In regards to HOLZED CSS Cheat.


Source: http://www.mpcforum.com/showthread.php?t=205870

Reposted from MPC, the official site where the HOLZED cheat is built.


Originally Posted by N0T X0R

Hello esteemed MPC members and hello to the *****s/liars from "fknowned",

 

Today I heard news that "Holzed 1.2 Fixed" by Holz contained a virus, so, being my vindictive self, I decided to see what all the commotion was about, and with that I had a look at this horrible cheat. Holzed 1.2 Fix is a CounterStrike Source cheat which is coded in C++ & compiled in Visual C++ 7; it consists of two main parts: the injector & the DLL. I'll now briefly explain what each file does.

 

Holzed 1.2 Fixed itself is one normal file packed with PECompact (don't forget this). It consists of a secondary file which is embedded within a resource (Resource ID 135); this is clearly a portable executable just by looking at the first few bytes of the program (the immediately recognisable "MZ" signature). Once it's dumped you can see that it's a DLL file which is also packed with PECompact (never would have guessed). Anyway, here are the checksums for the packed files.

 

Injector:
MD5: D3BBC6678A973CC6374C53A55B2E1F07
SHA1: 07CA968DBC960D2EFF794AD0AF31E4AFE66808C2
CRC32: B1F33E22
SIZE: 225KB (230,912 bytes)

DLL:
MD5: 102B992BD77D6F2B05EB1F9DF78CE985
SHA1: 0EDF6E53CA7D233007AE77C6BEC69EB0D9CDFBC2
CRC32: D581B35F
SIZE: 125KB (128,000 bytes)

 

Feel free to compare these to yours. Anyway, now to virus scan them; you'll notice they both will get HEUR/Crypted virus detections. Why? This is because they're packed with PECompact (yes, I know it's getting repetitive to hear that name). PECompact uses common encryption/decryption methods which are akin to other packers'; this is to compress & encrypt the code. Most programs packed with even the weakest packers (UPX, NSPack, etc.) are still detected. This is a common anti-virus fault; feel free to Google for proof.

Anyway, so I then unpacked the main executable, and guess what happened... It still got detected as HEUR/Crypted. So now you may be thinking that Holzed really is virused, but it's simply not the case; if you remember, I said that the DLL was also packed with PECompact, and because the DLL is still a resource it's being detected. So once we removed the DLL resource, let's do another scan... No virus. Am I out of my mind? Luckily, I'm not. The main injector has no virus at all; Holz's only crime is not knowing how to pack his programs properly. Now let's show the checksums for the unpacked files (imports fixed, etc.).

 

Injector:
MD5: 59B0E953748EB72720C9DD9554217F96
SHA1: 16BF1E7B94820C3ED5A8E1F4D1388305AB7B0C1E
CRC32: 29D6A583
SIZE: 641KB (656,896 bytes)

DLL:
MD5: C279A3CF078D2B652DFFC871580A5192
SHA1: 7A651DB5AF988BAAEDEFB822616464BCF4CE7CAE
CRC32: A43561B7
SIZE: 392KB (401,408 bytes)

 

So as you can see, the only real virus threat is HEUR/Crypted, which is a false positive anyway. Now let's get onto the Poison Ivy claims... People have claimed that Holzed 1.2 Fix comes bundled with Poison Ivy (PI), but as I've already highlighted, no anti-virus gets such a false positive, so we most probably have somebody lying to tarnish another member's reputation. Poison Ivy works by embedding into a program through a very simple method; it's almost exactly like any other code/file embedder. It simply extends the .code section or makes its own section and then changes the entry point to the newly allocated code, which does whatever the coder wants it to do; in Poison Ivy's case it installs a registry key and creates a DLL in the system folder. This is then automatically loaded into explorer.exe whenever it's loaded. This is very easy to see in any program: a tell-tale sign is some random code, then a jump to the entry point. Now let's look at Holzed's main executable:

 


0040524B > $  6A 60		 push	60
0040524D   .  68 E8CF4100   push	Holzed.0041CFE8
00405252   .  E8 B51D0000   call	Holzed.0040700C
00405257   .  BF 94000000   mov	 edi, 94
0040525C   .  8BC7		  mov	 eax, edi
0040525E   .  E8 FD010000   call	Holzed.00405460
00405263   .  8965 E8	   mov	 dword ptr ss:[ebp-18], esp
00405266   .  8BF4		  mov	 esi, esp
00405268   .  893E		  mov	 dword ptr ds:[esi], edi
0040526A   .  56			push	esi							 ; /pVersionInformation
0040526B   .  FF15 98B24100 call	near dword ptr ds:[<&kernel32.Ge>; GetVersionExA

 

This is the entry point until "regular" code starts (GetVersion(Ex) is called at the beginning of every VC++ program, unless modified). As you can see there's only one part of interest, the call at 00405252; unfortunately this isn't the virus you're all begging for, this is VC++'s SEH (structured exception handler), so you all fail... again. The same applies for the DLL:

 


100106A2 > $  6A 0C		 push	0C
100106A4   .  68 60DD0310   push	HolzedDL.1003DD60
100106A9   .  E8 22180000   call	HolzedDL.10011ED0
100106AE   .  33C0		  xor	 eax, eax
100106B0   .  40			inc	 eax
100106B1   .  8945 E4	   mov	 dword ptr ss:[ebp-1C], eax
100106B4   .  8B75 0C	   mov	 esi, dword ptr ss:[ebp+C]
100106B7   .  33FF		  xor	 edi, edi
100106B9   .  3BF7		  cmp	 esi, edi
100106BB   .  75 0C		 jnz	 short HolzedDL.100106C9
100106BD   .  393D DC650510 cmp	 dword ptr ds:[100565DC], edi
100106C3   .  0F84 B3000000 je	  HolzedDL.1001077C
100106C9   >  897D FC	   mov	 dword ptr ss:[ebp-4], edi
100106CC   .  3BF0		  cmp	 esi, eax
100106CE   .  74 05		 je	  short HolzedDL.100106D5
100106D0   .  83FE 02	   cmp	 esi, 2
100106D3   .  75 31		 jnz	 short HolzedDL.10010706
100106D5   >  A1 D8A00510   mov	 eax, dword ptr ds:[1005A0D8]
100106DA   .  3BC7		  cmp	 eax, edi
100106DC   .  74 0C		 je	  short HolzedDL.100106EA
100106DE   .  FF75 10	   push	dword ptr ss:[ebp+10]
100106E1   .  56			push	esi
100106E2   .  FF75 08	   push	dword ptr ss:[ebp+8]
100106E5   .  FFD0		  call	near eax
100106E7   .  8945 E4	   mov	 dword ptr ss:[ebp-1C], eax
100106EA   >  397D E4	   cmp	 dword ptr ss:[ebp-1C], edi
100106ED   .  0F84 85000000 je	  HolzedDL.10010778
100106F3   .  FF75 10	   push	dword ptr ss:[ebp+10]		   ; /Arg3
100106F6   .  56			push	esi							 ; |Arg2
100106F7   .  FF75 08	   push	dword ptr ss:[ebp+8]			; |Arg1
100106FA   .  E8 22FEFFFF   call	HolzedDL.10010521			   ; HolzedDL.10010521
100106FF   .  8945 E4	   mov	 dword ptr ss:[ebp-1C], eax
10010702   .  3BC7		  cmp	 eax, edi
10010704   .  74 72		 je	  short HolzedDL.10010778
10010706   >  8B5D 10	   mov	 ebx, dword ptr ss:[ebp+10]
10010709   .  53			push	ebx
1001070A   .  56			push	esi
1001070B   .  FF75 08	   push	dword ptr ss:[ebp+8]
1001070E   .  E8 583FFFFF   call	HolzedDL.1000466B
10010713   .  8945 E4	   mov	 dword ptr ss:[ebp-1C], eax
10010716   .  83FE 01	   cmp	 esi, 1
10010719   .  75 0E		 jnz	 short HolzedDL.10010729
1001071B   .  3BC7		  cmp	 eax, edi
1001071D   .  75 0A		 jnz	 short HolzedDL.10010729
1001071F   .  53			push	ebx							 ; /Arg3
10010720   .  57			push	edi							 ; |Arg2
10010721   .  FF75 08	   push	dword ptr ss:[ebp+8]			; |Arg1
10010724   .  E8 F8FDFFFF   call	HolzedDL.10010521			   ; HolzedDL.10010521
10010729   >  3BF7		  cmp	 esi, edi
1001072B   .  74 05		 je	  short HolzedDL.10010732
1001072D   .  83FE 03	   cmp	 esi, 3
10010730   .  75 29		 jnz	 short HolzedDL.1001075B
10010732   >  53			push	ebx							 ; /Arg3
10010733   .  56			push	esi							 ; |Arg2
10010734   .  FF75 08	   push	dword ptr ss:[ebp+8]			; |Arg1
10010737   .  E8 E5FDFFFF   call	HolzedDL.10010521			   ; HolzedDL.10010521
1001073C   .  85C0		  test	eax, eax
1001073E   .  75 03		 jnz	 short HolzedDL.10010743
10010740   .  897D E4	   mov	 dword ptr ss:[ebp-1C], edi
10010743   >  397D E4	   cmp	 dword ptr ss:[ebp-1C], edi
10010746   .  74 13		 je	  short HolzedDL.1001075B
10010748   .  A1 D8A00510   mov	 eax, dword ptr ds:[1005A0D8]
1001074D   .  3BC7		  cmp	 eax, edi
1001074F   .  74 0A		 je	  short HolzedDL.1001075B
10010751   .  53			push	ebx
10010752   .  56			push	esi
10010753   .  FF75 08	   push	dword ptr ss:[ebp+8]
10010756   .  FFD0		  call	near eax
10010758   .  8945 E4	   mov	 dword ptr ss:[ebp-1C], eax
1001075B   >  834D FC FF	or	  dword ptr ss:[ebp-4], FFFFFFFF
1001075F   .  8B45 E4	   mov	 eax, dword ptr ss:[ebp-1C]
10010762   .  EB 1A		 jmp	 short HolzedDL.1001077E
10010764   .  8B45 EC	   mov	 eax, dword ptr ss:[ebp-14]
10010767   .  8B08		  mov	 ecx, dword ptr ds:[eax]
10010769   .  8B09		  mov	 ecx, dword ptr ds:[ecx]
1001076B   .  50			push	eax
1001076C   .  51			push	ecx
1001076D   .  E8 BB7B0000   call	HolzedDL.1001832D
10010772   .  59			pop	 ecx
10010773   .  59			pop	 ecx
10010774   .  C3			retn

 

 

This is a direct repost from MPC itself. Again, this post shows, at the technical coding level, how this is NOT a virus. If you do not understand this, then rightfully so.

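The checks the post above walks through by hand (hashing the two files, spotting a second MZ/PE header carried inside the injector, and looking at which section AddressOfEntryPoint lands in and whether it starts with the VC++ push/push/call prolog shown in the listing) as one self-contained Python script. This is an added example, not code from the MPC post or from Holz. It builds its own tiny constructed PE images to run against: the prolog bytes are copied from the listing (their operands are placeholders), the section names, offsets and the `.bind` tampering are assumptions for illustration, and embedded executables are carved by signature rather than by walking the resource directory.

```python
import hashlib
import struct
import zlib

# Constructed sample bytes: the first three instructions of the VC++ entry
# point from the post (push 60h; push imm32; call __SEH_prolog) plus a ret.
# The push/call operands are placeholders, not addresses from a real binary.
VC_PROLOG = bytes.fromhex("6A60" "68E8CF4100" "E8B51D0000") + b"\xC3"


def _align(n, a):
    return (n + a - 1) // a * a


def build_pe(sections, entry_rva, characteristics=0x0102):
    """Build a minimal PE32 image (constructed test data, not a real program).
    sections: list of (8-byte name, raw bytes); characteristics 0x2102 => DLL."""
    e_lfanew, nsec = 0x40, len(sections)
    hdr_raw = _align(e_lfanew + 24 + 0xE0 + 40 * nsec, 0x200)
    table, bodies, va, raw = b"", b"", 0x1000, hdr_raw
    for name, body in sections:
        rsize = _align(len(body), 0x200)
        table += struct.pack("<8sIIIIIIHHI", name, len(body), va, rsize, raw,
                             0, 0, 0, 0, 0x60000020)
        bodies += body.ljust(rsize, b"\0")
        va, raw = va + _align(max(len(body), 1), 0x1000), raw + rsize
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    file_hdr = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, 0xE0,
                                        characteristics)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                  # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)  # ImageBase, alignments
    struct.pack_into("<II", opt, 56, va, hdr_raw)               # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    return (dos + file_hdr + bytes(opt) + table).ljust(hdr_raw, b"\0") + bodies


def parse_pe(data):
    """Return entry RVA, DLL flag and section table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, raw = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw": raw, "rsize": rsize})
    return {"entry": entry, "is_dll": bool(chars & 0x2000), "sections": sections}


def entry_point_report(data):
    """Which section holds the entry point, and does the code there start with
    the VC++ prolog (push imm8; push imm32; call)? An entry point redirected into
    an appended last section is the 'random code, then jump' tell-tale."""
    pe = parse_pe(data)
    secs = pe["sections"]
    for i, s in enumerate(secs):
        if s["va"] <= pe["entry"] < s["va"] + max(s["vsize"], s["rsize"]):
            off = s["raw"] + (pe["entry"] - s["va"])
            code = data[off:off + 8]
            return {"section": s["name"], "is_last": i == len(secs) - 1,
                    "vc_prolog": len(code) == 8 and code[0] == 0x6A
                    and code[2] == 0x68 and code[7] == 0xE8}
    return {"section": None, "is_last": False, "vc_prolog": False}


def carve_embedded_pes(data):
    """File offsets of MZ/PE headers after the outer one: how an executable
    stored as a resource shows up without walking the resource tree."""
    hits, pos = [], data.find(b"MZ", 1)
    while pos != -1:
        if pos + 0x40 <= len(data):
            lf = struct.unpack_from("<I", data, pos + 0x3C)[0]
            if 0x40 <= lf <= 0x400 and data[pos + lf:pos + lf + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def fingerprint(data):
    """MD5 / SHA1 / CRC32 / size, in the format the post lists them."""
    return {"md5": hashlib.md5(data).hexdigest().upper(),
            "sha1": hashlib.sha1(data).hexdigest().upper(),
            "crc32": "%08X" % (zlib.crc32(data) & 0xFFFFFFFF),
            "size": len(data)}


def build_samples():
    """Constructed samples (assumed layout): a DLL carried in the .rsrc section
    of a clean injector, and a tampered copy whose entry point was moved into
    an appended section, the way the post describes an embedder working."""
    dll = build_pe([(b".text", VC_PROLOG)], 0x1000, characteristics=0x2102)
    clean = build_pe([(b".text", VC_PROLOG), (b".rsrc", dll)], 0x1000)
    stub = b"\x90" * 16 + b"\xE9\0\0\0\0"   # nops then a jmp with placeholder target
    tampered = build_pe([(b".text", VC_PROLOG), (b".rsrc", dll), (b".bind", stub)], 0x3000)
    return dll, clean, tampered


if __name__ == "__main__":
    dll, clean, tampered = build_samples()
    for label, blob in (("clean", clean), ("tampered", tampered)):
        print(label, fingerprint(blob), entry_point_report(blob))
        for off in carve_embedded_pes(blob):
            print("  embedded PE at 0x%X, DLL=%s" % (off, parse_pe(blob[off:])["is_dll"]))
```

Run it on a real file by replacing the constructed samples with `open(path, "rb").read()`. The `vc_prolog` flag only says the first bytes match the post's pattern; a packed file will fail it for the harmless reason the post gives (the packer's stub runs first), so read it together with `is_last` and the section name rather than on its own.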

There is no virus, and if you do a virus scan on it, what threat does it come up with?


There is a link on each download to report them, please use that.


I don't know much about programming, but I found your explanation very easy to understand. Thank you for filling me in.

