CampStaff Posted September 3, 2007
http://www.mpcforum.com/showthread.php?t=205870

Reposted from MPC, the official site where the HOLZED cheat is built:

Originally Posted by N0T X0R

Hello esteemed MPC members and hello to the *****s/liars from "fknowned",

Today I heard news that "Holzed 1.2 Fixed" by Holz contained a virus, so being my vindictive self I decided to see what all the commotion was about, and with that I had a look at this horrible cheat.

Holzed 1.2 Fix is a CounterStrike Source cheat which is coded in C++ and compiled in Visual C++ 7. It consists of two main parts: the injector and the DLL. I'll now briefly explain what each file does.

Holzed 1.2 Fixed itself is one normal file packed with PECompact (don't forget this). It contains a secondary file which is embedded within a resource (Resource ID 135); this is clearly a portable executable just by looking at the first few bytes of the program (the immediately recognisable "MZ" signature). Once it's dumped you can see that it's a DLL file which is also packed with PECompact (never would have guessed). Anyway, here are the checksums for the packed files:

Injector:
MD5: D3BBC6678A973CC6374C53A55B2E1F07
SHA1: 07CA968DBC960D2EFF794AD0AF31E4AFE66808C2
CRC32: B1F33E22
SIZE: 225KB (230,912 bytes)

DLL:
MD5: 102B992BD77D6F2B05EB1F9DF78CE985
SHA1: 0EDF6E53CA7D233007AE77C6BEC69EB0D9CDFBC2
CRC32: D581B35F
SIZE: 125KB (128,000 bytes)

Feel free to compare these to yours. Anyway, now to virus scan them; you'll notice they both get HEUR/Crypted virus detections. Why? This is because they're packed with PECompact (yes, I know it's getting repetitive to hear that name). PECompact uses common encryption/decryption methods akin to those of other packers; this is to compress and encrypt the code. Most programs packed with even the weakest packers (UPX, NSPack, etc.) are still detected. This is a common anti-virus fault; feel free to Google for proof.

Anyway, so I then unpacked the main executable. Guess what happened... It still got detected as HEUR/Crypted. So now you may be thinking that Holzed really is virused, but it's simply not the case: if you remember, I said that the DLL was also packed with PECompact, and because the DLL is still a resource it's being detected. So once we removed the DLL resource, let's do another scan... No virus. Am I out of my mind? Luckily, I'm not. The main injector has no virus at all; Holz's only crime is not knowing how to pack his programs properly. Now let's show the checksums for the unpacked files (imports fixed, etc.):

Injector:
MD5: 59B0E953748EB72720C9DD9554217F96
SHA1: 16BF1E7B94820C3ED5A8E1F4D1388305AB7B0C1E
CRC32: 29D6A583
SIZE: 641KB (656,896 bytes)

DLL:
MD5: C279A3CF078D2B652DFFC871580A5192
SHA1: 7A651DB5AF988BAAEDEFB822616464BCF4CE7CAE
CRC32: A43561B7
SIZE: 392KB (401,408 bytes)

So as you can see, the only real virus threat is HEUR/Crypted, which is a false positive anyway.

Now let's get onto the Poison Ivy claims... People have claimed that Holzed 1.2 Fix comes bundled with Poison Ivy (PI), but as I've already highlighted no anti-virus gets such a false positive, so we most probably have somebody lying to tarnish another member's reputation.

Poison Ivy works by embedding into a program through a very simple method; it's almost exactly like any other code/file embedder. It simply extends the .code section or makes its own section and then changes the entry point to the newly allocated code, which does whatever the coder wants it to do; in Poison Ivy's case it installs a registry key and creates a DLL in the system folder. This is then automatically loaded into explorer.exe whenever it's loaded. This is very easy to see in any program; a tell-tale sign is some random code followed by a jump to the entry point.

Now let's look at Holzed's main executable:

    0040524B > $ 6A 60            push 60
    0040524D . 68 E8CF4100        push Holzed.0041CFE8
    00405252 . E8 B51D0000        call Holzed.0040700C
    00405257 . BF 94000000        mov edi, 94
    0040525C . 8BC7               mov eax, edi
    0040525E . E8 FD010000        call Holzed.00405460
    00405263 . 8965 E8            mov dword ptr ss:[ebp-18], esp
    00405266 . 8BF4               mov esi, esp
    00405268 . 893E               mov dword ptr ds:[esi], edi
    0040526A . 56                 push esi                                  ; /pVersionInformation
    0040526B . FF15 98B24100      call near dword ptr ds:[<&kernel32.Ge>    ; GetVersionExA

This is the entry point until "regular" code starts (GetVersion(Ex) is called at the beginning of every VC++ program, unless modified). As you can see there's only one part of interest, the call at 00405252; unfortunately this isn't the virus you're all begging for, this is VC++'s SEH (structured exception handler), so you all fail... again.

Same applies for the DLL:

    100106A2 > $ 6A 0C            push 0C
    100106A4 . 68 60DD0310        push HolzedDL.1003DD60
    100106A9 . E8 22180000        call HolzedDL.10011ED0
    100106AE . 33C0               xor eax, eax
    100106B0 . 40                 inc eax
    100106B1 . 8945 E4            mov dword ptr ss:[ebp-1C], eax
    100106B4 . 8B75 0C            mov esi, dword ptr ss:[ebp+C]
    100106B7 . 33FF               xor edi, edi
    100106B9 . 3BF7               cmp esi, edi
    100106BB . 75 0C              jnz short HolzedDL.100106C9
    100106BD . 393D DC650510      cmp dword ptr ds:[100565DC], edi
    100106C3 . 0F84 B3000000      je HolzedDL.1001077C
    100106C9 > 897D FC            mov dword ptr ss:[ebp-4], edi
    100106CC . 3BF0               cmp esi, eax
    100106CE . 74 05              je short HolzedDL.100106D5
    100106D0 . 83FE 02            cmp esi, 2
    100106D3 . 75 31              jnz short HolzedDL.10010706
    100106D5 > A1 D8A00510        mov eax, dword ptr ds:[1005A0D8]
    100106DA . 3BC7               cmp eax, edi
    100106DC . 74 0C              je short HolzedDL.100106EA
    100106DE . FF75 10            push dword ptr ss:[ebp+10]
    100106E1 . 56                 push esi
    100106E2 . FF75 08            push dword ptr ss:[ebp+8]
    100106E5 . FFD0               call near eax
    100106E7 . 8945 E4            mov dword ptr ss:[ebp-1C], eax
    100106EA > 397D E4            cmp dword ptr ss:[ebp-1C], edi
    100106ED . 0F84 85000000      je HolzedDL.10010778
    100106F3 . FF75 10            push dword ptr ss:[ebp+10]                ; /Arg3
    100106F6 . 56                 push esi                                  ; |Arg2
    100106F7 . FF75 08            push dword ptr ss:[ebp+8]                 ; |Arg1
    100106FA . E8 22FEFFFF        call HolzedDL.10010521                    ; HolzedDL.10010521
    100106FF . 8945 E4            mov dword ptr ss:[ebp-1C], eax
    10010702 . 3BC7               cmp eax, edi
    10010704 . 74 72              je short HolzedDL.10010778
    10010706 > 8B5D 10            mov ebx, dword ptr ss:[ebp+10]
    10010709 . 53                 push ebx
    1001070A . 56                 push esi
    1001070B . FF75 08            push dword ptr ss:[ebp+8]
    1001070E . E8 583FFFFF        call HolzedDL.1000466B
    10010713 . 8945 E4            mov dword ptr ss:[ebp-1C], eax
    10010716 . 83FE 01            cmp esi, 1
    10010719 . 75 0E              jnz short HolzedDL.10010729
    1001071B . 3BC7               cmp eax, edi
    1001071D . 75 0A              jnz short HolzedDL.10010729
    1001071F . 53                 push ebx                                  ; /Arg3
    10010720 . 57                 push edi                                  ; |Arg2
    10010721 . FF75 08            push dword ptr ss:[ebp+8]                 ; |Arg1
    10010724 . E8 F8FDFFFF        call HolzedDL.10010521                    ; HolzedDL.10010521
    10010729 > 3BF7               cmp esi, edi
    1001072B . 74 05              je short HolzedDL.10010732
    1001072D . 83FE 03            cmp esi, 3
    10010730 . 75 29              jnz short HolzedDL.1001075B
    10010732 > 53                 push ebx                                  ; /Arg3
    10010733 . 56                 push esi                                  ; |Arg2
    10010734 . FF75 08            push dword ptr ss:[ebp+8]                 ; |Arg1
    10010737 . E8 E5FDFFFF        call HolzedDL.10010521                    ; HolzedDL.10010521
    1001073C . 85C0               test eax, eax
    1001073E . 75 03              jnz short HolzedDL.10010743
    10010740 . 897D E4            mov dword ptr ss:[ebp-1C], edi
    10010743 > 397D E4            cmp dword ptr ss:[ebp-1C], edi
    10010746 . 74 13              je short HolzedDL.1001075B
    10010748 . A1 D8A00510        mov eax, dword ptr ds:[1005A0D8]
    1001074D . 3BC7               cmp eax, edi
    1001074F . 74 0A              je short HolzedDL.1001075B
    10010751 . 53                 push ebx
    10010752 . 56                 push esi
    10010753 . FF75 08            push dword ptr ss:[ebp+8]
    10010756 . FFD0               call near eax
    10010758 . 8945 E4            mov dword ptr ss:[ebp-1C], eax
    1001075B > 834D FC FF         or dword ptr ss:[ebp-4], FFFFFFFF
    1001075F . 8B45 E4            mov eax, dword ptr ss:[ebp-1C]
    10010762 . EB 1A              jmp short HolzedDL.1001077E
    10010764 . 8B45 EC            mov eax, dword ptr ss:[ebp-14]
    10010767 . 8B08               mov ecx, dword ptr ds:[eax]
    10010769 . 8B09               mov ecx, dword ptr ds:[ecx]
    1001076B . 50                 push eax
    1001076C . 51                 push ecx
    1001076D . E8 BB7B0000        call HolzedDL.1001832D
    10010772 . 59                 pop ecx
    10010773 . 59                 pop ecx
    10010774 . C3                 retn

This is a direct repost from MPC itself. Again, this post shows, at the technical coding level, how this is NOT a virus. If you do not understand this, then rightfully so.
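The two layout checks the post above walks through by hand, as an added example that is not part of the original post and not MPC's or Holz's code: it builds small constructed PE images in memory, reports which section owns AddressOfEntryPoint (the "appended section or extended code section, then repointed entry point" tell the post describes for Poison Ivy-style binders), and scans a file for a second MZ/PE header embedded inside it (the DLL-in-a-resource layout of the injector). Section names, RVAs, the filler bytes and the tail window are assumptions chosen for the samples; the entry-point checks are heuristics that raise a flag for a human to look at, not a verdict.

```python
"""Static triage of a PE image along the lines of the post above: which section
owns the entry point (a binder that appends a stub moves it) and whether a
second PE is embedded in the file (the DLL-in-a-resource layout). Standard
library only; every sample at the bottom is constructed in memory."""
import struct

IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA = 0x20, 0x40
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ = 0x20000000, 0x40000000
CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
FILE_ALIGN, SECT_ALIGN, OPT_HDR_SIZE = 0x200, 0x1000, 224   # PE32 optional header
SECT_HDR = "<8sIIIIIIHHI"                                   # IMAGE_SECTION_HEADER

def align(n, a):
    return (n + a - 1) // a * a

def build_pe(sections, entry_rva):
    """Emit a minimal PE32 image (constructed test data, not a real program).
    sections: list of (name, rva, raw_bytes, characteristics)."""
    hdr_end = align(0x40 + 4 + 20 + OPT_HDR_SIZE + 40 * len(sections), FILE_ALIGN)
    dos = bytearray(b"MZ".ljust(0x40, b"\0"))
    struct.pack_into("<I", dos, 0x3C, 0x40)                            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPT_HDR_SIZE, 0x0102)
    opt = bytearray(OPT_HDR_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)                              # PE32 magic
    struct.pack_into("<IIII", opt, 16, entry_rva, 0x1000, 0, 0x400000)  # EP, BaseOfCode, BaseOfData, ImageBase
    struct.pack_into("<II", opt, 32, SECT_ALIGN, FILE_ALIGN)
    headers, body, raw_ptr = bytearray(), bytearray(), hdr_end
    for name, rva, raw, chars in sections:
        raw_size = align(len(raw), FILE_ALIGN)
        headers += struct.pack(SECT_HDR, name.encode().ljust(8, b"\0"), len(raw), rva,
                               raw_size, raw_ptr, 0, 0, 0, 0, chars)
        body += raw.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    return bytes((dos + b"PE\0\0" + coff + opt + headers).ljust(hdr_end, b"\0") + body)

def parse_pe(data):
    """Return (AddressOfEntryPoint, section table) of a PE32/PE32+ file."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # same offset in PE32 and PE32+
    sections = []
    for i in range(n_sections):
        f = struct.unpack_from(SECT_HDR, data, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode(), "vsize": f[1], "va": f[2],
                         "raw_size": f[3], "raw_ptr": f[4], "chars": f[9]})
    return entry_rva, sections

def entry_point_report(data, tail_window=0x100):
    """Locate the section owning the entry point and apply the tell-tale checks the
    post describes: a binder adds a section of its own or extends the code section,
    then repoints AddressOfEntryPoint at the new code. tail_window is a heuristic."""
    entry_rva, sections = parse_pe(data)
    owner = next((s for s in sections
                  if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["raw_size"])), None)
    if owner is None:
        return {"entry_rva": entry_rva, "section": None, "reasons": ["entry point in no section"]}
    code = [s for s in sections if s["chars"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)]
    offset, reasons = entry_rva - owner["va"], []
    if code and owner is not code[0]:
        reasons.append("entry point in %s, not in first code section %s" % (owner["name"], code[0]["name"]))
    if owner["vsize"] > tail_window and offset >= owner["vsize"] - tail_window:
        reasons.append("entry point in the last 0x%X bytes of %s (extended section?)" % (tail_window, owner["name"]))
    return {"entry_rva": entry_rva, "section": owner["name"], "offset": offset, "reasons": reasons}

def find_embedded_pe(data):
    """File offsets of every 'MZ' whose e_lfanew lands on 'PE\\0\\0'. Offset 0 is the
    host itself; any other hit is an embedded image, e.g. a DLL stored as a resource."""
    hits, start = [], 0
    while True:
        off = data.find(b"MZ", start)
        if off < 0 or off + 0x40 > len(data):
            break
        e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
        if 0x40 <= e_lfanew < 0x1000 and data[off + e_lfanew:off + e_lfanew + 4] == b"PE\0\0":
            hits.append(off)
        start = off + 1
    return hits

# Constructed samples (filler bytes, not real code). CLEAN: entry point at the start
# of .text. STUB_SECTION: a section appended and the entry point moved into it.
# EXTENDED_TEXT: .text grown and the entry point moved to its tail. EMBEDDED: a
# second PE stored inside .rsrc, the injector/DLL layout the post describes.
TEXT, STUB, RSRC = b"\xc3" + b"\x90" * 0x1F, b"\x90" * 0x20 + b"\xc3", b"\0" * 0x40
CLEAN = build_pe([(".text", 0x1000, TEXT, CODE), (".rsrc", 0x2000, RSRC, DATA)], 0x1000)
STUB_SECTION = build_pe([(".text", 0x1000, TEXT, CODE), (".rsrc", 0x2000, RSRC, DATA),
                         (".pi", 0x3000, STUB, CODE)], 0x3000)
EXTENDED_TEXT = build_pe([(".text", 0x1000, b"\x90" * 0x3F0 + STUB, CODE),
                          (".rsrc", 0x2000, RSRC, DATA)], 0x13F0)
INNER = build_pe([(".text", 0x1000, TEXT, CODE)], 0x1000)
EMBEDDED = build_pe([(".text", 0x1000, TEXT, CODE), (".rsrc", 0x2000, b"\0" * 0x10 + INNER, DATA)], 0x1000)
```

Run `entry_point_report(open(path, "rb").read())` and `find_embedded_pe(...)` on a real file; a stock VC++ binary like the one in the post reports its entry point inside .text with no reasons, and the packed injector reports a second MZ/PE hit inside .rsrc. The hit only tells you a PE is there; whether it is a benign DLL or something else still needs the manual look the post does, and a packed file has to be unpacked first or the entry point will legitimately sit in the packer's stub section.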
CheesySalsa Posted September 3, 2007
There is no virus, and if you do a virus scan on it, what threat does it come up with?
XGhozt Posted September 3, 2007
There is a link on each download to report them, please use that.
darkmatter Posted March 14, 2009
I don't know much about programming, but I found your explanation very easy to understand. Thank you for filling me in.