hlsdk

double lolz

Jul 15th, 2010
  1. /*
  2. ** VAC decryption key brute-forcer
  3. */
  4.  
  5. #include <stdio.h>
  6. #include <windows.h>
  7. #include <conio.h>
  8. #include <Tlhelp32.h>
  9. #include "Detours.h"
  10.  
HMODULE vacModule = NULL;      // NOTE(review): never referenced anywhere in this file

UINT32 decryptCall = 0x27EE;   // NOTE(review): never referenced; main() hard-codes the same offset


//
// Decrypt function
// key = packet
//
// Resolved by main() at a fixed offset from the loaded module's base and then
// called in a loop with test_dump as `key`. The meaning of the other three
// arguments is not established anywhere in this file — the parameter names
// below are the only hint.
BOOL (__cdecl *VacDecryptCode)(UINT8* dwDestAddress, UINT8* key, UINT8* somePointer, UINT32 something);

UINT8 block[0x10000];          // NOTE(review): never referenced anywhere in this file

UINT8 more_buffer[0x10000];    // scratch buffer main() passes as the third VacDecryptCode argument

UINT32 test_dump[10];          // candidate key: main() advances [0] and carries into [1];
                               // StatusThread and the final printf report [1], [0]
UINT32 last_crc = 0;           // written from Crc32Hook (the hooked routine's eax)
UINT8 running = 0;             // main() sets to 1 before starting StatusThread and to 0 after
                               // the loop; NOTE(review): read from another thread without
                               // volatile/atomic qualification, so formally a data race
  28.  
// Writes a "[Y/M/D h:m:s] " prefix built from the local clock to stdout.
// No trailing newline is emitted, so the caller's own text follows on the
// same line. (Not called anywhere in this file.)
void PrintCurrentTime() {
    SYSTEMTIME now = {0};
    GetLocalTime(&now);

    // WORD fields widen to int either way; naming them keeps the format
    // string and its arguments easy to check against each other.
    const int year = now.wYear, month = now.wMonth, day = now.wDay;
    const int hour = now.wHour, minute = now.wMinute, second = now.wSecond;
    printf("[%d/%d/%d %d:%d:%d] ", year, month, day, hour, minute, second);
}
  38.  
  39.  
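// Progress reporter that main() starts on its own thread: while the global
// `running` flag stays set it sleeps a minute, then prints the current
// candidate key (test_dump[1], test_dump[0]) and the last value Crc32Hook
// stored in last_crc. Returns once main() clears `running`.
//
// NOTE(review): `running` is a plain UINT8 shared with main(), so this loop
// is formally a data race; in practice the opaque Sleep() call is probably
// what forces the flag to be re-read — confirm if the build changes.
// NOTE(review): main() casts this to LPTHREAD_START_ROUTINE; the signature
// here is not DWORD WINAPI (LPVOID), so that cast hides a mismatch.
void StatusThread() {
    while (running) {
        // Update status every minute
        Sleep(60000);
        // The three values are UINT32, so they are widened and printed with
        // %08lX: handing a 32-bit integer to %p (as before) is a
        // format/argument mismatch, i.e. undefined behaviour in C.
        printf("Currently on key %08lX %08lX, last CRC32 was %08lX...\n",
               (unsigned long)test_dump[1], (unsigned long)test_dump[0],
               (unsigned long)last_crc);
    }
}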
  52.  
  53.  
// A jump inserted at the end of the CRC32 routine lands us here
// We monitor CRC32's coming off of CRC32_ProcessBuffer
//
// Target of the Detours hook main() installs on the code at its patchPtr.
// Declared naked, so no prologue/epilogue is generated and the asm below is
// everything that executes: it copies eax into the global last_crc (read by
// StatusThread) and otherwise pops, stores through edi, and returns as written.
// NOTE(review): the pop esi / mov [edi],eax / pop ebx / retn sequence looks
// like the tail of the detoured routine replayed by hand rather than a call
// through the trampoline (origCrc32 is a local in main() and is never used);
// confirm it matches the instructions Detours overwrote at patchPtr.
void __declspec(naked) Crc32Hook() {
    __asm {
        pop esi
        mov last_crc, eax
        mov [edi], eax
        pop ebx
        retn
    }
}
  65.  
  66.  
// Entry point. Loads "SourceInit.dat" as a module, derives three code
// pointers from its base by hard-coded offsets, hooks the one at 0x10e67 with
// Detours so Crc32Hook sees each result, starts StatusThread, and then calls
// VacDecryptCode with successive test_dump values until it returns nonzero.
// Returns 1 if the module cannot be loaded, 0 otherwise.
//
// NOTE(review): the offsets 0x27ee / 0x29CE / 0x10e67 are only valid for one
// exact build of the loaded module; nothing here checks the module's identity
// or size before treating those addresses as code, so a different build
// means calling into arbitrary bytes.
// NOTE(review): argc and argv are unused.
int main( int argc, char** argv ) {

    HMODULE hVac = LoadLibraryA("SourceInit.dat");

    if (!hVac) {
        printf("Can't load VAC client\n");
        return 1;
    }

    test_dump[0] = 0;

    // Code/data pointers computed by offset from the module base (see note above).
    UINT8* callPtr = (UINT8*)hVac + 0x27ee;
    UINT8* decode_addr = (UINT8*)hVac + 0x29CE;

    printf("hVac %p, Callptr %p\n", hVac, callPtr);
    printf("decoding at %p\n", decode_addr);

    VacDecryptCode = (BOOL (__cdecl *)(UINT8 *,UINT8 *,UINT8 *,UINT32))callPtr;

    UINT8* patchPtr = (UINT8*)hVac + 0x10e67;
    void (*origCrc32)() = (void(*)())patchPtr;

    // hookens
    // Detours redirects the code at patchPtr to Crc32Hook and rewrites
    // origCrc32 to point at the trampoline; origCrc32 is never used after this.
    // NOTE(review): DetourTransactionCommit's return value is ignored — if the
    // hook fails to install, the loop below still runs, just with last_crc
    // never updated.
    DetourTransactionBegin();
    DetourUpdateThread( GetCurrentThread() );

    DetourAttach( (PVOID*)&origCrc32, Crc32Hook);
    DetourTransactionCommit();
    //return 0;

    printf("Brute-forcing key... this will take a while.\n");

    // Try it

    running = 1;
    // NOTE(review): StatusThread is declared `void StatusThread()`, not
    // DWORD WINAPI (LPVOID), so the cast hides a calling-convention/return
    // mismatch; the 5th and 6th arguments (dwCreationFlags, lpThreadId) are
    // given NULL where a DWORD and an optional DWORD* are expected; and the
    // returned HANDLE is neither stored nor closed.
    CreateThread( 0, 100000, (LPTHREAD_START_ROUTINE)StatusThread, NULL, NULL, NULL );



    // test_dump is handed over as the key. Each pass re-calls VacDecryptCode
    // with the current test_dump and then advances it: [0] is incremented,
    // with a carry into [1] when [0] is at 0xffffffff (the check precedes the
    // increment, so [0] wraps to 0 on the same pass).
    BOOL result = VacDecryptCode( decode_addr, (UINT8*)test_dump, (UINT8*)more_buffer, 0x2000);
    while (!result) {
        //printf("Tried key 0x%p\n", test_dump[2]);
        result = VacDecryptCode( decode_addr, (UINT8*)test_dump, (UINT8*)more_buffer, 0x2000);

        if (test_dump[0] == 0xffffffff) test_dump[1]++;
        test_dump[0]++;

    }

    // Lets StatusThread's loop exit; the thread is not joined before return.
    running = 0;

    // NOTE(review): %p with UINT32 arguments is a format/argument mismatch.
    printf("Decrypt successful! key %p %p\n", test_dump[1], test_dump[0]);

    return 0;
}