Courtesy of Fravia's page
of reverse engineering
A very interesting example of BRW use 'on the field', slightly edited by Fravia+
31 march 1998
How to perform some magic reversing with good old BRW
You shrink your target a million bytes, you rip all protections off...
and it works!
by -= F**KingKrazy =-
31 March 1998
I intended to begin this text with its title but I did not found a
suitable one. I thought I could call it "When a Protection Scheme is
Good For Nothing" or "The Easiest Crack I Ever Did" or "The Most
Negligected Protected Program I Ever Saw". You choose.
In this text, I will show how to reverse the protection scheme of a
very useful OCR program called Cuneiform 1.31 (Jan'98).
You can find it at http://www.ocr.com/html/west.html, of course you
should pay for it if you intend to use it in real life.
This kewl program uses a double protections scheme: use counter and
registration password. The scheme cripples some functions after 30
days, that is: the target allows you to scan and save 30 pages as trial.
After the trial is expired you may continue to scan and recognize documents
but all the save, append and export functions will stay blocked until you
enter the password for registration.
I am going to use only one tool for this crack: BRW 4.5 which you can find
everywhere on the web (for instance at http://www.st.rim.or.jp/~bela/).
More about BRW? Read "An interesting tool: BRW (32-bit reverse engineering)"
an essay by Fravia+.
Ok, now that you have got the victim... er... the target and the tool, let's
Install the program. During the installation you will be asked to enter
names for user and company.
Before you continue to read, explore the target, learn how to, and mainly,
use it until the grace scanning counter expires.
So, you scan and save...scan and append...scan and export... suddenly a
"beg screen" shows up telling that your trial period expired and asking
your datas for registration and password code to unlock the blocked
Ok, trial expired, cracking time, let's reverse the relevant code.
Now snoop a bit the .EXEs and .DLLs to obtain info on compiler used to produce
the proggie, export libraries, function names, etc. You can use quickview
or a similar utility.
This will help you to choose the easiest way to crack our little beast.
You could also explore the Windoze registry, but I forward you that only three
explicit reference to the program have been found there and are all worthless
for the kind of crack we intend to do.
At this point you could opt to:
1. Use the "traditional" method to defeat the protection:
- run the program
- go to main menu help option
- activate the register screen
- enter a fake password code
- fire S-Ice
- bpx GetWindowText (in this case better than hmemcpy or
- then click Ok, F11, severals F12, lots of F10 e somes F8
- feel the code
- ...and, if you are a newbie
- be lost
- get fingers cramps
- or worst, get a tendinitis
2. Use W32Dasm to generate dead list of all suspects .EXE and .DLL:
- analise every routine that's worth
- drink a lot of coffee
- trace a lot of jumps and calls
- fell asleep in front your computer
- ...and, once again, if you are a newbie
- get mad and lose your hair
3. Use BRW to snoop all the suspects .EXE and .DLL:
- "see" the program resources
- discover where is the weak link dialog (i.e. the beg screen)
- rip off the weakness
- ...and, if the program work after the crack
- experience a feeling of great satisfaction
Since the compiler of our target is Borland C++, I choose the last option due
statistics on my own cracks, about 25-30% of protections schemes applied
to programs that uses high level languages compilers with standard libraries
can be broken this way (stranger than a bit huh?!).
Ok, let's continue.
1. Run BRW
- Load the first file to be snooped: CUNEI.EXE.
BRW show us:
CUNEIFORM_LOGO // the splash screen logo, rip it off
ABOUT // if we rip this off, goodbye splash screen
Save the file (project), minimize BRW and run Cuneiform.
Look! The splash screen is gone and the program still works.
Humm...the CUNEI.EXE did not CRC check, has few resources visible, and seems
to be a shuttle module only.
2. The next suspect CUNSDLL.EXE
Resources shown by BRW:
MAINMENU // has, inside HELP menu, the options we will never use after
// the crack
32 DIALOG SHOWING LICENSING // this will never appear after the crack,
// so we can rip it off
Follows dialogs used by the program and should not be removed.
Our interest is in the MAINMENU. Let's change it.
MENUITEM "&Contents\tF1", 1794
MENUITEM SEPARATOR // not necessary anymore
MENUITEM "How to &Register...",1810 // forget it dude
MENUITEM "Tech &Support", 1812 // ask support for this
// cracked version
// if you dare
MENUITEM "&Password and Registration", 1808 // what you think we are
// trying to do
MENUITEM "A&bout Cuneiform...", 1796 // we already know who
// you are
So, we will stay with Contents F1 just to mantain the Windoze standard.
Again, save the project, run it and test.
If you did not messed up anything, the program is still running fine.
Of course, you still can't save a scanned doc and the "beg screen" also
At this point we know that no effort was made to protect the .EXEs against
external modifications and it is clear that if we find the "weak link dialog"
the chances to defeat the protection by ripping it off are almost 100%.
3. Now the .DLLs
ACCUPAGE.DLL // Accupage driver for HP scanners
APLIB1.DLL // not interesting for our purpose
APLIB2.DLL // same
BC30RTL.DLL // same
BMP.DLL // worthless resources, but the program may check
// if file exist
For this .dll BRW shows:
197 // publicity, rip it off
198 // same, rip it off
199 // same, rip it off
93 // rip it off
95 // rip it off
98 // rip it off
99 // rip it off
401 // rip it off
416 // rip it off
800 // rip it off
820 // rip it off
900 // rip it off
Save the project, run it and test.
The program runs fine.
CODCTC.DLL // not interesting for our purpose
CUNCHECK.DLL // same
CUNOLE.DLL // same
CUNTWAIN.DLL // same
C_COMMON.DLL // same
C_PIXDF.DLL // same
GROUP4.DLL // same
HL.DLL // same
OWLCTC31.DLL // same
SCANHP.DLL // same
SCANMK.DLL // same
SCANPIX.DLL // same
SG5W30.DLL // same
TCLASS31.DLL // same
TGCALL.DLL // bridge routines, but no resource in this file
TIFF4.DLL // not interesting for our purpose
TIFFDLL.DLL // same
TIGER.DLL // humm...dangerous at first sight
For this .dll BRW shows:
COPYRIGHT // Cognitive Technologies product number
My intuition tells me not to remove this resource, but you can do a little
- minimize BRW
- backup this .DLL
- maximize BRW
- rip off the COPYRIGHT resource
- save the project
- run Cuneiform and...
Huah hah hah hah!...You screwd up the program!
Ok. Calm down, restore the .DLL using the backup you have done (didn't you?).
The program is running fine again.
Let's continue our scouting and snooping.
TRESRC.DLL // yesss, finaly the resourse we are wanting
For this .dll BRW shows:
99 // rip off this damm thing
Save the project, run, test, test, test.
Yesss, Yesss, Yesss! Unbelievable easy! And works!
A program as good as Cuneiform deserves a better protection!
Enough of ripping off. Let's compare the file size of the original files and
CUNEI.EXE 109584 27648
CUNSDLL.EXE 531968 536080
BMP.DLL 316928 5632
TRESRC.DLL 12800 5632
Quite reasonable amount of disk space saving, so if you BOUGHT this program
and are really and totally legally using it, as you should, you better
CRACK IT NEVERTHELESS in order to spare all this wasted space on your own
This proves that no routine protected the critical files from being altered,
no tricks, no traps, and despite of the supposed double protection scheme
the program was easily cracked in a few minutes.
I will not explain why the protection was broken so easily using BRW.
Almost all good developers programming under Windoze API know very well why
If you are newbie on Windoze API you may learn something about, using the
tutorials you can find somewhere in the net.
- sometimes only one tool, well known and well used, can offer
a miriad of possibilities to reverse engineering
- you must "feel" the code, but must "see" the resources too
- Windowze is lame, and IBM is one to blame because throwed
the towel too early
- Windowze is lame, and Apple is another to blame because was too
ambitious and too pretentious, a deserved death.
Is reverse engineering legal?