The Ticket Agent is Out to Lunch
Busting through the newest (6/99) rsagnt32.dll in order to "Purchase" Macromedia products
Not Assigned
21 June 1999
by Sojourner
Courtesy of Fravia's page of reverse engineering
slightly edited by fravia+
fra_00xx 980621 Sojourner 0100 NA PC
Well, I'm sure the nice people at Macromedia will enjoy reading this. Leaving that info on the splash screen is what lawyers would call a "culpa in vigilando", and protectors should take due note of this aspect. I just wonder, Sojourner, if it would not be worth investigating a little more WHY the target refuses older editions of the rsagnt32.dll. I mean, would it not be interesting to compel this kind of target to run on an older (and already fully reversed) copy of the rsagnt32.dll? In fact: I subscribe 100% to Sojourner's assertion: "We make a program do what we want, eventually that is, as soon as we find out what it really does want". That's exactly what reversers do, "cognitio rei per causas", if you allow me to use two Latin sentences in the same introduction :-) Enjoy!
There is a crack, a crack in everything
That's how the light gets in
Rating: ( )Beginner (x)Intermediate ( )Advanced ( )Expert
"A good introduction to the newest line of Macromedia electronic purchasing .dll's. Beginner and intermediate reversers alike can see that not everything is black and white within the world of cracking / reversing. Although seemingly straightforward, getting this puppy to do my bidding was not simple under my circumstances. More below."
The Ticket Agent is Out to Lunch (rsagnt32.dll)
Written by Sojourner
Everything I have learned about software reversing has been because this web site exists and provides needed info to would-be reversers. Things change, and we need to be alert and change as well, especially when the software companies change their methods. I'm grateful to all the essay writers and to +ORC and Fravia+ for all they have done and continue to do in the name of education and freedom. Please read over the whole essay first before really "doing" anything, because sometimes I go back and insert snippets I may have initially forgotten to mention, and these may not necessarily be in the exact location where they should be.
W32DASM 8.9
Borland Resource Workshop
Colored Markers
Download Flash 4 at www.macromedia.com to get the newest release of rsagnt32.dll.
This .dll has been used on all of Macromedia's downloaded software for quite some time and its basic function is to allow you to purchase their product "securely" in a variety of ways, including over the web, phone, and by snail mail with a variety of payment methods.
I love Macromedia products and appreciate them providing their software over the net for anyone who may want it. Usually, you can download a fully working trial that has a 30 day limit. Pretty good deal, huh?
I mentioned above that this session was not that easy for me, and the reason was that after I had downloaded Flash 4 and installed it under Win98 I received an error message and the program wouldn't start. Eventually I installed it under WinNT 4.0 and was able to get it running properly. Now the juicy part begins.
Go ahead and run the Flash 4 prog. If your installation was successful you'll get the Macromedia splash screen for Flash 4 and it will say that you have 30 days left on your trial. Now the prog will not advance until you make a choice. On the right hand side of the splash screen you will have the opportunity to either Try the prog or even Buy it.
Go ahead and choose the Buy option and you will get to a screen that will take all kinds of info from you. I went ahead and used a credit card for the purchase and was sure that I was not connected to the Web. I just don't trust them, and my modem has the sound turned off, so I wouldn't know otherwise. Okay, sometime in the future I will go ahead and find a solution for all those who have no credit cards, but not today.
Oh, yes, before I forget: make sure you write down the serial number that Macromedia gives you at the bottom of that initial splash screen. You'll need it later after you "buy" the prog and it unfolds to the full version. Also, thank Macromedia for being so generous with that very important number. Have you written it down? If you don't, you'll find that the number will disappear after you have bought the prog and that will take some time to recover, believe me. Yes, you probably could reinstall it, but I don't know for sure. Why take the chance?
1. Now, you need to disassemble both Flash 4 and the rsagnt32.dll located within Flash's directory. You should notice that there are 2 important Flash references in the directory where it is installed, Flash.exe and Flash.dl_, which eventually becomes the full executable. Just disassemble the small 252 kb flash.exe at this time.
I also looked into the progs with Borland Resource Workshop and did not find any references to strings that I needed. Now this was after I had looked into the guts of the progs from within W32DASM 8.9. Of course, there were many strings, but nothing helpful. So where's the code, already? Just hang onto your underwear. A thoughtful preamble can save you a lot of online time, friend. Remember +ORC's old lessons: we need to use our most important asset carefully, our brain.
Did you go ahead and "buy" your program yet? You have probably seen that after you have printed out your receipt you can now go in and place your "unlock" code in the little space where it asks you for it. What, you don't have an unlock code? Whatever was I thinking about? Did you get any messages when you input the wrong code? Did you even put in a fake unlock code? Come on. This is a learning experience. Put something in. I actually know the correct code, BUT, I didn't until I went into my search mode. You may be able to discover it as well, but it really doesn't matter. We make the program do what we want, eventually that is, when we find out what it really does want.
So let's fire up W32DASM, load the disassembled flash.exe and run the prog.
Again, we're back at the same start up screen I mentioned early on. Since you've already "bought" the prog, we still have to "unlock" it now without further ado. Please go ahead and input some number in the "unlock" space provided and then push the "enter" key. You will see a little box come up and give you an error message - unless you hit the nail on the head first time... highly unlikely, my friend.
Remember, we're still in the Flash prog and there is nothing discernible that says otherwise. At this point, what would you do? Yes, go ahead and think about this for a minute while I go download some code for you to see.
----------------------
That didn't take too long, did it? Well, what did you come up with? Don't be shy. It's just you and me. Hopefully, I've already given you a big hint at the very beginning and you know we're delving into the rsagnt32.dll, and not really the Flash prog, even though you'll end up with it anyway. You could not get the Flash prog without doing this other, more important work. Since I have a good history with the rsagnt32.dll, I knew I had to load it up, which I did. So go ahead and load the .dll to the running program. Just double click on it in the .dll window and it will ask you if you want to load the .dll - say yes. Now, the Flash will apparently be gone and replaced with the rsagnt32.dll.
rsagnt32.dll
We are where we need to be to actually start this lesson. If you haven't already done so, take some time to peruse the string listing. You really won't find much of any help here anymore. Yes, I say anymore, because the old rsagnt32.dll is no more - literally. This newer .dll is much more clever than its predecessor. In the old .dll you could find gobs of useful string references, which made the earlier .dll very easy to work around compared to its modern brother. I couldn't even cheat and put in the old .dll because the Flash prog recognized the difference and strictly refused to run.
So, what did you come up with? What do we do next? A couple of things come to mind. We might set a breakpoint for DialogBoxParamA, but we're already at the dialog box. Maybe we could set one on User32.GetDlgItemTextA, as we see below. I actually set to break on any User32.MessageBoxA and this is the first that W32DASM caught:
* Reference To: USER32.GetDlgItemTextA, Ord:0104h
|
:100059D8 8B1D4C120210 mov ebx, dword ptr [1002124C]
:100059DE 83C404 add esp, 00000004
:100059E1 6A0B push 0000000B
:100059E3 68E4950210 push 100295E4
:100059E8 68BF010000 push 000001BF
:100059ED 55 push ebp
:100059EE FFD3 call ebx
:100059F0 BFE4950210 mov edi, 100295E4
:100059F5 83C9FF or ecx, FFFFFFFF
:100059F8 33C0 xor eax, eax
:100059FA F2 repnz
:100059FB AE scasb
:100059FC F7D1 not ecx
:100059FE 49 dec ecx
:100059FF 83F90A cmp ecx, 0000000A
:10005A02 7451 je 10005A55
:10005A04 8D9424B8010000 lea edx, dword ptr [esp+000001B8]
:10005A0B 68FF0F0000 push 00000FFF
:10005A10 52 push edx
:10005A11 6870010000 push 00000170
:10005A16 E885150100 call 10016FA0
:10005A1B 6A17 push 00000017
:10005A1D E89E150100 call 10016FC0
:10005A22 83C410 add esp, 00000010
:10005A25 8D8424B8010000 lea eax, dword ptr [esp+000001B8]
:10005A2C 6A30 push 00000030
:10005A2E 680C220410 push 1004220C
:10005A33 50 push eax
:10005A34 55 push ebp
* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:10005A35 FF1548120210 Call dword ptr [10021248]
:10005A3B 8B0DB48D0210 mov ecx, dword ptr [10028DB4]
:10005A41 5F pop edi
:10005A42 5E pop esi
:10005A43 5D pop ebp
:10005A44 66C741040000 mov [ecx+04], 0000
:10005A4A 83C8FF or eax, FFFFFFFF
:10005A4D 5B pop ebx
:10005A4E 81C4A8110000 add esp, 000011A8
:10005A54 C3 ret
As you can see, there just aren't a whole lot of words wasted here. So the question is, "Now that I'm here, what do I do?" It may have been too late for you to catch what went on while you were arriving at this location. I mean, if you push the "Run" button in W32DASM, why, you're just here. What I suggest you do this go round, since we can do this as often as you like without penalty here, is to set the code window to accept APIs and then walk through the code watching the window as it changes, and you will eventually see a watch window pop up that shows the MessageBoxA and what is in it. What is in it is a nasty message, "Invalid Unlocking Code." The problem for us is, we can't see it just by looking at the code ourselves, not until after the fact. Okay, logically, you may presume as I did, that I'll just look close by and see if I can't jump that bugger, and that is exactly what I did. As you'll see, just above the MessageBoxA function, about 15 lines, you'll see this type of jump (the je at 10005A02). You can go ahead and change this to EB51, which forces it to jump over this junk.
Now run it again and what do you get? "Invalid Unlocking Code" of course. Who said all of this would be easy? So apparently we didn't solve the dilemma. But why? We jumped over this lousy MessageBoxA. Go back and examine the cmp directly in front of the je at 100059FF. Do you remember that I said to put any number you wanted in the "Unlock" box? This compare checks that. You can see for yourself if you'll put a quick breakpoint at 10005A02 and run the prog again. Now check ecx, and depending on how many numbers you've typed in you'll see a corresponding hex code to that effect. I checked this a couple of times myself to be sure of this. So, if you have typed exactly 10 single-digit numbers you will easily jump this part without changing any code whatsoever. This is great! But we still have the "Invalid Unlock Code" message.
What we need to do now is follow the jump from 10005A02 to 10005A55. Allow me to go get some more code for you to see.
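Two inline-string idioms carry this whole check: the `repnz scasb / not ecx / dec ecx` sequence at 100059F0-100059FE that leaves the length of the text read by GetDlgItemTextA in ecx for the `cmp ecx, 0000000A`, and the `shr ecx,2 / rep movsd / and ecx,3 / rep movsb` sequence at 10005A55-10005A8A in the next listing, which copies that text. The C below is an added model of those instruction sequences written for this essay (it is not Macromedia's code and reproduces nothing from the .dll); `scasb_length`, `unlock_text_length_ok` and `rep_movs_copy` are names chosen here, and the inputs in the comments are constructed.

```c
#include <stdint.h>
#include <string.h>

/* or ecx,-1 ; xor eax,eax ; repnz scasb ; not ecx ; dec ecx
 * Returns the value ECX holds when execution reaches "cmp ecx, 0000000A". */
static uint32_t scasb_length(const char *edi)
{
    uint32_t ecx = 0xFFFFFFFF;      /* or ecx, FFFFFFFF: maximum count */
    uint8_t  al  = 0;               /* xor eax, eax: we scan for the NUL byte */

    /* repnz scasb: compare AL with [EDI], advance EDI, decrement ECX,
     * repeat while ECX != 0 and the bytes differed (ZF clear). */
    while (ecx != 0) {
        uint8_t b = (uint8_t)*edi++;
        ecx--;
        if (b == al)
            break;
    }
    ecx = ~ecx;                     /* not ecx: bytes scanned, NUL included */
    return ecx - 1;                 /* dec ecx: plain strlen() */
}

/* The test at 100059FF/10005A02: "je 10005A55" is taken only when the
 * text typed into the unlock box is exactly ten characters long. */
static int unlock_text_length_ok(const char *text)
{
    return scasb_length(text) == 0x0A;
}

/* The copy at 10005A55-10005A8A: "not ecx" with no "dec", so the NUL is
 * counted; "sub edi, ecx" rewinds EDI to the start of the string; then
 * shr ecx,2 / rep movsd moves whole dwords and and ecx,3 / rep movsb
 * moves the 0-3 leftover bytes. Returns the byte count, as EAX holds it. */
static uint32_t rep_movs_copy(uint8_t *dst, const char *src)
{
    uint32_t eax = scasb_length(src) + 1; /* not ecx without dec ecx */
    uint32_t ecx = eax >> 2;              /* shr ecx, 02 */
    const uint8_t *esi = (const uint8_t *)src;
    uint8_t *edi = dst;

    while (ecx--) {                       /* rep movsd */
        memcpy(edi, esi, 4);
        edi += 4;
        esi += 4;
    }
    ecx = eax & 3;                        /* and ecx, 00000003 */
    while (ecx--)                         /* rep movsb */
        *edi++ = *esi++;
    return eax;                           /* e.g. "abcdefg" -> 8 */
}
```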
* Referenced by a Jump at Address:10005A02(C)
|
:10005A55 BFD8950210 mov edi, 100295D8
:10005A5A 83C9FF or ecx, FFFFFFFF
:10005A5D 33C0 xor eax, eax
:10005A5F 8D542410 lea edx, dword ptr [esp+10]
:10005A63 F2 repnz
:10005A64 AE scasb
:10005A65 F7D1 not ecx
:10005A67 2BF9 sub edi, ecx
:10005A69 8BC1 mov eax, ecx
:10005A6B 8BF7 mov esi, edi
:10005A6D 8BFA mov edi, edx
:10005A6F 8B15B48D0210 mov edx, dword ptr [10028DB4]
:10005A75 C1E902 shr ecx, 02
:10005A78 F3 repz
:10005A79 A5 movsd
:10005A7A 8BC8 mov ecx, eax
:10005A7C 81C206010000 add edx, 00000106
:10005A82 83E103 and ecx, 00000003
:10005A85 8D442410 lea eax, dword ptr [esp+10]
:10005A89 F3 repz
:10005A8A A4 movsb
:10005A8B 8D4C2444 lea ecx, dword ptr [esp+44]
:10005A8F 51 push ecx
:10005A90 52 push edx
:10005A91 50 push eax
:10005A92 E8A96C0000 call 1000C740
:10005A97 8D4C2450 lea ecx, dword ptr [esp+50]
:10005A9B 68E4950210 push 100295E4
:10005AA0 51 push ecx
:10005AA1 E81AA60100 call 100200C0
:10005AA6 83C414 add esp, 00000014
:10005AA9 85C0 test eax, eax
:10005AAB 0F85BE020000 jne 10005D6F
:10005AB1 8D9424B8000000 lea edx, dword ptr [esp+000000B8]
:10005AB8 68FF000000 push 000000FF
:10005ABD 52 push edx
:10005ABE 6A71 push 00000071
:10005AC0 55 push ebp
:10005AC1 FFD3 call ebx
:10005AC3 8DBC24B8000000 lea edi, dword ptr [esp+000000B8]
:10005ACA 83C9FF or ecx, FFFFFFFF
:10005ACD 33C0 xor eax, eax
:10005ACF F2 repnz
:10005AD0 AE scasb
:10005AD1 F7D1 not ecx
:10005AD3 49 dec ecx
:10005AD4 8BF1 mov esi, ecx
:10005AD6 754B jne 10005B23
:10005AD8 8D8424B8010000 lea eax, dword ptr [esp+000001B8]
:10005ADF 68FF0F0000 push 00000FFF
:10005AE4 50 push eax
:10005AE5 6A19 push 00000019
:10005AE7 E8B4140100 call 10016FA0
:10005AEC 83C40C add esp, 0000000C
:10005AEF 8D8C24B8010000 lea ecx, dword ptr [esp+000001B8]
:10005AF6 6A30 push 00000030
:10005AF8 680C220410 push 1004220C
:10005AFD 51 push ecx
:10005AFE 55 push ebp
* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:10005AFF FF1548120210 Call dword ptr [10021248]
:10005B05 6A71 push 00000071
:10005B07 55 push ebp
* Reference To: USER32.GetDlgItem, Ord:0102h
|
:10005B08 FF1568120210 Call dword ptr [10021268]
:10005B0E 50 push eax
* Reference To: USER32.SetFocus, Ord:022Fh
|
:10005B0F FF15B8120210 Call dword ptr [100212B8]
:10005B15 5F pop edi
:10005B16 5E pop esi
:10005B17 5D pop ebp
:10005B18 83C8FF or eax, FFFFFFFF
:10005B1B 5B pop ebx
:10005B1C 81C4A8110000 add esp, 000011A8
:10005B22 C3 ret
At 10005AAB you'll see another jne. If you set a breakpoint here you'll see that you may be thrown to that area which is another MessageBoxA with a bad message (push 1004220C). BUT - if we inc eax, dec eax (40,48) all the way through the code at 10005AAB, it will allow us to slide on down to 10005AD6 with another jne. Set a breakpoint here and run the prog again. Be sure you either have changed the previous je at 10005A02 or put in the correct number of integers (10). Now force the jne at 10005AD6 to a jump (EB4B) and single step to 10005B2D and you'll see the name you entered earlier on. Notice also that we are being set up for another MessageBoxA just a few lines further down, and also notice that that rotten message "Invalid Unlocking Code" does not appear in the pushes this time. Actually we're almost home now.
I've purposely left out the serial number that this program requires to finish unlocking Flash 4 fully. There are actually 2 that it will accept and they are in plain view in the string listing for the rsagnt32.dll. After you get the correct serial number input and press enter, you will get a message saying that the program is being set up for use. Remember earlier I said that there were 2 references to Flash that were important? Well, this is where things change and the very small Flash executable (253kb) is erased to be replaced by a much larger Flash executable. "So?", you may say. The reason is, W32DASM ceases to work with the prog you were running because it doesn't exist anymore. Just quit and shut down W32DASM, open your new Flash 4 and put in the Macromedia serial number required to run it. Hope you wrote it down like I mentioned earlier. I would recommend keeping this rsagnt32.dll somewhere safe, because if you download any new Macromedia stuff you'll surely run into it again and there's no sense reinventing the wheel. Right?
* Referenced by a Jump at Address:10005AD6(C)
|
:10005B23 8D9424B8000000 lea edx, dword ptr [esp+000000B8]
:10005B2A 6A1D push 0000001D
:10005B2C 52 push edx
:10005B2D 6884D30210 push 1002D384
:10005B32 E8491F0100 call 10017A80
* Reference To: USER32.SetDlgItemTextA, Ord:022Ch
|
:10005B37 8B1D28120210 mov ebx, dword ptr [10021228]
:10005B3D 83C40C add esp, 0000000C
:10005B40 C605A1D3021000 mov byte ptr [1002D3A1], 00
:10005B47 6884D30210 push 1002D384
:10005B4C 6A71 push 00000071
:10005B4E 55 push ebp
:10005B4F FFD3 call ebx
:10005B51 83FE1E cmp esi, 0000001E
* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:10005B54 8B3548120210 mov esi, dword ptr [10021248]
:10005B5A 7229 jb 10005B85
:10005B5C 8D8424B8010000 lea eax, dword ptr [esp+000001B8]
:10005B63 68FF0F0000 push 00000FFF
:10005B68 50 push eax
:10005B69 6A1A push 0000001A
:10005B6B E830140100 call 10016FA0
:10005B70 83C40C add esp, 0000000C
:10005B73 8D8C24B8010000 lea ecx, dword ptr [esp+000001B8]
:10005B7A 6A30 push 00000030
:10005B7C 680C220410 push 1004220C
:10005B81 51 push ecx
:10005B82 55 push ebp
:10005B83 FFD6 call esi
You may email me if needed: jomamameister@yahoo.com
I will work on completing this reversing project for those of you who could not completely follow. Enjoy and use what you have learned. Also: share it! Others need you.
I won't even bother explaining to you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell.