+HCU 1999

[The new +Hcukers]
[The solutions]
Strainer published in April 1998
Solutions published in October 1998

A great strainer from Master +Aesculapius; I know that thousands (literally: I reckon I received lately more than 900 emails about this!) of future reversers and protectors all around the world are awaiting this with impatience. Once more: the +HCU is NOT a cracking group, it's an open university, open to ALL crackers, protectors and reversers alike... if capable. You may be in a group, you may be a lone wolf cracker, you may be a university professor of informatics or the CEO of your own software company, we couldn't care less: we want your knowledge, we'll give you our knowledge. You don't need to be a programmer, you need to understand code, it is NOT the same thing.
So, if we're not a group, why do we keep publishing our 'strainers for admission' every year? Well... we'll of course continue to teach openly (for everybody that wishes to read our essays) all the basic and advanced techniques, as we have always done, yet we need a "Kern" of dedicated and capable +crackers in order to imagine new solutions, devise new techniques, develop old and new team projects and understand very advanced (and new) reversing topics. That's the mission +ORC entrusted to us, that's what has changed the cracker scene dramatically in the last three years (everyone and his dog is now publishing essays, which is GOOD :-) and that's therefore the scope of our yearly strainers: to find the best among you and to commit them to teach (and understand) our wonderful trade: reversing.

As usual, all answers for +Aesculapius' 1999 strainer should be sent to us BEFORE the end of September 1998. Looks to you like a long time? You had better be careful: think again. It's more than enough in order to do good work, if you start working now.

	All answers should be directed to +Aesculapius
	or to any +HCU caretaker (+gthorne, reverser+, +Sync). All
	answers will anyway land by +Aesculapius, who will have
	the pleasure (and the responsibility) to decide WHO among
	the participants should be admitted to the +HCU's next
	year's courses.

And, of course, all 'old +hands' are invited to participate as well: to reverse under the direction of a master +cracker is a rare pleasure and this below is a beautiful strainer indeed!


				 By +Aesculapius

	Published on 4 May 1998 - Must be solved BEFORE 30 September 1998

	+ORC, our great mentor, entrusted to me the responsibility of
releasing the +HCU Strainer for 1999. I regard myself as a "strict"
educator, that is why this year the strainer will be quite a challenge,
and only the worthy ones will succeed.
I have selected four (4) endearing challenges to assure that you are
the right person to enter our university.
The strainer release is every year a highly awaited time for many.
It is the time when all capable intermediate and advanced crackers have
the opportunity to transform their abilities into an art. We don't want to
teach you new techniques, we want YOU to create them. We don't want nor need
imitators, we wish to find truly capable reversers, able to adapt and evolve in
our complex rapidly changing world of protecting and cracking, capable of
understanding the true meanings hidden inside all the code (and all the "reality")
that surrounds us.
We don't want selfish persons, we want people with enough humility to teach
what they know without any other expectation than the satisfaction of spreading
their sound and deep knowledge.

	A small introduction will help you to understand the objectives of
every challenge. You have to solve all four challenges of course, and even so,
only the best answers will be accepted. I don't have to remind you that any
"more than casual" resemblance between answers from different crackers will
result in the automatic elimination of both participants.
Obviously, you cannot imitate my own techniques in order to solve any of these
challenges either.
THE FIRST CHALLENGE:

The objectives of this challenge are to prove that:
1. The participant is able to design new techniques to solve a cracking problem (main objective).
2. The participant knows assembly language coding.
3. The participant knows system memory manipulation.
4. The participant is capable of handling simple anti-debugging techniques.
5. The participant is able to analyze complex encryption systems.

Target: Terminate 5.0 32 bit.
Description: Communication package.
Considerations: Terminate is an awesome DOS based communication program. Its formidable encryption system has resisted the attacks of many crackers. The author uses several interesting tricks which lend themselves to the creation of the so called "new techniques". In summary, Terminate 5.0 uses a key based protection scheme. The system accepts any key from an authentic Terminate 4.0 owner, but it won't accept any old cracked key. You could easily presume the encryption in Terminate 5.0 has changed since version 4.0. Interestingly, that is not true. The encryption remains the same; however, Terminate 5.0 keeps rejecting old false 4.0 keys and accepting old authentic 4.0 keys.

To succeed in this challenge, you must:
1. Extensively analyze and explain Terminate's protection scheme.
2. Create a 16 bit assembly key generator for it.
3. Design a technique to assure that your generated key will be valid in any further version of Terminate, if the encryption system remains the same. That is, your key generator must be able to bypass the Terminate author's trick to recognize old keys.
THE SECOND CHALLENGE:

The objectives of this challenge are to prove that:
1. The participant is able to code his own Windows based 32 bit patcher (main objective).
2. The participant is able to code in programming languages other than assembly.
3. The participant is capable of coding Windows based applications.

Considerations: DOS is dead, thereby new crackers have to prove they can adapt to more challenging 32 bit operating system tasks. It's amazing that even now, when everybody is using a 32 bit operating system, most crackers still rely on good old DOS to create their byte patchers. The byte patcher is without any doubt a great symbol for any cracker. The first program, in any language, any of us probably coded was the traditional "Hello World!" which is featured in almost any programming teaching book. In the same way, the first program, in any language, any cracker probably coded was the traditional byte patcher. In fact, the byte patcher represents in many cases the edge between the casual cracker and the truly committed future reverser.

Target: 32 bit Windows based byte patcher.
Description: None.

In this task, you'll have some help from me. DOS still rules in file patching among crackers, an incredible fact considering that 32 bit patching using API functions is easier, quicker and provides the cracker with additional advantages never seen in 16 bit patching. I'm going to code a byte patcher calling Win32 API functions. This is not the state of the art in file patching, because MFC goes beyond and encapsulates most Win32 API functions, providing the coder with high flexibility in the necessary API parameters and solving at the same time the terrible lack of functionality of C/C++ in string management tasks. To preserve tradition, I'll use assembly to do the job. You can use the language of your preference, but remember, the patcher must run in a 32 bit Windows based environment.
If you want to code a Windows based application, all strings must be zero terminated (C style); API parameters must be pushed backwards (only applies to assembly). As you know, API parameters are gathered from the stack because that is the most efficient way to do the job. Almost every compiler will translate your high level language code into its most efficient assembly equivalent. Some API functions feature additional advantages if compared with their hardcore interrupt equivalents. For instance, the OpenFile API function will fetch the desired file not only in the current path but also in the \windows\system directory, which is a good thing if the patched file resides in that location. By the way, OpenFile is not the most suited API to open a file in a 32 bit environment, CreateFile is the best choice. I used OpenFile because it is easier and more intuitive to understand. As you can see, all API parameters are pushed line-by-line to facilitate the learning process. Tasm permits pushing everything at once whenever a function is called, but it is harder to understand (and comment too) that way. Here you have my code:

;--------------------------------------------------------------------------
; 32 bit Byte Patcher.
; Coded by +Aesculapius - 1998.
; Designed as part of the +HCU Strainer for 1999.
; Compile with Tasm32 & Tlink32
;    tasm32 -ml -m5 -q bytpat32
;    tlink32 -Tpe -aa -x -c bytpat32 ,,, import32
; You'll need files: windows.inc and import32.lib provided with
; Tasm 5.0 full package.
;--------------------------------------------------------------------------
.386p                                   ; 386 instruction set enable
.model flat, STDCALL                    ; Linear addressing model

; Import several important API functions.
; Some are not used, but I left them there in case you want
; to modify this program adding some other features
; (import32.lib exports the ANSI names, hence the 'A' suffix).
EXTRN OpenFile:PROC
EXTRN ReadFile:PROC
EXTRN WriteFile:PROC
EXTRN GetLastError:PROC
EXTRN SetFileAttributesA:PROC
EXTRN CreateFileA:PROC
EXTRN SetFilePointer:PROC
EXTRN CloseHandle:PROC
EXTRN ExitProcess:PROC
EXTRN MessageBoxA:PROC

INCLUDE WINDOWS.INC                     ; Some useful includes

; Data segment begins
.DATA
HANDLE          DD ?                    ; Holds target file handle
FILENAME        DB 'nero.exe',0         ; <-- Change to meet your target filename
FILE_DATA       DB 88H DUP (0)          ; OFSTRUCT filled in by OpenFile
                                        ; (136 bytes: 8 header + 128 path)

; Welcome message
LOGO            DB 0AH,0DH
                DB 'Nero Burning Rom ',0AH,0DH
                DB 'Coded by Aesculapius - 1998. ',0AH,0DH
                DB ' ',0AH,0DH
                DB 'Email: ',0AH,0DH
                DB 'aesculapius@stones.com ',0AH,0DH
                DB 'Home Page: ',0AH,0DH
                DB 'http://members.xoom.com/Aesculapius/Aescu.html ',0AH,0DH
                DB ' ',0AH,0DH
                DB 'Proceed? ',0AH,0DH
                DB 0AH,0DH,0

; Error message if target file not found
ERROR_MESSAGE1  DB 'The target file is not present in the current',0AH,0DH
                DB 'path or is write protected. Please solve the ',0AH,0DH
                DB 'problem and try again. ',0AH,0DH
                DB 0

; Error message if target already cracked or wrong target version
ERROR_MESSAGE2  DB 'The location to be patched was not found! ',0AH,0DH
                DB 'This could happen if: ',0AH,0DH
                DB '- The program has been already cracked. ',0AH,0DH
                DB '- This is a different version of the program. ',0AH,0DH
                DB 'Please, contact the author of this crack at ',0AH,0DH
                DB 'aesculapius@cryogen.com to get an update. ',0AH,0DH
                DB 0

; Message if crack successful
SUCCESS         DB ' Crack Successful!',0AH,0DH
                DB 0

; Default title of every window
TIT             DB 'Nero Burning Rom Crack',0

NULL            EQU 0                   ; Useful Null definition

; Number of bytes to patch in hexadecimal
; <-- Modify according to your target
PATCH_SIZE      DD 00000010H

; Original data present in the uncracked target. This data is used
; to differentiate between a valid target and a wrong one
; (different version, already cracked).
; <-- Change according to your original target data
PREV_DATA       DB 75H,22H,0C7H,45H,0FCH,0FFH,0FFH,0FFH,0FFH,0E8H
                DB 7BH,03H,00H,00H,0B8H,01H

; Patching string
; <-- Modify according to your target
PATCH_BYTES     DB 0EBH,00H,0C7H,45H,0FCH,0FFH,0FFH,0FFH,0FFH,0E8H
                DB 7BH,03H,00H,00H,0B8H,00H

; Receives the number of bytes written by WriteFile (one DWORD)
BYTES_WRITTEN   DD ?

; 32 bit file offset where the patch will be applied
; <-- Modify according to your target
PATCH_LOC       DD 0003D579H

; Receives the number of bytes read by ReadFile
BYTES_READ      DD ?

; Buffer to hold bytes read from the target
; (must be at least PATCH_SIZE bytes)
READ_BUFFER     DB 20H DUP (0)

; Code segment begins
.CODE
START:                                  ; Label to designate program start
        PUSH    MB_OKCANCEL OR MB_ICONQUESTION  ; Define window characteristics
        PUSH    OFFSET TIT              ; Window title
        PUSH    OFFSET LOGO             ; Window message
        PUSH    NULL                    ; No owner window
        CALL    MessageBoxA             ; Show welcome message
        CMP     EAX, 2                  ; Cancel button pressed? (IDCANCEL = 2)
        JZ      QUIT                    ; If yes, exit (no file handle to close)

        PUSH    OF_READWRITE            ; Open file with read & write access
        PUSH    OFFSET FILE_DATA        ; OFSTRUCT filled in by OpenFile
        PUSH    OFFSET FILENAME         ; Filename to be opened
        CALL    OpenFile                ; Open file
        MOV     HANDLE, EAX             ; File handle from EAX to buffer
        CMP     EAX, -1                 ; Check for errors (HFILE_ERROR)
        JNZ     GO_ON1                  ; No error, go on
        ; In case of error show proper message
        PUSH    MB_OK OR MB_ICONHAND
        PUSH    OFFSET TIT
        PUSH    OFFSET ERROR_MESSAGE1
        PUSH    NULL
        CALL    MessageBoxA
        JMP     QUIT                    ; Nothing was opened, nothing to close

GO_ON1:
        ; Check if file is suitable for the cracking procedure:
        ; move the file pointer to the patch location
        PUSH    NULL                    ; dwMoveMethod = 0 (FILE_BEGIN)
        PUSH    NULL                    ; lpDistanceToMoveHigh (not used)
        PUSH    DWORD PTR [PATCH_LOC]   ; Patch location offset
        PUSH    HANDLE                  ; File handle
        CALL    SetFilePointer
        ; Read PATCH_SIZE bytes at the patching location into READ_BUFFER
        PUSH    NULL                    ; lpOverlapped
        PUSH    OFFSET BYTES_READ       ; Receives number of bytes read
        PUSH    DWORD PTR [PATCH_SIZE]  ; Number of bytes to read
        PUSH    OFFSET READ_BUFFER      ; Buffer for the bytes read
        PUSH    HANDLE                  ; File handle
        CALL    ReadFile
        ; A short read (file smaller than PATCH_LOC + PATCH_SIZE)
        ; is treated like a mismatch instead of comparing stale bytes
        MOV     EAX, [BYTES_READ]
        CMP     EAX, [PATCH_SIZE]
        JNZ     WRONG_TARGET
        ; The following code checks if the target file patching
        ; location has been previously modified
        MOV     ESI, OFFSET READ_BUFFER ; Bytes read from the target
        MOV     EDI, OFFSET PREV_DATA   ; Known original bytes
        MOV     ECX, [PATCH_SIZE]       ; Number of bytes to compare
        REPE    CMPSB                   ; Guess!
        JZ      GO_ON2                  ; Untouched: the crack can be applied
WRONG_TARGET:
        ; Patching location does not match the original target:
        ; present error message
        PUSH    MB_OK OR MB_ICONHAND
        PUSH    OFFSET TIT
        PUSH    OFFSET ERROR_MESSAGE2
        PUSH    NULL
        CALL    MessageBoxA
        JMP     EXIT

GO_ON2:
        ; Target file eligible to be patched. Move the file pointer
        ; to the patching location once again (ReadFile advanced it)
        PUSH    NULL                    ; dwMoveMethod = 0 (FILE_BEGIN)
        PUSH    NULL                    ; lpDistanceToMoveHigh (not used)
        PUSH    DWORD PTR [PATCH_LOC]   ; Patch location offset
        PUSH    HANDLE                  ; File handle
        CALL    SetFilePointer
        ; Next function executes the patch
        PUSH    NULL                    ; lpOverlapped
        PUSH    OFFSET BYTES_WRITTEN    ; Receives number of bytes written
        PUSH    DWORD PTR [PATCH_SIZE]  ; Number of bytes to patch
        PUSH    OFFSET PATCH_BYTES      ; Patching string
        PUSH    HANDLE                  ; File handle
        CALL    WriteFile               ; Patch file
        ; Inform of successful patch procedure
        PUSH    MB_OK
        PUSH    OFFSET TIT
        PUSH    OFFSET SUCCESS
        PUSH    NULL
        CALL    MessageBoxA

EXIT:
        PUSH    HANDLE                  ; Close file handle
        CALL    CloseHandle
QUIT:
        PUSH    NULL                    ; Terminate program
        CALL    ExitProcess
END START
;-------------------------------------------------------------------------

To succeed in this challenge, you must:
1. Create a Windows based 32 bit byte patcher for any target you wish, using any programming language. Remember one thing: if you use assembly to build your patcher, your code must NOT resemble mine, otherwise you are automatically out of the game.
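The same verify-then-patch logic in Python, as an added example (this is not +Aesculapius's code and is not part of the original strainer). It keeps the listing's constants PATCH_LOC, PREV_DATA and PATCH_BYTES and its three outcomes (target missing, patch location holds unexpected bytes, success), but uses portable file I/O instead of OpenFile/SetFilePointer/ReadFile/WriteFile, patches a constructed stand-in for nero.exe in a temporary directory rather than any real binary, and adds two checks the assembly version skips: a short read at the patch offset counts as a mismatch instead of being compared against leftover buffer bytes, and the bytes are read back after writing before success is reported. The ".bak" backup name and the status strings are my choices. The diff_offsets helper shows that only bytes 0, 1 and 15 of the sixteen change: 75 22 (JNZ rel8) becomes EB 00 (a JMP to the following instruction), and the low byte of the immediate after B8 (MOV EAX, imm32) goes from 01 to 00; what the target does with that is not stated on the page. Offsets are file offsets, as in SetFilePointer from the start of the file, not virtual addresses.

```python
"""Verify-then-patch byte patcher (added example; not code from the page).

Keeps the outcomes of the TASM patcher above (target missing, patch
location holds unexpected bytes, success) with plain file I/O instead of
the Win32 calls, and adds two checks the original skips: a short read is
treated as a mismatch, and the written bytes are read back before success.
"""
import os
import shutil
import tempfile

# Constants copied from the original listing (file offsets, not RVAs).
PATCH_LOC = 0x0003D579
PREV_DATA = bytes([0x75, 0x22, 0xC7, 0x45, 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xE8,
                   0x7B, 0x03, 0x00, 0x00, 0xB8, 0x01])
PATCH_BYTES = bytes([0xEB, 0x00, 0xC7, 0x45, 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xE8,
                     0x7B, 0x03, 0x00, 0x00, 0xB8, 0x00])

# Status strings (my own naming): one per message box in the original,
# plus the cases it does not distinguish.
MISSING = "missing"              # file absent or not openable (ERROR_MESSAGE1)
MISMATCH = "mismatch"            # other version or short file (ERROR_MESSAGE2)
ALREADY_PATCHED = "already-patched"
ELIGIBLE = "eligible"            # original bytes present, nothing written yet
PATCHED = "patched"              # written and verified (SUCCESS)
WRITE_FAILED = "write-failed"    # read-back after write did not match


def diff_offsets(expected, replacement):
    """Offsets (within the patch window) whose byte actually changes."""
    if len(expected) != len(replacement):
        raise ValueError("expected and replacement must have equal length")
    return [i for i, (a, b) in enumerate(zip(expected, replacement)) if a != b]


def check_target(path, offset=PATCH_LOC, expected=PREV_DATA,
                 replacement=PATCH_BYTES):
    """Classify the target without writing to it."""
    try:
        with open(path, "rb") as f:
            f.seek(offset)
            current = f.read(len(expected))   # may be short if file is small
    except OSError:
        return MISSING
    if current == expected:                   # a short read never matches
        return ELIGIBLE
    if current == replacement:
        return ALREADY_PATCHED
    return MISMATCH


def apply_patch(path, offset=PATCH_LOC, expected=PREV_DATA,
                replacement=PATCH_BYTES, backup=True):
    """Write the patch only if the original bytes are present; return a status."""
    diff_offsets(expected, replacement)       # enforces equal lengths
    status = check_target(path, offset, expected, replacement)
    if status != ELIGIBLE:
        return status
    if backup:
        shutil.copyfile(path, path + ".bak")  # keep an unpatched copy
    try:
        with open(path, "r+b") as f:
            f.seek(offset)
            f.write(replacement)
            f.flush()
            os.fsync(f.fileno())
    except OSError:                           # e.g. read-only target
        return MISSING
    # Read back instead of trusting the write call's return value.
    if check_target(path, offset, expected, replacement) != ALREADY_PATCHED:
        return WRITE_FAILED
    return PATCHED


def demo():
    """Run the patcher against a constructed target; return the statuses seen."""
    workdir = tempfile.mkdtemp()
    try:
        target = os.path.join(workdir, "nero.exe")     # constructed stand-in
        image = bytearray(b"\x90" * (PATCH_LOC + 0x100))
        image[PATCH_LOC:PATCH_LOC + len(PREV_DATA)] = PREV_DATA
        with open(target, "wb") as f:
            f.write(image)
        first = apply_patch(target)                    # 'patched'
        second = apply_patch(target)                   # 'already-patched'
        with open(target, "rb") as f:
            f.seek(PATCH_LOC)
            now = f.read(len(PATCH_BYTES))
        truncated = os.path.join(workdir, "short.exe") # patch window cut off
        with open(truncated, "wb") as f:
            f.write(image[:PATCH_LOC + 4])
        third = apply_patch(truncated)                 # 'mismatch'
        fourth = apply_patch(os.path.join(workdir, "absent.exe"))  # 'missing'
        return first, second, now == PATCH_BYTES, third, fourth
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(diff_offsets(PREV_DATA, PATCH_BYTES))   # [0, 1, 15]
    print(demo())
```

Running the file prints the changed offsets and the five outcomes. The read-back step matters more than it looks: a patcher that reports success on the return value of a write call alone will happily claim victory on a file that was silently left untouched, and the original listing never inspects BYTES_WRITTEN at all.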
THE THIRD CHALLENGE:

The objectives of this challenge are to prove that:
1. The participant is able to combine both the live and dead listing approaches.
2. The participant is capable of defeating anti-cracker tricks.
3. The participant knows how to search & destroy hidden protections.
4. The participant understands the inner functioning of a good protection.

Target: Brainsbreaker v. 2.1 (32 bit) by Juan Trujillo Tarradas.
Description: Puzzle Creation Game.
Considerations: From now on, all the work comes directly from the genius of +ORC himself. He proposed to me to study Brainsbreaker and decide if it was good enough to be included in the strainer; as always, he wasn't wrong. Brainsbreaker is a puzzle creation game, so what could be better than a puzzle to challenge a cracker, whose daily work is dealing with reversing puzzles. I won't talk about the target itself because that will be your job.

To succeed in this challenge, you must:
1. Completely explain the protection scheme used by this program.
THE ULTIMATE CHALLENGE:

The objective of this challenge is to check that:
1. The participant understands the graphical part of demo-reversing.

Target: Brainsbreaker v. 2.1 (32 bit) by Juan Trujillo Tarradas.
Description: Puzzle Creation Game.
Considerations: Once you run Brainsbreaker, a small graphical sparkle arises every so often (when you quit the game or successfully complete a puzzle). Your job in the ultimate challenge is to code a program capable of reproducing this nice sparkle, which reminds us of the '+' sign in our names used to distinguish us from non-HCUkers.

To succeed in this challenge, you must:
1. Code a program to reproduce the graphic effect of the sparkle featured in Brainsbreaker.
You have until September 30 1998 to send your answers. Finally, I can't do anything else but wish all of the participants the best of luck.

+Aesculapius - 1998.
aesculapius(at)stones(point)com

The new +Hcukers

Well, here they are, as decided by +Aesculapius on 4 October 1998


1) +Cruehead, complete solution.
2) +Q (his name is only this letter), complete solution.
3) +Mad, complete solution.
4) +iNT_03h, complete solution.
5) +Spath, Complete answer
6) +JaZZ, Complete solution
7) +Bogus, the answers are buggy but the solution is complete.
8?) Fatal+Exception, complete solution (with partial source code). Fatal+Exception's admission is still under discussion (he included some anti-debugging tricks when sending his code answers, which looks suspicious to +some :-)
He will eventually be admitted if cleared of the suspicion of having copied the answers.


The Solutions

Well, here they are, published on 4 October 1998


Have a look and download one of the most interesting reversing projects of this year: some VERY good reversers tackle some difficult protection schemes.

WARNING: This is GREAT reading for advanced protectors and reversers only. The TONS of information that you'll find inside will keep you studying for a couple of weeks at least. You should by all means, in your +truly's opinion, first try to crack the strainer on your OWN. Even if you don't, because you're simply too lazy and want only to leech, reading this material you'll anyway get deep insights into some of the most advanced protection and deprotection techniques. Enjoy!

Here you go!


(c) Reverser+ & +Aesculapius 1998, All rights reserved