XingMPEG Encoder v2.2 - Tutorial

http://www.xingtech.com - Webpage.
xme220t.exe - (1.83Mb)

Welcome again. In this tutorial I'm going to demonstrate just how greedy today's application developers have become and why software vendors should use Release Software Corporation's Sales Agent at their own peril.

I chose XingMPEG Encoder as an example of a good product with this poor protection, so without further ado let's take a look. When you first launch the program you'll be confronted with several options, so let's select Buy Now. At this point you'll have to fill in a registration form, so disconnect your modem immediately. Usually when you find these forms the most sophisticated thing you can do with them is print out a *.txt file.

However, this form is actually very useful (from here we can enable our product), so fill in your details and select yes to buy $249.00 worth of retail, then you'll get more options. Read them carefully and you'll realise the only option of interest to you is Order by Phone. Now, you're going to have to find some credit card details; use one of the ubiquitous number generators available on the net if you haven't one of your own, since you're never going to actually dial Xing anyhow.

At the next screen you are asked to input your unlock code (immediately you should be setting those breakpoints); >bpx GetDlgItemTextA works well.

:1000B2CC MOV EDI,1002B460 <-- EDI points at the serial entered.
:1000B2D1 OR ECX,-01 <-- ECX=-1.
:1000B2D4 XOR EAX,EAX <-- EAX=0.
:1000B2D6 REPNZ SCASB <-- Repeat not zero and scan byte.
:1000B2D8 NOT ECX <-- Invert ECX.
:1000B2DA DEC ECX <-- String length routine, place result in ECX.
:1000B2DB CMP ECX,0A <-- Was the string length 10 (0Ah)?
:1000B2DE JZ 1000B31B <-- Jump_good_buyer.
.....
:1000B32D PUSH 1002B510 <-- Push a generated code, which seems to do nothing.
:1000B332 CALL 1000B8D0 <-- Calculate another code.
:1000B337 ADD ESP,0C <-- Stack tidy.
:1000B33A PUSH 1002B460 <-- Push Serial entered here.
:1000B33F PUSH 1002B530 <-- Push New Good Code (letters) here.
:1000B344 CALL 1001FA10 <-- Compare your_code with good_code.
:1000B349 ADD ESP,08 <-- Tidy stack.
:1000B34C TEST EAX,EAX <-- Test EAX for 0.
:1000B34E JNZ 1000B32B <-- Jump_bad_buyer.

Well, note the REPNZ SCASB instruction from this code. It's a classic string length checking routine. Note that all of this code is inside the file rsagnt32.dll (here I have v1,6,0,0, length 537,088 bytes), and also note the number generated by the program. I didn't investigate whether this code is actually generated from the credit card number or other details; in other versions of the dll this value is never calculated. Perhaps someone would like to check out the various dll versions and post a note on it.
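
The string length idiom at 1000B2CC to 1000B2DE, emulated one instruction at a time in C so the arithmetic behind NOT ECX / DEC ECX is visible. This is an added example, not code from the original tutorial or from rsagnt32.dll; the function names and sample strings are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Emulates the x86 idiom from the listing, one instruction per step. */
static uint32_t scasb_strlen(const char *s)
{
    const uint8_t *edi = (const uint8_t *)s; /* MOV EDI,<buffer>  */
    uint32_t ecx = 0xFFFFFFFFu;              /* OR  ECX,-01       */
    uint8_t al = 0;                          /* XOR EAX,EAX       */

    /* REPNZ SCASB: while ECX != 0, compare AL with [EDI], advance EDI,
       decrement ECX, and stop once the compare sets ZF (byte == AL). */
    while (ecx != 0) {
        int zf = (*edi == al);
        edi++;
        ecx--;
        if (zf)
            break;
    }

    ecx = ~ecx; /* NOT ECX: bytes scanned, terminator included */
    ecx--;      /* DEC ECX: drop the terminator -> length      */
    return ecx;
}

/* CMP ECX,0A / JZ: the length check at 1000B2DB (hypothetical name). */
static int passes_length_gate(const char *s)
{
    return scasb_strlen(s) == 0x0A;
}

int main(void)
{
    /* Constructed sample inputs, not real unlock codes. */
    const char *samples[] = { "", "ABC", "ABCDEFGHIJ", "ABCDEFGHIJK" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("\"%s\": len=%u gate=%d\n", samples[i],
               (unsigned)scasb_strlen(samples[i]),
               passes_length_gate(samples[i]));
    return 0;
}
```

Starting ECX at -1 makes it count down once per byte scanned, so after the terminator is found NOT ECX yields the number of bytes scanned and DEC ECX removes the terminator from the count.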

On a wider discussion, the Sales Agent protection is incredibly weak, and all of the programs that I have seen work on code very similar to the above example; I would guess there are a fair few versions of the dll out there. I can only implore software developers to stop using this product. In fact, each time I find an application which uses this protection I am going to name and shame it on my linked page to this tutorial; I'll also show how much money the respective developer is losing by using a scheme which can be defeated in under 3 minutes.


© 1998 CrackZ. 30th May 1998.