WinFax 9.0

Target Name:     [WinFax Pro 9.0]
Target Location: [Chip 3/99 cover CD, net]
Target Size:     [27 MB]
Cracking Tools:  [The Customizer, SoftIce debugger]

Introduction: WinFax is a fax service program. The protection has been made with 'SalesAgent' (also known as 'Rsagent', a commercial security programme).

Description: What is the reason for publishing this 'how to'? Well, most (all?) of the programmes made by $ymantec are protected this way & no-one in CrackPL has even touched the problem. So, rock-n-roll :)

Newbies Note!

This protection scheme can be recognized by the library file 'rsagnt32.dll', which should sit in the same directory as the target.

First let's play with the 'Faxmng32.exe' file. After a closer look at it, we can see that this is not the main file of the programme; it only contains the registration stuff. 'Faxmng32.dl_' seems to be the main file, but it also seems to be encrypted. So, what should we do with it? Well, let's run 'Faxmng32.exe', and we get a nice dialog window with two nice buttons: 'Trial' & 'Cancel'.

Newbies Note!

Most of the programmes protected with 'rsagent' also have a 'Buy Now' button.

Unfortunately, the authors of the protection were quite wise, and they knew how lame 'rsagent' is, so they dropped registration by entering a registration code. Seems like we have to do something about it. Let us start 'The Customizer' programme. A nice window should appear, with only one possible option to choose: 'Edit Window'. Then you should get another window with WindowDetails and some other stuff. Let's think a bit about what to do now. We want the missing 'Buy Now' button to appear.

As we can summarize, the button is hidden, so first we have to do something about it. So, in 'Customizer', we hit 'Show' and then the ON button. The cursor should turn into something really big. Now, in the WinFax window, we have to find the place where the button is hidden. We move the cursor over the window, and we can see, above the 'Trial' button, a rectangle the size of our missing button! :) One more look at 'Customizer' and in the text field we can find the '&Buy Now' string! We got it!!! Now we click and the button should appear immediately. Now we can turn off the 'Customizer' by clicking the OFF button.

Oki, let us concentrate on the job.

Let's click on the 'Buy Now' button and enter some made-up data. Then we click on until the programme asks about a credit card. And here we can find a serious bug (?) in the programme. As the serial no. we can just enter 12 zeros (0), a plausible expiration date, e.g. 9/99, and any Name on card. The programme will accept it, so we can go through. When we reach the 'register by modem or internet' point, we can just cancel it.

Then the programme will create an 'Rsagent.ini' file in the 'windows' directory.

Newbies Note!

Where does all this wisdom come from? I've read the doc from fravia.org about the 'Sales Agent' protection scheme. You can find the theoretical background in that doc. Here, I'd like to give you a more practical approach to the problem.

Let's see what is in there.

The most interesting thing is the line containing 'mailStat-975135=0'. We have to change it to 'mailStat-975135=1'. WHY? Read 'fravia.org/sales1.htm'. I won't explain it here :)

Now we click on the 'Buy Now' button once again. WoW! The unlocking code window just appeared!!!

Well... from this point you should be able to go on with it just by yourself! :)

\

\

\

\

\

\

\

Well... you are still here, so that means you couldn't do it...

We put e.g. 121212 into the 'UnlockingCode' field and jump into SoftIce (Ctrl+D).

Newbies Note!

In my winice.dat I have such a thing:

MACRO disp="d esp->8;pret "
MACRO disp2="d esp->C;pret "
MACRO tdial="bpx getwindowtexta do \"disp\""
MACRO tdial2="bpx getdlgitemtexta do \"disp2\""
MACRO brk="tdial;tdial2;"

This saves me a lot of work (setting up the breakpoints by hand and looking for the entered data). Now we need only type 'brk' and we have it all.

If you use such a MACRO, you can skip the next paragraph.

For those who don't use the MACRO stuff:

We set a breakpoint with 'bpx getdlgitemtexta'. Now hit F5. The programme will stop at the 'getdlgitemtexta' function call. Now we hit F12 until we get into the program code. We can recognize that by the 'rsagnt32.text+xxxx' string on the bar at the bottom. Now we look for the entered serial number by entering: s 0 l ffffffffff "121212".

The debugger should find our S/N at the 10030f40 memory location.

For all: We are here:

10005672  mov   edi, 10030F40 ----- move the S/N memory location address into the EDI register
10005677  or    ecx, -1
1000567A  xor   eax, eax
1000567C  repnz scasb --------- count the number of characters in our S/N
1000567E  not   ecx
10005680  dec   ecx
10005681  cmp   ecx, 0A ------- compare the number of characters in our S/N with 0Ah (=10 dec)
10005684  jz    100056C5

We can find our S/N at 10030f40 (look at the data window; display it with the 'wd' command). This address is loaded into the EDI register. Press F8 to step over line 10005672. We should put a breakpoint on memory read/write access to that location, because our programme will probably use it.

Let's type:

x
bpr edi edi+6 rw 

Why +6? That's because our S/N contains 6 characters. Press F5. SoftICE will stop two lines later, on 'repnz scasb'. What's going on? Well, this instruction is repeated until it reaches a zero byte, so this code counts the length of our S/N. After just a few F8 steps, we reach line 10005681. If you take a look at ECX (use '? ecx'), you can see it is equal to 00000006, not 0Ah. That is the reason why the jump will not occur: our S/N is too short! It should contain 10 characters! You can also notice a 'call messageboxa'. This call will display a window with the wrong-S/N error message.

Well, we can change the Zero Flag with the command:

'R fl Z'

and then the jump in line 10005684 will be taken. Now you can hit F5.

We find ourselves in this place:

1001F83C  or   al, al
1001F83E  jz   1001F86E
1001F840  mov  al, [esi] --- we are here
1001F842  inc  esi
1001F843  mov  ah, [edi]
1001F845  inc  edi
1001F846  cmp  ah, al
1001F848  jz   1001F93C

As you can see, in this procedure two values (in 'ah' & 'al') are compared. It would be nice to know what they contain. A value (a byte, a char) from the memory location pointed to by the ESI register is loaded into 'al' (take a look at line 1001f840). The question is: what is under ESI? Let's type 'd esi'. In the data window you should be able to see our fake serial number: 121212! So... yes, your guess is right, the right S/N is under EDI!!!

'd edi'

Congratulations! You've made it! Now please write down and use your own S/N!

Don't forget to erase our breakpoints: bc *
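The two listings above (the length count at 10005672 and the byte compare at 1001F83C) rewritten as plain C, as an added example that is not part of the original tutorial and not code from WinFax or SalesAgent. The first function emulates the 'repnz scasb / not ecx / dec ecx' idiom register by register so you can see why ECX ends up as the string length; the second is the byte-by-byte compare, which only works because the reference S/N has to sit in memory in plaintext (that is what 'd edi' reveals). The last functions are a hypothetical hardened variant: the program keeps only a one-way digest of the valid serial and compares digests without an early exit. The FNV-1a digest and the serial strings "121212" and "0123456789" are constructed stand-ins, not values from the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Emulates the listing at 10005672-10005681:
 *   or ecx,-1 ; xor eax,eax ; repnz scasb ; not ecx ; dec ecx
 * REPNZ SCASB decrements ECX once per byte scanned and stops right after the
 * byte equal to AL (0 here). NOT ECX then yields the number of bytes scanned
 * including the NUL, and DEC ECX drops the NUL: an inlined strlen(). */
size_t scasb_strlen(const char *edi)
{
    uint32_t ecx = 0xFFFFFFFFu;            /* or ecx, -1 */
    uint8_t  al  = 0;                      /* xor eax, eax */
    while (ecx != 0) {                     /* repnz scasb */
        uint8_t b = (uint8_t)*edi++;
        ecx--;
        if (b == al) break;
    }
    ecx = ~ecx;                            /* not ecx */
    ecx--;                                 /* dec ecx */
    return ecx;
}

/* cmp ecx, 0Ah / jz 100056C5: only a 10-character entry reaches the real check. */
int serial_length_ok(const char *sn)
{
    return scasb_strlen(sn) == 10;
}

/* Equivalent of the loop at 1001F83C-1001F848: the entered string (ESI) and the
 * reference string (EDI) are walked one byte at a time and the loop leaves on
 * the first mismatch. The reference must be in memory in plaintext for this to
 * work, which is exactly what 'd edi' shows. Returns 1 on a full match. */
int plaintext_compare(const char *esi, const char *edi)
{
    for (;;) {
        uint8_t al = (uint8_t)*esi++;      /* mov al,[esi] ; inc esi */
        uint8_t ah = (uint8_t)*edi++;      /* mov ah,[edi] ; inc edi */
        if (ah != al) return 0;            /* cmp ah,al ; jz -> next byte */
        if (al == 0) return 1;             /* or al,al ; jz -> both strings ended */
    }
}

/* Hypothetical hardened variant (not from the tutorial or from WinFax): the
 * program stores only a one-way digest of the valid serial, so a debugger
 * looking at the compare finds a digest rather than the serial itself.
 * FNV-1a is a constructed stand-in; a real product would use a cryptographic
 * hash or an asymmetric signature check. */
uint32_t fnv1a32(const char *s)
{
    uint32_t h = 2166136261u;
    for (; *s; s++) {
        h ^= (uint8_t)*s;
        h *= 16777619u;
    }
    return h;
}

/* Compare without an early exit, so the loop's timing does not leak the
 * position of the first differing byte either. */
int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

int digest_compare(const char *entered, uint32_t stored_digest)
{
    uint32_t d = fnv1a32(entered);
    uint8_t a[4], b[4];
    for (int i = 0; i < 4; i++) {
        a[i] = (uint8_t)(d >> (8 * i));
        b[i] = (uint8_t)(stored_digest >> (8 * i));
    }
    return ct_equal(a, b, 4);
}

int main(void)
{
    const char *fake = "121212";           /* the tutorial's fake entry */
    const char *real = "0123456789";       /* constructed 10-character reference */
    printf("strlen(\"%s\") = %zu, length ok: %d\n", fake, scasb_strlen(fake), serial_length_ok(fake));
    printf("plaintext compare: %d\n", plaintext_compare(real, real));
    printf("digest compare fake vs stored: %d\n", digest_compare(fake, fnv1a32(real)));
    return 0;
}
```

Walking scasb_strlen under a debugger with "121212" gives ECX = 0xFFFFFFF8 after the scan and 6 after the NOT/DEC pair, the same 00000006 the tutorial sees with '? ecx'. In plaintext_compare the second argument is the thing an attacker with a debugger dumps; in digest_compare only the digest is resident, which is why a check of this shape is the usual recommendation.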


If you are looking only for serial numbers, you are in the wrong place. All activities described here should only help you analyze program code and master the protection scheme. If you want to use this programme for a longer period, you should BUY it! (This doesn't apply to M$ products.) This will let the programmers make better products and more interesting protection schemes.

[4.03.1999] by [Jo Joro] ([jojoro@friko2.onet.pl])