├── canyoucrackit.co.uk └── vm.emu.py ├── confidence.2011 ├── README ├── bf.c ├── dump_tab.txt ├── elf.bin ├── force64.exe ├── kg.py ├── tab.h └── tab.txt ├── cyclops.dongle.me ├── README ├── crackme │ ├── Dongle Me.exe │ └── ReadMe.txt └── dongle │ ├── bin │ ├── kg.exe │ ├── libgcc_s_dw2-1.dll │ ├── libstdc++-6.dll │ └── vmulti │ │ ├── WdfCoInstaller01009.dll │ │ ├── devcon.exe │ │ ├── hidkmdf.sys │ │ ├── install_driver.bat │ │ ├── remove.bat │ │ ├── test.bat │ │ ├── testvmulti.exe │ │ ├── vmulti.inf │ │ └── vmulti.sys │ ├── kg │ ├── crc32.cpp │ ├── crc32.h │ ├── ecnr.cpp │ ├── ecnr.h │ ├── keygen.cpp │ ├── makefile │ ├── mingw-obj │ │ ├── big.o │ │ ├── crt.o │ │ ├── ec2.o │ │ ├── ecn.o │ │ ├── flash.o │ │ ├── miracl.a │ │ └── zzn.o │ └── vmulticlient.lib │ ├── rawhid_test │ ├── Makefile │ ├── hid.h │ ├── hid_LINUX.c │ ├── hid_MACOSX.c │ ├── hid_WINDOWS.c │ ├── rawhid_test.c │ └── rawhid_test.exe │ ├── usb_rawhid │ ├── Makefile │ ├── analog.c │ ├── analog.h │ ├── example.c │ ├── usb_rawhid.c │ └── usb_rawhid.h │ └── vmulti │ ├── Symbols.pri │ └── bin │ │ ├── exe │ │ └── testvmulti.pdb │ │ └── sys │ │ ├── hidkmdf.pdb │ │ └── vmulti.pdb │ ├── bin │ ├── WdfCoInstaller01009.dll │ ├── hidkmdf.sys │ ├── install_driver.bat │ ├── remove.bat │ ├── test.bat │ ├── testvmulti.exe │ ├── vmulti.inf │ └── vmulti.sys │ ├── build_logs │ └── binplace.log │ ├── buildchk_wxp_x86.log │ ├── buildfre_wxp_x86.log │ ├── buildme.bat │ ├── client │ ├── client.c │ ├── sources │ └── vmulticlient.vcproj │ ├── dirs │ ├── hidmapper │ ├── hidkmdf.c │ ├── hidkmdf.rc │ ├── makefile │ └── sources │ ├── inc │ ├── hidport.h │ ├── vmulticlient.h │ └── vmulticommon.h │ ├── obj │ ├── dongle │ │ └── vmulti │ │ │ ├── client │ │ │ └── objchk_wxp_x86 │ │ │ │ └── i386 │ │ │ │ ├── _objects.mac │ │ │ │ ├── client.obj │ │ │ │ └── vmulticlient.lib │ │ │ ├── hidmapper │ │ │ └── objchk_wxp_x86 │ │ │ │ └── i386 │ │ │ │ ├── _objects.mac │ │ │ │ ├── hidkmdf.obj │ │ │ │ ├── hidkmdf.pdb │ │ │ │ ├── hidkmdf.res │ │ │ │ 
├── hidkmdf.sys │ │ │ │ └── vc90.pdb │ │ │ ├── sys │ │ │ └── objchk_wxp_x86 │ │ │ │ └── i386 │ │ │ │ ├── _objects.mac │ │ │ │ ├── vc90.pdb │ │ │ │ ├── vmulti.inf │ │ │ │ ├── vmulti.obj │ │ │ │ ├── vmulti.obj.oacr.root.x86chk.pft.xml │ │ │ │ ├── vmulti.pdb │ │ │ │ ├── vmulti.res │ │ │ │ └── vmulti.sys │ │ │ └── test │ │ │ └── objchk_wxp_x86 │ │ │ └── i386 │ │ │ ├── _objects.mac │ │ │ ├── testvmulti.exe │ │ │ ├── testvmulti.obj │ │ │ ├── testvmulti.pdb │ │ │ ├── testvmulti.res │ │ │ └── vc90.pdb │ └── multi │ │ ├── client │ │ ├── objchk_wxp_x86 │ │ │ └── i386 │ │ │ │ ├── _objects.mac │ │ │ │ ├── client.obj │ │ │ │ └── vmulticlient.lib │ │ └── objfre_wxp_x86 │ │ │ └── i386 │ │ │ ├── _objects.mac │ │ │ ├── client.obj │ │ │ └── vmulticlient.lib │ │ ├── hidmapper │ │ ├── objchk_wxp_x86 │ │ │ └── i386 │ │ │ │ ├── _objects.mac │ │ │ │ ├── hidkmdf.obj │ │ │ │ ├── hidkmdf.pdb │ │ │ │ ├── hidkmdf.res │ │ │ │ ├── hidkmdf.sys │ │ │ │ └── vc90.pdb │ │ └── objfre_wxp_x86 │ │ │ └── i386 │ │ │ ├── _objects.mac │ │ │ ├── hidkmdf.obj │ │ │ ├── hidkmdf.pdb │ │ │ ├── hidkmdf.res │ │ │ ├── hidkmdf.sys │ │ │ └── vc90.pdb │ │ ├── sys │ │ ├── objchk_wxp_x86 │ │ │ └── i386 │ │ │ │ ├── _objects.mac │ │ │ │ ├── vc90.pdb │ │ │ │ ├── vmulti.inf │ │ │ │ ├── vmulti.obj │ │ │ │ ├── vmulti.pdb │ │ │ │ ├── vmulti.res │ │ │ │ └── vmulti.sys │ │ └── objfre_wxp_x86 │ │ │ └── i386 │ │ │ ├── _objects.mac │ │ │ ├── vc90.pdb │ │ │ ├── vmulti.inf │ │ │ ├── vmulti.obj │ │ │ ├── vmulti.pdb │ │ │ ├── vmulti.res │ │ │ └── vmulti.sys │ │ └── test │ │ ├── objchk_wxp_x86 │ │ └── i386 │ │ │ ├── _objects.mac │ │ │ ├── testvmulti.exe │ │ │ ├── testvmulti.obj │ │ │ ├── testvmulti.pdb │ │ │ ├── testvmulti.res │ │ │ └── vc90.pdb │ │ └── objfre_wxp_x86 │ │ └── i386 │ │ ├── _objects.mac │ │ ├── testvmulti.exe │ │ ├── testvmulti.obj │ │ ├── testvmulti.pdb │ │ ├── testvmulti.res │ │ └── vc90.pdb │ ├── sys │ ├── makefile │ ├── makefile.inc │ ├── sources │ ├── vmulti.c │ ├── vmulti.h │ ├── vmulti.inx │ └── vmulti.rc │ ├── 
test │ ├── makefile │ ├── sources │ ├── testvmulti.c │ ├── testvmulti.cbp │ ├── testvmulti.rc │ └── testvmulti.vcproj │ └── vmulticlient.sln ├── dcoder.keygenme2 ├── keygenme2.exe ├── kgn │ ├── README │ ├── hash.asm │ ├── keygen.c │ ├── lambda.c │ └── makefile └── readme.txt ├── dcoder.keygenme3 ├── 4sum.py ├── keygenme3.zip ├── makefile ├── readme.txt ├── siphash.c ├── siphash.h └── sum4.c ├── phdays.2012 ├── README ├── bh.2012.crackme.exe ├── kg.py ├── phdays.2012.cm.zip ├── solver.py └── tab.py ├── pimp ├── README ├── bf.c ├── go.py ├── pimp_crackme.exe ├── readme.txt └── rip_vm.py ├── tmrth2 ├── kgnme2.zip └── tmrth2-kgn │ ├── kg.c │ ├── kg.h │ ├── makefile │ ├── skein │ ├── SHA3api_ref.c │ ├── SHA3api_ref.h │ ├── brg_endian.h │ ├── brg_types.h │ ├── skein.c │ ├── skein.h │ ├── skein_block.c │ ├── skein_debug.c │ ├── skein_debug.h │ ├── skein_iv.h │ └── skein_port.h │ └── smth.asm └── weak.dsa ├── AuthServer.cs ├── Program.cs ├── readme.txt └── weak_dsa_kg.exe /confidence.2011/README: -------------------------------------------------------------------------------- 1 | Confidence 2011 crackme solution 2 | -------------------------------- 3 | 4 | pa_kt 5 | 7e476857-pcp1aa1agslatl3tptgs 6 | 7 | Files: 8 | 9 | force64.exe - crackme 10 | elf.bin - mapped ELF binary, core of the scheme is implemented here 11 | bf.c - bruteforcer 12 | kg.py - "keygen". You will need to add CubeHash computation and rip a bit of 13 | code from the crackme, to make it a real keygen. 14 | dump_tab.txt - table ripping script. You will need OllyScript to use it. 15 | 16 | If you are interested why this CRC implementation works, see my blog. 
17 | 18 | pa_kt 19 | gdtr.wordpress.com 20 | 21 | -------------------------------------------------------------------------------- /confidence.2011/bf.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | typedef unsigned int uint; 5 | 6 | uint tab_hi[] = {0x474681bf, 0x76c8876b, 0xed910ed6, 0x236799b9, 7 | 0xbe8ab767, 0x7d156ece, 0x026f5989, 0x04deb312, 8 | 0x09bd6624, 0x137acc48, 0x26f59890, 0x4deb3120, 9 | 0x6393e655, 0x3f6248bf, 0x7ec4917e, 0xfd8922fc, 10 | 0x0357c1ed, 0xfeea07cf, 0xfdd40f9e, 0xfba81f3c, 11 | 0x0f15ba6d, 0x1e2b74da, 0xc4136da1, 0x8826db42, 12 | 0xe8083291, 0xd0106522, 0x58654e51, 0xb0ca9ca2, 13 | 0x61953944, 0xc32a7288, 0x7e116105, 0xfc22c20a}; 14 | 15 | uint tab_lo[] = {0x8d915d6b, 0x7ed5ef07, 0xfdabde0e, 0x9ea0e9cc, 16 | 0x58b68649, 0xb16d0c93, 0x072d4cf7, 0x0e5a99ee, 0x1cb533dc, 17 | 0x396a67b8, 0x72d4cf70, 0xe5a99ee0, 0xaea46811, 0x38bf85f3, 18 | 0x717f0be6, 0xe2fe17cc, 0xa00b7a48, 0x25e1a141, 0x4bc34283, 19 | 0x97868507, 0x4afa5fde, 0x95f4bfbc, 0x4e1e2aa9, 0x9c3c5553, 20 | 0x5d8fff76, 0xbb1ffeed, 0x13c8a80a, 0x27915014, 0x4f22a029, 21 | 0x9e454052, 0x597dd574, 0xb2fbaae8}; 22 | 23 | void crc64(uint x, uint *h, uint *l){ 24 | int i; 25 | uint hi,lo, b; 26 | 27 | hi = lo = b = 0; 28 | 29 | for(i=0;i<32;i++){ 30 | b = (x>>i) & 1; 31 | if (b){ 32 | hi ^= tab_hi[i]; 33 | lo ^= tab_lo[i]; 34 | } 35 | } 36 | 37 | *h = hi; 38 | *l = lo; 39 | } 40 | 41 | void test(){ 42 | 43 | uint h,l; 44 | 45 | crc64(0xaabbccdd, &h, &l); 46 | printf("test: 0x%08x 0x%08x\n", h, l); 47 | crc64(0x3, &h, &l); 48 | printf("test: 0x%08x 0x%08x\n", h, l); 49 | } 50 | 51 | //.text:00401553 push 160h ; _DWORD 52 | //.text:00401558 push offset computed_hash ; _DWORD 53 | //.text:0040155D call interestingFunc 54 | //.text:00401563 add esp, 8 55 | //.text:00401566 cmp edx, 53534532h 56 | //.text:0040156C jnz short loc_401579 57 | //.text:0040156E cmp eax, 33444F4Eh 58 | //.text:00401573 jnz short loc_401579 59 | 
60 | //.text:08002C0F mov [ebp+hi_dword], esi 61 | //.text:08002C34 mov eax, esi 62 | //.text:08002C36 xor eax, 6008E054h 63 | //.text:08002C3B mov edx, [ebp+lo_dword] 64 | //.text:08002C41 xor edx, 6B3E997Ah 65 | 66 | // 6B3E997A ^ 53534532 = 386DDC48 (lo dword) 67 | // 6008E054 ^ 33444F4E = 534CAF1A (hi dword) 68 | // 69 | // 0x01814a43 -> 0x70cd1b75 0x386ddc48 (h3, l3) 70 | // 71 | // 72 | // h3' = h3 ^ old_l2 == 534caf1a 73 | // h3 == 0x70cd1b75 74 | // old_l2 = 70cd1b75 ^ 534caf1a = 2381b46f 75 | // 76 | // 77 | // 0xffffc8ca -> 0xcb49b5bc 0x2381b46f 78 | // 79 | 80 | int main(int argc, char *argv[]){ 81 | 82 | uint h,l,dw; 83 | 84 | //test(); 85 | 86 | for(dw=0;dw<0xFFFFFFFF;dw++){ 87 | crc64(dw, &h, &l); 88 | 89 | //if(l == 0x386DDC48){ 90 | if(l == 0x2381B46F){ 91 | printf("lol: 0x%08x 0x%08x 0x%08x\n", dw, h, l); 92 | return 0; 93 | } 94 | 95 | if(dw % (1<<27) == 0){ 96 | printf("dw=0x%08x\n", dw); 97 | } 98 | } 99 | 100 | return 0; 101 | } 102 | -------------------------------------------------------------------------------- /confidence.2011/dump_tab.txt: -------------------------------------------------------------------------------- 1 | // 2 | // put a breakpoint at 3 | // 0026090F 898D 38FFFFFF MOV DWORD PTR SS:[EBP-C8],ECX 4 | // and run the script 5 | // 6 | // 7 | 8 | var d1_ptr 9 | var d2_ptr 10 | var c_ptr 11 | 12 | var d1 13 | var d2 14 | var count 15 | var shift 16 | 17 | 18 | mov c_ptr, 18f7f0 19 | mov d1_ptr, c_ptr 20 | add d1_ptr, 4 21 | mov d2_ptr, d1_ptr 22 | add d2_ptr, 4 23 | 24 | mov count, 0 25 | mov shift, 1 26 | 27 | next: 28 | 29 | mov ecx, shift 30 | 31 | mov [d1_ptr], 0 32 | mov [d2_ptr], 0 33 | mov [c_ptr], 0 34 | 35 | sti 36 | run 37 | 38 | mov d1, [d1_ptr] 39 | mov d2, [d2_ptr] 40 | 41 | eval "{d1} {d2} {count}" 42 | log $RESULT 43 | 44 | inc count 45 | mul shift, 2 46 | cmp count, 20 //32 dec. 
47 | jne next 48 | 49 | ret -------------------------------------------------------------------------------- /confidence.2011/elf.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/confidence.2011/elf.bin -------------------------------------------------------------------------------- /confidence.2011/force64.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/confidence.2011/force64.exe -------------------------------------------------------------------------------- /confidence.2011/kg.py: -------------------------------------------------------------------------------- 1 | # pa_kt 2 | # 7e476857-pcp1aa1agslatl3tptgs 3 | 4 | def import_tab(fn): 5 | f = open(fn, "r") 6 | l = f.readlines() 7 | l = map(lambda x: x.strip(), l) 8 | 9 | o = [] 10 | for x in l: 11 | d1, d2, c = x.split(" ") 12 | #print d1, d2, c 13 | 14 | d1, d2, c = int(d1, 16), int(d2, 16), int(c, 16) 15 | 16 | o.append((d1,d2)) 17 | 18 | return o 19 | 20 | def dump_tab(tab): 21 | 22 | h = map(lambda (x,y): "0x%08x"%x, tab) 23 | l = map(lambda (x,y): "0x%08x"%y, tab) 24 | 25 | o = ", ".join(h) 26 | print "tab_hi[] = {%s}" % o 27 | 28 | o = ", ".join(l) 29 | print "tab_lo[] = {%s}" % o 30 | 31 | def crc64(hi, lo, tab, dw): 32 | HI = 0 33 | LO = 1 34 | 35 | old_lo = lo 36 | 37 | lo = 0 38 | hi = 0 39 | for pos in range(32): 40 | b = dw>>pos 41 | b = b & 1 42 | if b: 43 | hi ^= tab[pos][HI] 44 | lo ^= tab[pos][LO] 45 | 46 | return (hi^old_lo,lo) 47 | 48 | def tests(tab): 49 | 50 | hi,lo = crc64(0, 0, tab, 3) 51 | print hex(hi), hex(lo) 52 | assert(hi == 0x318e06d4 and lo == 0xf344b26c) 53 | 54 | hi,lo = crc64(0xffffffff, 0xffffffff, tab, 3) 55 | print hex(hi), hex(lo) 56 | assert(hi == 0xce71f92b and lo == 0xf344b26c) 57 | 58 | hi,lo = crc64(0, 0, tab, 0xaabbccdd) 
59 | print hex(hi), hex(lo) 60 | assert (hi == 0x1907d4f7 and lo == 0x5ac9db3f) 61 | 62 | hi,lo = crc64(0x11223344, 0x55667788, tab, 0xaabbccdd) 63 | print hex(hi), hex(lo) 64 | assert (hi == 0x4c61a37f and lo == 0x5ac9db3f) 65 | 66 | hi,lo = crc64(0, 0x12345678, tab, 0xaabbccdd) 67 | print hex(hi), hex(lo) 68 | assert (hi == 0xb33828f and lo == 0x5ac9db3f) 69 | 70 | def lol(s, tab): 71 | 72 | o = [] 73 | for c in s: 74 | x = ord(c) 75 | i = tab.index(x) 76 | o.append(i) 77 | return o 78 | 79 | def encode(words): 80 | tab = [0x00, 0x35, 0x0D, 0x39, 0x20, 0x23, 0x2C, 0x2E, 0x0A, 0x29, 0x34, 0x26, 0x38, 0x30, 0x3A, 0x3B, 81 | 0x33, 0x22, 0x24, 0x3F, 0x27, 0x36, 0x21, 0x2F, 0x2D, 0x32, 0x27, 0x20, 0x37, 0x31, 0x28, 0x20] 82 | 83 | serial = "" 84 | for w in words: 85 | d = str(w) 86 | n = len(d) 87 | d = "0"*max(0, 5-n)+d 88 | l = lol(d, tab) 89 | l2 = [] 90 | for x in l: 91 | if x<10: 92 | y = x+0x30 93 | else: 94 | y = x+ord('W') 95 | l2.append(chr(y)) 96 | 97 | print hex(w),d,l2 98 | serial += "".join(l2) 99 | 100 | return serial 101 | 102 | 103 | if __name__=="__main__": 104 | 105 | tab = import_tab("tab.txt") 106 | 107 | # 108 | # 0x01814a43 -> 0x70cd1b75 0x386ddc48 (h3, l3) 109 | # 0xffffc8ca -> 0xcb49b5bc 0x2381b46f 110 | # 111 | 112 | #pa_kt 113 | 114 | magic1 = 0xffffc8ca 115 | magic2 = 0x01814a43 116 | 117 | hi = 0x4e82a694 118 | lo = 0xe5a10556 119 | 120 | d1 = hi ^ magic1 121 | 122 | hi,lo = crc64(hi, lo, tab, magic1) 123 | print hex(hi), hex(lo) 124 | 125 | d2 = hi ^ magic2 126 | 127 | hi,lo = crc64(hi, lo, tab, 0x01814a43) 128 | print hex(hi), hex(lo) 129 | 130 | print hex(d1), hex(d2) 131 | words = [d1 & 0xFFFF, d1>>16, d2 & 0xFFFF, d2 >> 16] 132 | print words 133 | o = encode(words) 134 | print o 135 | 136 | 137 | 138 | -------------------------------------------------------------------------------- /confidence.2011/tab.h: -------------------------------------------------------------------------------- 1 | tab_hi[] = {0x474681bf, 0x76c8876b, 0xed910ed6, 
0x236799b9, 0xbe8ab767, 0x7d156ece, 0x026f5989, 0x04deb312, 0x09bd6624, 0x137acc48, 0x26f59890, 0x4deb3120, 0x6393e655, 0x3f6248bf, 0x7ec4917e, 0xfd8922fc, 0x0357c1ed, 0xfeea07cf, 0xfdd40f9e, 0xfba81f3c, 0x0f15ba6d, 0x1e2b74da, 0xc4136da1, 0x8826db42, 0xe8083291, 0xd0106522, 0x58654e51, 0xb0ca9ca2, 0x61953944, 0xc32a7288, 0x7e116105, 0xfc22c20a} 2 | tab_lo[] = {0x8d915d6b, 0x7ed5ef07, 0xfdabde0e, 0x9ea0e9cc, 0x58b68649, 0xb16d0c93, 0x072d4cf7, 0x0e5a99ee, 0x1cb533dc, 0x396a67b8, 0x72d4cf70, 0xe5a99ee0, 0xaea46811, 0x38bf85f3, 0x717f0be6, 0xe2fe17cc, 0xa00b7a48, 0x25e1a141, 0x4bc34283, 0x97868507, 0x4afa5fde, 0x95f4bfbc, 0x4e1e2aa9, 0x9c3c5553, 0x5d8fff76, 0xbb1ffeed, 0x13c8a80a, 0x27915014, 0x4f22a029, 0x9e454052, 0x597dd574, 0xb2fbaae8} 3 | -------------------------------------------------------------------------------- /confidence.2011/tab.txt: -------------------------------------------------------------------------------- 1 | 474681BF 8D915D6B 0 2 | 76C8876B 7ED5EF07 1 3 | ED910ED6 FDABDE0E 2 4 | 236799B9 9EA0E9CC 3 5 | BE8AB767 58B68649 4 6 | 7D156ECE B16D0C93 5 7 | 26F5989 72D4CF7 6 8 | 4DEB312 E5A99EE 7 9 | 9BD6624 1CB533DC 8 10 | 137ACC48 396A67B8 9 11 | 26F59890 72D4CF70 A 12 | 4DEB3120 E5A99EE0 B 13 | 6393E655 AEA46811 C 14 | 3F6248BF 38BF85F3 D 15 | 7EC4917E 717F0BE6 E 16 | FD8922FC E2FE17CC F 17 | 357C1ED A00B7A48 10 18 | FEEA07CF 25E1A141 11 19 | FDD40F9E 4BC34283 12 20 | FBA81F3C 97868507 13 21 | F15BA6D 4AFA5FDE 14 22 | 1E2B74DA 95F4BFBC 15 23 | C4136DA1 4E1E2AA9 16 24 | 8826DB42 9C3C5553 17 25 | E8083291 5D8FFF76 18 26 | D0106522 BB1FFEED 19 27 | 58654E51 13C8A80A 1A 28 | B0CA9CA2 27915014 1B 29 | 61953944 4F22A029 1C 30 | C32A7288 9E454052 1D 31 | 7E116105 597DD574 1E 32 | FC22C20A B2FBAAE8 1F -------------------------------------------------------------------------------- /cyclops.dongle.me/README: -------------------------------------------------------------------------------- 1 | Dongle Me by cyclops 2 | -------------------- 3 | 4 | Usage 
(emulator): 5 | ----------------- 6 | - go to dongle\bin\vmulti and run install_driver.bat. Successful installation 7 | will result in new HID devices being shown in Device Manager (tested on XP). 8 | - go to \dongle\bin and run kg.exe /emu 9 | - run the crackme 10 | 11 | Usage (hw dongle): 12 | ------------------ 13 | - program your dongle as explained below 14 | - run kg.exe /dongle to write correct signature to the dongle 15 | - unplug and plug again 16 | - run the crackme 17 | 18 | Hw dongle 19 | --------- 20 | 21 | You will need to acquire a Teensy compatible dongle, or build one yourself. 22 | 23 | The keygen generates a correct ECNR signature for the current user's username 24 | and transmits it to the dongle. The dongle stores it in EEPROM and periodically 25 | sends the signature to the OS. 26 | 27 | You will need: 28 | - teensy (www.pjrc.com/teensy), or a compatible clone 29 | - mingw compiler 30 | - WinAVR 31 | - unix utils (not essential, but used in makefile) 32 | - miracl library (www.shamus.ie), but only for headers, you don't need to 33 | compile it -- necessary .o files are in \mingw-obj folder 34 | - FLIP 3.4.3 (http://goo.gl/ZRqFD), but only if you are using a clone and 35 | the original Teensy loader doesn't work for you 36 | 37 | Installation: 38 | - go to usb_rawhid dir. and change "MCU" in makefile, to match the processor 39 | you are using. When done, build example.hex with "make". 40 | - using FLIP, or the original Teensy loader, load example.hex onto the 41 | dongle. There should be a button on the dongle, don't forget to keep it 42 | pressed when plugging it in, otherwise you won't be able to program it. 43 | - Unplug the dongle and plug it again, but without pressing the button. This 44 | will allow your program to run. 45 | - Go to \kg directory and build with "make". 46 | - Run kg.exe /dongle to send necessary information to the dongle. 47 | - Done. 
Your dongle will be accepted by the crackme, but only on system 48 | accounts you run kg.exe under (usernames must match, otherwise you will 49 | need to reprogram). 50 | 51 | WARNING 52 | ------- 53 | If you ever decide to mix mingw and VS object files, punch yourself in the face 54 | and think again. 55 | Here are some tips, if you decide to ignore these words of wisdom: 56 | 57 | - to disable name mangling in VS, declare functions as __cdecl. This will 58 | produce _foo, instead of foo@N 59 | - in sources compiled with mingw (g++), declare functions linked from VS objects 60 | in extern "C" {} 61 | - if you are getting errors regarding __security_cookie* symbols, remove /GS 62 | flag from VS parameters. In case of DDK, change BUFFER_OVERFLOW_CHECKS to 0, 63 | inside i386mk.inc. 64 | 65 | pa_kt 66 | gdtr.wordpress.com 67 | -------------------------------------------------------------------------------- /cyclops.dongle.me/crackme/Dongle Me.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/crackme/Dongle Me.exe -------------------------------------------------------------------------------- /cyclops.dongle.me/crackme/ReadMe.txt: -------------------------------------------------------------------------------- 1 | Dongle Me By Cyclops 2 | -------------------- 3 | 4 | Acceptable solution: 1. A hardware(you can send it via snail mail..lol). Schematic and a pic/video will do. 5 | 2. A custom dongle emulator program. 6 | A separate keygen is much appreciated ;) 7 | 8 | Level: It is fairly easy. Both dongle and crypto. 9 | 10 | Tested on: XP SP3, Vista x86, Vista x64 11 | 12 | Greetings to my friends, especially the ones over #crackmesde on dalnet. 13 | Thanks to Sam for a quick GFX, J&J for HW support. 
14 | 15 | http://crackmes.de 16 | http://cyclops.ueuo.com -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/bin/kg.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/bin/kg.exe -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/bin/libgcc_s_dw2-1.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/bin/libgcc_s_dw2-1.dll -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/bin/libstdc++-6.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/bin/libstdc++-6.dll -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/bin/vmulti/WdfCoInstaller01009.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/bin/vmulti/WdfCoInstaller01009.dll -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/bin/vmulti/devcon.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/bin/vmulti/devcon.exe -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/bin/vmulti/hidkmdf.sys: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/bin/vmulti/hidkmdf.sys -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/bin/vmulti/install_driver.bat: -------------------------------------------------------------------------------- 1 | devcon.exe install vmulti.inf HID\vmulti 2 | -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/bin/vmulti/remove.bat: -------------------------------------------------------------------------------- 1 | devcon.exe remove "HID\VMulti&Col01" 2 | devcon.exe remove "HID\VMulti&Col02" 3 | devcon.exe remove "HID\VMulti&Col03" 4 | devcon.exe remove "HID\VMulti&Col04" 5 | devcon.exe remove "HID\VMulti&Col05" 6 | devcon.exe remove "HID\VMulti&Col06" 7 | devcon.exe remove "HID\VMulti&Col07" 8 | devcon.exe remove "HID\VMulti&Col08" 9 | devcon.exe remove "HID\vmulti" 10 | 11 | -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/bin/vmulti/test.bat: -------------------------------------------------------------------------------- 1 | C:\WinDDK\7600.16385.1\tools\devcon\i386\devcon.exe remove HID\vmulti 2 | cd .. 
3 | cmd /c buildme.bat 4 | cd bin 5 | cmd /c install_driver.bat 6 | echo After keypress, launching testvmulti 7 | pause 8 | testvmulti /joystick 9 | -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/bin/vmulti/testvmulti.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/bin/vmulti/testvmulti.exe -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/bin/vmulti/vmulti.inf: -------------------------------------------------------------------------------- 1 | [Version] 2 | Signature="$CHICAGO$" 3 | Class=HIDClass 4 | ClassGuid={745a17a0-74d3-11d0-b6fe-00a0c90f57da} 5 | Provider=%VENDOR% 6 | DriverVer=07/10/2011,6.1.7600.16385 7 | CatalogFile=kmdfsamples.cat 8 | 9 | [SourceDisksFiles] 10 | vmulti.sys = 99 11 | hidkmdf.sys = 99 12 | 13 | [SourceDisksNames] 14 | 99 = %DISK_NAME%,,,"" 15 | 16 | [DestinationDirs] 17 | CopyFunctionDriver = 12 18 | 19 | [Manufacturer] 20 | %VENDOR%=Vendor, NTx86, NTx86.6.1 21 | 22 | ; For XP and later 23 | [Vendor.NTx86] 24 | %vmulti% = vmulti.Inst, HID\vmulti 25 | 26 | ; For Win7 and later so that we can use inbox HID-KMDF mapper 27 | [Vendor.NTx86.6.1] 28 | %vmulti% = vmulti.Inst.Win7, HID\vmulti 29 | 30 | ;=============================================================== 31 | ; vmulti for XP thru Vista 32 | ;=============================================================== 33 | [vmulti.Inst.NT] 34 | CopyFiles = CopyFunctionDriver 35 | 36 | [vmulti.Inst.NT.HW] 37 | AddReg = vmulti_Parameters.AddReg 38 | 39 | ; 40 | ; vmulti is the function driver and hidkmdf is the WDM HID minidriver 41 | ; 42 | [vmulti.Inst.NT.Services] 43 | AddService = hidkmdf,,hidkmdf_Service_Inst, 44 | AddService = vmulti,0x00000002, vmulti_Service_Inst 45 | 46 | [CopyFunctionDriver] 47 | hidkmdf.sys 48 | 49 | 
[vmulti_Parameters.AddReg] 50 | HKR,,"UpperFilters",0x00010000,"hidkmdf" 51 | 52 | [hidkmdf_Service_Inst] 53 | DisplayName = %hidkmdf.SVCDESC% 54 | ServiceType = 1 ; SERVICE_KERNEL_DRIVER 55 | StartType = 3 ; SERVICE_DEMAND_START 56 | ErrorControl = 1 ; SERVICE_ERROR_NORMAL 57 | ServiceBinary = %12%\hidkmdf.sys 58 | LoadOrderGroup = PNP Filter 59 | 60 | 61 | ;=============================================================== 62 | ; vmulti for Win7 63 | ; Instead of using hidkmdf.sys as a filter, use the inbox 64 | ; mshidkmdf.sys as a mapper filter 65 | ;=============================================================== 66 | [vmulti.Inst.Win7.NT] 67 | ; Just copy the driver. No need to copy other system binaries. 68 | CopyFiles = CopyFunctionDriver 69 | 70 | [vmulti.Inst.Win7.NT.HW] 71 | AddReg = vmulti_Win7_Parameters.AddReg 72 | 73 | ; 74 | ; vmulti is the function driver and mshidkmdf is the WDM HID minidriver 75 | ; 76 | [vmulti.Inst.Win7.NT.Services] 77 | AddService = vmulti,0x00000002, vmulti_Service_Inst 78 | 79 | [vmulti_Win7_Parameters.AddReg] 80 | HKR,,"UpperFilters",0x00010000,"mshidkmdf" 81 | 82 | ;=============================================================== 83 | ; Sections common to all OS versions 84 | ;=============================================================== 85 | 86 | [CopyFunctionDriver] 87 | vmulti.sys 88 | 89 | [vmulti_Service_Inst] 90 | DisplayName = %vmulti% 91 | ServiceType = %SERVICE_KERNEL_DRIVER% 92 | StartType = %SERVICE_DEMAND_START% 93 | ErrorControl = %SERVICE_ERROR_IGNORE% 94 | ServiceBinary = %12%\vmulti.sys 95 | 96 | ;================================================================ 97 | ;--- WDF Coinstaller installation ------ 98 | ; 99 | [DestinationDirs] 100 | vmulti.Inst_CoInstaller_CopyFiles = 11 101 | 102 | [vmulti.Inst.NT.CoInstallers] 103 | AddReg=vmulti.Inst_CoInstaller_AddReg 104 | CopyFiles=vmulti.Inst_CoInstaller_CopyFiles 105 | 106 | [vmulti.Inst_CoInstaller_AddReg] 107 | HKR,,CoInstallers32,0x00010000, 
"WdfCoInstaller01009.dll,WdfCoInstaller" 108 | 109 | [vmulti.Inst_CoInstaller_CopyFiles] 110 | WdfCoInstaller01009.dll,,,0x00000010 ;COPYFLG_NO_OVERWRITE (for win2k) 111 | 112 | [SourceDisksFiles] 113 | WdfCoInstaller01009.dll=99 ; make sure the number matches with SourceDisksNames 114 | 115 | [vmulti.Inst.NT.Wdf] 116 | KmdfService = vmulti, vmulti_wdfsect 117 | [vmulti_wdfsect] 118 | KmdfLibraryVersion = 1.9 119 | 120 | [Strings] 121 | ; *******Localizable Strings******* 122 | VENDOR = "djpnewton@gmail.com" 123 | vmulti = "VMulti HID" 124 | DISK_NAME = "VMulti Device Install Disk" 125 | hidkmdf.SVCDESC= "Filter Driver Service for HID-KMDF Interface layer" 126 | 127 | ; *******Non Localizable Strings******* 128 | 129 | SERVICE_BOOT_START = 0x0 130 | SERVICE_SYSTEM_START = 0x1 131 | SERVICE_AUTO_START = 0x2 132 | SERVICE_DEMAND_START = 0x3 133 | SERVICE_DISABLED = 0x4 134 | 135 | SERVICE_KERNEL_DRIVER = 0x1 136 | SERVICE_ERROR_IGNORE = 0x0 137 | SERVICE_ERROR_NORMAL = 0x1 138 | SERVICE_ERROR_SEVERE = 0x2 139 | SERVICE_ERROR_CRITICAL = 0x3 140 | 141 | REG_EXPAND_SZ = 0x00020000 142 | REG_DWORD = 0x00010001 143 | REG_MULTI_SZ = 0x00010000 144 | REG_BINARY = 0x00000001 145 | REG_SZ = 0x00000000 146 | 147 | -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/bin/vmulti/vmulti.sys: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/bin/vmulti/vmulti.sys -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/kg/crc32.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | * efone - Distributed internet phone system. 
3 | * 4 | * (c) 1999,2000 Krzysztof Dabrowski 5 | * (c) 1999,2000 ElysiuM deeZine 6 | * 7 | * This program is free software; you can redistribute it and/or 8 | * modify it under the terms of the GNU General Public License 9 | * as published by the Free Software Foundation; either version 10 | * 2 of the License, or (at your option) any later version. 11 | * 12 | */ 13 | 14 | /* based on implementation by Finn Yannick Jacobs */ 15 | 16 | #include "crc32.h" 17 | 18 | 19 | 20 | int initialized = 0; 21 | /* crc_tab[] -- this crcTable is being build by chksum_crc32GenTab(). 22 | * so make sure, you call it before using the other 23 | * functions! 24 | */ 25 | u_int32_t crc_tab[256]; 26 | 27 | /* chksum_crc32gentab() -- to a global crc_tab[256], this one will 28 | * calculate the crcTable for crc32-checksums. 29 | * it is generated to the polynom [..] 30 | */ 31 | void chksum_crc32gentab () 32 | { 33 | unsigned long crc, poly; 34 | int i, j; 35 | 36 | poly = 0xEDB88320L; 37 | for (i = 0; i < 256; i++) 38 | { 39 | crc = i; 40 | for (j = 8; j > 0; j--) 41 | { 42 | if (crc & 1) 43 | { 44 | crc = (crc >> 1) ^ poly; 45 | } 46 | else 47 | { 48 | crc >>= 1; 49 | } 50 | } 51 | crc_tab[i] = crc; 52 | } 53 | } 54 | 55 | /* chksum_crc() -- to a given block, this one calculates the 56 | * crc32-checksum until the length is 57 | * reached. the crc32-checksum will be 58 | * the result. 
59 | */ 60 | u_int32_t chksum_crc32 (unsigned char *block, unsigned int length){ 61 | register unsigned long crc; 62 | unsigned long i; 63 | 64 | crc = 0xFFFFFFFF; 65 | for (i = 0; i < length; i++) 66 | { 67 | crc = ((crc >> 8) & 0x00FFFFFF) ^ crc_tab[(crc ^ *block++) & 0xFF]; 68 | } 69 | return (crc ^ 0xFFFFFFFF); 70 | } 71 | 72 | u_int32_t crc32(unsigned char *block, unsigned int length){ 73 | if(!initialized){ 74 | chksum_crc32gentab(); 75 | initialized = 1; 76 | } 77 | 78 | return chksum_crc32(block, length); 79 | } 80 | 81 | 82 | 83 | 84 | 85 | -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/kg/crc32.h: -------------------------------------------------------------------------------- 1 | #ifndef __CRC32_H__ 2 | #define __CRC32_H__ 3 | 4 | typedef unsigned int u_int32_t; 5 | u_int32_t crc32(unsigned char *block, unsigned int length); 6 | 7 | #endif -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/kg/ecnr.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include "ecnr.h" 3 | 4 | 5 | //using namespace std; 6 | 7 | // y^2 == x^3 + a*x^2 + b mod p 8 | int ECNR::set_curve(char *a_, char *b_, char *p_){ 9 | a = a_; 10 | b = b_; 11 | p = p_; 12 | ecurve(a,b,p,MR_PROJECTIVE); 13 | 14 | // don't forget to set_point 15 | state = GOT_CURVE; 16 | 17 | return TRUE; 18 | } 19 | 20 | // Q = k*P 21 | bool ECNR::set_point(char *k_, char *ord_, char *Px, char *Py){ 22 | Big x,y; 23 | 24 | if(state == NO_CURVE) 25 | return FALSE; 26 | 27 | k = k_; 28 | ord = ord_; 29 | x = Px; 30 | y = Py; 31 | 32 | if (!P.set(x,y)) 33 | { 34 | cout << "Problem - point (x,y) is not on the curve" << endl; 35 | return FALSE; 36 | } 37 | 38 | W = P; 39 | W *= ord; 40 | 41 | if (!W.iszero()) 42 | { 43 | cout << "Problem - point (x,y) is not of order ord" << endl; 44 | return FALSE; 45 | } 46 | 47 | Q = k*P; 48 | 49 | state = OK; 50 | 
51 | return TRUE; 52 | } 53 | 54 | void ECNR::set_seed(unsigned int s){ 55 | rnd_seed = s; 56 | irand(rnd_seed); //weak, 32 bit seed :P 57 | } 58 | 59 | bool ECNR::sign(Big msg, Big& sig1, Big& sig2) 60 | { 61 | Big t,x,y; 62 | ECn R; 63 | 64 | if(state != OK) 65 | return FALSE; 66 | 67 | //cout << ord << k << " " << p << endl; 68 | 69 | if(rnd_seed) 70 | t = rand(ord); 71 | else 72 | t = 4; //chosen by fair dice roll 73 | //guaranteed to be random 74 | 75 | R = t*P; 76 | R.get(x,y); 77 | 78 | sig1 = (x + msg)%ord; 79 | sig2 = (t-k*sig1)%ord; 80 | 81 | if(sig1<0) sig1 += ord; 82 | if(sig2<0) sig2 += ord; 83 | 84 | 85 | return TRUE; 86 | } 87 | 88 | bool ECNR::verify(Big msg, Big sig1, Big sig2) 89 | { 90 | if(state != OK) 91 | return FALSE; 92 | 93 | Big x,y,o; 94 | ECn R,S; 95 | 96 | R = mul(sig2, P, sig1, k*P); 97 | R.get(x,y); 98 | 99 | o = (sig1 - x)%ord; 100 | 101 | return (msg == o); 102 | } 103 | 104 | 105 | -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/kg/ecnr.h: -------------------------------------------------------------------------------- 1 | #ifndef __ECNR_H__ 2 | #define __ECNR_H__ 3 | 4 | #include "big.h" 5 | #include "ecn.h" 6 | 7 | enum STATE {NO_CURVE, GOT_CURVE, OK}; 8 | 9 | class ECNR 10 | { 11 | private: 12 | STATE state; 13 | unsigned int rnd_seed; 14 | Big a,b,p; 15 | Big k,ord; 16 | ECn P,Q,W; 17 | 18 | public: 19 | ECNR() 20 | { 21 | rnd_seed = 0; 22 | state = NO_CURVE; 23 | } 24 | ~ECNR() 25 | { } 26 | 27 | int set_curve(char *a, char *b, char *p); 28 | bool set_point(char *k, char *ord, char *Px, char *Py); 29 | 30 | void set_seed(unsigned int s); 31 | 32 | bool sign(Big msg, Big& sig1, Big& sig2); 33 | bool verify(Big msg, Big sig1, Big sig2); 34 | }; 35 | 36 | 37 | 38 | #endif -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/kg/keygen.cpp: -------------------------------------------------------------------------------- 
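// NOTE(review): the header names of the first three #include lines are
// missing from this listing.
1 | #include
2 | #include
3 | #include
4 | #include "ecnr.h"
5 | #include "big.h"
6 | #include "crc32.h"
7 | #include "usb_rawhid.h" //constants
8 |
9 | extern "C" {
10 | #include "hid.h"
11 | #include "vmulticlient.h"
12 | }
13 |
14 |
15 | using namespace std;
16 |
17 | #ifndef MR_NOFULLWIDTH
18 | Miracl precision(50,0);
19 | #else
20 | Miracl precision(50,MAXBASE);
21 | #endif
22 |
23 | #define USER_NAME_MAX_SIZE 256
24 |
// Print "<msg> failed with error N (text)" for the calling thread's last
// Win32 error.
// sysMsg is zero-initialised so that the trimming loop and the final print
// see an empty string when FormatMessage() fails and writes nothing; its
// return value is not checked.
25 | void printError( TCHAR* msg )
26 | {
27 |     DWORD eNum;
28 |     TCHAR sysMsg[256] = {0};
29 |     TCHAR* p;
30 |
31 |     eNum = GetLastError( );
32 |     FormatMessage( FORMAT_MESSAGE_FROM_SYSTEM |
33 |         FORMAT_MESSAGE_IGNORE_INSERTS,
34 |         NULL, eNum,
35 |         MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
36 |         sysMsg, 256, NULL );
37 |
38 |     // Trim the end of the line and terminate it with a null
39 |     p = sysMsg;
40 |     while( ( *p > 31 ) || ( *p == 9 ) )
41 |         ++p;
42 |     do { *p-- = 0; } while( ( p >= sysMsg ) &&
43 |         ( ( *p == '.' ) || ( *p < 33 ) ) );
44 |
45 |     // Display the message
46 |     _tprintf( TEXT("\n\t%s failed with error %d (%s)"), msg, (int)eNum, sysMsg );
47 | }
48 |
// Entry point: sign CRC32(current Windows user name) with ECNR and deliver
// the signature either to a raw-HID device (default) or, when argv[1] is
// "/emu", to the vmulti virtual HID device once per second.
//
// Packet built in buf: [len(sig1)] [len(sig2)] [sig1 text] [sig2 text], where
// the text is whatever "char[] << Big" emits (presumably hex, since IOBASE is
// set to 16). Unused bytes of the packet are zero.
//
// Returns 0 on success, 1 on usage/setup/transfer errors, -1 when no raw-HID
// device is found.
//
// NOTE(review): a, b, p, (Px, Py) and ord appear to be the SEC 2 secp112r1
// domain parameters (Px printed without its leading zero). A group order of
// about 112 bits leaves only about 2^56 work for a generic discrete-log
// attack, which is presumably why the author could label k "ECDLP solution".
// A licence check built on a curve this small protects nothing; anything
// newly designed needs a curve of at least 256 bits.
// NOTE(review): set_seed() is never called, so sign() runs with its fixed
// constant and the same user name always yields the same signature.
49 | int main(int argc, char *argv[]){
50 |     Big n;
51 |     ECNR signer;
52 |     char *a = (char*)"DB7C2ABF62E35E668076BEAD2088";
53 |     char *b = (char*)"659EF8BA043916EEDE8911702B22";
54 |     char *p = (char*)"DB7C2ABF62E35E668076BEAD208B";
55 |
56 |     char *Px = (char*)"9487239995A5EE76B55F9C2F098";
57 |     char *Py = (char*)"A89CE5AF8724C0A23E0E0FF77500";
58 |     char *ord = (char*)"DB7C2ABF62E35E7628DFAC6561C5"; //point order
59 |
60 |     //char *Qx = (char*)"45CF81634B4CA4C6AAC505843B94";
61 |     //char *Qy = (char*)"BDA8EEA7A5004255FA03C48D4AE8";
62 |     char *k = (char*)"f6893de509504e9be7e85b7ae3b"; //ECDLP solution
63 |
// buf is zero-filled: all RAWHID_TX_SIZE bytes are transmitted below, so
// without this the bytes after the signature would be stale stack contents.
64 |     char sig1[64], sig2[64], buf[RAWHID_TX_SIZE] = {0};
65 |
66 |     int emu, r, l1, l2;
67 |
68 |     TCHAR userName[USER_NAME_MAX_SIZE];
69 |     DWORD bufCharCount = USER_NAME_MAX_SIZE;
70 |
71 |     pvmulti_client vmulti;
72 |
73 |     miracl *mip=&precision;
74 |     mip->IOBASE=16;
75 |
76 |     if(argc<2){
77 |         printf("%s /dongle|/emu\n", argv[0]);
78 |         return 1;
79 |     }
80 |
// Only "/emu" is recognised; any other first argument selects the dongle path.
81 |     emu = 0;
82 |     if(!strcmp(argv[1], "/emu")){
83 |         emu = 1;
84 |     }
85 |
// NOTE(review): the results of set_curve() and set_point() are ignored; a
// failure there surfaces only through the sign() check further down.
86 |     signer = ECNR();
87 |     signer.set_curve(a, b, p);
88 |     signer.set_point(k, ord, Px, Py);
89 |
// Stop on failure: userName is uninitialised then, and strlen() below would
// read past it.
90 |     if(!GetUserName(userName, &bufCharCount)){
91 |         printError( TEXT((TCHAR*)"GetUserName") ); return 1; }
92 |     _tprintf( TEXT("\nuser name: %s\n"), userName);
93 |
// NOTE(review): strlen() on a TCHAR buffer is only consistent in a
// non-UNICODE build.
94 |     unsigned int crc;
95 |     crc = crc32((unsigned char*)userName, strlen(userName));
96 |     printf("user name crc: %08x\n", crc);
97 |
98 |     Big msg;
99 |     Big n1 = Big(0), n2 = Big(0);
100 |     Big &s1 = n1, &s2 = n2;
101 |     //bool ok;
102 |
// sign() returns FALSE when the signer was not fully set up; sending the
// untouched zero values as a "signature" would only hide that.
103 |     msg = crc;
104 |     if(!signer.sign(msg, s1, s2)){ printf("signing failed\n"); return 1; }
105 |
106 |     cout << "sig1=" << s1 << endl;
107 |     cout << "sig2=" << s2 << endl;
108 |
109 |     //ok = signer.verify(msg, s1, s2);
110 |     //cout << "ok=" << ok << endl;
111 |
// NOTE(review): the 64-byte text buffers are large enough only because sign()
// reduces both values below ord (28 hex digits).
112 |     sig1 << s1;
113 |     sig2 << s2;
114 |
115 |     l1 = strlen(sig1);
116 |     l2 = strlen(sig2);
117 |
// The payload must fit the raw-HID packet and also the MESSAGE_SIZE-byte
// Message field of VMultiMessageReport used by the /emu path.
118 |     if(l1+l2+2+1 > RAWHID_TX_SIZE || l1+l2+2 > MESSAGE_SIZE){
119 |         printf("signature won't fit in xfer packet :p\n");
120 |         return 1;
121 |     }
122 |
123 |     buf[0] = l1;
124 |     buf[1] = l2;
125 |     memcpy(buf+2, sig1, l1);
126 |     memcpy(buf+2+l1, sig2, l2);
127 |
128 |     if(emu){
129 |         vmulti = vmulti_alloc();
130 |         if (vmulti == NULL)
131 |         {
132 |             printf("vmulti_alloc failed\n");
133 |             return 1;
134 |         }
135 |
136 |         if (!vmulti_connect(vmulti))
137 |         {
138 |             printf("can't connect to vmulti, did you install the driver?\n");
139 |             vmulti_free(vmulti);
140 |             return 1;
141 |         }
142 |
// NOTE(review): report.ReportID is never assigned here; presumably
// vmulti_write_message() fills it in. This local msg shadows the Big above.
143 |         VMultiMessageReport report;
144 |         int msg=0;
145 |
// Resend the report every second until a write fails.
146 |         while(1){
147 |
// Copy only as much as Message holds: vmulticommon.h declares it as
// char[MESSAGE_SIZE] with MESSAGE_SIZE 0x3e (62), so a 64-byte copy would
// write two bytes past the packed struct on the stack.
148 |             memcpy(report.Message, buf, sizeof(report.Message));
149 |
150 |             if(!vmulti_write_message(vmulti, &report))
151 |             {
152 |                 printf("can't write to vmulti\n");
153 |                 break;
154 |             }
155 |             else if(!msg){
156 |                 printf("you can run the crackme now\n");
157 |                 msg=1;
158 |             }
159 |
160 |             printf(".");
161 |             Sleep(1000);
162 |         }
163 |
164 |         vmulti_disconnect(vmulti);
165 |         vmulti_free(vmulti);
166 |         return 0;
167 |     }
168 |     else{
169 |         r = rawhid_open(1, VENDOR_ID, PRODUCT_ID, RAWHID_USAGE_PAGE, RAWHID_USAGE);
170 |         if (r <= 0) {
171 |             printf("no rawhid device found, please plug in the dongle\n");
172 |             return -1;
173 |         }
174 |         printf("found rawhid device\n");
175 |
176 |
177 |
178 |         printf("sending the packet...\n");
179 |
// The length passed is the size of buf, the same constant the result is
// compared against.
180 |         r = rawhid_send(0, buf, RAWHID_TX_SIZE, 100);
181 |         printf("r=%d\n", r);
182 |         if(r != RAWHID_TX_SIZE){
183 |             printf("rawhid_send failed :(\n");
184 |             rawhid_close(0);
185 |             return 1;
186 |         }
187 |
188 |         printf("success!\n");
189 |         rawhid_close(0);
190 |
191 |         return 0;
192 |     }
193 | }
194 |
--------------------------------------------------------------------------------
/cyclops.dongle.me/dongle/kg/makefile:
--------------------------------------------------------------------------------
# NOTE(review): the link step consumes prebuilt binaries kept in the
# repository (mingw-obj big.o, ecn.o and miracl.a, plus vmulticlient.lib);
# no rule here rebuilds them from source or checks them against a known hash.
1 | #
2 | ODIR = mingw-obj
3 | #
4 | _OBJS = big.o ecn.o miracl.a
5 | #
6 | OBJS = $(patsubst %,$(ODIR)\\%,$(_OBJS))
7 | #
8 | LIBS = -lhid -lsetupapi
9 | #
10 | FLAGS = -Wall -I..\vmulti\inc -Ic:\miracl\include -I..\usb_rawhid -I..\rawhid_test -static
11 |
12 | all: ecnr.o keygen.o crc32.o hid.o
13 |     g++ $(OBJS) ..\rawhid_test\hid.o ecnr.o keygen.o crc32.o vmulticlient.lib $(LIBS) -o kg.exe
14 |
15 | hid.o:
16 |     cd "..\rawhid_test";$(MAKE)
17 |
18 | ecnr.o: ecnr.cpp ecnr.h
19 |     g++ -c $(FLAGS) ecnr.cpp
20 |
21 | crc32.o: crc32.cpp crc32.h
22 |     g++ -c crc32.cpp
23 |
24 | keygen.o: keygen.cpp
25 |     g++ -c $(FLAGS) keygen.cpp
26 |
27 | clean:
28 |     rm *.o
29 |     cd "..\rawhid_test";rm *.o
30 |
--------------------------------------------------------------------------------
/cyclops.dongle.me/dongle/kg/mingw-obj/big.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/kg/mingw-obj/big.o
--------------------------------------------------------------------------------
/cyclops.dongle.me/dongle/kg/mingw-obj/crt.o: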
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/kg/mingw-obj/crt.o -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/kg/mingw-obj/ec2.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/kg/mingw-obj/ec2.o -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/kg/mingw-obj/ecn.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/kg/mingw-obj/ecn.o -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/kg/mingw-obj/flash.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/kg/mingw-obj/flash.o -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/kg/mingw-obj/miracl.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/kg/mingw-obj/miracl.a -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/kg/mingw-obj/zzn.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/kg/mingw-obj/zzn.o 
-------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/kg/vmulticlient.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/kg/vmulticlient.lib -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/rawhid_test/Makefile: -------------------------------------------------------------------------------- 1 | 2 | #OS = LINUX 3 | #OS = MACOSX 4 | OS = WINDOWS 5 | 6 | PROG = rawhid_test 7 | 8 | ifeq ($(OS), LINUX) 9 | TARGET = $(PROG) 10 | CC = gcc 11 | STRIP = strip 12 | CFLAGS = -Wall -O2 -DOS_$(OS) 13 | LIBS = -lusb 14 | else ifeq ($(OS), MACOSX) 15 | TARGET = $(PROG).dmg 16 | SDK = /Developer/SDKs/MacOSX10.5.sdk 17 | ARCH = -mmacosx-version-min=10.5 -arch ppc -arch i386 18 | CC = gcc 19 | STRIP = strip 20 | CFLAGS = -Wall -O2 -DOS_$(OS) -isysroot $(SDK) $(ARCH) 21 | LIBS = $(ARCH) -Wl,-syslibroot,$(SDK) -framework IOKit -framework CoreFoundation 22 | else ifeq ($(OS), WINDOWS) 23 | TARGET = $(PROG) 24 | CC = gcc 25 | STRIP = strip 26 | CFLAGS = -Wall -O2 -DOS_$(OS) -I..\usb_rawhid -static 27 | LIBS = -lhid -lsetupapi 28 | endif 29 | 30 | OBJS = $(PROG).o hid.o 31 | 32 | 33 | all: $(TARGET) 34 | 35 | $(PROG): $(OBJS) 36 | $(CC) -o $(PROG) $(OBJS) $(LIBS) 37 | 38 | 39 | #$(PROG).exe: $(PROG) 40 | # cp $(PROG) $(PROG).exe 41 | 42 | $(PROG).dmg: $(PROG) 43 | mkdir tmp 44 | cp $(PROG) tmp 45 | hdiutil create -ov -volname "Raw HID Test" -srcfolder tmp $(PROG).dmg 46 | 47 | hid.o: hid_$(OS).c hid.h 48 | $(CC) $(CFLAGS) -c -o $@ $< 49 | 50 | clean: 51 | rm -f *.o $(PROG) $(PROG).exe $(PROG).dmg 52 | rm -rf tmp 53 | 54 | -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/rawhid_test/hid.h: -------------------------------------------------------------------------------- 1 | 2 
| int rawhid_open(int max, int vid, int pid, int usage_page, int usage); 3 | int rawhid_recv(int num, void *buf, int len, int timeout); 4 | int rawhid_send(int num, void *buf, int len, int timeout); 5 | void rawhid_close(int num); 6 | 7 | -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/rawhid_test/rawhid_test.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | #if defined(OS_LINUX) || defined(OS_MACOSX) 7 | #include 8 | #include 9 | #elif defined(OS_WINDOWS) 10 | #include 11 | #endif 12 | 13 | #include "hid.h" 14 | #include "usb_rawhid.h" 15 | 16 | 17 | int main() 18 | { 19 | int i, r, num, flag; 20 | char buf[64]; 21 | 22 | // solution for name: Administrator 23 | char *s1 = "5B2B9A62EEB59F85AC6269C1F020"; 24 | char *s2 = "8D0C6549677CD464B8EBA5463E8D"; 25 | 26 | r = rawhid_open(1, VENDOR_ID, PRODUCT_ID, RAWHID_USAGE_PAGE, RAWHID_USAGE); 27 | if (r <= 0) { 28 | printf("no rawhid device found\n"); 29 | return -1; 30 | } 31 | printf("found rawhid device\n"); 32 | 33 | flag = 0; 34 | while (1) { 35 | // check if any Raw HID packet has arrived 36 | num = rawhid_recv(0, buf, 64, 220); 37 | if (num < 0) { 38 | printf("\nerror reading, device went offline\n"); 39 | rawhid_close(0); 40 | return 0; 41 | } 42 | if (num > 0) { 43 | printf("\nrecv %d bytes:\n", num); 44 | for (i=0; i 4 | #include 5 | 6 | #include "analog.h" 7 | 8 | 9 | #if defined(__AVR_ATmega32U4__) 10 | 11 | uint8_t analog_reference_config_val = 0x40; 12 | 13 | static const uint8_t PROGMEM adc_mapping[] = { 14 | 0, 1, 4, 5, 6, 7, 13, 12, 11, 10, 9, 8 15 | }; 16 | 17 | int analogRead(uint8_t pin) 18 | { 19 | uint8_t low, adc; 20 | 21 | if (pin >= 12) return 0; 22 | adc = pgm_read_byte(adc_mapping + pin); 23 | if (adc < 8) { 24 | DIDR0 |= (1 << adc); 25 | ADCSRB = 0; 26 | ADMUX = analog_reference_config_val | adc; 27 | } else { 28 | adc -= 8; 29 | DIDR2 |= (1 
<< adc); 30 | ADCSRB = (1<= 8) return 0; 48 | DIDR0 |= (1 << pin); 49 | ADMUX = analog_reference_config_val | pin; 50 | ADCSRA = (1< 5 | 6 | #if defined(__AVR_AT90USB162__) 7 | #define analogRead(pin) (0) 8 | #define analogReference(ref) 9 | #else 10 | int16_t analogRead(uint8_t pin); 11 | extern uint8_t analog_reference_config_val; 12 | #define analogReference(ref) (analog_reference_config_val = (ref) << 6) 13 | #endif 14 | 15 | #endif 16 | -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/usb_rawhid/example.c: -------------------------------------------------------------------------------- 1 | /* Teensy RawHID example 2 | * http://www.pjrc.com/teensy/rawhid.html 3 | * Copyright (c) 2009 PJRC.COM, LLC 4 | * 5 | * Permission is hereby granted, free of charge, to any person obtaining a copy 6 | * of this software and associated documentation files (the "Software"), to deal 7 | * in the Software without restriction, including without limitation the rights 8 | * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | * copies of the Software, and to permit persons to whom the Software is 10 | * furnished to do so, subject to the following conditions: 11 | * 12 | * The above description, website URL and copyright notice and this permission 13 | * notice shall be included in all copies or substantial portions of the Software. 14 | * 15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 21 | * THE SOFTWARE. 
22 | */ 23 | 24 | #include 25 | #include 26 | #include 27 | #include 28 | #include 29 | #include "usb_rawhid.h" 30 | #include "analog.h" 31 | 32 | #define CPU_PRESCALE(n) (CLKPR = 0x80, CLKPR = (n)) 33 | 34 | #define EEPROM_BUF_ADDR 0 35 | 36 | volatile uint8_t do_output=0; 37 | uint8_t buffer[RAWHID_TX_SIZE]; 38 | 39 | int main(void) 40 | { 41 | int8_t r; 42 | uint16_t count=0; 43 | 44 | // set for 16 MHz clock 45 | CPU_PRESCALE(0); 46 | 47 | // Initialize the USB, and then wait for the host to set configuration. 48 | // If the Teensy is powered without a PC connected to the USB port, 49 | // this will wait forever. 50 | usb_init(); 51 | while (!usb_configured()) /* wait */ ; 52 | 53 | // Wait an extra second for the PC's operating system to load drivers 54 | // and do whatever it does to actually be ready for input 55 | _delay_ms(1000); 56 | 57 | // Configure timer 0 to generate a timer overflow interrupt every 58 | // 256*1024 clock cycles, or approx 61 Hz when using 16 MHz clock 59 | TCCR0A = 0x00; 60 | TCCR0B = 0x05; 61 | TIMSK0 = (1< 0) { 69 | // save received data into eeprom 70 | eeprom_update_block(buffer, EEPROM_BUF_ADDR, RAWHID_TX_SIZE); 71 | } 72 | // if time to send output, transmit whatever we received earlier 73 | if (do_output) { 74 | do_output = 0; 75 | 76 | // put a count in the last 2 bytes 77 | buffer[62] = count >> 8; 78 | buffer[63] = count & 255; 79 | // send the packet 80 | usb_rawhid_send(buffer, 50); 81 | count++; 82 | } 83 | } 84 | } 85 | 86 | // This interrupt routine is run approx 61 times per second. 
87 | ISR(TIMER0_OVF_vect) 88 | { 89 | static uint8_t count=0; 90 | 91 | // set the do_output variable every 2 seconds 92 | if (++count > 122) { 93 | count = 0; 94 | do_output = 1; 95 | } 96 | } 97 | 98 | 99 | 100 | -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/usb_rawhid/usb_rawhid.h: -------------------------------------------------------------------------------- 1 | #ifndef usb_serial_h__ 2 | #define usb_serial_h__ 3 | 4 | #include 5 | 6 | void usb_init(void); // initialize everything 7 | uint8_t usb_configured(void); // is the USB port configured 8 | int8_t usb_rawhid_recv(uint8_t *buffer, uint8_t timeout); // receive a packet, with timeout 9 | int8_t usb_rawhid_send(const uint8_t *buffer, uint8_t timeout); // send a packet, with timeout 10 | 11 | // This file does not include the HID debug functions, so these empty 12 | // macros replace them with nothing, so users can compile code that 13 | // has calls to these functions. 14 | #define usb_debug_putchar(c) 15 | #define usb_debug_flush_output() 16 | 17 | /************************************************************************** 18 | * 19 | * Configurable Options 20 | * 21 | **************************************************************************/ 22 | 23 | // You can change these to give your code its own name. 24 | #define STR_MANUFACTURER L"MfgName" 25 | #define STR_PRODUCT L"Teensy Raw HID Example" 26 | 27 | // These 4 numbers identify your device. Set these to 28 | // something that is (hopefully) not used by any others! 29 | #define VENDOR_ID 0x04d8 30 | #define PRODUCT_ID 0x003f 31 | #define RAWHID_USAGE_PAGE 0xFF00 // recommended: 0xFF00 to 0xFFFF 32 | #define RAWHID_USAGE 0x0002 // recommended: 0x0100 to 0xFFFF 33 | 34 | // These determine the bandwidth that will be allocated 35 | // for your communication. 
You do not need to use it 36 | // all, but allocating more than necessary means reserved 37 | // bandwidth is no longer available to other USB devices. 38 | #define RAWHID_TX_SIZE 64 // transmit packet size 39 | #define RAWHID_TX_INTERVAL 2 // max # of ms between transmit packets 40 | #define RAWHID_RX_SIZE RAWHID_TX_SIZE // receive packet size 41 | #define RAWHID_RX_INTERVAL 8 // max # of ms between receive packets 42 | 43 | 44 | // Everything below this point is only intended for usb_serial.c 45 | #ifdef USB_PRIVATE_INCLUDE 46 | #include 47 | #include 48 | #include 49 | 50 | #define EP_TYPE_CONTROL 0x00 51 | #define EP_TYPE_BULK_IN 0x81 52 | #define EP_TYPE_BULK_OUT 0x80 53 | #define EP_TYPE_INTERRUPT_IN 0xC1 54 | #define EP_TYPE_INTERRUPT_OUT 0xC0 55 | #define EP_TYPE_ISOCHRONOUS_IN 0x41 56 | #define EP_TYPE_ISOCHRONOUS_OUT 0x40 57 | 58 | #define EP_SINGLE_BUFFER 0x02 59 | #define EP_DOUBLE_BUFFER 0x06 60 | 61 | #define EP_SIZE(s) ((s) > 32 ? 0x30 : \ 62 | ((s) > 16 ? 0x20 : \ 63 | ((s) > 8 ? 0x10 : \ 64 | 0x00))) 65 | 66 | #define MAX_ENDPOINT 4 67 | 68 | #define LSB(n) (n & 255) 69 | #define MSB(n) ((n >> 8) & 255) 70 | 71 | #if defined(__AVR_AT90USB162__) 72 | #define HW_CONFIG() 73 | #define PLL_CONFIG() (PLLCSR = ((1< bin\install_driver.bat 30 | 31 | :: create bat file for easier testing 32 | echo %BASEDIR%\tools\devcon\i386\devcon.exe remove HID\vmulti > bin\test.bat 33 | echo cd .. 
>> bin\test.bat 34 | echo cmd /c buildme.bat >> bin\test.bat 35 | echo cd bin >> bin\test.bat 36 | echo cmd /c install_driver.bat >> bin\test.bat 37 | echo echo After keypress, launching testvmulti >> bin\test.bat 38 | echo pause >> bin\test.bat 39 | echo testvmulti /joystick >> bin\test.bat 40 | 41 | echo on 42 | -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/client/sources: -------------------------------------------------------------------------------- 1 | TARGETNAME=vmulticlient 2 | TARGETTYPE=LIBRARY 3 | USE_MSVCRT=1 4 | 5 | TARGETLIBS=$(SDK_LIB_PATH)\hid.lib \ 6 | $(SDK_LIB_PATH)\setupapi.lib \ 7 | $(SDK_LIB_PATH)\comdlg32.lib 8 | 9 | SOURCES=client.c 10 | 11 | INCLUDES=..\inc 12 | 13 | TARGET_DESTINATION=bin 14 | 15 | _NT_TARGET_VERSION= $(_NT_TARGET_VERSION_WINXP) 16 | 17 | 18 | 19 | -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/client/vmulticlient.vcproj: -------------------------------------------------------------------------------- 1 | 2 | 10 | 11 | 14 | 15 | 16 | 17 | 18 | 25 | 28 | 31 | 34 | 37 | 40 | 51 | 54 | 57 | 60 | 63 | 66 | 69 | 72 | 75 | 78 | 79 | 87 | 90 | 93 | 96 | 99 | 102 | 113 | 116 | 119 | 122 | 125 | 128 | 131 | 134 | 137 | 140 | 141 | 142 | 143 | 144 | 145 | 150 | 153 | 154 | 155 | 160 | 163 | 164 | 165 | 170 | 171 | 172 | 173 | 174 | 175 | -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/dirs: -------------------------------------------------------------------------------- 1 | DIRS= \ 2 | hidmapper \ 3 | sys \ 4 | client \ 5 | test 6 | -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/hidmapper/hidkmdf.rc: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | #define VER_FILETYPE VFT_DRV 5 | #define VER_FILESUBTYPE 
VFT2_DRV_SYSTEM 6 | #define VER_FILEDESCRIPTION_STR "Filter Driver for HID-KMDF Interface" 7 | #define VER_INTERNALNAME_STR "HIDKMDF.SYS" 8 | #define VER_ORIGINALFILENAME_STR "HIDKMDF.SYS" 9 | 10 | #include "common.ver" 11 | 12 | 13 | -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/hidmapper/makefile: -------------------------------------------------------------------------------- 1 | # 2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source 3 | # file to this component. This file merely indirects to the real make file 4 | # that is shared by all the driver components of the Windows NT DDK 5 | # 6 | 7 | !INCLUDE $(NTMAKEENV)\makefile.def 8 | 9 | 10 | -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/hidmapper/sources: -------------------------------------------------------------------------------- 1 | TARGETNAME=hidkmdf 2 | TARGETTYPE=DRIVER 3 | 4 | TARGETLIBS=$(DDK_LIB_PATH)\hidclass.lib 5 | 6 | 7 | SOURCES= hidkmdf.c \ 8 | hidkmdf.rc 9 | 10 | TARGET_DESTINATION=bin 11 | 12 | -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/inc/hidport.h: -------------------------------------------------------------------------------- 1 | /*++ 2 | 3 | Copyright (c) 1996 Microsoft Corporation 4 | 5 | Module Name: 6 | 7 | hidmini.h 8 | 9 | Abstract 10 | 11 | Definitions that are common to all HID minidrivers. 12 | 13 | Authors: 14 | 15 | Forrest Foltz 16 | Ervin Peretz 17 | 18 | Environment: 19 | 20 | Kernel mode only 21 | 22 | Revision History: 23 | 24 | 25 | --*/ 26 | 27 | #ifndef __HIDPORT_H__ 28 | #define __HIDPORT_H__ 29 | 30 | #include 31 | 32 | // 33 | // HID_MINIDRIVER_REGISTRATION is a packet of information describing the 34 | // HID minidriver to the class driver. 
It must be filled in by the minidriver 35 | // and passed to the class driver via HidRegisterMinidriver() from the 36 | // minidriver's DriverEntry() routine. 37 | // 38 | 39 | typedef struct _HID_MINIDRIVER_REGISTRATION { 40 | 41 | // 42 | // Revision must be set to HID_REVISION by the minidriver 43 | // 44 | 45 | ULONG Revision; 46 | 47 | // 48 | // DriverObject is a pointer to the minidriver's DriverObject that it 49 | // received as a DriverEntry() parameter. 50 | // 51 | 52 | PDRIVER_OBJECT DriverObject; 53 | 54 | // 55 | // RegistryPath is a pointer to the minidriver's RegistryPath that it 56 | // received as a DriverEntry() parameter. 57 | // 58 | 59 | PUNICODE_STRING RegistryPath; 60 | 61 | // 62 | // DeviceExtensionSize is the size of the minidriver's per-device 63 | // extension. 64 | // 65 | 66 | ULONG DeviceExtensionSize; 67 | 68 | // 69 | // Either all or none of the devices driven by a given minidriver are polled. 70 | // 71 | BOOLEAN DevicesArePolled; 72 | UCHAR Reserved[3]; 73 | 74 | } HID_MINIDRIVER_REGISTRATION, *PHID_MINIDRIVER_REGISTRATION; 75 | 76 | // 77 | // HID_DEVICE_EXTENSION is the public part of the device extension of a HID 78 | // functional device object. 79 | // 80 | 81 | typedef struct _HID_DEVICE_EXTENSION { 82 | 83 | // 84 | // PhysicalDeviceObject... normally IRPs are not passed to this. 85 | // 86 | 87 | PDEVICE_OBJECT PhysicalDeviceObject; 88 | 89 | // 90 | // NextDeviceObject... IRPs are sent here by the minidriver. Note that 91 | // NextDeviceObject and PhysicalDeviceObject are the same unless someone 92 | // has inserted a 'filter' device object, in which case they are not the 93 | // same. Sending IRPs to NextDeviceObject will hit the filter device 94 | // objects on the way down. 95 | // 96 | 97 | PDEVICE_OBJECT NextDeviceObject; 98 | 99 | // 100 | // MiniDeviceExtension is the per-device extension area for use by 101 | // the minidriver. 
It's size is determined by the DeviceExtensionSize 102 | // parameter passed in to HidAddDevice(). 103 | // 104 | // So, given a Functional Device Object, a mininidriver finds this 105 | // structure by: 106 | // 107 | // HidDeviceExtension = (PHID_DEVICE_EXTENSION)(Fdo->DeviceExtension); 108 | // 109 | // And of course it's per-device extension is found by: 110 | // 111 | // MiniDeviceExtension = HidDeviceExtension->MiniDeviceExtension; 112 | // 113 | 114 | PVOID MiniDeviceExtension; 115 | 116 | } HID_DEVICE_EXTENSION, *PHID_DEVICE_EXTENSION; 117 | 118 | typedef struct _HID_DEVICE_ATTRIBUTES { 119 | 120 | ULONG Size; 121 | // 122 | // sizeof (struct _HID_DEVICE_ATTRIBUTES) 123 | // 124 | 125 | // 126 | // Vendor ids of this hid device 127 | // 128 | USHORT VendorID; 129 | USHORT ProductID; 130 | USHORT VersionNumber; 131 | USHORT Reserved[11]; 132 | 133 | } HID_DEVICE_ATTRIBUTES, * PHID_DEVICE_ATTRIBUTES; 134 | 135 | 136 | #include 137 | typedef struct _HID_DESCRIPTOR 138 | { 139 | UCHAR bLength; 140 | UCHAR bDescriptorType; 141 | USHORT bcdHID; 142 | UCHAR bCountry; 143 | UCHAR bNumDescriptors; 144 | 145 | /* 146 | * This is an array of one OR MORE descriptors. 147 | */ 148 | struct _HID_DESCRIPTOR_DESC_LIST { 149 | UCHAR bReportType; 150 | USHORT wReportLength; 151 | } DescriptorList [1]; 152 | 153 | } HID_DESCRIPTOR, * PHID_DESCRIPTOR; 154 | #include 155 | 156 | 157 | typedef 158 | VOID 159 | (*HID_SEND_IDLE_CALLBACK)( 160 | PVOID Context 161 | ); 162 | 163 | typedef struct _HID_SUBMIT_IDLE_NOTIFICATION_CALLBACK_INFO { 164 | HID_SEND_IDLE_CALLBACK IdleCallback; 165 | PVOID IdleContext; 166 | } HID_SUBMIT_IDLE_NOTIFICATION_CALLBACK_INFO, *PHID_SUBMIT_IDLE_NOTIFICATION_CALLBACK_INFO; 167 | 168 | // 169 | // Function prototypes for the HID services exported by the hid class driver 170 | // follow. 
171 | // 172 | 173 | NTSTATUS 174 | HidRegisterMinidriver( 175 | __in PHID_MINIDRIVER_REGISTRATION MinidriverRegistration 176 | ); 177 | 178 | // 179 | // Internal IOCTLs for the class/mini driver interface. 180 | // 181 | 182 | #define IOCTL_HID_GET_DEVICE_DESCRIPTOR HID_CTL_CODE(0) 183 | #define IOCTL_HID_GET_REPORT_DESCRIPTOR HID_CTL_CODE(1) 184 | #define IOCTL_HID_READ_REPORT HID_CTL_CODE(2) 185 | #define IOCTL_HID_WRITE_REPORT HID_CTL_CODE(3) 186 | #define IOCTL_HID_GET_STRING HID_CTL_CODE(4) 187 | #define IOCTL_HID_ACTIVATE_DEVICE HID_CTL_CODE(7) 188 | #define IOCTL_HID_DEACTIVATE_DEVICE HID_CTL_CODE(8) 189 | #define IOCTL_HID_GET_DEVICE_ATTRIBUTES HID_CTL_CODE(9) 190 | #define IOCTL_HID_SEND_IDLE_NOTIFICATION_REQUEST HID_CTL_CODE(10) 191 | 192 | /* 193 | * Codes for HID-specific descriptor types, from HID USB spec. 194 | */ 195 | #define HID_HID_DESCRIPTOR_TYPE 0x21 196 | #define HID_REPORT_DESCRIPTOR_TYPE 0x22 197 | #define HID_PHYSICAL_DESCRIPTOR_TYPE 0x23 // for body part associations 198 | 199 | 200 | 201 | /* 202 | * These are string IDs for use with IOCTL_HID_GET_STRING 203 | * They match the string field offsets in Chapter 9 of the USB Spec. 
204 | */ 205 | #define HID_STRING_ID_IMANUFACTURER 14 206 | #define HID_STRING_ID_IPRODUCT 15 207 | #define HID_STRING_ID_ISERIALNUMBER 16 208 | 209 | 210 | 211 | #endif // __HIDPORT_H__ 212 | 213 | 214 | -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/inc/vmulticlient.h: -------------------------------------------------------------------------------- 1 | #if !defined(_VMULTI_CLIENT_H_) 2 | #define _VMULTI_CLIENT_H_ 3 | 4 | #include "vmulticommon.h" 5 | 6 | typedef struct _vmulti_client_t* pvmulti_client; 7 | 8 | pvmulti_client __cdecl vmulti_alloc(void); 9 | 10 | void __cdecl vmulti_free(pvmulti_client vmulti); 11 | 12 | BOOL __cdecl vmulti_connect(pvmulti_client vmulti); 13 | 14 | void __cdecl vmulti_disconnect(pvmulti_client vmulti); 15 | 16 | BOOL __cdecl vmulti_update_mouse(pvmulti_client vmulti, BYTE button, USHORT x, USHORT y, BYTE wheelPosition); 17 | 18 | BOOL __cdecl vmulti_update_digi(pvmulti_client vmulti, BYTE status, USHORT x, USHORT y); 19 | 20 | BOOL __cdecl vmulti_update_multitouch(pvmulti_client vmulti, PTOUCH pTouch, BYTE actualCount); 21 | 22 | BOOL __cdecl vmulti_update_joystick(pvmulti_client vmulti, USHORT buttons, BYTE hat, BYTE x, BYTE y, BYTE rx, BYTE ry, BYTE throttle); 23 | 24 | BOOL __cdecl vmulti_update_keyboard(pvmulti_client vmulti, BYTE shiftKeyFlags, BYTE keyCodes[KBD_KEY_CODES]); 25 | 26 | BOOL __cdecl vmulti_write_message(pvmulti_client vmulti, VMultiMessageReport* pReport); 27 | 28 | BOOL __cdecl vmulti_read_message(pvmulti_client vmulti, VMultiMessageReport* pReport); 29 | 30 | 31 | #endif -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/inc/vmulticommon.h: -------------------------------------------------------------------------------- 1 | #if !defined(_VMULTI_COMMON_H_) 2 | #define _VMULTI_COMMON_H_ 3 | 4 | // 5 | //These are the device attributes returned by vmulti in response 6 | // to 
IOCTL_HID_GET_DEVICE_ATTRIBUTES. 7 | // 8 | 9 | #define VMULTI_PID 0x003f 10 | #define VMULTI_VID 0x04d8 11 | #define VMULTI_VERSION 0x0001 12 | 13 | // 14 | // These are the report ids 15 | // 16 | 17 | #define REPORTID_MTOUCH 0x01 18 | #define REPORTID_FEATURE 0x02 19 | #define REPORTID_MOUSE 0x03 20 | #define REPORTID_DIGI 0x04 21 | #define REPORTID_JOYSTICK 0x05 22 | #define REPORTID_KEYBOARD 0x06 23 | #define REPORTID_MESSAGE 0x10 24 | #define REPORTID_CONTROL 0x40 25 | 26 | // 27 | // Control defined report size 28 | // 29 | 30 | #define CONTROL_REPORT_SIZE 0x41 31 | 32 | // 33 | // Report header 34 | // 35 | 36 | #pragma pack(1) 37 | typedef struct _VMULTI_CONTROL_REPORT_HEADER 38 | { 39 | 40 | BYTE ReportID; 41 | 42 | BYTE ReportLength; 43 | 44 | } VMultiControlReportHeader; 45 | #pragma pack() 46 | 47 | // 48 | // Keyboard specific report infomation 49 | // 50 | 51 | #define KBD_LCONTROL_BIT 1 52 | #define KBD_LSHIFT_BIT 2 53 | #define KBD_LALT_BIT 4 54 | #define KBD_LGUI_BIT 8 55 | #define KBD_RCONTROL_BIT 16 56 | #define KBD_RSHIFT_BIT 32 57 | #define KBD_RALT_BIT 64 58 | #define KBD_RGUI_BIT 128 59 | 60 | #define KBD_KEY_CODES 6 61 | 62 | #pragma pack(1) 63 | typedef struct _VMULTI_KEYBOARD_REPORT 64 | { 65 | 66 | BYTE ReportID; 67 | 68 | // Left Control, Left Shift, Left Alt, Left GUI 69 | // Right Control, Right Shift, Right Alt, Right GUI 70 | BYTE ShiftKeyFlags; 71 | 72 | BYTE Reserved; 73 | 74 | // See http://www.usb.org/developers/devclass_docs/Hut1_11.pdf 75 | // for a list of key codes 76 | BYTE KeyCodes[KBD_KEY_CODES]; 77 | 78 | } VMultiKeyboardReport; 79 | 80 | typedef struct _VMULTI_KEYBOARD_OUTPUT_REPORT 81 | { 82 | // Num Lock, Caps Lock, Scroll Lock, Compose, Kana 83 | BYTE LedFlags; 84 | } VMultiKeyboardOutputReport; 85 | 86 | #pragma pack() 87 | 88 | // 89 | // Joystick specific report infomation 90 | // 91 | 92 | #pragma pack(1) 93 | typedef struct _VMULTI_JOYSTICK_REPORT 94 | { 95 | 96 | BYTE ReportID; 97 | 98 | BYTE Throttle; 99 | 100 
| BYTE XValue; 101 | 102 | BYTE YValue; 103 | 104 | BYTE Hat; 105 | 106 | BYTE RXValue; 107 | 108 | BYTE RYValue; 109 | 110 | USHORT Buttons; 111 | 112 | } VMultiJoystickReport; 113 | #pragma pack() 114 | 115 | // 116 | // Digitizer specific report infomation 117 | // 118 | 119 | #define DIGI_TIPSWITCH_BIT 1 120 | #define DIGI_IN_RANGE_BIT 2 121 | 122 | #define DIGI_MIN_COORDINATE 0x0000 123 | #define DIGI_MAX_COORDINATE 0x7FFF 124 | 125 | #pragma pack(1) 126 | typedef struct _VMULTI_DIGI_REPORT 127 | { 128 | 129 | BYTE ReportID; 130 | 131 | BYTE Status; 132 | 133 | USHORT XValue; 134 | 135 | USHORT YValue; 136 | 137 | } VMultiDigiReport; 138 | #pragma pack() 139 | 140 | // 141 | // Mouse specific report information 142 | // 143 | 144 | #define MOUSE_BUTTON_1 0x01 145 | #define MOUSE_BUTTON_2 0x02 146 | 147 | #define MOUSE_MIN_COORDINATE 0x0000 148 | #define MOUSE_MAX_COORDINATE 0x7FFF 149 | 150 | #define MIN_WHEEL_POS -127 151 | #define MAX_WHEEL_POS 127 152 | 153 | #pragma pack(1) 154 | typedef struct _VMULTI_MOUSE_REPORT 155 | { 156 | 157 | BYTE ReportID; 158 | 159 | BYTE Button; 160 | 161 | USHORT XValue; 162 | 163 | USHORT YValue; 164 | 165 | BYTE WheelPosition; 166 | 167 | } VMultiMouseReport; 168 | #pragma pack() 169 | 170 | // 171 | // Multitouch specific report information 172 | // 173 | 174 | #define MULTI_TIPSWITCH_BIT 1 175 | #define MULTI_IN_RANGE_BIT 2 176 | #define MULTI_CONFIDENCE_BIT 4 177 | 178 | #define MULTI_MIN_COORDINATE 0x0000 179 | #define MULTI_MAX_COORDINATE 0x7FFF 180 | 181 | #define MULTI_MAX_COUNT 20 182 | 183 | #pragma pack(1) 184 | typedef struct 185 | { 186 | 187 | BYTE Status; 188 | 189 | BYTE ContactID; 190 | 191 | USHORT XValue; 192 | 193 | USHORT YValue; 194 | 195 | USHORT Width; 196 | 197 | USHORT Height; 198 | 199 | } 200 | TOUCH, *PTOUCH; 201 | 202 | typedef struct _VMULTI_MULTITOUCH_REPORT 203 | { 204 | 205 | BYTE ReportID; 206 | 207 | TOUCH Touch[2]; 208 | 209 | BYTE ActualCount; 210 | 211 | } VMultiMultiTouchReport; 212 | 
#pragma pack() 213 | 214 | // 215 | // Feature report information 216 | // 217 | 218 | #define DEVICE_MODE_MOUSE 0x00 219 | #define DEVICE_MODE_SINGLE_INPUT 0x01 220 | #define DEVICE_MODE_MULTI_INPUT 0x02 221 | 222 | #pragma pack(1) 223 | typedef struct _VMULTI_FEATURE_REPORT 224 | { 225 | 226 | BYTE ReportID; 227 | 228 | BYTE DeviceMode; 229 | 230 | BYTE DeviceIdentifier; 231 | 232 | } VMultiFeatureReport; 233 | 234 | typedef struct _VMULTI_MAXCOUNT_REPORT 235 | { 236 | 237 | BYTE ReportID; 238 | 239 | BYTE MaximumCount; 240 | 241 | } VMultiMaxCountReport; 242 | #pragma pack() 243 | 244 | // 245 | // Message specific report information 246 | // 247 | 248 | #define MESSAGE_SIZE 0x3e 249 | 250 | #pragma pack(1) 251 | typedef struct _VMULTI_MESSAGE_REPORT 252 | { 253 | 254 | BYTE ReportID; 255 | 256 | char Message[MESSAGE_SIZE]; 257 | 258 | } VMultiMessageReport; 259 | #pragma pack() 260 | 261 | #endif 262 | -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/dongle/vmulti/client/objchk_wxp_x86/i386/_objects.mac: -------------------------------------------------------------------------------- 1 | 2 | 3 | 386_OBJECTS=\ 4 | $(OBJ_PATH)\$O\client.obj \ 5 | 6 | 7 | 8 | 9 | 10 | # lowercased 11 | BASEDIR=c:\winddk\7600.16385.1 12 | OBJECT_ROOT=c:\dongle\vmulti\obj 13 | MAKEDIR_LOWERCASE=c:\dongle\vmulti\client 14 | OBJ_PATH=c:\dongle\vmulti\obj\dongle\vmulti\client 15 | CONCURRENT_MIDL=0 16 | CONCURRENT_MANIFEST_BUILD=0 17 | -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/dongle/vmulti/client/objchk_wxp_x86/i386/client.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/vmulti/obj/dongle/vmulti/client/objchk_wxp_x86/i386/client.obj 
-------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/dongle/vmulti/client/objchk_wxp_x86/i386/vmulticlient.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/vmulti/obj/dongle/vmulti/client/objchk_wxp_x86/i386/vmulticlient.lib -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/dongle/vmulti/hidmapper/objchk_wxp_x86/i386/_objects.mac: -------------------------------------------------------------------------------- 1 | 2 | 3 | 386_OBJECTS=\ 4 | $(OBJ_PATH)\$O\hidkmdf.obj \ 5 | 6 | 7 | _RES_FILE=$(OBJ_PATH)\$O\hidkmdf.res 8 | 9 | 10 | 11 | # lowercased 12 | BASEDIR=c:\winddk\7600.16385.1 13 | OBJECT_ROOT=c:\dongle\vmulti\obj 14 | MAKEDIR_LOWERCASE=c:\dongle\vmulti\hidmapper 15 | OBJ_PATH=c:\dongle\vmulti\obj\dongle\vmulti\hidmapper 16 | CONCURRENT_MIDL=0 17 | CONCURRENT_MANIFEST_BUILD=0 18 | -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/dongle/vmulti/hidmapper/objchk_wxp_x86/i386/hidkmdf.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/vmulti/obj/dongle/vmulti/hidmapper/objchk_wxp_x86/i386/hidkmdf.obj -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/dongle/vmulti/hidmapper/objchk_wxp_x86/i386/hidkmdf.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/vmulti/obj/dongle/vmulti/hidmapper/objchk_wxp_x86/i386/hidkmdf.pdb 
-------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/dongle/vmulti/hidmapper/objchk_wxp_x86/i386/hidkmdf.res: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/vmulti/obj/dongle/vmulti/hidmapper/objchk_wxp_x86/i386/hidkmdf.res -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/dongle/vmulti/hidmapper/objchk_wxp_x86/i386/hidkmdf.sys: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/vmulti/obj/dongle/vmulti/hidmapper/objchk_wxp_x86/i386/hidkmdf.sys -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/dongle/vmulti/hidmapper/objchk_wxp_x86/i386/vc90.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/vmulti/obj/dongle/vmulti/hidmapper/objchk_wxp_x86/i386/vc90.pdb -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/dongle/vmulti/sys/objchk_wxp_x86/i386/_objects.mac: -------------------------------------------------------------------------------- 1 | 2 | 3 | 386_OBJECTS=\ 4 | $(OBJ_PATH)\$O\vmulti.obj \ 5 | 6 | 7 | _RES_FILE=$(OBJ_PATH)\$O\vmulti.res 8 | 9 | 10 | 11 | # lowercased 12 | BASEDIR=c:\winddk\7600.16385.1 13 | OBJECT_ROOT=c:\dongle\vmulti\obj 14 | MAKEDIR_LOWERCASE=c:\dongle\vmulti\sys 15 | OBJ_PATH=c:\dongle\vmulti\obj\dongle\vmulti\sys 16 | CONCURRENT_MIDL=0 17 | CONCURRENT_MANIFEST_BUILD=0 18 | 
-------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/dongle/vmulti/sys/objchk_wxp_x86/i386/vc90.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/vmulti/obj/dongle/vmulti/sys/objchk_wxp_x86/i386/vc90.pdb -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/dongle/vmulti/sys/objchk_wxp_x86/i386/vmulti.inf: -------------------------------------------------------------------------------- 1 | [Version] 2 | Signature="$CHICAGO$" 3 | Class=HIDClass 4 | ClassGuid={745a17a0-74d3-11d0-b6fe-00a0c90f57da} 5 | Provider=%VENDOR% 6 | DriverVer=07/10/2011,6.1.7600.16385 7 | CatalogFile=kmdfsamples.cat 8 | 9 | [SourceDisksFiles] 10 | vmulti.sys = 99 11 | hidkmdf.sys = 99 12 | 13 | [SourceDisksNames] 14 | 99 = %DISK_NAME%,,,"" 15 | 16 | [DestinationDirs] 17 | CopyFunctionDriver = 12 18 | 19 | [Manufacturer] 20 | %VENDOR%=Vendor, NTx86, NTx86.6.1 21 | 22 | ; For XP and later 23 | [Vendor.NTx86] 24 | %vmulti% = vmulti.Inst, HID\vmulti 25 | 26 | ; For Win7 and later so that we can use inbox HID-KMDF mapper 27 | [Vendor.NTx86.6.1] 28 | %vmulti% = vmulti.Inst.Win7, HID\vmulti 29 | 30 | ;=============================================================== 31 | ; vmulti for XP thru Vista 32 | ;=============================================================== 33 | [vmulti.Inst.NT] 34 | CopyFiles = CopyFunctionDriver 35 | 36 | [vmulti.Inst.NT.HW] 37 | AddReg = vmulti_Parameters.AddReg 38 | 39 | ; 40 | ; vmulti is the function driver and hidkmdf is the WDM HID minidriver 41 | ; 42 | [vmulti.Inst.NT.Services] 43 | AddService = hidkmdf,,hidkmdf_Service_Inst, 44 | AddService = vmulti,0x00000002, vmulti_Service_Inst 45 | 46 | [CopyFunctionDriver] 47 | hidkmdf.sys 48 | 49 | [vmulti_Parameters.AddReg] 50 | 
HKR,,"UpperFilters",0x00010000,"hidkmdf" 51 | 52 | [hidkmdf_Service_Inst] 53 | DisplayName = %hidkmdf.SVCDESC% 54 | ServiceType = 1 ; SERVICE_KERNEL_DRIVER 55 | StartType = 3 ; SERVICE_DEMAND_START 56 | ErrorControl = 1 ; SERVICE_ERROR_NORMAL 57 | ServiceBinary = %12%\hidkmdf.sys 58 | LoadOrderGroup = PNP Filter 59 | 60 | 61 | ;=============================================================== 62 | ; vmulti for Win7 63 | ; Instead of using hidkmdf.sys as a filter, use the inbox 64 | ; mshidkmdf.sys as a mapper filter 65 | ;=============================================================== 66 | [vmulti.Inst.Win7.NT] 67 | ; Just copy the driver. No need to copy other system binaries. 68 | CopyFiles = CopyFunctionDriver 69 | 70 | [vmulti.Inst.Win7.NT.HW] 71 | AddReg = vmulti_Win7_Parameters.AddReg 72 | 73 | ; 74 | ; vmulti is the function driver and mshidkmdf is the WDM HID minidriver 75 | ; 76 | [vmulti.Inst.Win7.NT.Services] 77 | AddService = vmulti,0x00000002, vmulti_Service_Inst 78 | 79 | [vmulti_Win7_Parameters.AddReg] 80 | HKR,,"UpperFilters",0x00010000,"mshidkmdf" 81 | 82 | ;=============================================================== 83 | ; Sections common to all OS versions 84 | ;=============================================================== 85 | 86 | [CopyFunctionDriver] 87 | vmulti.sys 88 | 89 | [vmulti_Service_Inst] 90 | DisplayName = %vmulti% 91 | ServiceType = %SERVICE_KERNEL_DRIVER% 92 | StartType = %SERVICE_DEMAND_START% 93 | ErrorControl = %SERVICE_ERROR_IGNORE% 94 | ServiceBinary = %12%\vmulti.sys 95 | 96 | ;================================================================ 97 | ;--- WDF Coinstaller installation ------ 98 | ; 99 | [DestinationDirs] 100 | vmulti.Inst_CoInstaller_CopyFiles = 11 101 | 102 | [vmulti.Inst.NT.CoInstallers] 103 | AddReg=vmulti.Inst_CoInstaller_AddReg 104 | CopyFiles=vmulti.Inst_CoInstaller_CopyFiles 105 | 106 | [vmulti.Inst_CoInstaller_AddReg] 107 | HKR,,CoInstallers32,0x00010000, "WdfCoInstaller01009.dll,WdfCoInstaller" 108 | 
109 | [vmulti.Inst_CoInstaller_CopyFiles] 110 | WdfCoInstaller01009.dll,,,0x00000010 ;COPYFLG_NO_OVERWRITE (for win2k) 111 | 112 | [SourceDisksFiles] 113 | WdfCoInstaller01009.dll=99 ; make sure the number matches with SourceDisksNames 114 | 115 | [vmulti.Inst.NT.Wdf] 116 | KmdfService = vmulti, vmulti_wdfsect 117 | [vmulti_wdfsect] 118 | KmdfLibraryVersion = 1.9 119 | 120 | [Strings] 121 | ; *******Localizable Strings******* 122 | VENDOR = "djpnewton@gmail.com" 123 | vmulti = "VMulti HID" 124 | DISK_NAME = "VMulti Device Install Disk" 125 | hidkmdf.SVCDESC= "Filter Driver Service for HID-KMDF Interface layer" 126 | 127 | ; *******Non Localizable Strings******* 128 | 129 | SERVICE_BOOT_START = 0x0 130 | SERVICE_SYSTEM_START = 0x1 131 | SERVICE_AUTO_START = 0x2 132 | SERVICE_DEMAND_START = 0x3 133 | SERVICE_DISABLED = 0x4 134 | 135 | SERVICE_KERNEL_DRIVER = 0x1 136 | SERVICE_ERROR_IGNORE = 0x0 137 | SERVICE_ERROR_NORMAL = 0x1 138 | SERVICE_ERROR_SEVERE = 0x2 139 | SERVICE_ERROR_CRITICAL = 0x3 140 | 141 | REG_EXPAND_SZ = 0x00020000 142 | REG_DWORD = 0x00010001 143 | REG_MULTI_SZ = 0x00010000 144 | REG_BINARY = 0x00000001 145 | REG_SZ = 0x00000000 146 | 147 | -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/dongle/vmulti/sys/objchk_wxp_x86/i386/vmulti.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/vmulti/obj/dongle/vmulti/sys/objchk_wxp_x86/i386/vmulti.obj -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/dongle/vmulti/sys/objchk_wxp_x86/i386/vmulti.obj.oacr.root.x86chk.pft.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 2 4 | 0 5 | 490vmulti.cc:\dongle\vmulti\sys\28172The function 'VMultiEvtDeviceAdd' has PAGED_CODE or 
PAGED_CODE_LOCKED but is not declared to be in a paged segment.VMultiEvtDeviceAdd49 6 | 1730vmulti.cc:\dongle\vmulti\sys\28172The function 'VMultiEvtWdmPreprocessMnQueryId' has PAGED_CODE or PAGED_CODE_LOCKED but is not declared to be in a paged segment.VMultiEvtWdmPreprocessMnQueryId173 7 | 8 | -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/dongle/vmulti/sys/objchk_wxp_x86/i386/vmulti.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/vmulti/obj/dongle/vmulti/sys/objchk_wxp_x86/i386/vmulti.pdb -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/dongle/vmulti/sys/objchk_wxp_x86/i386/vmulti.res: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/vmulti/obj/dongle/vmulti/sys/objchk_wxp_x86/i386/vmulti.res -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/dongle/vmulti/sys/objchk_wxp_x86/i386/vmulti.sys: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/vmulti/obj/dongle/vmulti/sys/objchk_wxp_x86/i386/vmulti.sys -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/dongle/vmulti/test/objchk_wxp_x86/i386/_objects.mac: -------------------------------------------------------------------------------- 1 | 2 | 3 | 386_OBJECTS=\ 4 | $(OBJ_PATH)\$O\testvmulti.obj \ 5 | 6 | 7 | _RES_FILE=$(OBJ_PATH)\$O\testvmulti.res 8 | 9 | 10 | 11 | # lowercased 12 | BASEDIR=c:\winddk\7600.16385.1 
13 | OBJECT_ROOT=c:\dongle\vmulti\obj 14 | MAKEDIR_LOWERCASE=c:\dongle\vmulti\test 15 | OBJ_PATH=c:\dongle\vmulti\obj\dongle\vmulti\test 16 | CONCURRENT_MIDL=0 17 | CONCURRENT_MANIFEST_BUILD=0 18 | -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/dongle/vmulti/test/objchk_wxp_x86/i386/testvmulti.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/vmulti/obj/dongle/vmulti/test/objchk_wxp_x86/i386/testvmulti.exe -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/dongle/vmulti/test/objchk_wxp_x86/i386/testvmulti.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/vmulti/obj/dongle/vmulti/test/objchk_wxp_x86/i386/testvmulti.obj -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/dongle/vmulti/test/objchk_wxp_x86/i386/testvmulti.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/vmulti/obj/dongle/vmulti/test/objchk_wxp_x86/i386/testvmulti.pdb -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/dongle/vmulti/test/objchk_wxp_x86/i386/testvmulti.res: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/vmulti/obj/dongle/vmulti/test/objchk_wxp_x86/i386/testvmulti.res 
-------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/dongle/vmulti/test/objchk_wxp_x86/i386/vc90.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/vmulti/obj/dongle/vmulti/test/objchk_wxp_x86/i386/vc90.pdb -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/multi/client/objchk_wxp_x86/i386/_objects.mac: -------------------------------------------------------------------------------- 1 | 2 | 3 | 386_OBJECTS=\ 4 | $(OBJ_PATH)\$O\client.obj \ 5 | 6 | 7 | 8 | 9 | 10 | # lowercased 11 | BASEDIR=c:\winddk\7600.16385.1 12 | OBJECT_ROOT=c:\multi\obj 13 | MAKEDIR_LOWERCASE=c:\multi\client 14 | OBJ_PATH=c:\multi\obj\multi\client 15 | CONCURRENT_MIDL=0 16 | CONCURRENT_MANIFEST_BUILD=0 17 | -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/multi/client/objchk_wxp_x86/i386/client.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/vmulti/obj/multi/client/objchk_wxp_x86/i386/client.obj -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/multi/client/objchk_wxp_x86/i386/vmulticlient.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/vmulti/obj/multi/client/objchk_wxp_x86/i386/vmulticlient.lib -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/multi/client/objfre_wxp_x86/i386/_objects.mac: 
-------------------------------------------------------------------------------- 1 | 2 | 3 | 386_OBJECTS=\ 4 | $(OBJ_PATH)\$O\client.obj \ 5 | 6 | 7 | 8 | 9 | 10 | # lowercased 11 | BASEDIR=c:\winddk\7600.16385.1 12 | OBJECT_ROOT=c:\multi\obj 13 | MAKEDIR_LOWERCASE=c:\multi\client 14 | OBJ_PATH=c:\multi\obj\multi\client 15 | CONCURRENT_MIDL=0 16 | CONCURRENT_MANIFEST_BUILD=0 17 | -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/multi/client/objfre_wxp_x86/i386/client.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/vmulti/obj/multi/client/objfre_wxp_x86/i386/client.obj -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/multi/client/objfre_wxp_x86/i386/vmulticlient.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/vmulti/obj/multi/client/objfre_wxp_x86/i386/vmulticlient.lib -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/multi/hidmapper/objchk_wxp_x86/i386/_objects.mac: -------------------------------------------------------------------------------- 1 | 2 | 3 | 386_OBJECTS=\ 4 | $(OBJ_PATH)\$O\hidkmdf.obj \ 5 | 6 | 7 | _RES_FILE=$(OBJ_PATH)\$O\hidkmdf.res 8 | 9 | 10 | 11 | # lowercased 12 | BASEDIR=c:\winddk\7600.16385.1 13 | OBJECT_ROOT=c:\multi\obj 14 | MAKEDIR_LOWERCASE=c:\multi\hidmapper 15 | OBJ_PATH=c:\multi\obj\multi\hidmapper 16 | CONCURRENT_MIDL=0 17 | CONCURRENT_MANIFEST_BUILD=0 18 | -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/multi/hidmapper/objchk_wxp_x86/i386/hidkmdf.obj: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/vmulti/obj/multi/hidmapper/objchk_wxp_x86/i386/hidkmdf.obj -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/multi/hidmapper/objchk_wxp_x86/i386/hidkmdf.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/vmulti/obj/multi/hidmapper/objchk_wxp_x86/i386/hidkmdf.pdb -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/multi/hidmapper/objchk_wxp_x86/i386/hidkmdf.res: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/vmulti/obj/multi/hidmapper/objchk_wxp_x86/i386/hidkmdf.res -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/multi/hidmapper/objchk_wxp_x86/i386/hidkmdf.sys: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/vmulti/obj/multi/hidmapper/objchk_wxp_x86/i386/hidkmdf.sys -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/multi/hidmapper/objchk_wxp_x86/i386/vc90.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/vmulti/obj/multi/hidmapper/objchk_wxp_x86/i386/vc90.pdb 
-------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/multi/hidmapper/objfre_wxp_x86/i386/_objects.mac: -------------------------------------------------------------------------------- 1 | 2 | 3 | 386_OBJECTS=\ 4 | $(OBJ_PATH)\$O\hidkmdf.obj \ 5 | 6 | 7 | _RES_FILE=$(OBJ_PATH)\$O\hidkmdf.res 8 | 9 | 10 | 11 | # lowercased 12 | BASEDIR=c:\winddk\7600.16385.1 13 | OBJECT_ROOT=c:\multi\obj 14 | MAKEDIR_LOWERCASE=c:\multi\hidmapper 15 | OBJ_PATH=c:\multi\obj\multi\hidmapper 16 | CONCURRENT_MIDL=0 17 | CONCURRENT_MANIFEST_BUILD=0 18 | -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/multi/hidmapper/objfre_wxp_x86/i386/hidkmdf.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/vmulti/obj/multi/hidmapper/objfre_wxp_x86/i386/hidkmdf.obj -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/multi/hidmapper/objfre_wxp_x86/i386/hidkmdf.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/vmulti/obj/multi/hidmapper/objfre_wxp_x86/i386/hidkmdf.pdb -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/multi/hidmapper/objfre_wxp_x86/i386/hidkmdf.res: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/vmulti/obj/multi/hidmapper/objfre_wxp_x86/i386/hidkmdf.res -------------------------------------------------------------------------------- 
/cyclops.dongle.me/dongle/vmulti/obj/multi/hidmapper/objfre_wxp_x86/i386/hidkmdf.sys: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/vmulti/obj/multi/hidmapper/objfre_wxp_x86/i386/hidkmdf.sys -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/multi/hidmapper/objfre_wxp_x86/i386/vc90.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/vmulti/obj/multi/hidmapper/objfre_wxp_x86/i386/vc90.pdb -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/multi/sys/objchk_wxp_x86/i386/_objects.mac: -------------------------------------------------------------------------------- 1 | 2 | 3 | 386_OBJECTS=\ 4 | $(OBJ_PATH)\$O\vmulti.obj \ 5 | 6 | 7 | _RES_FILE=$(OBJ_PATH)\$O\vmulti.res 8 | 9 | 10 | 11 | # lowercased 12 | BASEDIR=c:\winddk\7600.16385.1 13 | OBJECT_ROOT=c:\multi\obj 14 | MAKEDIR_LOWERCASE=c:\multi\sys 15 | OBJ_PATH=c:\multi\obj\multi\sys 16 | CONCURRENT_MIDL=0 17 | CONCURRENT_MANIFEST_BUILD=0 18 | -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/multi/sys/objchk_wxp_x86/i386/vc90.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/vmulti/obj/multi/sys/objchk_wxp_x86/i386/vc90.pdb -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/multi/sys/objchk_wxp_x86/i386/vmulti.inf: -------------------------------------------------------------------------------- 1 | [Version] 2 | 
Signature="$CHICAGO$" 3 | Class=HIDClass 4 | ClassGuid={745a17a0-74d3-11d0-b6fe-00a0c90f57da} 5 | Provider=%VENDOR% 6 | DriverVer=07/10/2011,6.1.7600.16385 7 | CatalogFile=kmdfsamples.cat 8 | 9 | [SourceDisksFiles] 10 | vmulti.sys = 99 11 | hidkmdf.sys = 99 12 | 13 | [SourceDisksNames] 14 | 99 = %DISK_NAME%,,,"" 15 | 16 | [DestinationDirs] 17 | CopyFunctionDriver = 12 18 | 19 | [Manufacturer] 20 | %VENDOR%=Vendor, NTx86, NTx86.6.1 21 | 22 | ; For XP and later 23 | [Vendor.NTx86] 24 | %vmulti% = vmulti.Inst, HID\vmulti 25 | 26 | ; For Win7 and later so that we can use inbox HID-KMDF mapper 27 | [Vendor.NTx86.6.1] 28 | %vmulti% = vmulti.Inst.Win7, HID\vmulti 29 | 30 | ;=============================================================== 31 | ; vmulti for XP thru Vista 32 | ;=============================================================== 33 | [vmulti.Inst.NT] 34 | CopyFiles = CopyFunctionDriver 35 | 36 | [vmulti.Inst.NT.HW] 37 | AddReg = vmulti_Parameters.AddReg 38 | 39 | ; 40 | ; vmulti is the function driver and hidkmdf is the WDM HID minidriver 41 | ; 42 | [vmulti.Inst.NT.Services] 43 | AddService = hidkmdf,,hidkmdf_Service_Inst, 44 | AddService = vmulti,0x00000002, vmulti_Service_Inst 45 | 46 | [CopyFunctionDriver] 47 | hidkmdf.sys 48 | 49 | [vmulti_Parameters.AddReg] 50 | HKR,,"UpperFilters",0x00010000,"hidkmdf" 51 | 52 | [hidkmdf_Service_Inst] 53 | DisplayName = %hidkmdf.SVCDESC% 54 | ServiceType = 1 ; SERVICE_KERNEL_DRIVER 55 | StartType = 3 ; SERVICE_DEMAND_START 56 | ErrorControl = 1 ; SERVICE_ERROR_NORMAL 57 | ServiceBinary = %12%\hidkmdf.sys 58 | LoadOrderGroup = PNP Filter 59 | 60 | 61 | ;=============================================================== 62 | ; vmulti for Win7 63 | ; Instead of using hidkmdf.sys as a filter, use the inbox 64 | ; mshidkmdf.sys as a mapper filter 65 | ;=============================================================== 66 | [vmulti.Inst.Win7.NT] 67 | ; Just copy the driver. No need to copy other system binaries. 
68 | CopyFiles = CopyFunctionDriver 69 | 70 | [vmulti.Inst.Win7.NT.HW] 71 | AddReg = vmulti_Win7_Parameters.AddReg 72 | 73 | ; 74 | ; vmulti is the function driver and mshidkmdf is the WDM HID minidriver 75 | ; 76 | [vmulti.Inst.Win7.NT.Services] 77 | AddService = vmulti,0x00000002, vmulti_Service_Inst 78 | 79 | [vmulti_Win7_Parameters.AddReg] 80 | HKR,,"UpperFilters",0x00010000,"mshidkmdf" 81 | 82 | ;=============================================================== 83 | ; Sections common to all OS versions 84 | ;=============================================================== 85 | 86 | [CopyFunctionDriver] 87 | vmulti.sys 88 | 89 | [vmulti_Service_Inst] 90 | DisplayName = %vmulti% 91 | ServiceType = %SERVICE_KERNEL_DRIVER% 92 | StartType = %SERVICE_DEMAND_START% 93 | ErrorControl = %SERVICE_ERROR_IGNORE% 94 | ServiceBinary = %12%\vmulti.sys 95 | 96 | ;================================================================ 97 | ;--- WDF Coinstaller installation ------ 98 | ; 99 | [DestinationDirs] 100 | vmulti.Inst_CoInstaller_CopyFiles = 11 101 | 102 | [vmulti.Inst.NT.CoInstallers] 103 | AddReg=vmulti.Inst_CoInstaller_AddReg 104 | CopyFiles=vmulti.Inst_CoInstaller_CopyFiles 105 | 106 | [vmulti.Inst_CoInstaller_AddReg] 107 | HKR,,CoInstallers32,0x00010000, "WdfCoInstaller01009.dll,WdfCoInstaller" 108 | 109 | [vmulti.Inst_CoInstaller_CopyFiles] 110 | WdfCoInstaller01009.dll,,,0x00000010 ;COPYFLG_NO_OVERWRITE (for win2k) 111 | 112 | [SourceDisksFiles] 113 | WdfCoInstaller01009.dll=99 ; make sure the number matches with SourceDisksNames 114 | 115 | [vmulti.Inst.NT.Wdf] 116 | KmdfService = vmulti, vmulti_wdfsect 117 | [vmulti_wdfsect] 118 | KmdfLibraryVersion = 1.9 119 | 120 | [Strings] 121 | ; *******Localizable Strings******* 122 | VENDOR = "djpnewton@gmail.com" 123 | vmulti = "VMulti HID" 124 | DISK_NAME = "VMulti Device Install Disk" 125 | hidkmdf.SVCDESC= "Filter Driver Service for HID-KMDF Interface layer" 126 | 127 | ; *******Non Localizable Strings******* 128 | 129 | 
SERVICE_BOOT_START = 0x0 130 | SERVICE_SYSTEM_START = 0x1 131 | SERVICE_AUTO_START = 0x2 132 | SERVICE_DEMAND_START = 0x3 133 | SERVICE_DISABLED = 0x4 134 | 135 | SERVICE_KERNEL_DRIVER = 0x1 136 | SERVICE_ERROR_IGNORE = 0x0 137 | SERVICE_ERROR_NORMAL = 0x1 138 | SERVICE_ERROR_SEVERE = 0x2 139 | SERVICE_ERROR_CRITICAL = 0x3 140 | 141 | REG_EXPAND_SZ = 0x00020000 142 | REG_DWORD = 0x00010001 143 | REG_MULTI_SZ = 0x00010000 144 | REG_BINARY = 0x00000001 145 | REG_SZ = 0x00000000 146 | 147 | -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/multi/sys/objchk_wxp_x86/i386/vmulti.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/vmulti/obj/multi/sys/objchk_wxp_x86/i386/vmulti.obj -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/multi/sys/objchk_wxp_x86/i386/vmulti.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/vmulti/obj/multi/sys/objchk_wxp_x86/i386/vmulti.pdb -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/multi/sys/objchk_wxp_x86/i386/vmulti.res: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/vmulti/obj/multi/sys/objchk_wxp_x86/i386/vmulti.res -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/multi/sys/objchk_wxp_x86/i386/vmulti.sys: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/vmulti/obj/multi/sys/objchk_wxp_x86/i386/vmulti.sys -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/multi/sys/objfre_wxp_x86/i386/_objects.mac: -------------------------------------------------------------------------------- 1 | 2 | 3 | 386_OBJECTS=\ 4 | $(OBJ_PATH)\$O\vmulti.obj \ 5 | 6 | 7 | _RES_FILE=$(OBJ_PATH)\$O\vmulti.res 8 | 9 | 10 | 11 | # lowercased 12 | BASEDIR=c:\winddk\7600.16385.1 13 | OBJECT_ROOT=c:\multi\obj 14 | MAKEDIR_LOWERCASE=c:\multi\sys 15 | OBJ_PATH=c:\multi\obj\multi\sys 16 | CONCURRENT_MIDL=0 17 | CONCURRENT_MANIFEST_BUILD=0 18 | -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/multi/sys/objfre_wxp_x86/i386/vc90.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/vmulti/obj/multi/sys/objfre_wxp_x86/i386/vc90.pdb -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/multi/sys/objfre_wxp_x86/i386/vmulti.inf: -------------------------------------------------------------------------------- 1 | [Version] 2 | Signature="$CHICAGO$" 3 | Class=HIDClass 4 | ClassGuid={745a17a0-74d3-11d0-b6fe-00a0c90f57da} 5 | Provider=%VENDOR% 6 | DriverVer=07/04/2011,6.1.7600.16385 7 | CatalogFile=kmdfsamples.cat 8 | 9 | [SourceDisksFiles] 10 | vmulti.sys = 99 11 | hidkmdf.sys = 99 12 | 13 | [SourceDisksNames] 14 | 99 = %DISK_NAME%,,,"" 15 | 16 | [DestinationDirs] 17 | CopyFunctionDriver = 12 18 | 19 | [Manufacturer] 20 | %VENDOR%=Vendor, NTx86, NTx86.6.1 21 | 22 | ; For XP and later 23 | [Vendor.NTx86] 24 | %vmulti% = vmulti.Inst, HID\vmulti 25 | 26 | ; For Win7 and later so that we can use inbox HID-KMDF 
mapper 27 | [Vendor.NTx86.6.1] 28 | %vmulti% = vmulti.Inst.Win7, HID\vmulti 29 | 30 | ;=============================================================== 31 | ; vmulti for XP thru Vista 32 | ;=============================================================== 33 | [vmulti.Inst.NT] 34 | CopyFiles = CopyFunctionDriver 35 | 36 | [vmulti.Inst.NT.HW] 37 | AddReg = vmulti_Parameters.AddReg 38 | 39 | ; 40 | ; vmulti is the function driver and hidkmdf is the WDM HID minidriver 41 | ; 42 | [vmulti.Inst.NT.Services] 43 | AddService = hidkmdf,,hidkmdf_Service_Inst, 44 | AddService = vmulti,0x00000002, vmulti_Service_Inst 45 | 46 | [CopyFunctionDriver] 47 | hidkmdf.sys 48 | 49 | [vmulti_Parameters.AddReg] 50 | HKR,,"UpperFilters",0x00010000,"hidkmdf" 51 | 52 | [hidkmdf_Service_Inst] 53 | DisplayName = %hidkmdf.SVCDESC% 54 | ServiceType = 1 ; SERVICE_KERNEL_DRIVER 55 | StartType = 3 ; SERVICE_DEMAND_START 56 | ErrorControl = 1 ; SERVICE_ERROR_NORMAL 57 | ServiceBinary = %12%\hidkmdf.sys 58 | LoadOrderGroup = PNP Filter 59 | 60 | 61 | ;=============================================================== 62 | ; vmulti for Win7 63 | ; Instead of using hidkmdf.sys as a filter, use the inbox 64 | ; mshidkmdf.sys as a mapper filter 65 | ;=============================================================== 66 | [vmulti.Inst.Win7.NT] 67 | ; Just copy the driver. No neeed to copy other system binaries. 
68 | CopyFiles = CopyFunctionDriver 69 | 70 | [vmulti.Inst.Win7.NT.HW] 71 | AddReg = vmulti_Win7_Parameters.AddReg 72 | 73 | ; 74 | ; vmulti is the function driver and mshidkmdf is the WDM HID minidriver 75 | ; 76 | [vmulti.Inst.Win7.NT.Services] 77 | AddService = vmulti,0x00000002, vmulti_Service_Inst 78 | 79 | [vmulti_Win7_Parameters.AddReg] 80 | HKR,,"UpperFilters",0x00010000,"mshidkmdf" 81 | 82 | ;=============================================================== 83 | ; Sections common to all OS versions 84 | ;=============================================================== 85 | 86 | [CopyFunctionDriver] 87 | vmulti.sys 88 | 89 | [vmulti_Service_Inst] 90 | DisplayName = %vmulti% 91 | ServiceType = %SERVICE_KERNEL_DRIVER% 92 | StartType = %SERVICE_DEMAND_START% 93 | ErrorControl = %SERVICE_ERROR_IGNORE% 94 | ServiceBinary = %12%\vmulti.sys 95 | 96 | ;================================================================ 97 | ;--- WDF Coinstaller installation ------ 98 | ; 99 | [DestinationDirs] 100 | vmulti.Inst_CoInstaller_CopyFiles = 11 101 | 102 | [vmulti.Inst.NT.CoInstallers] 103 | AddReg=vmulti.Inst_CoInstaller_AddReg 104 | CopyFiles=vmulti.Inst_CoInstaller_CopyFiles 105 | 106 | [vmulti.Inst_CoInstaller_AddReg] 107 | HKR,,CoInstallers32,0x00010000, "WdfCoInstaller01009.dll,WdfCoInstaller" 108 | 109 | [vmulti.Inst_CoInstaller_CopyFiles] 110 | WdfCoInstaller01009.dll,,,0x00000010 ;COPYFLG_NO_OVERWRITE (for win2k) 111 | 112 | [SourceDisksFiles] 113 | WdfCoInstaller01009.dll=99 ; make sure the number matches with SourceDisksNames 114 | 115 | [vmulti.Inst.NT.Wdf] 116 | KmdfService = vmulti, vmulti_wdfsect 117 | [vmulti_wdfsect] 118 | KmdfLibraryVersion = 1.9 119 | 120 | [Strings] 121 | ; *******Localizable Strings******* 122 | VENDOR = "djpnewton@gmail.com" 123 | vmulti = "VMulti HID" 124 | DISK_NAME = "VMulti Device Install Disk" 125 | hidkmdf.SVCDESC= "Filter Driver Service for HID-KMDF Interface layer" 126 | 127 | ; *******Non Localizable Strings******* 128 | 129 | 
SERVICE_BOOT_START = 0x0 130 | SERVICE_SYSTEM_START = 0x1 131 | SERVICE_AUTO_START = 0x2 132 | SERVICE_DEMAND_START = 0x3 133 | SERVICE_DISABLED = 0x4 134 | 135 | SERVICE_KERNEL_DRIVER = 0x1 136 | SERVICE_ERROR_IGNORE = 0x0 137 | SERVICE_ERROR_NORMAL = 0x1 138 | SERVICE_ERROR_SEVERE = 0x2 139 | SERVICE_ERROR_CRITICAL = 0x3 140 | 141 | REG_EXPAND_SZ = 0x00020000 142 | REG_DWORD = 0x00010001 143 | REG_MULTI_SZ = 0x00010000 144 | REG_BINARY = 0x00000001 145 | REG_SZ = 0x00000000 146 | 147 | -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/multi/sys/objfre_wxp_x86/i386/vmulti.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/vmulti/obj/multi/sys/objfre_wxp_x86/i386/vmulti.obj -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/multi/sys/objfre_wxp_x86/i386/vmulti.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/vmulti/obj/multi/sys/objfre_wxp_x86/i386/vmulti.pdb -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/multi/sys/objfre_wxp_x86/i386/vmulti.res: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/vmulti/obj/multi/sys/objfre_wxp_x86/i386/vmulti.res -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/multi/sys/objfre_wxp_x86/i386/vmulti.sys: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/vmulti/obj/multi/sys/objfre_wxp_x86/i386/vmulti.sys -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/multi/test/objchk_wxp_x86/i386/_objects.mac: -------------------------------------------------------------------------------- 1 | 2 | 3 | 386_OBJECTS=\ 4 | $(OBJ_PATH)\$O\testvmulti.obj \ 5 | 6 | 7 | _RES_FILE=$(OBJ_PATH)\$O\testvmulti.res 8 | 9 | 10 | 11 | # lowercased 12 | BASEDIR=c:\winddk\7600.16385.1 13 | OBJECT_ROOT=c:\multi\obj 14 | MAKEDIR_LOWERCASE=c:\multi\test 15 | OBJ_PATH=c:\multi\obj\multi\test 16 | CONCURRENT_MIDL=0 17 | CONCURRENT_MANIFEST_BUILD=0 18 | -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/multi/test/objchk_wxp_x86/i386/testvmulti.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/vmulti/obj/multi/test/objchk_wxp_x86/i386/testvmulti.exe -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/multi/test/objchk_wxp_x86/i386/testvmulti.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/vmulti/obj/multi/test/objchk_wxp_x86/i386/testvmulti.obj -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/multi/test/objchk_wxp_x86/i386/testvmulti.pdb: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/vmulti/obj/multi/test/objchk_wxp_x86/i386/testvmulti.pdb -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/multi/test/objchk_wxp_x86/i386/testvmulti.res: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/vmulti/obj/multi/test/objchk_wxp_x86/i386/testvmulti.res -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/multi/test/objchk_wxp_x86/i386/vc90.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/vmulti/obj/multi/test/objchk_wxp_x86/i386/vc90.pdb -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/multi/test/objfre_wxp_x86/i386/_objects.mac: -------------------------------------------------------------------------------- 1 | 2 | 3 | 386_OBJECTS=\ 4 | $(OBJ_PATH)\$O\testvmulti.obj \ 5 | 6 | 7 | _RES_FILE=$(OBJ_PATH)\$O\testvmulti.res 8 | 9 | 10 | 11 | # lowercased 12 | BASEDIR=c:\winddk\7600.16385.1 13 | OBJECT_ROOT=c:\multi\obj 14 | MAKEDIR_LOWERCASE=c:\multi\test 15 | OBJ_PATH=c:\multi\obj\multi\test 16 | CONCURRENT_MIDL=0 17 | CONCURRENT_MANIFEST_BUILD=0 18 | -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/multi/test/objfre_wxp_x86/i386/testvmulti.exe: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/vmulti/obj/multi/test/objfre_wxp_x86/i386/testvmulti.exe -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/multi/test/objfre_wxp_x86/i386/testvmulti.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/vmulti/obj/multi/test/objfre_wxp_x86/i386/testvmulti.obj -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/multi/test/objfre_wxp_x86/i386/testvmulti.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/vmulti/obj/multi/test/objfre_wxp_x86/i386/testvmulti.pdb -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/multi/test/objfre_wxp_x86/i386/testvmulti.res: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/vmulti/obj/multi/test/objfre_wxp_x86/i386/testvmulti.res -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/obj/multi/test/objfre_wxp_x86/i386/vc90.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/cyclops.dongle.me/dongle/vmulti/obj/multi/test/objfre_wxp_x86/i386/vc90.pdb -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/sys/makefile: 
-------------------------------------------------------------------------------- 1 | ############################################################################# 2 | # 3 | # Copyright (C) Microsoft Corporation 1995 - 1998 4 | # All Rights Reserved. 5 | # 6 | # MAKEFILE for HIDGAME directory 7 | # 8 | ############################################################################# 9 | 10 | 11 | # 12 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source 13 | # file to this component. This file merely indirects to the real make file 14 | # that is shared by all the driver components of the Windows NT DDK 15 | # 16 | 17 | !INCLUDE $(NTMAKEENV)\makefile.def 18 | 19 | 20 | -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/sys/makefile.inc: -------------------------------------------------------------------------------- 1 | _LNG=$(LANGUAGE) 2 | _INX=. 3 | STAMP=stampinf -f $@ -a $(_BUILDARCH) -k $(KMDF_VERSION_MAJOR).$(KMDF_VERSION_MINOR) 4 | 5 | 6 | $(OBJ_PATH)\$O\$(INF_NAME).inf: $(_INX)\$(INF_NAME).inx 7 | copy $(_INX)\$(@B).inx $@ 8 | $(STAMP) 9 | 10 | -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/sys/sources: -------------------------------------------------------------------------------- 1 | TARGETNAME=vmulti 2 | TARGETTYPE=DRIVER 3 | 4 | KMDF_VERSION_MAJOR=1 5 | 6 | TARGETLIBS=$(DDK_LIB_PATH)\hidclass.lib \ 7 | $(DDK_LIB_PATH)\ntstrsafe.lib 8 | 9 | INCLUDES=..\inc 10 | 11 | SOURCES= \ 12 | vmulti.c \ 13 | vmulti.rc \ 14 | 15 | INF_NAME=vmulti 16 | NTTARGETFILE0=$(OBJ_PATH)\$(O)\$(INF_NAME).inf 17 | PASS0_BINPLACE=$(NTTARGETFILE0) 18 | 19 | TARGET_DESTINATION=bin 20 | 21 | # Temporarily excuse usage of serviceability impairing macros in code... 
22 | ALLOW_DATE_TIME=1 23 | 24 | -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/sys/vmulti.inx: -------------------------------------------------------------------------------- 1 | [Version] 2 | Signature="$CHICAGO$" 3 | Class=HIDClass 4 | ClassGuid={745a17a0-74d3-11d0-b6fe-00a0c90f57da} 5 | Provider=%VENDOR% 6 | DriverVer=01/10/2007,1.0.0.0 7 | CatalogFile=kmdfsamples.cat 8 | 9 | [SourceDisksFiles] 10 | vmulti.sys = 99 11 | hidkmdf.sys = 99 12 | 13 | [SourceDisksNames] 14 | 99 = %DISK_NAME%,,,"" 15 | 16 | [DestinationDirs] 17 | CopyFunctionDriver = 12 18 | 19 | [Manufacturer] 20 | %VENDOR%=Vendor, NT$ARCH$, NT$ARCH$.6.1 21 | 22 | ; For XP and later 23 | [Vendor.NT$ARCH$] 24 | %vmulti% = vmulti.Inst, HID\vmulti 25 | 26 | ; For Win7 and later so that we can use inbox HID-KMDF mapper 27 | [Vendor.NT$ARCH$.6.1] 28 | %vmulti% = vmulti.Inst.Win7, HID\vmulti 29 | 30 | ;=============================================================== 31 | ; vmulti for XP thru Vista 32 | ;=============================================================== 33 | [vmulti.Inst.NT] 34 | CopyFiles = CopyFunctionDriver 35 | 36 | [vmulti.Inst.NT.HW] 37 | AddReg = vmulti_Parameters.AddReg 38 | 39 | ; 40 | ; vmulti is the function driver and hidkmdf is the WDM HID minidriver 41 | ; 42 | [vmulti.Inst.NT.Services] 43 | AddService = hidkmdf,,hidkmdf_Service_Inst, 44 | AddService = vmulti,0x00000002, vmulti_Service_Inst 45 | 46 | [CopyFunctionDriver] 47 | hidkmdf.sys 48 | 49 | [vmulti_Parameters.AddReg] 50 | HKR,,"UpperFilters",0x00010000,"hidkmdf" 51 | 52 | [hidkmdf_Service_Inst] 53 | DisplayName = %hidkmdf.SVCDESC% 54 | ServiceType = 1 ; SERVICE_KERNEL_DRIVER 55 | StartType = 3 ; SERVICE_DEMAND_START 56 | ErrorControl = 1 ; SERVICE_ERROR_NORMAL 57 | ServiceBinary = %12%\hidkmdf.sys 58 | LoadOrderGroup = PNP Filter 59 | 60 | 61 | ;=============================================================== 62 | ; vmulti for Win7 63 | ; Instead of using 
hidkmdf.sys as a filter, use the inbox 64 | ; mshidkmdf.sys as a mapper filter 65 | ;=============================================================== 66 | [vmulti.Inst.Win7.NT] 67 | ; Just copy the driver. No neeed to copy other system binaries. 68 | CopyFiles = CopyFunctionDriver 69 | 70 | [vmulti.Inst.Win7.NT.HW] 71 | AddReg = vmulti_Win7_Parameters.AddReg 72 | 73 | ; 74 | ; vmulti is the function driver and mshidkmdf is the WDM HID minidriver 75 | ; 76 | [vmulti.Inst.Win7.NT.Services] 77 | AddService = vmulti,0x00000002, vmulti_Service_Inst 78 | 79 | [vmulti_Win7_Parameters.AddReg] 80 | HKR,,"UpperFilters",0x00010000,"mshidkmdf" 81 | 82 | ;=============================================================== 83 | ; Sections common to all OS versions 84 | ;=============================================================== 85 | 86 | [CopyFunctionDriver] 87 | vmulti.sys 88 | 89 | [vmulti_Service_Inst] 90 | DisplayName = %vmulti% 91 | ServiceType = %SERVICE_KERNEL_DRIVER% 92 | StartType = %SERVICE_DEMAND_START% 93 | ErrorControl = %SERVICE_ERROR_IGNORE% 94 | ServiceBinary = %12%\vmulti.sys 95 | 96 | ;================================================================ 97 | ;--- WDF Coinstaller installation ------ 98 | ; 99 | [DestinationDirs] 100 | vmulti.Inst_CoInstaller_CopyFiles = 11 101 | 102 | [vmulti.Inst.NT.CoInstallers] 103 | AddReg=vmulti.Inst_CoInstaller_AddReg 104 | CopyFiles=vmulti.Inst_CoInstaller_CopyFiles 105 | 106 | [vmulti.Inst_CoInstaller_AddReg] 107 | HKR,,CoInstallers32,0x00010000, "WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll,WdfCoInstaller" 108 | 109 | [vmulti.Inst_CoInstaller_CopyFiles] 110 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll,,,0x00000010 ;COPYFLG_NO_OVERWRITE (for win2k) 111 | 112 | [SourceDisksFiles] 113 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll=99 ; make sure the number matches with SourceDisksNames 114 | 115 | [vmulti.Inst.NT.Wdf] 116 | KmdfService = vmulti, vmulti_wdfsect 117 | [vmulti_wdfsect] 118 | KmdfLibraryVersion = $KMDFVERSION$ 119 | 
120 | [Strings] 121 | ; *******Localizable Strings******* 122 | VENDOR = "djpnewton@gmail.com" 123 | vmulti = "VMulti HID" 124 | DISK_NAME = "VMulti Device Install Disk" 125 | hidkmdf.SVCDESC= "Filter Driver Service for HID-KMDF Interface layer" 126 | 127 | ; *******Non Localizable Strings******* 128 | 129 | SERVICE_BOOT_START = 0x0 130 | SERVICE_SYSTEM_START = 0x1 131 | SERVICE_AUTO_START = 0x2 132 | SERVICE_DEMAND_START = 0x3 133 | SERVICE_DISABLED = 0x4 134 | 135 | SERVICE_KERNEL_DRIVER = 0x1 136 | SERVICE_ERROR_IGNORE = 0x0 137 | SERVICE_ERROR_NORMAL = 0x1 138 | SERVICE_ERROR_SEVERE = 0x2 139 | SERVICE_ERROR_CRITICAL = 0x3 140 | 141 | REG_EXPAND_SZ = 0x00020000 142 | REG_DWORD = 0x00010001 143 | REG_MULTI_SZ = 0x00010000 144 | REG_BINARY = 0x00000001 145 | REG_SZ = 0x00000000 146 | 147 | -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/sys/vmulti.rc: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #include 4 | 5 | #define VER_FILETYPE VFT_DRV 6 | #define VER_FILESUBTYPE VFT2_DRV_SYSTEM 7 | #define VER_FILEDESCRIPTION_STR "HID mini driver for Virtual Multitouch Device" 8 | #define VER_INTERNALNAME_STR "vmulti.sys" 9 | 10 | #include "common.ver" 11 | 12 | 13 | -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/test/makefile: -------------------------------------------------------------------------------- 1 | # 2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source 3 | # file to this component. 
This file merely indirects to the real make file 4 | # that is shared by all the driver components of the Windows NT DDK 5 | # 6 | 7 | !INCLUDE $(NTMAKEENV)\makefile.def 8 | 9 | 10 | 11 | 12 | -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/test/sources: -------------------------------------------------------------------------------- 1 | TARGETNAME=testvmulti 2 | TARGETTYPE=PROGRAM 3 | USE_MSVCRT=1 4 | 5 | TARGETLIBS=$(SDK_LIB_PATH)\hid.lib \ 6 | $(SDK_LIB_PATH)\setupapi.lib \ 7 | $(SDK_LIB_PATH)\comdlg32.lib \ 8 | $(OBJ_PATH)\..\client\$(O)\vmulticlient.lib 9 | 10 | SOURCES=testvmulti.c testvmulti.rc 11 | 12 | INCLUDES=..\inc 13 | 14 | UMTYPE=console 15 | UMBASE=0x400000 16 | 17 | TARGET_DESTINATION=bin 18 | 19 | _NT_TARGET_VERSION= $(_NT_TARGET_VERSION_WINXP) 20 | 21 | 22 | 23 | -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/test/testvmulti.cbp: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 55 | 56 | -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/test/testvmulti.rc: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #include 4 | 5 | #define VER_FILETYPE VFT_APP 6 | #define VER_FILESUBTYPE VFT2_UNKNOWN 7 | #define VER_FILEDESCRIPTION_STR "Test Program for virtual multitouch (vmulti.sys) driver" 8 | #define VER_INTERNALNAME_STR "testvmulti.exe" 9 | #define VER_ORIGINALFILENAME_STR "testvmulti.exe" 10 | 11 | #include 12 | 13 | 14 | -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/test/testvmulti.vcproj: -------------------------------------------------------------------------------- 1 | 2 | 11 | 12 | 15 | 16 | 17 | 18 | 19 | 26 | 29 | 32 | 35 | 38 | 41 | 53 | 56 | 59 | 62 | 71 | 74 | 77 | 80 | 83 | 86 
| 89 | 92 | 93 | 101 | 104 | 107 | 110 | 113 | 116 | 128 | 131 | 134 | 137 | 148 | 151 | 154 | 157 | 160 | 163 | 166 | 169 | 170 | 171 | 172 | 173 | 174 | 179 | 182 | 183 | 184 | 189 | 190 | 195 | 196 | 197 | 198 | 199 | 200 | -------------------------------------------------------------------------------- /cyclops.dongle.me/dongle/vmulti/vmulticlient.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 10.00 3 | # Visual Studio 2008 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "vmulticlient", "client\vmulticlient.vcproj", "{CA3F49EF-F69C-46A0-A6BF-84F477255A5C}" 5 | EndProject 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "testvmulti", "test\testvmulti.vcproj", "{8FB721A1-8820-45BF-AB35-978FADA6C188}" 7 | ProjectSection(ProjectDependencies) = postProject 8 | {CA3F49EF-F69C-46A0-A6BF-84F477255A5C} = {CA3F49EF-F69C-46A0-A6BF-84F477255A5C} 9 | EndProjectSection 10 | EndProject 11 | Global 12 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 13 | Debug|Win32 = Debug|Win32 14 | Release|Win32 = Release|Win32 15 | EndGlobalSection 16 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 17 | {CA3F49EF-F69C-46A0-A6BF-84F477255A5C}.Debug|Win32.ActiveCfg = Debug|Win32 18 | {CA3F49EF-F69C-46A0-A6BF-84F477255A5C}.Debug|Win32.Build.0 = Debug|Win32 19 | {CA3F49EF-F69C-46A0-A6BF-84F477255A5C}.Release|Win32.ActiveCfg = Release|Win32 20 | {CA3F49EF-F69C-46A0-A6BF-84F477255A5C}.Release|Win32.Build.0 = Release|Win32 21 | {8FB721A1-8820-45BF-AB35-978FADA6C188}.Debug|Win32.ActiveCfg = Debug|Win32 22 | {8FB721A1-8820-45BF-AB35-978FADA6C188}.Debug|Win32.Build.0 = Debug|Win32 23 | {8FB721A1-8820-45BF-AB35-978FADA6C188}.Release|Win32.ActiveCfg = Release|Win32 24 | {8FB721A1-8820-45BF-AB35-978FADA6C188}.Release|Win32.Build.0 = Release|Win32 25 | EndGlobalSection 26 | GlobalSection(SolutionProperties) = preSolution 27 | HideSolutionNode = FALSE 28 | 
EndGlobalSection 29 | EndGlobal 30 | -------------------------------------------------------------------------------- /dcoder.keygenme2/keygenme2.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/dcoder.keygenme2/keygenme2.exe -------------------------------------------------------------------------------- /dcoder.keygenme2/kgn/README: -------------------------------------------------------------------------------- 1 | Keygen for Keygenme 2 by Dcoder 2 | ------------------------------- 3 | 4 | To compile, run make. You will need: 5 | - FLINT (www.flintlib.org) 6 | - MPIR/MPFR (dependencies for FLINT) 7 | 8 | It should compile without any warnings (tested on Ubuntu 11.04). 9 | 10 | Compiled files are: 11 | * keygen - run ./keygen name to get the serial for name 12 | * lambda - implementation of Pollard's lambda (kangaroo) algorithm. 13 | It should find the DLOG in <1h on a modern (2GHz) processor. 
14 | 15 | pa_kt 16 | twitter.com/pa_kt 17 | gdtr.wordpress.com 18 | -------------------------------------------------------------------------------- /dcoder.keygenme2/kgn/keygen.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | //flint 7 | #include 8 | 9 | extern void hash_mix(int x); 10 | 11 | #define ROR(x,shift) (x >> shift) | (x << (32 - shift)) 12 | #define ROL(x,shift) (x << shift) | (x >> (32 - shift)) 13 | 14 | void encode_serial(unsigned int *a1, unsigned int *a2, unsigned int *a3, unsigned int *a4, int rounds){ 15 | int c; 16 | 17 | c = rounds; 18 | do { 19 | *a4 += *a3; 20 | *a1 = *a1 ^ *a4; 21 | *a1 = ROL(*a1, 16); 22 | 23 | *a2 += *a1; 24 | *a3 = *a3 ^ *a2; 25 | *a3 = ROL(*a3, 12); 26 | 27 | *a4 += *a3; 28 | *a1 = *a1 ^ *a4; 29 | *a1 = ROL(*a1, 8); 30 | 31 | *a2 += *a1; 32 | *a3 = *a3 ^ *a2; 33 | *a3 = ROL(*a3, 7); 34 | c--; 35 | }while(c); 36 | } 37 | 38 | void decode_serial(unsigned int *a1, unsigned int *a2, unsigned int *a3, unsigned int *a4, int rounds) 39 | { 40 | unsigned int v4; // edi@2 41 | unsigned int v5; // edi@2 42 | unsigned int v6; // edi@2 43 | unsigned int v7; // edi@2 44 | unsigned int v8; // [sp+8h] [bp-4h]@1 45 | 46 | v8 = rounds; 47 | do 48 | { 49 | v4 = ROR(*a3, 7); 50 | *a3 = v4; 51 | *a3 = v4 ^ *a2; 52 | *a2 -= *a1; 53 | v5 = ROR(*a1, 8); 54 | *a1 = v5; 55 | *a1 = v5 ^ *a4; 56 | *a4 -= *a3; 57 | v6 = ROR(*a3, 12); 58 | *a3 = v6; 59 | *a3 = v6 ^ *a2; 60 | *a2 -= *a1; 61 | v7 = ROR(*a1, 16); 62 | *a1 = v7; 63 | *a1 = v7 ^ *a4; 64 | *a4 -= *a3; 65 | --v8; 66 | } 67 | while ( v8 ); 68 | 69 | } 70 | 71 | // ripped from crackme 72 | void hash(char *name, char *out){ 73 | unsigned int hash_buf[128/4]; 74 | int i; 75 | int name_len, v15, name_len_masked, v18, tmp; 76 | char *name_ptr; 77 | int *v80; 78 | 79 | memset(hash_buf, 0, 128); 80 | 81 | hash_buf[0] = 8; 82 | hash_buf[1] = 1; 83 | hash_buf[2] = 8; 84 | i = 10; 85 | do{ 86 | 
hash_mix((int)&hash_buf[-1]); 87 | --i; 88 | }while(i); 89 | 90 | /* 91 | printf("first 4 dwords:\n"); 92 | printf("%08x %08x %08x %08x\n", hash_buf[0], hash_buf[1], hash_buf[2], hash_buf[3]); 93 | */ 94 | //e0432a5b fc8d8d58 bd65b19c 667eaf03 95 | 96 | v80 = (int*)hash_buf; 97 | v15 = 0; 98 | tmp = 0; 99 | name_len = strlen(name); 100 | name_ptr = name; 101 | v18 = 8 * name_len; 102 | if ( 8 * name_len >= 8 ) 103 | { 104 | name_len_masked = name_len & 0x1FFFFFFF; 105 | do 106 | { 107 | v18 -= 8; 108 | v80[v15 >> 5] ^= (unsigned char)*name_ptr << 8 * ((v15 >> 3) & 3); 109 | v15 = tmp + 8; 110 | ++name_ptr; 111 | tmp = v15; 112 | if ( v15 == 8 ) 113 | { 114 | hash_mix((int)&hash_buf[-1]); 115 | v15 = 0; 116 | tmp = 0; 117 | } 118 | --name_len_masked; 119 | } 120 | while ( name_len_masked ); 121 | } 122 | if ( v18 ) 123 | { 124 | v80[v15 >> 5] ^= (unsigned char)*name_ptr << 8 * ((v15 >> 3) & 3); 125 | tmp += v18; 126 | } 127 | 128 | //hash_copy_8bytes 129 | hash_buf[0] ^= 0x80; 130 | hash_mix((int)&hash_buf[-1]); 131 | hash_buf[31] ^= 1; 132 | i = 10; 133 | do{ 134 | hash_mix((int)&hash_buf[-1]); 135 | --i; 136 | }while(i); 137 | 138 | for(i=0;i<8;i++){ 139 | out[i] = ((char*)hash_buf)[i]; 140 | } 141 | } 142 | 143 | void split(fmpz_t x, unsigned int *lo, unsigned *hi){ 144 | char s[64]; 145 | uint64_t y; 146 | 147 | fmpz_get_str(s, 10, x); 148 | sscanf(s, "%"PRIu64"", &y); 149 | *lo = y & 0xffffffff; 150 | *hi = y >> (uint64_t)32; 151 | } 152 | 153 | void emit_sig(uint64_t hash_u, uint *sn12_lo, uint *sn12_hi, uint *sn34_lo, uint *sn34_hi){ 154 | char hash_str[64]; 155 | fmpz_t sn12, sn34, hash, a, k, dlog, order; 156 | 157 | fmpz_init(sn12); 158 | fmpz_init(sn34); 159 | fmpz_init(hash); 160 | fmpz_init(a); 161 | fmpz_init(k); 162 | fmpz_init(dlog); 163 | fmpz_init(order); 164 | 165 | //k=0x1122334455 166 | fmpz_set_str(k, "73588229205", 10); 167 | fmpz_set_str(a, "4297910449086477", 10); 168 | fmpz_set_str(dlog, "3414275298009790", 10); 169 | fmpz_set_str(order, 
"4518471260972087", 10); 170 | 171 | sprintf(hash_str, "%" PRIu64 "", hash_u); 172 | //printf("hash=%s\n", hash_str); 173 | fmpz_set_str(hash, hash_str, 10); 174 | fmpz_mod(hash, hash, order); 175 | 176 | /* 177 | fmpz_print(hash); 178 | printf("\n"); 179 | //sn34 = ((k_rand-hash-a)*dlog)%order 180 | */ 181 | 182 | fmpz_sub(sn34, k, hash); 183 | fmpz_sub(sn34, sn34, a); 184 | fmpz_mul(sn34, sn34, dlog); 185 | fmpz_mod(sn34, sn34, order); 186 | 187 | /* 188 | printf("sn34="); 189 | fmpz_print(sn34); 190 | printf("\n"); 191 | */ 192 | 193 | //sn12 = (hash+a)%order 194 | fmpz_add(sn12, hash, a); 195 | fmpz_mod(sn12, sn12, order); 196 | 197 | /* 198 | printf("sn12="); 199 | fmpz_print(sn12); 200 | printf("\n"); 201 | */ 202 | 203 | split(sn12, sn12_lo, sn12_hi); 204 | split(sn34, sn34_lo, sn34_hi); 205 | 206 | fmpz_clear(sn12); 207 | fmpz_clear(sn34); 208 | fmpz_clear(hash); 209 | fmpz_clear(a); 210 | fmpz_clear(k); 211 | fmpz_clear(dlog); 212 | fmpz_clear(order); 213 | } 214 | 215 | int main(int argc, char *argv[]){ 216 | unsigned int a1, a2, a3, a4; 217 | //unsigned int tab[]={0x0005ffb7, 0xca2ab634, 0x0005f4b3, 0x7f1418c2}; 218 | unsigned int name_hash[2]; 219 | uint64_t hash64; 220 | 221 | if(argc<2){ 222 | printf("%s \n", argv[0]); 223 | return 1; 224 | } 225 | 226 | hash(argv[1], (char*)name_hash); 227 | 228 | hash64 = ((uint64_t)name_hash[1]<<32) + (uint64_t)name_hash[0]; 229 | emit_sig(hash64, &a1, &a2, &a3, &a4); 230 | encode_serial(&a4, &a3, &a2, &a1, 32); 231 | 232 | printf("%08X%08X%08X%08X\n", a1, a2, a3, a4); 233 | 234 | return 0; 235 | } 236 | 237 | -------------------------------------------------------------------------------- /dcoder.keygenme2/kgn/makefile: -------------------------------------------------------------------------------- 1 | 2 | all: lambda.c keygen.c hash.o 3 | gcc -Wall -O3 -o lambda lambda.c -lflint -lmpir -lmpfr 4 | gcc -Wall -o keygen keygen.c hash.o -lflint -lmpir -lmpfr 5 | 6 | hash.o: hash.asm 7 | nasm -f elf hash.asm -o hash.o 
8 | 9 | clean: 10 | rm *.o keygen lambda 11 | -------------------------------------------------------------------------------- /dcoder.keygenme2/readme.txt: -------------------------------------------------------------------------------- 1 | KeygenME #2 by Dcoder 2 | --------------------- 3 | 4 | In this crackme, your mission will be to produce a working key generator 5 | that will make the crackme go "Good!". 6 | 7 | Only keygen is a valid solution! -------------------------------------------------------------------------------- /dcoder.keygenme3/4sum.py: -------------------------------------------------------------------------------- 1 | import random as rnd 2 | 3 | N = 32 4 | M = 1<> (64 - s)); 7 | } 8 | 9 | 10 | static inline void sipround(uint64_t* v0, uint64_t* v1, uint64_t* v2, uint64_t* v3) 11 | { 12 | *v0 += *v1; 13 | *v1 = rotl64(*v1, 13); 14 | *v1 ^= *v0; 15 | *v0 = rotl64(*v0, 32); 16 | 17 | *v2 += *v3; 18 | *v3 = rotl64(*v3, 16); 19 | *v3 ^= *v2; 20 | 21 | *v2 += *v1; 22 | *v1 = rotl64(*v1, 17); 23 | *v1 ^= *v2; 24 | *v2 = rotl64(*v2, 32); 25 | 26 | *v0 += *v3; 27 | *v3 = rotl64(*v3, 21); 28 | *v3 ^= *v0; 29 | } 30 | 31 | 32 | static inline void sipcompress2(uint64_t* v0, uint64_t* v1, uint64_t* v2, uint64_t* v3, uint64_t m) 33 | { 34 | *v3 ^= m; 35 | 36 | sipround(v0, v1, v2, v3); 37 | sipround(v0, v1, v2, v3); 38 | 39 | *v0 ^= m; 40 | } 41 | 42 | 43 | static inline uint64_t get64le(void const* data, size_t ix) 44 | { 45 | uint8_t const* p = (uint8_t const*)data + ix * 8; 46 | uint64_t ret = 0; 47 | 48 | for (size_t i = 0; i < 8; ++i) { 49 | ret |= (uint64_t)p[i] << (i * 8); 50 | } 51 | 52 | return ret; 53 | } 54 | 55 | 56 | static inline void put64le(uint64_t v, void* out) 57 | { 58 | uint8_t* p = (uint8_t*)out; 59 | 60 | for (size_t i = 0; i < 8; ++i) { 61 | p[i] = (uint8_t)(v >> (i * 8)); 62 | } 63 | } 64 | 65 | 66 | static inline uint8_t get8(void const* data, size_t ix) 67 | { 68 | return *((uint8_t const*)data + ix); 69 | } 70 | 71 | 72 | static 
inline uint64_t siplast(void const* data, size_t size) 73 | { 74 | uint64_t last = 0; 75 | 76 | for (size_t i = 0; i < size % 8; ++i) { 77 | last |= (uint64_t)get8(data, size / 8 * 8 + i) << (i * 8); 78 | } 79 | last |= (uint64_t)(size % 0xff) << (7 * 8); 80 | 81 | return last; 82 | } 83 | 84 | 85 | void siphash24(uint8_t const* key, void const* data, size_t size, uint8_t* out) 86 | { 87 | uint64_t key0 = get64le(key, 0); 88 | uint64_t key1 = get64le(key, 1); 89 | 90 | uint64_t v0 = key0 ^ 0x736f6d6570736575ull; 91 | uint64_t v1 = key1 ^ 0x646f72616e646f6dull; 92 | uint64_t v2 = key0 ^ 0x6c7967656e657261ull; 93 | uint64_t v3 = key1 ^ 0x7465646279746573ull; 94 | 95 | for (size_t i = 0; i < size / 8; ++i) { 96 | sipcompress2(&v0, &v1, &v2, &v3, get64le(data, i)); 97 | } 98 | sipcompress2(&v0, &v1, &v2, &v3, siplast(data, size)); 99 | 100 | v2 ^= 0xff; 101 | 102 | sipround(&v0, &v1, &v2, &v3); 103 | sipround(&v0, &v1, &v2, &v3); 104 | sipround(&v0, &v1, &v2, &v3); 105 | sipround(&v0, &v1, &v2, &v3); 106 | 107 | put64le(v0 ^ v1 ^ v2 ^ v3, out); 108 | } 109 | 110 | -------------------------------------------------------------------------------- /dcoder.keygenme3/siphash.h: -------------------------------------------------------------------------------- 1 | #ifndef __SIPHASH_H__ 2 | #define __SIPHASH_H__ 3 | 4 | #include 5 | #include 6 | 7 | 8 | void siphash24(uint8_t const* key16, void const* data, size_t size, uint8_t* out8); 9 | 10 | 11 | #endif 12 | 13 | -------------------------------------------------------------------------------- /phdays.2012/README: -------------------------------------------------------------------------------- 1 | Crackme from "best reverser" contest held during PHDays 2012 2 | (http://phdays.com/program/contests/#6323). Only one person provided an 3 | incomplete solution (Mr. Skylarov). The problem was that the crackme has a bug 4 | in the second stage (uninitialized stack variable). 
5 | 6 | I solved the first stage in time, but figured I wouldn't be able to finish 7 | stage2 before the deadline, so I didn't even analyze it and did not submit 8 | my partial solution. 9 | 10 | The ESET crackme released during BlackHat 2012 is a modified version of this 11 | one. The only difference is that the bug was fixed and the stages are swapped 12 | :P. 13 | 14 | I ran the BH crackme under a debugger just a few times and completely missed 15 | the part where a stack pointer is overwritten -- I guess I implicitly assumed 16 | that this kind of solution would be considered "patching". Lesson: some 17 | authors don't allow in-memory modifications, others do :P. 18 | -------------------------------------------------------------------------------- /phdays.2012/bh.2012.crackme.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/phdays.2012/bh.2012.crackme.exe -------------------------------------------------------------------------------- /phdays.2012/phdays.2012.cm.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/phdays.2012/phdays.2012.cm.zip -------------------------------------------------------------------------------- /phdays.2012/solver.py: -------------------------------------------------------------------------------- 1 | import itertools as it 2 | from z3 import * 3 | 4 | SEED = 0x48AEEFD486289CFB 5 | TAPS = 0x9B1ADEDF847D3481 6 | MASK=(1<<64)-1 7 | 8 | def possible_buttons(): 9 | possible_taps = [] 10 | for i in range(16): 11 | tap = (1+29*i)%64 12 | possible_taps.append(tap) 13 | return possible_taps 14 | 15 | def idx_set(x, idx): 16 | return (x&(1<>idx 17 | 18 | def to_bits(x): 19 | idx = 63 20 | o = [] 21 | while idx>=0: 22 | o.append(idx_set(x,idx)) 23 | idx = idx - 1 24 | return o 25 | 26 | def idx2button(idx): 27 | 
for i in range(16): 28 | if (1+29*i)%64==idx: 29 | return i 30 | assert(False) 31 | 32 | def solve2(seed, final, rounds): 33 | buttons = possible_buttons() 34 | buttons_bvs = map(lambda i: (i,BitVecVal(1<>1 95 | i += 1 96 | return bits 97 | 98 | if __name__=="__main__": 99 | final1 = 0xe7fd097289cbb591 100 | final2 = 0xe7fd097289cbef79 101 | #solve_with_z3(seed1) 102 | o = final1 103 | rounds = 22 104 | key = solve2(SEED, o, rounds) 105 | 106 | print key 107 | s = map(lambda x: hex(x).replace("0x", ""), key) 108 | print "".join(s) 109 | 110 | -------------------------------------------------------------------------------- /phdays.2012/tab.py: -------------------------------------------------------------------------------- 1 | TAB = [0x1,0x7e,0x82,0xea,0x40,0x4c,0xee,0x80,0x4,0x83,0x69,0xf0,0x1,0x38,0xe3,0x10,0x10,0x88,0x21,0xcc,0x47,0x48,0x84,0xa8,0x20,0x46,0x8,0x7,0x96,0xcb,0x84,0x5d,0x80,0x42,0x5a,0x15,0x55,0xb,0x2,0x38,0x4000000000L,0x66c4a7fbbL,0xaa7412dff1L,0xfea52fe28L,0x90002409b3L,0x801c1eb58bL,0x1036e8c80bL,0x2dd4da7318L,0x200,0x20,0x1a0,0x8a,0x25,0xcb,0xfd,0x135,0x400,0x173,0x26d,0xc1,0x164,0xa7,0x195,0x12f,0x20000000000L,0xbf8b2dbb7cL,0x14f1522b7cL,0x913c2e77b4L,0x15fbf3b342L,0x137fd0a9394L,0x382d81a7ecL,0x11f6790c299L,0x2,0xdd,0xb1,0x89,0xf4,0x91,0x14,0x68,0x4000000,0x202e236,0x10bd072,0x10beff3,0x3de7236,0x2511f6b,0x2881b29,0xea6b36,0x2000,0x1105,0x1cb8,0xa74,0x1f3c,0x1c72,0x3f6,0x1ccf,0x4000,0x221e,0xacf,0x375c,0xe90,0x2050,0x26b6,0x462,0x10000,0x6ca49f,0x7951,0xf44f84,0x86ba04,0xfc5e97,0xf61ddf,0xf2589b,0x40000,0xe3a0cb,0x6325bc,0xca6af9,0x3a13e9,0xbd52d,0x2e67c,0x7212ab,0x100000,0xabd7e6,0x887a21,0x4da0f3,0xc317bd,0x424f6f,0xe34ac8,0xcd824e,0x200000,0x96c335,0x8de448,0x88002b,0x55547e,0x58f42f,0x85aca7,0xcbd1bc,0x800,0x553,0x636,0x769,0x29a,0x464,0x26a,0x49f,0x800000,0x1b0042,0x4de06a,0x483b18,0x5b7ec2,0x7f04c6,0x7d58f5,0x200264,0x1000000,0xb71c90,0xbcef31,0xd2eabd,0xfc56cd,0x24fd98,0xe77301,0xf5979c,0x2000000,0x163f03d,0x15241f0,0x1b911c1,0x86810b,0
x2650ea,0x99e12d,0xbfb329,0x20000,0x9c1d9f,0x3d76bb,0xb8e929,0x71fca2,0x21e5e2,0xd9111c,0x64392c,0x8000000,0x214b911,0x182e4ca,0x76c4cfc,0x735f54a,0x1c900d2,0x4b5e934,0x568df5b,0x8,0xd2,0x14,0x30,0x80,0x64,0xd4,0x40,0x4000000000000000L,0xc99f1e25aced91L,0x7ab70ee0c9a4f44L,0xfef5fc2082a2ca2L,0x707dea047ff9416L,0x4c14f67b79987d2L,0xe7e1958486fc41fL,0xe1e9c01d06a5076L,0x2000000000000L,0xb53f39f4b640d7L,0xb40ac6340d14a5L,0xe91c610319f87dL,0x84386c7ac45fd5L,0x30bbc0816d9884L,0xbc652fd3c59c3eL,0xbdb3a5c35cc2f5L,0x20000000,0x67d4a4b,0x1fe6e1f9,0xf4ea994,0x10c02c7a,0x1633dcb3,0x1a4635ec,0x6bab334,0x40000000,0x29b23a8,0x7e09222,0x32c48a90,0x2c3feddf,0x2f986ca2,0x2d7edae7,0x39c4df7,0x80000000L,0x54f1a048,0x1c5122db,0x4d443f03,0x6cfcc69c,0x20e386e7,0x60602cb1,0x76bba3a9,0x40000000000000L,0x3e1978f4c31d5aL,0x972c45b41828dfL,0xa58c0df7cff9aL,0x3ed40d7695907eL,0xb7aee22a57c4b8L,0x1158936d86f0daL,0x3a3e7af5eee1bL,0x400000,0xab59f3,0xa7c499,0xb8024,0x293ae3,0x256c1d,0xa162a8,0x3ec473,0x1000,0xdb4,0x814,0x43c,0x28a,0xa90,0x7f7,0xb60,0x20000000000000L,0x916a7bc2acc6bbL,0x4bbc4ff85db2f5L,0x56bdc38d64c811L,0x56275b31fa9421L,0x83909169c6ca72L,0x428bc10b1f16b0L,0xc898d94db573c8L,0x800000000L,0x9035edaa37L,0x25f2e6185aL,0x66e834237fL,0x551beb252L,0xe38cb1bda3L,0x81e8a5daa2L,0xa5b0f153dfL,0x1000000000L,0x628786cbbcL,0xcc52e16a6bL,0xc02e309f6aL,0x48c02a162eL,0x43b80bc153L,0x8ca36e1daL,0x8149c4e988L,0x2000000000L,0x92e58ce6e1L,0xcaa21f75a8L,0x5b0a7a6fdfL,0xc9ef00e383L,0x5dbaccb6f7L,0x5ca25f41d9L,0x9d8577596cL,0x40,0xab,0xd,0x3a,0x35,0x39,0x97,0x96,0x80000,0xf11d69,0x83709e,0x4481de,0xf61ddf,0x86abc6,0x538d78,0x50e73d,0x8000000000L,0x3ad6947321L,0x5cac901738L,0x6d108a5726L,0x214e406193L,0x8b6d054f0L,0xa00eec3afL,0x264b8c4872L,0x10000000000L,0x224310ddceL,0x9910257c86L,0x53e0e9d491L,0x728786cbbcL,0x5957e64927L,0x9a3946ec87L,0xfbd87dd246L,0x200000000L,0xa152a11bdcL,0x981584e535L,0xfc32a0c20cL,0x58b6f45ea3L,0x2cc2f96f6fL,0x514d8e5be1L,0x40a820f952L,0x40000000000L,0x474953b4c3L,0x1ca16424050L,0x3
3c1ae2c6caL,0xef58281ed0L,0x61fdba8fceL,0x2e5264e03d0L,0x3cf412679edL,0x80000000000L,0x2af36394e2fL,0x5ada7c8fb35L,0x3038edd74cfL,0x97f2a442b1L,0x5aad57e978bL,0x6972f45f8a2L,0x1368179f2a9L,0x1000000000000000L,0x3f615c147366134L,0x1d75191609112e7L,0x99a87799a8a0520L,0x24174fb45969c8fL,0x43a500ac9220bL,0x274560dfc5a975aL,0x61d72414166461eL,0x100000000000L,0x263e5654c9cL,0xd3dbdb4c482L,0xd057dc7ad80L,0x7c69bc6763fL,0xfe104151651L,0x25443ce38e9L,0x73feca2bf07L,0x200000000000L,0x1610828cc00bL,0x171309332bb5L,0x1117858f08faL,0x394ffe3bb24L,0x1628623eb8cbL,0xffcdcc8641bL,0xc385feef7ecL,0x100,0x5c,0x2e,0xce,0x4a,0xae,0x43,0x66,0x400000000000L,0x3c6ca205bca2L,0x196c7b38a2ceL,0x2062a59ce30L,0x38205dd09fa1L,0x20dd0443d4bL,0x33d8550b181fL,0x303b170c77eeL,0x800000000000L,0x7170bde7b430L,0x6511f9bca6adL,0x77f656556a7dL,0x7dfca7f0957aL,0x3a733d4ea3f7L,0x61a4fffe78e6L,0x207dd4035ef7L,0x1000000000000L,0xb6f580c92e6525L,0x878090ca5224fL,0xf0210a78a915beL,0x9421aca5e8e801L,0x546c71bce905caL,0x820f48c0839b65L,0x3cef016d85ec1eL,0x4000000000000L,0xa90b5c33daa755L,0xfb1e566525c19aL,0x318fa6c2d25788L,0x69405259b8fd7aL,0xc2e8ea9fb4f707L,0xc3edf5ce25e500L,0x1133ca725b6bbeL,0x8000000000000L,0x265726615d53fdL,0xe42b686af6e16cL,0xb18f7f8da1860eL,0x368a40b0754c0fL,0x242af95441e53dL,0x213be3b3f31a70L,0xf32b20d58af1b0L,0x10000000000000L,0x4668786a9d5c35L,0xaae42706aff8caL,0x92f20fccc4e7dL,0x2c50b4176fcb74L,0x29b1a34f96095aL,0x803be366a3465L,0xc37fa16580cdebL,0x8000,0x67f,0x4ece,0x1c2a,0x560b,0x2f7c,0x7012,0x4c89,0x80000000000000L,0x6ea660a700cd0fL,0x6815c0af05eb42L,0x6fef4609ff8e2L,0x54426fd53e48fcL,0x5f8bc9a636f97L,0x660c1ff1b683beL,0x1282b6018506e3L,0x100000000000000L,0xfe64a6999abf13L,0x13ae0bb62c307dL,0x6f3b33dcc7e1bdL,0xfc7fe2720f4568L,0x21d217c8718c68L,0x4024aed7b5a420L,0xb5a61f9a725592L,0x200000000000000L,0x16ea4ffc8496fc5L,0x1fd84eda0803361L,0xffb50d2af1987eL,0xa1f6f45e357a41L,0x665739fbf5bcbaL,0x1252b5b0d23b5f5L,0x97c34ae445a2b7L,0x400000000000000L,0x2621ce9f12c9aafL,0x3110ddb6841c38fL,0x
196989f161caf83L,0xfbd0c49136634L,0x1e57688b1fb57aeL,0x2730487e4f3131bL,0x26427004e0e76a1L,0x800000000000000L,0x3cba94ea604aa7fL,0x80ba8df8f4fae5L,0x5ece651e0086fc3L,0x57a746b36760c2cL,0x14c3e07b855de31L,0x47b5543b5a142b2L,0x36b715d234f4b73L,0x100000000L,0x83f86b548L,0x783efb451fL,0x5884870ea3L,0x14191df3b6L,0xda08524945L,0xfc9dbc2f89L,0x22cd369ef3L,0x10000000,0x75dd2eb,0xb6a4c91,0x2eef634,0x54a7639,0x7823214,0x6c6e071,0x7d1ac27,0x2000000000000000L,0xe773f407d93b916L,0x7e8867b58fd2979L,0xd32951a7f1ac971L,0x1250776c83fa176L,0x3e83c3f7c27e8dbL,0x30ac9750096c592L,0x9bfd9aef0ec4c20L,0x400000000L,0xdb76190650L,0x4a70b898e5L,0xfbd1f36a49L,0x20b2eb2019L,0xe93b315068L,0xb8af395d4eL,0xcb61285ad7L,0x8000000000000000L,0xbf45515ab7abe00L,0xbda61ec956a68a2L,0xff8d9a1931920a9L,0xc19375461d9de2bL,0x3ccd3e050b7bcb7L,0x68c63a1cf306b2dL,0x28eb92db26e138dL] 2 | -------------------------------------------------------------------------------- /pimp/README: -------------------------------------------------------------------------------- 1 | Pimp crackme by j00ru & Gynvael Coldwind 2 | ---------------------------------------- 3 | 4 | Run rip_vm.py in IDA to decompile the VM. 5 | Compile bf.c with gcc bf.c -O3 and run it with 6 | go.py to get the second dword. 
7 | 8 | Details on my blog 9 | 10 | pa_kt 11 | gdtr.wordpress.com 12 | -------------------------------------------------------------------------------- /pimp/bf.c: -------------------------------------------------------------------------------- 1 | // compile with 2 | // gcc bf.c -O3 3 | // run with go.py 4 | // 5 | 6 | #include 7 | #include 8 | #include 9 | 10 | /* vm_fancy0 .. vm_fancy7: eight 32-iteration integer mixers of a1. NOTE(review): the [sp+..]/[bp-..] annotations suggest these are pasted decompiler output. Several of them accumulate in signed int (for example v2 *= 378551 below), where overflow is undefined in ISO C, so at -O3 the compiler is not obliged to keep the 32-bit wraparound the original code relies on. Unsigned accumulators or -fwrapv would make that explicit; the two testx() self-checks in main are the only guard visible in this file. */ inline int vm_fancy0(int a1) 11 | { 12 | signed int v2; // [sp+4h] [bp-Ch]@1 13 | int v3; // [sp+8h] [bp-8h]@1 14 | unsigned int i; // [sp+Ch] [bp-4h]@1 15 | 16 | v2 = 63689; 17 | v3 = 0; 18 | for ( i = 0; i <= 0x1F; ++i ) 19 | { 20 | v3 = v2 * v3 + i * a1; 21 | v2 *= 378551; 22 | } 23 | return v3; 24 | } 25 | 26 | inline unsigned int vm_fancy1(int a1) 27 | { 28 | unsigned int v2; // [sp+8h] [bp-8h]@1 29 | unsigned int i; // [sp+Ch] [bp-4h]@1 30 | 31 | v2 = 1315423911; 32 | for ( i = 0; i <= 0x1F; ++i ) 33 | v2 ^= i * a1 + 32 * v2 + (v2 >> 2); 34 | return v2; 35 | } 36 | 37 | inline unsigned int vm_fancy2(int a1) 38 | { 39 | unsigned int v2; // [sp+14h] [bp-Ch]@1 40 | unsigned int i; // [sp+1Ch] [bp-4h]@1 41 | 42 | v2 = 0; 43 | for ( i = 0; i <= 0x1F; ++i ) 44 | { 45 | v2 = 16 * v2 + i * a1; 46 | if ( v2 & 0xF0000000 ) 47 | v2 = (v2 ^ ((v2 & 0xF0000000) >> 24)) & 0xFFFFFFF; 48 | } 49 | return v2; 50 | } 51 | 52 | inline int vm_fancy3(int a1) 53 | { 54 | int v2; // [sp+4h] [bp-Ch]@1 55 | int v3; // [sp+4h] [bp-Ch]@2 56 | int v4; // [sp+8h] [bp-8h]@2 57 | unsigned int i; // [sp+Ch] [bp-4h]@1 58 | 59 | v2 = 0; 60 | for ( i = 0; i <= 0x1F; ++i ) 61 | { 62 | v3 = 16 * v2 + i * a1; 63 | v4 = v3 & 0xF0000000; 64 | if ( v3 & 0xF0000000 ) 65 | v3 ^= (unsigned int)v4 >> 24; 66 | v2 = ~v4 & v3; 67 | } 68 | return v2; 69 | } 70 | 71 | inline int vm_fancy4(int a1) 72 | { 73 | int v2; // [sp+8h] [bp-8h]@1 74 | unsigned int i; // [sp+Ch] [bp-4h]@1 75 | 76 | v2 = 0; 77 | for ( i = 0; i <= 0x1F; ++i ) 78 | v2 = 131 * v2 + i * a1; 79 | return v2; 80 | } 81 | 82 | inline int vm_fancy5(int a1) 83 | { 84 | int v2; // [sp+8h] 
[bp-8h]@1 85 | unsigned int i; // [sp+Ch] [bp-4h]@1 86 | 87 | v2 = 0; 88 | for ( i = 0; i <= 0x1F; ++i ) 89 | v2 = (v2 << 6) + i * a1 + (v2 << 16) - v2; 90 | return v2; 91 | } 92 | 93 | inline int vm_fancy6(int a1) 94 | { 95 | int v2; // [sp+8h] [bp-8h]@1 96 | unsigned int i; // [sp+Ch] [bp-4h]@1 97 | 98 | v2 = 0; 99 | for ( i = 0; i <= 0x1F; ++i ) 100 | v2 = i * a1 ^ -2128831035 * v2; 101 | return v2; 102 | } 103 | 104 | 105 | inline unsigned int vm_fancy7(int a1) 106 | { 107 | signed int v2; // [sp+0h] [bp-14h]@3 108 | unsigned int v3; // [sp+Ch] [bp-8h]@1 109 | unsigned int i; // [sp+10h] [bp-4h]@1 110 | 111 | v3 = 0xAAAAAAAAu; 112 | for ( i = 0; i <= 0x1F; ++i ) 113 | { 114 | if ( i & 1 ) 115 | v2 = ~((v3 << 11) + (i * a1 ^ (v3 >> 5))); 116 | else 117 | v2 = i * a1 * (v3 >> 3) ^ (v3 << 7); 118 | v3 ^= v2; 119 | } 120 | return v3; 121 | } 122 | 123 | #define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits)))) 124 | #define DW(p) *(unsigned int*)(p) 125 | 126 | /* round0: starting from sn2, runs the loop body (sn2 & 0xF) << 6 times, each pass chaining vm_fancy1, vm_fancy3, vm_fancy2 and vm_fancy0 with the pass counter mixed in, and returns the final value. mem is accepted but never read. */ inline unsigned int round0(unsigned int sn2, unsigned char *mem){ 127 | unsigned int r1, r2, hr1,tmp1,tmp2; 128 | 129 | tmp1 = tmp2 = 0; 130 | r1 = sn2; 131 | hr1 = r1; 132 | r1 = r1 & 0xF; 133 | r1 = r1 << 6; 134 | tmp1 = r1; 135 | r1 = hr1; 136 | while(1){ 137 | hr1 = r1; 138 | r1 = tmp2; 139 | r2 = tmp1; 140 | r1 += 1; 141 | tmp2 = r1; 142 | if(r1-1 == r2) 143 | break; 144 | r1 = hr1; 145 | r1 = vm_fancy1(r1); 146 | r1 = ~r1; 147 | r1 = vm_fancy3(r1); 148 | r2 = tmp2; 149 | r1 = r1 ^ r2; 150 | r1 = vm_fancy2(r1); 151 | r1 += 0xdeadbeef; 152 | r1 = rol(r1, 7); 153 | r1 = vm_fancy0(r1); 154 | } 155 | r1 = hr1; 156 | // mix_handlers 0 157 | 158 | // cleanup 159 | tmp1 = 0; 160 | tmp2 = 0; 161 | 162 | return r1; 163 | } 164 | 165 | /* round1: same loop shape as round0 with pass count ((sn2 >> 4) & 0xF) << 6 and the vm_fancy5, vm_fancy7, vm_fancy6, vm_fancy4 chain. mem is accepted but never read. */ unsigned int round1(unsigned int sn2, unsigned char *mem){ 166 | unsigned int r1, r2, hr1, tmp1, tmp2, t; 167 | 168 | tmp1 = tmp2 = 0; 169 | r1 = sn2; 170 | hr1 = r1; 171 | r1 = r1 >> 4; 172 | r1 = r1 & 0xF; 173 | r1 = r1 << 6; 174 | tmp1 = r1; 175 | r1 = hr1; 176 
| while(1){ 177 | hr1 = r1; 178 | r1 = tmp2; 179 | r2 = tmp1; 180 | r1 += 1; 181 | tmp2 = r1; 182 | if(r1-1 == r2) 183 | break; 184 | r1 = hr1; 185 | r1 = vm_fancy5(r1); 186 | t = r1; 187 | r1 = r2; 188 | r2 = t; 189 | r1 = r1*r2; 190 | r1 = vm_fancy7(r1); 191 | r1 = r1 ^ r2; 192 | r1 = vm_fancy6(r1); 193 | r1 = ~r1; 194 | r1 = vm_fancy4(r1); 195 | r1 = rol(r1, 0xd); 196 | } 197 | r1 = hr1; 198 | return r1; 199 | } 200 | 201 | /* Self-test helper: runs round x (0 or 1) on sn2 and returns 1 when the result equals res, otherwise 0; any other x also returns 0. */ int testx(int x, unsigned int sn2, unsigned int res, unsigned char *mem){ 202 | unsigned int r1; 203 | 204 | switch(x){ 205 | case 0: 206 | r1 = round0(sn2, mem); 207 | break; 208 | case 1: 209 | r1 = round1(sn2, mem); 210 | break; 211 | default: 212 | return 0; 213 | } 214 | 215 | return (r1==res); 216 | } 217 | 218 | /* Brute-force worker: argv[1] is the worker count N and argv[2] this worker's id; after two known-answer self-tests it scans one slice of the 32-bit range and prints every sn2 that matches both round targets. */ int main(int argc, char *argv[]){ 219 | unsigned char mem[0x10000]; /* 64 KiB buffer handed to round0/round1, which never read it; left uninitialised */ 220 | unsigned int r1, sn1, sn2; 221 | unsigned int total; 222 | unsigned N, id, end; 223 | double seconds; 224 | 225 | if(argc<3){ 226 | printf("%s \n", argv[0]); 227 | return 1; 228 | } 229 | 230 | if(!testx(0, 0x11111111, 0x3a240c00, mem)){ 231 | printf("test0 failed\n"); 232 | return 1; 233 | } 234 | if(!testx(1, 0x11111111, 0xA80E02FC, mem)){ 235 | printf("test1 failed\n"); 236 | return 1; 237 | } 238 | printf("all good\n"); 239 | 240 | N = atoi(argv[1]); 241 | id = atoi(argv[2]); 242 | 243 | sn2 = 0xFFFFFFFF/N; /* NOTE(review): atoi() returns 0 for non-numeric input (including a "0x..." string, where parsing stops at the 'x'), and N == 0 divides by zero here. Validate N >= 1 and id < N before this line. */ 244 | end = (id+1)*sn2; /* each worker scans [id*chunk, (id+1)*chunk) with chunk = 0xFFFFFFFF/N rounded down, so values from N*chunk up to 0xFFFFFFFF belong to no worker and 0xFFFFFFFF itself is never tested */ 245 | sn2 = id*sn2; 246 | total = 0; 247 | clock_t start = clock(); 248 | while(sn2 != end){ 249 | r1 = round0(sn2, mem); 250 | if(r1 == 0x9EE03FC0){ 251 | r1 = round1(sn2, mem); 252 | if(r1 == 0x38E008E){ 253 | printf("sn2 = 0x%08x\n", sn2); 254 | //return 0; 255 | } 256 | } 257 | if(sn2 % (1<<20) == 0){ 258 | seconds = ((double)clock() - start) / CLOCKS_PER_SEC; 259 | seconds ++; 260 | printf("current: 0x%08x, %d h/sec\n", sn2, total/(int)seconds); 261 | } 262 | sn2++; 263 | total++; 264 | } 265 | 266 | return 0; 267 | } 268 | 269 | -------------------------------------------------------------------------------- 
/pimp/go.py: -------------------------------------------------------------------------------- 1 | # Machine I had access to had limits on continuous CPU usage 2 | # by one process, so I had to split the work into small chunks 3 | # so that workers wouldn't be killed during a computation. 4 | # 5 | # pa_kt 6 | # gdtr.wordpress.com 7 | 8 | import subprocess as sub 9 | import sys 10 | 11 | if len(sys.argv)<3: # NOTE(review): sys.argv[3] is read below, so the matching guard is len(sys.argv) < 4; with only two arguments this check passes and the count line raises IndexError 12 | print sys.argv[0], " " 13 | sys.exit(1) 14 | 15 | start = int(sys.argv[1], 16) 16 | end = int(sys.argv[2], 16) 17 | count = int(sys.argv[3], 10) # parsed but not used anywhere else in this script 18 | 19 | N_SLAVES = 32 20 | BIG_CHUNK = 0X10000000/2 # integer result under Python 2 (the print statement above is Python 2 syntax) 21 | SMALL_CHUNK = BIG_CHUNK/N_SLAVES 22 | 23 | f = open("out.txt", "w") # never closed explicitly; the flush() after each write keeps out.txt current 24 | 25 | for k in range(end/BIG_CHUNK): # iteration count depends on end only, not on end - start 26 | f.write("starting %d chunk\n"%k) 27 | f.flush() 28 | 29 | slaves = [] 30 | for i in range(N_SLAVES): 31 | s = start+i*SMALL_CHUNK 32 | e = s+SMALL_CHUNK 33 | 34 | f.write("i=%d s=0x%08x e=0x%08x\n"%(i,s,e)) 35 | f.flush() 36 | 37 | p = sub.Popen(["./a.out", hex(s), hex(e)], stdout=sub.PIPE) # argv list, no shell involved. NOTE(review): bf.c as listed reads argv[1]/argv[2] with atoi() as decimal N and id, and atoi() stops at the 'x' of a hex() string, giving 0 for both; presumably a different build of a.out accepted start/end - confirm before trusting out.txt 38 | slaves.append(p) 39 | 40 | for p in slaves: 41 | stdout, stderr = p.communicate() # stderr is always None here because only stdout is piped 42 | f.write(stdout) 43 | f.write("###\n") 44 | f.flush() 45 | 46 | start += BIG_CHUNK 47 | -------------------------------------------------------------------------------- /pimp/pimp_crackme.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/pimp/pimp_crackme.exe -------------------------------------------------------------------------------- /pimp/readme.txt: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | _____ _____ _______ _____ 5 | |_____] | | | | |_____] 6 | | __|__ | | | | 7 | 8 | _______ ______ _______ _______ _ _ _______ _______ 9 | | |_____/ |_____| | |____/ | | | |______ 10 | |_____ | \_ | | |_____ | \_ | | | |______ 11 | 12 | 13 | by 14 | 15 | Mateusz "j00ru" Jurczyk 16 | 17 | & 18 | 19 | 
Gynvael Coldwind 20 | 21 | 22 | T E A M 23 | _ _ ____ _ _ _ _ _ _ _ _ _ _ 24 | | | |___ \/ | | | | | | |\/| 25 | \/ |___ _/\_ | |___ |___ | |__| | | 26 | 27 | 2 0 1 1 28 | 29 | 30 | 31 | .- -. 32 | -------------------------=*) Requirements (*=------------------------ 33 | '- -' 34 | 35 | Intel x86 CPU or similar 36 | 32-bit Windows * 37 | 38 | * This CrackMe runs on 32-bit versions of Windows only. This is due 39 | to implementation differences between 32-bit Windows and WoW64. 40 | This CrackMe has been tested on Windows XP, Vista and 7. 41 | 42 | .- -. 43 | -------------------------=*) Objective (*=------------------------ 44 | '- -' 45 | 46 | Your mission is to find a valid key. 47 | 48 | A valid key, when typed into the password field of the original 49 | unmodified binary will display an explicit "victory screen" 50 | with big words "Mission Complete" on the top. 51 | 52 | A key that works only on a modified version of this crackme 53 | is considered INVALID. 54 | 55 | .- -. 56 | -------------------------=*) Authors (*=------------------------ 57 | '- -' 58 | 59 | Mateusz "j00ru" Jurczyk -=> http://j00ru.vexillium.org 60 | Gynvael Coldwind -=> http://gynvael.coldwind.pl 61 | 62 | Team Vexillium -=> http://vexillium.org 63 | 64 | .- -. 
65 | -------------------------=*) THE END (*=------------------------ 66 | '- -' 67 | 68 | -------------------------------------------------------------------------------- /pimp/rip_vm.py: -------------------------------------------------------------------------------- 1 | import idc 2 | 3 | VM_MIX = 1 4 | VM_DIE = 2 5 | VM_JMP = 3 6 | VM_JZ = 4 7 | VM_JNZ = 5 8 | 9 | seed = 0 10 | def prng(): 11 | global seed 12 | 13 | v0 = ((10009 * seed + 31337) % 2**32) % 100000007 14 | seed = 5 * seed + 1337; 15 | seed = seed % 2**32 16 | return v0 17 | 18 | def find_op(op, l): 19 | for i,u in enumerate(l): 20 | if op==u[0]: 21 | return i,u[0],u[1] 22 | return -1,None,None 23 | 24 | def disasm(vm, handlers): 25 | i = 0 26 | for op, arg, _ in vm: 27 | oph, name, _, _ = handlers[op] 28 | #assert (op == oph) 29 | print "%d:\t[%02x]\t%s"%(i, op, name), 30 | if name in ["vm_JMP", "vm_JZ", "vm_JNZ"]: 31 | if arg & 0x80000000: 32 | print -((arg ^ 0xFFFFFFFF)+1) 33 | else: 34 | print arg 35 | else: 36 | print hex(arg) 37 | i += 1 38 | 39 | def is_nice(vm, handlers): 40 | trans = [] 41 | 42 | for op, arg, _ in vm: 43 | oph, name, _, _ = handlers[op] 44 | trans.append((oph, arg, name)) 45 | 46 | #premature VM_DIE 47 | f1 = lambda l: filter(lambda (op,arg,_): op==VM_DIE and arg!=0, l) 48 | # op reg1, reg2 with params 49 | f2 = lambda l: filter(lambda (op, arg, name): name.find("reg1_reg2")>=0 and arg!=0, l) 50 | # bad jumps 51 | f3 = lambda l: filter(lambda (op,arg,_): op in [VM_JMP,VM_JZ,VM_JNZ] and (arg==0 or arg>128 and arg<0x80000000), l) 52 | 53 | heurs = [f2, f3] 54 | for f in heurs: 55 | o = f(trans) 56 | if o: 57 | return False 58 | return True 59 | 60 | def mutate(handlers): 61 | 62 | for j in range(2, len(handlers)): 63 | k = prng() 64 | k = (k % 0x1B)+2 65 | t = handlers[j] 66 | handlers[j] = handlers[k] 67 | handlers[k] = t 68 | return handlers 69 | 70 | debug = False 71 | 72 | vm_code_addr = 0x0091F940 73 | vm_size = 1245 74 | 75 | vm = [] 76 | 77 | for off in 
range(vm_code_addr, vm_code_addr+vm_size, 5): 78 | 79 | vm_op = idc.Byte(off) 80 | vm_arg = idc.Dword(off+1) 81 | 82 | vm.append((vm_op, vm_arg, off)) 83 | 84 | if debug: 85 | print hex(off) 86 | print hex(vm_op), hex(vm_arg) 87 | 88 | print "total instructions:", len(vm) 89 | 90 | handlers_addr = 0x0091FE24 91 | handlers_count = 0x1c 92 | handlers = [(None,None,None,None)] 93 | 94 | for i in range(handlers_count): 95 | off = handlers_addr + i*20 96 | op = idc.Dword(off) 97 | if i>7: 98 | off += 4 99 | addr = idc.Dword(off+4) 100 | name = idc.GetFunctionName(addr) 101 | 102 | print hex(off), hex(op), hex(addr), name 103 | 104 | handlers.append((op, name, addr, off)) 105 | 106 | 107 | i = 0 108 | p,_,_ = find_op(VM_MIX, vm) 109 | disasm(vm[:p+1], handlers) 110 | 111 | 112 | print "possible disasms" 113 | sn1 = 0 114 | 115 | for pos in range(8): 116 | p,_,_ = find_op(VM_MIX, vm) 117 | assert(p>=0) 118 | vm = vm[p+1:] 119 | orig = handlers[:] 120 | solutions = [] 121 | for i in range(16): 122 | seed = sn1 | (i << pos*4) 123 | #print "seed: 0x%08x"%seed 124 | handlers = orig[:] 125 | handlers = mutate(handlers) 126 | p,_,_ = find_op(VM_MIX, vm) 127 | if p<0 and pos==7: 128 | p = len(vm) 129 | if is_nice(vm[:p+1], handlers): 130 | if (pos==7 and handlers[0xc][0]!=VM_DIE): 131 | continue 132 | print i, "#"*10 133 | solutions.append((i,handlers)) 134 | disasm(vm[:p+1], handlers) 135 | 136 | if pos!=7: 137 | assert(len(solutions)==1) 138 | i,handlers = solutions[0] 139 | sn1 = sn1 | (i << pos*4) 140 | print "0x%08x"%sn1 141 | else: 142 | for i,_ in solutions: 143 | sn = sn1 | (i << pos*4) 144 | print "solution: 0x%08x"%sn 145 | 146 | 147 | 148 | 149 | -------------------------------------------------------------------------------- /tmrth2/kgnme2.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/tmrth2/kgnme2.zip 
-------------------------------------------------------------------------------- /tmrth2/tmrth2-kgn/kg.c: -------------------------------------------------------------------------------- 1 | // keygen for keygenm2 by tamaroth 2 | // 3 | // 25.03.2012 4 | // p_k 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include "skein.h" 13 | #include "SHA3api_ref.h" 14 | 15 | #include "kg.h" 16 | 17 | #define HASH_SIZE 32 18 | 19 | extern void init_smth(); 20 | extern void do_smth64(uint8_t *, size_t, uint8_t *); //msg,len,out 21 | 22 | void print_bytes(uint8_t *bytes, uint16_t byteslen) 23 | { 24 | int i; 25 | for (i=0; i index 93 | // pi[] - indexes in primes[] tab of primes in factorisation of n 94 | // e[] - exponents of these primes 95 | /* Returns 1 when n reduces to 1 by repeatedly dividing out gcd(t, prod), 0 when a cofactor coprime to prod is left over. NOTE(review): for n == 0 the inner division loop never ends (0 is divisible by every d); from main that needs h mod p == 0. */ int is_smooth(mpz_t n, mpz_t prod){ 96 | int ok=0, eq; 97 | mpz_t t,d; 98 | 99 | mpz_inits(t,d,NULL); 100 | mpz_set(t, n); 101 | 102 | while(1){ 103 | mpz_gcd(d, t, prod); //d doesn't have to fit in int 104 | if(mpz_cmp_ui(d,1) == 0){ 105 | eq = mpz_cmp_ui(t, 1); 106 | if(eq != 0){ 107 | ok=0; 108 | break; //fail: gcd=1, but t!=1 109 | } 110 | else{ //gcd=1, t=1 111 | ok=1; 112 | break; 113 | } 114 | } 115 | while(mpz_divisible_p(t, d)){ 116 | mpz_divexact(t, t, d); 117 | } 118 | } 119 | 120 | mpz_clear(t); /* NOTE(review): d was initialised together with t by mpz_inits() above but is never cleared, so every call leaks it; mpz_clears(t, d, NULL) would release both. */ 121 | return ok; 122 | } 123 | 124 | /* Derives h from msg: do_smth64() condenses msg into 8 bytes, hash() expands those into HASH_SIZE bytes, and that buffer is imported most-significant byte first and reduced mod p. */ inline void do_hash(char *msg, mpz_t h, mpz_t p){ 125 | uint8_t smth[8]={0}, result[HASH_SIZE]; 126 | char *ptr; 127 | 128 | memset(result, 0, HASH_SIZE); 129 | 130 | do_smth64(msg, strlen(msg), smth); 131 | //print_bytes(smth, sizeof(smth)); 132 | 133 | hash(smth, sizeof(smth), result); 134 | //print_bytes(result, HASH_SIZE); 135 | 136 | mpz_import(h, HASH_SIZE, 1, 1, 1, 0, result); 137 | mpz_mod(h, h, p); 138 | 139 | //ptr = mpz_get_str (NULL, 16, h); 140 | //printf("h mod p = %s\n", ptr); 141 | } 142 | 143 | /* Prints p, or p^e when e > 1. */ void dump_pair(int p, int e){ 144 | if(e>1) 145 | printf("%d^%d", p, e); 146 | else 147 | printf("%d", p); 148 | } 149 | 150 | void 
dump_pe(int *primes, int *pi, int *ei, int count){ 151 | int i; 152 | 153 | assert(count>0); 154 | dump_pair(primes[pi[0]], ei[0]); 155 | if(count>1){ 156 | for(i=1;i\n", argv[0]); 182 | return 1; 183 | } 184 | 185 | if(strlen(argv[1])>MAX_NAME-1){ 186 | printf("name too long\n"); 187 | return 1; 188 | } 189 | 190 | strcpy(name, argv[1]); /* bounded by the strlen() check above, provided name holds MAX_NAME bytes (its declaration is not legible in this listing) */ 191 | 192 | srand(time(0)); 193 | 194 | mpz_inits(h, prod, dlog, NULL); 195 | mpz_init_set_str (p, ps, 10); 196 | mpz_init_set_str (g, gs, 10); 197 | 198 | product(prod, primes, PRECOMP_COUNT); 199 | ptr = mpz_get_str (NULL, 10, prod); 200 | //printf("prod = %d\n", strlen(ptr)); 201 | 202 | init_smth(); 203 | start = clock(); 204 | 205 | total = 0; 206 | while(1){ 207 | total += 1; 208 | 209 | r = rand(); 210 | sprintf(rnd, "%s%d", name, r); /* NOTE(review): rnd must hold strlen(name) plus the decimal digits of r plus the terminator; its size is not visible in this listing. If rnd is an array, snprintf(rnd, sizeof rnd, ...) would make the bound explicit. */ 211 | 212 | do_hash(rnd, h, p); 213 | 214 | if(is_smooth(h, prod)){ 215 | delta = ((double)clock() - start)/ CLOCKS_PER_SEC; 216 | ptr = mpz_get_str (NULL, 10, h); 217 | printf("smooth h = %s, time: %fs\n", ptr, delta); 218 | factor(h, primes, PRECOMP_COUNT, pi, ei, &factors); 219 | printf("factorization: "); dump_pe(primes, pi, ei, factors); 220 | calc_dlog(dlog, p, dlps, pi, ei, factors); 221 | ptr = mpz_get_str (NULL, 16, dlog); 222 | printf("*** reg info:\n%s\n%d\n%s\n", name, r, ptr); 223 | break; 224 | } 225 | if(total%10000==0){ 226 | delta = ((double)clock() - start)/ CLOCKS_PER_SEC; 227 | printf("delta: %f, speed: %f h/s\n", delta, (double)total/delta); 228 | } 229 | } 230 | 231 | return 0; 232 | } 233 | 234 | -------------------------------------------------------------------------------- /tmrth2/tmrth2-kgn/makefile: -------------------------------------------------------------------------------- 1 | all: kg.c smth.o 2 | gcc -g -o kg -Iskein/ skein/*.o smth.o kg.c -lgmp -lm 3 | 4 | smth.o: smth.asm 5 | nasm -felf smth.asm -o smth.o 6 | 7 | clean: 8 | rm kg *.o 9 | -------------------------------------------------------------------------------- /tmrth2/tmrth2-kgn/skein/SHA3api_ref.c: 
-------------------------------------------------------------------------------- 1 | /*********************************************************************** 2 | ** 3 | ** Implementation of the AHS API using the Skein hash function. 4 | ** 5 | ** Source code author: Doug Whiting, 2008. 6 | ** 7 | ** This algorithm and source code is released to the public domain. 8 | ** 9 | ************************************************************************/ 10 | 11 | #include /* get the memcpy/memset functions */ 12 | #include "skein.h" /* get the Skein API definitions */ 13 | #include "SHA3api_ref.h"/* get the AHS API definitions */ 14 | 15 | /******************************************************************/ 16 | /* AHS API code */ 17 | /******************************************************************/ 18 | 19 | /*++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*/ 20 | /* select the context size and init the context */ 21 | HashReturn Init(hashState *state, int hashbitlen) 22 | { 23 | #if SKEIN_256_NIST_MAX_HASH_BITS 24 | if (hashbitlen <= SKEIN_256_NIST_MAX_HASHBITS) 25 | { 26 | Skein_Assert(hashbitlen > 0,BAD_HASHLEN); 27 | state->statebits = 64*SKEIN_256_STATE_WORDS; 28 | return Skein_256_Init(&state->u.ctx_256,(size_t) hashbitlen); 29 | } 30 | #endif 31 | if (hashbitlen <= SKEIN_512_NIST_MAX_HASHBITS) 32 | { 33 | state->statebits = 64*SKEIN_512_STATE_WORDS; 34 | return Skein_512_Init(&state->u.ctx_512,(size_t) hashbitlen); 35 | } 36 | else 37 | { 38 | state->statebits = 64*SKEIN1024_STATE_WORDS; 39 | return Skein1024_Init(&state->u.ctx1024,(size_t) hashbitlen); 40 | } 41 | } 42 | 43 | /*++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*/ 44 | /* process data to be hashed */ 45 | HashReturn Update(hashState *state, const BitSequence *data, DataLength databitlen) 46 | { 47 | /* only the final Update() call is allowed do partial bytes, else assert an error */ 48 | Skein_Assert((state->u.h.T[1] & SKEIN_T1_FLAG_BIT_PAD) == 0 || databitlen == 
0, FAIL); 49 | 50 | Skein_Assert(state->statebits % 256 == 0 && (state->statebits-256) < 1024,FAIL); 51 | if ((databitlen & 7) == 0) /* partial bytes? */ 52 | { 53 | switch ((state->statebits >> 8) & 3) 54 | { 55 | case 2: return Skein_512_Update(&state->u.ctx_512,data,databitlen >> 3); 56 | case 1: return Skein_256_Update(&state->u.ctx_256,data,databitlen >> 3); 57 | case 0: return Skein1024_Update(&state->u.ctx1024,data,databitlen >> 3); 58 | default: return FAIL; 59 | } 60 | } 61 | else 62 | { /* handle partial final byte */ 63 | size_t bCnt = (databitlen >> 3) + 1; /* number of bytes to handle (nonzero here!) */ 64 | u08b_t b,mask; 65 | 66 | mask = (u08b_t) (1u << (7 - (databitlen & 7))); /* partial byte bit mask */ 67 | b = (u08b_t) ((data[bCnt-1] & (0-mask)) | mask); /* apply bit padding on final byte */ 68 | 69 | switch ((state->statebits >> 8) & 3) 70 | { 71 | case 2: Skein_512_Update(&state->u.ctx_512,data,bCnt-1); /* process all but the final byte */ 72 | Skein_512_Update(&state->u.ctx_512,&b , 1 ); /* process the (masked) partial byte */ 73 | break; 74 | case 1: Skein_256_Update(&state->u.ctx_256,data,bCnt-1); /* process all but the final byte */ 75 | Skein_256_Update(&state->u.ctx_256,&b , 1 ); /* process the (masked) partial byte */ 76 | break; 77 | case 0: Skein1024_Update(&state->u.ctx1024,data,bCnt-1); /* process all but the final byte */ 78 | Skein1024_Update(&state->u.ctx1024,&b , 1 ); /* process the (masked) partial byte */ 79 | break; 80 | default: return FAIL; 81 | } 82 | Skein_Set_Bit_Pad_Flag(state->u.h); /* set tweak flag for the final call */ 83 | 84 | return SUCCESS; 85 | } 86 | } 87 | 88 | /*++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*/ 89 | /* finalize hash computation and output the result (hashbitlen bits) */ 90 | HashReturn Final(hashState *state, BitSequence *hashval) 91 | { 92 | Skein_Assert(state->statebits % 256 == 0 && (state->statebits-256) < 1024,FAIL); 93 | switch ((state->statebits >> 8) & 3) 94 | { 95 | 
case 2: return Skein_512_Final(&state->u.ctx_512,hashval); 96 | case 1: return Skein_256_Final(&state->u.ctx_256,hashval); 97 | case 0: return Skein1024_Final(&state->u.ctx1024,hashval); 98 | default: return FAIL; 99 | } 100 | } 101 | 102 | /*++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*/ 103 | /* all-in-one hash function */ 104 | HashReturn Hash(int hashbitlen, const BitSequence *data, /* all-in-one call */ 105 | DataLength databitlen,BitSequence *hashval) 106 | { 107 | hashState state; 108 | HashReturn r = Init(&state,hashbitlen); 109 | if (r == SUCCESS) 110 | { /* these calls do not fail when called properly */ 111 | r = Update(&state,data,databitlen); 112 | Final(&state,hashval); 113 | } 114 | return r; 115 | } 116 | -------------------------------------------------------------------------------- /tmrth2/tmrth2-kgn/skein/SHA3api_ref.h: -------------------------------------------------------------------------------- 1 | #ifndef _AHS_API_H_ 2 | #define _AHS_API_H_ 3 | 4 | /*********************************************************************** 5 | ** 6 | ** Interface declarations of the AHS API using the Skein hash function. 7 | ** 8 | ** Source code author: Doug Whiting, 2008. 9 | ** 10 | ** This algorithm and source code is released to the public domain. 
11 | ** 12 | ************************************************************************/ 13 | 14 | #include "skein.h" 15 | 16 | typedef enum 17 | { 18 | SUCCESS = SKEIN_SUCCESS, 19 | FAIL = SKEIN_FAIL, 20 | BAD_HASHLEN = SKEIN_BAD_HASHLEN 21 | } 22 | HashReturn; 23 | 24 | typedef size_t DataLength; /* bit count type */ 25 | typedef u08b_t BitSequence; /* bit stream type */ 26 | 27 | typedef struct 28 | { 29 | uint_t statebits; /* 256, 512, or 1024 */ 30 | union 31 | { 32 | Skein_Ctxt_Hdr_t h; /* common header "overlay" */ 33 | Skein_256_Ctxt_t ctx_256; 34 | Skein_512_Ctxt_t ctx_512; 35 | Skein1024_Ctxt_t ctx1024; 36 | } u; 37 | } 38 | hashState; 39 | 40 | /* "incremental" hashing API */ 41 | HashReturn Init (hashState *state, int hashbitlen); 42 | HashReturn Update(hashState *state, const BitSequence *data, DataLength databitlen); 43 | HashReturn Final (hashState *state, BitSequence *hashval); 44 | 45 | /* "all-in-one" call */ 46 | HashReturn Hash (int hashbitlen, const BitSequence *data, 47 | DataLength databitlen, BitSequence *hashval); 48 | 49 | 50 | /* 51 | ** Re-define the compile-time constants below to change the selection 52 | ** of the Skein state size in the Init() function in SHA3api_ref.c. 53 | ** 54 | ** That is, the NIST API does not allow for explicit selection of the 55 | ** Skein block size, so it must be done implicitly in the Init() function. 56 | ** The selection is controlled by these constants. 
57 | */ 58 | #ifndef SKEIN_256_NIST_MAX_HASHBITS 59 | #define SKEIN_256_NIST_MAX_HASHBITS (0) 60 | #endif 61 | 62 | #ifndef SKEIN_512_NIST_MAX_HASHBITS 63 | #define SKEIN_512_NIST_MAX_HASHBITS (512) 64 | #endif 65 | 66 | #endif /* ifdef _AHS_API_H_ */ 67 | -------------------------------------------------------------------------------- /tmrth2/tmrth2-kgn/skein/skein_debug.h: -------------------------------------------------------------------------------- 1 | #ifndef _SKEIN_DEBUG_H_ 2 | #define _SKEIN_DEBUG_H_ 3 | /*********************************************************************** 4 | ** 5 | ** Interface definitions for Skein hashing debug output. 6 | ** 7 | ** Source code author: Doug Whiting, 2008. 8 | ** 9 | ** This algorithm and source code is released to the public domain. 10 | ** 11 | ************************************************************************/ 12 | 13 | #ifdef SKEIN_DEBUG 14 | /* callout functions used inside Skein code */ 15 | void Skein_Show_Block(uint_t bits,const Skein_Ctxt_Hdr_t *h,const u64b_t *X,const u08b_t *blkPtr, 16 | const u64b_t *wPtr,const u64b_t *ksPtr,const u64b_t *tsPtr); 17 | void Skein_Show_Round(uint_t bits,const Skein_Ctxt_Hdr_t *h,size_t r,const u64b_t *X); 18 | void Skein_Show_R_Ptr(uint_t bits,const Skein_Ctxt_Hdr_t *h,size_t r,const u64b_t *X_ptr[]); 19 | void Skein_Show_Final(uint_t bits,const Skein_Ctxt_Hdr_t *h,size_t cnt,const u08b_t *outPtr); 20 | void Skein_Show_Key (uint_t bits,const Skein_Ctxt_Hdr_t *h,const u08b_t *key,size_t keyBytes); 21 | 22 | extern uint_t skein_DebugFlag; /* flags to control debug output (0 --> none) */ 23 | 24 | #define SKEIN_RND_SPECIAL (1000u) 25 | #define SKEIN_RND_KEY_INITIAL (SKEIN_RND_SPECIAL+0u) 26 | #define SKEIN_RND_KEY_INJECT (SKEIN_RND_SPECIAL+1u) 27 | #define SKEIN_RND_FEED_FWD (SKEIN_RND_SPECIAL+2u) 28 | 29 | /* flag bits: skein_DebugFlag */ 30 | #define SKEIN_DEBUG_KEY (1u << 1) /* show MAC key */ 31 | #define SKEIN_DEBUG_CONFIG (1u << 2) /* show config block processing 
*/ 32 | #define SKEIN_DEBUG_STATE (1u << 3) /* show input state during Show_Block() */ 33 | #define SKEIN_DEBUG_TWEAK (1u << 4) /* show input state during Show_Block() */ 34 | #define SKEIN_DEBUG_KEYSCHED (1u << 5) /* show expanded key schedule */ 35 | #define SKEIN_DEBUG_INPUT_64 (1u << 6) /* show input block as 64-bit words */ 36 | #define SKEIN_DEBUG_INPUT_08 (1u << 7) /* show input block as 8-bit bytes */ 37 | #define SKEIN_DEBUG_INJECT (1u << 8) /* show state after key injection & feedforward points */ 38 | #define SKEIN_DEBUG_ROUNDS (1u << 9) /* show state after all rounds */ 39 | #define SKEIN_DEBUG_FINAL (1u <<10) /* show final output of Skein */ 40 | #define SKEIN_DEBUG_HDR (1u <<11) /* show block header */ 41 | #define SKEIN_DEBUG_THREEFISH (1u <<12) /* use Threefish name instead of Skein */ 42 | #define SKEIN_DEBUG_PERMUTE (1u <<13) /* use word permutations */ 43 | #define SKEIN_DEBUG_ALL ((~0u) & ~(SKEIN_DEBUG_THREEFISH | SKEIN_DEBUG_PERMUTE)) 44 | #define THREEFISH_DEBUG_ALL (SKEIN_DEBUG_ALL | SKEIN_DEBUG_THREEFISH) 45 | 46 | #endif /* SKEIN_DEBUG */ 47 | 48 | #endif /* _SKEIN_DEBUG_H_ */ 49 | -------------------------------------------------------------------------------- /tmrth2/tmrth2-kgn/skein/skein_iv.h: -------------------------------------------------------------------------------- 1 | #ifndef _SKEIN_IV_H_ 2 | #define _SKEIN_IV_H_ 3 | 4 | #include "skein.h" /* get Skein macros and types */ 5 | 6 | /* 7 | ***************** Pre-computed Skein IVs ******************* 8 | ** 9 | ** NOTE: these values are not "magic" constants, but 10 | ** are generated using the Threefish block function. 11 | ** They are pre-computed here only for speed; i.e., to 12 | ** avoid the need for a Threefish call during Init(). 13 | ** 14 | ** The IV for any fixed hash length may be pre-computed. 15 | ** Only the most common values are included here. 
16 | ** 17 | ************************************************************ 18 | **/ 19 | 20 | #define MK_64 SKEIN_MK_64 21 | 22 | /* blkSize = 256 bits. hashSize = 128 bits */ 23 | const u64b_t SKEIN_256_IV_128[] = 24 | { 25 | MK_64(0xE1111906,0x964D7260), 26 | MK_64(0x883DAAA7,0x7C8D811C), 27 | MK_64(0x10080DF4,0x91960F7A), 28 | MK_64(0xCCF7DDE5,0xB45BC1C2) 29 | }; 30 | 31 | /* blkSize = 256 bits. hashSize = 160 bits */ 32 | const u64b_t SKEIN_256_IV_160[] = 33 | { 34 | MK_64(0x14202314,0x72825E98), 35 | MK_64(0x2AC4E9A2,0x5A77E590), 36 | MK_64(0xD47A5856,0x8838D63E), 37 | MK_64(0x2DD2E496,0x8586AB7D) 38 | }; 39 | 40 | /* blkSize = 256 bits. hashSize = 224 bits */ 41 | const u64b_t SKEIN_256_IV_224[] = 42 | { 43 | MK_64(0xC6098A8C,0x9AE5EA0B), 44 | MK_64(0x876D5686,0x08C5191C), 45 | MK_64(0x99CB88D7,0xD7F53884), 46 | MK_64(0x384BDDB1,0xAEDDB5DE) 47 | }; 48 | 49 | /* blkSize = 256 bits. hashSize = 256 bits */ 50 | const u64b_t SKEIN_256_IV_256[] = 51 | { 52 | MK_64(0xFC9DA860,0xD048B449), 53 | MK_64(0x2FCA6647,0x9FA7D833), 54 | MK_64(0xB33BC389,0x6656840F), 55 | MK_64(0x6A54E920,0xFDE8DA69) 56 | }; 57 | 58 | /* blkSize = 512 bits. hashSize = 128 bits */ 59 | const u64b_t SKEIN_512_IV_128[] = 60 | { 61 | MK_64(0xA8BC7BF3,0x6FBF9F52), 62 | MK_64(0x1E9872CE,0xBD1AF0AA), 63 | MK_64(0x309B1790,0xB32190D3), 64 | MK_64(0xBCFBB854,0x3F94805C), 65 | MK_64(0x0DA61BCD,0x6E31B11B), 66 | MK_64(0x1A18EBEA,0xD46A32E3), 67 | MK_64(0xA2CC5B18,0xCE84AA82), 68 | MK_64(0x6982AB28,0x9D46982D) 69 | }; 70 | 71 | /* blkSize = 512 bits. hashSize = 160 bits */ 72 | const u64b_t SKEIN_512_IV_160[] = 73 | { 74 | MK_64(0x28B81A2A,0xE013BD91), 75 | MK_64(0xC2F11668,0xB5BDF78F), 76 | MK_64(0x1760D8F3,0xF6A56F12), 77 | MK_64(0x4FB74758,0x8239904F), 78 | MK_64(0x21EDE07F,0x7EAF5056), 79 | MK_64(0xD908922E,0x63ED70B8), 80 | MK_64(0xB8EC76FF,0xECCB52FA), 81 | MK_64(0x01A47BB8,0xA3F27A6E) 82 | }; 83 | 84 | /* blkSize = 512 bits. 
hashSize = 224 bits */ 85 | const u64b_t SKEIN_512_IV_224[] = 86 | { 87 | MK_64(0xCCD06162,0x48677224), 88 | MK_64(0xCBA65CF3,0xA92339EF), 89 | MK_64(0x8CCD69D6,0x52FF4B64), 90 | MK_64(0x398AED7B,0x3AB890B4), 91 | MK_64(0x0F59D1B1,0x457D2BD0), 92 | MK_64(0x6776FE65,0x75D4EB3D), 93 | MK_64(0x99FBC70E,0x997413E9), 94 | MK_64(0x9E2CFCCF,0xE1C41EF7) 95 | }; 96 | 97 | /* blkSize = 512 bits. hashSize = 256 bits */ 98 | const u64b_t SKEIN_512_IV_256[] = 99 | { 100 | MK_64(0xCCD044A1,0x2FDB3E13), 101 | MK_64(0xE8359030,0x1A79A9EB), 102 | MK_64(0x55AEA061,0x4F816E6F), 103 | MK_64(0x2A2767A4,0xAE9B94DB), 104 | MK_64(0xEC06025E,0x74DD7683), 105 | MK_64(0xE7A436CD,0xC4746251), 106 | MK_64(0xC36FBAF9,0x393AD185), 107 | MK_64(0x3EEDBA18,0x33EDFC13) 108 | }; 109 | 110 | /* blkSize = 512 bits. hashSize = 384 bits */ 111 | const u64b_t SKEIN_512_IV_384[] = 112 | { 113 | MK_64(0xA3F6C6BF,0x3A75EF5F), 114 | MK_64(0xB0FEF9CC,0xFD84FAA4), 115 | MK_64(0x9D77DD66,0x3D770CFE), 116 | MK_64(0xD798CBF3,0xB468FDDA), 117 | MK_64(0x1BC4A666,0x8A0E4465), 118 | MK_64(0x7ED7D434,0xE5807407), 119 | MK_64(0x548FC1AC,0xD4EC44D6), 120 | MK_64(0x266E1754,0x6AA18FF8) 121 | }; 122 | 123 | /* blkSize = 512 bits. hashSize = 512 bits */ 124 | const u64b_t SKEIN_512_IV_512[] = 125 | { 126 | MK_64(0x4903ADFF,0x749C51CE), 127 | MK_64(0x0D95DE39,0x9746DF03), 128 | MK_64(0x8FD19341,0x27C79BCE), 129 | MK_64(0x9A255629,0xFF352CB1), 130 | MK_64(0x5DB62599,0xDF6CA7B0), 131 | MK_64(0xEABE394C,0xA9D5C3F4), 132 | MK_64(0x991112C7,0x1A75B523), 133 | MK_64(0xAE18A40B,0x660FCC33) 134 | }; 135 | 136 | /* blkSize = 1024 bits. 
hashSize = 384 bits */ 137 | const u64b_t SKEIN1024_IV_384[] = 138 | { 139 | MK_64(0x5102B6B8,0xC1894A35), 140 | MK_64(0xFEEBC9E3,0xFE8AF11A), 141 | MK_64(0x0C807F06,0xE32BED71), 142 | MK_64(0x60C13A52,0xB41A91F6), 143 | MK_64(0x9716D35D,0xD4917C38), 144 | MK_64(0xE780DF12,0x6FD31D3A), 145 | MK_64(0x797846B6,0xC898303A), 146 | MK_64(0xB172C2A8,0xB3572A3B), 147 | MK_64(0xC9BC8203,0xA6104A6C), 148 | MK_64(0x65909338,0xD75624F4), 149 | MK_64(0x94BCC568,0x4B3F81A0), 150 | MK_64(0x3EBBF51E,0x10ECFD46), 151 | MK_64(0x2DF50F0B,0xEEB08542), 152 | MK_64(0x3B5A6530,0x0DBC6516), 153 | MK_64(0x484B9CD2,0x167BBCE1), 154 | MK_64(0x2D136947,0xD4CBAFEA) 155 | }; 156 | 157 | /* blkSize = 1024 bits. hashSize = 512 bits */ 158 | const u64b_t SKEIN1024_IV_512[] = 159 | { 160 | MK_64(0xCAEC0E5D,0x7C1B1B18), 161 | MK_64(0xA01B0E04,0x5F03E802), 162 | MK_64(0x33840451,0xED912885), 163 | MK_64(0x374AFB04,0xEAEC2E1C), 164 | MK_64(0xDF25A0E2,0x813581F7), 165 | MK_64(0xE4004093,0x8B12F9D2), 166 | MK_64(0xA662D539,0xC2ED39B6), 167 | MK_64(0xFA8B85CF,0x45D8C75A), 168 | MK_64(0x8316ED8E,0x29EDE796), 169 | MK_64(0x053289C0,0x2E9F91B8), 170 | MK_64(0xC3F8EF1D,0x6D518B73), 171 | MK_64(0xBDCEC3C4,0xD5EF332E), 172 | MK_64(0x549A7E52,0x22974487), 173 | MK_64(0x67070872,0x5B749816), 174 | MK_64(0xB9CD28FB,0xF0581BD1), 175 | MK_64(0x0E2940B8,0x15804974) 176 | }; 177 | 178 | /* blkSize = 1024 bits. 
hashSize = 1024 bits */ 179 | const u64b_t SKEIN1024_IV_1024[] = 180 | { 181 | MK_64(0xD593DA07,0x41E72355), 182 | MK_64(0x15B5E511,0xAC73E00C), 183 | MK_64(0x5180E5AE,0xBAF2C4F0), 184 | MK_64(0x03BD41D3,0xFCBCAFAF), 185 | MK_64(0x1CAEC6FD,0x1983A898), 186 | MK_64(0x6E510B8B,0xCDD0589F), 187 | MK_64(0x77E2BDFD,0xC6394ADA), 188 | MK_64(0xC11E1DB5,0x24DCB0A3), 189 | MK_64(0xD6D14AF9,0xC6329AB5), 190 | MK_64(0x6A9B0BFC,0x6EB67E0D), 191 | MK_64(0x9243C60D,0xCCFF1332), 192 | MK_64(0x1A1F1DDE,0x743F02D4), 193 | MK_64(0x0996753C,0x10ED0BB8), 194 | MK_64(0x6572DD22,0xF2B4969A), 195 | MK_64(0x61FD3062,0xD00A579A), 196 | MK_64(0x1DE0536E,0x8682E539) 197 | }; 198 | 199 | #endif /* _SKEIN_IV_H_ */ 200 | -------------------------------------------------------------------------------- /tmrth2/tmrth2-kgn/skein/skein_port.h: -------------------------------------------------------------------------------- 1 | #ifndef _SKEIN_PORT_H_ 2 | #define _SKEIN_PORT_H_ 3 | /******************************************************************* 4 | ** 5 | ** Platform-specific definitions for Skein hash function. 6 | ** 7 | ** Source code author: Doug Whiting, 2008. 8 | ** 9 | ** This algorithm and source code is released to the public domain. 10 | ** 11 | ** Many thanks to Brian Gladman for his portable header files. 12 | ** 13 | ** To port Skein to an "unsupported" platform, change the definitions 14 | ** in this file appropriately. 15 | ** 16 | ********************************************************************/ 17 | 18 | #include "brg_types.h" /* get integer type definitions */ 19 | 20 | typedef unsigned int uint_t; /* native unsigned integer */ 21 | typedef uint_8t u08b_t; /* 8-bit unsigned integer */ 22 | typedef uint_64t u64b_t; /* 64-bit unsigned integer */ 23 | 24 | #ifndef RotL_64 25 | #define RotL_64(x,N) (((x) << (N)) | ((x) >> (64-(N)))) 26 | #endif 27 | 28 | /* 29 | * Skein is "natively" little-endian (unlike SHA-xxx), for optimal 30 | * performance on x86 CPUs. 
The Skein code requires the following 31 | * definitions for dealing with endianness: 32 | * 33 | * SKEIN_NEED_SWAP: 0 for little-endian, 1 for big-endian 34 | * Skein_Put64_LSB_First 35 | * Skein_Get64_LSB_First 36 | * Skein_Swap64 37 | * 38 | * If SKEIN_NEED_SWAP is defined at compile time, it is used here 39 | * along with the portable versions of Put64/Get64/Swap64, which 40 | * are slow in general. 41 | * 42 | * Otherwise, an "auto-detect" of endianness is attempted below. 43 | * If the default handling doesn't work well, the user may insert 44 | * platform-specific code instead (e.g., for big-endian CPUs). 45 | * 46 | */ 47 | #ifndef SKEIN_NEED_SWAP /* compile-time "override" for endianness? */ 48 | 49 | #include "brg_endian.h" /* get endianness selection */ 50 | #if PLATFORM_BYTE_ORDER == IS_BIG_ENDIAN 51 | /* here for big-endian CPUs */ 52 | #define SKEIN_NEED_SWAP (1) 53 | #elif PLATFORM_BYTE_ORDER == IS_LITTLE_ENDIAN 54 | /* here for x86 and x86-64 CPUs (and other detected little-endian CPUs) */ 55 | #define SKEIN_NEED_SWAP (0) 56 | #if PLATFORM_MUST_ALIGN == 0 /* ok to use "fast" versions? */ 57 | #define Skein_Put64_LSB_First(dst08,src64,bCnt) memcpy(dst08,src64,bCnt) 58 | #define Skein_Get64_LSB_First(dst64,src08,wCnt) memcpy(dst64,src08,8*(wCnt)) 59 | #endif 60 | #else 61 | #error "Skein needs endianness setting!" 62 | #endif 63 | 64 | #endif /* ifndef SKEIN_NEED_SWAP */ 65 | 66 | /* 67 | ****************************************************************** 68 | * Provide any definitions still needed. 
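******************************************************************
*/
#ifndef Skein_Swap64  /* swap for big-endian, nop for little-endian */
#if     SKEIN_NEED_SWAP
#define Skein_Swap64(w64)                       \
  ( (( ((u64b_t)(w64))       & 0xFF) << 56) |   \
    (((((u64b_t)(w64)) >> 8) & 0xFF) << 48) |   \
    (((((u64b_t)(w64)) >>16) & 0xFF) << 40) |   \
    (((((u64b_t)(w64)) >>24) & 0xFF) << 32) |   \
    (((((u64b_t)(w64)) >>32) & 0xFF) << 24) |   \
    (((((u64b_t)(w64)) >>40) & 0xFF) << 16) |   \
    (((((u64b_t)(w64)) >>48) & 0xFF) <<  8) |   \
    (((((u64b_t)(w64)) >>56) & 0xFF)      ) )
#else
#define Skein_Swap64(w64)  (w64)
#endif
#endif  /* ifndef Skein_Swap64 */


#ifndef Skein_Put64_LSB_First
/*
 * Write bCnt bytes to dst, taking them from the 64-bit words at src with the
 * least significant byte of each word first.
 *
 * No bounds are checked here: the loop writes dst[0..bCnt-1] and reads
 * src[0..(bCnt-1)>>3], so the caller must size both buffers accordingly.
 */
void    Skein_Put64_LSB_First(u08b_t *dst,const u64b_t *src,size_t bCnt)
#ifdef  SKEIN_PORT_CODE /* instantiate the function code here? */
    { /* this version is fully portable (big-endian or little-endian), but slow */
    size_t n;

    /* n>>3 selects the source word, 8*(n&7) the byte within that word */
    for (n=0;n<bCnt;n++)
        dst[n] = (u08b_t) (src[n>>3] >> (8*(n&7)));
    }
#else
    ;    /* output only the function prototype */
#endif
#endif   /* ifndef Skein_Put64_LSB_First */


#ifndef Skein_Get64_LSB_First
void    Skein_Get64_LSB_First(u64b_t *dst,const u08b_t *src,size_t wCnt)
#ifdef  SKEIN_PORT_CODE /* instantiate the function code here?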
*/ 106 | { /* this version is fully portable (big-endian or little-endian), but slow */ 107 | size_t n; 108 | 109 | for (n=0;n<8*wCnt;n+=8) 110 | dst[n/8] = (((u64b_t) src[n ]) ) + 111 | (((u64b_t) src[n+1]) << 8) + 112 | (((u64b_t) src[n+2]) << 16) + 113 | (((u64b_t) src[n+3]) << 24) + 114 | (((u64b_t) src[n+4]) << 32) + 115 | (((u64b_t) src[n+5]) << 40) + 116 | (((u64b_t) src[n+6]) << 48) + 117 | (((u64b_t) src[n+7]) << 56) ; 118 | } 119 | #else 120 | ; /* output only the function prototype */ 121 | #endif 122 | #endif /* ifndef Skein_Get64_LSB_First */ 123 | 124 | #endif /* ifndef _SKEIN_PORT_H_ */ 125 | -------------------------------------------------------------------------------- /tmrth2/tmrth2-kgn/smth.asm: -------------------------------------------------------------------------------- 1 | section .data 2 | 3 | tab1 dd 0 4 | tab1p TIMES 1000h dd 0 5 | 6 | section .text 7 | 8 | global init_smth 9 | global do_smth64 10 | 11 | init_smth: 12 | push esi 13 | push edi 14 | xor edi, edi 15 | 16 | loc_401004: ; CODE XREF: init_smth+100j 17 | mov eax, edi 18 | cdq 19 | mov esi, eax 20 | shrd eax, edx, 1 21 | xor ecx, ecx 22 | and esi, 1 23 | shr edx, 1 24 | or esi, ecx 25 | mov ecx, eax 26 | mov eax, edx 27 | jz short loc_401027 28 | xor ecx, 0CAFEF00Dh 29 | xor eax, 0DEADBABEh 30 | 31 | loc_401027: ; CODE XREF: init_smth+1Aj 32 | mov edx, ecx 33 | shrd ecx, eax, 1 34 | and edx, 1 35 | xor esi, esi 36 | shr eax, 1 37 | or edx, esi 38 | jz short loc_401043 39 | xor ecx, 0CAFEF00Dh 40 | xor eax, 0DEADBABEh 41 | 42 | loc_401043: ; CODE XREF: init_smth+36j 43 | mov edx, ecx 44 | shrd ecx, eax, 1 45 | and edx, 1 46 | xor esi, esi 47 | shr eax, 1 48 | or edx, esi 49 | jz short loc_40105F 50 | xor ecx, 0CAFEF00Dh 51 | xor eax, 0DEADBABEh 52 | 53 | loc_40105F: ; CODE XREF: init_smth+52j 54 | mov edx, ecx 55 | shrd ecx, eax, 1 56 | and edx, 1 57 | xor esi, esi 58 | shr eax, 1 59 | or edx, esi 60 | jz short loc_40107B 61 | xor ecx, 0CAFEF00Dh 62 | xor eax, 0DEADBABEh 63 | 64 
| loc_40107B: ; CODE XREF: init_smth+6Ej 65 | mov edx, ecx 66 | shrd ecx, eax, 1 67 | and edx, 1 68 | xor esi, esi 69 | shr eax, 1 70 | or edx, esi 71 | jz short loc_401097 72 | xor ecx, 0CAFEF00Dh 73 | xor eax, 0DEADBABEh 74 | 75 | loc_401097: ; CODE XREF: init_smth+8Aj 76 | mov edx, ecx 77 | shrd ecx, eax, 1 78 | and edx, 1 79 | xor esi, esi 80 | shr eax, 1 81 | or edx, esi 82 | jz short loc_4010B3 83 | xor ecx, 0CAFEF00Dh 84 | xor eax, 0DEADBABEh 85 | 86 | loc_4010B3: ; CODE XREF: init_smth+A6j 87 | mov edx, ecx 88 | shrd ecx, eax, 1 89 | and edx, 1 90 | xor esi, esi 91 | shr eax, 1 92 | or edx, esi 93 | jz short loc_4010CF 94 | xor ecx, 0CAFEF00Dh 95 | xor eax, 0DEADBABEh 96 | 97 | loc_4010CF: ; CODE XREF: init_smth+C2j 98 | mov edx, ecx 99 | shrd ecx, eax, 1 100 | and edx, 1 101 | xor esi, esi 102 | shr eax, 1 103 | or edx, esi 104 | jz short loc_4010EB 105 | xor ecx, 0CAFEF00Dh 106 | xor eax, 0DEADBABEh 107 | 108 | loc_4010EB: ; CODE XREF: init_smth+DEj 109 | mov [tab1+edi*8], ecx 110 | mov [tab1p+edi*8], eax 111 | inc edi 112 | cmp edi, 100h 113 | jl loc_401004 114 | pop edi 115 | pop esi 116 | retn 117 | 118 | ; Attributes: bp-based frame 119 | 120 | do_smth64: 121 | 122 | mov ecx, [esp+4] ;msg 123 | mov edi, [esp+8] ;msg_len 124 | xor eax, eax 125 | xor edx, edx 126 | xor esi, esi 127 | test edi, edi 128 | jz short loc_401145 129 | 130 | loc_40111F: ; CODE XREF: smth64+33j 131 | mov ecx, [esp+4] ;msg 132 | movzx ecx, byte [esi+ecx] 133 | movzx ebx, al 134 | shrd eax, edx, 8 135 | xor ecx, ebx 136 | xor eax, [tab1+ecx*8] 137 | shr edx, 8 138 | xor edx, [tab1p+ecx*8] 139 | inc esi 140 | cmp esi, edi 141 | jb short loc_40111F 142 | 143 | loc_401145: ; CODE XREF: smth64+Dj 144 | mov ebx, [esp+12] 145 | mov [ebx], eax ;1st dword 146 | mov [ebx+4], edx ;2nd one 147 | 148 | retn 149 | -------------------------------------------------------------------------------- /weak.dsa/AuthServer.cs: 
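--------------------------------------------------------------------------------
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Numerics;
using System.Security.Cryptography;
using System.Text.RegularExpressions;

namespace weak_dsa_kg
{
    /// <summary>
    /// Verifier for the licence scheme: checks a DSA-style signature (r, s)
    /// over a 64-byte value built from a fingerprint and a truncated MD5 of
    /// the numeric id.
    /// </summary>
    /// <remarks>
    /// Review notes for anyone reusing this pattern:
    /// the id reaches the signed value only through idSize (6) bytes of MD5
    /// with the top bit cleared, i.e. 47 bits. Ids whose digests agree on
    /// those bytes are indistinguishable to Verify, so a signature is bound
    /// to the id far more weakly than the size of p and q suggests. A design
    /// meant to resist forgery would sign a full-length digest from a current
    /// hash function.
    /// NOTE(review): my_md5 is one shared static instance; hash algorithm
    /// instances are not documented as safe for concurrent use - confirm
    /// that callers are single-threaded.
    /// </remarks>
    class AuthServer
    {
        // Domain parameters and public key, as decimal strings.
        public static BigInteger p = BigInteger.Parse("12343166190249099963844614971858188890660252314196981857116019178266498099196944436576774068596061785922642532486910253402920733695804947624905546363393363");
        public static BigInteger q = BigInteger.Parse("6171583095124549981922307485929094445330126157098490928558009589133249049598472218288387034298030892961321266243455126701460366847902473812452773181696681");
        public static BigInteger g = BigInteger.Parse("6786183533171661594262558814260314083384466978959974116431945959977589683740679922916498942642093589315722172714694250494775306223775833010063525305963887");
        public static BigInteger y = BigInteger.Parse("10064244825758094072963970119807064710181088090418826682084640363233124440395354645467056460109079832312427767666487651151696929816590482407358254249751172");

        public static int fieldSize = 0x40;                        // bytes per field (r, s and the signed value)
        public static int idSize = 6;                              // bytes of the id digest that are kept
        public static int fingerPrintSize = fieldSize - idSize;    // bytes of fingerprint that fill the rest
        public static MD5CryptoServiceProvider my_md5 = new MD5CryptoServiceProvider();

        // ASCII digits only, anchored at the true end of the string.
        // The earlier pattern ^\d+$ also accepted non-ASCII decimal digits
        // (which Encoding.ASCII then turns into '?', so different ids hashed
        // alike) and a trailing newline.
        private static readonly Regex idPattern = new Regex(@"^[0-9]+\z");

        /// <summary>
        /// MD5 of the ASCII bytes of <paramref name="id"/>, with the top bit
        /// of byte h_size - 1 cleared.
        /// </summary>
        /// <returns>The full 16-byte digest; callers copy the first h_size bytes.</returns>
        public static byte[] hash(MD5CryptoServiceProvider md5, string id, int h_size)
        {
            byte[] h = md5.ComputeHash(Encoding.ASCII.GetBytes(id));
            // This byte ends up last in the signed value, where its top bit
            // would be the sign bit of the little-endian BigInteger.
            h[h_size - 1] = (byte)(h[h_size - 1] & 0x7f);
            return h;
        }

        /// <summary>
        /// Build the fieldSize-byte value that is signed: the decoded
        /// fingerprint followed by the first idSize bytes of hash(id).
        /// </summary>
        /// <exception cref="ArgumentException">
        /// The id is not a run of ASCII digits, or the fingerprint does not
        /// decode to exactly fingerPrintSize bytes.
        /// </exception>
        public static byte[] deriveData(string id, string fingerPrint)
        {
            if (!idPattern.IsMatch(id))
            {
                throw new ArgumentException("Incorrect id format.");
            }
            byte[] fingerPrintBytes = Convert.FromBase64String(fingerPrint);
            if (fingerPrintBytes.Length != fingerPrintSize)
            {
                throw new ArgumentException("Incorrect fingerprint size.");
            }
            byte[] data = new byte[fieldSize];
            byte[] h = hash(my_md5, id, idSize);
            Array.Copy(fingerPrintBytes, 0, data, 0, fingerPrintSize);
            Array.Copy(h, 0, data, fingerPrintSize, idSize);
            // No further masking needed: hash() already cleared the top bit
            // of the byte that lands at data[fieldSize - 1].
            return data;
        }

        /// <summary>
        /// DSA verification equation: accept when
        /// ((g^u1 * y^u2) mod p) mod q equals r, with u1 = h*w mod q and
        /// u2 = r*w mod q.
        /// </summary>
        public static bool dsa_vrf(BigInteger h, BigInteger r, BigInteger s)
        {
            // w = s^(q-2) mod q, which is the inverse of s modulo q when q is
            // prime (assumed, not checked here).
            BigInteger w = BigInteger.ModPow(s, q - 2, q);
            BigInteger u1 = (h * w) % q;
            BigInteger u2 = (r * w) % q;
            BigInteger v = ((BigInteger.ModPow(g, u1, p) * BigInteger.ModPow(y, u2, p)) % p) % q;
            return (r == v);
        }

        /// <summary>
        /// Check a Base64 signature (r followed by s, fieldSize bytes each)
        /// against the value derived from id and fingerPrint.
        /// </summary>
        /// <returns>false when r or s lies outside (0, q) or the equation fails.</returns>
        /// <exception cref="ArgumentException">
        /// Raised by deriveData, or when the signature does not decode to
        /// 2 * fieldSize bytes.
        /// </exception>
        public static bool Verify(string id, string fingerPrint, string signature)
        {
            BigInteger h = new BigInteger(deriveData(id, fingerPrint));
            byte[] sigBytes = Convert.FromBase64String(signature);
            if (sigBytes.Length != (fieldSize * 2))
            {
                throw new ArgumentException("Incorrect signature size.");
            }
            byte[] rBytes = new byte[fieldSize];
            byte[] sBytes = new byte[fieldSize];
            Array.Copy(sigBytes, 0, rBytes, 0, fieldSize);
            Array.Copy(sigBytes, fieldSize, sBytes, 0, fieldSize);
            // BigInteger(byte[]) reads little-endian two's complement, so a
            // set top bit in the last byte yields a negative value; the range
            // check below rejects those along with 0 and anything >= q.
            BigInteger r = new BigInteger(rBytes);
            BigInteger s = new BigInteger(sBytes);
            if (r <= 0 || r >= q || s <= 0 || s >= q)
            {
                return false;
            }
            return dsa_vrf(h, r, s);
        }
    }
}
--------------------------------------------------------------------------------
/weak.dsa/readme.txt:
--------------------------------------------------------------------------------
keygen for http://crackmes.de/users/mr.haandi/weakdsa/
uses birthday paradox
complexity: 2^24

pk
gdtr.wordpress.com
--------------------------------------------------------------------------------
/weak.dsa/weak_dsa_kg.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pakt/crackmes/eb4a1f139a759ac1370914f7d10c533cf41d49b9/weak.dsa/weak_dsa_kg.exe
--------------------------------------------------------------------------------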