simple Posted January 20, 2015

Ladies and gentlemen - live from the CrackMe's Arena of tuts4you.com - welcome to the main event of the evening.

In the blue corner, we have Rumble.rar weighing in at 86.5 kb, consisting of a C kernel binary and a C++ user binary, unpacked, fighting out of the Windows XP/7/8 x86 OS.

*crowd goes wild yeeeeaahhh wooo!!!!!*

In the red corner, we have the contender, the master reversing underdog, with a history of infinite knockouts, fighting out of tuts4you.com - putting their flawless record on the line!

*crowd boos boooooooooo* (jk)

Alright, I want a clean fight, anything goes, first fighter to submit the other or make the program accept the correct serial wins the title/public source. This is a featherweight (difficulty - 1/10) bout, judges will score higher for a keygen, but whatever u gotta do to keep from getting knocked out, including patching/cracking/etc can win u the title too. Touch gloves and go back to your corner for the bell.

LETTTTTTTTSSSSS GET READYYYY TO RUMMMMMMMMMMMMBLLEEEE!!!!!

*ding ding ding*

DISCLAIMER - There shouldn't be any bsod's, accept my apologies if there are, however if u change code and cause deadlocks/bsod/other bad stuff then that's on u.

Rumble.rar

GIV Posted January 20, 2015

> There shouldn't be any bsod's

So. Do you use any kind of driver?

Loki Posted January 20, 2015

> So. Do you use any kind of driver?

"consisting of a C kernel binary"

kao Posted January 20, 2015 (edited)

The fight is rigged and can't be won w/o cheating. Boooooo... Crowd goes mad... T4Y takes matters in their own hands and replaces the judge..

@Simple: you forgot to send serial no. to your driver.

EDIT: forgot the most important thing - replace driver with patched one and use a long username like "tuts4you kicks serious ass".

patched.zip

Edited January 20, 2015 by kao

GIV Posted January 20, 2015 (edited)

> The fight is rigged and can't be won w/o cheating. Boooooo... Crowd goes mad... T4Y takes matters in their own hands and replaces the judge..
>
> @Simple: you forgot to send serial no. to your driver.
>
> EDIT: forgot the most important thing - replace driver with patched one and use a long username like "tuts4you kicks serious ass".

The fight was won by T4Y via kernel K.O.

Edited January 20, 2015 by GIV

simple (Author) Posted January 20, 2015 (edited)

judge side comment - The fight is definitely not rigged! Notice call to DeviceIoControl() @ 40158f, that's where it gets sent. If it never got sent, your patched .sys wouldn't work - but it does!

Back to the announcer - Ladies and gentlemen, After a 10 hour bout, the judges have returned their scorecards scoring at 7 - 2, 9 - 3 and 10 - 1, with a unanimous decision of victory by technical knock out to REVERSER KAO!!!!!!

*ref raises kao's arm in air and hands the OFFICIAL TUTS4YOU FEATHERWEIGHT WORLD CHAMPION TITLE BOUT BELT!!!!!*

*kao runs victory laps around the ring*

kao, this has been an emotional fight, you've obviously been training. do u have a few words for the crowd on how u managed to defeat this opponent? (my guess is u changed subsys to wingui and used olly?)

*holds mic to kao...*

edit - confirmed that the fight can be won w/out cheating and valid serials are possible, like any other keygenme!

Edited January 20, 2015 by simple

simple (Author) Posted January 20, 2015

RDGMax, didn't take time to look to see but it's not the original way I distributed it. I guess that whatever rar decompressor you used gave you the packed version which I can't speak for (your version can still input correct serial btw, it just has a diff ret value on a function I used). The version I distro is 288kb on disk, so make sure your file is that size and that error should disappear.

simple (Author) Posted January 20, 2015

Like I said that's not the file as I distro'd it, nor is the file name "Rumblex.exe". The file name is Rumble.exe, it has no packer on it. Use winrar.

simple (Author) Posted January 20, 2015 (edited)

To clear up these match fixing allegations defending featherweight champion kao reported a "bug" in that the name is sent to the driver and not the serial, so simply replace "name here", w/"serial here" in the text box, or disregard them both. Apologies if that caused you problems.

Here's the user space source since it won't help you get a working serial nor keygen it. I'll post the driver's source if someone posts a keygen or working serial (then they will hold the belt!, however binary has been defeated)

edit - text box not driver

```cpp
#include <windows.h>
#include <stdio.h>      // sprintf()
#include <string.h>
#include <iostream>
#include <sstream>
#include <fstream>
#include <algorithm>
#include <iterator>
#include <iomanip>
#include <iphlpapi.h>
#include <psapi.h>
#include <assert.h>
#include <tlhelp32.h>
#include <ws2tcpip.h>
#include <winsock2.h>
#include <io.h>
#include <wchar.h>
#include <winioctl.h>

// ID_FILE_EXIT, ID_STUFF_GO, REG_BUTTON, NAME_BOX, SERIAL_BOX, RE_BOX,
// IDR_MYMENU and IDI_MYICON come from the project's resource header,
// which was not included in this post.

#define IOCTL_GET_LIST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_OUT_DIRECT, FILE_READ_DATA | FILE_WRITE_DATA)

using namespace std;

// lib/libiphlpapi.a
// lib/libws2_32.a
// "C:\\MinGW\\mingw32\\bin\\nm.exe"

/*
Function - SendString() - Sends a Unicode string to driver
Argument - wchar_t - unicode string of comma separated values indicating what files to stop
Returns  - ASCII string indicating CreateFile() error code, DeviceIoControl() error code, Invalid Input, or Success
*/
char* SendString(wchar_t* Sender)
{
    HANDLE hFile;
    DWORD dw;
    BOOL Check = FALSE;
    BOOL DoubleCheck = FALSE;
    std::wstring Replacer;
    char* Returner;
    char RetVal[24];
    static char ErrorReturn[64];    // was 40: too small for the longest message plus error code
    wchar_t* NewMemory, FinalSend;

    // Convert to C++ string and verify unicode
    std::wstring Sizer(Sender);
    int ByteCount = ((Sizer.length() * 2) + 2);

    /*if (Sender == NULL || Sizer.length() == 0)
    {
        goto INVALID_INPUT;
    }*/

    // make sure size isnt too big for ioctl
    if (ByteCount > 63000)
    {
        goto INVALID_INPUT;
    }

    // Open a handle to BlockIt
    hFile = CreateFileW(L"\\\\.\\ioctl", GENERIC_ALL, 0, NULL, OPEN_EXISTING, 0, NULL);
    if (hFile == INVALID_HANDLE_VALUE)
    {
        sprintf(ErrorReturn, "[ ! ] CreateFile() error() %d", GetLastError());
        return &ErrorReturn[0];
    }

    // Send IOCTL and string list and get return value from kernel driver
    Check = DeviceIoControl(hFile, IOCTL_GET_LIST, (VOID*)Sender, ByteCount, RetVal, sizeof(RetVal), &dw, NULL);
    //Check = DeviceIoControl(hFile, IOCTL_GET_LIST, (VOID*)Replacer.c_str(), (Replacer.length() * 2)+ 2, RetVal, sizeof(RetVal), &dw, NULL);
    //free(NewMemory);
    if (!Check)
    {
        sprintf(ErrorReturn, "[ ! ] DeviceIoControl() error() %d", GetLastError());
        CloseHandle(hFile);         // handle was leaked on this path
        return &ErrorReturn[0];
    }
    // if kernel returns "KNOCKOUT" the input is invalid
    else if (strncmp(RetVal, "KNOCKOUT", 8) == 0)
    {
        CloseHandle(hFile);
INVALID_INPUT:
        if (DoubleCheck)
        {
            CloseHandle(hFile);
            free(NewMemory);
        }
        return "[ ! ]KNOCKOUT";
    }
    else
    {
        CloseHandle(hFile);
        return "[ + ]Success";
    }
}

inline BOOL FileExists(std::wstring FileToCheck)
{
    if (_waccess(FileToCheck.c_str(), F_OK) != -1)
        return true;
    else
        return false;
}

// Stops and deletes the "Rumble" service, then removes Rumble.sys from the Windows directory
char* StopDriver()
{
    static char ErrorReturn[64];    // was 40: the OpenSCManager() message alone is longer
    SC_HANDLE hSCManager;
    SC_HANDLE hService;
    SERVICE_STATUS ss;
    wchar_t infoBuf[MAX_PATH];

    if (!GetWindowsDirectoryW(infoBuf, MAX_PATH))
    {
        return "[ ! ]GetWinDir() fail\n";
        //return FALSE;
    }
    std::wstring Testing(infoBuf);
    Testing.append(L"\\Rumble.sys");
    const wchar_t *InstallDir = Testing.c_str();
    //printf("install dir %ws\n", InstallDir);

    hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_CREATE_SERVICE);
    if (hSCManager)
    {
        hService = OpenServiceW((SC_HANDLE)hSCManager, L"Rumble", SERVICE_START | DELETE | SERVICE_STOP);
        if (hService)
        {
            if (!ControlService(hService, SERVICE_CONTROL_STOP, &ss))
            {
                sprintf(ErrorReturn, "[ ! ] ControlService() error() %d", GetLastError());
                CloseServiceHandle(hService);
                return &ErrorReturn[0];
            }
            //ListWidget->addItem("[ + ] Deleting service...");
            if (!DeleteService(hService))
            {
                sprintf(ErrorReturn, "[ ! ] DeleteService() error() %d", GetLastError());
                CloseServiceHandle(hService);
                return &ErrorReturn[0];
            }
            DeleteFileW(InstallDir);
            //printf("%d\n", check);
            CloseServiceHandle(hService);
            return "[ + ]Success";
        }
        else if (!hService)
        {
            //ListWidget->addItem("[ ! ] Could not open service");
            sprintf(ErrorReturn, "[ ! ] OpenService() error() %d", GetLastError());
            CloseServiceHandle(hSCManager);
            return &ErrorReturn[0];
        }
    }
    if (!hSCManager)
    {
        //ListWidget->addItem("[!] Cannot open SCM. Admin rights?");
        sprintf(ErrorReturn, "[ ! ] OpenSCManager() error(). admin privs? %d", GetLastError());
        return &ErrorReturn[0];
    }
}

// Copies Rumble.sys into the Windows directory if needed, then creates/opens and starts the "Rumble" service
char* StartDriver()
{
    static char ErrorReturn[64];    // was 40: the OpenSCManager() message alone is longer
    int Checker;
    //printf("[ + ] Checking installation...");
    SC_HANDLE hSCManager;
    SC_HANDLE hService;
    SERVICE_STATUS ss;
    wchar_t infoBuf[MAX_PATH * 10];

    if (!GetWindowsDirectoryW(infoBuf, MAX_PATH * 10))
    {
        return "[ ! ]GetWinDir() fail\n";
        //return FALSE;
    }
    std::wstring Testing(infoBuf);
    Testing.append(L"\\Rumble.sys");
    const wchar_t *InstallDir = Testing.c_str();
    //printf("Install dir: %ws\n", InstallDir);
    //Arg->addItem((Testing.c_str());
    //BOOL Checker = ;

    if (!FileExists(Testing))
    {
        //printf("[ ! ] Install not found. Creating...");
        wchar_t cCurrentPath[32000];
        if (GetCurrentDirectoryW(32000, cCurrentPath))
        {
            std::wstring CurrentPath(cCurrentPath);
            CurrentPath.append(L"\\Rumble.sys");
            //MessageBox(NULL, (const char*)CurrentPath.c_str(), "current path", MB_ICONEXCLAMATION | MB_OK);
            if (!FileExists(CurrentPath.c_str()))
                return "[ ! ] BlockIt.sys not in cwd";
            //Arg->addItem(cCurrentPath);
            if (!CopyFileW(CurrentPath.c_str(), InstallDir, TRUE))
            {
                sprintf(ErrorReturn, "[ ! ] CopyFileW() error() %d", GetLastError());
                return &ErrorReturn[0];
            }
        }
    }

    hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_CREATE_SERVICE);
    if (hSCManager)
    {
        //printf("Create Service\n");
        hService = CreateServiceW((SC_HANDLE)hSCManager, L"Rumble", L"Rumble",
                                  SERVICE_START | DELETE | SERVICE_STOP,
                                  SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, SERVICE_ERROR_IGNORE,
                                  Testing.c_str(), NULL, NULL, NULL, NULL, NULL);
        if (!hService)
        {
            Checker = GetLastError();
            if (Checker == 1073 || Checker == 1078)
            {
                //ListWidget->addItem("[ + ] Opening service...");
                hService = OpenServiceW((SC_HANDLE)hSCManager, L"Rumble", SERVICE_START | DELETE | SERVICE_STOP);
                if (!hService)
                {
                    sprintf(ErrorReturn, "[ ! ] OpenService() error() %d", GetLastError());
                    return &ErrorReturn[0];
                }
            }
        }
        if (hService)
        {
            BOOL Check = StartService(hService, 0, NULL);
            if (Check)
            {
                CloseServiceHandle(hService);
                return "[ + ]Success";
                //ListWidget->addItem("[ + ] Service started");
            }
            else if (!Check)
            {
                int LER = GetLastError();
                if (LER == 1056)
                {
                    CloseServiceHandle(hService);
                    return "[ ! ]Service already running";
                }
                sprintf(ErrorReturn, "[ ! ] StartService() error() %d", LER);
                CloseServiceHandle(hService);
                return &ErrorReturn[0];
            }
        }
        if (!hService)
        {
            sprintf(ErrorReturn, "[ ! ] CreateServiceW() error() %d", Checker);
            return &ErrorReturn[0];
        }
    }
    if (!hSCManager)
    {
        sprintf(ErrorReturn, "[ ! ] OpenSCManager() error(). admin privs? %d", GetLastError());
        return &ErrorReturn[0];
    }
}

// Step 4: the Window Procedure
LRESULT CALLBACK WndProc(HWND hwnd, UINT msg, WPARAM wParam, LPARAM lParam)
{
    switch (msg)
    {
    case WM_CLOSE:
        DestroyWindow(hwnd);
        break;
    case WM_DESTROY:
        PostQuitMessage(0);
        break;
    case WM_COMMAND:
        switch (LOWORD(wParam))
        {
        case ID_FILE_EXIT:
            DestroyWindow(hwnd);
            break;
        case ID_STUFF_GO:
            MessageBox(hwnd, "s!mple 2012", "s!mple", MB_OK | MB_ICONINFORMATION);
            break;
        case REG_BUTTON:
        {
            wchar_t SerialInput[32000];
            wchar_t NameInput[32000];
            GetWindowTextW(GetDlgItem(hwnd, NAME_BOX), NameInput, 32000);
            GetWindowTextW(GetDlgItem(hwnd, SERIAL_BOX), SerialInput, 32000);
            // The NAME_BOX text is what goes to the driver; SerialInput is read but never sent
            // (the "bug" discussed in this thread)
            wchar_t* Sender = &NameInput[0];
            char* ErrCheck = StartDriver();
            if (strncmp(ErrCheck, "[ + ]Success", 12) != 0)
                MessageBox(NULL, ErrCheck, "ERROR", MB_ICONEXCLAMATION | MB_OK);
            ErrCheck = SendString(Sender);
            if (strncmp(ErrCheck, "[ ! ]KNOCKOUT", 13) == 0)
                MessageBox(NULL, "YOU HAVE BEEN KNOCKED OUT", "KNOCKOUT!", MB_ICONEXCLAMATION | MB_OK);
            ErrCheck = StopDriver();
            if (strncmp(ErrCheck, "[ + ]Success", 12) != 0)
                MessageBox(NULL, ErrCheck, "ERROR", MB_ICONEXCLAMATION | MB_OK);
            break;
        }
        }
        break;
    case WM_CREATE:
    {
        CreateWindow(TEXT("EDIT"), TEXT("Name Here"), WS_VISIBLE | WS_CHILD | WS_BORDER,
                     10, 10, 230, 20, hwnd, (HMENU) NAME_BOX, NULL, NULL);
        CreateWindow(TEXT("EDIT"), TEXT("Serial Here"), WS_VISIBLE | WS_CHILD | WS_BORDER,
                     10, 35, 230, 20, hwnd, (HMENU) SERIAL_BOX, NULL, NULL);
        CreateWindow(TEXT("BUTTON"), TEXT("Register"), WS_VISIBLE | WS_CHILD | WS_BORDER,
                     75, 60, 90, 20, hwnd, (HMENU) REG_BUTTON, NULL, NULL);
        // Creates text box with value inside
        CreateWindow(TEXT("STATIC"), TEXT("Enter serial and press 'Register'."), WS_VISIBLE | WS_CHILD | WS_BORDER,
                     15, 90, 220, 20, hwnd, (HMENU) RE_BOX, NULL, NULL);
        break;
    }
    default:
        return DefWindowProc(hwnd, msg, wParam, lParam);
    }
    return 0;
}

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
    WNDCLASSEX wc;
    HWND hwnd;
    MSG Msg;
    const char g_szClassName[] = "myWindowClass";

    //Step 1: Registering the Window Class
    wc.cbSize = sizeof(WNDCLASSEX);
    wc.style = 0;
    wc.lpfnWndProc = WndProc;
    wc.cbClsExtra = 0;
    wc.cbWndExtra = 0;
    wc.hInstance = hInstance;
    wc.hIcon = LoadIcon(NULL, IDI_APPLICATION);
    wc.hCursor = LoadCursor(NULL, IDC_ARROW);
    wc.hbrBackground = (HBRUSH)(COLOR_WINDOW+1);
    wc.lpszMenuName = NULL;
    wc.lpszClassName = g_szClassName;
    wc.hIconSm = LoadIcon(NULL, IDI_APPLICATION);
    wc.lpszMenuName = MAKEINTRESOURCE(IDR_MYMENU);
    wc.hIcon = LoadIcon(GetModuleHandle(NULL), MAKEINTRESOURCE(IDI_MYICON));
    wc.hIconSm = (HICON)LoadImage(GetModuleHandle(NULL), MAKEINTRESOURCE(IDI_MYICON), IMAGE_ICON, 16, 16, 0);
    wc.hbrBackground = CreateSolidBrush(RGB(190, 190, 190));

    if (!RegisterClassEx(&wc))
    {
        MessageBox(NULL, "Window Registration Failed!", "Error!", MB_ICONEXCLAMATION | MB_OK);
        return 0;
    }

    // Step 2: Creating the Window
    hwnd = CreateWindowEx(WS_EX_CLIENTEDGE, g_szClassName, "Ruuumble v0.1", WS_OVERLAPPEDWINDOW,
                          CW_USEDEFAULT, CW_USEDEFAULT, 265, 170, NULL, NULL, hInstance, NULL);
    if (hwnd == NULL)
    {
        MessageBox(NULL, "Window Creation Failed!", "Error!", MB_ICONEXCLAMATION | MB_OK);
        return 0;
    }
    ShowWindow(hwnd, nCmdShow);
    UpdateWindow(hwnd);

    // Step 3: The Message Loop
    while (GetMessage(&Msg, NULL, 0, 0) > 0)
    {
        TranslateMessage(&Msg);
        DispatchMessage(&Msg);
    }
    return Msg.wParam;
}
```

Edited January 20, 2015 by simple

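Added example, not part of simple's post or of the Rumble sources: it packs and unpacks the `IOCTL_GET_LIST` value from the `CTL_CODE` definition in the post above, and shows a length and terminator check that the receiver of a `ByteCount`-sized UTF-16 buffer could apply. `ctl_code`, `ctl_decode`, `check_input` and the status names are hypothetical; the checks the Rumble driver actually performs are not shown on this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_INPUT_BYTES 63000u /* same ceiling SendString() applies */

typedef struct { uint32_t device, access, function, method; } ioctl_fields;

/* Same bit layout as the Windows CTL_CODE macro. */
uint32_t ctl_code(uint32_t dev, uint32_t fn, uint32_t method, uint32_t access) {
    return (dev << 16) | (access << 14) | (fn << 2) | method;
}

ioctl_fields ctl_decode(uint32_t code) {
    ioctl_fields f;
    f.device   = code >> 16;
    f.access   = (code >> 14) & 0x3u;
    f.function = (code >> 2) & 0xFFFu;  /* includes the vendor bit 0x800 */
    f.method   = code & 0x3u;
    return f;
}

enum input_status { IN_OK, IN_EMPTY, IN_ODD_LENGTH, IN_TOO_BIG, IN_NOT_TERMINATED };

/* Receiver-side check of a counted UTF-16LE buffer: the length comes from
 * the caller, so it is validated before anything scans for a terminator. */
enum input_status check_input(const unsigned char *buf, size_t len) {
    if (buf == NULL || len < 2) return IN_EMPTY;
    if (len % 2 != 0) return IN_ODD_LENGTH;
    if (len > MAX_INPUT_BYTES) return IN_TOO_BIG;
    for (size_t i = 0; i + 1 < len; i += 2)
        if (buf[i] == 0 && buf[i + 1] == 0)
            return i == 0 ? IN_EMPTY : IN_OK;
    return IN_NOT_TERMINATED; /* a wcslen()-style scan would overrun */
}

int main(void) {
    /* FILE_DEVICE_UNKNOWN = 0x22, METHOD_OUT_DIRECT = 2,
     * FILE_READ_DATA | FILE_WRITE_DATA = 3 (Windows SDK values). */
    uint32_t code = ctl_code(0x22u, 0x801u, 2u, 3u);
    ioctl_fields f = ctl_decode(code);
    /* Constructed sample: "ab" as UTF-16LE with its terminator. */
    const unsigned char sample[] = { 'a', 0, 'b', 0, 0, 0 };
    printf("IOCTL_GET_LIST = 0x%08X (dev 0x%X, fn 0x%X, method %u, access %u)\n",
           (unsigned)code, (unsigned)f.device, (unsigned)f.function,
           (unsigned)f.method, (unsigned)f.access);
    printf("sample input status: %d\n", check_input(sample, sizeof sample));
    return 0;
}
```
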
kao Posted January 21, 2015

I'll take the belt, too.

Sample serials:

kao---44op46bbg050czd
WbdJKTddaEf90aRac674d
IzSROl99JRa224W7bb8qd

Serial must be entered in "name here" box, and "serial here" box can contain anything.

Keygen attached

keygen.zip

simple (Author) Posted January 21, 2015

Ladies and gentlemen, in an unforeseen rematch, reigning featherweight title holder kao reaches victory by second round knockout! VICTORY IS YOURS ALONE!

RumbleDriverSource.rar