www.Ghoztcraft.net - Home

 In regards to HOLZED CSS Cheat., FALSE Virus Detecctions
CampStaff
post Sep 2 2007, 06:39 PM
Post #1


Reposted from MPC (http://www.mpcforum.com/showthread.php?t=205870), the official site where the HOLZED cheat is built.

QUOTE: Originally Posted by N0T X0R
Hello esteemed MPC members and hello to the *****s/liars from "fknowned",

Today I heard news that "Holzed 1.2 Fixed" by Holz contained a virus, so, being my vindictive self, I decided to see what all the commotion was about and with that I had a look at this horrible cheat. Holzed 1.2 Fix is a Counter-Strike: Source cheat which is coded in C++ & compiled in Visual C++ 7; it consists of two main parts, the injector & the DLL. I'll now briefly explain what each file does.

Holzed 1.2 Fixed itself is one normal file packed with PECompact (don't forget this); it contains a secondary file which is embedded within a resource (Resource ID 135). This is clearly a portable executable just by looking at the first few bytes of the program (the immediately recognisable "MZ" signature). Once it's dumped you can see that it's a DLL file which is also packed with PECompact (never would have guessed). Anyway, here are the checksums for the packed files.

CODE:

Injector:
  MD5: D3BBC6678A973CC6374C53A55B2E1F07
SHA1: 07CA968DBC960D2EFF794AD0AF31E4AFE66808C2
CRC32: B1F33E22
SIZE: 225KB (230,912 bytes)

DLL:
  MD5: 102B992BD77D6F2B05EB1F9DF78CE985
SHA1: 0EDF6E53CA7D233007AE77C6BEC69EB0D9CDFBC2
CRC32: D581B35F
SIZE: 125KB (128,000 bytes)


Feel free to compare these to yours. Anyway, now to virus scan them; you'll notice they both get HEUR/Crypted virus detections. Why? Because they're packed with PECompact (yes, I know it's getting repetitive to hear that name). PECompact uses common encryption/decryption methods which are common to packers; this is to compress & encrypt the code. Most programs packed with even the weakest packers (UPX, NSPack, etc.) are still detected. This is a common anti-virus fault, feel free to Google for proof. Anyway, so I then unpacked the main executable, and guess what happened... It still got detected as HEUR/Crypted. So now you may be thinking that Holzed really is virused, but it's simply not the case: if you remember, I said that the DLL was also packed with PECompact, and because the DLL is still a resource it's being detected. So once we removed the DLL resource, let's do another scan... No virus. Am I out of my mind? Luckily, I'm not. The main injector has no virus at all; Holz's only crime is not knowing how to pack his programs properly. Now let's show the checksums for the unpacked files (imports fixed, etc.).

CODE:

Injector:
  MD5: 59B0E953748EB72720C9DD9554217F96
SHA1: 16BF1E7B94820C3ED5A8E1F4D1388305AB7B0C1E
CRC32: 29D6A583
SIZE: 641KB (656,896 bytes)

DLL:
  MD5: C279A3CF078D2B652DFFC871580A5192
SHA1: 7A651DB5AF988BAAEDEFB822616464BCF4CE7CAE
CRC32: A43561B7
SIZE: 392KB (401,408 bytes)


So as you can see, the only real virus threat is HEUR/Crypted, which is a false positive anyway. Now let's get onto the Poison Ivy claims... People have claimed that Holzed 1.2 Fix comes bundled with Poison Ivy (PI), but as I've already highlighted no anti-virus gets such a false positive, so we most probably have somebody lying to tarnish another member's reputation. Poison Ivy works by embedding into a program through a very simple method; it's almost exactly like any other code/file embedder. It simply extends the .code section or makes its own section and then changes the entry point to the newly allocated code, which does whatever the coder wants it to do; in Poison Ivy's case it installs a registry key and creates a DLL in the system folder. This is then automatically loaded into explorer.exe whenever it's loaded. This is very easy to see in any program: a tell-tale sign is some random code, then a jump to the entry point. Now let's look at Holzed's main executable:

CODE:

0040524B > $  6A 60         push    60
0040524D   .  68 E8CF4100   push    Holzed.0041CFE8
00405252   .  E8 B51D0000   call    Holzed.0040700C
00405257   .  BF 94000000   mov     edi, 94
0040525C   .  8BC7          mov     eax, edi
0040525E   .  E8 FD010000   call    Holzed.00405460
00405263   .  8965 E8       mov     dword ptr ss:[ebp-18], esp
00405266   .  8BF4          mov     esi, esp
00405268   .  893E          mov     dword ptr ds:[esi], edi
0040526A   .  56            push    esi                             ; /pVersionInformation
0040526B   .  FF15 98B24100 call    near dword ptr ds:[<&kernel32.Ge>; GetVersionExA


This is the entry point until "regular" code starts (GetVersion(Ex) is called at the beginning of every VC++ program unless modified). As you can see there's only one part of interest, the call at 00405252; unfortunately this isn't the virus you're all begging for, this is VC++'s SEH (structured exception handler), so you all fail... again. The same applies for the DLL.

CODE:

100106A2 > $  6A 0C         push    0C
100106A4   .  68 60DD0310   push    HolzedDL.1003DD60
100106A9   .  E8 22180000   call    HolzedDL.10011ED0
100106AE   .  33C0          xor     eax, eax
100106B0   .  40            inc     eax
100106B1   .  8945 E4       mov     dword ptr ss:[ebp-1C], eax
100106B4   .  8B75 0C       mov     esi, dword ptr ss:[ebp+C]
100106B7   .  33FF          xor     edi, edi
100106B9   .  3BF7          cmp     esi, edi
100106BB   .  75 0C         jnz     short HolzedDL.100106C9
100106BD   .  393D DC650510 cmp     dword ptr ds:[100565DC], edi
100106C3   .  0F84 B3000000 je      HolzedDL.1001077C
100106C9   >  897D FC       mov     dword ptr ss:[ebp-4], edi
100106CC   .  3BF0          cmp     esi, eax
100106CE   .  74 05         je      short HolzedDL.100106D5
100106D0   .  83FE 02       cmp     esi, 2
100106D3   .  75 31         jnz     short HolzedDL.10010706
100106D5   >  A1 D8A00510   mov     eax, dword ptr ds:[1005A0D8]
100106DA   .  3BC7          cmp     eax, edi
100106DC   .  74 0C         je      short HolzedDL.100106EA
100106DE   .  FF75 10       push    dword ptr ss:[ebp+10]
100106E1   .  56            push    esi
100106E2   .  FF75 08       push    dword ptr ss:[ebp+8]
100106E5   .  FFD0          call    near eax
100106E7   .  8945 E4       mov     dword ptr ss:[ebp-1C], eax
100106EA   >  397D E4       cmp     dword ptr ss:[ebp-1C], edi
100106ED   .  0F84 85000000 je      HolzedDL.10010778
100106F3   .  FF75 10       push    dword ptr ss:[ebp+10]           ; /Arg3
100106F6   .  56            push    esi                             ; |Arg2
100106F7   .  FF75 08       push    dword ptr ss:[ebp+8]            ; |Arg1
100106FA   .  E8 22FEFFFF   call    HolzedDL.10010521               ; HolzedDL.10010521
100106FF   .  8945 E4       mov     dword ptr ss:[ebp-1C], eax
10010702   .  3BC7          cmp     eax, edi
10010704   .  74 72         je      short HolzedDL.10010778
10010706   >  8B5D 10       mov     ebx, dword ptr ss:[ebp+10]
10010709   .  53            push    ebx
1001070A   .  56            push    esi
1001070B   .  FF75 08       push    dword ptr ss:[ebp+8]
1001070E   .  E8 583FFFFF   call    HolzedDL.1000466B
10010713   .  8945 E4       mov     dword ptr ss:[ebp-1C], eax
10010716   .  83FE 01       cmp     esi, 1
10010719   .  75 0E         jnz     short HolzedDL.10010729
1001071B   .  3BC7          cmp     eax, edi
1001071D   .  75 0A         jnz     short HolzedDL.10010729
1001071F   .  53            push    ebx                             ; /Arg3
10010720   .  57            push    edi                             ; |Arg2
10010721   .  FF75 08       push    dword ptr ss:[ebp+8]            ; |Arg1
10010724   .  E8 F8FDFFFF   call    HolzedDL.10010521               ; HolzedDL.10010521
10010729   >  3BF7          cmp     esi, edi
1001072B   .  74 05         je      short HolzedDL.10010732
1001072D   .  83FE 03       cmp     esi, 3
10010730   .  75 29         jnz     short HolzedDL.1001075B
10010732   >  53            push    ebx                             ; /Arg3
10010733   .  56            push    esi                             ; |Arg2
10010734   .  FF75 08       push    dword ptr ss:[ebp+8]            ; |Arg1
10010737   .  E8 E5FDFFFF   call    HolzedDL.10010521               ; HolzedDL.10010521
1001073C   .  85C0          test    eax, eax
1001073E   .  75 03         jnz     short HolzedDL.10010743
10010740   .  897D E4       mov     dword ptr ss:[ebp-1C], edi
10010743   >  397D E4       cmp     dword ptr ss:[ebp-1C], edi
10010746   .  74 13         je      short HolzedDL.1001075B
10010748   .  A1 D8A00510   mov     eax, dword ptr ds:[1005A0D8]
1001074D   .  3BC7          cmp     eax, edi
1001074F   .  74 0A         je      short HolzedDL.1001075B
10010751   .  53            push    ebx
10010752   .  56            push    esi
10010753   .  FF75 08       push    dword ptr ss:[ebp+8]
10010756   .  FFD0          call    near eax
10010758   .  8945 E4       mov     dword ptr ss:[ebp-1C], eax
1001075B   >  834D FC FF    or      dword ptr ss:[ebp-4], FFFFFFFF
1001075F   .  8B45 E4       mov     eax, dword ptr ss:[ebp-1C]
10010762   .  EB 1A         jmp     short HolzedDL.1001077E
10010764   .  8B45 EC       mov     eax, dword ptr ss:[ebp-14]
10010767   .  8B08          mov     ecx, dword ptr ds:[eax]
10010769   .  8B09          mov     ecx, dword ptr ds:[ecx]
1001076B   .  50            push    eax
1001076C   .  51            push    ecx
1001076D   .  E8 BB7B0000   call    HolzedDL.1001832D
10010772   .  59            pop     ecx
10010773   .  59            pop     ecx
10010774   .  C3            retn



This is a direct repost from MPC itself. Again, this post shows, at the technical coding level how this is NOT a virus. If you do not understand this, then rightfully so.
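The three checks N0T X0R walks through above (spot the embedded PE by its "MZ" signature and dump it, checksum the dump, and see whether the entry point was redirected into a bolted-on section) as an added Python example. This is not code from the original post, from MPC or from the Holzed author: the images it inspects are tiny constructed PE32 stubs built by build_samples(), not the Holzed binaries, and the ".pi" section name, the sample bytes and the two entry-point rules are assumptions chosen for illustration.

```python
"""Added example (not from the original post): carve an embedded PE, checksum it,
and check whether the entry point sits in a bolted-on section."""
import hashlib
import struct
import zlib

# IMAGE_SCN_* section characteristic flags from the PE/COFF spec
SCN_CODE, SCN_IDATA = 0x00000020, 0x00000040
SCN_EXEC, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000


def pe_header_offset(data, base=0):
    """Offset of 'PE\\0\\0' if data[base:] starts a valid PE image, else None."""
    if data[base:base + 2] != b"MZ" or len(data) < base + 0x40:
        return None
    pe = base + struct.unpack_from("<I", data, base + 0x3C)[0]   # e_lfanew
    if pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return None
    return pe


def carve_embedded_pes(data):
    """File offsets of every valid PE image in data: offset 0 is the carrier itself,
    any later hit is an embedded file (e.g. a DLL stored as a resource)."""
    hits, pos = [], data.find(b"MZ")
    while pos != -1:
        if pe_header_offset(data, pos) is not None:
            hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def checksums(blob):
    """The same four values the post lists for each dumped file."""
    return {"MD5": hashlib.md5(blob).hexdigest().upper(),
            "SHA1": hashlib.sha1(blob).hexdigest().upper(),
            "CRC32": f"{zlib.crc32(blob) & 0xFFFFFFFF:08X}",
            "SIZE": len(blob)}


def sections(data, base=0):
    """(entry_rva, [(name, va, vsize, rawptr, rawsize, characteristics), ...])."""
    pe = pe_header_offset(data, base)
    if pe is None:
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]            # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]       # SizeOfOptionalHeader
    entry = struct.unpack_from("<I", data, pe + 24 + 16)[0]     # AddressOfEntryPoint
    first = pe + 24 + opt_size                                  # first section header
    out = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, first + 40 * i)
        out.append((name.rstrip(b"\0").decode(errors="replace"), va, vsize, rawptr, rawsize, chars))
    return entry, out


def entry_point_report(data, base=0):
    """An appender (the post's description of Poison Ivy) adds or extends a section and
    points AddressOfEntryPoint at it.  Flag an EP outside the first executable section,
    or inside a section that is both writable and executable.  Caveat: run-time packers
    (UPX, PECompact) trip the same rule, which is why they draw heuristic hits."""
    entry, secs = sections(data, base)
    exec_secs = [s for s in secs if s[5] & SCN_EXEC]
    home = next((s for s in secs if s[1] <= entry < s[1] + max(s[2], s[4])), None)
    suspicious = (home is None
                  or (bool(exec_secs) and home != exec_secs[0])
                  or (home[5] & SCN_WRITE and home[5] & SCN_EXEC))
    return {"entry_rva": entry, "section": home[0] if home else None, "suspicious": bool(suspicious)}


def build_pe(spec, entry_rva):
    """Constructed minimal PE32 image for the demo (headers + sections, nothing else).
    spec: [(name, virtual_address, characteristics, raw_body), ...]"""
    align, opt_size = 0x200, 96
    hdr_end = -(-(0x40 + 24 + opt_size + 40 * len(spec)) // align) * align
    raw, sec_hdrs, bodies = hdr_end, b"", b""
    for name, va, chars, body in spec:
        rawsize = -(-len(body) // align) * align
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.encode(), len(body), va,
                                rawsize, raw, 0, 0, 0, 0, chars)
        bodies += body.ljust(rawsize, b"\0")
        raw += rawsize
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(spec), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva,
                      0x1000, 0x2000, 0x400000).ljust(opt_size, b"\0")
    return (dos + coff + opt + sec_hdrs).ljust(hdr_end, b"\0") + bodies


def build_samples():
    """Two constructed carriers.  'clean' mirrors the post's layout: EP in .text and a
    second PE (stand-in for the resource-embedded DLL) inside .rsrc.  'appended' has a
    W+X section (the '.pi' name is a made-up label) bolted on with the EP moved into it."""
    vc_prologue = bytes.fromhex("6A60 68E8CF4100 E8B51D0000")  # first bytes of the post's listing
    inner_dll = build_pe([(".text", 0x1000, SCN_CODE | SCN_EXEC | SCN_READ, b"\xCC" * 16)], 0x1000)
    base = [(".text", 0x1000, SCN_CODE | SCN_EXEC | SCN_READ, vc_prologue),
            (".rsrc", 0x2000, SCN_IDATA | SCN_READ, inner_dll)]
    appended = base + [(".pi", 0x3000, SCN_CODE | SCN_EXEC | SCN_READ | SCN_WRITE, b"\x90" * 8)]
    return {"clean": build_pe(base, 0x1000), "appended": build_pe(appended, 0x3000)}


if __name__ == "__main__":
    for label, image in build_samples().items():
        offsets = carve_embedded_pes(image)
        print(label, "embedded PE at", offsets[1:], entry_point_report(image))
        for off in offsets[1:]:
            print("  dumped resource:", checksums(image[off:]), entry_point_report(image, off))
```

Running it on the constructed carriers reports the embedded image at file offset 1024 in both, a clean entry point in .text for the first and a flagged entry point in the appended W+X section for the second. The rule is deliberately crude: a PECompact or UPX stub also moves the entry point into a later section, so on a packed file the report is only a prompt to unpack first, exactly the step the post takes before drawing any conclusion.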
CheesySalsa
post Sep 3 2007, 10:45 AM
Post #2


There is no virus, and if you do a virus scan on it, what threat does it come up with?
 XGhozt
post Sep 3 2007, 10:53 AM
Post #3


There is a link on each download to report them, please use that.
darkmatter
post Mar 14 2009, 03:02 AM
Post #4


I don't know much about programming but I found your explanation very easy to understand. Thank you for filling me in.
Design By XGhozt | Hosting By PurgeHosting.com | © 2006-2009 Ghoztcraft.net