CheatEngine6.X standalone trainer for singleplayer game [false alarm]

Hi. I have a problem with Avast 8.0.1483.

I’m using a trainer created by CheatEngine6.2 and Avast shows a message about a virus:
“Win32:Evo-gen [Susp]”

- first problem:
I tried to add this EXE to exclude list:
*\Trainer.exe
*\Trainer.exe|[Embedded_R#DECOMPRESSOR]

But still, I cannot launch the trainer. Avast just ignores my exclude list.

- second problem
Currently, all CE6.2 trainers are made like this:

  • files: .cetrainer, a few .dll, one .exe, are compressed with zlib into ARCHIVE

  • and there is a DECOMPRESSOR file (the standalonephase2.dat file inside the installed cheatengine dir) - this file, when launched, will decompress ARCHIVE and execute the final EXE

  • ARCHIVE and DECOMPRESSOR are embedded into final EXE (standalonephase1.dat file)

So, the standalonephase1.dat file with changed icon, name and with embedded ARCHIVE and DECOMPRESSOR is the final product, for example gameName_trainer.exe.

On end-user side, it looks like this:

  1. When the user launches gameName_trainer.exe, the embedded data, ARCHIVE and DECOMPRESSOR, are saved inside the temp dir (F:\temp\cetrainers\CET28.tmp),
    ARCHIVE as CET_Archive.dat and
    DECOMPRESSOR as gameName_trainer.exe (yes, the same name)

  2. then DECOMPRESSOR (gameName_trainer.exe) decompresses CET_Archive.dat into “extracted” folder

  3. inside “extracted” there are: .dll, .lua and exe file (with the same name: gameName_trainer.exe)

But AVAST treats DECOMPRESSOR as malware. You could say: “you downloaded the trainer from an untrusted site”. Well, I made that trainer and I know exactly what it is doing. And CheatEngine is an “open source GPL” application.

I even tried to compile DECOMPRESSOR myself with current Lazarus version 1.0.8. The same result.

Here is DECOMPRESSOR:
http://code.google.com/p/cheat-engine/source/browse/trunk/Cheat+Engine/sfx/level2

As you can see here: http://code.google.com/p/cheat-engine/source/browse/trunk/Cheat+Engine/sfx/level2/main.pas
There is nothing suspicious.

Thanks for any help.

You can report it here: http://www.avast.com/en-no/contact-form.php (change the subject to suit your case).
You may add a link to this topic in case they reply here.

Hello,
thanks for the sample, it will be fixed in the next stream update.

Milos

I know this topic is old, but there are no other threads like this one. And the first post contains useful information.

Standalone single player trainers are again blocked by Avast: Win32:Evo-gen [Susp]
The problem applies to CheatEngine ver. 6.2 and the new one, CheatEngine ver. 6.3. I have to save my trainers to a folder added to the exclusion list. And downloaded (from a trusted site) trainers do not work until I move them to the excluded folder.

We can manually scan CheatEngine v6.2 installed inside “program files” folder - no threats detected. (CheatEngine v6.3 too).

Conclusion:
Now the standalonephase1.dat file (from CE6.2 and CE6.3) with appended RCData (ARCHIVE and DECOMPRESSOR, and changed icon) is treated as Win32:Evo-gen [Susp]

PS:
Thanks for previous fix.

PPS:
I’ll use the contact form. I’ll post it here too:

link:
http://www.mediafire.com/?f34ax09b3xckvnd

Archive contains:

  • standalonephase1.dat (no virus detected)

  • emptyTrainer.EXE - (false positive - Win32:Evo-gen [Susp]). It is an empty trainer generated with CE6.3, this EXE is standalonephase1.dat file with appended RCData

Thank you.

Thank you for your previous fixes. Sadly, the problem has returned again.

As an example, here is a trainer made by a CheatEngine forum member. His trainer is flagged as Win32:Malware-gen.
I’m using “avast! Free Antivirus 2014 9.0.2013”

I attached:
Banished Trainer (x32).exe - flagged as Win32:Malware-gen

Banished Trainer (x32) (NO RCData).exe - flagged as safe, Avast doesn’t find anything suspicious. I removed RCData (Embedded data) with Resource Editor.

Extracted from EXE resource, RCData, with Resource Editor:

ARCHIVE - flagged as safe. As mentioned earlier in my posts, this is a zlib archive, and it contains the essential files: two DLL files, one EXE file (cheatengine main EXE), one LUA file, one CETRAINER file (which is an XOR-crypted CheatTable file). Basically, it contains some files from “C:\Program Files\Cheat Engine 6.3”. Worth mentioning - Avast doesn’t find anything suspicious in the “C:\Program Files\Cheat Engine 6.3” directory. The main trainer exe (Banished Trainer (x32).exe) saves it as CET_Archive.dat.
cheatengine main EXE - it can be cheatengine-i386.exe or cheatengine-x86_64.exe.

DECOMPRESSOR - flagged as safe. This is an executable file. It extracts ARCHIVE and executes another EXE file. It is the same file as standalonephase2.dat from “C:\Program Files\Cheat Engine 6.3”.

The components are clean. Combined into one EXE, they are falsely flagged as malware.

Link to sample:
http://www.mediafire.com/?c7r2j5i9zc623dq

I’ll use the contact form too.

EDIT:
Valerij Medviď, thank you. It is fixed.
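
The component-by-component check described in the posts above (extract ARCHIVE and DECOMPRESSOR from RCData, then examine each on its own) can be scripted before filing a false-positive report. The following is an added example, not code from the thread or from Cheat Engine. It assumes the blobs were already saved with a resource editor and that ARCHIVE is a bare zlib stream; the function names and sample data are hypothetical and constructed.

```python
import hashlib
import struct
import zlib

MAX_INFLATE = 64 * 1024 * 1024  # cap inflated output (decompression-bomb guard)

def classify_blob(data: bytes) -> str:
    """Return 'pe', 'zlib' or 'unknown' for one extracted RCData blob."""
    # PE: 'MZ' DOS header whose e_lfanew field (offset 0x3C) points at 'PE\0\0'.
    if data[:2] == b"MZ" and len(data) >= 0x40:
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "pe"
    # zlib (RFC 1950): CM == 8, CINFO <= 7, 16-bit header divisible by 31.
    if len(data) >= 2:
        cmf, flg = data[0], data[1]
        if cmf & 0x0F == 8 and cmf >> 4 <= 7 and (cmf * 256 + flg) % 31 == 0:
            return "zlib"
    return "unknown"

def triage(blobs: dict, reference: dict) -> list:
    """Per blob: type, SHA-256, matching reference file name, inflated size."""
    known = {hashlib.sha256(b).hexdigest(): n for n, b in reference.items()}
    report = []
    for name, data in sorted(blobs.items()):
        kind, inflated = classify_blob(data), None
        if kind == "zlib":
            try:
                inflated = len(zlib.decompressobj().decompress(data, MAX_INFLATE))
            except zlib.error:
                kind = "unknown"  # header looked valid, stream did not inflate
        digest = hashlib.sha256(data).hexdigest()
        report.append({"name": name, "kind": kind, "sha256": digest,
                       "matches": known.get(digest), "inflated_size": inflated})
    return report

def fake_pe(tag: bytes) -> bytes:
    # Constructed stand-in for an executable: DOS header + PE signature only.
    return b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + tag

# Constructed sample data; real use reads the blobs saved from the resource editor.
SAMPLE_REFERENCE = {"standalonephase2.dat": fake_pe(b"phase2")}
SAMPLE_BLOBS = {"DECOMPRESSOR": fake_pe(b"phase2"),
                "ARCHIVE": zlib.compress(b"constructed archive payload" * 10)}

if __name__ == "__main__":
    for row in triage(SAMPLE_BLOBS, SAMPLE_REFERENCE):
        print(row)
```

A `matches` value of `standalonephase2.dat` for DECOMPRESSOR confirms the embedded stub is byte-identical to the installed one, which is the evidence worth attaching to a vendor report.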