Jump to content
Tuts 4 You

[CrackMe/KeygenMe] MONDAY NIGHT FIGHT


simple

Recommended Posts

Ladies and gentleman - live from the CrackMe's Arena of tuts4you.com - welcome to the main event of the evening.In the blue corner, we have Rumble.rar wieghing in at 86.5 kb, consisting of a C kernel binary and a C++ user binary, unpacked, fighting out of the Windows XP/7/8 x86 OS.*crowd gos wild yeeeeaahhh wooo!!!!!*In the red corner, we have the contender, the master reversing underdog, with a history of infinite knockouts, fighting out of tuts4you.com - putting their flawless record on the line!*crowd boos boooooooooo* (jk ;))Alright, I want a clean fight, anything goes, first fighter to submit the other or make the program accept the correct serial wins the title/public source. This is a featherweight (difficulty - 1/10) bout, judges will score higher for a keygen, but whatever u gotta do to keep from getting knocked out, including patching/cracking/etc can win u the title too. Touch gloves and go back to your corner for the bell.LETTTTTTTTSSSSS GET READYYYY TO RUMMMMMMMMMMMMBLLEEEE!!!!!*ding ding ding*

 

DISCLAIMER - There shouldn't be any bsod's, accept my apologies if there are, however if u change code and cause deadlocks/bsod/other bad stuff then thats on u.

Rumble.rar

  • Like 2
Link to comment

The fight is rigged and can't be won w/o cheating. Boooooo... Crowd goes mad...


T4Y takes matters in their own hands and replace the judge..


 


@Simple:

you forgot to send serial no. to your driver.

;)

 


 


EDIT: forgot the most important thing - replace driver with patched one and use a long username like "tuts4you kicks serious ass".


patched.zip

Edited by kao
  • Like 1
Link to comment

The fight is rigged and can't be won w/o cheating. Boooooo... Crowd goes mad...

T4Y takes matters in their own hands and replace the judge..

 

@Simple:

you forgot to send serial no. to your driver.

;)

 

 

EDIT: forgot the most important thing - replace driver with patched one and use a long username like "tuts4you kicks serious ass".

The fight was won by T4Y via kernel K.O.

Edited by GIV
Link to comment

judge side comment - The fight is definately not rigged! Notice call to DeviceIoControl() @ 40158f, that's where it gets sent. If it never got sent, your pacthed .sys wouldn't work - but it does! Back to the announcer -


 


Ladies and gentlemen,


 


After a 10 hour bout, the judges have returned their scorecards scoring at 7 - 2, 9 - 3 and 10 - 1, with a unanimous decision of victory by technical knock out to REVERSER KAO!!!!!!


 


*ref raises kao's arm in air and hands the OFFICIAL TUTS4YOU FEATHERWEIGHT WORLD CHAMPION TITLE BOUT BELT!!!!!**


 


*kao runs victory laps around the ring*


 


kao, this has been an emotional fight, you've obviously been training. do u have a few words for the crowd on how u managed to defeat this opponent? (my guess is u changed subsys to wingui and used olly?)


 


*holds mic to kao...*


 


edit - confirmed that the fight can be won w/out cheating and valid serials are possible, like any other keygenme!


Edited by simple
Link to comment

RDGMax, didn't take time to look to see but it's not the original way I distributed it. I guess that whatever rar decompresor you used gave you the packed version which I can't speak for (your version can still input correct serial btw, it just has a diff ret value on a function I used).


 


The version I distro is 288kb on disk, so make sure your file is that size and that error should dissappear. 


Link to comment

Like I said that's not the file as I distro'd it, nor is the file name "Rumblex.exe". The file name is Rumble.exe, it has no packer on it. Use winrar.


Link to comment

To clear up these match fixing allegations defending featherwight champion kao reported a "bug" in that the name is sent to the driver and not the serial, so simply replace "name here", w/"serial here" in the text box, or disregard them both. Apologies if that caused you problems.
 
Here's the user space source since it wont help you get a working serial nor keygen it. I'll post the driver's source if someone posts a keygen or working serial (then they will hold the belt!, however binary has been defeated)

 

edit - text box not driver

 

#include <windows.h>#include <string.h>#include <iostream>#include <sstream>#include <fstream>#include <algorithm>#include <iterator>#include <iomanip>#include <iphlpapi.h>#include <psapi.h>#include <Assert.h>#include <tlhelp32.h>#include <ws2tcpip.h>#include <winsock2.h>#include <io.h>#include <wchar.h>#include <winioctl.h>#define IOCTL_GET_LIST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_OUT_DIRECT, FILE_READ_DATA | FILE_WRITE_DATA)using namespace std;// lib/libiphlpapi.a// lib/libws2_32.a// "C:\\MinGW\\mingw32\\bin\\nm.exe"/*Function - SendString() - Sends a Unicode string to driverArgument - wchar_t - unicode string of comma seperated valued indicating what files to stop Returns  - ASCI string indicating CreateFile() error code, DeviceIoControl() error code,            Invalid Input, or Success */char* SendString(wchar_t* Sender){    HANDLE hFile;	DWORD dw;	BOOL Check = FALSE;	BOOL DoubleCheck = FALSE;	std::wstring Replacer;    char* Returner;	char RetVal[24];	static char ErrorReturn[40];	wchar_t* NewMemory, FinalSend;	// Convert to C++ string and verify unicode 	std::wstring Sizer(Sender);	int ByteCount = ((Sizer.length() * 2) + 2);	/*if (Sender == NULL || Sizer.length() == 0)	{	    goto INVALID_INPUT;    }*/	// make sure size isnt too big for ioctl	if (ByteCount > 63000)	{	    goto INVALID_INPUT;    }    	// Open a handle to BlockIt	hFile = CreateFileW(L"\\\\.\\ioctl", GENERIC_ALL, 0, NULL, OPEN_EXISTING, 0, NULL);	if (hFile == INVALID_HANDLE_VALUE)	{	    sprintf(ErrorReturn, "[ ! ] CreateFile() error() %d", GetLastError());				return &ErrorReturn[0];	}	    // Send IOCTL and string list and get return value from kernel driver    Check = DeviceIoControl(hFile, IOCTL_GET_LIST, (VOID*)Sender, ByteCount, RetVal, sizeof(RetVal), &dw, NULL);    //Check = DeviceIoControl(hFile, IOCTL_GET_LIST, (VOID*)Replacer.c_str(), (Replacer.length() * 2)+ 2, RetVal, sizeof(RetVal), &dw, NULL);    //free(NewMemory);		    if (!Check)    {		sprintf(ErrorReturn, "[ ! ] DeviceIoControl() error() %d", GetLastError());				return &ErrorReturn[0];    }		//if kernel returns anything other than "VALID" the input is invalid	else if (strncmp(RetVal, "KNOCKOUT", 8) == 0)	{	    CloseHandle(hFile);		INVALID_INPUT:        if (DoubleCheck)        {            CloseHandle(hFile);            free(NewMemory);        }		return "[ ! ]KNOCKOUT";			}	else	{        CloseHandle(hFile);			    return "[ + ]Success";    }}inline BOOL FileExists(std::wstring FileToCheck){    if(_waccess(FileToCheck.c_str(), F_OK) != -1)        return true;                                           else        return false;       }char* StopDriver(){    static char ErrorReturn[40];    SC_HANDLE hSCManager;    SC_HANDLE hService;    SERVICE_STATUS ss;    wchar_t infoBuf[MAX_PATH];    if (!GetWindowsDirectoryW(infoBuf, MAX_PATH))    {        return "[ ! ]GetWinDir() fail\n";        //return FALSE;     }     std::wstring Testing(infoBuf);     Testing.append(L"\\Rumble.sys");    const wchar_t *InstallDir = Testing.c_str();        //printf("install dir %ws\n", InstallDir);    hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_CREATE_SERVICE);	    if(hSCManager)    {        		hService = OpenServiceW((SC_HANDLE)hSCManager, L"Rumble", SERVICE_START | DELETE | SERVICE_STOP);				if(hService)        {                        if (!ControlService(hService, SERVICE_CONTROL_STOP, &ss))            {                sprintf(ErrorReturn, "[ ! ] ControlService() error() %d", GetLastError());		        CloseServiceHandle(hService);                return &ErrorReturn[0];                                          }						//ListWidget->addItem("[ + ] Deleting service...");            if (!DeleteService(hService))            {                sprintf(ErrorReturn, "[ ! ] DeleteService() error() %d", GetLastError());		        CloseServiceHandle(hService);                return &ErrorReturn[0];                                                                                                                      }            DeleteFileW(InstallDir);            //printf("%d\n", check);            CloseServiceHandle(hService);            return "[ + ]Success";                    }		else if (!hService)		{		    //ListWidget->addItem("[ ! ] Could not open service");		    sprintf(ErrorReturn, "[ ! ] OpenService() error() %d", GetLastError());		    CloseServiceHandle(hSCManager);            return &ErrorReturn[0];		}			    }	if(!hSCManager)    {        //ListWidget->addItem("[!] Cannot open SCM. Admin rights?");        sprintf(ErrorReturn, "[ ! ] OpenSCManager() error(). admin privs? %d", GetLastError());		        return &ErrorReturn[0];    	}}char* StartDriver(){          static char ErrorReturn[40];      int Checker;      //printf("[ + ] Checking installation...");	SC_HANDLE hSCManager;    SC_HANDLE hService;    SERVICE_STATUS ss;	wchar_t infoBuf[MAX_PATH * 10];    if (!GetWindowsDirectoryW(infoBuf, MAX_PATH * 10))    {        return "[ ! ]GetWinDir() fail\n";        //return FALSE;     }     std::wstring Testing(infoBuf);     Testing.append(L"\\Rumble.sys");    const wchar_t *InstallDir = Testing.c_str();    //printf("Install dir: %ws\n", InstallDir);     //Arg->addItem((Testing.c_str());   	//BOOL Checker = ;	    if (!FileExists(Testing))	{	    //printf("[ ! ] Install not found. Creating...");		wchar_t cCurrentPath[32000];	    if (GetCurrentDirectoryW(32000, cCurrentPath))        {            std::wstring CurrentPath(cCurrentPath);            CurrentPath.append(L"\\Rumble.sys");                        //MessageBox(NULL, (const char*)CurrentPath.c_str(), "current path", MB_ICONEXCLAMATION | MB_OK);                        if (!FileExists(CurrentPath.c_str()))                return "[ ! ] BlockIt.sys not in cwd";             						//Arg->addItem(cCurrentPath);			if (!CopyFileW(CurrentPath.c_str(), InstallDir, TRUE))			{                sprintf(ErrorReturn, "[ ! ] CopyFileW() error() %d", GetLastError());		                return &ErrorReturn[0];                                            } 			    }	}          hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_CREATE_SERVICE);    if(hSCManager)    {        //printf("Create Service\n");        hService = CreateServiceW((SC_HANDLE)hSCManager, L"Rumble", L"Rumble", SERVICE_START | DELETE | SERVICE_STOP, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START,  SERVICE_ERROR_IGNORE, Testing.c_str(), NULL, NULL, NULL, NULL, NULL);        if(!hService)        {            Checker = GetLastError();                         if (Checker == 1073 || Checker == 1078)            {		        //ListWidget->addItem("[ + ] Opening service...");                hService = OpenServiceW((SC_HANDLE)hSCManager, L"Rumble", SERVICE_START | DELETE | SERVICE_STOP);                if (!hService)                {                    sprintf(ErrorReturn, "[ ! ] OpenService() error() %d", GetLastError());		                    return &ErrorReturn[0];                                       }                }                         }				if(hService)        {            BOOL Check = StartService(hService, 0, NULL);						if (Check)			{                CloseServiceHandle(hService);                      return "[ + ]Success";      			    //ListWidget->addItem("[ + ] Service started");			}			else if (!Check)			{                 int LER = GetLastError();                                  if (LER == 1056)                 {                     CloseServiceHandle(hService);                     return "[ ! ]Service already running";                         }                                  sprintf(ErrorReturn, "[ ! ] StartService() error() %d", LER);		         CloseServiceHandle(hService);                  return &ErrorReturn[0]; 			}	        }        if (!hService)        {            sprintf(ErrorReturn, "[ ! ] CreateServiceW() error() %d", Checker);		            return &ErrorReturn[0];                       }    }	if(!hSCManager)    {        sprintf(ErrorReturn, "[ ! ] OpenSCManager() error(). admin privs? %d", GetLastError());		        return &ErrorReturn[0];    	}}// Step 4: the Window ProcedureLRESULT CALLBACK WndProc(HWND hwnd, UINT msg, WPARAM wParam, LPARAM lParam){	switch(msg)	{		case WM_CLOSE:			DestroyWindow(hwnd);		break;				case WM_DESTROY:			PostQuitMessage(0);		break;				case WM_COMMAND:             switch(LOWORD(wParam))                 {                     case ID_FILE_EXIT:                          DestroyWindow(hwnd);                          break;		             case ID_STUFF_GO:                          MessageBox(hwnd, "s!mple 2012", "s!mple", MB_OK | MB_ICONINFORMATION);                          break;                                                                 case REG_BUTTON:                                                    wchar_t SerialInput[32000];                          wchar_t NameInput[32000];                                                     GetWindowTextW(GetDlgItem(hwnd, NAME_BOX), NameInput, 32000);                          GetWindowTextW(GetDlgItem(hwnd, SERIAL_BOX), SerialInput, 32000);                                                      wchar_t* Sender = &NameInput[0];                                                    char* ErrCheck = StartDriver();                          if (strncmp(ErrCheck, "[ + ]Success", 12) != 0)                              MessageBox(NULL, ErrCheck, "ERROR", MB_ICONEXCLAMATION | MB_OK);                                                                                                         ErrCheck = SendString(Sender);                          if (strncmp(ErrCheck, "[ ! ]KNOCKOUT", 13) == 0)                              MessageBox(NULL, "YOU HAVE BEEN KNOCKED OUT", "KNOCKOUT!", MB_ICONEXCLAMATION | MB_OK);                                                                               ErrCheck = StopDriver();                          if (strncmp(ErrCheck, "[ + ]Success", 12) != 0)                              MessageBox(NULL, ErrCheck, "ERROR", MB_ICONEXCLAMATION | MB_OK);                                                                                                        break;                                           }                 break;                         case WM_CREATE:        {                                                      CreateWindow (TEXT("EDIT"), TEXT("Name Here"), WS_VISIBLE | WS_CHILD | WS_BORDER, 10, 10, 230, 20, hwnd, (HMENU) NAME_BOX, NULL, NULL);             CreateWindow (TEXT("EDIT"), TEXT("Serial Here"), WS_VISIBLE | WS_CHILD | WS_BORDER, 10, 35, 230, 20, hwnd, (HMENU) SERIAL_BOX, NULL, NULL);             CreateWindow (TEXT("BUTTON"), TEXT("Register"), WS_VISIBLE | WS_CHILD | WS_BORDER, 75, 60, 90, 20, hwnd, (HMENU) REG_BUTTON, NULL, NULL);             CreateWindow (TEXT("STATIC"), TEXT("Enter serial and press 'Register'."), WS_VISIBLE | WS_CHILD | WS_BORDER, 15, 90, 220, 20, hwnd, (HMENU) RE_BOX, NULL, NULL); // Creates text box with value inside                                                 break;        }				default:			return DefWindowProc(hwnd, msg, wParam, lParam);	}	return 0;}int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow){	WNDCLASSEX wc;	HWND hwnd;	MSG Msg;    const char g_szClassName[] = "myWindowClass";	//Step 1: Registering the Window Class	wc.cbSize		 = sizeof(WNDCLASSEX);	wc.style		 = 0;	wc.lpfnWndProc	 = WndProc;	wc.cbClsExtra	 = 0;	wc.cbWndExtra	 = 0;	wc.hInstance	 = hInstance;	wc.hIcon		 = LoadIcon(NULL, IDI_APPLICATION);	wc.hCursor		 = LoadCursor(NULL, IDC_ARROW);	wc.hbrBackground = (HBRUSH)(COLOR_WINDOW+1);	wc.lpszMenuName  = NULL;	wc.lpszClassName = g_szClassName;	wc.hIconSm		 = LoadIcon(NULL, IDI_APPLICATION);	wc.lpszMenuName  = MAKEINTRESOURCE(IDR_MYMENU);	wc.hIcon         = LoadIcon(GetModuleHandle(NULL), MAKEINTRESOURCE(IDI_MYICON));    wc.hIconSm       = (HICON)LoadImage(GetModuleHandle(NULL), MAKEINTRESOURCE(IDI_MYICON), IMAGE_ICON, 16, 16, 0);    wc.hbrBackground = CreateSolidBrush(RGB(190, 190, 190));        	if(!RegisterClassEx(&wc))	{		MessageBox(NULL, "Window Registration Failed!", "Error!",			MB_ICONEXCLAMATION | MB_OK);		return 0;	}	// Step 2: Creating the Window	hwnd = CreateWindowEx(WS_EX_CLIENTEDGE, g_szClassName, "Ruuumble v0.1", WS_OVERLAPPEDWINDOW, CW_USEDEFAULT, CW_USEDEFAULT,         265, 170,		NULL, NULL, hInstance, NULL);	if(hwnd == NULL)	{		MessageBox(NULL, "Window Creation Failed!", "Error!",			MB_ICONEXCLAMATION | MB_OK);		return 0;	}	ShowWindow(hwnd, nCmdShow);	UpdateWindow(hwnd);	// Step 3: The Message Loop	while(GetMessage(&Msg, NULL, 0, 0) > 0)	{		TranslateMessage(&Msg);		DispatchMessage(&Msg);	}	return Msg.wParam;}
Edited by simple
Link to comment

I'll take the belt, too. :) Sample serials:

kao---44op46bbg050czd

WbdJKTddaEf90aRac674d

IzSROl99JRa224W7bb8qd

Serial must be entered in "name here" box, and "serial here" box can contain anything.

Keygen attached

keygen.zip

  • Like 1
Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...