Bypassing Ready made Commercial Protection Schemes (RSAgent32)
(Cracking Xing Technology’s Mpeg Player)
XingMpeg player can be found at:
Tools you need:
Any hex editor of your choice
RSAgent is another ready made commercial protection program that lazy
programmers can use to allow ‘instant’ unlocking of their programs.
Basically, you enter your credit card number and the program dials up
a remote server and will send you an ‘unlocking code’ that will remove
the annoying nags and time limits.
The target we are cracking is Xing Technology’s Mpeg Player.
The program is free to download for 14 days.
In addition to the time limit, every time you start the program, a
message pops up reminding you this is a demo, and gives
you the option to either register, or evaluate.
To crack this program, we have three choices. We can attempt to bypass
the time limit, but will still be left with the nag screens, and
potentially other problems with redundant checks in other files etc…
Not a good method. Two, we can try to crack rsagnt32.dll directly to obtain
the correct registration code, or we can simply modify the main program to
avoid using rsagnt32.dll in the first place.
I am choosing to show you the last method mainly because after examining
rsagnt32.dll I decided it would be a shorter and cleaner crack to simply
crack the main executable.
To begin, fire up Xmplayer.exe and observe the nags. When cracking
time limited programs, I like to expire them, and then examine the message
I get once they are expired, so let’s set our clock ahead a month or so,
and restart Xmplayer.
Notice, you don’t get any message, it simply pops up the purchase
window, (which by the way, resides in rsagnt32.dll. Take a look at it
with Borland Resource Workshop if you want…) and if you hit cancel now,
the program ends.
Go ahead and set your clock back now, and try running Xmplayer again.
Ahh, same purchase window! A hidden registry entry or file, no doubt.
No matter what, no matter where… we’ll get it! Ok, now since we want
to bypass rsagnt altogether, let’s have a look at our dead listing.
Since, rsagnt32 is a dll, it has to get loaded before it can be
used, so let’s look for Kernel32.LoadLibraryA. It occurs only once, and
here it is:
* Referenced by a CALL at Addresses:0040E02C, :0041AF7C, :0041C1A0
:0041B1F0 56 push esi
:0041B1F1 E86AFEFFFF call 0041B060
:0041B1F6 6818314500 push 00453118 ;->"rsagnt32.dll"
:0041B1FB FF1530294600 Call dword ptr  ;LoadLibraryA
:0041B201 8BF0 mov esi, eax
:0041B203 68F86A4500 push 00456AF8
:0041B208 A1BC6C4500 mov eax, dword ptr [00456CBC]
:0041B20D 50 push eax
:0041B20E E8B14F0000 Call 004201C4 ;rsagnt32.startSalesAgent
:0041B213 83C408 add esp, 00000008
:0041B216 56 push esi
You can see here that this routine loads rsagnt32 and then calls
rsagnt32.startSalesAgent, which is the purchase window I referred to
Also notice that this section of code is called from three different
locations, so let’s take a look at them:
:0040E01C 8B461C mov eax, dword ptr [esi+1C]
:0040E01F 50 push eax
:0040E020 E83BCD0000 call 0041AD60 ;Check reg. status
:0040E025 83C404 add esp, 00000004
:0040E028 85C0 test eax, eax ;eax == 0 if not regged
:0040E02A 7533 jne 0040E05F ;Good guy if not zero,
:0040E02C E8BFD10000 call 0041B1F0 ;otherwise, buy me!
:0041AF71 E8A1010200 call 0043B117 ;Check status again
:0041AF76 837DA801 cmp dword ptr [ebp-58], 1 ;Another flag
:0041AF7A 7505 jne 0041AF81 ;Use freely, else
:0041AF7C E86F020000 call 0041B1F0 ;Buy me!
:0041C194 E8C7EBFFFF call 0041AD60 ;Identical to the first
:0041C199 83C404 add esp, 00000004 ;one…
:0041C19C 85C0 test eax, eax
:0041C19E 751A jne 0041C1BA ;Have fun, else
:0041C1A0 E84BF0FFFF call 0041B1F0 ;C’mon, buy me!
At this point, we can begin to crack. Change the jne instructions to
jmp always, and we’ll bypass rsagnt32 altogether!
Change at offset:
(1B59E) 751A to EB1A
(1A37A) 7505 to EB05
(D42A) 7533 to EB33
Now, run Xmplayer again, and presto, we’re in. Try playing an mpeg
file. What? The purchase window again? How can that be?
Ok, check your dead listing again for references to rsagnt32.
You’ll notice that all references MUST pass through
the locations we patched, so there is no way that this new nag it’s
getting loaded from Xmplayer.exe.
Let’s think and see where it could be getting called from. In the
xmplayer directory there are 5 other dlls.
We could check each one for references to rsagnt, and we would eventually
find the culprit, but there is any easier way.
Now, I use Wdasm for debugging simply because I like it, and those
of you who prefer SoftIce can easily follow along the following using
SoftIce, (just make sure that you have loaded the relevant exports…)
Fire up Wdasm and load Xmplayer.exe. Make sure, under "debugger options"
(Debug/Debugger Options) that the box ‘Debug only this Process’ is
Once that the target is loaded, in the lower left debugging window, there
is a list of all of the active dlls. Find rsagnt32.dll and double click
on it. This will load rsagnt32 into memory, but also keep Xmplayer active.
We know that the function which starts the purchase procedure is called
startSalesAgent (see above), so let’s find it.
It is an exported function and occurs once:
Exported fn(): startSalesAgent – Ord:000Fh
:10006080 81EC28020000 sub esp, 00000228
:10006086 A138EA0210 mov eax, dword ptr [1002EA38]
:1000608B 53 push ebx
:1000608C 56 push esi
:1000608D 57 push edi
:1000608E 6A05 push 00000005
:10006090 68D1070000 push 000007D1
:10006095 50 push eax
Set a break point at :10006080. Now, hit the ‘run’ button in the lower
right debugging window. Once Xmplayer is started, try opening an mpeg.
Wdasm will then break at our suspect function.
To see where this function was called from, take a look at the sp register
A brief assembly comment for those new to assembly language: When a
procedure, like startSalesAgent, is called, the return address (where
the procedure was called from) is placed on the stack. So, immediately
after the call, the stack pointer will point to that address. Get it?
It contains the address 100020DE. If you click on the [SP] register
button in the lower left debugging window, then look in the data display
area, (make sure the ‘disp 1’ button to the left of this area is checked)
it will tell you that this address is in the module Xmdriver.dll.
Aha! Here it is. So, go ahead and terminate the process, and get a dead
listing of Xmdriver.dll. The relevant code section looks like this:
* Referenced by a CALL at Address:100062D0
:100020C0 56 push esi
:100020C1 E88AFEFFFF call 10001F50
:100020C6 683C810110 push 1001813C ; ->"rsagnt32.dll"
:100020CB FF1524440210 Call dword ptr  ;KERNEL32.LoadLibraryA
:100020D1 8BF0 mov esi, eax
:100020D3 68A8B10110 push 1001B1A8
:100020D8 A16CB30110 mov eax, dword ptr [1001B36C]
:100020DD 50 push eax
* Reference To: rsagnt32.startSalesAgent, Ord:000Eh
:100020DE E8655F0000 Call 10008048 ;Here is where we were.
:100020E3 83C408 add esp, 00000008
:100020E6 56 push esi
This code is only called from one place, and it is here:
:100062BE A120820110 mov eax, dword ptr 
:100062C3 50 push eax
:100062C4 E857BAFFFF call 10001D20 ;Check your status
:100062C9 83C404 add esp, 00000004
:100062CC 85C0 test eax, eax ;Same type of check as before
:100062CE 7526 jne 100062F6 ;Play on…
:100062D0 E8EBBDFFFF call 100020C0 ;Buy me, sneaky cracker!
:100062D5 85C0 test eax, eax
:100062D7 751D jne 100062F6
As before, let’s change the jne to a jmp always, and skip rsagnt32.
Change at offset:
(56BC) 7538 to EB38
Ok, go ahead and try out Xmplayer. It works now, and no more nags, nor
time limits, nor rsagnt32! So, yet another company takes the lazy way
out. What good is an expensive 3rd party protection scheme, when you can
just walk right around it?
I’ve seen other programs ‘protected’ (so to say) with rsagnt, but haven’t
yet tried cracking them. I imagine that this technique, although possibly
slightly different, would probably work on them too.