SalesAgent 3.0
Rsagnt32.dll, TurnKey and Me
progcor
Programmers
21 May 98
by Goth
Courtesy of Fravia's page of reverse engineering
slightly edited
by fravia+
fra_00xx
98xxxx
handle
1100
NA
PC
Antother commercial protection scheme byte the dust... how long will we have to repeat it? Any protection scheme made for fun (and for free) and explained thoroughly by a real reverser (see the ones made by +HCUkers on the programmer's corner part of this site) will allow you after a small adaption to protect your own software FAR better than ANY protection scheme devised for greed by a couple of underpaid, commercial oriented programmers... man, it's so easy to understand! Look at how pathetical is the windoze operating system (slow, buggy, crash-prone, messy, overbloated, a real pain in the belly), made for greed by a greedy company and look how elegant and agile is in comparison whatever version of Linux you'll install (which is completely free, AND quicker, AND solider, AND 1000 times better than Windoze, just try it and you'll see :-)
Still not convinced? Well, then, friend programmer, pay your money to companies like this infamous 'Release software' and get 'protections' like the following one...
They sentenced me to twenty years of boredom
for trying to change the system from within.
I'm coming now, I'm coming to reward them...
Rating
( )Beginner (x)Intermediate ( )Advanced ( )Expert

All +crackers are HIGHLY encouraged to contribute their comments and/or own essays on this topic!

SalesAgent 3.0
Rsagnt32.dll, TurnKey and Me
Written by Goth


Introduction

In this essay we'll meet old friends (rsagnt32.dll 2.5) and new foes (TurnKey 1.2) and we'll see that it's possible to crack a whole commercial protection system without patching a single file.

What's this all about?

Our target is a commercial protection suite called SalesAgent 3.0 distributed by Release Software:

'It's an intelligent wrapper designed for electronic software distribution...' 'It protects a publisher's intellectual property by securely encrypting software until it has been paid for.' (Release Software)

Why it's a MAJOR TARGET?

1. Many companies protect their software using SalesAgent (e.g. Macromedia, Xing Tech., Cheyenne, Symantec, Netscape). All of them are responsible for these overbloated and/or overpriced and buggy apps we have to use nowadays. So we'll teach them a very useful, if a little bitter, lesson :-)

2. We are the knowledge hunters, aren't we? And there's a lot to learn hidden in SalesAgent's code.

3. It's a protection and a protection "needs" to be properly cracked!

On we go ...


Tools required

W32dasm 8.x

Softice 3.x

Texteditor

BRW


Target's URL/FTP

I've used Symantec's Norton Utilities 3.03 Trial which should be available everywhere on the net (Perform a ftp search for 'nu3trial.zip' 27.3MB!) or get it from Symantec's web pages.


Essay

Well, I assume that you've taken all obligatory precautions (backup the registry and such ...), installed our target and restarted Win95.

You also should have:
- taken a look into NU's directory,
- discovered that there are four files for EVERY main exe of NU (e.g. NORTON.EXE, NORTON.DL_, NORTOPOP.EXE, NOTOTKY.DLL),
- located RSAGNT32.DLL.

PART I - Look what the cat dragged in...
----------------------------------------

First you'll see how our target behaves.
Start the Norton Utilities Integrator (NORTON.EXE) which SYMANTEC dropped so gently onto your desktop.
You'll get the usual 'Time Trial' window.
We won't bother to 'Try first' head right to 'Buy now'.
Fill in some stuff and push 'Next' until you reach the 'Select Payment Method' window.
Now, do you have your credit card info handy?
If not, you should reverse our target to see which numbers are valid or visit some fancy hacker site and get a credit card generator (e.g. CreditMaster) or simply enter:


Card: American Express

No.:  00000000

Exp.: 09/99

Name: Goth

(Hey, lamers! This info CAN'T be used to access your beloved porn sites! So sorry!-)
and push 'Next' until you get to the 'Select Communication Methods" window.
For various reasons it's necessary to make sure you CAN'T connect to anything, switch off your modem, cut your cable or whatever and push 'Next'.
Oops, unable to connect and so on. Cancel the whole 'Buy now' thing.

Now, you could observe our target with trial period expired. But you all know what will happen,
don't you? Yes, the 'Try first' button will vanish and it WON'T come back if you set your RTC back.

Well, it's a time trial. So at this point you could have the bright idea to fire up softice, bpx GetSystemTime, track down the bytes to patch in the exe/dll and ready you are.

NO YOU DON'T!

(If you get NU to work this way, I'll wanna see your essay at Fravia's!)

What you'll do at this point is pushing 'Buy now' again. (Sometimes when I get these strange attacks of dumbness, I can't believe there's a 'Buy now' button but no way to enter any registration code or such and I'll try again... ;-)

You see all fields of your 'User Registration' window filled with information you've entered before. Close NU and start again. Info is still there.

SalesAgent stores user info somewhere!

PART II - The Anatomy of SalesAgent 3.0
---------------------------------------

You should now examine our target's files to get a rough overview of what's going on.
Well, five should be more than enough I took a look at these:

1: NORTON.EXE
2: NORTON.DL_
3: NORTOPOP.EXE
4: NORTOTKY.DLL
5: RSAGNT32.DLL

Use BRW and/or W32dasm. Look at the import and export tables, resources, headers and so on...
Check if they're encrypted/compressed. Use your imagination. What file can perform what task?
How does the scheme work?
FEEL it...

Having felt enough you should come at least to these results:


- NORTON.EXE, SI32.EXE, NREGEDIT.EXE, ... have all the same size (243kb) 

  -> can't be the real EXEs -> some kind of loader

- ********.DL_s are encrypted -> the real EXEs -> will be loaded, decrypted, 

  whatever...

- *****POP.EXEs contain some resource saying 'Please wait while your 

  software is being prepared.' and import CreateFileMapping -> this is 

  the decryptor

- *****TKY.DLLs not much here, you could even use it to buy Micro$oft Frontpage (see dialogs!)

- RSAGNT32.DLL connects to internet server, contains resources 

  for ENTERING REGISTRATION CODE

Now, how does our start process look like?

You start NU (NORTON.EXE) which uses RSAGNT32.DLL to check if you're in your trial period and then presents the 'NU for Win95 Trial' window.
If you push 'Try first' the NORTON.DL_ is being temporary decrypted and started.
If you push 'Buy now' NORTON.EXE uses RSAGNT32.DLL for getting user information, internet connection and REGISTRATION. After registration the *.DL_ files should be permanently decrypted.

So how do we get RSAGNT32.DLL to let us register?

PART III - Faking a mail/fax order
----------------------------------

I've used W32Dasm to disassemble RSAGNT32.DLL.
First I examined it's import table to see what it is able to and to look for suspicious imports.
Huh, you'll find a lot. What should make your bells ring is that it's able to modify registry entries but also uses the absolete PrivateProfileString (*.INI) stuff.
This needs further investigation.

W32dasm finds the first appearance of GetPrivateProfileStringA here:


...



* Reference To: KERNEL32.GetPrivateProfileStringA, Ord:0112h

                                  |

:100015EE 8B35A8010210            mov esi, dword ptr [100201A8]



* Possible StringData Ref from Data Obj ->"rsagent.ini"

                                  |

...

Oops, it tries to read from a file called RSAGENT.INI And where are these *.ini thingies usually kept? Right, we'll find it in our 'windows' directory:

[ReleaseSoft]

firstName=Goth

lastName=Nosferatu

company=!

street1=!

street2=!

city=!

state=

zip=12345

country=United States

geoType=110

phoneNum=!

faxNum=!

email=!

personalCode=

toneDial=1

callWait=0

needAccess=0

accessCode=9

intlPrefix=

callWaitStr=

mailStat-975135=0

ATTN=AT

MTONEDIAL=T

PULSEDIAL=P

DIALTHIS=D

WORDRESULT=V1

HANGUP=H0

ADDINIT=E0

ESCAPE=+++

OKAY=OK

NOCARRIER=NO CARRIER

CONNECTED=CONNECT

NODIALTONE=NO DIALTONE

BUSY=BUSY

It wasn't there right after the installation. So it must have been created while we tried to register the target in PART I.
Examine it. Look for something that could help us to register. Well, till 'email=!' (Yes, I'm a lazy bastard. I entered all these '!') nothing of importance. But wait, 'personalCode='!
Where have we seen this before? If you did as I told you in PART II you would know where.
Use BRW. Look at dialog 2011! What is this dialog's title? 'Complete Mail / Fax Payment'!
Hm, Mail?, Fax? can't remember any Mail / Fax order opportunity during 'Buy now' procedure.
Take a look at dialog 2001. Our old friend from PART I 'Select Communication Method' but this dialog allows ordering by phone and mail/fax. So it should be possible to get to dialog 2011 without completing the internet/modem connection!
All entries are pretty self explainary but what's about this 'mailStat-975135=0' entry?
Let's change it to 1, restart NU and try 'Buy now' procedure again. Anything changed?
Of course! We are finally at dialog 2011. There we have a 'Personal Code' and what we haven't is an 'Unlocking Code'. But not for long ...

PART IV - RSAGNT32.DLL's builtin KeyGenerator
---------------------------------------------

We know that our 'Unlocking Code' will be recieved by dialog 2011. So you should bpx GetDlgItemTextA in Softice.
Enter a dummy unlock code (e.g. gothtog) and after pressing F12 Softice will popup here:

:10005612 mov edi, 10032E20  <= our unlocking code

:10005617 or ecx, FFFFFFFF

:1000561A xor eax, eax

:1000561C repnz

:1000561D scasb

:1000561E not ecx

:10005620 dec ecx

:10005621 cmp ecx, 0000000A  <= is it 10 chars long?

:10005624 je 10005665   <= Yes! => Go for validation check!

:10005626 lea edx, dword ptr [esp+10]      No! => ...



* Possible StringData Ref from Data Obj ->"Sorry, that unlocking code is"

                                        ->"not valid for this program."

           |

:1000562A push 10023890

:1000562F push edx

:10005630 call 10014590
Step over the next instructions, toogle zero flag at 10005624 and step on till you reach:
:100056A8 push ecx

:100056A9 push edx

:100056AA push eax

:100056AB call 1000B980    <= caculate the real code

:100056B0 add esp, 0000000C

:100056B3 lea ecx, dword ptr [esp+000000D8]

:100056BA push 10032E20    <= our code

:100056BF push ecx                              <= real code

:100056C0 call 1001F5C0                         <= compare

:100056C5 add esp, 00000008

:100056C8 test eax, eax    <= if compare fails (eax!=0)

:100056CA jne 1000597C    <= we'll get 'Sorry, that...'



...

At 100056BA we dump ecx and get a perfect 10 chars long unlock code like: 'RQXKNKQJPP' (This code is only valid if your personal code was '1234567890'! Which btw can be reached if you modify your 'personalCode' entry and your 'mailStat-975135' in RSAGENT.INI!)
Leave Softice (F5). Enter the unlock code and we get a 'Enter your serial' window. (Weird!) Here we enter our unlock code again and it's done!

PART V - Summary and Additions
------------------------------

We won't have to deal with any encryption routines since SalesAgent 3.0 can be defeated in less than 2 min:

- change 'personalCode=' to 'personalCode=1234567890' and 'mailStat-975135=0' to 'mailStat-975135=1' in RSAGENT.INI (If there's no RSAGENT.INI create one!)
- start the 'Buy now' procedure and
- enter 'RQXKNKQJPP' as unlock code.

Things left to do:
- a better investigation of SalesAgent's 'anatomy'
- a better reversing of RSAGNT32.DLL
- a keygenerator (Any volunteers?)
- a decoder for TurnKey encrypted EXEs

Hints:
------

There's a hidden :-( entry in your registry like this:
[HKEY_CLASSES_ROOT\ultxfile\Format\MSHVEM0E]
After unlocking this entry changes... :-)
It won't be easy to patch the files 'cause they're doing extensive checksumming and stuff...

Remember this:
--------------

'It's an intelligent wrapper designed for electronic software distribution...'
'It protects a publisher's intellectual property by securely encrypting software until it has been paid for.' (Release Software)


Final Notes

I'd like to thank fravia+ for maintaining his excellent site, +Natzgul, Stone and +Marigold for their very inspiring essays, +Aesculapius for taking the time to answer my mails and The Mage for being some kind of mentor in my AMIGA days (You'll never know where an ex-Iceman pops up!).

My best regards go to all those who still know the name of the Mad God. See ya all deep down Sinister Street! ;-)



Ob Duh
I wont even bother explaining you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell.

You are deep inside fravia's page of reverse engineering, choose your way out:

progcor
Back to programmers corner



redhomepageredlinks redsearch_formsred+ORCredstudents' essaysredacademy database
redreality crackingredhow to searchredjavascript wars
redtoolsredanonymity academy redcocktailsredantismut CGI-scriptsredmail_fravia+
redIs reverse engineering legal?