How to keep uptodate with the +HCU academy
(Cracking The Maze Of Essays At fravia+ Web Site)
by wlc
(29 November 1997, with a special THANK by fravia+)
An addition by wlc: source code for it! (6 Dez 1997)
This is an interesting "learning IDA" addition as well!
Courtesy of fravia's page
of reverse engineering
Well, this is really a nice addition! Wlc has written a pascal
automated database for all those among you that are interested in
this page!
And of course I like a lot wlc's definition of
my site: "Fravia+ adds, modify and changes
his pages on the fly... Just as bad as chasing dead listing calls and jumps in a
crack. Lots of distraction and you forgot what it was you were looking
for in the first place". Read and enjoy! (And thank a lot, REALLY, wlc,
anything you need, from now on, just ask! :-)
To Fravia+ :Cracking The Maze Of Essays At fravia+'s Web Site.
This project started with the following proposal by +MaLattia inside
Zero+'s HCU_Mail_List.
"I think it would be useful both for +Fravia and for all the guys who
reach his site if we try to catalog the students' essays dividing them
both by subject and difficulty, and maybe telling what lessons from
+ORC's tutorial are useful to understand each essay. What do you think
about it? Do you want to join me?"
Needless to say, I too thought that it would be a great idea for my
own personal reasons. I was getting lost, trying to keep tabs on all
the submissions. There was just too much stuff on fravia+ site to go
over. Over 337 essays and growing. With Teleport Pro, it grabs
another 600 other files to shove into my subdirectory.
Netscape running on my 486 notebook chokes on bringing up the
directory where I store his goodies. Fravia+ adds, modify and changes
his pages on the fly so you got to check his pages in case he throws
in a new link or two. Rule of thumb, you can't read his pages just
once and forget about it, if you want to be a serious cracker. With
stuff you don't understand, you have to put aside and come back it
later, if you can remember where it is.
You start opening up the pages. You jump from one linked page to
another. Just as bad as chasing dead listing calls and jumps in a
crack. Lots of distraction and you forgot what it was you were looking
for in the first place. Sometimes you want to read all the essays for
a project or by an author but you can't find it readily. You don't
want to tamper too much with the essays and the way you mirror his
site. What do you do?
This calls for a crack to solve fravia+ essay maze.
At first, our approach was to create html pages for fravia+ to post on
his web site. Bad idea. Too much work for fravia+ and for us to
update and maintain. +.MaLattia. then came up with the idea of using
a database.
"A problem is that with some of the older essays, there is no
consistent categorization built into them i.e.. a constant location on
an essay for a program to pick the information from. Do we edit the
old essays to insert these tags or do we provide a starting database
with completed record info on these old essays and let the user
add/edit his/her own?"
Again, too much work. What database format should we choose that is
common to all users? How much overhead should be involved to enter
the information, just to use it?
The focus then became to develop a tool for research and reference
use. Here is the working solution in Turbo Pascal 7 which will
generate 4 html reference pages. It is not a fancy solution but it
will serve the purpose. The file mazemap.Zip will contain the program
called MazeMap.Exe with two data files called HTMLS.HCU and
PROJECTS.HCU.
Copy this to where you store your fravia+ downloads, unzip it and
execute it from there. Since it was written in TP7, it is a Dos
application but you can setup a Windows DeskTop Icon to run it. The
program will go through files in your download subdirectory, pick out
any new html and create a database record for it. The database
HTMLS.HCU contains basic information updated to Nov/22/97.
When you run this program, pressing F7 in the Main Menu will retrieve
in new HTMLS filenames. It may be that I have more records than what
is in your directory or you may have files that is not in the
database. It don't matter, the link will fail if the file does not
exist, that's all. Some of the essays may have been moved off and you
can't retrieve them anymore. Post a query and someone may email you a
copy.
It is up to you, the user, to fill in the other data fields from now
on to make this program work. You can select F2 in the Main Menu to
edit, add, and delete the records in this database.
Rotate forward or back using (N)ext, or (P)revious to cycle through
the records and complete the other fields. (E)nter in the last field
of the record to save it as is. Sorry no mouse support, it gets in
the way. When you retrieve new HTML filenames they are located at the
end of the HTMLS.HCU file which you can reach by pressing (P) becasue
the program opens up positioned at the 1st record of the file. If you
want to full screen editing, use F4 in the Main Menu to convert it to
a text file. Use any hex editor and remember to retain the record
alignment. When finish, convert it back to binary file format. All you
have to provide is three key piece of information. The Writer, the
Essay Topic and the Project Link. The other fields do not affect the
reference page creation at this time and can be ignored. Maybe if
this basic model works, +.MaLaTTia. and I will then expand on other
functions for this project further. This program works best with Dos
convention filenames. It may be a problem with longfilenames but I
alloted a 35 character field for it just in case.
The Projects.HCU is a look up table to categorize the essays for the
Project Link which takes a two digit integer [0..99]. Numbers 0-15
correspond to the Projects set forth by fravia+. We didn't change the
order fravia+ used to assigned to his essays so if you cycle through
it, you will see the ones set up. I used Number 90 for unassigned
essays. Essays by +Orc is assigned #95 the year he started with
fravia+, #97 is assigned to fravia+, #98 is assigned to +gthorne, and
#99 for assorted essays, as per the Academy pages. If you type in the
correct number, the title for it will show up in the HTMLS.HCU record.
I took the Topic/Target mostly from the essay titles. Shouldn't take
long for you to update the database as new entries comes in from your
downloads. I did most of the preliminary work. The maximum size for
this program to work as is will be about 1800 records (limited by
memory used to check records) and we are currently at 337, which will
give us time to think another solution if this is a success.
Difficulty level and Approach used range from 0-3 and can be assigned
by the user to his or her taste to the essay. There is also a URL
Link field which may be be useful for storing personal links in the
future. The program at this point does not use any of these fields
in the reference pages.
If you want, you can select the F6 in the Main Menu to sort the two
databases. Why bother? The Main component is F8, which will generate
4 Html pages. These pages will be named 1Fravia.HTM, 2Fravia.HTM,
3Fravia.HTM and 4Fravia.HTM. This is so that in a browser OPEN FILE
listing of your subdirectory, it shows near the top. You can generate
all 4 pages or just select the one you prefer. The HTMLS.HCU database
is sorted and a screen full of html source codes will fly off your
computer screen as the reference page is written to file. It works.
(I didn't know any thing about mark up language. What I did was cut
and paste some stuff from Fravia+ main page to see what code was
generated and then translated the required code pattern to be output
for the html features and links.)
Now you can switch back to your browser to open any one of the 4 HTML
file generated. I used a small, fixed width font to fit output in both
in Explorer and Netscape. The same info is displayed in 4 different
perspective pages. The links are near the right, close to the scroll
bar. The first column is the Writer, the second the Topic and the
third is the FileName link. If you ran this program in where you store
your files, you should have no problem.
It takes less than 5 minutes and I have the four reference pages
needed to open all the essays in either Netscape or Explorer. I put
the + in front of fravia+, +gthorne and +Orc in the author field so
that they will appear near the top of the pages most of the time.
Others I ignored because some of them didn't appear in a consistent
places. Edit the information to suit your taste and how it affect
your pages. If you are really lazy or have no time maybe once a month,
you can email someone for the updated *.HCU datafiles.
I leave it up to fravia+ to evaluate and determine how this program
will be released and distributed. This is my way to say thanks to
fravia+ for his efforts and to his friends and students for the
precious knowledge that they have contributed so freely at his site.
I do not have a new crack to offer at this moment in time, but if
we (+.MaLaTTia and myself), through our efforts have made the study
at his site more productive, we succeeded on this project and would
like to share this with you. Cracking should not be limited to just
breaking into serial numbers protections. Solving problems of any
nature should be our reason for being here. Thanks +All, enjoy!
wlc
6 Dez 1997
And since a reader asked for the source code of wlc's "maze program", here you have
wlc's answer...
the source code will be added here as soon as wlc sends it: the copy I received
is corrupted.
The following text is interesting for all those among you that
are learning IDA. Enjoy!
Hail fravia+:
The honor to share space at your essays' hall of fame site is all
that I would ask for. Let it be there, available for those seeking
knowledge, as I seek for my knowledge from there also.
You forwarded to me an email from one reader asking for the source
codes to the program, MazeMap. I have no problem with that. I will
submit it to you, to make it available to those who seek it.
(They may need it to fix a few bugs like the change in your site
address in the HTML pages and the little nag screen promoting your
name and cause on startup.)
They can use it as a stepping stone to improve their version and it
can serve as an example for reverse engineering or as a model for
learning IDA Pro and disassembly.
In the original submission I used a TP unit with uncalled variables,
functions and procedures which I edited out from the current one to
avoid confusion and combined into one singular source file called
MazeDemo.Pas. I included the compiled version called MazeDemo.Exe
for those without the TP7 compiler.
The lesson here is how to use the source code to understand any
typical compiler (TP7) and to work with IDA. First, print the
source code and have it handy. Secondly, execute IDAW MazeDemo.Exe
and wait for the disassembly, it's worth it. Next, save this file
to Mazedemo.IDC under the File Menu at the top of your screen.
Following sessions would not take as long to load once this session
is saved.
Next, select from the Options Menu, the Text Representation.
Unmark (un X) everything except for [X] Line Prefixes and [X]
Display Comments to eliminate the clutter. Activate them all
when you get comfortable with the environment.
When you get back to the main windows, use the scroll bar at the
extreme right to get to the very top of the screen. There you will
see some general stuff about the program and
0000's on the extreme left and the start of a subroutine on
your screen similar to the one below.
Extracted from IDA PRO
0000 ; S u b r o u t i n e
0000 ; Attributes: bp-based frame
0000 sub_0_0 proc near ; CODE XREF: sub_0_1988+66p
0000 ; sub_0_2A39+2Ap ...
0000 arg_0 = byte ptr 4
0000 arg_2 = byte ptr 6
0000 push bp
0001 mov bp, sp
0003 mov al, [bp+arg_0]
0006 cmp al, 1
0008 jnz loc_0_3E
000A cmp [bp+arg_2], 1
000E jnz loc_0_2C
0010 mov di, 34EEh
0013 push ds
0014 push di
0015 mov al, 20h ; ' '
0017 push ax
0018 xor ax, ax
001A push ax
001B call sub_85F_8DE
0020 call sub_85F_861
0025 call sub_85F_4F4
002A jmp short loc_0_3B
002C loc_0_2C: ; CODE XREF: sub_0_0+Ej
002C mov di, 34EEh
002F push ds
0030 push di
0031 call sub_85F_840
0036 call sub_85F_4F4
003B loc_0_3B: ; CODE XREF: sub_0_0+2Aj
003B jmp loc_0_C6
003E loc_0_3E: ; CODE XREF: sub_0_0+8j
003E cmp al, 2
0040 jz loc_0_45
0042 jmp loc_0_C6
0045 loc_0_45: ; CODE XREF: sub_0_0+40j
0045 cmp [bp+arg_2], 1
0049 jnz loc_0_88
004B cmp byte_A70_3F73, 0
0050 jnz loc_0_6C
0052 mov di, 4832h
0055 push ds
0056 push di
0057 mov al, 20h ; ' '
0059 push ax
005A xor ax, ax
005C push ax
005D call sub_85F_8DE
0062 call sub_85F_861
0067 call sub_85F_4F4
006C loc_0_6C: ; CODE XREF: sub_0_0+50j
006C mov di, 32EEh
006F push ds
0070 push di
0071 mov al, 20h ; ' '
0073 push ax
0074 xor ax, ax
0076 push ax
0077 call sub_85F_8DE
007C call sub_85F_861
0081 call sub_85F_4F4
0086 jmp short loc_0_C6
0088 loc_0_88: ; CODE XREF: sub_0_0+49j
0088 cmp byte_A70_3F73, 0
008D jnz loc_0_9E
008F mov di, 4832h
0092 push ds
0093 push di
0094 call sub_85F_840
0099 call sub_85F_4F4
009E loc_0_9E: ; CODE XREF: sub_0_0+8Dj
009E mov di, 32EEh
00A1 push ds
00A2 push di
00A3 call sub_85F_840
00A8 call sub_85F_4F4
00AD inc byte_A70_3F6D
00B1 cmp byte_A70_3F7C, 0
00B6 jz loc_0_C6
00B8 cmp byte_A70_3F82, 0
00BD jz loc_0_C6
00BF mov al, byte_A70_3F71
00C2 push ax
00C3 call sub_0_17E6
00C6 loc_0_C6: ; CODE XREF: sub_0_0+3Bj
00C6 ; sub_0_0+42j ...
00C6 pop bp
00C7 retn 4
00C7 sub_0_0 endp
Without knowledge of assembly and the source codes, you could be
staring at this forever trying to make sense of it. You scroll
up and down and it looks all the same. Now take a look at your
printed source code.
First, it declared the standard unit libraries used, global
constants, type, and variables. Next is a segment of forward
declarations used, so that functions can be called out of logical
sequence. This makes it easier to find procedures by alphabetical
names in the source code.
The first procedure you see, called procedure ALfSp(Frm,LFT:byte);
is sub_0_0 which in Pascal is as follow.
procedure ALfSp(Frm,LFT:byte);
begin case LFT of
1:if Frm=1 then write(WrF,' ') else writeln(WrF);
2:if Frm=1 then
begin if not Console then write(' '); write(Dev,' ') end else
begin if not Console then writeln; writeln(Dev); inc(Lines);
if PrintTo and TabOn then Indent(TabIn) end end
end;
Note: I do not comment and I limit my indentations and spacing
so that more lines of code can be viewable. Less clutter for you
also, to view.
Can you see the similarities? Now comes the fun part.
Place your cursor on the line sub_0_0 and press the N key. An
input screen will open up and you type in the name of the
procedure ALfSp. Now click on the View Menu option and then
select Functions. You will now see ALfSp identified in place
of sub_0_0 which was there before. Click on the portion of the
main window and you will get back to the disassembly.
If you click on the right part where there is an arrow showing at
the cross reference line, it will take you up or down to a procedure
which calls it and has now been also identified as ALfSp.
; CODE XREF: sub_0_1988+66p <-- look for arrows at references points and click to make your jumps Now then, back to ALfSp. Which arg is Frm and which is arg LFT? Which byte_ is variable Console, PrintTo, and so on? Follow the assembly and use the Name function to name them all and soon you will see that eventually the disassembly will closely resemble the pascal procedure from which it came. I won't do everything for you, but by giving you the source code "you.class" tppabs="http://fravia.org/you.class" will understand the power of disassembly in no time. You will see how case statements and loops are handled. Where the variables and string constants will appear. How the decision comparisons are made. Everything compiled now disassembled in front of you. It is like a giant jigsaw puzzle. Name it and comment it with IDA and see the relationship between the source code and the disassembly. Do it as an exercise just once and fill in all the missing pieces of this puzzle. Compare the source code to the disassembly from WDasm or Sourcer. Use this as a simple exercise to prepare yourself for the big projects and tough protection schemes ahead. It is less than 50K of machine code handling a record database, with file i/o, field inputs so on. Things you normally find in most programs. If the release of the source code helps in providing a better understanding and furthering the cause, I give it freely with no strings attached. Ask me not for a crack, but I will give to you a stepping stone to reach a higher level on your own. wlc
(c) wlc All rights reversed
You are deep inside fravia's page of reverse engineering,
choose your way out:
homepage
links
anonymity
+ORC
students' essays
academy database
tools
cocktails
antismut CGI-scripts
search_forms
mail_fravia
Is reverse engineering legal?