary conversion into png, was interesting to see what they were looking for.

@android4pcgaming 20 дней назад

Am interested in the setup of the monitoring. There are a couple of uses I want to try out

@dbuwehiwebf 22 дня назад

what system do you use

@dinky_474 16 дней назад

I'd love to see you make some tutorials in the future!

@cibles 25 дней назад

Thank you for another wonderful vid!

@7vhx 20 дней назад

What are you using to see network data? Is it a feature of VM or is it an app installed on the VM?

@EricParker 20 дней назад

MITM proxy. It's installed on the Arch (host) and then I have a bridge that the VM connects to. Will make a tutorial on setup soonish. You can use wireshark, but the benefit of this setup is it decrypts all the SSL traffic.

@pandrevanc 25 дней назад

Let's all love lain

@valornt4400 18 дней назад

how did you disguise the VM?

@heckerhecker8246 9 дней назад

Hey, I built cheat engine 7.5 from source; I've ran it a few times, and nothings gone wrong; Though I suspect it still might be doing something, my pc has gotten slightly slower, but no malware found; Is it safe?

@felicityc 5 дней назад

cheat engine is not cheat lab, not related, cheat engine is a legit piece of utility

@heckerhecker8246 4 дня назад

@@felicityc thanks

@gerarderloper 17 дней назад

Would love to know what KVM/Host XML tweaks you did to convince windows its not a VM. I have only done the basic stuff myself. I don't really play online games and never cheat, just doing the VM thing because I love Linux and well, I could. lol

@Lemonesms 16 дней назад

Hi, if possible could you tell me how you made the virtual machine think it isn't, if so this would be very useful Thank you!

@jmvr 17 дней назад

LuaJIT is not the payload, the .LUA file is. JIT means "Just In Time", which makes certain programming languages into something like Java, where a VM or JIT Interpreter can run some compiled code on the machine. Basically, the malware just used the JIT Interpreter to run that compiled .LUA file

@volkingdeath5312 19 дней назад

Really interesting analysis, found another gem on youtube

@MiDnYTe25 8 дней назад

Ngl finding the rare ultrawide video on youtube as an ultrawide user is an unexpected feeling of bliss, didn't even realize until I was 2/3 the way through lol

@pixo2000 22 дня назад

bro thx so much! 1st video i can watch fullscreen without black borders. i also use ultrawide

@teemops7167 24 дня назад

I'd be curious about how to stealth a VM from software detecting it too

@666nxvxr 22 дня назад

underrated channel, great video!

@TommyLuciano1 16 дней назад

I like to test malware samples on VMs and every time I worry about the virus some how finding its way out of the VM into my actual computer. Surely VM software must have some kind of protection against that? Or I could be wrong. I mostly use VirtualBox but sometimes I use VMWare if an OS refuses to work in VirtualBox for some reason or other.

@felicityc 5 дней назад

it can happen sometimes, but it's pretty rare. just don't use shared folders, and make sure hyperv isnt compromised somehow via mods or tweaks but if you are going to release serious malware or a lot at once, cloud vm is the way to go, or a dedicated machine

@pilottim136 25 дней назад

how did you disable the virtualisation thing so the VM doesnt know that its in a VM?

@someguy4915 16 дней назад

You don't, most software will instantly recognize that. Software can look at the actual used hardware, which unless it's enterprise-grade, is usually virtualized stuff. 1: 'CPU is modern, virtualization is disabled' -Suspicious. 2: 'VMXNET network adapter.... (or similar for other hypervisors) 3: 'ACPI driver is one for VMs'...

@pilottim136 16 дней назад

@@someguy4915 makes sense

@Coolguyjommy 19 дней назад

What is your vm config? How do you get your vm to look real?

@SunTzu_0 17 дней назад

Does it by hand still proceeds to be better then avast

@TURTLETIMEGAMINGOFFICIAL 25 дней назад

Id love to see that network tool more !

@ThompYT 17 дней назад

How can you disguise a VM like that?

@strandedice5145 9 дней назад

Omg I installed cheat engine like 6 years ago to change values on fnaf ultimate custom night, and since then, my computer has gotten slow and gotten blue screens of death for like no reason at all. Should I be concerned? What do I do?

@felicityc 5 дней назад

cheat engine is not the same as cheat lab. cheat engine is not malicious software. cheat engine will get you instabanned if you try to change the memory on a game with anticheat in progress. the point of a cheat like this is that it uses some ridiculous workarounds and disguises itself so the anticheat thinks nothing is wrong. while also giving you malware

@CryptedExo 23 дня назад

can i get some help setting this up? please and ty

@lionkor98 18 дней назад

The rest of that file is also part of the image, that's why the image was mostly black. To get this, you can just remove the header before the magic, the rest is your image. It probably sends screenshots because they may contain a lot of sensitive info. The lua was in bytecode, you can certainly disassemble that back to lua code if you try ;)

@TerrisLeonis 18 дней назад

What's really interesting about this is that the "malicious exe" here actually appears to be legit. It's just the Lua runtime. That means it's a known good executable, which won't be detected as malicious - because, on its own, it's not. On the other hand, the Lua file is definitely malicious. It's compiled Lua bytecode, rather than Lua script, which means you'd need to decompile it to understand it. Normally, Lua reads a script and internally compiles it into bytecode before running it, but you can also just supply precompiled bytecode and Lua will recognise the bytecode by the file signature, it then skips the compilation step, and runs it as-is. (Python can do this too, it's not just Lua) So, the .lua file is the actual malware. Because it's not an executable but is interpreted, this gives it an opportunity to evade anti-malware solutions, which would just see it as a data file while the exe in the same folder is considered trusted.

@WoollyOwl 23 дня назад

I think that strange top bar isn't secret data, it looks a lot like the missing part of the taskbar. Just to the left a bit and shortened

@justaneric 24 дня назад

hey my name's eric too also you can likely use a code analyzer to see the operation of an exe's process. at 10:39 this looks like hex data hope this helps ;)

@hamburger_eatspie 16 дней назад

I love your videos even though I don’t understand most of the stuff you say ❤️

@L1ghtInTheDark 26 дней назад

Was that a Fnaf 3 refrence?

@EricParker 26 дней назад

Correct

@BubbleGumCanDevelop 23 дня назад

the letters you where seeing are opcodes, better known as shellcode, you can directly execute them from programs without any decoding needed.

@ThatGuyAmir 25 дней назад

Hi Eric, I just found out your channel I actually love your work could you please make a tutorial or redirect me to a existing one on how to make a secure VM like you did TYSM

@hassanbadarneh6613 20 дней назад

.i have it on my pc how can i delete it pls

@psycho101rl 20 дней назад

so is cheat engine fine or is cheat lab and engine the same thing?

@HandsofMilenko 18 дней назад

Cheat Engine is fine, Cheat Lab is the problem

@ardwetha 20 дней назад

That's the reason, why you either only download from trusted sources, or use open source software like cheat engine, or you use a seperate computer and dont care if yo have a virus

@xulifar4243 26 дней назад

why does he sound like tristan tate

@DoubleBluffing 26 дней назад

English accent mixed with a USA accent

@PixelatedBrayden 25 дней назад

Top T

@Twobrosk 17 дней назад

because he is

@BigMan7o0 16 дней назад

I was quite literally mid making a comment about if you could show us how to set up the network monitoring when you mentioned it at the end lol. Personally I would love to know how to do it so I can have the peace of mind of being able to see everything my pc does. I've tried wireshark before but it was a little above my paygrade xD

@greasydave1318 19 дней назад

How do you set up the vms so no one can detect it?

@someguy4915 16 дней назад

You can't, you can partially hide it, but by hiding it you usually just make it more obvious. Like trying not to be seen by a police officer by covering your face with a ski-mask...

@_whatistruth 20 дней назад

is MITM safe?

@lookinatherlike7747 24 дня назад

How did u hide the VM from the os?

@ValipPowa 24 дня назад

i think he hid it from the executable not from the OS probably some middleware spoofing intercept calls to check for vm and return false information

@sas408 22 дня назад

Try proxmox, theres option to put "host" option as your cpu and it probably wont trigger an vm detection. Also hyper-v should work, most malwares dont know about hv existence

@losttownstreet3409 14 дней назад

What's the difference between cheat software and malware? - Both need to use anti detection on kernel level (for multiplayer and gotcha games) - Both need to modify the system - Both need to be dynamically updated (artmoney not because you must search yourself in the game code) If you write a cheat for modern games, you use the same code as malware. There is no other way as to dynamically update the payload if you want to provide a cheat service for modern games.

@captheobbyist6434 18 дней назад

it's pretty funny that people think of privacy in the internet, while windows or a browser they're using is sending tons of requests to various servers. im not only talking about "evil" bing or windows, just about overall software which connects to the internet. there could be some operating systems which dont do that, like distros of linux

@user-pm8je4fo7e 16 дней назад

Nah, they all do that. You can only protect youself by mitming your connection and writing up huillion of filters. And there basically goes your internet, because you'll inevitably end up switching to whitelist mode, blocking everything, including all kinds of "cloud" solutions. I can't even see avatars or proper nicknames on youtube because googlagol uses its spyhosts to deliever code that loads those. It's a pain even for cypherpunks, let alone normies, so no, no linux distro will ever do this the proper way. Also you will r**ed with captcha. Funniest thing is that goolagol still knows a lot about me. All it takes is to crossreference activity and analyze what I consume and what I produce online. You are 100% trackable and identifyable until you are completely silent (emit no data) and use disposable internet endpoints in order to consume data. No distro can regulate this for you.

@user-kt9wc2fd3f 18 дней назад

can u make a video how to setup a vm with these tools

@Garloth1 18 дней назад

McAfee (lol) has a full wroteup, "Redline Stealer: A Novel Approach"

@Sebastian-ym3fz 6 дней назад

How do i get rid of it pls bro

@hirrunio 24 дня назад

Loving the Lain wallpaper ;)

@xynium. 20 дней назад

Let's all love Lain!

@robertkiestov3734 День назад

YWNBAW

@gtasanandreas684 25 дней назад

Also, lain my beloved

@Cyiatic 21 день назад

Thank you for your dynamic analysis of Cheatlab, Mr. Parker! Is there any chance we could all get a tutorial video on your network capture setup?

@frogrockrust 17 дней назад

can you look at "star multi tool"?

@1qxd 17 дней назад

the lain bg really shows you this guy knows what they're doing

@szneo1 22 дня назад

i love these videos i dont exactly know what everything means but i love it

@Jessycakeboy 24 дня назад

I would love a tutorial on how to set up the network monitor

@DAGzex 15 дней назад

Were you referencing fnaf 3?

@Unknown_2711 23 дня назад

Is thst cheat engine? Beacuse when u searched cheat lab it redirectec to cheat engine

@RetroGamerIE 4 дня назад

please share a video of full setup , thank you in advance

@Tearz-tearify 23 дня назад

Nice stuff g

@MultiTrackDrifto 7 дней назад

Did you do a man in the middle on yourself to view the packets

@swishhydrotrip6299 19 дней назад

Can you do one on this application called fps unlocker

@javierdz 17 дней назад

good video mate!

@DaFluffyBear 13 дней назад

nice windows ctac pfp, im an endermanch fan too

@zrehirs 3 дня назад

you know what would be funny somehow making viruses believe my actual machine is just a virtual machine so the virus just ignores it lol

@Nayte08 16 дней назад

Loving your videos even if I only understand at max 60% of what’s going on lol

@professionalanarchist 17 дней назад

can you do the spyware of TLAUNCHER next(the cracked minecraft launcher)

@Redstoneprojrjr 25 дней назад

Why do you call it packets instead of requests?

@idogaming3532 21 день назад

Because answering a request is also a packet.

@Redstoneprojrjr 21 день назад

@@idogaming3532 requests sounds more realistic here

@Stratxgy. 15 дней назад

youtube videos advertising “cheat lab” have been everywhere in the past few months and they are all just the same video with different music and ai thunbnails