Noz3001’s Blog

Tutorialz and Shiz

Something New! A CrackMe Game.

Posted by noz3001 on October 1, 2008

I’ve created a new CrackMe specifically designed to be cracked using Cheat Engine. It might help you learn how to use it if you are new but if you are not new, it will most probably piss you off.

SecureInt Screenshot

    The aim of the game

To complete the game you need to set the on-screen value to 5000 and press enter. As soon as you do this you will receive confirmation of your success and you have beaten the game and me =D.

    The Rules

There are obviously rules, like in any other game, but they can be bent a bit. Firstly, using a debugger like OllyDbg isn't really recommended and I've used measures to really piss you off if you try. IDA is fine though.
Also, patching in OllyDbg and saving the modification to the file is against the rules. Cheat Engine is really recommended as you should "freeze" the number at 5000 when you find it.
Anything else should be fine.

    Download Links??!??!!

You can get the current version: Here
And the thread for this (with posts containing “solutions”): Here
Cheat Engine 5.4: Here

Have fun & Good luck ;D

Posted in Off-Topic

Retrieving your computers MAC Address

Posted by noz3001 on November 11, 2007

I was browsing through The Dark Alliance’s website the other day and came across a post asking how to get the MAC Address of his PC with ASM. I wasn’t in the mood for ASM so I had a go in C++ instead.

#include <stdio.h>
#include <windows.h>
#include <rpc.h>
#pragma comment (lib, "Rpcrt4.lib") // UuidCreateSequential

int main() {
    UUID id;
    unsigned char MACData[6];
    int i;

    // A sequential (version 1) UUID carries the node ID, normally the MAC
    // address of an Ethernet adapter, in the last six bytes of Data4.
    RPC_STATUS status = UuidCreateSequential( &id );
    if (status == RPC_S_UUID_LOCAL_ONLY) {
        // No Ethernet address was available, so the node field is a random
        // value and not a MAC address at all.
        printf("No MAC address available\n");
        return 1;
    }
    if (status != RPC_S_OK) {
        printf("UuidCreateSequential failed: %ld\n", (long)status);
        return 1;
    }

    for (i = 0; i < 6; i++)
        MACData[i] = id.Data4[i + 2]; // Data4[2] to Data4[7] hold the node ID (the MAC)

    printf("%02X-%02X-%02X-%02X-%02X-%02X\n",
           MACData[0], MACData[1], MACData[2], MACData[3], MACData[4], MACData[5]);

    return 0;
}

Well, that's how it's done. Anyway, I'm going to go do it in ASM now so I'll post that later too.
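
An added example, not from the original post: the node bytes UuidCreateSequential hands back are only a MAC address if the UUID is version 1 and its node field came from a network card. The portable C below takes a UUID in text form, pulls out the version and the node field (octets 10 to 15, i.e. Data4[2] to Data4[7]), and checks the multicast bit, which RFC 4122 tells generators to set when they had no MAC and used a random node instead; that is the same situation UuidCreateSequential reports as RPC_S_UUID_LOCAL_ONLY. Nothing here is Windows-specific. The sample inputs are the RFC 4122 DNS namespace UUID and a version 4 UUID made up for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Parse "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" (hyphens optional) into the
 * 16 octets in the order RFC 4122 lists them. Returns 0 on success, -1 on
 * any non-hex character or wrong length. */
int uuid_parse(const char *s, unsigned char out[16])
{
    int n = 0;

    for (; *s; s++) {
        int hi, lo;
        if (*s == '-')
            continue;
        hi = hexval(s[0]);
        lo = hexval(s[1]);
        if (hi < 0 || lo < 0 || n >= 16)
            return -1;
        out[n++] = (unsigned char)((hi << 4) | lo);
        s++; /* consumed two characters */
    }
    return n == 16 ? 0 : -1;
}

/* The version lives in the high nibble of octet 6 (time_hi_and_version). */
int uuid_version(const unsigned char u[16])
{
    return u[6] >> 4;
}

/* For a version 1 UUID, copy the 48-bit node field (octets 10..15, which is
 * Data4[2..7] in the Windows UUID struct) into mac and report whether it is
 * a real IEEE 802 address. RFC 4122 tells generators that have no MAC to set
 * the multicast bit (least significant bit of the first node octet), so that
 * bit set means "random node, not a MAC". Returns 1 if the UUID carries a
 * node field, 0 for other versions (mac is untouched then). */
int uuid_node(const unsigned char u[16], unsigned char mac[6], int *random_node)
{
    if (uuid_version(u) != 1)
        return 0;
    memcpy(mac, u + 10, 6);
    *random_node = (mac[0] & 0x01) != 0;
    return 1;
}

/* Format the node as "AA-BB-CC-DD-EE-FF" (out must hold 18 bytes). */
void format_mac(const unsigned char mac[6], char out[18])
{
    snprintf(out, 18, "%02X-%02X-%02X-%02X-%02X-%02X",
             mac[0], mac[1], mac[2], mac[3], mac[4], mac[5]);
}

int main(void)
{
    /* Sample inputs: the first is the RFC 4122 DNS namespace UUID (version 1),
     * the second a version 4 UUID constructed for this example. */
    const char *samples[] = {
        "6ba7b810-9dad-11d1-80b4-00c04fd430c8",
        "123e4567-e89b-42d3-a456-426614174000",
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned char u[16], mac[6];
        char text[18];
        int random_node = 0;

        if (uuid_parse(samples[i], u) != 0) {
            printf("%s: not a UUID\n", samples[i]);
            continue;
        }
        if (!uuid_node(u, mac, &random_node)) {
            printf("%s: version %d, no node field\n", samples[i], uuid_version(u));
            continue;
        }
        format_mac(mac, text);
        printf("%s: version 1, node %s%s\n", samples[i], text,
               random_node ? " (multicast bit set: random, not a MAC)" : "");
    }
    return 0;
}
```

The same check is worth running on any version 1 UUID you come across in a file format or protocol: if the multicast bit is clear, the UUID is leaking the MAC of the machine that generated it.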

Posted in Win32 C++

Beginner Driver Programming

Posted by noz3001 on May 16, 2007

Haha, finally time to write another blog. I've been having too much fun messing around in kernel mode and getting random BSODs because I messed something up.

Anyway, this blog will teach you the very basics of writing kernel mode drivers for Windows 2000 / XP.

Note: Kernel-mode drivers do run on Windows Vista, but 64-bit Vista (and everything after it) refuses to load a driver that isn't digitally signed, so the unsigned driver built here will only load there with test-signing mode switched on (bcdedit /set testsigning on).

//=====================
// Writing a driver for windows
//=====================

    Tools Needed:

Windows Driver Development Kit: Download
Driver Tools: Download
A Text Editor (For writing the source code)
Medium level C knowledge

    Win DDK

Before you start creating drivers you will need to understand the DDK – What it is and how to use it.
By now I hope you have already installed the DDK and have it ready for use.

The Driver Development Kit contains all the header files needed to compile your kernel driver and it also compiles your source. For example: in a normal Windows usermode application you would be accustomed to including windows.h as a header file. In kernel mode this is replaced by ntddk.h, the kernel mode "version" of windows.h.
ntddk.h is where most kernel mode APIs are declared.

Later, after you learn the skeleton of a driver source, I will explain how to compile a driver with the DDK.

    The Source

Now I am going to show you how a basic driver should look. Think of this as the driver version of the "hello world" program. In fact, I think we should make our driver print hello world!

Now, as I stated in the DDK explanation, the header file ntddk.h MUST be included at the top of your source:

#include "ntddk.h"

If you have already programmed for the console in C / C++, I'll assume that you know about the int main() function. Well, the driver equivalent to that is DriverEntry:

NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath);

Treat this exactly as you would int main(). As you can see, DriverEntry returns an NTSTATUS: a status code that tells the kernel whether the driver initialised. If it returns anything other than a success code the driver is not loaded. So in the body of DriverEntry we will put:

return STATUS_SUCCESS;

And this will tell the Operating system that the function succeeded.

Here is an example of what your driver source should look like at the moment:


#include "ntddk.h"

NTSTATUS DriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING theRegistryPath )
{

return STATUS_SUCCESS;
}

It might seem too simple to be a kernel mode driver but this will compile and can be loaded successfully (though, as we'll see in a moment, it can't be unloaded again until you add an unload routine).

    DbgPrint("Noz3001");

If you have written C / C++ programs in the past, you might have found yourself needing to print information to the screen for debugging or other purposes. In C you will probably have used the printf() function for that.
There is an equivalent function in kernel mode, DbgPrint(). It takes the same parameters as printf (a format string followed by the values) and is just as easy to call; the only catch is that viewing the output is not as simple as with printf. Because the first argument is a format string, always pass text that could come from elsewhere as an argument, DbgPrint("%s", buffer), never as the format itself.

We are going to make our driver print “hello world” when it’s run by using DbgPrint. An example of doing so is shown below:

DbgPrint("Hello World!");

If you place this code in the DriverEntry function, the driver will print our string when it is run. The only problem is that we have nothing to view the string with! Don't worry, that's why I made you download the "driver tools" at the beginning of this article. Extract them to your computer using WinRAR and open the file called "Dbgview".

It should look like this:
DbgView Main Window

This program catches all the strings that get DbgPrinted and displays them to you! This is how you are going to view your hello world string later on.

Now add your DbgPrint() code to your source. My source looks like this:


#include "ntddk.h"

// Runs when the driver is stopped. Without an unload routine the driver
// cannot be unloaded at all and stays resident until the next reboot.
VOID DriverUnload( IN PDRIVER_OBJECT DriverObject )
{
    UNREFERENCED_PARAMETER( DriverObject );
    DbgPrint("Goodbye World!");
}

NTSTATUS DriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING theRegistryPath )
{
    UNREFERENCED_PARAMETER( theRegistryPath );

    DbgPrint("Hello World!");

    DriverObject->DriverUnload = DriverUnload; // Register the unload routine.
    return STATUS_SUCCESS;
}

Note the line DriverObject->DriverUnload = DriverUnload; and the DriverUnload routine above DriverEntry. The kernel only lets a driver be stopped if it registered an unload routine, so without this the user has to restart the machine to get rid of your driver!

    Compiling your first Driver

This is the fun part!! Getting to use the DDK!!
Firstly, I hope you have created your source file on the same drive as you installed the DDK! If not, copy it over.

Note: Make sure the folder / source name have NO spaces in them!

There are two more small files you need to create before the DDK will compile your source. SOURCES and MAKEFILE.
Both have NO file extension and MAKEFILE is always the same.

MAKEFILE
!INCLUDE $(NTMAKEENV)\makefile.def

SOURCES
TARGETNAME=Noz3001_Driver
TARGETPATH=Release
TARGETTYPE=DRIVER
SOURCES=DriverMain.c

In SOURCES, TARGETNAME is the filename of the compiled driver (Noz3001_Driver.sys). TARGETPATH is the folder where the driver will be put; the build appends the platform, so an x86 free build ends up as Release\i386\Noz3001_Driver.sys. TARGETTYPE is pretty self-explanatory and SOURCES is your source file.

OK, now we can open the DDK build environment. Click Start -> Development Kits and look for "Windows XP Free Build Environment".
Once the console opens, type "cd\" and press enter to get to the root of the drive, e.g. "C:\>".

Now type cd followed by the full path to the folder where your 3 files are. Then type "build" (without the quotes) and press enter. You should see something like this:

DDK "Build" output

Note: If you get any errors, review your source and try to find what you did wrong.

If your DDK screen looks like mine, CONGRATULATIONS! You just created your first Kernel-Mode driver!
But wait, thats not all! You still have to make sure it works.

Make sure you still have DbgView open so you can see the result of your DbgPrint. Now it's time to use the other program I included in my "driver tools" file, "INSTDRV". This program can load your driver for you! It saves you a lot of time when you are still testing your driver, so keep it handy!

Once opened it will look like this:
InstDrvr

Now enter the full path to your driver in the pathname text box and click install. Once the status says “Operation successful”, click the start button to start your driver.

Now go back to DbgView. If your driver has worked you will see something like this:
DbgView showing the Hello World output

WELL DONE!! You just created a working kernel mode driver AND used a kernel mode function!

I think you should give yourself a pat on the back!

Posted in Win32 C++

Busy =|

Posted by noz3001 on April 6, 2007

Noticed I've not posted a lot recently? Yeah, I've been pretty busy this month. I will post some more knowledge next week! =D

Keep checking back for updates and stuff!

Posted in Off-Topic

PostMessage Example

Posted by noz3001 on March 10, 2007

No really! It IS! If you understand SendMessage I'm going to assume you understand the following code and will know how to use it:

// *Removed Title*
//
// Updated 05/05/08

#include "windows.h"
#include "conio.h"

// Thread routine: keeps looking for a top-level window titled "Demo" and
// posts WM_DESTROY to it. Note that WM_CLOSE is the normal way to ask another
// window to close; a posted WM_DESTROY only runs the target's WM_DESTROY
// handler (which in many programs calls PostQuitMessage).
DWORD WINAPI RMBypass( LPVOID lpParam )
{
    for( ;; ) {
        HWND RMTutorWindow = FindWindow( NULL, _TEXT("Demo") );

        if (RMTutorWindow)
            PostMessage( RMTutorWindow, WM_DESTROY, 0, 0 );

        Sleep(10);
    }
    return 0;
}

int main( void )
{
    CreateThread( 0, 0, RMBypass, 0, 0, 0 );
    _getch(); // Wait for a keypress, then exit (which ends the thread too)

    return 0;
}

Posted in Miscellaneous

Console Style

Posted by noz3001 on March 7, 2007

If you’re bored of the console and don’t want to learn how to program GUI, heres a few things you can do to change your console.

    Console HWND

First of all, sometimes you need to get the handle of your console window but can't use FindWindow to accomplish it. Luckily there's a function in "windows.h" which allows you to do it very simply. (It is only declared when _WIN32_WINNT is 0x0500 or higher, so define that before including windows.h if the compiler says it doesn't exist.)

Example:

HWND ConsoleHandle = GetConsoleWindow();

    Console text colour

By now you've probably got bored of writing in that terrible white colour. There's a simple function that changes the colour of the text =D

Example:

#include "windows.h"
#include <iostream>

using namespace std;

int main()
{
    HANDLE Std = GetStdHandle(STD_OUTPUT_HANDLE); // Get std handle
    CONSOLE_SCREEN_BUFFER_INFO info;
    GetConsoleScreenBufferInfo(Std, &info);        // Remember the current colours
    SetConsoleTextAttribute(Std, FOREGROUND_RED);  // OR in FOREGROUND_INTENSITY for bright red
    cout << "This text is red" << endl;
    SetConsoleTextAttribute(Std, info.wAttributes); // Put the old colours back
    return 0;
}

    Setting the window text

I know it's annoying that the title of the console is always the path. You can change it by using SetConsoleTitle().

Example:

SetConsoleTitle("New Title");

Theres lots more console functions here.

Posted in Console

Bitmap Buttons

Posted by noz3001 on March 6, 2007

By now, you must have noticed how ugly the normal buttons are. Well i’m here to give you a tip on how to liven them up a bit.
We are going to use Bitmap Buttons.

Heres something I made earlier which has a bitmap button in the top right of the window:
Bitmap Button Demonstration

Ok, First of all you need to create a button on your window. Mine looked rather like this:

ExitButton = CreateWindowEx( 0, "BUTTON", "", WS_VISIBLE | WS_CHILD | BS_BITMAP,
                             175, 9, 14, 14, hWnd, (HMENU)EXIT_BUTTON, hInstance, 0 );

Notice the BS_BITMAP style, this makes it possible for us to slap our image onto the button. So thats what we are going to do next.

You can do this anywhere after the button exists, but do it once, e.g. in the WM_CREATE case of your message handler. Don't put it in WM_PAINT: that would call LoadBitmap on every repaint and leak a GDI handle each time.

Firstly, you need to add your bitmap to your workspace. Do this by clicking Insert->Resource->Bitmap->Import. After that right click the imported image in your res file and change its name.

To place the bitmap on the button, we are going to use the SendDlgItemMessage function.

We are going to send the BM_SETIMAGE message to the button: pass the main window as hDlg, our button ID as nIDDlgItem (in my case EXIT_BUTTON), (WPARAM)IMAGE_BITMAP as the wParam and the bitmap handle as the lParam. Load the bitmap first and keep the handle, because the button does not copy it; you have to DeleteObject() it yourself when the window is destroyed.
My final code looked like this:

HBITMAP hCross = LoadBitmap(hInst, MAKEINTRESOURCE(IDB_CROSS)); // hInst is your HINSTANCE
SendDlgItemMessage(hWnd,
                   EXIT_BUTTON,
                   BM_SETIMAGE,
                   (WPARAM)IMAGE_BITMAP,
                   (LPARAM)hCross);

Now if you run your program, the button should have the bitmap over it =). When the window goes away (WM_DESTROY), call DeleteObject(hCross) to free the bitmap.

Posted in Windows Applications

Writing a Trainer

Posted by noz3001 on March 5, 2007

So you want to write a trainer eh?

First of all, you are going to need to download Cheat Engine 5.3 from my Tools + Programs page and find out how to find addresses and values. Once you have mastered this, read on.

    Getting a handle?

First of all you need to get a handle to the games window. You can do this by using the FindWindow API like so:

HWND hWindow = FindWindow(NULL, "Minesweeper"); /* Finds Minesweeper's window by its title */

Now that we have a handle to the game's window we need to open the process with OpenProcess. But to do this we need the PID of the game.
We can find the PID using one very simple API, GetWindowThreadProcessId().

Here's an example of doing so:
DWORD PID; // We need this now to store the PID.
HANDLE hProcess; // We will use this for OpenProcess
HWND hWindow = FindWindow(NULL, "Minesweeper");
if (hWindow == NULL) { /* Minesweeper isn't running, so there is nothing to patch */ }
GetWindowThreadProcessId(hWindow, &PID);

Now we have the PID of the process, we can open it:

hProcess = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, PID);
if (hProcess == NULL) { /* GetLastError() tells you why, usually ERROR_ACCESS_DENIED */ }

PROCESS_ALL_ACCESS asks for every right there is and can be refused (for example for a process running with higher privileges than your trainer), so request only what you need: WriteProcessMemory wants PROCESS_VM_OPERATION and PROCESS_VM_WRITE, and ReadProcessMemory wants PROCESS_VM_READ. The second parameter says whether child processes inherit the handle; FALSE here. Look the rest up on MSDN.
Now we have an open handle to the game and we can change its memory.

    Changing Values?

Now we have access to the game and its memory, it's time to use another common, easy to use API: WriteProcessMemory.
We will use it to patch the instruction that updates the timer in Minesweeper.

First let's declare two variables to hold what we want to write and the size of what we want to write. I declared and defined them like so:

BYTE nop = 0x90;
DWORD size = sizeof(nop);

Look at the data I've put into nop: 0x90 is a NOP in ASM, a one-byte instruction that does nothing.

OK, now that we have all the variables needed to write to the memory let's actually do it!

SIZE_T written = 0;
if (!WriteProcessMemory(hProcess, (LPVOID)0x01002FF5, &nop, size, &written)) { /* GetLastError() tells you why */ }

If you look at that line, hProcess is the result of OpenProcess, which was the handle to Minesweeper. (LPVOID)0x01002FF5 is the address of the instruction that drives the timer (the address Cheat Engine turned up for this build of Minesweeper; it will differ on other builds, so find your own), nop is the value to be written and size is the size of the data we are writing to the process. One thing to watch: a NOP has to cover the whole instruction you are removing, not just its first byte, otherwise the leftover bytes get decoded as some other instruction. Check the instruction length in a disassembler and write that many 0x90s. Oh, and you SHOULD close the handle by using:


CloseHandle(hProcess);

Now if you run it while Minesweeper is running, the timer will stop.
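
An added example, not from the original post or from Cheat Engine: a hard-coded address like 0x01002FF5 only holds for one build of the target, so trainers usually find the instruction by scanning for its bytes with the build-specific operand wildcarded (Cheat Engine calls this an array-of-bytes scan) and then NOP out the whole instruction, not just its first byte. The C below is portable and works on a constructed sample buffer standing in for the target's code; the instruction bytes and the 0x12345678 operand in it are made up. On Windows you would fill the buffer with ReadProcessMemory and send the patched bytes back with WriteProcessMemory using the handle from OpenProcess above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Search hay for pattern. mask[i] == 'x' means the byte must match,
 * '?' means any byte. Returns the offset of the first match, or -1.
 * This is the "array of bytes" (AOB) scan Cheat Engine offers. */
long find_pattern(const uint8_t *hay, size_t hay_len,
                  const uint8_t *pattern, const char *mask)
{
    size_t plen = strlen(mask);
    size_t i, j;

    if (plen == 0 || plen > hay_len)
        return -1;
    for (i = 0; i + plen <= hay_len; i++) {
        for (j = 0; j < plen; j++)
            if (mask[j] == 'x' && hay[i + j] != pattern[j])
                break;
        if (j == plen)
            return (long)i;
    }
    return -1;
}

/* Overwrite len bytes at off with 0x90 (x86 NOP), bounds-checked.
 * The whole instruction must be covered: NOPing only its first byte
 * leaves the remaining operand bytes to be decoded as a new, unintended
 * instruction. Returns 0 on success, -1 if the range is out of bounds. */
int nop_patch(uint8_t *buf, size_t buf_len, size_t off, size_t len)
{
    if (off > buf_len || len > buf_len - off)
        return -1;
    memset(buf + off, 0x90, len);
    return 0;
}

/* Constructed sample standing in for a few bytes of the target's code.
 * The instruction we want gone is "inc dword ptr [0x12345678]",
 * encoded FF 05 78 56 34 12 (6 bytes); the disp32 operand 0x12345678 is
 * made up and is exactly the part that changes between builds. */
static const uint8_t sample_code[] = {
    0x55,                               /* push ebp                */
    0x8B, 0xEC,                         /* mov  ebp, esp           */
    0xFF, 0x05, 0x78, 0x56, 0x34, 0x12, /* inc  dword ptr [disp32] */
    0x5D,                               /* pop  ebp                */
    0xC3                                /* ret                     */
};
#define SAMPLE_LEN (sizeof sample_code)

/* Find the increment (opcode bytes fixed, operand wildcarded) and NOP all
 * six bytes of it. Returns the patched offset, or -1 if not found. */
long patch_increment(uint8_t *code, size_t len)
{
    static const uint8_t pat[] = { 0xFF, 0x05, 0, 0, 0, 0 };
    long off = find_pattern(code, len, pat, "xx????");

    if (off < 0 || nop_patch(code, len, (size_t)off, sizeof pat) != 0)
        return -1;
    return off;
}

/* Copy the sample into out (at least SAMPLE_LEN bytes), patch it and
 * return the patched offset. On Windows the copy would come from
 * ReadProcessMemory and the patched bytes go back via WriteProcessMemory. */
long run_demo(uint8_t *out)
{
    memcpy(out, sample_code, SAMPLE_LEN);
    return patch_increment(out, SAMPLE_LEN);
}

int main(void)
{
    uint8_t buf[SAMPLE_LEN];
    long off = run_demo(buf);
    size_t i;

    printf("patched at offset %ld:", off);
    for (i = 0; i < SAMPLE_LEN; i++)
        printf(" %02X", buf[i]);
    printf("\n");
    return off < 0;
}
```

In a real trainer the scan runs over the target's code section read with ReadProcessMemory, and the pattern should be long enough to match only once; a second match usually means your mask is too loose, not that the game has two timers.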

Posted in Games

Getting AlphaBlend working!

Posted by noz3001 on March 5, 2007

If you've ever tried to make your windows look nicer with a bit of transparency, you've probably stumbled upon AlphaBlend(). If you took the time to look at it and try it out, I'm guessing you got lots of errors. That's because AlphaBlend() is a GDI function for blending bitmaps; what makes a whole window see-through is SetLayeredWindowAttributes(). Here is how to get that working.

First, we need to define all the stuff which is needed for AlphaBlend.
Add this to the top of your source under your includes:

#ifndef LWA_COLORKEY
#define LWA_COLORKEY 0x00000001
#endif
#ifndef LWA_ALPHA
#define LWA_ALPHA 0x00000002
#endif

#ifndef WS_EX_LAYERED
#define WS_EX_LAYERED 0x00080000
#endif

typedef BOOL (WINAPI* SETLAYEREDWINDOWATTRIBUTES)(HWND, COLORREF, BYTE, DWORD);
void Alpha( HWND hWnd, BYTE alpha );

Now we have everything defined and are ready to make the window transparent.

First of all, SetLayeredWindowAttributes requires your window to be layered (WS_EX_LAYERED). You can set this style by using SetWindowLong. Everything is wrapped in one function; call it as Alpha(hWnd, 100) once the window exists, with any alpha from 0 (invisible) to 255 (opaque):


void Alpha( HWND hWnd, BYTE alpha )
{
    SETLAYEREDWINDOWATTRIBUTES pLayered; // function pointer
    HMODULE hUser32;

    // The window must be layered before the alpha value has any effect.
    SetWindowLong(hWnd, GWL_EXSTYLE, GetWindowLong(hWnd, GWL_EXSTYLE) | WS_EX_LAYERED);

    // Resolve SetLayeredWindowAttributes at run time, so the program still
    // starts (and just skips the transparency) where user32 lacks it.
    hUser32 = LoadLibrary( "user32.dll" );
    if ( !hUser32 ) return;
    pLayered = (SETLAYEREDWINDOWATTRIBUTES)GetProcAddress( hUser32, "SetLayeredWindowAttributes" );
    if ( pLayered )
        pLayered( hWnd, 0, alpha, LWA_ALPHA ); // 3rd param is the alpha value, 0 - 255.
    FreeLibrary( hUser32 );
}

Posted in Windows Applications

TextOut to another program / desktop

Posted by noz3001 on March 5, 2007

Writing text to other windows or your desktop is actually really easy.
Here's an example of doing so:

DWORD WINAPI ScreenText( LPVOID lpParam )
{
    char szScreenText[] = "Noz3001 Was Here";
    HFONT ScreenFont = CreateFont( 100, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, PROOF_QUALITY,
                                   0, "Times New Roman" );
    HDC Screen;
    HGDIOBJ OldFont;

    for(;;) {

        // Set Screen Text Attributes. Every GetDC must be paired with a
        // ReleaseDC, or this loop leaks a DC on each pass.
        Screen = GetDC( 0 );
        SetBkMode( Screen, TRANSPARENT );
        SetTextColor( Screen, RGB(255,255,0) );
        OldFont = SelectObject( Screen, ScreenFont ); // Select our font

        // Print text. Whatever is underneath repaints over it, hence the loop.
        TextOut( Screen, 0, 0, szScreenText, lstrlen(szScreenText) );

        SelectObject( Screen, OldFont );
        ReleaseDC( 0, Screen );
        Sleep( 10 );
    }
    return 0; // never reached
}

Of course, this is an infinite loop, so we need to run it in a separate thread:

CreateThread( 0, 0, ScreenText, 0, 0, 0 );

To draw on a window instead of your desktop, you need to get the HWND of the program and pass it as GetDC's parameter (and release with ReleaseDC using the same HWND):


HWND OtherWindow = FindWindow( "WindowClassName", "WindowTitle" );
HDC WndDC = GetDC( OtherWindow );

Or just use:


HDC WndDC = GetDC( FindWindow( "WindowClassName", "WindowTitle" ) );

Whichever you find more convenient. GetDC returns NULL if FindWindow didn't find the window, so check it before drawing.

Posted in Windows Applications