Rsagnt32.dll, TurnKey and Me
Still not convinced? Well, then, friend programmer, pay your money to companies like this infamous 'Release software' and get 'protections' like the following one...
for trying to change the system from within.
I'm coming now, I'm coming to reward them...
In this essay we'll meet old friends (rsagnt32.dll 2.5) and new foes (TurnKey 1.2) and we'll see that it's possible to crack a whole commercial protection system without patching a single file.
What's this all about?
Our target is a commercial protection suite called SalesAgent 3.0 distributed by Release Software:
'It's an intelligent wrapper designed for electronic software distribution...' 'It protects a publisher's intellectual property by securely encrypting software until it has been paid for.' (Release Software)
Why it's a MAJOR TARGET?
1. Many companies protect their software using SalesAgent (e.g. Macromedia, Xing Tech., Cheyenne, Symantec, Netscape). All of them are responsible for these overbloated and/or overpriced and buggy apps we have to use nowadays. So we'll teach them a very useful, if a little bitter, lesson :-)
2. We are the knowledge hunters, aren't we? And there's a lot to learn hidden in SalesAgent's code.
3. It's a protection and a protection "needs" to be properly cracked!
On we go ...
W32dasm 8.x Softice 3.x Texteditor BRW
I've used Symantec's Norton Utilities 3.03 Trial which should be available everywhere on the net (Perform a ftp search for 'nu3trial.zip' 27.3MB!) or get it from Symantec's web pages.
Well, I assume that you've taken all obligatory precautions (backup the registry and such ...), installed our target and restarted Win95.
You also should have:
- taken a look into NU's directory,
- discovered that there are four files for EVERY main exe of NU (e.g. NORTON.EXE, NORTON.DL_, NORTOPOP.EXE, NOTOTKY.DLL),
- located RSAGNT32.DLL.
PART I - Look what the cat dragged in...
First you'll see how our target behaves.
Start the Norton Utilities Integrator (NORTON.EXE) which SYMANTEC dropped so gently onto your desktop.
You'll get the usual 'Time Trial' window.
We won't bother to 'Try first' head right to 'Buy now'.
Fill in some stuff and push 'Next' until you reach the 'Select Payment Method' window.
Now, do you have your credit card info handy?
If not, you should reverse our target to see which numbers are valid or visit some fancy hacker site and get a credit card generator (e.g. CreditMaster) or simply enter:
Card: American Express No.: 00000000 Exp.: 09/99 Name: Goth(Hey, lamers! This info CAN'T be used to access your beloved porn sites! So sorry!-)
Now, you could observe our target with trial period expired. But you all
know what will happen,
don't you? Yes, the 'Try first' button will vanish and it WON'T come back if you set your RTC back.
Well, it's a time trial. So at this point you could have the bright idea to fire up softice, bpx GetSystemTime, track down the bytes to patch in the exe/dll and ready you are.
(If you get NU to work this way, I'll wanna see your essay at Reverser's!)
What you'll do at this point is pushing 'Buy now' again. (Sometimes when I get these strange attacks of dumbness, I can't believe there's a 'Buy now' button but no way to enter any registration code or such and I'll try again... ;-)
You see all fields of your 'User Registration' window filled with information you've entered before. Close NU and start again. Info is still there.
PART II - The Anatomy of SalesAgent 3.0
You should now examine our target's files to get a rough overview of
what's going on.
Well, five should be more than enough I took a look at these:
Use BRW and/or W32dasm. Look at the import and export tables, resources,
headers and so on...
Check if they're encrypted/compressed. Use your imagination. What file can perform what task?
How does the scheme work?
Having felt enough you should come at least to these results:
- NORTON.EXE, SI32.EXE, NREGEDIT.EXE, ... have all the same size (243kb) -> can't be the real EXEs -> some kind of loader - ********.DL_s are encrypted -> the real EXEs -> will be loaded, decrypted, whatever... - *****POP.EXEs contain some resource saying 'Please wait while your software is being prepared.' and import CreateFileMapping -> this is the decryptor - *****TKY.DLLs not much here, you could even use it to buy Micro$oft Frontpage (see dialogs!) - RSAGNT32.DLL connects to internet server, contains resources for ENTERING REGISTRATION CODENow, how does our start process look like?
You start NU (NORTON.EXE) which uses RSAGNT32.DLL to check if you're in
your trial period and
then presents the 'NU for Win95 Trial' window.
If you push 'Try first' the NORTON.DL_ is being temporary decrypted and started.
If you push 'Buy now' NORTON.EXE uses RSAGNT32.DLL for getting user information, internet connection and REGISTRATION. After registration the *.DL_ files should be permanently decrypted.
So how do we get RSAGNT32.DLL to let us register?
PART III - Faking a mail/fax order
I've used W32Dasm to disassemble RSAGNT32.DLL.
First I examined it's import table to see what it is able to and to look for suspicious imports.
Huh, you'll find a lot. What should make your bells ring is that it's able to modify registry entries but also uses the absolete PrivateProfileString (*.INI) stuff.
This needs further investigation.
W32dasm finds the first appearance of GetPrivateProfileStringA here:
... * Reference To: KERNEL32.GetPrivateProfileStringA, Ord:0112h | :100015EE 8B35A8010210 mov esi, dword ptr [100201A8] * Possible StringData Ref from Data Obj ->"rsagent.ini" | ...Oops, it tries to read from a file called RSAGENT.INI And where are these *.ini thingies usually kept? Right, we'll find it in our 'windows' directory:
[ReleaseSoft] firstName=Goth lastName=Nosferatu company=! street1=! street2=! city=! state= zip=12345 country=United States geoType=110 phoneNum=! faxNum=! email=! personalCode= toneDial=1 callWait=0 needAccess=0 accessCode=9 intlPrefix= callWaitStr= mailStat-975135=0 ATTN=AT MTONEDIAL=T PULSEDIAL=P DIALTHIS=D WORDRESULT=V1 HANGUP=H0 ADDINIT=E0 ESCAPE=+++ OKAY=OK NOCARRIER=NO CARRIER CONNECTED=CONNECT NODIALTONE=NO DIALTONE BUSY=BUSYIt wasn't there right after the installation. So it must have been created while we tried to register the target in PART I.
PART IV - RSAGNT32.DLL's builtin KeyGenerator
We know that our 'Unlocking Code' will be recieved by dialog 2011. So
you should bpx
GetDlgItemTextA in Softice.
Enter a dummy unlock code (e.g. gothtog) and after pressing F12 Softice will popup here:
:10005612 mov edi, 10032E20 <= our unlocking code :10005617 or ecx, FFFFFFFF :1000561A xor eax, eax :1000561C repnz :1000561D scasb :1000561E not ecx :10005620 dec ecx :10005621 cmp ecx, 0000000A <= is it 10 chars long? :10005624 je 10005665 <= Yes! => Go for validation check! :10005626 lea edx, dword ptr [esp+10] No! => ... * Possible StringData Ref from Data Obj ->"Sorry, that unlocking code is" ->"not valid for this program." | :1000562A push 10023890 :1000562F push edx :10005630 call 10014590Step over the next instructions, toogle zero flag at 10005624 and step on till you reach:
:100056A8 push ecx :100056A9 push edx :100056AA push eax :100056AB call 1000B980 <= caculate the real code :100056B0 add esp, 0000000C :100056B3 lea ecx, dword ptr [esp+000000D8] :100056BA push 10032E20 <= our code :100056BF push ecx <= real code :100056C0 call 1001F5C0 <= compare :100056C5 add esp, 00000008 :100056C8 test eax, eax <= if compare fails (eax!=0) :100056CA jne 1000597C <= we'll get 'Sorry, that...' ...At 100056BA we dump ecx and get a perfect 10 chars long unlock code like: 'RQXKNKQJPP' (This code is only valid if your personal code was '1234567890'! Which btw can be reached if you modify your 'personalCode' entry and your 'mailStat-975135' in RSAGENT.INI!)
PART V - Summary and Additions
We won't have to deal with any encryption routines since SalesAgent 3.0
can be defeated
in less than 2 min:
- change 'personalCode=' to 'personalCode=1234567890' and 'mailStat-975135=0' to 'mailStat-975135=1' in RSAGENT.INI (If there's no RSAGENT.INI create one!)
- start the 'Buy now' procedure and
- enter 'RQXKNKQJPP' as unlock code.
Things left to do:
- a better investigation of SalesAgent's 'anatomy'
- a better reversing of RSAGNT32.DLL
- a keygenerator (Any volunteers?)
- a decoder for TurnKey encrypted EXEs
There's a hidden :-( entry in your registry like this:
After unlocking this entry changes... :-)
It won't be easy to patch the files 'cause they're doing extensive checksumming and stuff...
'It's an intelligent wrapper designed for electronic software
'It protects a publisher's intellectual property by securely encrypting software until it has been paid for.' (Release Software)
I'd like to thank reverser+ for maintaining his excellent site, +Natzgul, Stone and +Marigold for their very inspiring essays, +Aesculapius for taking the time to answer my mails and The Mage for being some kind of mentor in my AMIGA days (You'll never know where an ex-Iceman pops up!).
My best regards go to all those who still know the name of the Mad God. See ya all deep down Sinister Street! ;-)