+HCU 1999
A great strainer from Master +Aesculapius! I know that thousands (literally: I
reckon I have lately received more than 900 emails about this!) of future reversers and
protectors all around the world are awaiting it with impatience. Once more: the +HCU is NOT
a cracking group, it's an open university, open to ALL crackers, protectors and
reversers alike... if capable. You may be in a group, you may be a lone wolf cracker,
you may be a university professor of informatics or the CEO of your own
software company, we couldn't care less: we want your knowledge, we'll give you ours.
You don't need to be a programmer, you need to understand code; it is NOT the same thing.
So, if we're not a group, why do we keep publishing our
'strainers for admission' every year?
Well... we'll of course continue to teach openly (to everybody who
wishes to read our essays) all the basic and advanced
techniques, as we have always done, yet we need a "Kern" of dedicated and
capable +crackers in order to imagine new solutions, devise new techniques, develop
old and new team projects and understand very advanced (and new)
reversing topics. That's the mission +ORC entrusted to us, that's what has
dramatically changed the cracker scene in the last three years (everyone and his dog
is now publishing essays, which is GOOD :-) and that's therefore the purpose of our
yearly strainers: to find the best among you and to commit them to teaching (and
understanding) our wonderful trade: reversing.
As usual, all answers to +Aesculapius' 1999 strainer should be sent to us BEFORE
the end of September 1998. Looks like a long time to you? You'd better be careful: think
again. It's more than enough to do good work, if you start working now.
All answers should be directed to +Aesculapius
aesculapius(at)stones(point)com
or to any +HCU caretaker (+gthorne, fravia+, +Sync). All
answers will anyway land with +Aesculapius, who will have
the pleasure (and the responsibility) of deciding WHO among
the participants should be admitted to the +HCU's next
year's courses.
And, of course, all 'old +hands' are invited to participate as well: to reverse
under the direction of a master +cracker is a rare
pleasure, and this below is a beautiful strainer indeed!
fravia+
+HCU STRAINER 1999
By +Aesculapius
Published on 4 May 1998 - Must be solved BEFORE 30 September 1998
+ORC, our great mentor, entrusted to me the responsibility of
releasing the +HCU Strainer for 1999. I regard myself as a "strict"
educator, which is why this year the strainer will be quite a challenge,
and only the worthy ones will succeed.
I have selected four (4) endearing challenges to make sure that you are
the right person to enter our university.
The strainer release is every year a highly awaited time for many.
It is the time when all capable intermediate and advanced crackers have
the opportunity to transform their abilities into an art. We don't want to
teach you new techniques, we want YOU to create them. We neither want nor need
imitators, we wish to find truly capable reversers, able to adapt and evolve in
our complex, rapidly changing world of protecting and cracking, capable of
understanding the true meanings hidden inside all the code (and all the "reality")
that surrounds us.
We don't want selfish persons, we want people with enough humility to teach
what they know without any other expectation than the satisfaction of spreading
their sound and deep knowledge.
A small introduction will help you to understand the objectives of
every challenge. You have to solve all four challenges, of course, and even so,
only the best answers will be accepted. I don't have to remind you that any
"more than casual" resemblance between answers from different crackers will
result in the automatic elimination of both participants.
Obviously, you cannot imitate my own techniques in order to solve any of these
challenges either.
THE FIRST CHALLENGE:
The objectives of this challenge are to prove that:
1. The participant is able to design new techniques to solve a
cracking problem (main objective).
2. The participant knows assembly language coding.
3. The participant knows system memory manipulation.
4. The participant is capable of handling simple anti-debugging
techniques.
5. The participant is able to analyze complex encryption systems.
Target: Terminate 5.0 32 bit.
Description: Communication package.
Considerations:
Terminate is an awesome DOS based communication program. Its
formidable encryption system has resisted the attacks of many crackers.
The author uses several interesting tricks which lend themselves to the
creation of the so-called "new techniques". In summary, Terminate 5.0
uses a key-based protection scheme. The system accepts any key from an
authentic Terminate 4.0 owner, but it won't accept any old cracked key.
You could easily presume that the encryption in Terminate 5.0 has changed since
version 4.0. Interestingly, that is not true. The encryption remains the
same; however, Terminate 5.0 keeps rejecting old forged 4.0 keys while
accepting old authentic 4.0 keys. Since the cipher is unchanged, whatever
tells an authentic key from a forged one must lie in the key data itself:
some property that genuine keys satisfy and that the old key generators
never reproduced.
To succeed in this challenge, you must:
1. Extensively analyze and explain Terminate's protection scheme.
2. Create a 16 bit assembly key generator for it.
3. Design a technique to make sure that your generated key will be
valid in any further version of Terminate, as long as the encryption system remains
the same. That is, your key generator must be able to bypass the Terminate
author's trick for recognizing old keys.
THE SECOND CHALLENGE:
The objectives of this challenge are to prove that:
1. The participant is able to code his own Windows based 32 bit
patcher (main objective).
2. The participant is able to code in programming languages other
than assembly.
3. The participant is capable of coding Windows based applications.
Considerations:
DOS is dead, therefore new crackers have to prove they can adapt to
the more challenging tasks of a 32 bit operating system. It's amazing that even
now, when everybody is using a 32 bit operating system, most crackers still
rely on good old DOS to create their byte patchers. The byte patcher is
without any doubt a great symbol for any cracker. The first program, in any
language, any of us probably coded was the traditional "Hello World!", which
is featured in almost any programming textbook. In the same way, the
first program, in any language, any cracker probably coded was the
traditional byte patcher. In fact, the byte patcher represents in many
cases the edge between the casual cracker and the truly committed
future reverser.
Target: 32 bit Windows based byte patcher.
Description: None.
In this task, you'll have some help from me. DOS still rules in file
patching among crackers, an incredible fact considering that 32 bit
patching using API functions is easier, quicker and provides the cracker
with advantages never seen in 16 bit patching. I'm going to
code a byte patcher calling Win32 API functions. This is not the state of
the art in file patching, because MFC goes beyond and encapsulates most
Win32 API functions, giving the coder high flexibility in the
necessary API parameters and solving at the same time the terrible lack of
string-handling functionality in C/C++. To preserve tradition,
I'll use assembly to do the job. You can use the language of your
preference, but remember, the patcher must run in a 32 bit Windows
environment.
If you want to code a Windows application, all
strings must be zero terminated (C style) and API parameters must be pushed
in reverse order, last parameter first (this only applies to assembly: Win32 API
functions use the stdcall convention, so the arguments go on the stack right
to left and the callee removes them). Almost every compiler will translate your
high level language code into its most efficient assembly equivalent. Some API
functions offer additional advantages compared with their hardcore interrupt
equivalents. For instance, the OpenFile API function will look for the desired
file not only in the current path but also in the \windows\system directory,
which is a good thing if the patched file resides in that location. By the way,
OpenFile is not the most suitable API for opening a file in a 32 bit environment;
CreateFile is the best choice (OpenFile is a 16 bit compatibility function limited
to paths of 128 characters, and it fills in a 136 byte OFSTRUCT that your buffer
must have room for). I used OpenFile because it is easier and more intuitive to
understand. As you can see, all API parameters are pushed line by line to
facilitate the learning process. Tasm permits pushing everything at once
whenever a function is called, but it is harder to understand (and to
comment) that way.
Here you have my code:
;--------------------------------------------------------------------------
; 32 bit Byte Patcher.
; Coded by +Aesculapius - 1998.
; Designed as part of the +HCU Strainer for 1999.
; Compile with Tasm32 & Tlink32
; tasm32 -ml -m5 -q bytpat32
; tlink32 -Tpe -aa -x -c bytpat32 ,,, import32
; You'll need files: windows.inc and import32.lib provided with
; Tasm 5.0 full package.
;--------------------------------------------------------------------------
.386p ; 386 instruction set enabled
.model flat, stdCALL ; Linear (flat) addressing model, stdcall convention
; Import several important API functions.
; Some are not used, but I left them there
; in case you want to modify this program
; adding some other features. Note the 'A'
; suffix on the functions that take strings
; (CreateFile, SetFileAttributes, MessageBox):
; they have ANSI/Unicode variants, the others
; (OpenFile, ReadFile, WriteFile, ...) do not.
EXTRN OpenFile:PROC
EXTRN ReadFile:PROC
EXTRN WriteFile:PROC
EXTRN GetLastError:PROC
EXTRN SetFileAttributesA:PROC
EXTRN CreateFileA:PROC
EXTRN SetFilePointer:PROC
EXTRN CloseHandle:PROC
EXTRN ExitProcess:PROC
EXTRN MessageBoxA:PROC
INCLUDE WINDOWS.INC ; Some useful includes
; Data segment begins
.DATA
HANDLE DD ? ; Holds target file handle
FILENAME DB 'nero.exe',0 ; <-- Change to meet your target filename
FILE_DATA DB 88H DUP (0) ; OFSTRUCT filled in by OpenFile: it is
; 136 (88H) bytes, a smaller buffer
; would be overrun into LOGO
; Welcome message
LOGO DB 0AH,0DH
DB 'Nero Burning Rom 3.0.4.0. ',0AH,0DH
DB 'Coded by Aesculapius - 1998. ',0AH,0DH
DB ' ',0AH,0DH
DB 'Email: ',0AH,0DH
DB 'aesculapius@stones.com ',0AH,0DH
DB 'Home Page: ',0AH,0DH
DB 'http://members.xoom.com/Aesculapius/Aescu.html ',0AH,0DH
DB ' ',0AH,0DH
DB 'Proceed? ',0AH,0DH
DB 0AH,0DH,0
; Error message if target file not found
ERROR_MESSAGE1 DB 'The target file is not present in the current',0AH,0DH
DB 'path or is write protected. Please solve the ',0AH,0DH
DB 'problem and try again. ',0AH,0DH
DB 0
; Error message if target already cracked
; or wrong target version
ERROR_MESSAGE2 DB 'The location to be patched was not found! ',0AH,0DH
DB 'This could happen if: ',0AH,0DH
DB '- The program has been already cracked. ',0AH,0DH
DB '- This is a different version of the program. ',0AH,0DH
DB 'Please, contact the author of this crack at ',0AH,0DH
DB 'aesculapius@cryogen.com to get an update. ',0AH,0DH
DB 0
; Message if crack successful
SUCCESS DB ' Crack Successful!',0AH,0DH
DB 0
; Default Title of every window
TIT DB 'Nero Burning Rom 3.0.4.0. Crack',0
; Useful Null definition
NULL EQU 0
; Number of bytes to patch in Hexadecimal
; <-- Modify according to your target
PATCH_SIZE DD 00000010H
; Original data present in the uncracked
; target. This data is used to differentiate
; between a valid target and a wrong one
; (different version, already cracked).
; <-- Change according to your original
; target data
PREV_DATA DB 75H,22H,0C7H,45H,0FCH,0FFH,0FFH,0FFH,0FFH,0E8H
DB 7BH,03H,00H,00H,0B8H,01H
; Patching string
; <-- Modify according to your target
PATCH_BYTES DB 0EBH,00H,0C7H,45H,0FCH,0FFH,0FFH,0FFH,0FFH,0E8H
DB 7BH,03H,00H,00H,0B8H,00H
; DWORD that receives the number of bytes
; written. WriteFile stores a count here,
; not a copy of the data, so a DWORD is
; all that is needed
BYTES_WRITEN DD ?
; 32 bit offset location where the
; patch will be applied
; <-- Modify according to your target
PATCH_LOC DD 0003D579H
; DWORD that receives the number of bytes read.
BYTES_READ DD ?
; Buffer to hold bytes read from the target
; (must be at least PATCH_SIZE bytes)
READ_BUFFER DB 20H DUP (0)
; Code segment begins
.CODE
; Label to designate program start
START:
PUSH MB_OKCANCEL OR MB_ICONQUESTION ; Define window characteristics
PUSH OFFSET TIT ; Window Title
PUSH OFFSET LOGO ; Window message
PUSH NULL ; Push 0 (no owner window)
CALL MessageBoxA ; Show welcome message
CMP EAX, 00000002H ; Cancel button pressed? (IDCANCEL = 2)
JZ DONE ; If yes, then exit (nothing is open yet)
PUSH OF_READWRITE ; Open file for reading and writing
PUSH OFFSET FILE_DATA ; OFSTRUCT that OpenFile fills in
PUSH OFFSET FILENAME ; Filename to be opened
CALL OpenFile ; Open file
MOV HANDLE, EAX ; File handle from EAX to buffer
CMP EAX, -1 ; HFILE_ERROR? Check for errors
JNZ GO_ON1 ; No error, go on
; In case of error show proper
; message
PUSH MB_OK OR MB_ICONHAND
PUSH OFFSET TIT
PUSH OFFSET ERROR_MESSAGE1
PUSH NULL
CALL MessageBoxA
JMP DONE ; Exit without CloseHandle: there
; is no valid handle to close
GO_ON1:
; Check if file is suitable
; for cracking procedure
PUSH NULL ; dwMoveMethod = FILE_BEGIN (0)
PUSH NULL ; lpDistanceToMoveHigh = 0
PUSH DWORD PTR [PATCH_LOC] ; Push patch location offset address
PUSH HANDLE ; Push file handle
CALL SetFilePointer ; Move file pointer to patch
; location
PUSH NULL ; lpOverlapped = 0
PUSH OFFSET BYTES_READ ; DWORD that receives the byte count
PUSH DWORD PTR [PATCH_SIZE] ; Push number of bytes to be read
PUSH OFFSET READ_BUFFER ; Push offset of buffer to hold
; read bytes
PUSH HANDLE ; Push file handle
CALL ReadFile ; Read file patch location
; This function reads the target
; file at the patching location
; set by the SetFilePointer API,
; the number of bytes designated by
; PATCH_SIZE, and stores the
; bytes read in READ_BUFFER
TEST EAX, EAX ; ReadFile returns 0 on failure
JZ BAD_TARGET
MOV EAX, [BYTES_READ] ; A short read means the file ends
CMP EAX, [PATCH_SIZE] ; before PATCH_LOC+PATCH_SIZE: wrong
JNZ BAD_TARGET ; target, don't compare stale bytes
; The following code checks
; if the target file patching
; location has been previously
; modified
CLD ; String ops must go forward
MOV ESI, OFFSET READ_BUFFER ; Point ESI to the bytes just read
; from the target file
MOV EDI, OFFSET PREV_DATA ; Point EDI to known original
; string in the uncracked
; file
MOV ECX, [PATCH_SIZE] ; Number of bytes to compare
REPE CMPSB ; Compare while equal
JZ GO_ON2 ; All bytes match: the patching
; location is untouched, thereby
; the crack can be applied
BAD_TARGET:
; In case of error: patching
; location does not match
; that of the original
; target file, then present error
; message
PUSH MB_OK OR MB_ICONHAND
PUSH OFFSET TIT
PUSH OFFSET ERROR_MESSAGE2
PUSH NULL
CALL MessageBoxA
JMP EXIT ; Close the handle and exit
; Target file eligible to
; be patched
; Now move filepointer to
; patching location once
; again (ReadFile advanced it)
GO_ON2:
PUSH NULL ; dwMoveMethod = FILE_BEGIN (0)
PUSH NULL ; lpDistanceToMoveHigh = 0
PUSH DWORD PTR [PATCH_LOC] ; Push offset of 32 bit address
; of patching location
PUSH HANDLE ; Push file handle
CALL SetFilePointer ; Move file pointer to patching
; location
; Next function executes patch
PUSH NULL ; lpOverlapped = 0
PUSH OFFSET BYTES_WRITEN ; DWORD that receives bytes written
PUSH DWORD PTR [PATCH_SIZE] ; Push number of bytes to patch
PUSH OFFSET PATCH_BYTES ; Push offset of patching string
PUSH HANDLE ; Push file handle
CALL WriteFile ; Patch file
TEST EAX, EAX ; WriteFile returns 0 on failure
JZ WRITE_FAILED ; (read-only file, full disk, ...)
; Next function informs of
; successful patch procedure.
PUSH MB_OK
PUSH OFFSET TIT
PUSH OFFSET SUCCESS
PUSH NULL
CALL MessageBoxA
JMP EXIT
WRITE_FAILED:
; Nothing was written; the
; "write protected" message fits
PUSH MB_OK OR MB_ICONHAND
PUSH OFFSET TIT
PUSH OFFSET ERROR_MESSAGE1
PUSH NULL
CALL MessageBoxA
; Close file handle
EXIT: PUSH HANDLE
CALL CloseHandle
DONE: PUSH NULL ; Terminate program
CALL ExitProcess
END START
;-------------------------------------------------------------------------
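The same verify-then-patch flow in portable C, as an added example that is not +Aesculapius' code and not part of the original strainer. It keeps the page's PATCH_LOC, PREV_DATA and PATCH_BYTES values but runs them against a constructed stand-in file (zero filler with the original bytes planted at the offset), not against nero.exe; fopen/fseek/fread/fwrite stand in for OpenFile/SetFilePointer/ReadFile/WriteFile, which map one to one. It goes a little beyond the assembly version on two points a practitioner wants: a short read (file ends before PATCH_LOC + PATCH_SIZE) is reported as a wrong target instead of comparing stale buffer contents, and bytes that already equal PATCH_BYTES are reported as "already patched" rather than lumped in with a wrong version, so running the patcher twice is harmless.

```c
#include <stdio.h>
#include <string.h>

/* Outcome of one patch attempt; the patcher never writes unless it returns PATCH_OK. */
enum patch_result {
    PATCH_OK = 0,
    PATCH_CANT_OPEN,        /* fopen failed: missing file or no write access */
    PATCH_SHORT_READ,       /* file ends before PATCH_LOC + PATCH_SIZE */
    PATCH_ALREADY_PATCHED,  /* bytes at PATCH_LOC already equal PATCH_BYTES */
    PATCH_WRONG_VERSION,    /* bytes match neither the original nor the patch */
    PATCH_WRITE_FAILED
};

/* Offset and byte strings taken from the page's TASM data section: a JNZ (75 22)
 * becomes a two-byte no-op jump (EB 00) and the final MOV immediate goes 1 -> 0. */
#define PATCH_LOC  0x3D579L
#define PATCH_SIZE 16
static const unsigned char PREV_DATA[PATCH_SIZE] = {
    0x75,0x22,0xC7,0x45,0xFC,0xFF,0xFF,0xFF,0xFF,0xE8,0x7B,0x03,0x00,0x00,0xB8,0x01 };
static const unsigned char PATCH_BYTES[PATCH_SIZE] = {
    0xEB,0x00,0xC7,0x45,0xFC,0xFF,0xFF,0xFF,0xFF,0xE8,0x7B,0x03,0x00,0x00,0xB8,0x00 };

/* Read PATCH_SIZE bytes at loc, classify them, and overwrite only when they
 * are the known-original bytes. The "already patched" test runs before the
 * "original" test so a second run is a no-op instead of a version mismatch. */
enum patch_result patch_file(const char *path, long loc)
{
    unsigned char buf[PATCH_SIZE];
    enum patch_result rc = PATCH_OK;
    FILE *f = fopen(path, "r+b");            /* update mode: never truncates */
    if (f == NULL)
        return PATCH_CANT_OPEN;

    if (fseek(f, loc, SEEK_SET) != 0 || fread(buf, 1, PATCH_SIZE, f) != PATCH_SIZE)
        rc = PATCH_SHORT_READ;
    else if (memcmp(buf, PATCH_BYTES, PATCH_SIZE) == 0)
        rc = PATCH_ALREADY_PATCHED;
    else if (memcmp(buf, PREV_DATA, PATCH_SIZE) != 0)
        rc = PATCH_WRONG_VERSION;
    /* C requires a seek between a read and a write on one stream; this is the
       second SetFilePointer call of the assembly version. */
    else if (fseek(f, loc, SEEK_SET) != 0 ||
             fwrite(PATCH_BYTES, 1, PATCH_SIZE, f) != PATCH_SIZE)
        rc = PATCH_WRITE_FAILED;

    if (fclose(f) != 0 && rc == PATCH_OK)    /* a failed flush loses the patch */
        rc = PATCH_WRITE_FAILED;
    return rc;
}

/* Constructed stand-in target (not nero.exe): zero filler up to PATCH_LOC,
 * then the original bytes, then a short zero trailer. Returns 0 on success. */
int write_sample_target(const char *path)
{
    static const unsigned char zeros[4096];
    long left = PATCH_LOC;
    FILE *f = fopen(path, "wb");
    if (f == NULL)
        return -1;
    while (left > 0) {
        size_t chunk = left > (long)sizeof zeros ? sizeof zeros : (size_t)left;
        if (fwrite(zeros, 1, chunk, f) != chunk) { fclose(f); return -1; }
        left -= (long)chunk;
    }
    if (fwrite(PREV_DATA, 1, PATCH_SIZE, f) != PATCH_SIZE ||
        fwrite(zeros, 1, 32, f) != 32) { fclose(f); return -1; }
    return fclose(f) == 0 ? 0 : -1;
}

/* Post-patch verification: 1 if the PATCH_SIZE bytes at loc equal want. */
int bytes_at_equal(const char *path, long loc, const unsigned char *want)
{
    unsigned char buf[PATCH_SIZE];
    int equal = 0;
    FILE *f = fopen(path, "rb");
    if (f == NULL)
        return 0;
    if (fseek(f, loc, SEEK_SET) == 0 && fread(buf, 1, PATCH_SIZE, f) == PATCH_SIZE)
        equal = memcmp(buf, want, PATCH_SIZE) == 0;
    fclose(f);
    return equal;
}

int main(void)
{
    static const char *names[] = { "patched", "cannot open", "short read",
                                   "already patched", "wrong version", "write failed" };
    const char *target = "bytpat_demo.bin";  /* constructed file, see above */
    if (write_sample_target(target) != 0)
        return 1;
    printf("first run:  %s\n", names[patch_file(target, PATCH_LOC)]);
    printf("second run: %s\n", names[patch_file(target, PATCH_LOC)]);
    printf("verified:   %s\n", bytes_at_equal(target, PATCH_LOC, PATCH_BYTES) ? "yes" : "no");
    return 0;
}
```

Running it creates bytpat_demo.bin in the current directory, patches it, and reports "already patched" on the second run. For a real target, point it at the executable instead of the constructed file and keep the order of the checks: patched bytes first, original bytes second, everything else a wrong version.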
To succeed in this challenge, you must:
1. Create a Windows based 32 bit byte patcher for any target you
wish, using any programming language.
Remember one thing: if you use assembly to build your patcher, your
code must NOT resemble mine, otherwise you are automatically out
of the game.
THE THIRD CHALLENGE:
The objectives of this challenge are to prove that:
1. The participant is able to combine both the live and dead listing
approaches.
2. The participant is capable of defeating anti-cracker tricks.
3. The participant knows how to search & destroy hidden protections.
4. The participant understands the inner workings of a good
protection.
Target: Brainsbreaker v. 2.1 (32 bit) by Juan Trujillo Tarradas.
Description: Puzzle Creation Game.
Considerations:
From now on, all the work comes directly from the genius of +ORC
himself. He proposed that I study Brainsbreaker and decide if it was good
enough to be included in the strainer; as always, he wasn't wrong.
Brainsbreaker is a puzzle creation game, so what could be better than a
puzzle to challenge a cracker, whose daily work is dealing with reversing
puzzles? I won't talk about the target itself because that will be your job.
To succeed in this challenge, you must:
1. Completely explain the protection scheme used by this program.
THE ULTIMATE CHALLENGE:
The objective of this challenge is to check that:
1. The participant understands the graphical part of demo-reversing.
Target: Brainsbreaker v. 2.1 (32 bit) by Juan Trujillo Tarradas.
Description: Puzzle Creation Game.
Considerations:
Once you run Brainsbreaker, a small graphical sparkle appears every so
often (when you quit the game or successfully complete a puzzle). Your job in
the ultimate challenge is to code a program capable of reproducing this
nice sparkle, which reminds us of the '+' sign in our names, used to distinguish us
from non-HCUkers.
To succeed in this challenge, you must:
1. Code a program to reproduce the graphic effect of the sparkle
featured in Brainsbreaker.
You have until September 30 1998 to send your answers.
Finally, I can't do anything else but wish all of the
participants the best of luck.
+Aesculapius - 1998.
aesculapius(at)stones(point)com
The new +Hcukers
Well, here they are, as decided by +Aesculapius on 4 October 1998
1) +Cruehead, complete solution.
2) +Q (his name is only this letter), complete solution.
3) +Mad, complete solution.
4) +iNT_03h, complete solution.
5) +Spath, Complete answer
6) +JaZZ, Complete solution
7) +Bogus, the answers are buggy but the solution is complete.
8?) Fatal+Exception, complete solution (with partial source code).
Fatal Exception's admission is still under discussion (he included
some anti-debugging tricks when sending his code answers,
which looks suspicious to +some :-)
He will eventually be admitted if cleared of
the suspicion of having copied the answers.
The Solutions
Well, here they are, published on 4 October 1998.
Have a look and download one of the most interesting reversing projects of this year:
some VERY good reversers tackle some difficult protection schemes.
WARNING: This is GREAT reading for advanced protectors and reversers only. The TONS
of information that you'll find inside will keep you studying for a couple of weeks at least.
You should by all means, in yours +truly's opinion, first try to crack the strainer on
your OWN. Even if you don't, because you're simply too lazy and want only
to leech, reading this material you'll anyway get deep insights into some of the most advanced
protection and deprotection techniques. Enjoy!
(c)
Fravia+ & +Aesculapius 1998, All rights reserved