Sept 1998
Rsagnt32.dll
How to debug with W32Dasm 8.9 II
Win '95 PROGRAM
Win Code Reversing
 
 
by VisualBB 
 
 
Code Reversing For Beginners 
 
 
 
Program Details
Program Name: KeyViewPro
Program Type: Multi File Viewer
Program Location:  http://www.keyview.com/
Program Size: 5,488,701(5.5mb)
 
   
Tools Used:
W32Dasm V8.9 - Disassembler
and W32DASM 8.9 ONLY 
 
Rating
Easy ( X )  Medium (  )  Hard (    )  Pro (    ) 
There is a crack, a crack in everything. That's how the light gets in.
 
  
 
KeyViewPro6
Written by VisualBB
 
 
 
Introduction
 
This program comes as a trial. It uses the RSAGNT.DLL file for protection. This file is CRC protected so no patches can be done. It creates a file called Keyview.exe that on running brings up the hated buy/try dialog. The program is OK and allows file viewing, though personally I prefer and use Quickview 4.5, which integrates seamlessly into Norton File Manager (the best).
 
About this protection system
 
InstallShield asks for a registration number or else installs a 30 day trial, with rsagnt.dll as the checking system. Files are CRC protected!
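To make the "CRC protected" claim concrete, here is a minimal file-integrity self-check of the kind such a DLL would carry. This is an added example, not code from the essay, from KeyViewPro or from rsagnt.dll; `MODULE_IMAGE`, `image_is_intact` and `patch_detected` are assumed names, and the image buffer is a constructed stand-in for the on-disk bytes of a protected module. It shows what such a check covers (the bytes on disk) and what it never sees (a value changed in a register or variable while the program runs).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Standard CRC-32 (IEEE 802.3, reflected form, polynomial 0xEDB88320),
 * computed bit by bit so no table is needed. */
uint32_t crc32_ieee(const uint8_t *buf, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Constructed stand-in for the on-disk image of a protected module
 * (assumption: a real check would hash the module's own file bytes). */
static const uint8_t MODULE_IMAGE[] =
    "constructed module image: check status, show dialog if zero";

/* A module carrying a recorded CRC compares it against its own bytes.
 * Returns 1 if the image matches the recorded value, 0 if it was patched. */
int image_is_intact(const uint8_t *image, size_t len, uint32_t recorded)
{
    return crc32_ieee(image, len) == recorded;
}

/* Flip one bit in a copy of the image, as a static file patch would,
 * and report whether the self-check notices. Returns 1 when detected. */
int patch_detected(void)
{
    uint32_t recorded = crc32_ieee(MODULE_IMAGE, sizeof MODULE_IMAGE);
    uint8_t patched[sizeof MODULE_IMAGE];
    memcpy(patched, MODULE_IMAGE, sizeof patched);
    patched[10] ^= 0x01;
    return !image_is_intact(patched, sizeof patched, recorded);
}

/* Change only a run-time variable (the analogue of the esi register the
 * essay inspects) and re-run the self-check: the image bytes are untouched,
 * so the check still passes. Returns 1 when detected, which it never is. */
int runtime_change_detected(void)
{
    uint32_t recorded = crc32_ieee(MODULE_IMAGE, sizeof MODULE_IMAGE);
    volatile int status = 0;   /* what the module computed */
    status = 1;                /* altered in memory, not on disk */
    (void)status;
    return !image_is_intact(MODULE_IMAGE, sizeof MODULE_IMAGE, recorded);
}

int main(void)
{
    printf("CRC-32 of image: %08X\n",
           crc32_ieee(MODULE_IMAGE, sizeof MODULE_IMAGE));
    printf("one-byte file patch detected: %d\n", patch_detected());
    printf("run-time value change detected: %d\n", runtime_change_detected());
    return 0;
}
```

The design point: a CRC over the file protects only the bytes it covers, and it is consulted at the moment it runs. It says nothing about what a debugger does to registers afterwards, which is exactly the gap the rest of this essay walks through.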
 
The Essay 
     
OK. Install the program and InstallShield comes up asking for a rego, or else the install will be a 30 day DEMO!

For now install it as a 30 day demo. On running it we get the usual rsagnt nag dialog to either buy or try. Buy leads to various screens which we ignore for this

NOTE: This crack works for ALL rsagnt protected "Trials". I have successfully used it on ALL Macromedia trials, eg. Dreamweaver, Fireworks, Aftershock etc.

Let's see what is in the install directory. We find of course rsagnt.dll, so we are confirmed.
Keyview.exe - this is the "BAD" file which brings up the BUY /TRY screen

Hullo, what's this? - KEYVIPOP.EXE

Let's run it. It comes up with a dialog showing files moving and then a dialog with the message that this program cannot continue at this point and to NOT delete this file as it will be needed. OK, let's W32Dasm the sucker.

Let's look in the string refs for our string - "You cannot run this application at this time."
Found it easily at the bottom. Double click on it and we see this code:

:00404C9E 83FEFF                  cmp esi, FFFFFFFF
:00404CA1 7504                    jne 00404CA7
:00404CA3 6A00                    push 00000000
:00404CA5 FFD3                    call ebx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404CA1(C)
|

* Reference To: USER32.MessageBoxA, Ord:0195h
                                  |
:00404CA7 8B3D88044300            mov edi, dword ptr [00430488]
:00404CAD 85F6                    test esi, esi <--Compare esi to 0
:00404CAF 752F                    jne 00404CE0 <-- Jump to continue making full ver

* Possible StringData Ref from Data Obj ->"You cannot run this application "<-- here is the string
                                        ->"at this time."
                                  |
:00404CB1 68F8D14100              push 0041D1F8
:00404CB6 68205B4200              push 00425B20
:00404CBB E870AF0000              call 0040FC30
:00404CC0 8B8C2418020000          mov ecx, dword ptr [esp+00000218]
:00404CC7 83C408                  add esp, 00000008

What brings us here? Just before this string there is a check on the value of esi and a jump to regions unknown if esi is NOT zero. What this means is that the proggy checks the value of esi and, if it is 0, continues on and displays the dialog that you cannot run the app at this time etc.
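To read the listing above as source-level logic, here is the stretch from :00404C9E to :00404CAF rewritten in C. This is an added example, not code from the essay or from KeyViewPro; `decide_launch`, `agent_status`, `exit_hook_t` and the two `PATH_*` names are assumed, and `call ebx` is modelled as a hook that merely records the call because the listing does not show what ebx points to. It makes plain that the whole buy/try decision rests on one register compare.

```c
#include <stdint.h>
#include <stdio.h>

/* Outcome of the branch at :00404CAF. */
enum launch_path {
    PATH_SHOW_CANNOT_RUN,   /* fall through to the MessageBoxA call at :00404CB1 */
    PATH_CONTINUE_FULL      /* jne 00404CE0 taken: carry on with the file copy */
};

/* :00404CA5 `call ebx` with a single 0 argument. The essay does not say what
 * ebx points to, so it is modelled here as a hook (assumption). */
typedef void (*exit_hook_t)(int);

static int hook_calls;
static void record_hook(int arg) { (void)arg; hook_calls++; }
int hook_call_count(void) { return hook_calls; }

/* agent_status plays the role of esi. */
enum launch_path decide_launch(int32_t agent_status, exit_hook_t hook)
{
    /* :00404C9E cmp esi, FFFFFFFF
     * :00404CA1 jne 00404CA7
     * :00404CA3 push 0
     * :00404CA5 call ebx          -- only when esi == -1; then falls through */
    if (agent_status == -1)
        hook(0);

    /* :00404CAD test esi, esi
     * :00404CAF jne 00404CE0      -- any non-zero value continues */
    if (agent_status != 0)
        return PATH_CONTINUE_FULL;

    /* :00404CB1 push "You cannot run this application at this time."
     * :00404CB6 push <title> ; :00404CBB call <show dialog> */
    return PATH_SHOW_CANNOT_RUN;
}

int main(void)
{
    const int32_t samples[] = { 0, 1, -1 };
    for (int i = 0; i < 3; i++) {
        enum launch_path p = decide_launch(samples[i], record_hook);
        printf("esi = %2d -> %s\n", samples[i],
               p == PATH_CONTINUE_FULL ? "continue (full version)"
                                       : "\"You cannot run this application\"");
    }
    printf("call ebx taken %d time(s)\n", hook_call_count());
    return 0;
}
```

Note that the -1 case is not a third outcome: after `call ebx` returns, execution falls into the same `test esi, esi`, and -1 is non-zero, so it continues just as 1 does. The only value that reaches the dialog is exactly 0.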

Time to check this out. Let's run the sucker in W32Dasm and check this code out. Set a breakpoint at :00404CAD.
Now load and run the file. Up comes the copying-files dialog box and then we break at our breakpoint. Check the value of esi and it is 0,
so the "You cannot run this application" dialog box code will fire.

Let's change the value of esi to NONZERO, or 1. Click the modify data button, type 1, click the small button named "esi" and see that the value is now 1. Write this to memory by clicking the "MODIFY" button. Now run, or press the F9 key.

Surprise, surprise: the file copy continues and up pops the FULL version of KeyViewPro. Help > About reveals the truth that this is the full version and is registered to the name you entered on installation.

WE ARE NOW FULLY REGISTERED.
 
The 'Crack' 
 
There is no crack needed, as the program self-upgrades you if the previously outlined steps are followed. Remember this works for ALL RSAGNT32.DLL protected programs. Get them and crack them.
 
 
Final Notes 
 
I cannot believe that people pay to have such LAME protections for their expensively priced programs. This is a lesson to readers that to crack a program it is not always necessary to go the direct way. There is always a backdoor open a crack. The trick is to find it and wedge it WIDE OPEN!!

Greets to the author of that great cracking tool W32DASM!
 
My thanks and gratitude goes to:-
 
Fravia+ for providing possibly the greatest source of Reverse Engineering
knowledge on the Web.
 
+ORC for showing me the light at the end of the tunnel.
 
Ob Duh 
 
Do I really have to remind you all that buying and NOT stealing the software you use will ensure that these software houses will continue to produce even *better* software for us to use and, more importantly, continue offering even more challenges to breaking their often weak protection systems.
 
If you're looking for cracks or serial numbers on these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.
   


 
 
 


Essay by: VisualBB
Page Created:  12 Sept 1998