Cracking Tutorial for FreeHand 8.0.1
Coding a SalesAgent Generic Time Limit Cracker


Target Program: FreeHand 8.0.1
Protection: Time Limit / NAG
Tools needed:
  - SoftICE 3.2x
  - lcc Win32 C compiler
Ob duh: Do I really have to remind you all that BUYING and NOT stealing the software you use will ensure that these software houses continue to produce even *better* software for us to use and, more importantly, continue to offer even more challenges to breaking their often weak protection systems?
BTW, It's illegal to use cracked Software!

If you're looking for cracks or serial numbers from these pages then you're wasting your time; try to search elsewhere on the Web under Warez, Cracks, etc.
Info: Brand and product names are trademarks or registered trademarks of their respective holders.
Level: ( )Beginner (X)Intermediate ( )Advanced ( )Expert

More and more software authors decide to use SalesAgent by Release Soft for 'protecting' their programs. And as cracking SalesAgent's Time Limit and NAG is kinda easy, I decided to code a GENERiC SalesAgent cracker and use some of the saved time for teaching some more knowledge to the crackers that need it. Back to the tutorial: I will use an easy method for cracking SalesAgent, since there is NO NEED to use a COMPLICATED ONE. We will code a SalesAgent CRACK-LOADER together in this tutorial!

First of all, make sure you have at least two SalesAgent programs ... I've chosen FireWorks and FreeHand ... but you can use any other program too. You will just find small modifications in the code snippet.

Start the program. As you can see a screen like the one for VBox pops up. Now you have three choices: BUY - TRY - ORDER. If you press on BUY nothing real happens. So we can assume that there's no way to register this program.

This dialog box seems to be an advanced one, so a BPX DialogBoxParamA will work. Exit FireWorks and restart it. SoftICE will pop up. This is at the DialogBoxParamA function. Press F10 to step over this CALL. Now the TRIAL SCREEN pops up. Press on TRY. SoftICE will pop up and after you've pressed F12 the following code snippet will be displayed:

  :00408B11  E8BAD3FFFF          CALL    00405ED0      ; check time limit and display NAG
  :00408B16  83F8FF              CMP     EAX,-01
  :00408B19  55                  PUSH    EBP
  :00408B1A  750B                JNZ     00408B27
  :00408B1C  FF15B8954400        CALL    [USER32!PostQuitMessage]
  :00408B22  E981000000          JMP     00408BA8
  :00408B27  8B742418            MOV     ESI,[ESP+18]
  :00408B2B  56                  PUSH    ESI
  :00408B2C  FF1598954400        CALL    [USER32!ShowWindow]
  :00408B32  56                  PUSH    ESI
  :00408B33  FF15A8954400        CALL    [USER32!UpdateWindow]
  :00408B39  55                  PUSH    EBP
  :00408B3A  55                  PUSH    EBP
  :00408B3B  68D08B4000          PUSH    00408BD0
  :00408B40  E8DB800100          CALL    00420C20

Now we can circumvent the time limit by just changing the JNZ instruction at 408B1A to a JMP instruction, right?
No! If your time limit has expired, the program will quit before returning from that CALL. However, we can bypass the NAG and the time limit by changing just one instruction. If you don't know why, think again ... then read on!

If we change the CALL 405ED0 at 408B11, where the NAG is generated, into JMP 408B27, then we will bypass the NAG and also the time limit check. Now we know that the memory address of our patch is 408B11 and that we want to execute JMP 408B27 there! So exit and restart FreeHand. At 408B11, do the following:

     A <ENTER>
     JMP 408B27

SoftICE displayed EB14 as the code ... now we need to find some similarities between programs being 'protected' by SalesAgent, so look at the following code, which I've ripped off from FireWorks 2.0, and compare it to the one above:

  :00408C53  E8E8D1FFFF          CALL    00405E40      ; check time limit and display NAG
  :00408C58  83F8FF              CMP     EAX,-01
  :00408C5B  55                  PUSH    EBP
  :00408C5C  750B                JNZ     00408C69
  :00408C5E  FF154C924200        CALL    [USER32!PostQuitMessage]
  :00408C64  E981000000          JMP     00408CEA
  :00408C69  8B7C2418            MOV     EDI,[ESP+18]
  :00408C6D  57                  PUSH    EDI
  :00408C6E  FF1534924200        CALL    [USER32!ShowWindow]
  :00408C74  57                  PUSH    EDI
  :00408C75  FF153C924200        CALL    [USER32!UpdateWindow]
  :00408C7B  55                  PUSH    EBP
  :00408C7C  55                  PUSH    EBP
  :00408C7D  68208D4000          PUSH    00408D20
  :00408C82  E8557F0100          CALL    00420BDC

What have you found out? Well, before you read further, THINK AGAIN, since you might LEARN A LOT!

I've found out the following similarities:
1) The code to be patched is always located around address 408000 - 409000.
2) The code can always be patched with a simple EB 14.
3) FF FF 83 F8 FF always exists ONLY ONCE. This can be used for deciding whether this is the location to be patched or not.
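
Seen from the vendor's side, these three observations mean the whole check hangs on one CALL that anyone can locate through a unique five-byte signature and overwrite with two bytes. The following is an added example, not part of the original tutorial and not SalesAgent code: a self-check that takes a snapshot of the code region and reports whether the CALL in front of the signature is still intact. The function name, the enum and the sample buffers are assumptions constructed for illustration; the byte values are the ones from the FreeHand listing above.

```c
#include <stddef.h>
#include <string.h>

/* Result of inspecting the call site that precedes the signature. */
enum site_state { SITE_INTACT, SITE_TAMPERED, SITE_NOT_FOUND, SITE_AMBIGUOUS };

/* Tail of the CALL rel32 plus the following CMP EAX,-01, as listed above. */
static const unsigned char SIG[5] = { 0xFF, 0xFF, 0x83, 0xF8, 0xFF };

/*
 * Scan a snapshot of the code region (hypothetical helper, not vendor code).
 * The CALL opcode sits 3 bytes before the signature: E8 means the check is
 * still in place, anything else (e.g. EB 14) means the bytes were rewritten.
 * Bytes are compared as unsigned char so that values >= 0x80 match.
 */
enum site_state check_call_site(const unsigned char *code, size_t len)
{
    size_t hit = 0, count = 0;

    if (len < sizeof SIG + 3)
        return SITE_NOT_FOUND;
    /* Start at 3 so hit - 3 cannot underflow; never read past len. */
    for (size_t i = 3; i + sizeof SIG <= len; i++) {
        if (memcmp(code + i, SIG, sizeof SIG) == 0) {
            hit = i;
            count++;
        }
    }
    if (count == 0)
        return SITE_NOT_FOUND;
    if (count > 1)
        return SITE_AMBIGUOUS;   /* signature must be unique to be trusted */
    return code[hit - 3] == 0xE8 ? SITE_INTACT : SITE_TAMPERED;
}

/* Constructed samples: bytes from the FreeHand listing, original and rewritten. */
static const unsigned char SAMPLE_INTACT[] = {
    0x90, 0x90, 0x90, 0xE8, 0xBA, 0xD3, 0xFF, 0xFF,
    0x83, 0xF8, 0xFF, 0x55, 0x75, 0x0B
};
static const unsigned char SAMPLE_PATCHED[] = {
    0x90, 0x90, 0x90, 0xEB, 0x14, 0xD3, 0xFF, 0xFF,
    0x83, 0xF8, 0xFF, 0x55, 0x75, 0x0B
};
```

A check like this only raises the bar if its result feeds more than one branch; a single compare-and-jump on the return value has the same weakness as the code it guards.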

Now we have everything we need to code a Process Patcher that will crack all SalesAgent 'protected' programs. Following is the source code I've used. There were several things added, but you will fully understand it! My GENERiC CRACK works very well on every target I've chosen to test so far. And someone told me that it also works on POLISH software ... so I saved myself lots of time, which I could spend writing tutorials!

// * ================================================================== *
// * ================================================================== *


#include <windows.h>
#include <stdio.h>

void main(void)
char InfoText[] = "SalesAgent GENERiC TiME LiMiT CRACK by TORN@DO";
unsigned long i = 0;
unsigned long AddressOfPatch = 0;
char DataRead[8200] = {0};
char Message[200] = {0};
char* cl;

char FileName[256] = {0};

si.cb = sizeof(si);
cl = GetCommandLine();

if ((DATA_FILE = fopen("TSAGTLCT.INI", "r")) != NULL)
fread(FileName, sizeof(char), 256, DATA_FILE);
{MessageBox(NULL, "Couldn't read TSAGTLCT.INI! Create a TSAGTLCT.INI and write the complete name\n(including .EXE) of the EXE file in it! Check the INFO.HTML for an example!\n\nRemember: Both files must be stored at the program directory!",
InfoText, MB_OK);

if (CreateProcess(FileName, cl, NULL, NULL,FALSE, NORMAL_PRIORITY_CLASS,
NULL, NULL, &si, &pi))

ReadProcessMemory(pi.hProcess, (LPVOID) 0x408000, DataRead, 8192, NULL);

// ============================= Sales Agent 2.7.x Crack ===========================
for (i = 0; i <= 8192; i++)

if ((DataRead[i] == 0xFF) && (DataRead[i+1] == 0xFF) &&
(DataRead[i+2] == 0x83) && (DataRead[i+3] == 0xF8) &&
(DataRead[i+4] == 0xFF))
AddressOfPatch = 0x408000 + (i-3);


if (AddressOfPatch != 0)
WriteProcessMemory (pi. hProcess, (LPVOID) AddressOfPatch, "\xEB\x14", 2, NULL);

// ============================= Sales Agent 2.6.x Crack ===========================
if (AddressOfPatch == 0)

for (i = 0; i <= 8192; i++)
if ((DataRead[i] == 0xEB) && (DataRead[i+1] == 0x05) &&
(DataRead[i+2] == 0xB8) && (DataRead[i+3] == 0x01) &&
(DataRead[i+4] == 0x00) && (DataRead[i+7] == 0x83))
AddressOfPatch = 0x408000 + (i-7);

if (AddressOfPatch == 0)
MessageBox(NULL, "Either Release Software has changed SalesAgent a lot,\nor you have chosen the wrong EXE file!\n\nPlease contact me if this crack doesn't work any longer!",
InfoText, MB_OK);

CloseHandle (pi.hProcess);
CloseHandle (pi.hThread);

WriteProcessMemory (pi. hProcess, (LPVOID) AddressOfPatch, "\xEB\x07", 2, NULL);

CloseHandle (pi.hProcess);
CloseHandle (pi.hThread);


sprintf(Message, "%s not found! Check TSAGTLCT.INI and ensure that\nyou've executed the process patcher in the program directory!", FileName);
MessageBox(NULL, Message, InfoText, MB_OK);


Another target has been Reverse Engineered. Any questions (no crack requests)

If you want to USE ANY PROGRAM BEYOND its FREE TRIAL PERIOD, then please BUY IT.

Copyright © 1999 by TORN@DO and The Immortal Descendants. All Rights Reserved.