Rsagnt32.dll
How to reverse another commercial "ready made" protection
timelock
Timelock
25 July 1998
by Miguel Neto
Courtesy of Fravia's page of reverse engineering
slightly edited
by Fravia+
fra_00xx
989715
Miguel Neto
1100
NA
PC
Well well, old timelock never dies... "Sales Agent" what for an ugly commercial oriented name. We'll have to build our own 'Sales antiagents' bots... Hey, why not? C'mon, let's have our "freedom agents" or -even better- "poetry agents"! I mean: what about our own simple perl robots roaming around and nuking automatically -for instance- all web sites where 'commerce' dominates and where there are no rhimes and no poetry at all? :-)
Ok, I'm dreaming (am I? :-) anyway just have fun with this simple protection scheme!
There is a crack, a crack in everything That's how the light gets in
Rating
(x)Beginner (x)Intermediate ( )Advanced ( )Expert

This is an essay aimed at begginers and intermediate crackers alike; it will hopefully teach you how to reverse another commercial "already made" protection, Sales Agent (Time Lock protection style)
How to reverse Sales Agent
An example: Macromedia Dreamweaver
Written by Miguel Neto


Introduction

Hello, HCUkers. My name is Miguel Neto. Beeing the less than average cracker that I am, and therefore don't having to fear censors, I don't see why I should use a nicknname. I am going to introduce you to another commercial protection scheme, "tl32v20.dll style". This one is called rsagnt32.dll. As you will see, it is hardly more difficult to beat than the more widespread TimeLock.

The main program I am aware of that uses this "Sales Agent" is Dreamweawer, a wiespread web-design and site-administration utility.
I apologize for the size of the target, I know it is very big, but most commercial applications are (IE4, NETSCAPE4, Norton's recent products, etc...).
Anyway, it shouldn't take all too much to download, even on a slow connection, once you have ftpgetted it from the web (alternatively you'll find it on many magazine covers published in the period April-July 1998).

Even though this target proved very easy to defeat, I thougt it would be worth sending my essay to Fravia+ because of the protection it uses, which has been made by a third party company.
You will probably encounter the same scheme in many other products.
Ok, enough rambling, let's reverse!

Tools required
Soft-Ice 3.2 Wdasm, any version should do

Target's URL/FTP
ftp://ftp.pcworld.com/pub/internet/html_editors/dreamweaver.exe Get it here

The version I am using is 1.0, because I already had it on my hard disk. I don't know if more recent versions still have the same protection scheme. The setup file for version 1.0 is 5.5 mb and is called dreamweaver.exe
Essay

First of all, install Dreamweawer. The installation asks you for a serial number, you don't have to enter one just yet. Ok, let's try and register it. After searching for a while, we conclude that there is no obvious way to register ("This product is using a DEMO serial and does not need to be registered").
The only protection appears to be the 30 day trial. Ok, so set your clock one month forward to see what happpens. There you go! Dreamweaver expired! Now reset your clock to it's original state and restart Dreamweaver. Doh! I doesn't work!
Dreamweaer is gone forever, at least until you reverse it... This must be one of those "diode protections" +ORC mentioned to us...
No matter, we won't go that way... Cracking a time trial is never a *clean* reverse, the program is never 100% complete that way, you never know what can happen 1 month from later. So, start Dreamweaver and select buy. Quite a fancy screen we have here.
Doesn't look like it is really a part of Dreamweaer proper does it? No references to the program or to Macromedia whatsoever... Let's see where does this beautiful screen live...
Fire up Soft-ice and set a breakpoint on getdlgitemtexta and on getwindowtexta.
Enter some stuff to fill out the fields and press enter. Soft-ice fires up in Kernel32 (the dll where dlgitem and windowtext live), press F12 to go back to whatever called that function, and you see that it rsagnt.
A new kid on the block! Using the Find feature of windows95, we discover that the correspondent dll is on Dreamweaver's directory (At least Macromedia had the decency of not concealing it in the windows/system). Let's disassemble the babe! If you haven't prepared your drink and set up your music yet, don't bother, because we are practically finished...
Once Wdasm has finished disassembling, go to string references. Check them.
Examine each and every one of them. This is the most difficult part of the cracking, even if it is always pretty easy. You will eventually find a "Thank You", which is not bad at all as 'fishing point'... but there is also a "This is a Demo. Unlocking", which is much better.
Double click that reference and you will end up here:

* Referenced by a CALL at Address:10003DF6
|
:10003F40 81EC70020000            sub esp, 00000270
:10003F46 833DA8DD021000          cmp dword ptr [1002DDA8], 00000000
:10003F4D 53                      push ebx
:10003F4E 56                      push esi
:10003F4F 57                      push edi
:10003F50 55                      push ebp
:10003F51 7532                    jne 10003F85; remember this!!!
:10003F53 8B9C2484020000          mov ebx, dword ptr [esp+00000284]
:10003F5A 6A40                    push 00000040

* Possible StringData Ref from Data Obj ->"SalesAgent Demo"
                                  |
:10003F5C 688C500210              push 1002508C

* Possible StringData Ref from Data Obj ->"This is a demo. Unlocking"
                                  |
:10003F61 6858500210              push 10025058
So, if at 3DF6 the program calls this, that means that it pretty much knows that everything is set, that the user has payed his 269$ (Oh my!), and that it can go on with the unlocking. So, let's see what happens at EDF6. Scroll up a bit and you will see:
* Referenced by a Jump at Address:10003DDA(C)
|
:10003DF1 8B742448                mov esi, dword ptr [esp+48]
:10003DF5 56                      push esi
:10003DF6 E845010000              call 10003F40
Haha! A conditional jump! So, if at 3DDA the program breaks, than the program will probably be registered! Fire up soft-ice, recreate or enable the breakpoint at getdlgitemtexta and select BUY from the Dreamweaver nag. Enter some text and press enter. Soft-Ice will break and you will be able to set the breakpoint at 10003DDA on rsagnt. Ok, now clear all breakpoints exept the last one, fill in the fields, and continue. We now have another screen asking us information about out credit card, just enter a bunch of keys for the credit card number, and some balloney info about yourself, and you are ready to go. There is no need to check for credit card info at this point, since you are still offline, so if you enter 13 numbers the program will probably accept them. If not, just enter your expired credit card info, don't worry, we'll never go online with it. Press enter and voilą! Soft-ice breaks at the conditional jump. Change the flag and the program will jump. Now, if you remember correctly, right before the "Unlocking" string showed up, there was a conditional jump, at 3F51. So we will have to trace the function and change this flag to. At this point, you can press F5 and you are ready to go! There is no need to patch since the program only checks this call once! The program is unlocked.

Now we start Dreamweaver, thinking that we are registered, only to discover that there is another serial number to be entered. Before I explaine this protection, there is something you must know. When I began writting this tutorial, I said to myself: "Miguel, you are just a begginer! So don't go around criticizing the way Dreamweaver or the protection is made, just reverse! You'll end up making a fool of yourself!" But now I find it impossible to contain myself. Just disassemble Dreamweaver yourself and you will see what I mean; God know why, Macromedia already gave you the first letters of the code, DWW100-. Now, if you look at the references, you will find a nice string like this: DWW100-07785-53546-55079.

"It can't be"-you shout.
It is.
It seems that the boys at Macromedia wanted to give us a taste of their protection skills, as well as a motif as why they chose this commercial protection. It makes me laugh! THIS is the way a 269$ software is protected... Now, level with me, you would not have found yourself a more stupid way to protect than to hardcore the serial into the file itself would have you?
HA HA AH... My tummy hurts... My back hurts... ha ha ha... Thank god this tutorial is finished!!

Final Notes
You now have another weapon in your arsenal, the knowledge to reverse
SalesAgent,
let's hope more and more software companies decide to buy this
protection.
Protections are getting easier each day my friend, people are getting
more
stupid
each day, if you don't go with the flow, if you don't forget that
knowledge is the
Ultimate Weapon, we have nothing the fear, quite on the contratry...

I would like to thank +Fravia for all his efforts. His site is the only
one in the
web that rises cracking to an art form, and I can only hope to become
half
the cracker he is.
  


Ob Duh
I wont even bother explaining you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell.

You are deep inside Fravia's page of reverse engineering, choose your way out:

redhomepage redlinks redsearch_forms red+ORC redstudents' essays redacademy database
redreality cracking redhow to search redjavascript wars
redtools redanonymity academy redcocktails redhttp://Fravia.org/ideale.htm">antismut CGI-scripts redmail_Fravia
redIs reverse engineering legal?

Message - Download
- Prev | Next Back to Inbox

Copyright © 1997-98 Yahoo! Inc. All rights reserved.