More and more software authors decide to use SalesAgent by Release Soft for 'protecting' their programs. Since cracking SalesAgent's Time Limit and NAG is quite easy, I decided to code a GENERiC SalesAgent cracker and to use some of the saved time for teaching a bit more knowledge to the crackers who need it. Back to the tutorial: I will use an easy method for cracking SalesAgent, since there is NO NEED for a COMPLICATED ONE. We will code a SalesAgent CRACK-LOADER together in this tutorial!
First of all, make sure you have at least two SalesAgent-protected programs ... I've chosen FireWorks and FreeHand, but you can use any other program too; you will just need small modifications to the code snippets.
Start the program. As you can see, a screen like the VBox one pops up. Now you have three choices: BUY - TRY - ORDER. If you press BUY, nothing much happens, so we can assume that there's no way to register this program.
This dialog box seems to be an advanced one, so a BPX DialogBoxParamA will work. Exit FireWorks and restart it. SoftICE will pop up at the DialogBoxParamA function. Press F10 to step over this CALL. Now the TRIAL SCREEN pops up. Press TRY. SoftICE will pop up again, and after you've pressed F12 the following code snippet will be displayed:
:00408B11 E8BAD3FFFF   CALL 00405ED0                   ; check time limit and display NAG
:00408B16 83F8FF       CMP EAX,-01
:00408B19 55           PUSH EBP
:00408B1A 750B         JNZ 00408B27
:00408B1C FF15B8954400 CALL [USER32!PostQuitMessage]
:00408B22 E981000000   JMP 00408BA8
:00408B27 8B742418     MOV ESI,[ESP+18]
:00408B2B 56           PUSH ESI
:00408B2C FF1598954400 CALL [USER32!ShowWindow]
:00408B32 56           PUSH ESI
:00408B33 FF15A8954400 CALL [USER32!UpdateWindow]
:00408B39 55           PUSH EBP
:00408B3A 55           PUSH EBP
:00408B3B 68D08B4000   PUSH 00408BD0
:00408B40 E8DB800100   CALL 00420C20
Now we can circumvent the time limit by just changing the JNZ instruction at 408B1A to a JMP instruction, right? No! If your time limit has expired, the program will already have quit before that CALL returns. However, we can bypass both the NAG and the time limit by changing just one instruction. If you don't know why, think again ... then read on!
If we change the CALL 405ED0 at 408B11, where the NAG is generated, into JMP 408B27, then we bypass the NAG and also the time limit check. Now we know that the memory address of our patch is 408B11 and that we want to execute JMP 408B27 there! So exit and restart FreeHand. At 408B11, do the following:
A <ENTER>
JMP 408B27
<ENTER>
SoftICE displayed EB14 as the code ... now we need to find some similarities between programs 'protected' by SalesAgent, so look at the following code, which I've ripped off FireWorks 2.0, and compare it to the one above:
:00408C53 E8E8D1FFFF   CALL 00405E40                   ; check time limit and display NAG
:00408C58 83F8FF       CMP EAX,-01
:00408C5B 55           PUSH EBP
:00408C5C 750B         JNZ 00408C69
:00408C5E FF154C924200 CALL [USER32!PostQuitMessage]
:00408C64 E981000000   JMP 00408CEA
:00408C69 8B7C2418     MOV EDI,[ESP+18]
:00408C6D 57           PUSH EDI
:00408C6E FF1534924200 CALL [USER32!ShowWindow]
:00408C74 57           PUSH EDI
:00408C75 FF153C924200 CALL [USER32!UpdateWindow]
:00408C7B 55           PUSH EBP
:00408C7C 55           PUSH EBP
:00408C7D 68208D4000   PUSH 00408D20
:00408C82 E8557F0100   CALL 00420BDC
What have you found out? Well, before you read further, THINK AGAIN, since you might LEARN A LOT!
I've found out the following similarities:
1) The code to be patched is always located around address 408000 - 409000.
2) The code can always be patched with a simple EB 14.
3) FF FF 83 F8 FF always exists ONLY ONCE. This can be used to decide whether this is the location to be patched or not.
Now we have everything we need to code a Process Patcher that will crack all SalesAgent 'protected' programs. Following is the source code I've used. Several things have been added, but you will fully understand it! My GENERiC CRACK works very well on every target I've chosen to test so far. And someone told me that it also works on POLISH software ... so I saved myself lots of time, which I can spend writing tutorials!
// * ================================================================== *
// * MANY THANKS TO Gi0 FOR RELEASING HIS PROCESS PATCHER SOURCE CODE!! *
// * IT SAVED ME THE TIME FOR CODING MY OWN!                            *
// * ================================================================== *
// THE SALES AGENT GENERIC TIME LIMIT CRACK by TORN@DO
// => TSAGTLCT.INI
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    STARTUPINFO si;
    char InfoText[] = "SalesAgent GENERiC TiME LiMiT CRACK by TORN@DO";
    unsigned long i = 0;
    unsigned long AddressOfPatch = 0;
    char DataRead[8200] = {0};
    char Message[200] = {0};
    char* cl;
    PROCESS_INFORMATION pi;
    FILE* DATA_FILE;
    char FileName[256] = {0};

    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);
    cl = GetCommandLine();

    // The name of the target EXE is read from TSAGTLCT.INI in the program directory
    if ((DATA_FILE = fopen("TSAGTLCT.INI", "r")) != NULL)
    {
        fread(FileName, sizeof(char), 256, DATA_FILE);
        fclose(DATA_FILE);
    }
    else
    {
        MessageBox(NULL, "Couldn't read TSAGTLCT.INI! Create a TSAGTLCT.INI and write the complete name\n(including .EXE) of the EXE file in it! Check the INFO.HTML for an example!\n\nRemember: Both files must be stored at the program directory!",
                   InfoText, MB_OK);
        exit(-1);
    }

    // Start the target, then read 8 KB of its code beginning at 408000 (similarity 1)
    if (CreateProcess(FileName, cl, NULL, NULL, FALSE, NORMAL_PRIORITY_CLASS,
                      NULL, NULL, &si, &pi))
    {
        ReadProcessMemory(pi.hProcess, (LPVOID) 0x408000, DataRead, 8192, NULL);

        // ============================= Sales Agent 2.7.x Crack ===========================
        // Search for the FF FF 83 F8 FF signature (similarity 3); the CALL to be
        // patched starts three bytes before it
        for (i = 0; i <= 8192; i++) {
            if ((DataRead[i] == 0xFF) && (DataRead[i+1] == 0xFF) &&
                (DataRead[i+2] == 0x83) && (DataRead[i+3] == 0xF8) &&
                (DataRead[i+4] == 0xFF))
            {
                AddressOfPatch = 0x408000 + (i-3);
                break;
            }
        }
        if (AddressOfPatch != 0)
            WriteProcessMemory(pi.hProcess, (LPVOID) AddressOfPatch, "\xEB\x14", 2, NULL);

        // ============================= Sales Agent 2.6.x Crack ===========================
        // Older SalesAgent versions use a different code layout and a different patch
        if (AddressOfPatch == 0)
        {
            for (i = 0; i <= 8192; i++) {
                if ((DataRead[i] == 0xEB) && (DataRead[i+1] == 0x05) &&
                    (DataRead[i+2] == 0xB8) && (DataRead[i+3] == 0x01) &&
                    (DataRead[i+4] == 0x00) && (DataRead[i+7] == 0x83))
                {
                    AddressOfPatch = 0x408000 + (i-7);
                    break;
                }
            }
            if (AddressOfPatch == 0)
            {
                MessageBox(NULL, "Either Release Software has changed SalesAgent a lot,\nor you have chosen the wrong EXE file!\n\nPlease contact me if this crack doesn't work any longer!",
                           InfoText, MB_OK);
                CloseHandle(pi.hProcess);
                CloseHandle(pi.hThread);
                exit(-1);
            }
            WriteProcessMemory(pi.hProcess, (LPVOID) AddressOfPatch, "\xEB\x07", 2, NULL);
        }
        CloseHandle(pi.hProcess);
        CloseHandle(pi.hThread);
    }
    else
    {
        sprintf(Message, "%s not found! Check TSAGTLCT.INI and ensure that\nyou've executed the process patcher in the program directory!", FileName);
        MessageBox(NULL, Message, InfoText, MB_OK);
        exit(-1);
    }
    return 0;
}
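Seen from the software author's side, the loader above only works because nothing in the target ever verifies the bytes at 408B11 after the process has started. The following C example is added here and is not part of the tutorial, of SalesAgent or of the patcher; it shows the kind of runtime self-check a protected program could run over its own code region: a CRC-32 of the bytes is fixed at build time and recomputed at runtime, so the two-byte E8 -> EB 14 patch is caught. The 17 sample bytes are taken from the FreeHand listing above and embedded as a constructed buffer; the CRC-32 routine and the function names are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample: the 17 bytes at 408B11 from the listing above
   (CALL 405ED0 / CMP EAX,-1 / PUSH EBP / JNZ 408B27 / CALL [PostQuitMessage]). */
static const uint8_t kOriginalCode[] = {
    0xE8, 0xBA, 0xD3, 0xFF, 0xFF,        /* CALL 00405ED0 */
    0x83, 0xF8, 0xFF,                    /* CMP EAX,-01 */
    0x55,                                /* PUSH EBP */
    0x75, 0x0B,                          /* JNZ 00408B27 */
    0xFF, 0x15, 0xB8, 0x95, 0x44, 0x00   /* CALL [USER32!PostQuitMessage] */
};

/* CRC-32 (IEEE 802.3: reflected, polynomial 0xEDB88320, init/final 0xFFFFFFFF),
   computed bitwise so no table is needed. */
uint32_t crc32_buf(const uint8_t *p, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Returns 1 if the live code region still matches the checksum recorded at
   build time, 0 if any byte differs (a loader's WriteProcessMemory included). */
int code_region_intact(const uint8_t *region, size_t n, uint32_t expected_crc)
{
    return crc32_buf(region, n) == expected_crc;
}

/* Demonstration: copy the region, apply the tutorial's patch (E8 -> EB 14) to
   the copy and confirm the check accepts the pristine copy but rejects the
   patched one. Returns 1 when both outcomes are as expected. */
int demo_detects_eb14_patch(void)
{
    uint8_t live[sizeof kOriginalCode];
    uint32_t expected = crc32_buf(kOriginalCode, sizeof kOriginalCode); /* "build time" */
    memcpy(live, kOriginalCode, sizeof live);
    if (!code_region_intact(live, sizeof live, expected))
        return 0;
    live[0] = 0xEB;                     /* short JMP opcode replaces the CALL */
    live[1] = 0x14;                     /* +14h lands on 408B27 */
    return !code_region_intact(live, sizeof live, expected);
}
```

Because the loader writes immediately after CreateProcess returns, such a check only helps if it runs from inside the protected code path rather than once at startup, and the recorded checksum must cover the check routine and the stored constant as well.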
Another target has been Reverse Engineered. Any questions (no crack requests)?