http://www.xingtech.com
- Webpage (1.83Mb).
CapaC's method (August 2000).
Welcome again, in this tutorial I'm going to demonstrate just how greedy today's application developers have become and why software vendors should use Release Software Corporation's SalesAgent at their peril. I chose XingMPEG Encoder as an example of a very good product with this very poor protection, so without further ado lets take a look. When you first launch the program you'll be confronted with several options, so lets select Buy Now, at this point you'll have to fill in a registration form so disconnect your modem immediately, usually when you find these forms sometimes the most sophisticated thing you can do with them is print out a *.txt file.
However, this form is actually very useful (from here we can enable our product), so fill in your details and select yes to buy $249.00 worth of retail, then you'll get more options. Read them carefully, you'll realise the only option of interest to you is Order by Phone. Now, your going to fill in your credit card details, illegal users might well use one of the ubiquitous number generators available on the net, else prepare to dial Xing now (pinch of salt taken I hope). So at the next screen you are asked to input your unlock code (immediately you should be setting those breakpoints) >bpx GetDlgItemTextA works well.
:1000B2CC MOV EDI,1002B460 <-- Serial entered in EDI.
:1000B2D1 OR ECX,-01 <-- ECX=-1.
:1000B2D4 XOR EAX,EAX <-- EAX=0.
:1000B2D6 REPNZ SCASB <-- Repeat not zero and scan byte.
:1000B2D8 NOT ECX <-- Invert ECX.
:1000B2DA DEC ECX <-- String length routine, place result in
ECX.
:1000B2DB CMP ECX,0A <-- Was the string 10.
:1000B2DE JZ 1000B31B <-- Jump_good_buyer.
.....
:1000B32D PUSH 1002B510 <-- Push a generated code, which seems
to do nothing.
:1000B332 CALL 1000B8D0 <-- Calculate another code.
:1000B337 ADD ESP,0C <-- Stack tidy.
:1000B33A PUSH 1002B460 <-- Push Serial entered here.
:1000B33F PUSH 1002B530 <-- Push New Good Code (letters) here.
:1000B344 CALL 1001FA10 <-- Compare your_code with good_code.
:1000B349 ADD ESP,08 <-- Tidy stack.
:1000B34C TEST EAX,EAX <-- Test EAX for 0.
:1000B34E JNZ 1000B32B <-- Jump_bad_buyer.
Well, note the REPNZ SCASB instruction from this code. Its a classic string length checking routine. Note that all of this code is inside the file rsagnt32.dll, here I have v1,6,0,0 (length 537,088 bytes) and also note the number generated by the program. I didn't investigate whether this code is actually generated from the credit card number or other details, in other versions of the dll this value is never calculated, perhaps someone would like too check out the various dll versions and post a note on it.
On a wider discussion, the SalesAgent protection is incredibly weak and all of the programs that I have seen work on code very similar to the above example, I would guess there are a fair few versions of the dll out there which ironically is CRC protected. I can only implore software developers to stop using this product, in fact each time I find an application which uses this protection I am going to name and shame it (see below), I'll also show how much money the respective developer is losing by using a scheme which can be defeated in under 3 minutes.
I took this post from a message board, quite ironic is it not that removing registered status is harder than obtaining it :-) :-
Q. I've installed the 30-day demo of Macromedia's Drumbeat 2000 and after tracing RSAgent I converted it to a retail installation. I needed to run some more traces on it so I uninstalled the program and deleted the serial from the registry. After re-installing the demo I found out that it still behaves registered. It doesn't ask to be bought or tried out and such. What gives?.
A. There's a hidden entry in your registry like this :-
[HKEY_CLASSES_ROOT\ultxfile\Format\MSHVEM0E]
After unlocking this entry changes :-).
As I promised, here is a current list of some of the programs that I am aware of which use Release Software Corporation's Sales Agent, the seemingly easy way to identify these programs is by their 7-day trial feature.
http://www.the1vision.com - 1Disk v1.0.8 - $49.95.
http://www.emblaze.com - Emblaze Audio v1.0x - $249.95.
http://www.xingtech.com - XingMPEG Player v3.xx - $29.95.
http://www.egghead.com - Many other vendors software (all using SalesAgent), sadly includes Norton AntiVirus 5.0.
http://softrack.releasesoft.com/origin/900000/utilities/webstore.html - Yet more utilities.
Should any of my readers happen upon their travels to encounter any more software using this protection would they please drop me a little e-mail so that I can add to this "Hall of Shame".
SalesAgent is a commercial protection system. With this essay you can easily defeat all programs boxed by SalesAgent. As a target I will use Macromedia Dreamweaver 3, a good HTML editor (http://www.macromedia.com). If you purchase a program boxed with SalesAgent and enter the right serial # then you see the following window :-
This means that routines from the SalesAgent protection are busy removing the SalesAgent protection from the program. It also means that these routines dwell somewhere in the code of the program. At the end you have the original program as compiled by the maker of the program, with the SalesAgent protection completely removed!. The approach of this essay is to use these cleanup routines directly without entering anything at all.
Install the program (Macromedia DreamWeaver 3). Go with Windows Explorer to the program directory, in this case C:\Program Files\Macromedia\Dreamweaver 3\.. In every SalesAgent boxed program directory you find a file of the format xxxxxpop.exe or xxxxxpop.tty. If you have only xxxxxpop.tty in your directory then rename this file to xxxxxpop.exe. In the directory of DreamWeaver we see the file Dreampop.tty after renaming it, Dreampop.exe. In this file dwells the decryption code to remove the protection, in some cases they try to mask that it's executable through the extension tty.
If we start this file directly without modifications then we see an error message : "you do not have the right to start this file and ...exit bad boy!". Examples of the xxxxxpop.tty/exe files :-
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Set a breakpoint on Kernel32!SleepEx. Now we start the executable xxxxxpop.exe (dreampop.exe) by double clicking on the file. We see the encoding window, shown at the beginning of this essay, after a while SoftICE pops up halted at Kernel32!SleepEx. Now we push F12 and we're in dreampop code. We see the following :-
:00401921 CALL sub_4017A0
:00401926 PUSH 0
:00401928 PUSH 0
:0040192A PUSH offset loc_4022E0
:0040192F CALL __beginthread
:00401934 ADD ESP, 0Ch
:00401937 PUSH 0
:00401939 PUSH 7D0h
:0040193E CALL ds:SleepEx
:00401944 CALL sub_4017A0 <-- We're here.
:00401949 CALL sub_401100 <-- BAD BOY, EXIT CODE.
:0040194E MOV ESI, EAX
:00401950 CMP ESI, 0FFFFFFFFh
:00401953 JNZ short loc_40196B
:00401955 PUSH 0
:00401957 CALL ds:PostQuitMessage
When we scroll down (not execute) half a page in SoftICE at address 401944 (after the return from SleepEx) we always see a call FindWindowExA as below :-
:004019DF PUSH offset aTurnkexeSS ; "Turnkexe%s%s"
:004019E4 PUSH ECX
:004019E5 CALL _sprintf
:004019EA ADD ESP, 10h
:004019ED LEA EDX, [ESP+0Ch]
:004019F1 PUSH 0
:004019F3 PUSH EDX
:004019F4 PUSH 0
:004019F6 PUSH 0
:004019F8 CALL ds:FindWindowExA
:004019FE TEST EAX, EAX
:00401A00 JZ short loc_401A4B <-- Here!.
:00401A02 PUSH 186h
:00401A07 CALL sub_4023F0
:00401A0C MOV EAX, dword_42BCE4
:00401A11 LEA ECX, [ESP+110h]
:00401A18 PUSH EAX
:00401A19 PUSH offset unk_433C28
Write down the address of the jz xxxxxx 2 lines below the FindWindowExA. In this case xxxxxx is equal to 401A4B. We give the a command (at 401944) in SoftICE and enter :- jmp xxxxxx, with xxxxxx the address we found above. With this jump we go directly to the decrypt routines without checking if we're good or bad!. Now we enter d PostQuitMessage in SoftICE, in the dump window we see the start address of PostQuitMessage (top left corner of the dump window). Enter in SoftICE r ebx yyyyyy with yyyyyy the start address of PostQuitMessage.
This last step is necessary because later in the code there is call to PostQuitMessage through a CALL EBX, if we skip this step the decoding will work but w'll get an error message. While reversing SalesAgent, I've come across two versions, this essay works on both of them!. Don't make these modifications directly on the hard disk and don't set breakpoints with bpx in the program code, because the xxxxxpop.tty or xxxxxpop.exe program contains CRC check routines.
If anyone needs information or the crack for these CRC routines send me an e-mail (capac@gmx.net), I will then write another essay on these CRC routines.