July 1999 

How to crack the RSAGENT protection system.

4 different approaches.

 

Win '95 PROGRAM - Win Code Reversing

by The Hobgoblin

Code Reversing For Beginners

Program Details
Program Name: None specified
Program Type: None specified
Program Location: Not specified
Program Size: unknown
Tools Used: Softice V4.00 - W32Dasm V8.93 - HIEW 6.0x
Rating: Easy ( X )  Medium ( )  Hard ( )  Pro ( )

RSAGENT - cracking. Written by The Hobgoblin

Introduction 

Greetings to all crackers out there.

Every now and then I see newbies post questions related to programs protected by the rsagent system. I have taken the liberty to compile some material about how to crack this kind of protection. Some of it is techniques I have learned from more experienced crackers, some is self-taught and based on my own experience.

My thanks go to McCodeman, VisualBB and +Indian for teaching me something about this protection system. Without their tutorials this one would not have been written.

I also extend my thanks to +Sandman, +Fravia (and all the rest of you dedicated crackers out there) for keeping information about code reversing and the necessary tools available.

About this protection system 

The RSAGENT system is a protection system used to make shareware programs expire after 30 days and become useless unless you register them. It has a characteristic opening nag screen that is easy to recognize; anyone who has ever tried out a Macromedia trial product has seen it. I don't know too much about it, really. Actually, I know more about how to crack it than about its history. Besides, the main purpose of this tutorial/compilation is not to give an in-depth explanation of how the RSAGENT protection is built. The purpose is to show that it can be cracked in several different ways.
Some programs protected by rsagent are: Norton Antivirus, Norton Utilities, Adobe ImageStyler, Adobe ImageReady, KeyViewPro, all the Macromedia products and some others I don't remember the name of.

The Essay  

Approach no.1 - manipulation of the ...pop.exe file.

All the programs protected by rsagent use ...pop.exe files. After installing a program you will see filenames like these (I use Fireworks 2.0 as an example; you will find these files in the folder named fireworks2 after you have installed Fireworks 2 on your computer):

Fireworks2.dl_

Firewpop.exe

Fireworks2.exe

The fireworks2.dl_ is a big file, and the other two are rather small. This is how it looks while the program is unregistered and in the trial period. After entering the correct serial(s), or after cracking/manipulating the firewpop.exe file, fireworks2.dl_ and fireworks2.exe merge into one big file named fireworks2.exe.

This happens with all programs using the rsagent protection system. The only difference is that the filenames vary from program to program. (As you will see in the next example, in Dreamweaver 2 the names are dreamweaver.dl_, dreamweaver.exe and dreampop.exe.)

The file that runs the process of merging the files into one is the ...pop.exe file. When you double-click on it, you'll see a message box popping up. It first says "Please wait while your software is being prepared...", and then it says "You cannot run this application at this time."

Now, if you had entered the correct serial, and the program was asking for only one serial (this is the case with Norton Antivirus, Norton Utilities, KeyView and a couple of other programs I have seen), you would have seen the first of these messages and then the program would have installed itself as registered. So the question here is: how can we crack the ...pop.exe file so it goes on as registered and merges the two files?

 

I will use Fireworks as an example of how we can crack the ...pop.exe file using W32Dasm and a hex editor. The first example shows how we can patch the firewpop.exe file.

Disassemble firewpop.exe in W32Dasm, and then open up the string reference dialog box. Trace down until you find the words "You cannot run this application", and double-click on that line. You will end up here (I have listed all the code that I think is necessary to understand before the patching is made):

 

:00404C0E FF1564A04100            Call dword ptr [0041A064]

:00404C14 E8D7F9FFFF              call 004045F0

:00404C19 83F8FF                  cmp eax, FFFFFFFF

:00404C1C 7513                    jne 00404C31

:00404C1E 6A00                    push 00000000

 

* Reference To: USER32.PostQuitMessage, Ord:01E0h

                                  |

:00404C20 FF15D8A14100            Call dword ptr [0041A1D8]

:00404C26 33C0                    xor eax, eax

:00404C28 81C440050000            add esp, 00000540

:00404C2E C21000                  ret 0010

* Referenced by a (U)nconditional or (C)onditional Jump at Address:

|:00404C1C(C)

|

:00404C31 85C0                    test eax, eax

:00404C33 7542                    jne 00404C77

* Possible StringData Ref from Data Obj ->"You cannot run this application "

                                        ->"at this time."

                                  |

:00404C35 6804C24100              push 0041C204

:00404C3A 68802E4200              push 00422E80

:00404C3F E874BF0000              call 00410BB8

:00404C44 8B8C244C050000          mov ecx, dword ptr [esp+0000054C]

:00404C4B 83C408                  add esp, 00000008

:00404C4E 6830000100              push 00010030

 

* Possible StringData Ref from Data Obj ->"WARNING"

                                  |

:00404C53 68FCC14100              push 0041C1FC

:00404C58 68802E4200              push 00422E80

:00404C5D 51                      push ecx

 

* Reference To: USER32.MessageBoxA, Ord:01BEh

                                  |

:00404C5E FF150CA24100            Call dword ptr [0041A20C]

:00404C64 6A00                    push 00000000

 

* Reference To: USER32.PostQuitMessage, Ord:01E0h

                                  |

:00404C66 FF15D8A14100            Call dword ptr [0041A1D8]

:00404C6C 33C0                    xor eax, eax

:00404C6E 81C440050000            add esp, 00000540

:00404C74 C21000                  ret 0010

 

* Referenced by a (U)nconditional or (C)onditional Jump at Address:

|:00404C33(C)

|

:00404C77 83F801                  cmp eax, 00000001

:00404C7A 0F855F010000            jne 00404DDF

:00404C80 8B15402E4200            mov edx, dword ptr [00422E40]

:00404C86 68C06B4200              push 00426BC0

:00404C8B 83C232                  add edx, 00000032

:00404C8E 8D842404010000          lea eax, dword ptr [esp+00000104]

:00404C95 52                      push edx

 

* Possible StringData Ref from Data Obj ->"Turnkexe%s%s"

                                  |

:00404C96 68ECC14100              push 0041C1EC

:00404C9B 50                      push eax

:00404C9C E817BF0000              call 00410BB8

:00404CA1 83C410                  add esp, 00000010

:00404CA4 8D8C2400010000          lea ecx, dword ptr [esp+00000100]

 

Okay. The text is written in the box by the call at 00404C3F. Take a look at the conditional jump at 00404C33. If the program jumps here, it will continue down to 00404C77. Take another good look at 00404C96. Here starts the process of merging the two files. So we really want the program to come here, don't we? If we only change the conditional jump at 00404C33 so it always jumps to 00404C77, then we have to manipulate the jump at 00404C7A as well. This is a possible way to crack it, but I like to do it another way. At both conditional jumps, the path we want is the one the program takes when the value in eax is 1. So why not check out the call(s) before the first jump?

Take a look at this:

 

:00404C14 E8D7F9FFFF              call 004045F0

:00404C19 83F8FF                  cmp eax, FFFFFFFF

:00404C1C 7513                    jne 00404C31

 

If you look at the address 00404C33, you will see that the test before this conditional jump is only reached through the conditional jump at 00404C1C.

Check out the call at address 00404C14. If we can get that call to return eax=1, the program will make the necessary jumps and continue as we want it to. If you check out the call, you will see that it's only called once. So, why not change the code at 00404C14 from

 

00404C14 E8D7F9FFFF          call 004045F0

to

00404C14 B801000000          mov eax, 00000001

 

Make the patch, and then double-click on the firewpop.exe file. Crack done? NOT SO! An ugly dialog box pops up saying: General protection fault blah blah blah (or something similar to that). Now, click on Details, and write down the address reference you see. This is what I wrote down: 00403D11

When I checked this address in W32Dasm, I saw this code:

00403D11 C70064000000  mov dword ptr [eax], 00000064

The program apparently does some calculation/checking to see whether some code has been changed or not. Well, try to nop it out, and try to double-click on the file again. Same thing happens! Check out the address in the dialog box you now see, and do the same thing all over again. What happens now?

Ah, program cracked...

If you search the disassembled code for occurrences of mov dword ptr [eax], 00000064 you will find several (six, I think), but only two of them matter for us.

All rsagent protected programs can be cracked using this method. (I found some changes in Flash 4 from Macromedia, though. The programmers have changed the code slightly. In Flash 4 you will not find the text string "You cannot run this application". Just look for the string * Possible StringData Ref from Data Obj ->"Turnkexe%s%s", scroll upwards from there, and you'll see the code you'll have to patch.)
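The crash the author runs into after patching shows that the ...pop.exe file carries an in-process tamper check of its own code. As an added, defender-side illustration (this is not RSAgent code; the PE layout built by build_pe is constructed test data, not a real binary, and the 37-byte "code" is a constructed stretch around the five bytes quoted above), the script below shows the explicit form of such a check: it locates the code section of a PE file using the documented header layout, hashes it, and compares the result with a digest recorded from a known-good build, so a copy whose call has been replaced by mov eax, 1 fails verification.

```python
"""Code-section integrity check for a PE file (added example, not RSAgent code).

Assumes a PE file with at least one section flagged IMAGE_SCN_CNT_CODE.
"""
import hashlib
import hmac
import struct

IMAGE_SCN_CNT_CODE = 0x00000020


def code_section_bytes(pe: bytes) -> bytes:
    """Return the raw bytes of the first code section in a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER (20 bytes)
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size              # section table follows the optional header
    for i in range(num_sections):
        hdr = table + 40 * i                  # each IMAGE_SECTION_HEADER is 40 bytes
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)
        flags = struct.unpack_from("<I", pe, hdr + 36)[0]
        if flags & IMAGE_SCN_CNT_CODE:
            return pe[raw_ptr:raw_ptr + raw_size]
    raise ValueError("no code section found")


def code_digest(pe: bytes) -> str:
    """SHA-256 of the code section, as recorded for a known-good build."""
    return hashlib.sha256(code_section_bytes(pe)).hexdigest()


def verify_code_section(pe: bytes, expected_digest: str) -> bool:
    """True if the code section still matches the recorded digest."""
    return hmac.compare_digest(code_digest(pe), expected_digest)


def build_pe(code: bytes) -> bytes:
    """Constructed minimal PE layout with one .text section (test data only,
    not loadable as a program)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, 1 section, no optional header, characteristics EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)
    raw_ptr = 0x200
    section = (b".text".ljust(8, b"\0")
               + struct.pack("<IIII", len(code), 0x1000, len(code), raw_ptr)
               + struct.pack("<IIHHI", 0, 0, 0, 0, IMAGE_SCN_CNT_CODE | 0x60000000))
    return (dos + b"PE\0\0" + coff + section).ljust(raw_ptr, b"\0") + code


# Constructed sample: a stretch of code containing the call the tutorial
# patches (E8 D7 F9 FF FF), and the same stretch with the call replaced by
# mov eax, 1 (B8 01 00 00 00).
ORIGINAL_CODE = b"\x90" * 16 + bytes.fromhex("E8D7F9FFFF") + b"\x90" * 16
PATCHED_CODE = b"\x90" * 16 + bytes.fromhex("B801000000") + b"\x90" * 16


def demo() -> tuple:
    """Record the digest of the good build, then check both copies."""
    good = build_pe(ORIGINAL_CODE)
    expected = code_digest(good)
    return (verify_code_section(good, expected),
            verify_code_section(build_pe(PATCHED_CODE), expected))


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The point for a defender is in where the check runs: a digest computed inside the same file it guards is only as strong as the code doing the computing, which is exactly what the two crash sites above demonstrate. A check enforced outside the binary, such as an Authenticode signature verified by the loader or a published hash checked by the installer, does not share that weakness.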

 

Approach no.2.

In this approach we will use the debugger in W32Dasm to get the ...pop.exe file to merge the two files together. I will use Fireworks2 as an example here too. Load W32Dasm with firewpop.exe, and find the place listed above. Now, start up the debugger in W32Dasm, and put a breakpoint on the address 00404C31. Then press F9 (run program). You will see the message box again, and then the program halts at the breakpoint. Now, open up the modify data dialog box in W32Dasm, and check the Z check box at the top. It has the value of zero; change that to 1 by clicking once on it. Click on Modify, and then Close. Now, press F7, and you will see the program jump as we want it to. Continue to press F7 and you'll see that the same thing happens at 00404C7A: no jump, exactly as we want it. Hit the Run button and see what happens.

Well, well, well....

The two files merge nicely, and the program is cracked. What we actually did here was to change the value of eax in memory, and then run the program. The changes we made are only valid until we close the W32Dasm debugger again. The nice thing about this protection system is that after the files are merged together, it doesn't matter if we close the debugger we use and thereby erase what we did in memory. The program is permanently cracked. We could also have used Softice here.

This approach also works for all the programs protected with rsagent. But beware: sometimes the first comparison and conditional jump look different from this one. Sometimes the program compares the value stored in edi instead of eax. Then you have to change the value in edi instead of eax when you run the W32Dasm debugger.

 

Approach no.3 

Another way to crack these programs is by tracing and finding the crucial places to patch in the code using the Softice loader. This time I will use Dreamweaver 2 as an example. Start up the loader, and open up dreamweaver.exe in it. After some tracing you will end up here (when you trace, use F10; we're looking for the call(s) that invoke the opening nag screen, and we will for the moment avoid some "endless" tracing):

 

:00408CB4 E817D2FFFF              call 00405ED0

:00408CB9 83F8FF                  cmp eax, FFFFFFFF

:00408CBC 55                      push ebp

:00408CBD 750B                    jne 00408CCA

 

* Reference To: USER32.PostQuitMessage, Ord:01B3h

                                  |

:00408CBF FF15B8A54400            Call dword ptr [0044A5B8]

:00408CC5 E981000000              jmp 00408D4B

 

* Referenced by a (U)nconditional or (C)onditional Jump at Address:

|:00408CBD(C)

:00408CCA 8B742464                mov esi, dword ptr [esp+64]

 

When I F10'd over the call at 00408CB4, the nag was invoked. I put a breakpoint on the address, and after re-running the program I did r eip eip+5. Softice jumped to 00408CB9. When I hit F5, the program ended. I then loaded dreamweaver.exe in W32Dasm to take a look at the routine called from 00408CB4. I'm not going to list it; it was quite long. But the interesting thing was that it's only called from the address above. And the routine contained all the string references you will see when the program expires etc. You will also find the checkpoint for the time (cmp eax, 1E) and the DialogBoxParamA call that determines how the nag screen is going to look after the return of the routine. (By the way, can you see the similarity between the code listed here and the code listed under approach no.1?)

So I ran the program in softice again, and traced through the routine several times, changing the register values and altering the conditional jumps, just to get a feeling on how the program reacted towards various ways of manipulation.

Okay, I noticed that when the program is within the 30 day trial, the call returns eax=1. And when the returned value in eax was 1, the program jumped at 00408CBD to avoid the start of the quitting routine.

So, why not patch the call.

I changed

00408CB4 E817D2FFFF      call 00405ED0

to

00408CB4 B801000000      mov eax, 00000001

Now, this wasn't enough. When I tried to run the program after patching it, I experienced the same error messages as described in approach no.1. If you just follow the same routine here, getting the addresses to be patched from the error message box, you're home free. Here too you will get two error messages. The code you have to patch is exactly the same.

Program cracked.

I have successfully cracked Dreamweaver 2 and Fireworks 2 this way. I will be really surprised if you can't crack other rsagent protected programs the same way.

You can of course also patch the routine itself, for instance the time check code. Or, as I learned from reading a tutorial written by +Indian (at Fravia's site), patch the DialogBoxParamA code snippet so it always runs as in a trial period. Then you have to patch some code before and after the call to the DialogBoxParamA routine.

An interesting thing here is that after patching the program this way, it doesn't merge the two files as described earlier.

 

Approach no.4

You can also sniff out the serial(s) by using Softice and the Windows registry (!)

I will use Dreamweaver 2 as an example. When you run the program, the first thing you see is the trial nag. When you click on the Buy button, you will see a quite big registration form that is to be filled out and mailed to the company that made the program. Now, we don't need that. What we want is the registration form where we can fill in a serial.

Okay. Do a search on your computer for a file called rsagent.ini. You'll find it in your c:\windows\ folder. Open it up and look for strings like this:

Mailstat - 391842=0

The numbers vary from program to program. Replace the 0 with 1. Do that in all the mailstat strings. (If you have installed more than one rsagent protected program, you will find more than one.) Save it and close it. When you run Dreamweaver again and push the Buy button in the opening nag, you will see a different registration form. First check the check box at the lower left. If it's greyed out and contains a number, that's okay. If not, open rsagent.ini again, and fill out the string called personalcode with ten digits. It's important that it's ten. Now, fill in the name boxes, and then fill in the serial box. IMPORTANT! Use ten letters, and they have to be capital letters. If you fill in something other than ten letters, the program jumps over the place where we can find the first serial.
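The reason a one-character edit to rsagent.ini changes the program's behaviour is that the mailstat flag is stored as plain text with nothing binding it to the installation. As an added example (this is not RSAgent's format; the key name and value are taken from the line quoted above, and the key, the personalcode value and the record layout are constructed), here is the same state kept as an HMAC-sealed record: the same edit, 0 to 1, is detected because the tag no longer verifies.

```python
"""Tamper-evident license state record (added example, not RSAgent's format)."""
import hashlib
import hmac
from typing import Dict, Optional

# Constructed key for the example. A shipped product would have to derive a
# per-install key or, better, keep the authoritative state on a server.
DEMO_KEY = b"example-only-key-do-not-ship"


def seal_state(fields: Dict[str, str], key: bytes) -> str:
    """Serialise the fields deterministically and append an HMAC-SHA256 tag."""
    body = ";".join(f"{k}={v}" for k, v in sorted(fields.items()))
    tag = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{body};mac={tag}"


def open_state(record: str, key: bytes) -> Optional[Dict[str, str]]:
    """Return the fields if the tag verifies, None if the record was altered."""
    body, sep, tag = record.rpartition(";mac=")
    if not sep:
        return None                      # no tag at all: treat as tampered
    expected = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None                      # any edit to the body breaks the tag
    return dict(item.split("=", 1) for item in body.split(";"))


def demo() -> tuple:
    """Seal a constructed state record, then apply the 0 -> 1 edit to it."""
    record = seal_state({"Mailstat - 391842": "0", "personalcode": "0000000000"}, DEMO_KEY)
    tampered = record.replace("Mailstat - 391842=0", "Mailstat - 391842=1")
    return (open_state(record, DEMO_KEY)["Mailstat - 391842"],
            open_state(tampered, DEMO_KEY))


if __name__ == "__main__":
    print(demo())  # ('0', None)
```

The key has to live somewhere the program can read it, so on a purely client-side scheme this only raises the cost of the edit from a text editor to reverse engineering; it does not replace validating registration state on a server. Note also that the flag flipped here only selects which registration form is shown, so the serial check in rsagent32.dll that the author goes on to describe still runs afterwards.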

Now, open Softice, do a bpx GetDlgItemTextA, exit Softice and hit OK.

Softice will break in at :10005B42 (in the rsagent32.dll file). At :10005B51 you will see that the serial you entered is compared with A (=10). If they are equal, the program jumps to :10005B95. Now, if you trace down a little bit (in Dreamweaver hit F10 26 times), then do d ecx, and you will see a ten letter serial in capital letters. This is the correct serial.

Now, exit Softice, fill in the serial (you have to do it twice), and see what happens. That's right, you're asked to fill in a second serial.

(Before we move on, take a look at the files we work with here. The two important files have now been merged, and still we have to fill in another serial.)

Well, why not use Softice and W32Dasm to crack the final serial check. (We do not find the correct serial this way, but we manipulate the program to accept whatever serial we enter. We can find the correct serial an easy way, though. When we have installed the trial version, and BEFORE we enter our first ten letter serial, just open the Windows registry, go to HKEY_LOCAL_MACHINE\MACROMEDIA\DREAMWEAVER\2\REGISTRATION and you'll see the correct serial. (This is for Dreamweaver 2.) But once you have opened the program with the first serial, the original serial is replaced with the one you have entered.) Quite strange, actually.

Well, open Softice, put a bpx on MessageBoxA, exit Softice, fill in the fake serial and hit OK. Softice breaks, and you land at address 005B6743. Hit F11 once, push the button on the wrong serial nag and you're back in Softice. Hit F12 twice, and you should be at this address: 005B4045. Now, scroll upwards until you reach the call at 005B3CE1. If you study the code you will see why this call looks interesting. If this call returns eax=1, the program eventually jumps over the call to the wrong serial nag screen. Enter the call and scroll down to the second call at 0041103D. Enter it and scroll down until you reach 00411164 8BC6 mov eax, esi. If you check the eax register now it says 0. Cool!

Just change

00411164 8BC6 mov eax, esi

to

00411164 40 inc eax

00411165 90 nop

 

This way the program always returns eax=1 from the call made at 005B3CE1. Now, whatever serial you enter, the program will become registered. Program cracked.

Regarding serials: I cracked an earlier version of Dreamweaver earlier this year, and then I found the serial hardcoded in the disassembled text. I didn't bother looking this time. Check it out yourself.

A nice touch: when you crack the Macromedia programs using the ...pop.exe file method, check out the About box. If I recall this right, you will then see what your second serial is supposed to be.

There are differences between the programs that use the rsagent protection system. All Macromedia products require a second serial. If you try to crack Norton Antivirus, Norton Utilities and KeyViewPro, for instance, you only need the first serial. And if I recall it right, Adobe ImageStyler and Adobe ImageReady have no Buy button in the trial nag screen. (I might be wrong about this. Anyway, that's not a problem. You can easily manipulate the program to show you the Buy button too.)

Final Notes  

Okay, folks, that's all.

I sincerely hope this can be helpful for some newbies out there.

At least some more crackers now understand how you can get around the rsagent system. (Hopefully!)

The hobgoblin.

 

Ob Duh  

Finally, I totally agree with the following statement:

Do I really have to remind you all that by buying and NOT stealing the software you use, you will ensure that these software houses will be encouraged to produce even *better* software for us to use and enjoy.

Ripping off software through serials and cracks is for lamers.

If you're looking for cracks or serial numbers from these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.
 


   
