Originally Posted by N0T X0R
Hello esteemed MPC members and hello to the *****s/liars from "fknowned",
Today I heard news that "Holzed 1.2 Fixed" by Holz contained a virus, so being my vindictive self I decided to see what all the commotion was about, and with that I had a look at this horrible cheat. Holzed 1.2 Fix is a CounterStrike Source cheat which is coded in C++ and compiled in Visual C++ 7; it consists of two main parts: the injector and the DLL. I'll now briefly explain what each file does.
Holzed 1.2 Fixed itself is one normal file packed with PECompact (don't forget this). It consists of a secondary file which is embedded within a resource (Resource ID 135); this is clearly a portable executable just by looking at the first few bytes of the program (the immediately recognisable "MZ" signature). Once it's dumped you can see that it's a DLL file which is also packed with PECompact (never would have guessed). Anyway, here are the checksums for the packed files.
Code:
Injector:
MD5: D3BBC6678A973CC6374C53A55B2E1F07
SHA1: 07CA968DBC960D2EFF794AD0AF31E4AFE66808C2
CRC32: B1F33E22
SIZE: 225KB (230,912 bytes)
DLL:
MD5: 102B992BD77D6F2B05EB1F9DF78CE985
SHA1: 0EDF6E53CA7D233007AE77C6BEC69EB0D9CDFBC2
CRC32: D581B35F
SIZE: 125KB (128,000 bytes)
Feel free to compare these to yours. Anyway, now to virus scan them; you'll notice they both get HEUR/Crypted virus detections. Why? This is because they're packed with PECompact (yes, I know it's getting repetitive to hear that name). PECompact uses common encryption/decryption methods which are akin to those of other packers; this is to compress and encrypt the code. Most programs packed with even the weakest packers (UPX, NSPack, etc.) are still detected. This is a common anti-virus fault; feel free to Google for proof. Anyway, so I then unpacked the main executable, and guess what happened... It still got detected as HEUR/Crypted. So now you may be thinking that Holzed really is virused, but it's simply not the case: if you remember, I said that the DLL was also packed with PECompact, and because the DLL is still a resource it's being detected. So once we've removed the DLL resource, let's do another scan... No virus. Am I out of my mind? Luckily, I'm not. The main injector has no virus at all; Holz's only crime is not knowing how to pack his programs properly. Now let's show the checksums for the unpacked files (imports fixed, etc.).
Code:
Injector:
MD5: 59B0E953748EB72720C9DD9554217F96
SHA1: 16BF1E7B94820C3ED5A8E1F4D1388305AB7B0C1E
CRC32: 29D6A583
SIZE: 641KB (656,896 bytes)
DLL:
MD5: C279A3CF078D2B652DFFC871580A5192
SHA1: 7A651DB5AF988BAAEDEFB822616464BCF4CE7CAE
CRC32: A43561B7
SIZE: 392KB (401,408 bytes)
So as you can see, the only real virus threat is HEUR/Crypted, which is a false positive anyway. Now let's get onto the Poison Ivy claims... People have claimed that Holzed 1.2 Fix comes bundled with Poison Ivy (PI), but as I've already highlighted no anti-virus gets such a false positive, so we most probably have somebody lying to tarnish another member's reputation. Poison Ivy works by embedding into a program through a very simple method; it's almost exactly like any other code/file embedder. It simply extends the .code section or makes its own section and then changes the entry point to the newly allocated code, which does whatever the coder wants it to do; in Poison Ivy's case it installs a registry key and creates a DLL in the system folder. This is then automatically loaded into explorer.exe whenever it's loaded. To see this is very easy in any program; a tell-tale sign is some random code and then a jump to the entry point. Now let's look at Holzed's main executable:
Code:
0040524B > $ 6A 60 push 60
0040524D . 68 E8CF4100 push Holzed.0041CFE8
00405252 . E8 B51D0000 call Holzed.0040700C
00405257 . BF 94000000 mov edi, 94
0040525C . 8BC7 mov eax, edi
0040525E . E8 FD010000 call Holzed.00405460
00405263 . 8965 E8 mov dword ptr ss:[ebp-18], esp
00405266 . 8BF4 mov esi, esp
00405268 . 893E mov dword ptr ds:[esi], edi
0040526A . 56 push esi ; /pVersionInformation
0040526B . FF15 98B24100 call near dword ptr ds:[<&kernel32.Ge>; GetVersionExA
This is the entry point until "regular" code starts (GetVersion(Ex) is called at the beginning of every VC++ program, unless modified). As you can see there's only one part of interest, the call at 00405252; unfortunately this isn't the virus you're all begging for, this is VC++'s SEH (structured exception handler), so you all fail... again. The same applies for the DLL.
Code:
100106A2 > $ 6A 0C push 0C
100106A4 . 68 60DD0310 push HolzedDL.1003DD60
100106A9 . E8 22180000 call HolzedDL.10011ED0
100106AE . 33C0 xor eax, eax
100106B0 . 40 inc eax
100106B1 . 8945 E4 mov dword ptr ss:[ebp-1C], eax
100106B4 . 8B75 0C mov esi, dword ptr ss:[ebp+C]
100106B7 . 33FF xor edi, edi
100106B9 . 3BF7 cmp esi, edi
100106BB . 75 0C jnz short HolzedDL.100106C9
100106BD . 393D DC650510 cmp dword ptr ds:[100565DC], edi
100106C3 . 0F84 B3000000 je HolzedDL.1001077C
100106C9 > 897D FC mov dword ptr ss:[ebp-4], edi
100106CC . 3BF0 cmp esi, eax
100106CE . 74 05 je short HolzedDL.100106D5
100106D0 . 83FE 02 cmp esi, 2
100106D3 . 75 31 jnz short HolzedDL.10010706
100106D5 > A1 D8A00510 mov eax, dword ptr ds:[1005A0D8]
100106DA . 3BC7 cmp eax, edi
100106DC . 74 0C je short HolzedDL.100106EA
100106DE . FF75 10 push dword ptr ss:[ebp+10]
100106E1 . 56 push esi
100106E2 . FF75 08 push dword ptr ss:[ebp+8]
100106E5 . FFD0 call near eax
100106E7 . 8945 E4 mov dword ptr ss:[ebp-1C], eax
100106EA > 397D E4 cmp dword ptr ss:[ebp-1C], edi
100106ED . 0F84 85000000 je HolzedDL.10010778
100106F3 . FF75 10 push dword ptr ss:[ebp+10] ; /Arg3
100106F6 . 56 push esi ; |Arg2
100106F7 . FF75 08 push dword ptr ss:[ebp+8] ; |Arg1
100106FA . E8 22FEFFFF call HolzedDL.10010521 ; HolzedDL.10010521
100106FF . 8945 E4 mov dword ptr ss:[ebp-1C], eax
10010702 . 3BC7 cmp eax, edi
10010704 . 74 72 je short HolzedDL.10010778
10010706 > 8B5D 10 mov ebx, dword ptr ss:[ebp+10]
10010709 . 53 push ebx
1001070A . 56 push esi
1001070B . FF75 08 push dword ptr ss:[ebp+8]
1001070E . E8 583FFFFF call HolzedDL.1000466B
10010713 . 8945 E4 mov dword ptr ss:[ebp-1C], eax
10010716 . 83FE 01 cmp esi, 1
10010719 . 75 0E jnz short HolzedDL.10010729
1001071B . 3BC7 cmp eax, edi
1001071D . 75 0A jnz short HolzedDL.10010729
1001071F . 53 push ebx ; /Arg3
10010720 . 57 push edi ; |Arg2
10010721 . FF75 08 push dword ptr ss:[ebp+8] ; |Arg1
10010724 . E8 F8FDFFFF call HolzedDL.10010521 ; HolzedDL.10010521
10010729 > 3BF7 cmp esi, edi
1001072B . 74 05 je short HolzedDL.10010732
1001072D . 83FE 03 cmp esi, 3
10010730 . 75 29 jnz short HolzedDL.1001075B
10010732 > 53 push ebx ; /Arg3
10010733 . 56 push esi ; |Arg2
10010734 . FF75 08 push dword ptr ss:[ebp+8] ; |Arg1
10010737 . E8 E5FDFFFF call HolzedDL.10010521 ; HolzedDL.10010521
1001073C . 85C0 test eax, eax
1001073E . 75 03 jnz short HolzedDL.10010743
10010740 . 897D E4 mov dword ptr ss:[ebp-1C], edi
10010743 > 397D E4 cmp dword ptr ss:[ebp-1C], edi
10010746 . 74 13 je short HolzedDL.1001075B
10010748 . A1 D8A00510 mov eax, dword ptr ds:[1005A0D8]
1001074D . 3BC7 cmp eax, edi
1001074F . 74 0A je short HolzedDL.1001075B
10010751 . 53 push ebx
10010752 . 56 push esi
10010753 . FF75 08 push dword ptr ss:[ebp+8]
10010756 . FFD0 call near eax
10010758 . 8945 E4 mov dword ptr ss:[ebp-1C], eax
1001075B > 834D FC FF or dword ptr ss:[ebp-4], FFFFFFFF
1001075F . 8B45 E4 mov eax, dword ptr ss:[ebp-1C]
10010762 . EB 1A jmp short HolzedDL.1001077E
10010764 . 8B45 EC mov eax, dword ptr ss:[ebp-14]
10010767 . 8B08 mov ecx, dword ptr ds:[eax]
10010769 . 8B09 mov ecx, dword ptr ds:[ecx]
1001076B . 50 push eax
1001076C . 51 push ecx
1001076D . E8 BB7B0000 call HolzedDL.1001832D
10010772 . 59 pop ecx
10010773 . 59 pop ecx
10010774 . C3 retn
This is a direct repost from MPC itself. Again, this post shows, at the technical coding level how this is NOT a virus. If you do not understand this, then rightfully so.
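Two of the checks the quoted post applies by hand, the MZ/e_lfanew test used to recognise the DLL embedded in the resource and the "entry point redirected to appended code" tell-tale described for Poison Ivy, as an added Python example that is not part of the original post or of Holzed itself. It runs on a constructed two-section PE32 image built inside the block (the sample image and the section name ".extra" are assumptions, not Holzed's binary).

```python
import struct

def build_sample_pe(entry_rva):
    """Constructed two-section PE32 image used as test input (not Holzed's binary)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H14xI", opt, 0, 0x10B, entry_rva)  # PE32 magic, AddressOfEntryPoint
    secs = ((b".text", 0x1000, 0x60000020), (b".extra", 0x2000, 0xE0000020))
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, 0x200, va, 0x200, 0x400, 0, 0, 0, 0, f)
                     for n, va, f in secs)
    return bytes(dos) + coff + bytes(opt) + table

def parse_pe(data, base=0):
    """Return (AddressOfEntryPoint, [(name, va, vsize, flags)]) for the PE at data[base:]."""
    if data[base:base + 2] != b"MZ":
        raise ValueError("no MZ signature")
    pe = base + struct.unpack_from("<I", data, base + 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at a PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    entry = struct.unpack_from("<I", data, pe + 24 + 16)[0]
    sections = []
    for i in range(nsec):
        f = struct.unpack_from("<8sIIIIIIHHI", data, pe + 24 + opt_size + 40 * i)
        sections.append((f[0].rstrip(b"\0").decode(), f[2], f[1], f[9]))
    return entry, sections

def entry_point_check(data, base=0):
    """(section holding the entry point, suspicious?) - suspicious when the entry point lies
    outside the first executable section, the post's tell-tale for an appended-code embedder."""
    entry, sections = parse_pe(data, base)
    first_exec = next((s[0] for s in sections if s[3] & 0x20000000), None)  # IMAGE_SCN_MEM_EXECUTE
    holder = next((s[0] for s in sections if s[1] <= entry < s[1] + s[2]), None)
    return holder, holder != first_exec

def find_embedded_pe(data):
    """Offsets of MZ headers (past offset 0) whose e_lfanew lands on PE\\0\\0: carve candidates."""
    hits, pos = [], data.find(b"MZ", 1)
    while pos != -1:
        try:
            parse_pe(data, pos)
            hits.append(pos)
        except (ValueError, struct.error):
            pass
        pos = data.find(b"MZ", pos + 1)
    return hits
```

A hit from find_embedded_pe is only a candidate; a real triage still dumps the bytes and unpacks them, as the post does, before trusting any scanner verdict.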