Dreamweaver3 Trial / Rsagent v3.1.2
by Freddy K

Published by +Tsehp April 2000

crackz@freddyk.cjb.net
http://freddyk.cjb.net

 

Target: Dreamweaver3 Time Limited Trial [30 day] http://www.macromedia.com
Difficulty: Easy
Method: Bypass SICE check, wander through code and get the matching registration
Tools used: Soft Ice (how surprising...) v4.0, Ultra Edit 32 v7.00a, Procdump v1.60
Date: Apr 2000
SICE Protection: BCHK (boundschecker interface)

Dreamweaver 2, when it came out, was a revelation to the Web community - and it has continued to be a great web package. When you download and install DW3, you get the full functionality of the program for a limited number of days (in this case 30). At the end of that it's "thanks for coming": either buy it or go away.

WHAT IS THE PROTECTION SYSTEM

The Macromedia trial software uses a digital ecommerce encryption system called Sales Agent, from a company called ReleaseNow.com. It turns any standard software into trial software with a fairly good try-before-you-buy system. When you install it, have a look in the Dreamweaver directory, and you'll see a few strange files that don't seem to fit:

I can't remember what extension DW2 (or more correctly the previous Sales Agent) used for its files, but this one (v3.1.2) uses .tty as its extension. The file rsagent32.tty is actually rsagent32.dll, the protection program. The file dreamweaver.tty is the actual DW3 program (the true one), with the first 1000h bytes of the .text section encrypted (learn more about encryption and sections with my unpack1 tute). What happens when you run dreamweaver in its trial state is:

1. The loader runs (which is pretending to be the real dreamweaver)
2. It loads up the routines from rsagent (it is compressed too)
3. If you use the trial, it decrypts the .text section of dreamweaver.tty and runs it, so you can use the program like it should be, OR
4. If you register it, it permanently decrypts the file on disk, deletes itself, and renames dreamweaver.tty to dreamweaver.exe, giving you the original program back

HOW ARE WE GOING TO BYPASS IT

We'll be taking advantage of fact 4 - by getting past reg once, it will be forever!
Fire up SICE, run DW3, choose "Buy Now" [ let's pay!, or is that play :-) ]. Run through all the screens, putting in whatever you want. Choose "Go Offline" for the payment method (then we don't have to worry 'bout a legit card number). Choose "phone", and you'll be presented with a screen to put in a challenge-response number. Now in sice use:

BPX GetDlgItemTextA

Punch in any number, and click "OK". F12 out of kernel32 so you get back into DW3 (the fake one...), and you should end up at line 0040F106.

* Reference To: USER32.GetDlgItemTextA, Ord:0104h |
:0040F100 FF15B8C24200 Call dword ptr [0042C2B8]
:0040F106 BF90B24400 mov edi, 0044B290 < ------------- POP IN HERE, EDI=SERIAL NUMBER ENTERED
:0040F10B 83C9FF or ecx, FFFFFFFF
:0040F10E 33C0 xor eax, eax
:0040F110 F2 repnz
:0040F111 AE scasb
:0040F112 F7D1 not ecx
:0040F114 49 dec ecx < --------- UP TO HERE CALCS HOW MANY CHAR IN YOUR S/N

Take a close look at the following compare -> 0Ah = 10 in decimal

:0040F115 83F90A cmp ecx, 0000000A
:0040F118 7440 je 0040F15A < ------------- this jumps off to a "wrong s/n" routine if =10 char
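For readers new to this idiom, here is the length calculation at 0040F10B-0040F118 emulated register by register in C. This is an added example, not code from the original tutorial or from the program; the function names are hypothetical and the sample strings are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Register-level emulation of 0040F10B..0040F114 from the listing.
 * Function names are hypothetical; only the instruction semantics
 * come from the x86 instruction set. */
uint32_t scasb_strlen(const char *buf)
{
    const uint8_t *edi = (const uint8_t *)buf; /* mov edi, <buffer>   */
    uint32_t ecx = 0xFFFFFFFFu;                /* or  ecx, FFFFFFFF   */
    uint8_t  al  = 0;                          /* xor eax, eax        */

    /* repnz scasb: while ecx != 0 { compare al with [edi]; edi++;
     * ecx--; stop once the compared byte equals al } */
    while (ecx != 0) {
        uint8_t byte = *edi++;
        ecx--;
        if (byte == al)
            break;
    }
    /* ecx started at -1 and dropped once per byte scanned, NUL
     * included, so ecx == -(n + 2) for a string of n characters. */
    ecx = ~ecx;                                /* not ecx -> n + 1    */
    ecx--;                                     /* dec ecx -> n        */
    return ecx;
}

/* cmp ecx, 0000000A / je 0040F15A: ZF is set, and the je taken,
 * only when the entered string is exactly 10 characters long. */
int je_taken(const char *buf)
{
    return scasb_strlen(buf) == 0x0Au;
}

int main(void)
{
    /* Constructed sample inputs, not values from the tutorial. */
    const char *samples[] = { "", "12345", "0123456789", "01234567890" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s len=%u je=%d\n", samples[i],
               (unsigned)scasb_strlen(samples[i]), je_taken(samples[i]));
    return 0;
}
```
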


:0040F11A 8D442408 lea eax, dword ptr [esp+08]
:0040F11E 68FF0F0000 push 00000FFF
:0040F123 50 push eax
:0040F124 6881010000 push 00000181
:0040F129 E8B2EDFFFF call 0040DEE0 < ------- these calc our good s/n
:0040F12E 6882010000 push 00000182
:0040F133 E8C8EDFFFF call 0040DF00 < ------- ^^^^^^^^^^^^^^^^^^

OK, now our s/n has been calculated - we just have to read it (EAX) -> "d eax" in sice and we have our unlock code for RSAgent.
We don't actually end up here if our number is correct, but as ours isn't initially, we will!

:0040F138 83C410 add esp, 00000010
:0040F13B 8D4C2408 lea ecx, dword ptr [esp+08]
:0040F13F 6A30 push 00000030

For some win32 fun, we can make our s/n even easier to read - we can make it appear in the error box when we put in the wrong code. Change the line below in sice ("a" when you get to it) to be "push 112C640" (this will only work for this VER of DW3 - the variable changes with different programs). Then ctrl-D, watch the error box come up, and there's your unlock code in the heading! Certainly not necessary, but cool.

:0040F141 68E07B4400 push 00447BE0
:0040F146 51 push ecx
:0040F147 56 push esi

* Reference To: USER32.MessageBoxA, Ord:01BEh |
:0040F148 FF1564C24200 Call dword ptr [0042C264] < ----------- ERROR WRONG CODE! Msg.
:0040F14E 5F pop edi
:0040F14F 83C8FF or eax, FFFFFFFF
:0040F152 5E pop esi
:0040F153 81C400100000 add esp, 00001000
:0040F159 C3 ret

When you put in your right code, RSAgent will remove itself and DW3 will run as if it's the first time you installed it - then you'll need a DW3 code to get in. Any will do:

DWW300-69119-97280-19336

BTW if you want a keygen for it there are many around - just check out CORE/Hambo for them.
As a final note, and I rarely say this, this program IS actually worth buying. It's only a few hundred dollars, and makes the whole web process a lot easier. I DID buy the program after cracking and using it a few months, and have to say it is worth the bucks.

See you next tute. Any comments or questions (if they are legitimate and you've actually TRIED yourself....) send them to my email at the top, or go to the web site.
l8tr.
Freddy K
Main http://freddyk.cjb.net
Link http://freddyk.tsx.org