An interesting tool: BRW (32-bit reverse engineering)

by Fravia+, MSRE, May 1997

Courtesy of fravia's page of reverse engineering

What it's all about
In this short essay I will show you how quickly you can identify
(and eventually crack) a protection scheme, or any other feature of a
Windows 32-bit program, using BRW, the Borland Resource Workshop, a mighty
tool.

The target: UEDIT32.EXE 560.640  13/02/96
As "target" I have chosen for this essay a relatively "old" version
of Ultraedit32, by Ian Mead: version 3.10a, from 1996. It should be easy
to find through the archies. Ultraedit is a fairly acceptable text editor,
which also has hex mode editing, unix text mode conversion and other
useful utilities. I'm not pirating anything at all of course: I have
used the program (in order to crack it) only one day out of the 45
allowed and have since deleted it from my hard disk, since I did not
find it worth 30 dollars (I prefer other -much older and much more
powerful- programs for editing files).
BTW I may add that on my computer you would not find a single pirated
copy of software: there is no need for this! First of all I have a job,
therefore if I really like and find really useful a program (which happens
very seldom) I can afford to buy it, as I did with wdasm for instance;
secondly, when I need something, I simply and quickly fetch the latest version
of it ftpmailed from the web (why download when you can ftpmail?).
I crack the eventual protection, of course, and yet I use the program mostly
for fewer days than the allowed time (because usually this is more than enough
to get already to the date of release of the next version :-)

The protection scheme
This program has an annoying "delayed" nagscreen at the beginning, a
registration option using the usual name/code comparison algorithm and a
"Cinderella" type of protection (a time limit), set at 45 days.

How we could have cracked it
Obviously we could have easily and quickly cracked the nagscreen
using +ORC's dead listing technique:

:004010E4 833D0CE0450000  cmp dword ptr [0045E00C], 0   ;check if flagged
:004010EB 7466            je 00401153                   ;0=not registered
:004010ED 6A09            push 9                        ;"This copy of UltraEdit-32 is licensed to"
...
:00401153 6A08            push 8                        ;"This is an unregistered copy of UltraEdit"
...

And we would also have quickly found the Cinderella protection as well,
using the same method:

:00401E60 83F82D          cmp eax, 0000002D             ;0x2D = 45 :-)
:00401E63 7EA5            jle 00401E0A                  ;not yet 45, continue
:00401E65 E8E4F5FFFF      call 0040144E                 ;check if registered
:00401E6A 833D0CE0450000  cmp dword ptr [0045E00C], 0   ;check if flagged
:00401E71 757F            jne 00401EF2                  ;it's a registered user!
:00401E73 6830200000      push 00002030                 ;it's a luser, therefore
:00401E78 682CE14600      push 0046E12C                 ;"45 Day Evaluation time has expired"

BTW, I checked the more recent 4.3 version of Ultraedit: the protection
scheme is the same crap (lazy programmers):
cmp 47500C, 0        ;holy flag
jne 004023E3         ;nagscreen
and
cmp eax, 0000002D    ;0x2D = 45 :-)

The aim of this essay
But the aim of this essay is not to crack such a banal protection, but
to teach you how to use ANOTHER powerful reverse engineering tool, very
useful for windows programs disassembly: the "magical" BORLAND
RESOURCE WORKSHOP.
I believe that a short digression about this tool is very well worth it:
The Whitewater Resource Toolkit, that came with Borland C++ 4, was already a
fantastic tool for windows (16 bit) 3.1 disassembling, as all real
crackers know. Alas, the development died! In 1994 appeared the last known
version of it, ported to 32 bit and by then called "Borland Resource
Workshop" (Version 4.5, for Borland C++ 4.5, the one you should fetch).

It's a sad world
Unfortunately this tool was TOO powerful and too good, so they of course
simply killed it. Whitewater was, to this purpose, bought by Symantec (Peter Norton)
and the product was no longer commercialized. Version 4.5 (GET IT!) is the last one
I could find on the net; probably Borland still had in 1994 some rights on its
code and was able to publish it, alas for the last time.
It's a weird world, isn't it? Awful, stupid and useless programs are updated
every two months and this real (and very powerful) jewel has been purposely
killed!
That does not surprise me: as we very well know, they do not want people to
UNDERSTAND how a program works, they want only stupid morons that use their
(bugged and poor) applications without questioning, understanding or improving
them.

Power at your fingers
Ok, fetch BRW.zip, it's a zipped 2.5 megabyte file, if you did not buy it (like
I did shortly after this essay: it appeared with THE COMPLETE Borland C++ 4.5, on
the CD-ROM of PCPlus n.38, a UK computer magazine, August 1997 edition); anyway I
had it already, thanks to a good miner friend of mine, and now anyway it's vastly
available on the web.

These are the BRW commands:
**	New Project: Ultraedit exe
**	Dialog 110: (you see it's 110, because it APPEARS in the right window when you click 110, but)

And this is the immediate answer from my beloved BRW:

110 DIALOG 100, 70, 210, 163
STYLE DS_MODALFRAME | WS_POPUP
FONT 8, "MS Sans Serif"
{
 CONTROL "This is an unregistered copy of UltraEdit-32.  Use of this program should be on a temporary basis (45 Days max) for evaluation purposes only.  If this program is to be used for purposes other than evaluation please register this program.", -1, "STATIC", SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 34, 18, 151, 55
 CONTROL "Details for registration can be found in the READ.ME file and in the 'About' dialog box on the help menu.", 128, "STATIC", SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 35, 76, 151, 35
 CONTROL 2, -1, "STATIC", SS_ICON | WS_CHILD | WS_VISIBLE, 5, 12, 18, 20
 CONTROL "You have", -1, "STATIC", SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 36, 115, 40, 12
 CONTROL "", 130, "EDIT", ES_LEFT | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE | WS_DISABLED | WS_BORDER, 78, 114, 18, 12
 CONTROL "days left for evaluation.", -1, "STATIC", SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 103, 115, 89, 12
 CONTROL "Enter Authorization code", 1, "BUTTON", BS_DEFPUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 49, 137, 113, 14
}
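
BRW produces the DIALOG script above by decompiling the binary DLGTEMPLATE stored in the executable's resource section. The Python below is added here as an example (it is not part of the original essay, not BRW's code, and contains nothing taken from UEDIT32.EXE): it parses that binary format and returns the same fields BRW prints, i.e. the style, the rectangle, the FONT line and one entry per CONTROL. The builder at the top exists only to construct a sample template, modelled on two controls of dialog 110, so the parser can run offline; field layout and constant values follow the DLGTEMPLATE and DLGITEMTEMPLATE definitions of winuser.h.

```python
import struct

# Style bits and predefined class ordinals as defined in winuser.h (real values)
DS_SETFONT, DS_MODALFRAME, WS_POPUP, WS_CHILD = 0x40, 0x80, 0x80000000, 0x40000000
WS_VISIBLE, WS_GROUP, WS_TABSTOP, BS_DEFPUSHBUTTON = 0x10000000, 0x20000, 0x10000, 0x1
CLASS_NAMES = {0x80: "BUTTON", 0x81: "EDIT", 0x82: "STATIC"}
def _sz(s):  # NUL-terminated UTF-16LE string, the template's string encoding
    return s.encode("utf-16-le") + b"\x00\x00"
def build_dialog(style, rect, font_pt, font_name, controls):  # serialiser, used only for sample input
    out = struct.pack("<IIH4H", style | DS_SETFONT, 0, len(controls), *rect)
    out += b"\x00" * 6                                 # menu: none, class: default, title: empty
    out += struct.pack("<H", font_pt) + _sz(font_name)  # present because DS_SETFONT is set
    for text, cid, cls_ord, cstyle, crect in controls:
        out += b"\x00" * (-len(out) % 4)               # every DLGITEMTEMPLATE is DWORD aligned
        out += struct.pack("<II4HH", cstyle, 0, *crect, cid & 0xFFFF)
        out += struct.pack("<HH", 0xFFFF, cls_ord) + _sz(text) + b"\x00\x00"  # class, text, no creation data
    return out
def _sz_or_ord(buf, off):
    """Read a sz_Or_Ord field: 0xFFFF followed by a WORD ordinal, otherwise a NUL-terminated string."""
    if struct.unpack_from("<H", buf, off)[0] == 0xFFFF:
        return struct.unpack_from("<H", buf, off + 2)[0], off + 4
    end = off
    while struct.unpack_from("<H", buf, end)[0] != 0: end += 2
    return buf[off:end].decode("utf-16-le"), end + 2
def parse_dialog(buf):
    """Recover from a raw DLGTEMPLATE the fields BRW shows as a DIALOG script."""
    style, _ex, cdit, x, y, cx, cy = struct.unpack_from("<IIH4H", buf, 0)
    off = 18                                           # fixed-size header
    for _ in range(3): _, off = _sz_or_ord(buf, off)   # skip menu, window class and title
    font = None
    if style & DS_SETFONT:                             # the FONT 8, "MS Sans Serif" line
        pt = struct.unpack_from("<H", buf, off)[0]
        name, off = _sz_or_ord(buf, off + 2)
        font = (pt, name)
    controls = []
    for _ in range(cdit):                              # one CONTROL line per item
        off += -off % 4
        cstyle, _cex, ix, iy, icx, icy, cid = struct.unpack_from("<II4HH", buf, off)
        cls, off = _sz_or_ord(buf, off + 18)
        text, off = _sz_or_ord(buf, off)
        off += max(struct.unpack_from("<H", buf, off)[0], 2)  # creation data: size word (incl. itself) or 0
        controls.append((text, cid, CLASS_NAMES.get(cls, cls), cstyle, (ix, iy, icx, icy)))
    return {"rect": (x, y, cx, cy), "style": style, "font": font, "controls": controls}

# Constructed sample modelled on two controls of dialog 110 above; not the bytes from UEDIT32.EXE
SAMPLE = build_dialog(DS_MODALFRAME | WS_POPUP, (100, 70, 210, 163), 8, "MS Sans Serif", [
    ("You have", -1, 0x82, WS_CHILD | WS_VISIBLE | WS_GROUP, (36, 115, 40, 12)),
    ("Enter Authorization code", 1, 0x80, BS_DEFPUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, (49, 137, 113, 14)),
])
```

Reading dialogs this way is also how an analyst inventories what a binary can display, or diffs the resource section of a build against a known-good copy to spot a dialog that has been removed or reworded.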
	  
You won't believe it
Well, what do you think you can do now? You found the nagscreen, so what?
You will not believe it: it's so easy that it scares me: just choose the BRW option
"DELETE" (YES!) and simply DELETE dialog 110...
BRW recompiles the target on the fly and opla! There is no nagscreen there any more!
The target runs without annoying us!

Unbelievable? Try it... See? Now you begin to understand why BRW development has been
deemed "not allowed" :-)

More options
You can apply of course the same trick to EVERY PROGRAM on this planet.
As a matter of fact BRW is great fun for modifying all your software as you
fancy, allowing you quite a palette of options, from puerile to serious reverse
engineering of applications you do not have the source code of...
My copy of MS-Exchange, for instance, has (obviously) "Micro$oft" with the $ sign
and "fravia's own" all over it, various new functionalities that I have added
and no secret whatsoever any more for me (BRW-recompiling is easy if you do not
add functionalities and code and just keep to the same length of bytes...
if you add code and patch your targets you should use BRW AND a good recompiler
at the same time).
I leave it to the brain and the mood of the reader to imagine what a good combination
of dead listing, eventual Winicing and BRWing windows 32 applications can
offer us :-):
TOTAL MASTERY OF ANY APPLICATION;
INFINITE POSSIBILITIES OF RESTRUCTURING APPLICATIONS;
IMMEDIATE DISCOVERY OF ANY BACKDOOR, HIDDEN TREASURE, ABORTED FUNCTIONS INSIDE
ANY PROGRAM...
and many many other related goodies.
And since this awful stupid Windows95/97/NT OS will -illogically but unfortunately-
spread and spread more and more, all future programs are -at least for a pretty
long time being- at your feet as well as at mine, my dear fellow crackers :-)

Well, what d'you say? Did you like Fravia's little contribution to the cause?

later
fravia, MSRE (master of software reverse engineering :-)

Post scriptum:
I have been criticized for this, a reader telling me that in fact there are 
new versions of BRW...

	"Resource Workshop wasn't killed as you state.
	 Borland still offers it, but it has stopped being a stand alone
	 product from them. Instead it is included in Borland c++...
	 Your conclusions are false"

And yet the best (stripped) version of it I could find or gather until now, even 
writing to Borland, is still version 4,5. 
If anyone has any newer version, please notify... but check first that it really is 
a "development" of BRW, not just another copy of what we already know. (The reader 
above apologized...)


