+HCU 1999

[The new +Hcukers]
[The solutions]
Strainer published in April 1998
Solutions published in October 1998
The STRAINER

A great strainer from Master +Aesculapius, I know that thousand (literally: I reckon I received lately more than 900 emailings about this!) future reversers and protectors all around the world are awaiting this with impatience. Once more: the +HCU is NOT a cracking group, it's a open university, open to ALL crackers, protectors and reversers alike... if capable. You may be in a group, you may be a lone wolf cracker, you may be an university professor for informatic or the CEO of your own software company, we couldn't care less: we want your knowledges, we'll give you our knowledges. You don't need to be a programmer, you need to understand code, it is NOT the same thing.
So, if we're not a group, why do we keep publishing our 'strainers for admission' every year? Well... we'll of course continue to teach openly (for everybody that wishes to read our essays) all the basic and advanced techniques, as we have always done, yet we need a "Kern" of dedicated and capable +crackers in order to imagine new solutions, devise new techniques, develop old and new team projects and understand very advanced (and new) reversing topics. That's the mission +ORC trusted us, that's what has changed dramatically the cracker scene in the last three years (everyone and is dog is now publishing essays, which is GOOD :-) and that's therefore the scope of our yearly strainers: to find the best among you and to commit them to teach (and understand) our wonderful trade: reversing.

As usual, all answers for +Aesculapius' 1999 strainer should be sent to us BEFORE end September 1998. Looks to you like a long time? You better be careful: think again. It's more than enough in order to do a good work, if you start working now.


	All answers should be directed to +Aesculapius 

		

aesculapius(at)stones(point)com

	or to any +HCU caretaker (+gthorne, fravia+, +Sync). All 

	answers will anyway land by +Aesculapius, who will have 

	the pleasure (and the responsability) to decide WHO among 

        the partecipants should be admitted to the +HCU's next 

	year's courses.

And, of course, all 'old +hands' are invited to partecipate as well: to reverse under the direction of a master +cracker is a rare pleasure and this below is a beautiful strainer indeed!


							fravia+


+HCU STRAINER 1999 By +Aesculapius Published on 4 May 1998 - Must be solved BEFORE 30 September 1998 +ORC, our great mentor, trusted in me the responsibility of releasing the +HCU Strainer for 1999. I regard myself as a "strict" educator, that is why this year the strainer will be quite a challenge, and only the worthy ones will succeed. I have selected four (4) endearing challenges to assure that you are the right person to enter our university. The strainer release is every year an highly awaited time for many. It is the time when all capable intermediate and advanced crackers have the opportunity to transform their abilities into an art. We don't want to teach you new techniques, we want YOU to create them. We don't want nor need imitators, we wish to find true capable revrsers, able to adapt and evolve in our complex rapidly changing world of protecting and cracking, capable to understand the true meanings hidden inside all the code (and all the "reality") that surround us. We don't want selfish persons, we want people with enough humility to teach what they know without any other expectation than the satisfaction of spreading their sound and deep knowledge. An small introduction will help you to understand the objectives of every challenge. You have to solve all four challenges of course, and even so, only the best answers will be accepted. I don't have to remind you, that any "more than casual" resemblance between answers from different crackers will result in the automatic elimination of both participants. Obviously, you cannot imitate my own techniques in order to solve any of these challenges either.
1
THE FIRST CHALLENGE: The objectives of this challenge is to probe that: 1. The participant is able to design new techniques to solve a cracking problem (main objective). 2. The participant knows assembly language coding. 3. The participant knows system memory manipulation. 4. The participant is capable of handling simple anti debugging techniques. 5. The participant is able to analyze complex encryption systems. Target: Terminate 5.0 32 bit. Description: Communication package. Considerations: Terminate is an awesome DOS based communication program. Its formidable encryption system has resisted the attacks of many crackers. The author uses several interesting tricks which are susceptible for the creation of the so called "new techniques". In resume, terminate 5.0 uses a key based protected scheme. The system accepts any key from an authentic terminate's 4.0 owner, but it won't accept any old cracked key. You could easily presume the encryption in terminate 5.0 has changed since version 4.0. Interestingly, that is not true. The encryption remains the same; however, terminate 5.0 keeps rejecting old false 4.0 keys and accepting old authentic 4.0 keys. To succeed in this challenge, you must: 1. Extensively analyze and explain Terminate's protection scheme. 2. Create a 16 bit assembly key generator for it. 3. Design a technique to assure that your generated key will be valid in any further version of terminate, if the encryption system remains the same. That is, your key generator must be able to bypass Terminate's author trick to recognize old keys.
2
THE SECOND CHALLENGE: The objectives of this challenge is to probe: 1. The participant is able to code his own Windows based 32 bit patcher (main objective). 2. The participant is able to code in different programming languages than assembly. 3. The participant is capable of coding Windows based applications Considerations: DOS is dead, thereby, new crackers have to probe they can adapt to more challenging 32 bit operating system tasks. Its amazing, that even now, when everybody is using a 32 bit operating system, most crackers still rely in good old DOS to create their byte patchers. The byte patcher is without any doubt a great symbol for any cracker. The first program, in any language, any of us probably coded was the traditional "Hello World!" which is featured in almost any programming teaching book. In the same way, the first program, in any language, any cracker probably coded was the traditional byte patcher. In fact, the byte patcher represents in many cases the edge between the casual cracker and the truly committed future reverser. Target: 32 bit Windows based byte patcher. Description: None. In this task, you'll have some help from me. DOS still rules in file patching among crackers, an incredible fact considering 32 bit patching using API functions is easier, quicker and provides the cracker with additional advantages never seen in 16 bit patching. I'm going to code a byte patcher calling win32 API functions. This is not the state of the art in file patching, because MFC goes beyond and encapsulates most Win32 API functions providing the coder with high flexibility in necessary API parameters and solving at the same time the terrible lack of functionality of C/C++ in string management tasks. To preserve tradition, I'll use assembly to do the job. You can use the language of your preference, but remember, the patcher must run in 32 bit Windows based environment. If you want to code a windows based application, all strings must be zero terminated (C style); API parameters must be pushed backwards (only applies to assembly). As you know, API parameters are gathered from the stack because that is the most efficient way to do the job. Almost every compiler will translate your high level language code in its most efficient assembly equivalent. Some API functions feature additional advantages if compared with its hardcore interrupt equivalent. For instance, OpenFile API function will fetch the desired file not only in the current path but also in \windows\system directory, which is a good thing if the patched file resides in that location. By the way, Openfile is not the more suited API to open a file in a 32 bit environment, CreateFile is the best choice. I used OpenFile because is easier and intuitive to understand. As you can see, all API parameters are pushed line-by-line to facilitate the learning process. Tasm permits to push everything at once whenever a function is called, but is harder to understand (and comment too) that way. Here you have my code: ;-------------------------------------------------------------------------- ; 32 bit Byte Patcher. ; Coded by +Aesculapius - 1998. ; Designed as part of the +HCU Strainer for 1999. ; Compile with Tasm32 & Tlink32 ; tasm32 -ml -m5 -q bytpat32 ; tlink32 -Tpe -aa -x -c bytpat32 ,,, import32 ; You'll need files: windows.inc and import32.lib provided with ; Tasm 5.0 full package. ;-------------------------------------------------------------------------- .386p ; 386 instruction set enable .model flat, stdCALL ; Linear addresing model ; Import several important API functions ; Some are not used, but I left them there ; in case you want to modify this program ; adding some other features EXTRN OpenFile:PROC EXTRN ReadFile:PROC EXTRN WriteFile:PROC EXTRN CloseFile:PROC EXTRN GetLastError:PROC EXTRN SetFileAtributes:PROC EXTRN CreateFile:PROC EXTRN SetFilePointer:PROC EXTRN CloseHandle:PROC EXTRN ExitProcess:PROC EXTRN MessageBoxA:PROC INCLUDE WINDOWS.INC ; Some useful includes ; Data segment begins .DATA HANDLE DD ? ; Holds target file handle FILENAME DB 'nero.exe',0 ; NOT resemblance mine, otherwise, you are automatically out of the game.
3
THE THIRD CHALLENGE: The objectives of this challenge is to probe: 1. The participant is able to combine both the live and dead listing approaches. 2. The participant is capable of defeat anti-cracker tricks. 3. The participant knows how to search&destroy hidden protections. 4. The participant understands the inner functioning of a good protection. Target: Brainsbreaker v. v. 2.1 (32 bit) by Juan Trujillo Tarradas. Description: Puzzle Creation Game. Considerations: From now on, all the work comes directly from the genius of +ORC himself. He proposed me to study Brainsbreaker and decide if it was good enough to be included in the strainer, as always, he wasn't wrong. Brainsbreaker is a puzzle creation game, so what could be better than a puzzle to challenge a cracker, whose daily work is dealing with reversing puzzles. I won't talk about the target itself because that will be your job. To succeed in this challenge, you must: 1. Completely explain the protection scheme used by this program.
Ultimate
THE ULTIMATE CHALLENGE: The objective of this challenge is to check that: 1. The participant understands the graphical part of demo-reversing. Target: Brainsbreaker v. 2.1 (32 bit) by Juan Trujillo Tarradas. Description: Puzzle Creation Game. Considerations: Once you run Brainsbreaker, a small graphical sparkle arises every so often (when you quit the game or successfully complete a puzzle). You job in the ultimate challenge is to code a program capable of reproducing this nice sparkle which remind us the '+' sign in our names used to distinct us from non-HCUkers. To succeed in this challenge, you must: 1. Code a program to reproduce the graphic effect of the sparkle featured in Brainsbreaker.
You have until September 30 1998 to send your answers. Finally, I can't do anything else but wish to all of the participants the best luck. +Aesculapius - 1998. aesculapius(at)stones(point)com
red

The new +Hcukers


Well, here they are, as decided by +Aesculapius on 4 October 1998

red

1) +Cruehead, complete solution.
2) +Q (his name is only this letter), complete solution.
3) +Mad, complete solution.
4) +iNT_03h, complete solution.
5) +Spath, Complete answer
6) +JaZZ, Complete solution
7) +Bogus, the answers are buggy but the solution is complete.
8?) Fatal+Exception complete solution (with partial source code) Fatal Exception's admission is still under discussion (He included some anti debugging tricks when sending his code-answers, which looks suspicious to +some :-)
Will be eventually admitted if cleared from the suspicion of having copied the answers.



red

The Solutions


Well, here they are, published on 4 October 1998

red

Have a look and download: one of the most intersting reversing project of this year: some VERY good reversers tackle some difficult protection schemes

WARNING: This is GREAT reading for advanced protectors and reversers only. The TONS of information that you'll find inside will keep you studying for a couple of weeks at least. You should by all means, in your +truly's opinion, first try to crack the strainer on your OWN. Even if you don't, because you'r simply too lazy and want only to leech, reading this material you'll anyway get deep insights in some of the most advanced protection and deprotection techniques. Enjoy!

Here you go!



redhomepage red links red anonymity +ORC redstudents' essays redacademy database
redantismut redtools redcocktails redjavascript wars redsearch_forms redmail_fravia
redIs reverse engineering illegal?

red(c) Fravia+ & +Aesculapius 1998, All rights reserved