The Ticket Agent is Out to Lunch
Busting through the newest (6/99) rsagnt32.dll in order to "Purchase" Macromedia products
student
Not Assigned
21 June 1999
by Sojourner
Courtesy of Fravia's page of reverse engineering
slightly edited
by fravia+
fra_00xx
980621
Sojourner
0100
NA
PC
Well, I'm sure the nice people at Macromedia will enjoy reading this. Leaving that info on the splash screen is what lawyers would call a "culpa in vigilando", and protectors should take duly note of this aspect.
I just wonder, Sojourner, if it would not be worth to investigate a little more WHY the target refuses older editions of the rsagnt32.dll. I mean, would it not be interesting to compel this kind of targets to run on an older (and already fully reversed) copy of the rsagnt32.dll? In fact: I subscribe 100% to Sojourner's assertion: "We make a program do what we want, eventually that is, as soon as we find out what it really does want". That's exactly what reversers do, "cognitio rei per causas", if you allow me to use two latin sentences in the same introduction :-)
Enjoy!
There is a crack, a crack in everything That's how the light gets in
Rating
()Beginner (x )Intermediate ( )Advanced ( )Expert


"A good introduction to the newest line of Macromedia electronic purchasing .dll's
Beginner and intermediate reversers alike can see that not everything is black and white within the world of cracking / reversing. Although seemingly straightforward, getting this puppy to do my bidding was not simple under my circumstances. More below.
The Ticket Agent is Out to Lunch (rsagnt32.dll)

Written by Sojourner


Introduction
Everything I have learned on software reversing has been because this web site exists and provides needed info to wouldbe reversers. Things change, and we need to be alert and change as well, especially when the software companies change their methods. I'm grateful to all essays' writers and to +Orc, Fravia+ for all they have done and continue to do in the name of education and freedom. Please read over the whole essay first before really "doing" anything because sometimes I am going back and inserting snippets I may have initially forgotten to mention, and these may not necessarily be in the exact location where they should be.

Tools required

W32DASM 8.9

Borland Resource Workshop

Colored Markers

Target's URL/FTP
Download Flash 4 at www.macromedia.com to get the newest release of rsagnt32.dll.

Program History
This .dll has been used on all of Macromedia's downloaded software for quite some time and its basic function is to allow you to purchase their product "securely" in a variety of ways, including over the web, phone, and by snail mail with a variety of payment methods.

Essay
I love Macromedia products and appreciate them providing their software over the net for anyone who may want it. Usually, you can download a fully working trial that has a 30 day limit. Pretty good deal, huh? I mentioned above that this session was not that easy for me and the reason was because after I had downloaded the Flash 4 and installed it under Win98 I received an error message and the program wouldn't start.

Eventually I installed it under WinNT 4.0 and was able to get it running properly. Now the juicy part begins.

Go ahead and run the Flash 4 prog. If your installation was successful you'll get the Macromedia splash screen for Flash 4 and it will say that you have 30 days left on your trial. Now the prog will not advance until you you make a choice. On the right hand side of the splash screen you will have the opportunity to either Try the prog or even Buy it.

Go ahead and choose the Buy option and you will get to a screen that will take all kinds of info from you. I went ahead and used a credit card for the purchase and was sure that I was not connected to the Web. I just don't trust them, and my modem has the sound turned off, so I wouldn't know otherwise. Okay, sometime in the future I will go ahead and find a solution for all those who have no credit cards, but not today.

Oh, yes, before I forget: Make sure you write down the serial number that Macromedia gives you at the bottom of that initial splash screen. You'll need it later after you "buy" the prog and it unfolds to the full version. Also, thank Macromedia for being so generous with that very important number. Have you written it down? If you don't, you'll find that the number will disappear after you have bought the prog and that will take some time to recover, believe me. Yes, you probably could reinstall it, but I don't know for sure. Why take the chance?
1. Now, you need to disassemble both Flash 4 and the rsagnt32.dll located within Flash's directory. You should notice that there are 2 important Flash references in the directory where it is installed, Flash.exe and Flash.dl_, which eventually becomes the full executible. Just disassemble the small 252 kb flash.exe at this time.

I also looked into the progs with Borland Resource Workshop and did not find any references to strings that I needed. Now this was after I had looked into the guts of the progs from within W32DASM 8.9. Of course, there were many strings, but nothing helpful. So where's the code, already? Just hang onto your underwear. A thoughtful preamble can save you alot of online time friend.
Remember +ORC's old lessons- we need to use our most important asset carefully- our brain.
Did you go ahead and "buy" your program yet? You have probably seen that after you have printed out your receipt you can now go in and place your "unlock" code in the little space where it asks you for it. What you don't have an unlock code? Whatever was I thinking about? Did you get any messages when you input the wrong code? Did you even put in a fake unlock code? Come on. This is a learning experience. Put something in. I actually know the correct code, BUT, I didn't until I went into my search mode. You may be able to discover it as well, but it really doesn't matter. We make the program do what we want, eventually that is, when we find out what it really does want.
So let's fire up W32DASM and load the disassembled flash.exe and run the prog. Again, we're back at the same start up screen I mentioned early on. Since you've already "bought" the prog, we still have to "unlock" it now without further adieu.
Please go ahead and input some number in the "unlock" space provided and then push the "enter" key. You will see a little box come up and give you an error message - unless you hit the nail on the head first time... highly unlikely, my friend.

Remember, we're still in the Flash prog and there is nothing that is discernible that says otherwise. At this point, what would you do? Yes, go ahead and think about this for a minute while I go download some code for you to see.----------------------

That didn't take too long did it? Well, what did you come up with? Don't be shy. It's just you and me. Hopefully, I've already given you a big hint at the very beginning and you know we're delving into the rsagnt32.dll, and not really the Flash prog, even though, you'll end up with it anyway. You could not get the Flash prog without doing this other more important work. Since I have a good history with the rsagnt32.dll, I knew I had to load it up which I did. So go ahead and load the .dll to the running program. Just double click on it in the .dll window and it will ask you if you want to load the .dll- say yes. Now, the Flash will apparently be gone and replaced with the rsagnt32.dll.

rsagnt32.dll
We are where we need to be to actually start this lesson. If you haven't already done so, take some time to peruse the string listing. You really won't find much of any help here anymore. Yes, I say anymore, because the old rsagnt32.dll is no more- literally.
This newer .dll is much more clever than its predecessor. In the old .dll you could find gobs of useful string references which made the earlier .dll very easy to work around compared to its modern brother. I couldn't even cheat and put in the old .dll because the Flash prog recognized the difference and strictly refused to run.
So, what did you come up with? What do we do next? A couple of things come to mind. We might set a breakpoint for DialogBoxParamA, but we're already at the dialog box. Maybe we could set to User32.GetDlgItemTextA as we below. I actually set to break on any User32.MessageBoxA and this is the first that W32DASM caught
* Reference To: USER32.GetDlgItemTextA, Ord:0104h
                                  |
:100059D8 8B1D4C120210            mov ebx, dword ptr [1002124C]
:100059DE 83C404                  add esp, 00000004
:100059E1 6A0B                    push 0000000B
:100059E3 68E4950210              push 100295E4
:100059E8 68BF010000              push 000001BF
:100059ED 55                      push ebp
:100059EE FFD3                    call ebx
:100059F0 BFE4950210              mov edi, 100295E4
:100059F5 83C9FF                  or ecx, FFFFFFFF
:100059F8 33C0                    xor eax, eax
:100059FA F2                      repnz
:100059FB AE                      scasb
:100059FC F7D1                    not ecx
:100059FE 49                      dec ecx
:100059FF 83F90A                  cmp ecx, 0000000A
:10005A02 7451                    je 10005A55
:10005A04 8D9424B8010000          lea edx, dword ptr [esp+000001B8]
:10005A0B 68FF0F0000              push 00000FFF
:10005A10 52                      push edx
:10005A11 6870010000              push 00000170
:10005A16 E885150100              call 10016FA0
:10005A1B 6A17                    push 00000017
:10005A1D E89E150100              call 10016FC0
:10005A22 83C410                  add esp, 00000010
:10005A25 8D8424B8010000          lea eax, dword ptr [esp+000001B8]
:10005A2C 6A30                    push 00000030
:10005A2E 680C220410              push 1004220C
:10005A33 50                      push eax
:10005A34 55                      push ebp
* Reference To: USER32.MessageBoxA, Ord:01BEh
                                  |
:10005A35 FF1548120210            Call dword ptr [10021248]
:10005A3B 8B0DB48D0210            mov ecx, dword ptr [10028DB4]
:10005A41 5F                      pop edi
:10005A42 5E                      pop esi
:10005A43 5D                      pop ebp
:10005A44 66C741040000            mov [ecx+04], 0000
:10005A4A 83C8FF                  or eax, FFFFFFFF
:10005A4D 5B                      pop ebx
:10005A4E 81C4A8110000            add esp, 000011A8
:10005A54 C3                      ret
As you can see, There just aren't a whole lot of words wasted here. So the question is, "Now that I'm here, What do I do?" It may have too late for you to catch what went on while you were arriving at this location. I mean, if you push the "Run" button in W32DASM, why you're just here. What I suggest you do this go round, since we can do this as often as you like without penalty here, is to set the code window to accept API's and then walk through the code watching the window as it changes and you will eventually see a watch window pop up that shows the MessageBoxA and what is in it. What is in it is a nasty message, "Invalid Unlocking Code." The problem for us is, we can't see it just by looking at the code ourselves, not until after the fact. Okay, logically, you may presume as I did, that I'll just look close by and see if I can't jump that bugger and that is exactly what I did. As you'll see, just above the MessageBoxA function about 15 lines, you'll see this type of jump. You can go ahead and change this to EB51 which forces it to jump over this junk. Now run it again and what do you get? "Invalid Unlocking Code" of course. Who said all of this would be easy?
So apparently we didn't solve the dilemma. But why? We jumped over this lousy MessageBoxA. Go back and examine the cmp directly in front of the je at 100059FF. Do you remember that I said to put any number you wanted to in the "Unlock" box? This compare checks that. You can see for yourself if you'll put a quick breakpoint at 10005A02 and run the prog again. Now check ecx, and depending on how many numbers you've typed in you'll see a corresponding hex code to that effect. I checked this a couple of times myself to be sure of this. So, if you have typed exactly 10 single-digit numbers you will easily jump this part without changing any code whatsoever.
This is great! But we still have the "Invalid Unlock Code" message.

What we need to do now is follow the jump from 10005A02 to 10005A55. Allow me to go get some more code for you to see.
* Referenced by a Jump at Address:10005A02(C)
|
:10005A55 BFD8950210              mov edi, 100295D8
:10005A5A 83C9FF                  or ecx, FFFFFFFF
:10005A5D 33C0                    xor eax, eax
:10005A5F 8D542410                lea edx, dword ptr [esp+10]
:10005A63 F2                      repnz
:10005A64 AE                      scasb
:10005A65 F7D1                    not ecx
:10005A67 2BF9                    sub edi, ecx
:10005A69 8BC1                    mov eax, ecx
:10005A6B 8BF7                    mov esi, edi
:10005A6D 8BFA                    mov edi, edx
:10005A6F 8B15B48D0210            mov edx, dword ptr [10028DB4]
:10005A75 C1E902                  shr ecx, 02
:10005A78 F3                      repz
:10005A79 A5                      movsd
:10005A7A 8BC8                    mov ecx, eax
:10005A7C 81C206010000            add edx, 00000106
:10005A82 83E103                  and ecx, 00000003
:10005A85 8D442410                lea eax, dword ptr [esp+10]
:10005A89 F3                      repz
:10005A8A A4                      movsb
:10005A8B 8D4C2444                lea ecx, dword ptr [esp+44]
:10005A8F 51                      push ecx
:10005A90 52                      push edx
:10005A91 50                      push eax
:10005A92 E8A96C0000              call 1000C740
:10005A97 8D4C2450                lea ecx, dword ptr [esp+50]
:10005A9B 68E4950210              push 100295E4
:10005AA0 51                      push ecx
:10005AA1 E81AA60100              call 100200C0
:10005AA6 83C414                  add esp, 00000014
:10005AA9 85C0                    test eax, eax
:10005AAB 0F85BE020000            jne 10005D6F
:10005AB1 8D9424B8000000          lea edx, dword ptr [esp+000000B8]
:10005AB8 68FF000000              push 000000FF
:10005ABD 52                      push edx
:10005ABE 6A71                    push 00000071
:10005AC0 55                      push ebp
:10005AC1 FFD3                    call ebx
:10005AC3 8DBC24B8000000          lea edi, dword ptr [esp+000000B8]
:10005ACA 83C9FF                  or ecx, FFFFFFFF
:10005ACD 33C0                    xor eax, eax
:10005ACF F2                      repnz
:10005AD0 AE                      scasb
:10005AD1 F7D1                    not ecx
:10005AD3 49                      dec ecx
:10005AD4 8BF1                    mov esi, ecx
:10005AD6 754B                    jne 10005B23
:10005AD8 8D8424B8010000          lea eax, dword ptr [esp+000001B8]
:10005ADF 68FF0F0000              push 00000FFF
:10005AE4 50                      push eax
:10005AE5 6A19                    push 00000019
:10005AE7 E8B4140100              call 10016FA0
:10005AEC 83C40C                  add esp, 0000000C
:10005AEF 8D8C24B8010000          lea ecx, dword ptr [esp+000001B8]
:10005AF6 6A30                    push 00000030
:10005AF8 680C220410              push 1004220C
:10005AFD 51                      push ecx
:10005AFE 55                      push ebp
* Reference To: USER32.MessageBoxA, Ord:01BEh
                                  |
:10005AFF FF1548120210            Call dword ptr [10021248]
:10005B05 6A71                    push 00000071
:10005B07 55                      push ebp
* Reference To: USER32.GetDlgItem, Ord:0102h
                                  |
:10005B08 FF1568120210            Call dword ptr [10021268]
:10005B0E 50                      push eax
* Reference To: USER32.SetFocus, Ord:022Fh
                                  |
:10005B0F FF15B8120210            Call dword ptr [100212B8]
:10005B15 5F                      pop edi
:10005B16 5E                      pop esi
:10005B17 5D                      pop ebp
:10005B18 83C8FF                  or eax, FFFFFFFF
:10005B1B 5B                      pop ebx
:10005B1C 81C4A8110000            add esp, 000011A8
:10005B22 C3                      ret
At 10005AAB you'll see another jne. If you set a breakpoint here you'll see that you may be thrown to that area which is another MessageBoxA with a bad message (push 1004220C). BUT- if we inc eax, dec eax (40,48) all the way through the code at 10005AAB, it will allow us to slide on down to 10005AD6 with another jne.
Set a breakpoint here and run the prog again. Be sure you either have changed the previous je at 10005A02 or put in the correct number of integers (10). Now Force the jne at 10005AD6 to a jump (EB4B)and single step to 10005B2D and you'll see the name you entered earlier on. Notice also that we are being set up for another MessageBoxA just a few lines further down, and also notice that that rotten message "Invalid Unlocking Code" does not appear in the pushes this time. Actually we're almost home now.

I've purposely left out the serial number that this program requires to finish unlocking the Flash 4 fully. There are actually 2 that it will accept and they are in plain view in the string listing for the rsagnt32.dll. After you get the correct serial number input and press enter, you will get a message saying that the program is being set up for use. Remember earlier I said that there were 2 references to Flash that were important? Well, this is where things change and the very small executible Flash (253kb) is erased to be replaced by a much larger executible Flash. "So?", you may say.
The reason is, W32DASM ceases to work with this prog you were running because it doesn't exist anymore. Just quit and shut down W32DASM and open your new Flash 4 and put in the Macromedia serial number required to run it. Hope you wrote it down like I mentioned earlier. I would recommend keeping this rsagnt32.dll somewhere safe because if you download any new Macromedia stuff you'll surely run into it again and there's no sense inventing the wheel again. Right?
* Referenced by a Jump at Address:10005AD6(C)
|
:10005B23 8D9424B8000000          lea edx, dword ptr [esp+000000B8]
:10005B2A 6A1D                    push 0000001D
:10005B2C 52                      push edx
:10005B2D 6884D30210              push 1002D384
:10005B32 E8491F0100              call 10017A80
* Reference To: USER32.SetDlgItemTextA, Ord:022Ch
                                  |
:10005B37 8B1D28120210            mov ebx, dword ptr [10021228]
:10005B3D 83C40C                  add esp, 0000000C
:10005B40 C605A1D3021000          mov byte ptr [1002D3A1], 00
:10005B47 6884D30210              push 1002D384
:10005B4C 6A71                    push 00000071
:10005B4E 55                      push ebp
:10005B4F FFD3                    call ebx
:10005B51 83FE1E                  cmp esi, 0000001E
* Reference To: USER32.MessageBoxA, Ord:01BEh
                                  |
:10005B54 8B3548120210            mov esi, dword ptr [10021248]
:10005B5A 7229                    jb 10005B85
:10005B5C 8D8424B8010000          lea eax, dword ptr [esp+000001B8]
:10005B63 68FF0F0000              push 00000FFF
:10005B68 50                      push eax
:10005B69 6A1A                    push 0000001A
:10005B6B E830140100              call 10016FA0
:10005B70 83C40C                  add esp, 0000000C
:10005B73 8D8C24B8010000          lea ecx, dword ptr [esp+000001B8]
:10005B7A 6A30                    push 00000030
:10005B7C 680C220410              push 1004220C
:10005B81 51                      push ecx
:10005B82 55                      push ebp
:10005B83 FFD6                    call esi    
Final Notes
You may email me if needed: jomamameister@yahoo.com

I will work on completing this reversing project for those of you who could not completely follow. Enjoy and use what you have learned. Also: share it! Others need you.

Ob Duh
I wont even bother explaining you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell.

You are deep inside fravia's page of reverse engineering, choose your way out:

redhomepage redlinks redsearch_forms red+ORC redstudents' essays redacademy database
redreality cracking redhow to search redjava-script wars
redtools redanonymity academy redcocktails redantismut CGI-scripts redmail_fravia+
redIs reverse engineering legal?