Hello, HCUkers. My name is Miguel Neto. Being the less-than-average cracker that I am, and therefore having no censors to fear, I don't see why I should use a nickname. I am going to introduce you to another commercial protection scheme, in the "tl32v20.dll style". This one is called rsagnt32.dll. As you will see, it is hardly more difficult to beat than the more widespread TimeLock.
The main program I am aware of that uses this "Sales Agent" is Dreamweaver, a widespread web-design and site-administration utility. I apologize for the size of the target, I know it is very big, but most commercial applications are (IE4, Netscape 4, Norton's recent products, etc.). Anyway, it shouldn't take all that much to download, even on a slow connection, once you have fetched it from the web (alternatively you'll find it on the cover disks of many magazines published in the period April-July 1998). Even though this target proved very easy to defeat, I thought it would be worth sending my essay to Fravia+ because of the protection it uses, which has been made by a third-party company. You will probably encounter the same scheme in many other products.
Ok, enough rambling, let's reverse!
First of all, install Dreamweaver. The installation asks you for a serial number; you don't have to enter one just yet. Ok, let's try and register it. After searching for a while, we conclude that there is no obvious way to register ("This product is using a DEMO serial and does not need to be registered"). The only protection appears to be the 30-day trial. Ok, so set your clock one month forward to see what happens. There you go! Dreamweaver expired! Now reset your clock to its original state and restart Dreamweaver. Doh! It doesn't work! Dreamweaver is gone forever, at least until you reverse it... This must be one of those "diode protections" +ORC mentioned to us: once the program has seen the trial expire it remembers it, and turning the clock back does not bring it back.
No matter, we won't go that way... Cracking a time trial is never a *clean* reverse: the program is never 100% complete that way, and you never know what can happen one month from now. So, start Dreamweaver and select Buy. Quite a fancy screen we have here. It doesn't look like it is really a part of Dreamweaver proper, does it? No references to the program or to Macromedia whatsoever... Let's see where this beautiful screen lives...
Fire up Soft-Ice and set a breakpoint on GetDlgItemTextA and on GetWindowTextA. Enter some stuff to fill out the fields and press Enter. Soft-Ice pops up inside USER32 (the DLL that exports GetDlgItemTextA and GetWindowTextA); press F12 to return to whatever called that function, and you will see that the caller is rsagnt32. A new kid on the block! Using the Find feature of Windows 95, we discover that the corresponding DLL is in Dreamweaver's directory (at least Macromedia had the decency not to conceal it in windows\system). Let's disassemble the babe! If you haven't prepared your drink and set up your music yet, don't bother, because we are practically finished...
Once W32Dasm has finished disassembling, go to the string references and check them. Examine each and every one of them. This is the most difficult part of the cracking, even if it is always pretty easy. You will eventually find a "Thank You", which is not bad at all as a 'fishing point'... but there is also a "This is a Demo. Unlocking", which is much better. Double-click that reference and you will end up here:
* Referenced by a CALL at Address:10003DF6
|
:10003F40 81EC70020000    sub esp, 00000270
:10003F46 833DA8DD021000  cmp dword ptr [1002DDA8], 00000000
:10003F4D 53              push ebx
:10003F4E 56              push esi
:10003F4F 57              push edi
:10003F50 55              push ebp
:10003F51 7532            jne 10003F85            ; remember this!!!
:10003F53 8B9C2484020000  mov ebx, dword ptr [esp+00000284]
:10003F5A 6A40            push 00000040
* Possible StringData Ref from Data Obj ->"SalesAgent Demo"
|
:10003F5C 688C500210      push 1002508C
* Possible StringData Ref from Data Obj ->"This is a demo. Unlocking"
|
:10003F61 6858500210      push 10025058

So, if the program calls this routine from 3DF6, that means it pretty much knows that everything is set, that the user has paid his $269 (Oh my!), and that it can go on with the unlocking. So, let's see what happens at 3DF6. Scroll up a bit and you will see:
* Referenced by a Jump at Address:10003DDA(C)
|
:10003DF1 8B742448        mov esi, dword ptr [esp+48]
:10003DF5 56              push esi
:10003DF6 E845010000      call 10003F40

Haha! A conditional jump! So, if the jump at 3DDA is taken, the program lands here and will probably be registered. Fire up Soft-Ice, recreate (or re-enable) the breakpoint on GetDlgItemTextA and select Buy from the Dreamweaver nag. Enter some text and press Enter. Soft-Ice will break, and now that rsagnt32 is loaded and you are in its context you will be able to set a breakpoint at 10003DDA. Ok, now clear all breakpoints except the last one, fill in the fields, and continue. We now have another screen asking us for information about our credit card; just enter a bunch of keys for the credit card number and some baloney info about yourself, and you are ready to go. There is no need for the program to verify the credit card info at this point, since you are still offline, so if you enter 13 digits it will probably accept them. If not, just enter your expired credit card info; don't worry, we'll never go online with it. Press Enter and voilà! Soft-Ice breaks at the conditional jump. Change the flag and the program will jump. Now, if you remember correctly, right before the "Unlocking" string showed up there was another conditional jump, at 3F51, so we will have to trace into the function and change that flag too. At this point you can press F5 and you are ready to go! There is no need to patch, since the program only checks this call once. The program is unlocked.
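A small check I have added for this essay (my own Python, not part of the W32Dasm listing and not Sales Agent's code): it recomputes the branch targets from the opcode bytes printed above, which is how you convince yourself that "7532" at 3F51 really is the jne to 3F85 and "E845010000" at 3DF6 really is the call to 3F40. x86 relative branches are encoded against the address of the *next* instruction, so the target is address + instruction length + displacement. The two helper functions show what a permanent byte patch of the jne would look like (inverting the condition, or forcing a short jmp), for the case where you would rather not flip the flag in Soft-Ice every time; the listing only ever flips the flag.

```python
import struct

# Added example, not part of the original essay: recompute the branch targets
# from the opcode bytes W32Dasm printed, to confirm that the listing is
# internally consistent. Bytes and addresses are copied from the listing of
# rsagnt32.dll above; nothing here touches the real DLL.
LISTING = {
    0x10003F51: bytes.fromhex("7532"),        # jne 10003F85   (short Jcc, rel8)
    0x10003DF6: bytes.fromhex("E845010000"),  # call 10003F40  (near call, rel32)
}

# Condition-code names for Jcc opcodes 70..7F (short) and 0F 80..8F (near);
# the low nibble is the condition, and cc XOR 1 is its negation (74 je / 75 jne).
JCC = ["jo", "jno", "jb", "jae", "je", "jne", "jbe", "ja",
       "js", "jns", "jp", "jnp", "jl", "jge", "jle", "jg"]


def decode_branch(va, code):
    """Decode one relative branch located at virtual address `va`.

    Returns (mnemonic, target, length). The target is va + instruction
    length + displacement, i.e. the displacement is relative to the
    instruction that follows the branch.
    """
    op = code[0]
    if 0x70 <= op <= 0x7F or op == 0xEB:          # short Jcc / short jmp, rel8
        rel = struct.unpack_from("<b", code, 1)[0]
        length = 2
        name = "jmp" if op == 0xEB else JCC[op & 0x0F]
    elif op in (0xE8, 0xE9):                      # near call / near jmp, rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        length = 5
        name = "call" if op == 0xE8 else "jmp"
    elif op == 0x0F and 0x80 <= code[1] <= 0x8F:  # near Jcc, rel32
        rel = struct.unpack_from("<i", code, 2)[0]
        length = 6
        name = JCC[code[1] & 0x0F]
    else:
        raise ValueError("not a relative branch: %s" % code.hex())
    target = (va + length + rel) & 0xFFFFFFFF     # wrap like a 32-bit EIP
    return name, target, length


def invert_short_jcc(code):
    """Bytes for the opposite condition (je <-> jne, jb <-> jae, ...).

    Toggling the low opcode bit negates the condition; the displacement
    byte is kept, so the jump still goes to the same place when taken.
    """
    op = code[0]
    if not 0x70 <= op <= 0x7F:
        raise ValueError("not a short Jcc: %s" % code.hex())
    return bytes([op ^ 1]) + code[1:]


def force_short_jmp(code):
    """Turn a short Jcc into an unconditional short jmp (EB xx)."""
    if not 0x70 <= code[0] <= 0x7F:
        raise ValueError("not a short Jcc: %s" % code.hex())
    return b"\xEB" + code[1:]


if __name__ == "__main__":
    for va, code in sorted(LISTING.items()):
        name, target, length = decode_branch(va, code)
        print("%08X %-12s %-5s %08X" % (va, code.hex().upper(), name, target))
    jne = LISTING[0x10003F51]
    print("jne at 3F51 inverted to je :", invert_short_jcc(jne).hex().upper())
    print("jne at 3F51 forced to jmp  :", force_short_jmp(jne).hex().upper())
```

Run it as is and it prints 10003F85 for the jne and 10003F40 for the call, matching W32Dasm. If you ever patch the DLL on disk instead, remember that the listing gives virtual addresses; you still have to translate them to a file offset through the PE section table, which the listing alone does not give you.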
Now we start Dreamweaver, thinking that we are registered, only to discover that there is another serial number to be entered. Before I explain this protection, there is something you must know. When I began writing this tutorial, I said to myself: "Miguel, you are just a beginner! So don't go around criticizing the way Dreamweaver or the protection is made, just reverse! You'll end up making a fool of yourself!" But now I find it impossible to contain myself. Just disassemble Dreamweaver yourself and you will see what I mean; God knows why, but Macromedia already gives you the first letters of the code, DWW100-. Now, if you look at the string references, you will find a nice string like this: DWW100-07785-53546-55079.
"It can't be", you shout. It is. It seems that the boys at Macromedia wanted to give us a taste of their protection skills, as well as a motive for why they chose this commercial protection. It makes me laugh! THIS is the way a $269 piece of software is protected... Now, level with me, you could not have found yourself a more stupid way to protect a program than to hardcode the serial into the file itself, could you?
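An added example (my own Python, not from the original essay and not Macromedia's code) of what "look at the string references" boils down to when the serial sits in the file as plain text: a scanner that pulls out every string of the DWW100-xxxxx-xxxxx-xxxxx shape. It looks in both plain ASCII runs and UTF-16LE (wide) runs, because Win32 programs store strings either way and a plain `strings` run misses the wide ones. The sample buffer is constructed here around the serial quoted above; the generic pattern (three letters, three digits, then three five-digit groups) is an assumption that generalizes the single serial on the page.

```python
import re
import sys

# Added example, not from the original essay. The serial format is generalized
# (assumption) from the one string quoted on the page, DWW100-07785-53546-55079:
# three letters, three digits, then three groups of five digits.
SERIAL_RE = re.compile(rb"[A-Z]{3}[0-9]{3}-[0-9]{5}-[0-9]{5}-[0-9]{5}")

# Constructed sample "binary": a fake DOS header, the two strings from the
# W32Dasm listing, the serial stored once as ASCII and once as UTF-16LE
# (the wide form that `strings` misses), and some padding in between.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"This is a demo. Unlocking\x00"
    + b"DWW100-07785-53546-55079\x00"
    + b"\xcc" * 8
    + "DWW100-07785-53546-55079".encode("utf-16-le") + b"\x00\x00"
    + b"Thank You\x00"
)


def ascii_strings(data, min_len=6):
    """Yield (offset, bytes) for every run of printable ASCII, like `strings`."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.start(), m.group()


def utf16le_strings(data, min_len=6):
    """Yield (offset, bytes) for runs of printable UTF-16LE text, narrowed to ASCII.

    Each character occupies two bytes (char, 0x00), so the returned offset is
    the byte offset of the first character and the text is every other byte.
    """
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        yield m.start(), m.group()[::2]


def find_serials(data):
    """Return sorted (byte_offset, encoding, serial) for every serial-shaped string."""
    hits = []
    for off, s in ascii_strings(data):
        for m in SERIAL_RE.finditer(s):
            hits.append((off + m.start(), "ascii", m.group().decode()))
    for off, s in utf16le_strings(data):
        for m in SERIAL_RE.finditer(s):
            # m.start() counts characters; the wide string uses two bytes each
            hits.append((off + 2 * m.start(), "utf16le", m.group().decode()))
    return sorted(hits)


def scan_file(path):
    """Convenience wrapper: scan a real file on disk."""
    with open(path, "rb") as f:
        return find_serials(f.read())


if __name__ == "__main__":
    # With a path argument scan that file, otherwise scan the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, enc, serial in find_serials(data):
        print("%08X %-8s %s" % (off, enc, serial))
```

On the sample it reports the serial twice, once as ASCII and once as a wide string at a later offset. A serial found this way is a file offset, not a virtual address; to get back to the W32Dasm address of the reference you would add the section's virtual address minus its raw offset from the PE headers.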
HA HA HA... My tummy hurts... My back hurts... ha ha ha...
Thank god this tutorial is finished!!
You now have another weapon in your arsenal, the knowledge to reverse SalesAgent; let's hope more and more software companies decide to buy this protection. Protections are getting easier each day, my friend, and people are getting more stupid each day; if you don't go with the flow, if you don't forget that knowledge is the Ultimate Weapon, we have nothing to fear, quite the contrary... I would like to thank +Fravia for all his efforts. His site is the only one on the web that raises cracking to an art form, and I can only hope to become half the cracker he is.