+HCU 1999

[The new +Hcukers]
[The solutions]
Strainer published in April 1998
Solutions published in October 1998
The STRAINER

A great strainer from Master +Aesculapius; I know that thousands (literally: I reckon I received lately more than 900 emails about this!) of future reversers and protectors all around the world are awaiting this with impatience. Once more: the +HCU is NOT a cracking group, it's an open university, open to ALL crackers, protectors and reversers alike... if capable. You may be in a group, you may be a lone wolf cracker, you may be a university professor of informatics or the CEO of your own software company, we couldn't care less: we want your knowledge, we'll give you our knowledge. You don't need to be a programmer, you need to understand code: it is NOT the same thing.
So, if we're not a group, why do we keep publishing our 'strainers for admission' every year? Well... we'll of course continue to teach openly (to everybody who wishes to read our essays) all the basic and advanced techniques, as we have always done, yet we need a "Kern" of dedicated and capable +crackers in order to imagine new solutions, devise new techniques, develop old and new team projects and understand very advanced (and new) reversing topics. That's the mission +ORC entrusted to us, that's what has changed the cracker scene dramatically in the last three years (everyone and his dog is now publishing essays, which is GOOD :-) and that's therefore the scope of our yearly strainers: to find the best among you and to commit them to teach (and understand) our wonderful trade: reversing.

As usual, all answers for +Aesculapius' 1999 strainer should be sent to us BEFORE the end of September 1998. Looks like a long time to you? Be careful: think again. It's more than enough to do a good job, if you start working now.

All answers should be directed to +Aesculapius

aesculapius(at)stones(point)com

or to any +HCU caretaker (+gthorne, fravia+, +Sync). All answers will anyway land with +Aesculapius, who will have the pleasure (and the responsibility) of deciding WHO among the participants should be admitted to the +HCU's next year's courses.

And, of course, all 'old +hands' are invited to participate as well: to reverse under the direction of a master +cracker is a rare pleasure, and this below is a beautiful strainer indeed!

fravia+

+HCU STRAINER 1999
By +Aesculapius
Published on 4 May 1998 - Must be solved BEFORE 30 September 1998

+ORC, our great mentor, entrusted me with the responsibility of releasing the +HCU Strainer for 1999. I regard myself as a "strict" educator, that is why this year the strainer will be quite a challenge, and only the worthy ones will succeed. I have selected four (4) endearing challenges to assure that you are the right person to enter our university.

The strainer release is every year a highly awaited time for many. It is the time when all capable intermediate and advanced crackers have the opportunity to transform their abilities into an art. We don't want to teach you new techniques, we want YOU to create them. We don't want nor need imitators, we wish to find truly capable reversers, able to adapt and evolve in our complex, rapidly changing world of protecting and cracking, capable of understanding the true meanings hidden inside all the code (and all the "reality") that surrounds us. We don't want selfish persons, we want people with enough humility to teach what they know without any other expectation than the satisfaction of spreading their sound and deep knowledge.

A small introduction will help you to understand the objectives of every challenge. You have to solve all four challenges of course, and even so, only the best answers will be accepted. I don't have to remind you that any "more than casual" resemblance between answers from different crackers will result in the automatic elimination of both participants. Obviously, you cannot imitate my own techniques in order to solve any of these challenges either.
THE FIRST CHALLENGE

The objectives of this challenge are to prove that:
1. The participant is able to design new techniques to solve a cracking problem (main objective).
2. The participant knows assembly language coding.
3. The participant knows system memory manipulation.
4. The participant is capable of handling simple anti-debugging techniques.
5. The participant is able to analyze complex encryption systems.

Target: Terminate 5.0 32 bit.
Description: Communication package.

Considerations: Terminate is an awesome DOS based communication program. Its formidable encryption system has resisted the attacks of many crackers. The author uses several interesting tricks which lend themselves to the creation of the so called "new techniques". In summary, Terminate 5.0 uses a key based protection scheme. The system accepts any key from an authentic Terminate 4.0 owner, but it won't accept any old cracked key. You could easily presume that the encryption in Terminate 5.0 has changed since version 4.0. Interestingly, that is not true. The encryption remains the same; however, Terminate 5.0 keeps rejecting old false 4.0 keys and accepting old authentic 4.0 keys.

To succeed in this challenge, you must:
1. Extensively analyze and explain Terminate's protection scheme.
2. Create a 16 bit assembly key generator for it.
3. Design a technique to assure that your generated key will be valid in any further version of Terminate, if the encryption system remains the same. That is, your key generator must be able to bypass the trick Terminate's author uses to recognize old keys.
THE SECOND CHALLENGE

The objectives of this challenge are to prove that:
1. The participant is able to code his own Windows based 32 bit patcher (main objective).
2. The participant is able to code in programming languages other than assembly.
3. The participant is capable of coding Windows based applications.

Considerations: DOS is dead; therefore, new crackers have to prove they can adapt to more challenging 32 bit operating system tasks. It's amazing that even now, when everybody is using a 32 bit operating system, most crackers still rely on good old DOS to create their byte patchers. The byte patcher is without any doubt a great symbol for any cracker. The first program, in any language, any of us probably coded was the traditional "Hello World!" which is featured in almost any programming textbook. In the same way, the first program, in any language, any cracker probably coded was the traditional byte patcher. In fact, the byte patcher represents in many cases the edge between the casual cracker and the truly committed future reverser.

Target: 32 bit Windows based byte patcher.
Description: None.

In this task, you'll have some help from me. DOS still rules in file patching among crackers, an incredible fact considering that 32 bit patching using API functions is easier, quicker and provides the cracker with additional advantages never seen in 16 bit patching. I'm going to code a byte patcher calling Win32 API functions. This is not the state of the art in file patching, because MFC goes beyond and encapsulates most Win32 API functions, providing the coder with high flexibility in the necessary API parameters and solving at the same time the terrible lack of functionality of C/C++ in string management tasks. To preserve tradition, I'll use assembly to do the job. You can use the language of your preference, but remember, the patcher must run in a 32 bit Windows based environment.
If you want to code a Windows based application, all strings must be zero terminated (C style) and API parameters must be pushed in reverse order (this only applies to assembly). As you know, API parameters are gathered from the stack because that is the most efficient way to do the job. Almost every compiler will translate your high level language code into its most efficient assembly equivalent. Some API functions feature additional advantages compared with their hardcore interrupt equivalents. For instance, the OpenFile API function will fetch the desired file not only in the current path but also in the \windows\system directory, which is a good thing if the patched file resides in that location. By the way, OpenFile is not the best suited API to open a file in a 32 bit environment; CreateFile is the better choice. I used OpenFile because it is easier and more intuitive to understand. As you can see, all API parameters are pushed line-by-line to facilitate the learning process. Tasm permits pushing everything at once whenever a function is called, but it is harder to understand (and to comment) that way. Here you have my code:

;--------------------------------------------------------------------------
; 32 bit Byte Patcher.
; Coded by +Aesculapius - 1998.
; Designed as part of the +HCU Strainer for 1999.
; Compile with Tasm32 & Tlink32
;   tasm32 -ml -m5 -q bytpat32
;   tlink32 -Tpe -aa -x -c bytpat32 ,,, import32
; You'll need files: windows.inc and import32.lib provided with
; Tasm 5.0 full package.
;--------------------------------------------------------------------------
.386p                           ; 386 instruction set enable
.model flat, stdcall            ; Linear addressing model

; Import several important API functions
; Some are not used, but I left them there
; in case you want to modify this program
; adding some other features
EXTRN OpenFile:PROC
EXTRN ReadFile:PROC
EXTRN WriteFile:PROC
EXTRN CloseFile:PROC
EXTRN GetLastError:PROC
EXTRN SetFileAttributes:PROC
EXTRN CreateFile:PROC
EXTRN SetFilePointer:PROC
EXTRN CloseHandle:PROC
EXTRN ExitProcess:PROC
EXTRN MessageBoxA:PROC

INCLUDE WINDOWS.INC             ; Some useful includes

; Data segment begins
.DATA
HANDLE   DD ?                   ; Holds target file handle
FILENAME DB 'nero.exe',0        ; Target file name, zero terminated (C style)

NOT resemble mine, otherwise, you are automatically out of the game.
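The Win32 byte patching described above, as an added example in C that is not +Aesculapius' listing: it opens the target with CreateFile, seeks with SetFilePointer, reads the byte currently at the offset and writes the new one only if the original byte is what the patch expects, so a patch is never applied to a different build or applied twice. The file name patch_demo.bin, its contents and the offsets are constructed for the demo, and on non-Windows systems the POSIX calls stand in for the Win32 ones so the same logic can be tried anywhere.

```c
/* Added example (not +Aesculapius' code): a verifying 32 bit byte patcher in C. On Windows it
 * calls CreateFile/SetFilePointer/ReadFile/WriteFile/CloseHandle; elsewhere POSIX stands in. */
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <fcntl.h>
#include <unistd.h>
#endif
/* Write `value` at `off` only if the byte there equals `expect`. Returns 1 if patched,
 * 0 if the expected byte is absent (wrong build or already patched), -1 on I/O error. */
int patch_byte(const char *path, long off, unsigned char expect, unsigned char value)
{
    unsigned char cur;
    int rc = -1;
#ifdef _WIN32
    DWORD n;
    HANDLE h = CreateFileA(path, GENERIC_READ | GENERIC_WRITE, 0, NULL,
                           OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (h == INVALID_HANDLE_VALUE) return -1;
    if (SetFilePointer(h, off, NULL, FILE_BEGIN) != INVALID_SET_FILE_POINTER &&
        ReadFile(h, &cur, 1, &n, NULL) && n == 1)
        rc = (cur != expect) ? 0 :
             (SetFilePointer(h, off, NULL, FILE_BEGIN) != INVALID_SET_FILE_POINTER &&
              WriteFile(h, &value, 1, &n, NULL) && n == 1) ? 1 : -1;
    CloseHandle(h);
#else
    int fd = open(path, O_RDWR);
    if (fd < 0) return -1;
    if (lseek(fd, off, SEEK_SET) == off && read(fd, &cur, 1) == 1)
        rc = (cur != expect) ? 0 :
             (lseek(fd, off, SEEK_SET) == off && write(fd, &value, 1) == 1) ? 1 : -1;
    close(fd);
#endif
    return rc;
}
/* Self-check on a constructed target file: the first call patches offset 3 (0x01 -> 0x02),
 * the second is refused because the original byte is gone. Returns 1 when both behave. */
int demo(void)
{
    const char *path = "patch_demo.bin";                      /* constructed sample */
    static const unsigned char img[] = {0x90, 0x90, 0x90, 0x01, 0x00, 0x00};
    FILE *f = fopen(path, "wb");
    if (!f || fwrite(img, 1, sizeof img, f) != sizeof img || fclose(f)) return -1;
    int first = patch_byte(path, 3, 0x01, 0x02);
    int again = patch_byte(path, 3, 0x01, 0x02);
    int wrong = patch_byte(path, 0, 0x00, 0x02);   /* expects 0x00 but byte is 0x90 */
    remove(path);
    return (first == 1 && again == 0 && wrong == 0) ? 1 : 0;
}
```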
THE THIRD CHALLENGE

The objectives of this challenge are to prove that:
1. The participant is able to combine both the live and dead listing approaches.
2. The participant is capable of defeating anti-cracker tricks.
3. The participant knows how to search & destroy hidden protections.
4. The participant understands the inner functioning of a good protection.

Target: Brainsbreaker v. 2.1 (32 bit) by Juan Trujillo Tarradas.
Description: Puzzle Creation Game.

Considerations: From now on, all the work comes directly from the genius of +ORC himself. He proposed that I study Brainsbreaker and decide if it was good enough to be included in the strainer; as always, he wasn't wrong. Brainsbreaker is a puzzle creation game, so what could be better than a puzzle to challenge a cracker, whose daily work is dealing with reversing puzzles? I won't talk about the target itself because that will be your job.

To succeed in this challenge, you must:
1. Completely explain the protection scheme used by this program.
THE ULTIMATE CHALLENGE

The objective of this challenge is to check that:
1. The participant understands the graphical part of demo-reversing.

Target: Brainsbreaker v. 2.1 (32 bit) by Juan Trujillo Tarradas.
Description: Puzzle Creation Game.

Considerations: Once you run Brainsbreaker, a small graphical sparkle arises every so often (when you quit the game or successfully complete a puzzle). Your job in the ultimate challenge is to code a program capable of reproducing this nice sparkle, which reminds us of the '+' sign in our names, used to distinguish us from non-HCUkers.

To succeed in this challenge, you must:
1. Code a program to reproduce the graphic effect of the sparkle featured in Brainsbreaker.
You have until September 30 1998 to send your answers. Finally, I can't do anything else but wish all of the participants the best of luck.

+Aesculapius - 1998.
aesculapius(at)stones(point)com

The new +Hcukers


Well, here they are, as decided by +Aesculapius on 4 October 1998


1) +Cruehead, complete solution.
2) +Q (his name is only this letter), complete solution.
3) +Mad, complete solution.
4) +iNT_03h, complete solution.
5) +Spath, Complete answer
6) +JaZZ, Complete solution
7) +Bogus, the answers are buggy but the solution is complete.
8?) Fatal+Exception, complete solution (with partial source code). Fatal Exception's admission is still under discussion (he included some anti-debugging tricks when sending his code answers, which looks suspicious to +some :-)
He will eventually be admitted if cleared of the suspicion of having copied the answers.




The Solutions


Well, here they are, published on 4 October 1998


Have a look and download one of the most interesting reversing projects of this year: some VERY good reversers tackle some difficult protection schemes.

WARNING: This is GREAT reading for advanced protectors and reversers only. The TONS of information that you'll find inside will keep you studying for a couple of weeks at least. You should by all means, in your +truly's opinion, first try to crack the strainer on your OWN. Even if you don't, because you're simply too lazy and want only to leech, by reading this material you'll anyway get deep insights into some of the most advanced protection and deprotection techniques. Enjoy!

Here you go!




(c) Fravia+ & +Aesculapius 1998, All rights reserved