An interesting tool: BRW(32-bit reverse engineering)
by Fravia+, MSRE
(May 1997) Re-edited December 2000
Courtesy of fravia's searchlores.org, December 2000
I have re-published this old essay of mine since it is linked from my introduction to Mammon_'s very interesting [Customizing Netscape's buttons and menus], which is in turn linked by the more recent [Some "improving" thoughts on Opera version 5] contributions... besides, it can still be useful.
But re-reading it I was rather disappointed by myself. Mann-o-mann, you get the creeps if you think that everything you put on the web will survive for centuries: re-reading the snotty tone I used three years ago I felt quite ashamed (therefore I have re-edited this doc :-)...
(you know, what really disturbs me is that I fear I'll probably say the same in a couple of years about my current writings... bear with me, gentle reader :-)
What it's all about
In this short essay I will show you how quickly you can identify (and, if you wish, reverse) a protection scheme, or any other feature of a Windows 32-bit program, using BRW, Borland Resource Workshop, a mighty
The target: [ultraedit] uedit310.zip, 574641 bytes: Ultraedit version 3.10, by Ian Mead: BEST text editor for windoze, highly recommended, incredibly powerful; this is an old, yet powerful enough version: 13/02/96
As "target" I have chosen for this essay a relatively "old" version of Ultraedit32, by Ian Mead: Version 3.10a, from 1996. It should be easy to find through the archies. Ultraedit is a very good text editor, which also has hex mode editing, unix text mode conversion and other useful utilities. I'm not pirating anything at all, of course: it would be extremely easy (and banal) to find NEWER registered versions of Ultraedit on the web for anyone who wants to steal software; besides, I prefer other, much older and (therefore?) more powerful programs for editing files, like psedit.
If you know how to search, I may add, you don't need to "crack" anything at all: when you need something, you simply and quickly fetch the latest version of it from the web ("ftpmailed"... why download when you can ftpmail?). It never takes longer than 5-10 minutes to find and have ftpmailed whatever program or game or image you may need on this web of ours.
You may reverse the protection, of course, and yet you'll most probably use the program for fewer days than the "allowed" time (because usually this timespan is more than enough to reach the release date of the next version :-)
The protection scheme
This program has an annoying "delayed" nagscreen at the beginning, a registration option of the usual name-code comparison algorithm and a "Cinderella" (time limit) type of protection, set at 45 days.
How we could have reversed it
Obviously we could have easily and quickly eliminated the nagscreen
using +ORC's dead listing technique:
:004010E4 833D0CE0450000 cmp dword ptr [0045E00C], 0 ;check if flagged
:004010EB 7466 je 00401153 ;0=not registered
:004010ED 6A09 push 9 ;This copy of UltraEdit-32 is licensed to
:00401153 6A08 push 8 ;This is an unregistered copy of UltraEdit
And we would also have quickly found the Cinderella protection, using the same method:
:00401E60 83F82D cmp eax, 2D ;0x2D = 45 :-)
:00401E63 7EA5 jle 00401E0A ;not yet 45, continue
:00401E65 E8E4F5FFFF call 0040144E ;check if registered
:00401E6A 833D0CE0450000 cmp dword ptr [0045E00C], 0 ;check if flagged
:00401E71 757F jne 00401EF2 ;it's a registered user!
:00401E73 6830200000 push 00002030 ;it's a luser, therefore
:00401E78 682CE14600 push 0046E12C ;45 Days... expired
BTW, I checked the more recent 4.3 version of Ultraedit: the protection
scheme is the same crap (lazy programmers):
cmp 47500C,0 ;holy flag
jne 004023E3 ;nagscreen
cmp eax, 2D ;0x2D = 45 :-)
The aim of this essay
But the aim of this essay is not to reverse such a banal protection, but to teach you how to use ANOTHER powerful reverse engineering tool, very useful for disassembling Windows programs: the "magical" BORLAND
I believe that a short digression about this tool is very well worth it: the Whitewater Resource Toolkit, which came with Borland C++ 4, was already a fantastic tool for disassembling Windows 3.1 (16 bit) programs, as all real reversers know. Alas, the development died! In 1994 the last known version of it appeared, ported to 32 bit and in the meantime called "Borland Resources Workshop" (Version 4.5 for Borland C++ 4.5, the one you
It's a sad world
Unfortunately this tool was TOO powerful and too good, so of course they simply killed it. Whitewater was, for this purpose, bought by Symantec (Peter Norton) and the product was no longer commercialized. Version 4.5 (GET IT!) is the last one I could find on the net; probably Borland still had, in 1994, some rights on its code and was able to publish it, alas for the last time.
It's a weird world, isn't it? Awfully stupid and useless programs are updated every two months and this real (and very powerful) jewel has been purposely
That does not surprise me: as we very well know, they do not want people to UNDERSTAND how a program works, they want only stupid morons that use their (bugged and poor) applications without questioning, understanding or
Power at your fingers
Ok, fetch BRW.zip, it's a zipped 2.5 megabyte file, if you did not buy it (like I did shortly after this essay: it appeared with THE COMPLETE Borland C++ 4.5, on the CD-ROM of PCPlus n.38, a UK computer magazine, August 1997 edition), and anyway it's now widely available on the web.
These are the BRW commands:
** New Project: Ultraedit exe
** Dialog 110: (you see it's 110, because it APPEARS in the right window when you click 110, but)
And this is the immediate answer from my beloved BRW:
110 DIALOG 100, 70, 210, 163
STYLE DS_MODALFRAME | WS_POPUP
FONT 8, "MS Sans Serif"
CONTROL "This is an unregistered copy of UltraEdit-32.
Use of this program should be on a temporary basis (45 Days max)
for evaluation purposes only. If this program is to be used for purposes
other than evaluation please register this program.", -1, "STATIC",
SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 34, 18, 151, 55
CONTROL "Details for registration can be found in the READ.ME file
and in the 'About' dialog box on the help menu.", 128,
"STATIC", SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 35, 76, 151, 35
CONTROL 2, -1, "STATIC", SS_ICON | WS_CHILD | WS_VISIBLE, 5, 12, 18, 20
CONTROL "You have", -1, "STATIC", SS_LEFT | WS_CHILD |
WS_VISIBLE | WS_GROUP, 36, 115, 40, 12
CONTROL "", 130, "EDIT", ES_LEFT | ES_AUTOHSCROLL | WS_CHILD |
WS_VISIBLE | WS_DISABLED | WS_BORDER, 78, 114, 18, 12
CONTROL "days left for evaluation.", -1, "STATIC", SS_LEFT |
WS_VISIBLE | WS_GROUP, 103, 115, 89, 12
CONTROL "Enter Authorization code", 1, "BUTTON", BS_DEFPUSHBUTTON |
WS_VISIBLE | WS_TABSTOP, 49, 137, 113, 14
You won't believe it
Well, what do you think you can do now? You found the nagscreen, so what? You will not believe it: it's so easy that it scares me: just choose the BRW option "DELETE" (YES!) and simply DELETE dialog 110... BRW recompiles the target on the fly and oplà! There is no nagscreen there any more! The target runs without annoying us!
Unbelievable? Try it... See? Now you begin to understand why BRW development has been deemed "not allowed" :-)
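The dialog list BRW shows (and the "Dialog 110" you deleted above) comes from walking the executable's resource directory, the three-level type / id / language tree of a PE .rsrc section. As an added illustration, not part of the original essay and not BRW's own code, here is a small Python walker that lists every DIALOG resource; since no binary ships with this page, the section bytes are constructed inline (one icon plus dialogs 110 and 120, with made-up RVAs), and the walker also resolves named entries, which the sample does not use.

```python
import struct
RT_DIALOG = 5        # resource type of DIALOG templates (the "110 DIALOG" BRW printed above)
SUBDIR = 0x80000000  # high bit of an entry's offset field: subdirectory, not a data entry

def _name(rsrc, field):
    """Entry Name field: a numeric ID, or (high bit set) an offset to a WORD-prefixed UTF-16LE string."""
    if field & SUBDIR:
        off = field & 0x7FFFFFFF
        n = struct.unpack_from("<H", rsrc, off)[0]
        return rsrc[off + 2:off + 2 + 2 * n].decode("utf-16-le")
    return field

def walk(rsrc, off=0, path=()):
    """Walk the IMAGE_RESOURCE_DIRECTORY tree (type / id / language) of a raw .rsrc
    section and yield one (type, id, lang, size, data_rva) tuple per leaf."""
    n_named, n_id = struct.unpack_from("<HH", rsrc, off + 12)
    for i in range(n_named + n_id):
        name, offset = struct.unpack_from("<II", rsrc, off + 16 + 8 * i)
        key = path + (_name(rsrc, name),)
        if offset & SUBDIR:
            yield from walk(rsrc, offset & 0x7FFFFFFF, key)
        else:  # IMAGE_RESOURCE_DATA_ENTRY: OffsetToData (an RVA), Size, CodePage, Reserved
            rva, size = struct.unpack_from("<II", rsrc, offset)
            yield key + (size, rva)

def dialogs(rsrc):
    """{dialog id: template size} for every RT_DIALOG leaf, i.e. the list BRW shows."""
    return {leaf[1]: leaf[3] for leaf in walk(rsrc) if leaf[0] == RT_DIALOG}

def _dir(entries):
    """Pack a directory header (ID entries only) followed by its (id, offset) entries."""
    return struct.pack("<IIHHHH", 0, 0, 0, 0, 0, len(entries)) + b"".join(
        struct.pack("<II", i, o) for i, o in entries)

# Constructed sample (not UltraEdit's): one icon plus dialogs 110 and 120, lang 0x409; RVAs made up.
SAMPLE_RSRC = (
    _dir([(3, SUBDIR | 32), (5, SUBDIR | 56)])         # root: RT_ICON, RT_DIALOG
    + _dir([(1, SUBDIR | 88)])                          # icon id 1
    + _dir([(110, SUBDIR | 112), (120, SUBDIR | 136)])  # dialog ids
    + _dir([(0x409, 160)])                              # icon 1     -> data entry at 160
    + _dir([(0x409, 176)])                              # dialog 110 -> data entry at 176
    + _dir([(0x409, 192)])                              # dialog 120 -> data entry at 192
    + struct.pack("<IIII", 0x3000, 744, 0, 0)
    + struct.pack("<IIII", 0x3300, 422, 0, 0)
    + struct.pack("<IIII", 0x3500, 96, 0, 0)
)
if __name__ == "__main__":
    for leaf in walk(SAMPLE_RSRC):
        print("type=%d id=%s lang=0x%x size=%d rva=0x%x" % leaf)
```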
You can apply of course the same trick to EVERY PROGRAM on this planet. As a matter of fact BRW is great fun for modifying all your software as you fancy, allowing you quite a palette of options, from puerile to serious reverse engineering of applications you do not happen to have the source code of... (BRW-recompiling is easy if you do not add functionalities and code and just keep to the same length in bytes... if you add code and patch your targets you should use BRW AND a good recompiler at the same time).
I leave it to the brain and the mood of the reader to imagine what a good combination of dead listing, eventual WinICE-ing and BRW-ing Windows 32 applications can offer us :-):
TOTAL MASTERY OF ANY APPLICATION;
INFINITE POSSIBILITIES OF RESTRUCTURING APPLICATIONS;
IMMEDIATE DISCOVERY OF ANY BACKDOOR, HIDDEN TREASURE,
ABORTED FUNCTIONS INSIDE ANY PROGRAM...
and many many other related goodies.
And since this awfully stupid Windows95/97/NT OS will, illogically but unfortunately, spread and spread more and more, all future programs are, at least for a pretty long time to come, at your feet as well as at mine, my dear fellow reversers :-)
I have been criticized... a reader told me that in fact there are new versions of BRW...
"Resource Workshop wasn't killed as you state.
Borland still offers it, but it has stopped being a stand alone
product from them. Instead it is included in Borland c++...
Your conclusions are false"
And yet the best (stripped) version of it I could find or gather until now, even writing to Borland, is still version 4.5. If anyone has any newer version, please notify me... but check first that it really is a "development" of BRW, not just another copy of what we already know. (The reader I spoke of above apologized... afterwards)
(c) 2000: [fravia+], all rights