Macromedia's Drumbeat 2000 There's Bugs in the Woodwork Rsagnt32.dll upgrade August 1999	Not Assigned
8 october 99	by Sojourner
	Courtesy of Fravia's page of reverse engineering	slightly edited by Fravia+
fra_00xx 981008 Sojourner 0100 NA PC	The first impression you'll get reading this is that it is quite a messy essay. Yes, but the second time you read it, especially if you are experimenting 'on line' with the target at the same time, is that it is a very clever essay as well. Sojourner will lead you through dark codewoods, and at the end you'll be out, under the sun, on the other side of the codeforest... This essay is quite important for protectors as well, I believe: what's the point of creating a protection scheme monster like this one if one actually just needs ole wdasm to reverse it? I also like Sojourner's approach of NOT giving a "ready-made" cracking solution for the zombies out there. Only one question for Sojourner: would it have been possible, par chance, to land inside this protection scheme -as well- through the "lstrcmpiA" call?
	There is a crack, a crack in everything That's how the light gets in
Rating	()Beginner (X )Intermediate ( )Advanced ( )Expert

Introduction

Wow! Macromedia really took me by surprise with this new product line. Yes, I know that Drumbeat is not new but for Macromedia, but it is a new acquisition for them. One thing is for sure in this industry, you can not sit on your laurels thinking you've got it made. See more below in main text.

Tools required

 Trusty ole w32dasm 8.9 or whatever version you care to work with--Nothing else is needed--hard to believe isn't it?

Program History

There is a significant history with Macromedia and especially rsagnt32.dll. You may see some of my other works here on Fravia's site. :-)

Please don't hesitate to try some of the older stuff. It's a lot easier to play with and learn. I already checked the web site, there's plenty to play with.

Essay

These programmers surprised me with a couple of new twists this time round. Let's go ahead and start. After you have downloaded the trial version of Drumbeat 2000 and installed on your system, go ahead and run it a few times to see what it looks like inside. You'll see the familiar Macromedia splash screen with its Buy Me/Try Me option. You can do whatever you want to start with until you're tired of piddling around with it. Are you ready to go now? Start your w32dasm v8.9 and load the drumbeat.exe (208kb) Not very big is it? That's good for us because it only takes a very short while to decompile. As usual, save right away and then have a look around the string listings and look for any goodies. Did you see anything useful? Now have a look in the imported function section, note especially in the Kernel 32.dll section--you will see DebugBreak. Please a note of the locations where these are found, 'cause they will come back to haunt you. This is one of the new updates Macromedia has made in regards to its software. It proved daunting to me at first. I just finished a paper back in June on the "Flash 4", with an update in the rsagnt32.dll, and I did not encounter this kind of api call then.
So this is a very recent change in their programming direction. Keep heart though fellow +HCU students, because "There is a crack, a crack in everything That's how the light gets in." We'll do the same to this schema that we have done to many more in the past. Are you writing all this down? Do keep a notebook--it will help you tremendously. This stuff is not going away. As you can see, there is increased complexity in the market. This is most interesting for Fravias! Our notes will ever increase. Now go ahead and actually run the Drumbeat 2000 through w32dasm. Wasn't that fun? Kicked your A** right on out of there didn't it? You didn't even really get a chance there did you? Alright, go ahead and try again, and again. You're going to find it most difficult to break through in there although you may be able to nop some calls to the DebugBreak to help you eventually. It really isn't necessary, though.

Okay- I spent quite a few frustrating hours messing with this stuff before I got the light. Part of the problem is having to restart your session from scratch every time you're booted out. It's just plain time-consuming. Fortunately for us, w32dasm allows us to break in on a process that's already running. I like that a lot! So we'll be a little bit sneaky with this prog and try the back or side door. Before we do that though, you need to stop and go get the rsagnt32.dll and decompile it in w32dasm. You do want to buy this, don't you? I thought so. I mean, it's not everyday you get to go out and get a new ASP tool right? You might be wondering how come we don't need any hex editor this time. Wellllll---- to answer that you need to go ahead and make a few changes to one of the .dlls, like maybe rsagnt32.dll.. BUT PLEASE, make a copy of it first. You may also want to make a clean copy of the Drumbeat.exe before we might accidentally ruin it, too. Wheew, glad to have that done. Sorry I didn't mention that earlier. I routinely do that before I start to work. I've inadvertently messed up several goods progs before I got into that habit. If you went ahead and made those changes as suggested earlier, then you can go ahead and run Drumbeat 2000 outside of w32dasm. You probably noticed it gave you an error message while trying to load the .dll you changed. So it has internal CRC check somewhere. I must admit that this is another new feature. Didn't I tell you some things have changed? I didn't bother with the error checking routine actually. As you will see it all becomes a moot point soon, so it won't matter.

Alright, are you finished messing now? We've got to get back to work. Remember, we were fixing to go through the side door. First we'll check to see if it's open. Be sure Drumbeat 2000 is running outside of w32dasm on its own. Go ahead and tell them you want to buy it this time. You'll get a screen setup that wants a bunch of personal stuff and purchase info. I told you in the not too far past that I would help you bypass the credit card requirement on the rsagnt32.dll. Lo and behold, I don't have. Isn't that funny? Here is another neat feature. Just tell them you want to pay by mail and you will get a completion screen with a thank you and the oppportunity to print your file to send it to them. You really don't have to print the acknowledgement, but you can if you want to. Just finish the transaction. Any debugger bullcrap? Not on your life friend. Now wasn't that the easiest you ever bought a piece of killer software. If only it was that easy---well it almost is fellow HCUer. You can go back now and choose buy again and you'll get a new screen that wants you're Unlock Code. Just for your own info, once you enter in whatever you want, don't go about changing the stuff and then go for a new registration. The reason is you'll be reassigned a new "Personal Code." This code in conjunction with 2 other internal variables-- PQYZMERUOA--which is at 1000c957 and JIKLICBXZC- which is at 1000c98b, calculates whether you're input string is right or wrong. This will become clearer a little later on. By the way these variables are very old and have been in several versions of rsagnt32.dll from years ago. Some you out there may have the necessary skill to create a keygen from this section of code. Additionally, you can see the variables in the decompiled listing from inside w32dasm along with the actual serial numbers-there are two to choose from- that you will need later to finally complete the purchase process. These variables really don't help that much as you can't manipulate them without creating a little tension in the program. Remember what +ORC mentioned in some of his earlier essays, if you don't need to change it, then don't. Leave it alone. If all it takes is a one bit change don't go around changing whole words. One increases the chances for error that way. Go ahead and write down the personal code that shows up grayed out on the left side of the screen. You will only use this for reference now, but those keymakers out there may find it more than passing useful. Fire up w32dasm and load in rsagnt32.dll and run it as attached to Drumbeat.exe which is already running. I always check the inhibit override and start. W32dasm immediately loads the drumbeat.exe., you will also get a DebugBreak msg. Only step ONCE to clear this. In w32dasm load the rsagnt32.dll now so it is in the active part and you can see the listing of code. Before you do anything else you need to put breakpoints at 2 places only- they are both calls to DebugBreak--one is at 10005AA2 and the other is at 10005B30. You may continue running the prog now and after you have input some string into the Unlock Code space you'll break at one of these two calls. You must nop these two calls and then may run pretty much with impunity in this faked out system. Hah, I love it !!! Just for your info--this little bit cost me muchos hours of work plus my spouse bugging me, 'cause I spend too much time on the system--anybody ever see "The Matrix" or read "Neuromancer" by William Gibson. There you go. You know exactly what I mean. I say "Keep on keeping on." This is a part of my life. You may have it heard it said you are what you eat, I say, you are what you do. Enough philosophia.

Did your code work? Of course not! Try it again. No luck. I knew it. I told you I already spent countless hours on this new junk and it was not easy. Did you find any string listings for that lousy MessageBoxA that said, "Invalid Code?" No, you didn't, of course I knew it wouldn't be there either. Macromedia got rid of that stuff a couple of renditions ago. Oh me. What do we do. Well, I said MessageBoxA a second ago. Go ahead and put some breaks to find out where you're going in this high-speed lane. By the way, conservatively speaking, I did a quick calculation to give a hint as to how many times I might have to input this unknown code to just find it by random. It comes to something like 1:1,000,000,000,000,000,000. As you can see, that's a fairly large sum. I wouldn't want to spend the rest of my eternity doing that. Would you? I didn't think so. You are way too---anyway, let's move on. We can find this out with a little help from our friends. You'll see that everything will be revealed if we persevere. I'll load a little code for you now (the "return" hyperlinks will be useful when you'll be reading the second part of this essay, after the code, below)

* Referenced by a CALL at Address: 10005643 |  

:10005A20 55 push ebp
:10005A21 8BEC mov ebp, esp  
:10005A23 6AFF push FFFFFFFF
:10005A25 68F00A0210 push 10020AF0
:10005A2A 64A100000000 mov eax, dword ptr fs:[00000000]
:10005A30 50 push eax
:10005A31 64892500000000 mov dword ptr fs:[00000000], esp
:10005A38 51 push ecx
:10005A39 B8D4110000 mov eax, 000011D4
:10005A3E E8CD160100 call 10017110
:10005A43 53 push ebx
:10005A44 56 push esi
:10005A45 57 push edi
:10005A46 8965F0 mov dword ptr [ebp-10], esp
:10005A49 C68570FFFFFF00 mov byte ptr [ebp+FFFFFF70], 00
:10005A50 B90C000000 mov ecx, 0000000C
:10005A55 33C0 xor eax, eax
:10005A57 8DBD71FFFFFF lea edi, dword ptr [ebp+FFFFFF71]
:10005A5D F3 repz
:10005A5E AB stosd
:10005A5F AA stosb
:10005A60 C6853CFFFFFF00 mov byte ptr [ebp+FFFFFF3C],00
:10005A67 B90C000000 mov ecx, 0000000C
:10005A6C 33C0 xor eax, eax
:10005A6E 8DBD3DFFFFFF lea edi, dword ptr [ebp+FFFFFF3D]
:10005A74 F3 repz
:10005A75 AB stosd
:10005A76 AA stosb
:10005A77 C6852CFEFFFF00 mov byte ptr [ebp+FFFFFE2C],00
:10005A7E B93F000000 mov ecx, 0000003F
:10005A83 33C0 xor eax, eax
:10005A85 8DBD2DFEFFFF lea edi, dword ptr [ebp+FFFFFE2D]
:10005A8B F3 repz
:10005A8C AB stosd
:10005A8D 66AB stosw
:10005A8F C645B000 mov [ebp-50], 00
:10005A93 B90F000000 mov ecx, 0000000F
:10005A98 33C0 xor eax, eax
:10005A9A 8D7DB1 lea edi, dword ptr [ebp-4F]
:10005A9D F3 repz
:10005A9E AB stosd
:10005A9F 66AB stosw
:10005AA1 AA stosb
:10005AA2 E859040000 call 10005F00 RETURN
:10005AA7 6A1B push 0000001B
:10005AA9 E8E20D0100 call 10016890
:10005AAE 83C404 add esp, 00000004
:10005AB1 6A0B push 0000000B
:10005AB3 68CC8F0210 push 10028FCC
:10005AB8 68BF010000 push 000001BF
:10005ABD 8B5D08 mov ebx, dword ptr [ebp+08]
:10005AC0 53 push ebx
* Reference To: USER32.GetDlgItemTextA, Ord:0104h
:10005AC1 FF1570120210 Call dword ptr [10021270]
:10005AC7 BFCC8F0210 mov edi, 10028FCC RETURN
:10005ACC 83C9FF or ecx, FFFFFFFF
:10005ACF 33C0 xor eax, eax
:10005AD1 F2 repnz
:10005AD2 AE scasb
:10005AD3 F7D1 not ecx
:10005AD5 49 dec ecx
:10005AD6 83F90A cmp ecx, 0000000A RETURN
:10005AD9 7455 je 10005B30
:10005ADB 68FF0F0000 push 00000FFF
:10005AE0 8D852CEEFFFF lea eax, dword ptr [ebp+FFFFEE2C]
:10005AE6 50 push eax
:10005AE7 6870010000 push 00000170
:10005AEC E87F0D0100 call 10016870
:10005AF1 6A17 push 00000017
:10005AF3 E8980D0100 call 10016890
:10005AF8 83C410 add esp, 00000010
:10005AFB 6A30 push 00000030
:10005AFD 6830230410 push 10042330 RETURN
:10005B02 8D8D2CEEFFFF lea ecx, dword ptr [ebp+FFFFEE2C]
:10005B08 51 push ecx
:10005B09 53 push ebx
* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:10005B0A FF1558120210 Call dword ptr [10021258]
:10005B10 8B1594870210 mov edx, dword ptr [10028794]
:10005B16 66C742040000 mov [edx+04], 0000
* Referenced by a Jump at Addresses: 10005C8A(U), 10005D60(U), 10005E51(U)
|
:10005B1C 83C8FF or eax, FFFFFFFF
:10005B1F 8B4DF4 mov ecx, dword ptr [ebp-0C]
:10005B22 64890D00000000 mov dword ptr fs:[00000000], ecx
:10005B29 5F pop edi
:10005B2A 5E pop esi
:10005B2B 5B pop ebx
:10005B2C 8BE5 mov esp, ebp
:10005B2E 5D pop ebp
:10005B2F C3 ret
* Referenced by a Jump at Address: 10005AD9(C)
|
:10005B30 E83BBBFFFF call 10001670 RETURN
:10005B35 8D953CFFFFFF lea edx, dword ptr [ebp+FFFFFF3C]
:10005B3B BFC08F0210 mov edi, 10028FC0 RETURN
:10005B40 83C9FF or ecx, FFFFFFFF
:10005B43 33C0 xor eax, eax
:10005B45 F2 repnz
:10005B46 AE scasb
:10005B47 F7D1 not ecx
:10005B49 2BF9 sub edi, ecx
:10005B4B 8BC1 mov eax, ecx
:10005B4D 8BF7 mov esi, edi
:10005B4F 8BFA mov edi, edx
:10005B51 C1E902 shr ecx, 02
:10005B54 F3 repz
:10005B55 A5 movsd
:10005B56 8BC8 mov ecx, eax
:10005B58 83E103 and ecx, 00000003
:10005B5B F3 repz
:10005B5C A4 movsb
:10005B5D 8D8D70FFFFFF lea ecx, dword ptr [ebp+FFFFFF70]
:10005B63 51 push ecx
:10005B64 8B1594870210 mov edx, dword ptr [10028794]
:10005B6A 81C206010000 add edx, 00000106
:10005B70 52 push edx
:10005B71 8D853CFFFFFF lea eax, dword ptr [ebp+FFFFFF3C]
:10005B77 50 push eax
:10005B78 E8D36D0000 call 1000C950 RETURN
:10005B7D 83C40C add esp, 0000000C
:10005B80 33F6 xor esi, esi
:10005B82 89B538FFFFFF mov dword ptr [ebp+FFFFFF38], esi
:10005B88 68CC8F0210 push 10028FCC
:10005B8D 8D8D70FFFFFF lea ecx, dword ptr [ebp+FFFFFF70]
:10005B93 51 push ecx
* Reference To: KERNEL32.lstrcmpiA, Ord:02FFh
|
:10005B94 FF15C8100210 Call dword ptr [100210C8]
:10005B9A 8BC8 mov ecx, eax
:10005B9C 83CFFF or edi, FFFFFFFF
:10005B9F 8975FC mov dword ptr [ebp-04], esi
:10005BA2 B86F0D0000 mov eax, 00000D6F
:10005BA7 898528EEFFFF mov dword ptr [ebp+FFFFEE28], eax
:10005BAD 99 cdq

:10005BAE F7F9 idiv ecx
:10005BB0 898528EEFFFF mov dword ptr [ebp+FFFFEE28], eax
* Possible StringData Ref from Data Obj ->"&*$@^!"
|
:10005BB6 68EC360210 push 100236EC
:10005BBB 56 push esi
:10005BBC 56 push esi
:10005BBD 56 push esi
* Reference To: KERNEL32.CreateEventA, Ord:0031h
|
:10005BBE FF1518110210 Call dword ptr [10021118]
:10005BC4 898538FFFFFF mov dword ptr [ebp+FFFFFF38], eax
:10005BCA 8B1594870210 mov edx, dword ptr [10028794]
:10005BD0 66897204 mov word ptr [edx+04], si
:10005BD4 68FF0F0000 push 00000FFF
:10005BD9 8D852CEEFFFF lea eax, dword ptr [ebp+FFFFEE2C]
:10005BDF 50 push eax
:10005BE0 6870010000 push 00000170
:10005BE5 E8860C0100 call 10016870
:10005BEA 6A17 push 00000017
:10005BEC E89F0C0100 call 10016890
:10005BF1 83C410 add esp, 00000010
:10005BF4 6A30 push 00000030
:10005BF6 6830230410 push 10042330
:10005BFB 8D8D2CEEFFFF lea ecx, dword ptr [ebp+FFFFEE2C]
:10005C01 51 push ecx
:10005C02 53 push ebx
* Reference To: USER32.MessageBoxA, Ord:01BEh RETURN
|
:10005C03 FF1558120210 Call dword ptr [10021258]
:10005C09 E9BE020000 jmp 10005ECC
:10005C0E 6AFF push FFFFFFFF
:10005C10 8B9538FFFFFF mov edx, dword ptr [ebp+FFFFFF38]
:10005C16 52 push edx
* Reference To: KERNEL32.WaitForSingleObject, Ord:02CEh
|
:10005C17 FF151C110210 Call dword ptr [1002111C]
:10005C1D 68FF000000 push 000000FF
:10005C22 8D852CFEFFFF lea eax, dword ptr [ebp+FFFFFE2C]
:10005C28 50 push eax
:10005C29 6A71 push 00000071
:10005C2B 8B7508 mov esi, dword ptr [ebp+08]
:10005C2E 56 push esi
* Reference To: USER32.GetDlgItemTextA, Ord:0104h
|
:10005C2F FF1570120210 Call dword ptr [10021270]
:10005C35 8DBD2CFEFFFF lea edi, dword ptr [ebp+FFFFFE2C]
:10005C3B 83C9FF or ecx, FFFFFFFF
:10005C3E 33C0 xor eax, eax
:10005C40 F2 repnz
:10005C41 AE scasb
:10005C42 F7D1 not ecx
:10005C44 49 dec ecx
:10005C45 8BF9 mov edi, ecx
:10005C47 7546 jne 10005C8F
:10005C49 68FF0F0000 push 00000FFF
:10005C4E 8D8D2CEEFFFF lea ecx, dword ptr [ebp+FFFFEE2C]
:10005C54 51 push ecx
:10005C55 6A19 push 00000019
:10005C57 E8140C0100 call 10016870
:10005C5C 83C40C add esp, 0000000C
:10005C5F 6A30 push 00000030
:10005C61 6830230410 push 10042330
:10005C66 8D952CEEFFFF lea edx, dword ptr [ebp+FFFFEE2C]
:10005C6C 52 push edx
:10005C6D 56 push esi
* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:10005C6E FF1558120210 Call dword ptr [10021258]
:10005C74 6A71 push 00000071
:10005C76 56 push esi
* Reference To:USER32.GetDlgItem, Ord:0102h
|
:10005C77 FF156C120210 Call dword ptr [1002126C]
:10005C7D 50 push eax
* Reference To: USER32.SetFocus, Ord:022Fh
|
:10005C7E FF158C120210 Call dword ptr [1002128C]
:10005C84 B81C5B0010 mov eax, 10005B1C
:10005C89 C3 ret

In reference to the above code, this area begins the major check point for us. If you set that breakpoint a bit ago on the MessageBox A you'll find it here. There are several variables that are important to us in this study. One of them is 10042330 and will always bring up the "Invalid Unlock Code" message. You will find it scattered about, especially directly in front of the two MessageBoxA calls above. One is at 10005AFD. Another interesting variable is 10028FCC at 10005AC7. This one is our "Unlock Code." Right or wrong this is the baby that we put in. Another variable is the computer generated "Personal Code" at 10005B3B and is 10028FC0.

In perusing the code above you will notice that there is a cmp ecx at 10005AD6. But what is it comparing? It's the same cmp we've had in several other rsagnt32.dll's. It is comparing the length of the input string. If you don't have 10 of something in there it will drop you down through the "bad" variable, 10042330 at 10005AFD. Ah, you say, that was too easy and indeed it is, with a little help. Look to the south of where you are now though, to that other MessageBoxA that we've already encountered at 10005C03. Examine all that code in between from 10005B30 - 10005C03. How do you get around this guy? Well, if you keep putting in the wrong code, you'll never get around it. There is no jump around this baby! This area is the heart of the monster and the call at 10005B78 takes us right to the variables I mentioned earlier, PQYZMERUOA--which is at 1000c957 and JIKLICBXZC- which is at 1000c98b. Remember those twins? You'll, of course, see them in the register listings along with, but not in the same place as the "REAL" code that we need to unlock this proggy. Unfortunately, and yet ultimately for your benefit, your codes will most likely be very different from my own, hence I will not provide mine to you. I will tell you this much though, ALL of the input string will be capitalized letters of the length = 10. If you start examining the code closely, and I mean step through this stuff slowly, you will see the evolution in the register listings as mentioned earlier. Check them all though. There are many subtle clues left out, but I must give you one more big mega-dose of help- when you finally have the correct code and input it in the "Unlock Code" area, w32dasm may give you an error message dealing with a divide by zero. At this point you may get out of the running prog and go directly to Drumbeat 2000 and input the data field and watch the flower unfold. After the unfolding, the old Drumbeat.exe has been magically replaced with a new larger executible and w32dasm won't be working any longer on the old prog, and at the same time the new, larger executible asks you for the Macromedia serial number to input and thusly allow your program to be fully usable. We didn't talk about that, did we? Well, we weren't there yet. You can crack the prog if you want to, but there is no need for it. The serial number has been graciously provided for us in the new Drumbeat.exe. If you decompile it in w32dasm after quitting you'll be able to find it easy enough. It starts with BDA100- As always, I am totally available to advise and help some, but you must read this stuff and try to absorb it. "Luke, do or do not, there is no try!" Yoda to Luke Skywalker while the master was training the young Jedi Knight. Sojourner

Oh Duh

homepage links search_forms +ORC students' essays academy database

reality cracking how to search java-script wars

tools anonymity academy cocktails antismut CGI-scripts mail_Fravia

Is reverse engineering legal?