Decrypting VAC's scan code [Archive] - GameDeception - A Development Site for Reverse Engineering


wav
08-21-2010, 06:06 AM
memcpy ( pMem, ( void* )g_dwVACEncryptedCodeStart[iIterator], g_dwVACScanCodeLength[iIterator] );

IceKey Ice(1);

Ice.set ( szFixedCipherText );

iBytesLeft = g_dwVACScanCodeLength[iIterator];

iBytesLeft = ( ( ( iBytesLeft - 1 ) >> 3 ) + 1 );

while ( iBytesLeft )
{
    Ice.decrypt ( pMem, pOut );

    pMem += 0x8;
    pOut += 0x8;

    iBytesLeft--;
}

Ice.~IceKey();

pOut = pOutStart; // realign pOut for CRC

pOut += 0x30;

CRC32_Init( &crc );
CRC32_ProcessBuffer( &crc, pOut, g_dwOffsetToEncryptedCode[iIterator] );
CRC32_Final( &crc );

if ( crc == g_dwVACScanFunctionCrcs[iIterator] )
{
    printf ( "Match found for 0x%X with length of 0x%X.\n", g_dwVACEncryptedCodeStart[iIterator], g_dwVACScanCodeLength[iIterator] );

    printf( "0x%llX\n", liIterator.QuadPart );
}
else
{
    pMem = pMemStart;

    memset ( pOut, 0, 0x2000 );
}


The same principle is applied to brute-forcing. That is all.

Credits: Patrick

PS: anti-copy-paste is added; smart people will notice it right away.

Chazwazza
08-21-2010, 03:37 PM
Lol, I like the anti-copypasta.

ThatLameDude
08-21-2010, 04:10 PM
I've been going in circles trying to figure out the algorithm, since I thought Valve would be smarter than to reuse code in the Source SDK. Now that expectation is smashed and VAC continues to be shitty.

wav
08-21-2010, 08:10 PM
Eh, might as well release the VAC Ice Key for packet decrypt.

34B2A2487FD68FD1

iBytesLeft = 0xA8

same crap as before

Jurugi
08-22-2010, 03:16 PM
Ello, in terms of VAC2, I'm always unsure if VAC is in hl.exe or in steam.exe, but I see people saying it's in steam.exe. So which one is it?

syntroniks
08-22-2010, 05:41 PM
steam.exe. The people worth listening to say it is located there.

ThatLameDude
08-22-2010, 07:54 PM
Dumping the encrypted header struct here since people might be interested.

.text:08CB29CD db 0Eh
.text:08CB29CE dword_8CB29CE dd 4E8h
.text:08CB29D2 dd 634h
.text:08CB29D6 dd 2B4D977h

typedef struct {
    UINT8  fcn_slot;   // Function # in order of linking.
                       // This never gets used during decryption.

    UINT32 fcn_size;   // Size of the block

    UINT32 fcn_passes; // Passes during decryption, leftshifted by 3.

    UINT32 fcn_crc32;  // CRC32 of the function

    // null space for decrypted code is left past this header
    // and is overwritten when decryption succeeds.
    //
    // the encrypted code is usually past fcn_size, give or take
    // a couple of bytes. snoop around in the decryption function
    // to see how the encrypted code offset is found
} vac_cryptcode_header;

wav
08-22-2010, 08:32 PM
Yeah I already documented this so you pretty much just reposted. Also I showed how to obtain the address of the encrypted code block.