How To Crack
Release Software Corporation's SalesAgent


You'll need:
Softice, a sheed of paper a pen and a programming language


1. What is the SalesAgent?
2. Identifying SalesAgent?
3. Let's crack it
3.1 Creating the rsagent.ini file
3.2 Differences between v2,6,0,0 and v2,7,01
3.3 Programing the keymaker
4.0 Getting the Serial Number <g>

5.0 SalesAgent Registry entry


1.What is the SalesAgent?

SalesAgent is a program that allows to register a 30 day evaluation program via Internet, Fax and Telephone. After you've registered the program you'll receive an Unlocking code and sometimes additionally a serial number. After you entered the Unlock Code the program mutates to the unlimited full version!

Right now, I know two famous software developers which are using the SalesAgent:
It's
Symantec and Macromedia!



2. Identifying SalesAgent

If you start a prog. and there is a "BUY NOW" button it's possibly the SalesAgent.
To make it sure go into the program's directory and look for the files rsagnt32.dll and rsdll.dll.
I'll call this two DLL's simply the Sales Agent DLL's.



3.1. Creating the rsagent.ini file

Just to make sure delete the file \windows\rsagent.ini (if there is one)
Click the "BUY NOW" button and fill out the form click next till you've been asked for your creditcard. Now click cancel. Open \windows\rsagent.ini.
Search for the entry "mailStat-xxxxxx=0" (x = any number ) change = 0 to = 1



3.2. Differences between v2,6,0,0 and v2,7,01

OK! SalesAgent generated the rsagent.ini in this .ini it wrote the Personal Code (e. g. personalCode=1004433422). Depending on the Personal Code it may generate the Unlock Code!!

With SalesAgent 2,6,0,0 things were easy! The so called Personal Code wasn't personal! That means you just had to release the rsagent.ini file with the Unlock Code.
Try this: "personalCode =Magic_Mike"
Then run App! If the prog. reports the
Personal Code has changed you know it's >v2,6

SalesAgent v2,7,0,1 really creates a
Personal Code! That means when you copy the rsagent.ini to a other PC and click "BUY NOW" Sales Agent tells you that the Personal Code has changed - but that's no prob. It's just important to know!



3.3 Get the Unlock Code

Run program then click the "BUY NOW" button and you'll be asked for a Unlock Code!
Set breakpoint to "bpx GetDlgItmTextA" w/o the ".
Enter 10 chars into the textbox and click OK. Whoops Softice pops up press F11 and we're here:


:10005602 BF400E0310
:10005607 83C9FF
:1000560A 33C0
:1000560C F2
:1000560D AE
:1000560E F7D1
:10005610 49
:10005611 83F90A
:10005614 743F
:10005616 8D542410
mov edi, 10030E40
or ecx, FFFFFFFF
xor eax, eax
repnz
scasb
not ecx
dec ecx
cmp ecx, 0000000A
; 10 chars entered?
je 10005655
; Good Boy
lea edx, dword ptr [esp+10]
* Possible StringData Ref from Data Obj ->"Sorry, that unlocking code is "
->"not valid for this program."

.
.
.
:10005655 BF60B00210
:1000565A 83C9FF
:1000565D 33C0
:1000565F 8D94240C010000
:10005666 F2
:10005667 AE
:10005668 F7D1
:1000566A 2BF9
:1000566C 8BC1
:1000566E 8BF7
:10005670 8BFA
:10005672 8B15D4170310
:10005678 C1E902
:1000567B F3
:1000567C A5
:1000567D 8BC8
:1000567F 81C206010000
:10005685 83E103
:10005688 8D84240C010000
:1000568F F3
:10005690 A4
:10005691 8D8C24D8000000
:10005698 51
:10005699 52
:1000569A 50
:1000569B E8B0620000
:100056A0 83C40C
:100056A3 8D8C24D8000000
:100056AA 68400E0310
:100056AF 51
:100056B0 E8FBA30100
:100056B5 83C408
:100056B8 85C0
:100056BA 0F85AC020000
mov edi, 1002B060 ; EDI = PersonalCode
or ecx, FFFFFFFF
xor eax, eax
lea edx, dword ptr [esp+0000010C]
repnz
scasb
not ecx
sub edi, ecx
mov eax, ecx
mov esi, edi
mov edi, edx
mov edx, dword ptr [100317D4]
shr ecx, 02
repz
movsd
mov ecx, eax
add edx, 00000106
and ecx, 00000003
lea eax, dword ptr [esp+0000010C]
repz
movsb
lea ecx, dword ptr [esp+000000D8]
push ecx
push edx
push eax
call 1000B950
; Unlock Code will Generated in here
add esp, 0000000C
lea ecx, dword ptr [esp+000000D8]
;ECX = UnlockCode
push 10030E40
push ecx
call 1001FAB0
add esp, 00000008
test eax, eax
jne 1000596C
.
.
.
.

OK the rest is easy! All you need is a piece of paper and a pen!
Set breakpoints at
:1000565A and :100056AA
When softice stops at
:100565A do this:

Type "d edi" (you'll see the Personal Code in the data window - if not enter wd 5)
ed (change the
Personal Code to 0000000000)
Ctrl+D

Softice stops at :100056AA do this

Type "d ecx" (you'll see the Unlock Code for 0000000000)
write it down.

Proceed by changing Personal Code from 1111111111 till 9999999999 and write each Unlock Code down!


Now we could program the keymaker we have the matrix!!


Here an example of a possible matrix:

Personal Code Unlock Code
0000000000 = ABCDEFGHIJ
1111111111 = KLMNOPQRST
..  
9999999999 = ??????????

Let's assume our
Personal Code is: 1001001001
Then the
Unlock Code would be: KBCNEFQHIT



4.0 Getting the Serial Number <g>

After you've succesfully unlocked the program a dialog-box pops up asking for the Serial Number.
You can enter whatever you want and the box dissapears.

For Symantec programs we're done. But Macromedia programs asks you for the serial no. again!

Let's take Macromedia's Fireworks 1.0 for example:

It will show you the first diggits of the s/n like: FWW100-
so let's enter some crap and press enter - of course the s/n is wrong :-( but now we could search the memory for the key:


S DS:0 LFFFFFFFF "FWW100-"

Enter S to search for the next match until you found it.


This little trick doesn't work w\ the new version of Fireworks (v2.0) !

Hehe but The SalesAgent Guyz made a mistake!!
Originally when you install fireworks the fireworks.exe is very small - and the .exe is protected by the Sales Agent DLL's which are called by fireworks.exe.

If you'll patch fireworks.exe the program won't run. Maybe you could defeat this protection but I found out when you unlock fireworks successfully the fireworks.exe becomes bigger and it doesn't call the Sales Agent DLL's anymore.

That means that we only have to patch the
unlocked fireworks.exe to bypass the S/N.


5.0 SalesAgent Registry entry

I found out that the SalesAgent modifies a registry-key after a successful unlock! It might be possible that the unlocking procedure fails or that you want to crack the program again in a different way or whatever.


Go to: HKEY_CLASSES_ROOT\ultxfile\FORMAT


There are directories like MSH0OF3E. Each directory contains SalesAgent informations for one program.
To figure out which directory you've to delete use
Win-eXpose Registry (HINT: Set the filter to open keys).
If you delete a directory you'll have to reinstall the program to run it in trial mode.

Do you have more informations about this? Then mail it to me for completing this doc.


eMail me for Questions - Suggestions - Feedback


Thanx to Mystic Elf for Grammar/Spell-checking


Magic Mike 8, char12, temp7, temp5, temp6,