redCourtesy of Fravia's page of reverse engineering
A very interesting example of BRW use 'on the field', slightly edited by fravia+
~
31 march 1998
student
Not Assigned


How to perform some magic reversing with good old BRW You shrink your target a million bytes, you rip all protections off... and it works! by -= F**KingKrazy =- 31 March 1998

I intended to begin this text with its title but I did not found a suitable one. I thought I could call it "When a Protection Scheme is Good For Nothing" or "The Easiest Crack I Ever Did" or "The Most Negligected Protected Program I Ever Saw". You choose. In this text, I will show how to reverse the protection scheme of a very useful OCR program called Cuneiform 1.31 (Jan'98). You can find it at http://www.ocr.com/html/west.html, of course you should pay for it if you intend to use it in real life. This kewl program uses a double protections scheme: use counter and registration password. The scheme cripples some functions after 30 days, that is: the target allows you to scan and save 30 pages as trial. After the trial is expired you may continue to scan and recognize documents but all the save, append and export functions will stay blocked until you enter the password for registration. I am going to use only one tool for this crack: BRW 4.5 which you can find everywhere on the web (for instance at http://www.st.rim.or.jp/~bela/). More about BRW? Read "An interesting tool: BRW (32-bit reverse engineering)" an essay by Fravia+. Ok, now that you have got the victim... er... the target and the tool, let's have fun. Install the program. During the installation you will be asked to enter names for user and company. Before you continue to read, explore the target, learn how to, and mainly, use it until the grace scanning counter expires. So, you scan and save...scan and append...scan and export... suddenly a "beg screen" shows up telling that your trial period expired and asking your datas for registration and password code to unlock the blocked functions. Ok, trial expired, cracking time, let's reverse the relevant code. Now snoop a bit the .EXEs and .DLLs to obtain info on compiler used to produce the proggie, export libraries, function names, etc. You can use quickview or a similar utility. This will help you to choose the easiest way to crack our little beast. You could also explore the Windoze registry, but I forward you that only three explicit reference to the program have been found there and are all worthless for the kind of crack we intend to do. At this point you could opt to: 1. Use the "traditional" method to defeat the protection: - run the program - go to main menu help option - activate the register screen - enter a fake password code - fire S-Ice - bpx GetWindowText (in this case better than hmemcpy or GetDialogItemText) - then click Ok, F11, severals F12, lots of F10 e somes F8 - feel the code - ...and, if you are a newbie - be lost - get fingers cramps - or worst, get a tendinitis 2. Use W32Dasm to generate dead list of all suspects .EXE and .DLL: - analise every routine that's worth - drink a lot of coffee - trace a lot of jumps and calls - fell asleep in front your computer - ...and, once again, if you are a newbie - get mad and lose your hair 3. Use BRW to snoop all the suspects .EXE and .DLL: - "see" the program resources - discover where is the weak link dialog (i.e. the beg screen) - rip off the weakness - ...and, if the program work after the crack - experience a feeling of great satisfaction Since the compiler of our target is Borland C++, I choose the last option due statistics on my own cracks, about 25-30% of protections schemes applied to programs that uses high level languages compilers with standard libraries can be broken this way (stranger than a bit huh?!). Ok, let's continue. 1. Run BRW - Load the first file to be snooped: CUNEI.EXE. BRW show us: BITMAP CUNEIFORM_LOGO // the splash screen logo, rip it off DIALOG ABOUT // if we rip this off, goodbye splash screen DIALOG_1 STRINGTABLE 22 ICON CUNEIICON Save the file (project), minimize BRW and run Cuneiform. Look! The splash screen is gone and the program still works. Humm...the CUNEI.EXE did not CRC check, has few resources visible, and seems to be a shuttle module only. 2. The next suspect CUNSDLL.EXE Resources shown by BRW: BITMAP BRIGHT_MASK : : PORTRAIT3_PICT MENU MAINMENU // has, inside HELP menu, the options we will never use after // the crack DIALOG 32 DIALOG SHOWING LICENSING // this will never appear after the crack, // so we can rip it off : Follows dialogs used by the program and should not be removed. Our interest is in the MAINMENU. Let's change it. POPUP "&Help" { MENUITEM "&Contents\tF1", 1794 MENUITEM SEPARATOR // not necessary anymore MENUITEM "How to &Register...",1810 // forget it dude MENUITEM "Tech &Support", 1812 // ask support for this // cracked version // if you dare MENUITEM "&Password and Registration", 1808 // what you think we are // trying to do MENUITEM "A&bout Cuneiform...", 1796 // we already know who // you are } So, we will stay with Contents F1 just to mantain the Windoze standard. Again, save the project, run it and test. If you did not messed up anything, the program is still running fine. Of course, you still can't save a scanned doc and the "beg screen" also shows up. At this point we know that no effort was made to protect the .EXEs against external modifications and it is clear that if we find the "weak link dialog" the chances to defeat the protection by ripping it off are almost 100%. 3. Now the .DLLs ACCUPAGE.DLL // Accupage driver for HP scanners APLIB1.DLL // not interesting for our purpose APLIB2.DLL // same BC30RTL.DLL // same BMP.DLL // worthless resources, but the program may check // if file exist For this .dll BRW shows: BITMAP 197 // publicity, rip it off 198 // same, rip it off 199 // same, rip it off DIALOG 93 // rip it off 95 // rip it off 98 // rip it off 99 // rip it off STRINGTABLE 401 // rip it off 416 // rip it off 800 // rip it off 820 // rip it off 900 // rip it off Save the project, run it and test. The program runs fine. CODCTC.DLL // not interesting for our purpose CUNCHECK.DLL // same CUNOLE.DLL // same CUNTWAIN.DLL // same C_COMMON.DLL // same C_PIXDF.DLL // same GROUP4.DLL // same HL.DLL // same OWLCTC31.DLL // same SCANHP.DLL // same SCANMK.DLL // same SCANPIX.DLL // same SG5W30.DLL // same TCLASS31.DLL // same TGCALL.DLL // bridge routines, but no resource in this file TIFF4.DLL // not interesting for our purpose TIFFDLL.DLL // same TIGER.DLL // humm...dangerous at first sight For this .dll BRW shows: CTC COPYRIGHT // Cognitive Technologies product number My intuition tells me not to remove this resource, but you can do a little experience yourself: - minimize BRW - backup this .DLL - maximize BRW - rip off the COPYRIGHT resource - save the project - run Cuneiform and... Huah hah hah hah!...You screwd up the program! Ok. Calm down, restore the .DLL using the backup you have done (didn't you?). The program is running fine again. Let's continue our scouting and snooping. TRESRC.DLL // yesss, finaly the resourse we are wanting For this .dll BRW shows: DIALOG 99 // rip off this damm thing STRINGTABLE 22 32 100 : : Save the project, run, test, test, test. Yesss, Yesss, Yesss! Unbelievable easy! And works! A program as good as Cuneiform deserves a better protection! Enough of ripping off. Let's compare the file size of the original files and changed ones. Before After CUNEI.EXE 109584 27648 CUNSDLL.EXE 531968 536080 BMP.DLL 316928 5632 TRESRC.DLL 12800 5632 Quite reasonable amount of disk space saving, so if you BOUGHT this program and are really and totally legally using it, as you should, you better CRACK IT NEVERTHELESS in order to spare all this wasted space on your own harddisk. This proves that no routine protected the critical files from being altered, no tricks, no traps, and despite of the supposed double protection scheme the program was easily cracked in a few minutes. I will not explain why the protection was broken so easily using BRW. Almost all good developers programming under Windoze API know very well why this happens. If you are newbie on Windoze API you may learn something about, using the tutorials you can find somewhere in the net. Final notes: - sometimes only one tool, well known and well used, can offer a miriad of possibilities to reverse engineering - you must "feel" the code, but must "see" the resources too - Windowze is lame, and IBM is one to blame because throwed the towel too early - Windowze is lame, and Apple is another to blame because was too ambitious and too pretentious, a deserved death.

redhomepage redlinks redanonymity red+ORC redstudents' essays redacademy database
redtools redcocktails redantismut CGI-scripts redsearch_forms redmail_fravia
redIs reverse engineering legal?