TNT! | Fast Essay
http://kickme.to/tnt
-------------------------------------------------------------------------

THE "NEW" RSAGENT 3.1.2
--- A COMMERCIAL PROTECTION WHICH IS STILL USED BY MACROMEDIA AND I DON'T KNOW WHY... ---

by +DzA kRAker

Sorry for my BAD English, I hope you will understand something.
http://www.releasenow.com - visit just for laughs.

Target: Macromedia Dreamweaver 3, wrapped using this shitty protection.
Tools: SoftICE 3-4.x + hex editor (I used Hacker's View 6.0)

Well, Macromedia made a hobby of protecting their software with RSAgent, even if other commercial protections (like VBox2) are much better...

Looking in the target's directory, we see that the old rsagnt.dll has been renamed (and not only that, there are some new features too) to rsagnt32.tty, xpop.exe has been renamed to xpop.tty (in our case dreampop.tty), and they also added some new files: SpyEx.tty (this one thinks he is agent 007... hum, I don't know what this one does), xtky.tky - in my case dreamtky.tky (this is not a PE file, but it is encrypted; this file may contain the trial parameters - I'm not sure, but we won't use it in the crack), and Dreamweaver.tty, which is our wrapped executable... Dreamweaver.exe is, of course, the loader; if you delete dreamweaver.tty and try to run the loader, an error message pops up: "ERROR LOADING PROCESS".

Our goal is to eliminate the nag, kill the 30-day time limit, and also force the loader to run without the *NOT NEEDED* files: spyex.tty, rsagnt32.tty, dreampop.tty.

1. ELIMINATING THE NAG

Have SoftICE for Windows loaded... press Ctrl+D; now we are in SoftICE, and we put a breakpoint on DialogBoxParamA (bpx dialogboxparama).
Now run our target (dreamweaver.exe), and SoftICE will break (because RSAgent uses DialogBoxParamA to create the nag). We press F11, and now we are back in front of the ugly nag; press Cancel, and SoftICE breaks again... you will land exactly in dreamweaver.exe, where it makes the call to DialogBoxParamA (user32). Now, you see that push eax right before the call... what happens if we replace the register? What happens if we replace push eax (50) with push ecx (51) or whatever... (just don't try nop)... well, the dialog box won't show anymore and we have solved the nag problem. Now we have done that in memory, and it works fine; let's make it permanent... go into your favourite hex editor and replace 50 with 51. Now try to run the modified loader... oops! A general protection fault... this is the file checksum... let's see if my old trick works on this new version of RSAgent... enter SoftICE and type faults on, so it will break where the protection fault occurs... you will land in a piece of code like this one:

    xxxx xxxxxx  test eax,eax
    xxxx xxxxxx  pop edi
    xxxx xxxxxx  pop esi
    xxxx xxxxxx  mov xxxxxxxx    ---> this is the interesting part
    xxxx xxxxxx  jz xxxxxxx

It looks like the author didn't change the file checksum... Good for us... you will see that the checksum is made over "almost" all of the exe... if we change something in the loader, the program just crashes (at the same address)...

The solution: the checksums are IDENTICAL, and can be defeated by nopping JUST the mov before the conditional jump... load the executable in your hex editor and write 6 nops to eliminate that mov:

    xxxx xxxxxx  test eax,eax
    xxxx xxxxxx  pop edi
    xxxx xxxxxx  pop esi
    xxxx xxxxxx  nop
    xxxx xxxxxx  nop
    xxxx xxxxxx  nop
    xxxx xxxxxx  nop
    xxxx xxxxxx  nop
    xxxx xxxxxx  nop
    xxxx xxxxxx  jz xxxxxxx

Nopping the mov will bypass the respective checksum... After I patched 1 byte (50 to 51) in my dreamweaver.exe, I bypassed 2 checksums and then the modified dreamweaver.exe ran perfectly without the ugly nag.
2. THE 30 DAYS TIME LIMIT

The time limit is very easy to defeat... Let's make Dreamweaver expire... (set your clock 1 month forward, or whatever)... we run our modified exe, and another nag pops up, this time with the Try button disabled... 30-day trial over.

An easy way to defeat this: bpx sleep. So enter SoftICE, type bpx sleep, exit SoftICE, run Dreamweaver, and SoftICE breaks BEFORE the nag... now nop the je after the call to kernel Sleep. Patch it in the hex editor; there will be some other checksums, bypass them. (If SoftICE does not break at the right address, disassemble the loader - in our case dreamweaver.exe - with win32dasm and do a search for "sleep"; the right call is always at address 402xxx, and modify the jump after the call - I think this method is better.)

3. FORCING THE LOADER TO RUN WITHOUT THE *NOT NEEDED* FILES: spyex.tty, rsagnt32.tty, dreampop.tty

Our loader does not need these files, but if we delete them, the loader pops up the error message: "IMPORTANT APLLICATION FILES ARE MISSING OR CORRUPTED". Well, this is a regular message box, so enter SoftICE and put a breakpoint on MessageBoxA (bpx messageboxa). Run dreamweaver.exe, SoftICE breaks, F11, press OK... now SoftICE breaks again, in the caller. Now scroll up with Ctrl+Up until you see a conditional jump... write down the address of the jump, and reverse it using the hex editor. Now our target runs just fine without those files... kewl!

I've tried this technique with Fireworks 3, Dreamweaver 3, Flash 4 r12, Director 7, and it worked perfectly... in 2 minutes (REALLY) you can crack any of these expensive proggies.

Well, I think every decent cracker could crack this stupid protection, but the target of my tutorial is to show an easier (I think) way of defeating RSAgent 3.1.2.

The serial number starts with "RKS-".