How to completely remove a SalesAgent protection.
Bye bye SalesAgent.
Generic 30s crack written by CapaC.
Published by Tsehp, August 2000
capac@gmx.net
3 July 2000.
How a memory patch invokes a harddisk patch!
General.

This is my first reverse essay, I hope that everything will be clear. Sorry for my bad English, I did my very best.

Target.

SalesAgent is a commercial(?) protection system (www.releasesoft.com). With this essay you can easily defeat all programs boxed by SalesAgent. As target I will use Macromedia Dreamweaver 3, the good HTML editor (www.macromedia.com).

Idea.

If you purchase a program boxed with SalesAgent, and enter the right serials and all the other stuff, then you see the following window:

[image: the SalesAgent unboxing window]

This means that routines from the SalesAgent protection are busy cleaning the SalesAgent protection out of the boxed program. It also means that these routines live somewhere in the code of the program. At the end you have the original program as compiled by the maker of the program, with the SalesAgent protection completely removed! The approach of this essay is to use these cleanup routines directly, without entering anything at all, in an easy way and in a short time, let's say 30 seconds.

Tools used.

Softice 4.05, the ultimate tool (all versions of Softice are good). It's the only tool you need to crack this commercial(?) protection.

At work.

Install the program (install the Macromedia Dreamweaver 3 trial version). Go with Window$ Exploder to the program directory, in this case C:\Program Files\Macromedia\Dreamweaver 3\. In every SalesAgent boxed program directory you find a file of the form xxxxxpop.exe or xxxxxpop.tty. If you only have xxxxxpop.tty in your directory, then rename this file to xxxxxpop.exe. In the directory of Dreamweaver we see the file Dreampop.tty, after renaming it Dreampop.exe. In this file lives the decryption code that removes the protection; in some cases they try to mask that it's an executable through the extension .tty. If we start this file directly without modifications, then we see an error message: you do not have the right to start this file and ... exit bad boy! Examples of the xxxxxpop.tty/exe files:
Program                 Cleanup program
Freehand 9              Freehpop.exe or Freehpop.tty
Flash 4                 Flashpop.exe or Flashpop.tty
Dreamweaver 3           Dreampop.exe or Dreampop.tty
XingMPEG encoder 2.0    Xmcodpop.exe

While the Explorer window is open we hit CTRL-D and Softice pops up. Now set a breakpoint on Kernel32!SleepEx by entering bpx sleepex, CTRL-D again and Softice is gone. Now we start the executable xxxxxpop.exe (Dreampop.exe) by double-clicking on the file. We see the encoding window shown at the beginning of this essay, and after a while Softice pops up, halted in the Kernel32!SleepEx code. If Softice didn't pop up and you see the error message, then start the file a second time; it happens that it does not work the first time. Now we push F12 (equal to p ret) and we're in Dreampop code. We clear all breakpoints by typing bc *. We see the following code:

00401921 E8 7A FE FF FF       call sub_4017A0
00401926 6A 00                push 0
00401928 6A 00                push 0
0040192A 68 E0 22 40 00       push offset loc_4022E0
0040192F E8 3A 86 01 00       call __beginthread
00401934 83 C4 0C             add esp, 0Ch
00401937 6A 00                push 0
00401939 68 D0 07 00 00       push 7D0h
0040193E FF 15 48 31 42 00    call ds:SleepEx
00401944 E8 57 FE FF FF       call sub_4017A0          <- We're here.
00401949 E8 B2 F7 FF FF       call sub_401100          <- BAD BOY, EXIT CODE.
0040194E 8B F0                mov esi, eax
00401950 83 FE FF             cmp esi, 0FFFFFFFFh
00401953 75 16                jnz short loc_40196B
00401955 6A 00                push 0
00401957 FF 15 DC 31 42 00    call ds:PostQuitMessage

When we scroll down (not execute) half a page in Softice from address 401944 (after the return from SleepEx), we always come to a call to FindWindowExA, as we see below:

004019DF 68 58 52 42 00       push offset aTurnkexeSS ; "Turnkexe%s%s"
004019E4 51                   push ecx
004019E5 E8 5D 81 01 00       call _sprintf
004019EA 83 C4 10             add esp, 10h
004019ED 8D 54 24 0C          lea edx, [esp+0Ch]
004019F1 6A 00                push 0
004019F3 52                   push edx
004019F4 6A 00                push 0
004019F6 6A 00                push 0
004019F8 FF 15 E8 31 42 00    call ds:FindWindowExA
004019FE 85 C0                test eax, eax
00401A00 74 49                jz short loc_401A4B      <- Here xxxxxx !
00401A02 68 86 01 00 00       push 186h
00401A07 E8 E4 09 00 00       call sub_4023F0
00401A0C A1 E4 BC 42 00       mov eax, dword_42BCE4
00401A11 8D 8C 24 10 01 00+   lea ecx, [esp+110h]
00401A18 50                   push eax
00401A19 68 28 3C 43 00       push offset unk_433C28

Write down the address xxxxxx of the jz xxxxxx two lines below the FindWindowExA. In this case xxxxxx is equal to 401A4B. We use the a (assemble) command at 401944 in Softice and enter: jmp xxxxxx, with xxxxxx the address we found above (in this case jmp 401A4B), followed by Enter twice. With this jump we go directly to the decrypt routines without checking if we're good or bad! Now we enter d PostQuitMessage in Softice; in the dump window we see the start address of PostQuitMessage (top left corner of the dump window). Enter in Softice r ebx yyyyyy, with yyyyyy the start address of PostQuitMessage. This last step is necessary because later in the code there is a call to PostQuitMessage through a call ebx; if we skip this step the encoding will work, but we'll get an error message. CTRL-D, and we see the unbox window again; at the end of this routine, Dreamweaver starts. The SalesAgent protection is now fully removed from the program!

This document was created with Macromedia Dreamweaver 3.0, protected with SalesAgent, a commercial(?) protection!

Final notes.

While reversing SalesAgent, I've come across two versions of SalesAgent; this essay works on both of them! Don't make these modifications directly on the hard disk and don't set breakpoints with bpx in the program code, because the xxxxxpop.tty or xxxxxpop.exe program contains CRC check routines. If anyone needs info or the crack for these CRC routines, send me an e-mail (capac@gmx.net); I will then make another essay on these CRC routines. I've used this method to remove SalesAgent from the following programs:

Macromedia Director 7
Macromedia Flash 4
Macromedia Dreamweaver 3
Macromedia Dreamweaver Developer 3
Macromedia Fireworks 3
Macromedia Freehand 9
XingMPEG encoder 2.0

The end.