Jump to content
Tuts 4 You

[CrackMe/KeygenMe] MONDAY NIGHT FIGHT

simple

By simple
in CrackMe

 Share

Recommended Posts

simple

simple

Posted
Posted

Ladies and gentleman - live from the CrackMe's Arena of tuts4you.com - welcome to the main event of the evening.In the blue corner, we have Rumble.rar wieghing in at 86.5 kb, consisting of a C kernel binary and a C++ user binary, unpacked, fighting out of the Windows XP/7/8 x86 OS.*crowd gos wild yeeeeaahhh wooo!!!!!*In the red corner, we have the contender, the master reversing underdog, with a history of infinite knockouts, fighting out of tuts4you.com - putting their flawless record on the line!*crowd boos boooooooooo* (jk ;))Alright, I want a clean fight, anything goes, first fighter to submit the other or make the program accept the correct serial wins the title/public source. This is a featherweight (difficulty - 1/10) bout, judges will score higher for a keygen, but whatever u gotta do to keep from getting knocked out, including patching/cracking/etc can win u the title too. Touch gloves and go back to your corner for the bell.LETTTTTTTTSSSSS GET READYYYY TO RUMMMMMMMMMMMMBLLEEEE!!!!!*ding ding ding*

 

DISCLAIMER - There shouldn't be any bsod's, accept my apologies if there are, however if u change code and cause deadlocks/bsod/other bad stuff then thats on u.

Rumble.rar

  • Like 2
Link to comment
Share on other sites
kao

kao

Posted
Posted (edited)

The fight is rigged and can't be won w/o cheating. Boooooo... Crowd goes mad...


T4Y takes matters in their own hands and replace the judge..


 


@Simple:

you forgot to send serial no. to your driver.

;)

 


 


EDIT: forgot the most important thing - replace driver with patched one and use a long username like "tuts4you kicks serious ass".


patched.zip

Edited by kao
  • Like 1
Link to comment
Share on other sites
GIV

GIV

Posted
Posted (edited)

The fight is rigged and can't be won w/o cheating. Boooooo... Crowd goes mad...

T4Y takes matters in their own hands and replace the judge..

 

@Simple:

you forgot to send serial no. to your driver.

;)

 

 

EDIT: forgot the most important thing - replace driver with patched one and use a long username like "tuts4you kicks serious ass".

The fight was won by T4Y via kernel K.O.

Edited by GIV
Link to comment
Share on other sites
simple

simple

Posted
  • Author
Posted (edited)

judge side comment - The fight is definately not rigged! Notice call to DeviceIoControl() @ 40158f, that's where it gets sent. If it never got sent, your pacthed .sys wouldn't work - but it does! Back to the announcer -


 


Ladies and gentlemen,


 


After a 10 hour bout, the judges have returned their scorecards scoring at 7 - 2, 9 - 3 and 10 - 1, with a unanimous decision of victory by technical knock out to REVERSER KAO!!!!!!


 


*ref raises kao's arm in air and hands the OFFICIAL TUTS4YOU FEATHERWEIGHT WORLD CHAMPION TITLE BOUT BELT!!!!!**


 


*kao runs victory laps around the ring*


 


kao, this has been an emotional fight, you've obviously been training. do u have a few words for the crowd on how u managed to defeat this opponent? (my guess is u changed subsys to wingui and used olly?)


 


*holds mic to kao...*


 


edit - confirmed that the fight can be won w/out cheating and valid serials are possible, like any other keygenme!


Edited by simple
Link to comment
Share on other sites
simple

simple

Posted
  • Author
Posted

RDGMax, didn't take time to look to see but it's not the original way I distributed it. I guess that whatever rar decompresor you used gave you the packed version which I can't speak for (your version can still input correct serial btw, it just has a diff ret value on a function I used).


 


The version I distro is 288kb on disk, so make sure your file is that size and that error should dissappear. 


Link to comment
Share on other sites
simple

simple

Posted
  • Author
Posted

Like I said that's not the file as I distro'd it, nor is the file name "Rumblex.exe". The file name is Rumble.exe, it has no packer on it. Use winrar.


Link to comment
Share on other sites
simple

simple

Posted
  • Author
Posted (edited)

To clear up these match fixing allegations defending featherwight champion kao reported a "bug" in that the name is sent to the driver and not the serial, so simply replace "name here", w/"serial here" in the text box, or disregard them both. Apologies if that caused you problems.
 
Here's the user space source since it wont help you get a working serial nor keygen it. I'll post the driver's source if someone posts a keygen or working serial (then they will hold the belt!, however binary has been defeated)

 

edit - text box not driver

 

#include <windows.h>#include <string.h>#include <iostream>#include <sstream>#include <fstream>#include <algorithm>#include <iterator>#include <iomanip>#include <iphlpapi.h>#include <psapi.h>#include <Assert.h>#include <tlhelp32.h>#include <ws2tcpip.h>#include <winsock2.h>#include <io.h>#include <wchar.h>#include <winioctl.h>#define IOCTL_GET_LIST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_OUT_DIRECT, FILE_READ_DATA | FILE_WRITE_DATA)using namespace std;// lib/libiphlpapi.a// lib/libws2_32.a// "C:\\MinGW\\mingw32\\bin\\nm.exe"/*Function - SendString() - Sends a Unicode string to driverArgument - wchar_t - unicode string of comma seperated valued indicating what files to stop Returns  - ASCI string indicating CreateFile() error code, DeviceIoControl() error code,            Invalid Input, or Success */char* SendString(wchar_t* Sender){    HANDLE hFile;	DWORD dw;	BOOL Check = FALSE;	BOOL DoubleCheck = FALSE;	std::wstring Replacer;    char* Returner;	char RetVal[24];	static char ErrorReturn[40];	wchar_t* NewMemory, FinalSend;	// Convert to C++ string and verify unicode 	std::wstring Sizer(Sender);	int ByteCount = ((Sizer.length() * 2) + 2);	/*if (Sender == NULL || Sizer.length() == 0)	{	    goto INVALID_INPUT;    }*/	// make sure size isnt too big for ioctl	if (ByteCount > 63000)	{	    goto INVALID_INPUT;    }    	// Open a handle to BlockIt	hFile = CreateFileW(L"\\\\.\\ioctl", GENERIC_ALL, 0, NULL, OPEN_EXISTING, 0, NULL);	if (hFile == INVALID_HANDLE_VALUE)	{	    sprintf(ErrorReturn, "[ ! ] CreateFile() error() %d", GetLastError());				return &ErrorReturn[0];	}	    // Send IOCTL and string list and get return value from kernel driver    Check = DeviceIoControl(hFile, IOCTL_GET_LIST, (VOID*)Sender, ByteCount, RetVal, sizeof(RetVal), &dw, NULL);    //Check = DeviceIoControl(hFile, IOCTL_GET_LIST, (VOID*)Replacer.c_str(), (Replacer.length() * 2)+ 2, RetVal, sizeof(RetVal), &dw, NULL);    //free(NewMemory);		    if (!Check)    {		sprintf(ErrorReturn, "[ ! ] DeviceIoControl() error() %d", GetLastError());				return &ErrorReturn[0];    }		//if kernel returns anything other than "VALID" the input is invalid	else if (strncmp(RetVal, "KNOCKOUT", 8) == 0)	{	    CloseHandle(hFile);		INVALID_INPUT:        if (DoubleCheck)        {            CloseHandle(hFile);            free(NewMemory);        }		return "[ ! ]KNOCKOUT";			}	else	{        CloseHandle(hFile);			    return "[ + ]Success";    }}inline BOOL FileExists(std::wstring FileToCheck){    if(_waccess(FileToCheck.c_str(), F_OK) != -1)        return true;                                           else        return false;       }char* StopDriver(){    static char ErrorReturn[40];    SC_HANDLE hSCManager;    SC_HANDLE hService;    SERVICE_STATUS ss;    wchar_t infoBuf[MAX_PATH];    if (!GetWindowsDirectoryW(infoBuf, MAX_PATH))    {        return "[ ! ]GetWinDir() fail\n";        //return FALSE;     }     std::wstring Testing(infoBuf);     Testing.append(L"\\Rumble.sys");    const wchar_t *InstallDir = Testing.c_str();        //printf("install dir %ws\n", InstallDir);    hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_CREATE_SERVICE);	    if(hSCManager)    {        		hService = OpenServiceW((SC_HANDLE)hSCManager, L"Rumble", SERVICE_START | DELETE | SERVICE_STOP);				if(hService)        {                        if (!ControlService(hService, SERVICE_CONTROL_STOP, &ss))            {                sprintf(ErrorReturn, "[ ! ] ControlService() error() %d", GetLastError());		        CloseServiceHandle(hService);                return &ErrorReturn[0];                                          }						//ListWidget->addItem("[ + ] Deleting service...");            if (!DeleteService(hService))            {                sprintf(ErrorReturn, "[ ! ] DeleteService() error() %d", GetLastError());		        CloseServiceHandle(hService);                return &ErrorReturn[0];                                                                                                                      }            DeleteFileW(InstallDir);            //printf("%d\n", check);            CloseServiceHandle(hService);            return "[ + ]Success";                    }		else if (!hService)		{		    //ListWidget->addItem("[ ! ] Could not open service");		    sprintf(ErrorReturn, "[ ! ] OpenService() error() %d", GetLastError());		    CloseServiceHandle(hSCManager);            return &ErrorReturn[0];		}			    }	if(!hSCManager)    {        //ListWidget->addItem("[!] Cannot open SCM. Admin rights?");        sprintf(ErrorReturn, "[ ! ] OpenSCManager() error(). admin privs? %d", GetLastError());		        return &ErrorReturn[0];    	}}char* StartDriver(){          static char ErrorReturn[40];      int Checker;      //printf("[ + ] Checking installation...");	SC_HANDLE hSCManager;    SC_HANDLE hService;    SERVICE_STATUS ss;	wchar_t infoBuf[MAX_PATH * 10];    if (!GetWindowsDirectoryW(infoBuf, MAX_PATH * 10))    {        return "[ ! ]GetWinDir() fail\n";        //return FALSE;     }     std::wstring Testing(infoBuf);     Testing.append(L"\\Rumble.sys");    const wchar_t *InstallDir = Testing.c_str();    //printf("Install dir: %ws\n", InstallDir);     //Arg->addItem((Testing.c_str());   	//BOOL Checker = ;	    if (!FileExists(Testing))	{	    //printf("[ ! ] Install not found. Creating...");		wchar_t cCurrentPath[32000];	    if (GetCurrentDirectoryW(32000, cCurrentPath))        {            std::wstring CurrentPath(cCurrentPath);            CurrentPath.append(L"\\Rumble.sys");                        //MessageBox(NULL, (const char*)CurrentPath.c_str(), "current path", MB_ICONEXCLAMATION | MB_OK);                        if (!FileExists(CurrentPath.c_str()))                return "[ ! ] BlockIt.sys not in cwd";             						//Arg->addItem(cCurrentPath);			if (!CopyFileW(CurrentPath.c_str(), InstallDir, TRUE))			{                sprintf(ErrorReturn, "[ ! ] CopyFileW() error() %d", GetLastError());		                return &ErrorReturn[0];                                            } 			    }	}          hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_CREATE_SERVICE);    if(hSCManager)    {        //printf("Create Service\n");        hService = CreateServiceW((SC_HANDLE)hSCManager, L"Rumble", L"Rumble", SERVICE_START | DELETE | SERVICE_STOP, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START,  SERVICE_ERROR_IGNORE, Testing.c_str(), NULL, NULL, NULL, NULL, NULL);        if(!hService)        {            Checker = GetLastError();                         if (Checker == 1073 || Checker == 1078)            {		        //ListWidget->addItem("[ + ] Opening service...");                hService = OpenServiceW((SC_HANDLE)hSCManager, L"Rumble", SERVICE_START | DELETE | SERVICE_STOP);                if (!hService)                {                    sprintf(ErrorReturn, "[ ! ] OpenService() error() %d", GetLastError());		                    return &ErrorReturn[0];                                       }                }                         }				if(hService)        {            BOOL Check = StartService(hService, 0, NULL);						if (Check)			{                CloseServiceHandle(hService);                      return "[ + ]Success";      			    //ListWidget->addItem("[ + ] Service started");			}			else if (!Check)			{                 int LER = GetLastError();                                  if (LER == 1056)                 {                     CloseServiceHandle(hService);                     return "[ ! ]Service already running";                         }                                  sprintf(ErrorReturn, "[ ! ] StartService() error() %d", LER);		         CloseServiceHandle(hService);                  return &ErrorReturn[0]; 			}	        }        if (!hService)        {            sprintf(ErrorReturn, "[ ! ] CreateServiceW() error() %d", Checker);		            return &ErrorReturn[0];                       }    }	if(!hSCManager)    {        sprintf(ErrorReturn, "[ ! ] OpenSCManager() error(). admin privs? %d", GetLastError());		        return &ErrorReturn[0];    	}}// Step 4: the Window ProcedureLRESULT CALLBACK WndProc(HWND hwnd, UINT msg, WPARAM wParam, LPARAM lParam){	switch(msg)	{		case WM_CLOSE:			DestroyWindow(hwnd);		break;				case WM_DESTROY:			PostQuitMessage(0);		break;				case WM_COMMAND:             switch(LOWORD(wParam))                 {                     case ID_FILE_EXIT:                          DestroyWindow(hwnd);                          break;		             case ID_STUFF_GO:                          MessageBox(hwnd, "s!mple 2012", "s!mple", MB_OK | MB_ICONINFORMATION);                          break;                                                                 case REG_BUTTON:                                                    wchar_t SerialInput[32000];                          wchar_t NameInput[32000];                                                     GetWindowTextW(GetDlgItem(hwnd, NAME_BOX), NameInput, 32000);                          GetWindowTextW(GetDlgItem(hwnd, SERIAL_BOX), SerialInput, 32000);                                                      wchar_t* Sender = &NameInput[0];                                                    char* ErrCheck = StartDriver();                          if (strncmp(ErrCheck, "[ + ]Success", 12) != 0)                              MessageBox(NULL, ErrCheck, "ERROR", MB_ICONEXCLAMATION | MB_OK);                                                                                                         ErrCheck = SendString(Sender);                          if (strncmp(ErrCheck, "[ ! ]KNOCKOUT", 13) == 0)                              MessageBox(NULL, "YOU HAVE BEEN KNOCKED OUT", "KNOCKOUT!", MB_ICONEXCLAMATION | MB_OK);                                                                               ErrCheck = StopDriver();                          if (strncmp(ErrCheck, "[ + ]Success", 12) != 0)                              MessageBox(NULL, ErrCheck, "ERROR", MB_ICONEXCLAMATION | MB_OK);                                                                                                        break;                                           }                 break;                         case WM_CREATE:        {                                                      CreateWindow (TEXT("EDIT"), TEXT("Name Here"), WS_VISIBLE | WS_CHILD | WS_BORDER, 10, 10, 230, 20, hwnd, (HMENU) NAME_BOX, NULL, NULL);             CreateWindow (TEXT("EDIT"), TEXT("Serial Here"), WS_VISIBLE | WS_CHILD | WS_BORDER, 10, 35, 230, 20, hwnd, (HMENU) SERIAL_BOX, NULL, NULL);             CreateWindow (TEXT("BUTTON"), TEXT("Register"), WS_VISIBLE | WS_CHILD | WS_BORDER, 75, 60, 90, 20, hwnd, (HMENU) REG_BUTTON, NULL, NULL);             CreateWindow (TEXT("STATIC"), TEXT("Enter serial and press 'Register'."), WS_VISIBLE | WS_CHILD | WS_BORDER, 15, 90, 220, 20, hwnd, (HMENU) RE_BOX, NULL, NULL); // Creates text box with value inside                                                 break;        }				default:			return DefWindowProc(hwnd, msg, wParam, lParam);	}	return 0;}int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow){	WNDCLASSEX wc;	HWND hwnd;	MSG Msg;    const char g_szClassName[] = "myWindowClass";	//Step 1: Registering the Window Class	wc.cbSize		 = sizeof(WNDCLASSEX);	wc.style		 = 0;	wc.lpfnWndProc	 = WndProc;	wc.cbClsExtra	 = 0;	wc.cbWndExtra	 = 0;	wc.hInstance	 = hInstance;	wc.hIcon		 = LoadIcon(NULL, IDI_APPLICATION);	wc.hCursor		 = LoadCursor(NULL, IDC_ARROW);	wc.hbrBackground = (HBRUSH)(COLOR_WINDOW+1);	wc.lpszMenuName  = NULL;	wc.lpszClassName = g_szClassName;	wc.hIconSm		 = LoadIcon(NULL, IDI_APPLICATION);	wc.lpszMenuName  = MAKEINTRESOURCE(IDR_MYMENU);	wc.hIcon         = LoadIcon(GetModuleHandle(NULL), MAKEINTRESOURCE(IDI_MYICON));    wc.hIconSm       = (HICON)LoadImage(GetModuleHandle(NULL), MAKEINTRESOURCE(IDI_MYICON), IMAGE_ICON, 16, 16, 0);    wc.hbrBackground = CreateSolidBrush(RGB(190, 190, 190));        	if(!RegisterClassEx(&wc))	{		MessageBox(NULL, "Window Registration Failed!", "Error!",			MB_ICONEXCLAMATION | MB_OK);		return 0;	}	// Step 2: Creating the Window	hwnd = CreateWindowEx(WS_EX_CLIENTEDGE, g_szClassName, "Ruuumble v0.1", WS_OVERLAPPEDWINDOW, CW_USEDEFAULT, CW_USEDEFAULT,         265, 170,		NULL, NULL, hInstance, NULL);	if(hwnd == NULL)	{		MessageBox(NULL, "Window Creation Failed!", "Error!",			MB_ICONEXCLAMATION | MB_OK);		return 0;	}	ShowWindow(hwnd, nCmdShow);	UpdateWindow(hwnd);	// Step 3: The Message Loop	while(GetMessage(&Msg, NULL, 0, 0) > 0)	{		TranslateMessage(&Msg);		DispatchMessage(&Msg);	}	return Msg.wParam;}
Edited by simple
Link to comment
Share on other sites
kao

kao

Posted
Posted

I'll take the belt, too. :) Sample serials:

kao---44op46bbg050czd

WbdJKTddaEf90aRac674d

IzSROl99JRa224W7bb8qd

Serial must be entered in "name here" box, and "serial here" box can contain anything.

Keygen attached

keygen.zip

  • Like 1
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...