How to keep uptodate with the +HCU academy
(Cracking The Maze Of Essays At fravia+ Web Site)

by wlc

(29 November 1997, with a special THANK by fravia+)


An addition by wlc: source code for it! (6 Dez 1997)
This is an interesting "learning IDA" addition as well!
Courtesy of fravia's page of reverse engineering
Well, this is really a nice addition! Wlc has written a pascal automated database for all those among you that are interested in this page!
And of course I like a lot wlc's definition of my site: "Fravia+ adds, modify and changes his pages on the fly... Just as bad as chasing dead listing calls and jumps in a crack. Lots of distraction and you forgot what it was you were looking for in the first place". Read and enjoy! (And thank a lot, REALLY, wlc, anything you need, from now on, just ask!
:-)

To Fravia+ :Cracking The Maze Of Essays At fravia+'s Web Site.

 This project started with the following proposal by +MaLattia inside
 Zero+'s HCU_Mail_List.

"I think it would be useful both for +Fravia and for all the guys who 
reach his site if we try to catalog the students' essays dividing them 
both by subject and difficulty, and maybe telling what lessons from 
+ORC's tutorial are useful to understand each essay. What do you think 
about it? Do you want to join me?"

Needless to say, I too thought that it would be a great idea for my 
own personal reasons.  I was getting lost, trying to keep tabs on all 
the submissions.  There was just too much stuff on fravia+ site to go 
over. Over 337 essays and growing.  With Teleport Pro, it grabs 
another 600 other files to shove into my subdirectory. 

Netscape running on my 486 notebook chokes on bringing up the 
directory where I store his goodies. Fravia+ adds, modify and changes 
his pages on the fly so you got to check his pages in case he throws 
in a new link or two.  Rule of thumb, you can't read his pages just 
once and forget about it, if you want to be a serious cracker.  With 
stuff you don't understand, you have to put aside and come back it 
later, if you can remember where it is.

You start opening up the pages.  You jump from one linked page to 
another. Just as bad as chasing dead listing calls and jumps in a 
crack. Lots of distraction and you forgot what it was you were looking 
for in the first place.  Sometimes you want to read all the essays for
a project or by an author but you can't find it readily.  You don't
want to tamper too much with the essays and the way you mirror his
site.  What do you do?

This calls for a crack to solve fravia+ essay maze. 

At first, our approach was to create html pages for fravia+ to post on 
his web site.  Bad idea.  Too much work for fravia+ and for us to 
update and maintain.  +.MaLattia. then came up with the idea of using 
a database.

"A problem is that with some of the older essays, there is no 
consistent categorization built into them i.e.. a constant location on 
an essay for a program to pick the information from.  Do we edit the 
old essays to insert these tags or do we provide a starting database 
with completed record info on these old essays and let the user 
add/edit his/her own?"

Again, too much work.  What database format should we choose that is 
common to all users?  How much overhead should be involved to enter 
the information, just to use it?

The focus then became to develop a tool for research and reference 
use.  Here is the working solution in Turbo Pascal 7 which will 
generate 4 html reference pages.  It is not a fancy solution but it 
will serve the purpose.  The file mazemap.Zip will contain the program 
called MazeMap.Exe with two data files called HTMLS.HCU and 
PROJECTS.HCU. 

Copy this to where you store your fravia+ downloads, unzip it and 
execute it from there.  Since it was written in TP7, it is a Dos 
application but you can setup a Windows DeskTop Icon to run it. The 
program will go through files in your download subdirectory,  pick out 
any new html and create a database record for it.  The database 
HTMLS.HCU contains basic information updated to Nov/22/97.  

When you run this program, pressing F7 in the Main Menu will retrieve 
in new HTMLS filenames.  It may be that I have more records than what 
is in your directory or you may have files that is not in the 
database.  It don't matter, the link will fail if the file does not 
exist, that's all.  Some of the essays may have been moved off and you 
can't retrieve them anymore.  Post a query and someone may email you a 
copy.

It is up to you, the user, to fill in the other data fields from now 
on to make this program work. You can select F2 in the Main Menu to 
edit, add, and delete the records in this database.  

Rotate forward or back using (N)ext, or (P)revious to cycle through 
the records and complete the other fields. (E)nter in the last field 
of the record to save it as is.  Sorry no mouse support, it gets in 
the way.  When you retrieve new HTML filenames they are located at the 
end of the HTMLS.HCU file which you can reach by pressing (P) becasue 
the program opens up positioned at the 1st record of the file. If you 
want to full screen editing, use F4 in the Main Menu to convert it to 
a text file.  Use any hex editor and remember to retain the record 
alignment. When finish, convert it back to binary file format. All you 
have to provide is three key piece of information.  The Writer, the 
Essay Topic and the Project Link. The other fields do not affect the 
reference page creation at this time and can be ignored.  Maybe if 
this basic model works, +.MaLaTTia. and I will then expand on other 
functions for this project further.  This program works best with Dos 
convention filenames.  It may be a problem with longfilenames but I
alloted a 35 character field for it just in case.

The Projects.HCU is a look up table to categorize the essays for the 
Project Link which takes a two digit integer [0..99]. Numbers 0-15 
correspond to the Projects set forth by fravia+. We didn't change the 
order fravia+ used to assigned to his essays so if you cycle through 
it, you will see the ones set up. I used Number 90 for unassigned 
essays. Essays by +Orc is assigned #95 the year he started with 
fravia+, #97 is assigned to fravia+, #98 is assigned to +gthorne, and 
#99 for assorted essays, as per the Academy pages.  If you type in the 
correct number, the title for it will show up in the HTMLS.HCU record. 
I took the Topic/Target mostly from the essay titles. Shouldn't take 
long for you to update the database as new entries comes in from your 
downloads. I did most of the preliminary work.  The maximum size for 
this program to work as is will be about 1800 records (limited by 
memory used to check records) and we are currently at 337, which will 
give us time to think another solution if this is a success. 

Difficulty level and Approach used range from 0-3 and can be assigned 
by the user to his or her taste to the essay.  There is also a URL 
Link field which may be be useful for storing personal links in the
future.  The program at this point does not use any of these fields
in the reference pages.

If you want, you can select the F6 in the Main Menu to sort the two 
databases.  Why bother?  The Main component is F8, which will generate 
4 Html pages.  These pages will be named 1Fravia.HTM, 2Fravia.HTM, 
3Fravia.HTM and 4Fravia.HTM. This is so that in a browser OPEN FILE 
listing of your subdirectory, it shows near the top. You can generate 
all 4 pages or just select the one you prefer. The HTMLS.HCU database 
is sorted and a screen full of html source codes will fly off your 
computer screen as the reference page is written to file.  It works. 

(I didn't know any thing about mark up language.  What I did was cut 
and paste some stuff from Fravia+ main page to see what code was 
generated and then translated the required code pattern to be output 
for the html features and links.)

Now you can switch back to your browser to open any one of the 4 HTML 
file generated. I used a small, fixed width font to fit output in both 
in Explorer and Netscape. The same info is displayed in 4 different 
perspective pages. The links are near the right, close to the scroll 
bar.  The first column is the Writer, the second the Topic and the 
third is the FileName link. If you ran this program in where you store 
your files, you should have no problem. 

It takes less than 5 minutes and I have the four reference pages 
needed to open all the essays in either Netscape or Explorer. I put 
the + in front of fravia+, +gthorne and +Orc in the author field so 
that they will appear near the top of the pages most of the time. 
Others I ignored because some of them didn't appear in a consistent 
places.  Edit the information to suit your taste and how it affect 
your pages.  If you are really lazy or have no time maybe once a month,
you can email someone for the updated *.HCU datafiles.

I leave it up to fravia+ to evaluate and determine how this program 
will be released and distributed.  This is my way to say thanks to 
fravia+ for his efforts and to his friends and students for the 
precious knowledge that they have contributed so freely at his site.
I do not have a new crack to offer at this moment in time, but if 
we (+.MaLaTTia and myself), through our efforts have made the study 
at his site more productive, we succeeded on this project and would
like to share this with you.  Cracking should not be limited to just
breaking into serial numbers protections.  Solving problems of any
nature should be our reason for being here.   Thanks +All, enjoy!

wlc

6 Dez 1997
And since a reader asked for the source code of wlc's "maze program", here you have wlc's answer... the source code will be added here as soon as wlc sends it: the copy I received is corrupted.
The following text is interesting for all those among you that are learning IDA. Enjoy!

Hail fravia+:

The honor to share space at your essays' hall of fame site is all 
that I would ask for. Let it be there, available for those seeking 
knowledge, as I seek for my knowledge from there also.

You forwarded to me an email from one reader asking for the source 
codes to the program, MazeMap. I have no problem with that. I will
submit it to you, to make it available to those who seek it. 

(They may need it to fix a few bugs like the change in your site 
address in the HTML pages and the little nag screen promoting your 
name and cause on startup.)

They can use it as a stepping stone to improve their version and it
can serve as an example for reverse engineering or as a model for 
learning IDA Pro and disassembly. 

In the original submission I used a TP unit with uncalled variables, 
functions and procedures which I edited out from the current one to 
avoid confusion and combined into one singular source file called 
MazeDemo.Pas.  I included the compiled version called MazeDemo.Exe 
for those without the TP7 compiler. 

The lesson here is how to use the source code to understand any 
typical compiler (TP7) and to work with IDA.  First, print the 
source code and have it handy.  Secondly, execute IDAW MazeDemo.Exe 
and wait for the disassembly, it's worth it.  Next, save this file
to Mazedemo.IDC under the File Menu at the top of your screen.   
Following sessions would not take as long to load once this session
is saved.

Next, select from the Options Menu, the Text Representation. 
Unmark (un X) everything except for [X] Line Prefixes and [X] 
Display Comments to eliminate the clutter.  Activate them all
when you get comfortable with the environment.

When you get back to the main windows, use the scroll bar at the 
extreme right to get to the very top of the screen.  There you will 
see some general stuff about the program and

0000's on the extreme left and the start of a subroutine on 
your screen similar to the one below.

Extracted from IDA PRO

0000 ;               S u b r o u t i n e
0000 ; Attributes: bp-based frame
0000 sub_0_0         proc near     ; CODE XREF: sub_0_1988+66p
0000                               ; sub_0_2A39+2Ap ...
0000 arg_0           = byte ptr  4
0000 arg_2           = byte ptr  6
0000                 push    bp
0001                 mov     bp, sp
0003                 mov     al, [bp+arg_0]
0006                 cmp     al, 1
0008                 jnz     loc_0_3E
000A                 cmp     [bp+arg_2], 1
000E                 jnz     loc_0_2C
0010                 mov     di, 34EEh
0013                 push    ds
0014                 push    di
0015                 mov     al, 20h ; ' '
0017                 push    ax
0018                 xor     ax, ax
001A                 push    ax
001B                 call    sub_85F_8DE
0020                 call    sub_85F_861
0025                 call    sub_85F_4F4
002A                 jmp     short loc_0_3B
002C loc_0_2C:                     ; CODE XREF: sub_0_0+Ej
002C                 mov     di, 34EEh
002F                 push    ds
0030                 push    di
0031                 call    sub_85F_840
0036                 call    sub_85F_4F4
003B loc_0_3B:                     ; CODE XREF: sub_0_0+2Aj
003B                 jmp     loc_0_C6
003E loc_0_3E:                     ; CODE XREF: sub_0_0+8j
003E                 cmp     al, 2
0040                 jz      loc_0_45
0042                 jmp     loc_0_C6
0045 loc_0_45:                     ; CODE XREF: sub_0_0+40j
0045                 cmp     [bp+arg_2], 1
0049                 jnz     loc_0_88
004B                 cmp     byte_A70_3F73, 0
0050                 jnz     loc_0_6C
0052                 mov     di, 4832h
0055                 push    ds
0056                 push    di
0057                 mov     al, 20h ; ' '
0059                 push    ax
005A                 xor     ax, ax
005C                 push    ax
005D                 call    sub_85F_8DE
0062                 call    sub_85F_861
0067                 call    sub_85F_4F4
006C loc_0_6C:                     ; CODE XREF: sub_0_0+50j
006C                 mov     di, 32EEh
006F                 push    ds
0070                 push    di
0071                 mov     al, 20h ; ' '
0073                 push    ax
0074                 xor     ax, ax
0076                 push    ax
0077                 call    sub_85F_8DE
007C                 call    sub_85F_861
0081                 call    sub_85F_4F4
0086                 jmp     short loc_0_C6
0088 loc_0_88:                     ; CODE XREF: sub_0_0+49j
0088                 cmp     byte_A70_3F73, 0
008D                 jnz     loc_0_9E
008F                 mov     di, 4832h
0092                 push    ds
0093                 push    di
0094                 call    sub_85F_840
0099                 call    sub_85F_4F4
009E loc_0_9E:                     ; CODE XREF: sub_0_0+8Dj
009E                 mov     di, 32EEh
00A1                 push    ds
00A2                 push    di
00A3                 call    sub_85F_840
00A8                 call    sub_85F_4F4
00AD                 inc     byte_A70_3F6D
00B1                 cmp     byte_A70_3F7C, 0
00B6                 jz      loc_0_C6
00B8                 cmp     byte_A70_3F82, 0
00BD                 jz      loc_0_C6
00BF                 mov     al, byte_A70_3F71
00C2                 push    ax
00C3                 call    sub_0_17E6
00C6 loc_0_C6:                     ; CODE XREF: sub_0_0+3Bj
00C6                               ; sub_0_0+42j ...
00C6                 pop     bp
00C7                 retn    4
00C7 sub_0_0         endp

Without knowledge of assembly and the source codes, you could be
staring at this forever trying to make sense of it.  You scroll
up and down and it looks all the same.  Now take a look at your
printed source code. 

First, it declared the standard unit libraries used, global 
constants, type, and variables.  Next is a segment of forward 
declarations used, so that functions can be called out of logical 
sequence.  This makes it easier to find procedures by alphabetical 
names in the source code.  

The first procedure you see, called procedure ALfSp(Frm,LFT:byte); 
is sub_0_0 which in Pascal is as follow.

procedure ALfSp(Frm,LFT:byte);
begin case LFT of
 1:if Frm=1 then write(WrF,' ') else writeln(WrF);
 2:if Frm=1 then
   begin if not Console then write(' '); write(Dev,' ') end else
   begin if not Console then writeln; writeln(Dev); inc(Lines);
   if PrintTo and TabOn then Indent(TabIn) end end
end;  

Note: I do not comment and I limit my indentations and spacing
so that more lines of code can be viewable.  Less clutter for you
also, to view.

Can you see the similarities?  Now comes the fun part. 

Place your cursor on the line sub_0_0 and press the N key. An 
input screen will open up and you type in the name of the 
procedure ALfSp.  Now click on the View Menu option and then 
select Functions.  You will now see ALfSp identified in place
of sub_0_0 which was there before.  Click on the portion of the 
main window and you will get back to the disassembly.  

If you click on the right part where there is an arrow showing at 
the cross reference line, it will take you up or down to a procedure 
which calls it and has now been also identified as ALfSp.

  ; CODE XREF: sub_0_1988+66p  <-- look for arrows at references points and click to make your jumps Now then, back to ALfSp. Which arg is Frm and which is arg LFT? Which byte_ is variable Console, PrintTo, and so on? Follow the assembly and use the Name function to name them all and soon you will see that eventually the disassembly will closely resemble the pascal procedure from which it came. I won't do everything for you, but by giving you the source code "you.class" tppabs="http://fravia.org/you.class" will understand the power of disassembly in no time. You will see how case statements and loops are handled. Where the variables and string constants will appear. How the decision comparisons are made. Everything compiled now disassembled in front of you. It is like a giant jigsaw puzzle. Name it and comment it with IDA and see the relationship between the source code and the disassembly. Do it as an exercise just once and fill in all the missing pieces of this puzzle. Compare the source code to the disassembly from WDasm or Sourcer. Use this as a simple exercise to prepare yourself for the big projects and tough protection schemes ahead. It is less than 50K of machine code handling a record database, with file i/o, field inputs so on. Things you normally find in most programs. If the release of the source code helps in providing a better understanding and furthering the cause, I give it freely with no strings attached. Ask me not for a crack, but I will give to you a stepping stone to reach a higher level on your own. wlc
(c) wlc All rights reversed
You are deep inside fravia's page of reverse engineering, choose your way out:

redhomepage redlinks redanonymity +ORC redstudents' essays redacademy database
redtools redcocktails redantismut CGI-scripts redsearch_forms redmail_fravia
redIs reverse engineering legal?