VAC decrypting shit

1. /*
2. ** VAC decrypter
3. **
4. ** Special thanks to wav for some infos.
5. */
6.  
7. #include <stdio.h>
8. #include <windows.h>
9. #include <conio.h>
10. #include <Tlhelp32.h>
11.  
12. // The VAC module!
13. HMODULE hVac = NULL;
14.  
15. // Pointer to the decryption function, as of July 16th 2010.
16. // VAC hasn't been updated in ages so this should still work.
17. UINT32 decryptCall = 0x27EE;
18.  
19. // Offsets to encrypted code blocks. This uses the 64-bit encryption
20. // algorithm. These are arranged in order of the jump table.
21. UINT32 encryptedCodeBlocks[14] = {
22.  
23. // Functions in the scan request jump table
24. 0x24B5, // Function 0 - Undumped
25. // Function 1 - Unused
26. // Function 2 - Unused
27. 0x7018, // Function 3 - Undumped
28. 0x14C7, // Function 4 - Undumped
29. 0x1E4F, // Function 5 - Undumped
30. 0x218F, // Function 6 - Undumped
31. 0x7331, // Function 7 - Module check of some sort
32. 0x4564, // Function 8 - Process / Module enumeration
33. 0x35A4, // Function 9 - Compute MD5 of all modules
34. 0x29CE, // Function 10 -
35. 0x5879, // Function 11 -
36. 0x662F, // Function 12 -
37.  
38.  
39.  
40.  
41. // Encrypted functions referenced within the encrypted blocks
42. 0x7DBF,
43. 0x89F0, // Utility functions. Used by Function 7
44. 0xF5FD,
45. };
46.  
47. // Offsets to encrypted string blocks. This uses a far more simple
48. // algorithm, which we handle in here.
49. UINT32 encryptedStringBlocks[8] = {
50. 0x22FC8,
51. 0x22FD8,
52. 0x23090,
53. 0x230A8,
54. 0x230C4,
55. 0x230D8,
56. 0x230F8,
57. 0x2310C,
58. };
59.  
60. //
61. // Here are the 64-bit encryption keys used by VAC to decrypt its code.
62. // Keys are sent over whenever VAC wants a function to run.
63. // To dump these, hook some code slightly before the scans run. The key
64. // will be stored in a pointer at [ebp + 0xC].
65. //
66. #define MAX_KEYS 7
67. UINT8 keys[MAX_KEYS][8] = {
68. { 0x6c, 0xa3, 0xda, 0x1a, 0x35, 0x13, 0xc3, 0xc1 }, // Key A - Shared between 2 functions
69. { 0xa9, 0x5c, 0x1a, 0x9b, 0x98, 0x37, 0x76, 0x05 }, // Key B
70. { 0xea, 0xbe, 0xdf, 0x61, 0x62, 0xb2, 0x77, 0x11 }, // Key C
71. { 0x0b, 0x16, 0xd5, 0xe4, 0x76, 0x5b, 0xdf, 0xf3 }, // Key D: Fcn 11.
72. { 0xd0, 0xe6, 0xa5, 0x35, 0x1c, 0x93, 0x5a, 0xe5 }, // Key E: Fcn 10. Seems to be popular for MW2
73.  
74. // Keys in VAC, probably for client/server communications.
75. // These might just be one big 128-bit key.
76. { 0x34, 0xb2, 0xa2, 0x48, 0x7f, 0xd6, 0x8f, 0xd1 },
77. { 0xec, 0x08, 0xa1, 0xb4, 0xf3, 0xc6, 0xd2, 0x35 },
78. };
79.  
80.  
81. // A struct for vac_encrypted_func.
82. typedef struct {
83. UINT8 fcn_number; // Number of the encrypted block (unused?)
84. UINT32 fcn_size; // Size of the block
85. UINT32 fcn_passes; // Passes during decryption (thanks, wav)
86. UINT32 fcn_crc32; // CRC32 of the function
87. } vac_encrypted_func;
88.  
89.  
90. /*
91. ** Here is the VAC decryption function.
92. **
93. ** A more accurate prototype is:
94. ** BOOL __cdecl VacDecryptCode( vac_encrypted_func* pFunction, UINT32* pKey, UINT8* pWorkspace, UINT32 dwMaxCodeSize);
95. */
96. BOOL (__cdecl *VacDecryptCode)(UINT8* dwDestAddress, UINT32* key, UINT8* somePointer, UINT32 something);
97.  
98. // Something to satisfy the third argument to the function with. I have no idea what this is.
99. UINT32 more_buffer[0x10000];
100.  
101.  
102. void DecodeCodeBlocks() {
103.  
104.  
105.  
106. }
107.  
108.  
109.  
110.  
111. // String block decoding
112. // This is a bit buggy...
113. void DecodeStringBlocks() {
114. DWORD oldProtect;
115.  
116.  
117. for (int i = 0; i < 8; i++) {
118. UINT32* base = (UINT32*)((UINT8*)hVac + encryptedStringBlocks[i]);
119. cprintf("Working on string block at %p\n", base);
120.  
121. for (int x = 0; base[x] != 0; x++) {
122. UINT8* encryptedstring = (UINT8*)base[x];
123. UINT8 xor_key = 0x55;
124. UINT8 size = encryptedstring[0] ^ xor_key;
125.  
126. VirtualProtect( (LPVOID)encryptedstring, 0x10000, PAGE_EXECUTE_READWRITE, &oldProtect );
127.  
128. encryptedstring++;
129.  
130. UINT8 buffer[ 256 ];
131. memset(buffer, 0, 256);
132. for (int y = 0; encryptedstring[y] != 0; y++) {
133. UINT8 decoded = encryptedstring[y] ^ xor_key;
134. xor_key = encryptedstring[y];
135. buffer[y] = decoded;
136.  
137. // zero-terminate the string
138. //if (encryptedstring[y+1] == 0) encryptedstring[y] = 0;
139. }
140. printf("Decrypted string %s\n", buffer);
141.  
142.  
143. //encryptedstring[size - 1] = 0;
144. //memcpy( encryptedstring - 1, buffer, size);
145.  
146. }
147.  
148. }
149.  
150. }
151.  
152.  
153.  
154. int main( int argc, char** argv ) {
155.  
156. hVac = LoadLibraryA("SourceInit.dat");
157.  
158. if (!hVac) {
159. printf("Can't load VAC client\n");
160. return 1;
161. }
162.  
163. UINT8* callPtr = (UINT8*)hVac + 0x27ee;
164.  
165. // Pointer
166. printf("hVac %p, Callptr %p\n", hVac, callPtr);
167. //printf("decoding at %p\n", decode_addr);
168.  
169. VacDecryptCode = (BOOL (__cdecl *)(UINT8 *,UINT32 *,UINT8 *,UINT32))callPtr;
170.  
171. printf("Decrypting...\n");
172.  
173. UINT32 decoded_funcs = 0;
174.  
175. for (int i = 0; i < 14; i++ ) {
176. UINT8* decode_addr = (UINT8*)hVac + encryptedCodeBlocks[i];
177.  
178. for (int x = 0; x < MAX_KEYS; x++) {
179.  
180.  
181. BOOL result = VacDecryptCode( decode_addr, (UINT32*)keys[x], (UINT8*)more_buffer, 0x2000);
182.  
183. if (result) {
184. decoded_funcs++;
185. UINT32* key = (UINT32*)keys[i];
186. printf("Key #%d decrypted block #%d at 0x%p OK\n",
187. x, i, encryptedCodeBlocks[i]);
188.  
189. // break from this loop
190. break;
191. }
192. }
193. }
194.  
195. printf("Decoded %d of 14 functions\n", decoded_funcs);
196.  
197. printf("Decoding encrypted strings...\n");
198. DecodeStringBlocks();
199.  
200. FILE * f = fopen("VacDecoded.bin","wb");
201. if (f) {
202. fwrite(hVac, 0x31000, 1, f);
203. fclose(f);
204.  
205. printf("Wrote decoded DLL to VacDecoded.bin\n");
206.  
207. }
208.  
209.  
210.  
211. return 0;
212. }