Reverse engineering Academy
hcu97 Founded by +ORC in April 1996 hcu98

Advanced cracking series
Advanced Cracking
Updated October 1999

A very important attempt to systematise our essays! I hope you'll all work a little on this!
+HCU's taxonomy - Advanced Cracking - started in October 1997

Please note that MANY essays that have been already published (I mean, before this section started) would indeed have deserved to be listed here. I still don't know if I'll have the time to do it, I hope so. Anyway: any reader can email me a COMPLETE LIST pointing out which ones (among the hundreds of essays published until now) deserve in his (humble :-) opinion to be listed here. Hope he has really read them before opening his mouth, hope he understands what we are talking about (not all do, in fact). We'll see.
Here you have THE BEST (recent) essays IMHO.
PHASE 1 by Quine:

Cracking THE tool of the trade (bye bye Wdasm), 19 October 1997
(Interactive Disassembler Pro v3.7)

Well, this is SERIOUS ADVANCED CRACKING. You better read and UNDERSTAND each point of this beautiful essay by Quine, which shines methodologically and has a relevance that encompasses almost all fields of our trade. There are things inside here, like patching pointers and Boundchecker API-intercepting, which clearly are NOT FOR NEWBYES, and the whole essay is GOLD worth for all serious reverse engineers. This essay has been added to the +HCU didactic material (pending Quine's authorisation) and will from now on be distributed to all +HCUkers that begin the courses together with the other main files.
I'm proud and happy to host such a well written and interesting essay, I like VERY MUCH the approach that Quine utilises, and hope that he will be so kind to send us MANY MORE essays.
You may find interesting to read ZeeZee's comments to Quine's PHASE 1

PHASE 2 by Frog's Print:

SOURCER 7, 29 October 1997
(efficiency of a well positioned BPINT under DOS)

Well, back to DOS! Was about time! Contrarly to what some still choose to believe, dos reversing is far from being an obsolete activity: many very important programs are working under DOS, because Windoze simply does not give enough power, and as +ORC told us long ago in his tut, many of the older DOS protections are much more tougher and interesting than the banal cmp eax, 1 tricks inside "compiled" windoze targets...
There is another very nice lesson teached here by Frog's Pint: let's not be lazy! Almost anyone uses a "ready cracked" (read "stolen") Sourcer 7 version which comes with a pirated serial number inside it: the whole Web is polluted with all pirated versions of this important tool, and noone seems to care about the only thing that is really fascinating in our opinion: how to reverse this reverser program 'par excellence'. And Frog's Print does exactly this, and he writes:
As we are crackers, let's throw away this serial number and crack Sourcer 7.0

Right! And if you add to these 'strategic' thoughts the whole cursor bpinting, you'll agree with me that this essay deserves to be posistioned among the prestigious "Advanced cracking series". Enjoy!
PHASE 3 by Quine:

Interactive Disassembler Pro v3.7 Demo (II), 30 October 1997
(How to load the previous databases)

Well, this is SERIOUS ADVANCED CRACKING once more. Once more a fundamental tool of the trade (IDA). Once more a function reenabling work (the loading of the previous databases, i.e. one of the most important crippled functions of the crippled version: you do not want to start everything anew every time you use IDA, do you?). Once more something we all need: new knowledge that you can at once apply to other targets and reverse engineering endeavours.
Quine is getting us used to this kind of well-crafted essays. I'm afraid newbyes will not understand much here, please read the 'basic' essays first, and peruse the other +HCU page (where you'll find a lot of help for newbyes) before delving in this.
This said, here you have a real reverse engineering essay in all its glory... enjoy!
PHASE 4 by chown:

Cracking OpenNT 2.0 - object oriented cracking, 1 November 1997
(The temporary DLL trick)

Well, a VERY interesting Unix-school essay, that I'm happy to host on my site. Object oriented cracking! A very nice definition indeed! I have included this essay in the advanced section because I believe it well deserves a place there. You'll notice that there is a lot to learn for any reverser inside this... even if this (good) author seems to be only at his 'first steps' in windows programming... yet, this notwithstanding, this is NOT for newbyes. Newbyes should pheraphs have first a look at +gthorne's OTHER +HCU page first.
I find the part where chown describes is first programming experiences with windows programming particularly amusing... in fact I believe that any good cracker can indeed often program better than a 'real' programmer because he can CRACK the compiler into doing whatever he fancies if needs be! Enjoy!

InstallSHIELD Script Cracking, 22 November 1997
(Object oriented cracking: INSTALL WIZARDS CRACKING)

Well, a very interesting essay. Here we have a very "sound" approach to Installshield cracking. Read and enjoy!
PHASE 6 by +ReZiDeNt:

Cracking the Corel/Elan commercial protection scheme, 24 November 1997
(A 'brute force' parameter interception approach :-)

This essay describes an interesting "parameter interception" method: As +ReZiDeNt writes: "So we can simply locate these pushes and 'hardwire' our own dates into the push instructions instead"... yet so simple all this was not... a good reason to insert this essay among our "advanced cracking series" selection! Enjoy!
PHASE 7 by Uncle Van:

Encoded selfmodifying targets, 01 January 1998
(bypassing the WriteProcessMemory - creating our tools)

you'll find a lot more inside this VERY GOOD essay by Uncle Van: self-correcting, real code hiding, how to adjust the PE header, Uncle Van's 'precracking', bypassing the WriteProcessMemory and a lot of other goodies... you'll have a couple of days work just to understand what Uncle Van is explaining you... and that's the nice part of our trade! To learn! Enjoy!
PHASE 8 by Hackmore Readrite:

How To Crack A Ferret, 07 January 1998
(a clever, beautiful protection: wars between keys and the FFFFFFF8 monster)

An incredibly clever and 'sturdy' reversing of a difficult and intelligent protection. I don't use this kind of programs, and I hate people that throw me advertisement rubbish without asking, yet after having seen this, I admit that I respect the programmer that devised this protection, he deserves recognition! As sign of respect we will never again reverse (publicly) his future protection schemes (yet we'll seek and await them eagerly for our private cracking sessions: they are delicious!), I anyway wont publish any more on my sites any essay about Ferret's clever protection schemes, this one is the first and the last, yet what for an essay! Read, head and enjoy this BEAUTIFUL essay by Hackmore. My congratulations, Hackmore, Good work! I love your style: not much code and a lot of explanations! And your image of the FFFFFFF8 Monster lying in ambush is really great!
PHASE 9 by Quine:

Pushing the Envelope with HASP, 20 January 1998
(De-Hasping and other marvels)

I'm not going to comment this essay: Quine is a Master Cracker, and this essay is not even advanced, it's expert. I have not only learned a lot myself (this I do every time I get a good essay from all +friends) but I have learned things I did not ever suppose!
For sure I understand now the curiosity that +ORC himself has repeatedly manifested for Quine (after having read Quine's first essay on IDA +he ordered me to pass +him at once all emails from Quine).
This is definitely NOT FOR BEGINNERS! You better leave this alone if you're not an advanced cracker yourself (or a very 'steady' beginner cracker, prepared to invest A LOT of time and fatigue on your own advancing)... anyway, whoever you are... you better read (and follow) this essay MORE than a couple of times, believe me it is worth any minute you'll invest on it: you'll gain a WEALTH of incredible information!
My respects and unconditional admiration to +Quine!
PHASE A by Quine:

Extending the IDA Script Language, 27 January 1998
(A First Stab)

This present essay by Quine is -once more- the kind of work anyone is expecting from us: ameliorating and exstending the functionalities of our targets... just reversing protected proggies is getting dull, if we don't add anything.
Life is development, and development is progress (based on history and sound knowledge of the past... else it would be frills instead of progress :-) and progress is building for free on each others shoulders, out of the commercial dead ends where "they" want to push us.
You'll find here an ADDITION to the already incredible IDA disassembler (and if you are still just cracking with wdasm -believe me- you don't know what you are loosing) addition that will work immediatly if you have IDA's 'Quined' version, will require some fumbling if you -instead- have stolen the full regged one from the Web. Which suites us, since we want you to reverse engineer targets, not to steal them... man, it should be obvious!

PHASE B by Frog's Print:

Dongle Bashing: end of the dongle old aera ~ Dongles bye bye, 29 January 1998
(How a single +HCU reverser can easily blow a whole commercial sector out of history)

Oh my... the dongle old aera is finished. Out.
That's it, nothing more to add... let's hope we get a new dongle aera to work on.
Awesome essay. Frog's Print's incredible work should be printed and sipped slowly, it's 'cracking for conoisseurs', fravia's vintage 1998 "grand reserve"!
Bye bye to all the idiots that wanted to do quick bucks selling hardware protections that were NOT protections at all. This is good, nobody will mourn the disappearing of smoke-sellers and bogus protectors. Bye bye to all those that never studied assembly. This is good. Bye bye to all the creations of the poor programmers that blindly trusted commercial (and THEREFORE bogus) dongle protections to defend their valuable software instead of writing their own much more solide protections. Tsch Tsch.
You had better read +ORC's students essays first next time. And learn. And now don't come to the idea to blame Frog's Print... blame those dilettante that have sold you smoke


InstallSHIELD Script Cracking, A tutorial, 12 February 1998
(Zen cracking and other reversing beauties)

Well, NaTzGUL is a GREAT cracker, as anybody that has read is previous essay: InstallSHIELD Script Cracking, from 22 November 1997, can testify. He now 'deepens' his previous essay and with this tutorial shows us the 'guts' of Installshield protection... it's a great and beautiful reversing reading!

How to access the memory of a process, a Tutorial, 17 February 1998
(Deep into windows)

NaTzGUL: a great cracker (as Quine pointed out long ago). This essay-tutorial is a valuable contribution to the "Our tools" section, since what you'll learn here will be of paramount importance when working in the 'guts' of this awful operating system the world is compelled to live with. Yes, dear reader, you'll slowly learn how to program (in the most REAL sense of the word) in windows... in order to bend this overbloated operating system to your twisted purposes :-) Enjoy! It's fundamental 'required' reading... read it twice (at least) and then work on this... you'll be a much more powerful wizard when you are finished with this...
(May be a little less help files next time, NaTzGUL? :-)
PHASE E by -bajunny:

Undocumented HASP - Part I, 26 February 1998
(what d'you think of all the hype about HASP?)

Well, whoever -bajunny, this great reverser is, here you have a funny, well written, astonishing, great anti-hasp tutorial... when I receive this kind of good contributions I "feel" the might of Internet... we are nothing alone, but once we send a snowball rolling downhill... neither Bill himself nor all King's horses will ever be able to stop it! :-) Yes, dear -bajunny, by all means! Send your next essays! Send whatever your cleverness will put together for us...
I have NOT edited your work, because it's a great reading as it is... your text is humorous, interesting and refreshing... I even left your somewhat 'private' post header on the essay, because of the (very sound) Lanaki's tip... avec espoir et sans regret, dear -bayunny, I have always thought (especially after having seen IDA) that Russian reversers are a race apart!
PHASE F by Jack of Shadows:

Reversing +Aesculapius, 28 February 1998
(A complete explanation of a very good assembler protection)

Oh my, we have awakened a 'dormient' mighty cracker as it seems! :-)
Judging from this work I can only hope that Jack of Shadows' re-awakened passion for reversing will produce MANY more capable works like this one!
I hope to receive soon Aesculapius' observations about this... and I have to confess that I myself was playing with this crack, yet I was still inside the 'convolute' xorings when Jack's solution came... and now, with hindsight, everything seems easy... THEREFORE AN ADVICE TO MY MOST CAPABLE READERS: DO NOT READ THIS if you have not already started working on Aesculapius' protection! You would spoil a very nice learning chance if you do...
Once you have already had a couple of cracking sessions on Aesculapius' protection, on the countrary, you'll sip this beautiful essay as it should be done: chill, refreshing, at the correct mind 'temperature'
PHASE 10 by The Owl:

beta release 3 of the winice dumper, 28 February 1998
This material is not for newbyes. If you are a beginner come back later. Real reverser will immediately understand how important this is... (and let's hope we'll get the relevant essay soon :-) here what The Owl wrote me:
1. it is for winice for win95 v3.22 ONLY, 2. the patcher needs an UNPATCHED winice.exe of said version (or you can patch the patcher of course ;-) 3. the syntax of the dumper command is: PAGEIN <start> <length> <file> where <address> and <length> can be ANY expressions that can be evaluated in winice. furthermore, <address> has to evaluate to a flat 32 bit address, one should check it with '? <address>' if in doubt 4. the dumper itself is not expert material at all, everyone with half brain can use it (provided he was able to install winice, but i really can't help that ;-). of course, the essay will be at a somewhat different level...

SiuL+Hacky's redLinux GUIs. The Chances. (Advanced Linux cracking)
by SiuL+Hacky
01 March 1998
Well, an amazing essay by SiuL+Hacky, who seems to be the mightiest Linux wizard reverser of this planet (if others are there, I have never noticed their signs of life on the Web)
Enjoy this great essay, that carries FUNDAMENTAL teachings for linux reversers (of course) but also for anyone of +us!

madmax!'s redCracking using KERNEL32.DLL (Amazing how things dont change!)
by madmax!
04 March 1998
Tsch tsch, madmax! Playing with kernel!
And THAT is exactly what makes the difference between master crackers and beginners!
What does a real reverser do? He reverses, of course :-)
Now, see, we have this windows overbloated world we must all swim inside... huge, heavy, slow applicationosauriers, stupidly chewing routines on the code planes... and look! The great reverser hunters come! Approaching swift, from beneath the codetrees! Man, that's an unfair match for the dick overbloated windoze protectors!
The reversers are CLEVER! They use TOOLS! They use dos and unix knowledge, and sharp assembly knives... and so the stupid, almost brainless applicationosurus lays dead... reversed in a pool of bloody code... have a good meal! burp!
PHASE 13 by -bajunny:

Undocumented HASP - Part II, 12 March 1998
"xDEAD:xBEEF: extending HASP manufacturer's services"

Another great contribution by bajunny. Hasp misteries and vagaries are tackled and resolved. A must reading for all dongle interested researchers!
PHASE 14 by Stone:

In memory patching: three approaches, 20 March 1998
"how to introduce breakpoints in an automated debugger and other marvels"

A very good essay by Stone, a great cracker and one of the few fine reversers around that produces his own VERY GOOD TOOLS.
This essay has a very high theoretical value and should IMO be read by ALL reversers: you'll find inside it matters like "how it's possible to introduce breakpoints in an automated debugger", "making the target load a DLL for me"... and other marvels. Stone intends to update this work in fieri, therefore your contributions on all these matters are welcomed. Enjoy! (Beginners shouldn't touch this stuff IMO)
PHASE 15 by anormal/kindergarten

A short essay about usign a new type of protections: design your own cpu, 27 April 1998

PHASE 16 by Marigold

Opening a Vbox full of worms: PreviewParadise lost, 04 May 1998

11 May 98 JaZZ ~ crlvent7.htm Corel Ventura 7 trial: Crack it the hard way advanced ~fra_0119
11 May 98 Iceman ~ iceext1.htm "Extending Softice serie" ("Zauberreversing") advanced
27 May 98 Bajunny ~ bayu3.htm Undocumented HASP 3 (no more security through obscurity) advanced
proj 3
10 July 98 SiuL+Hacky ~ siullin2.htm Ltrace. The Tool (Linux disassembling) advanced
06 Sep 98 PNA ~ pna3.htm How to hook any API function in kernel32.dll advanced
06 Sep 98 SiuL+Hacky ~ siulflex.htm Linux advanced cracking: flexlm advanced
30 Oct 98 The+Q ~ cft_pro.htm CuteFTP KeyFile Protection advanced ~ fra_0161
30 Oct 98 adq ~ laste_09.htm isDcc: An installshield Decompiler advanced
~ fra_0162
30 Oct 98 Lone runner ~ fragas1.htm WIN32 Api Hooks, The stub approach advanced ~ fra_0165
12 Nov 98 Jean-Marc ~ enh_ida.htm An IDA enhancer (patching the IDA.WLL) advanced
~ fra_0167
12 Nov 98 Marigold ~ marigo_4.htm VBox The Hellraiser or the "paper tiger" by PreviewSystems advanced
~ fra_016A
25 Nov 98 Pedro ~ securom1.htm Securom's clever protection scheme debunked advanced ~ fra_016B
25 Nov 98 Victor Porguen ~ redirect.htm Defeating File Integrity Checks Through Redirection advanced ~ fra_016D
12 Dec 98 The_Owl ~ owlimpo.htm HWINFO Defeated: Cracking the impossible advanced ~ fra_0173
12 Dec 98 Tomboy ~ everlock.htm Everlock by Az-Tech: Reversing a Commerical Copy Protection Scheme - Part 1 advanced ~ fra_0176
23 Dec 98 SiuL+Hacky ~ siul_333.htm Linux cracking: About Introducing Your Own Code advanced ~ fra_0179
20 Jan 99 McLallo ~ cdromcla.htm CD-Cops ~ Another ready-made protection annihilated advanced
proj 4
~ fra_0183
June 99 +Spath ~ Theory and practice of menus reversing An essay to understand how menus and messages work, to be able to efficiently reverse function-disabled programs. advanced
~ ****
July 99 Black Check ~ C-Dilla Safedisc Another commercial Protection defeated advanced ~ ****
September 99 +Spath ~ Attacks against the BEST encryption algorithm chaos is definitely not randomness advanced
~ ****
September 99 LaZaRuS ~ Adding functionality to the Windows Calculator A small example of the most interesting part of reverse engineering: Adding functionality to a program advanced
~ ****
September 99 Nolan Blender ~ Reversing Globetrotter's Flexcrypt Key Extraction and Encryption Algorithm Reversing advanced ~ ****
September 99 NeuRaL_NoiSE ~ How to crack Conseal PC Firewall in an 'unusual' way Hooking API calls via IAT advanced ~ ****
September 99 NeuRaL_NoiSE ~ Reversing, functions addition, modifications in the existing code Classic cracking of a typical M$-target: notepad.exe advanced ~ ****
October 99 Staier ~ A paranoic protection: Remote administrator viewer Some tips for advanced IDA users advanced ~ ****

homepage links red anonymity +ORC students' essays academy database
tools counter measures cocktails redantismut CGI-scripts search_forms mail_fravia
Is reverse engineering legal?