How to completely remove a SalesAgent protection. Bye bye SalesAgent.
Generic 30s crack written by CapaC.
Published by Tsehp, August 2000
capac@gmx.net
3 July 2000.
How a memory patch invokes a harddisk patch!

General.
This is my first reversing essay; I hope that everything will be clear.
Sorry for my bad English, I did my very best.

Target.
SalesAgent is a commercial(?) protection system (www.releasesoft.com).
With this essay you can easily defeat all programs boxed by SalesAgent.
As target I will use Macromedia Dreamweaver 3, the good HTML editor.
(www.macromedia.com)

Idea.
If you purchase a program boxed with SalesAgent and enter the right
serials and all the other details, you see the following window:



This means that routines from the SalesAgent protection are busy
cleaning the SalesAgent protection out of the boxed program. It also
means that these routines reside somewhere in the code of the program.
At the end you have the original program as compiled by the maker of
the program, with the SalesAgent protection completely removed!

The approach of this essay is to use these cleanup routines directly,
without entering anything at all, in an easy way and in a short
time, let's say 30 seconds.

Tools used.
Softice 4.05, the ultimate tool. (All versions of sice are good.)
It's the only tool you need to crack this commercial(?) protection.

At work.
Install the program. (Install Macromedia Dreamweaver 3 trial version.)
Go with Window$ Exploder to the program directory, in this case
C:\Program Files\Macromedia\Dreamweaver 3\..

In every SalesAgent boxed program directory you find a file of
the format xxxxxpop.exe or xxxxxpop.tty. If you have only xxxxxpop.tty
in your directory, rename this file to xxxxxpop.exe. In the Dreamweaver
directory we see the file Dreampop.tty; after renaming, it is Dreampop.exe.
This file holds the decryption code that removes the protection; in some
cases they try to hide that it is an executable by using the extension tty.
If we start this file directly without modifications, we see an error
message: you do not have the right to start this file and ...exit bad boy!

Examples of the xxxxxpop.tty/exe files:

	Program                 Cleanup program
	Freehand 9              Freehpop.exe or Freehpop.tty
	Flash 4                 Flashpop.exe or Flashpop.tty
	Dreamweaver 3           Dreampop.exe or Dreampop.tty
	XingMPEG encoder 2.0    Xmcodpop.exe

While the explorer is open we hit CTRL-D and softice pops up.
Now set a breakpoint on Kernel32!SleepEx by entering bpx sleepex;
CTRL-D again and softice is gone.

Now we start the executable xxxxxpop.exe (dreampop.exe) by double-clicking
on the file. We see the encoding window shown at the beginning of this essay;
after a while softice pops up, halted in the Kernel32!SleepEx code. If softice
didn't pop up and you see the error message, start the file a second time;
it sometimes does not work the first time.

Now we push F12 (equal to p ret) and we're in dreampop code. 
We clear all breakpoints by typing bc *.

We see the following code:

00401921 E8 7A FE FF FF       call    sub_4017A0
00401926 6A 00                push    0
00401928 6A 00                push    0
0040192A 68 E0 22 40 00       push    offset loc_4022E0
0040192F E8 3A 86 01 00       call    __beginthread
00401934 83 C4 0C             add     esp, 0Ch
00401937 6A 00                push    0
00401939 68 D0 07 00 00       push    7D0h
0040193E FF 15 48 31 42 00    call    ds:SleepEx
00401944 E8 57 FE FF FF       call    sub_4017A0        <- We're here.
00401949 E8 B2 F7 FF FF       call    sub_401100        <- BAD BOY, EXIT CODE.
0040194E 8B F0                mov     esi, eax
00401950 83 FE FF             cmp     esi, 0FFFFFFFFh
00401953 75 16                jnz     short loc_40196B
00401955 6A 00                push    0
00401957 FF 15 DC 31 42 00    call    ds:PostQuitMessage

When we scroll down (not execute) half a page in softice from address 401944
(after the return from SleepEx), we always arrive at a call to FindWindowExA,
as we see below:

004019DF 68 58 52 42 00       push    offset aTurnkexeSS ; "Turnkexe%s%s"
004019E4 51                   push    ecx
004019E5 E8 5D 81 01 00       call    _sprintf
004019EA 83 C4 10             add     esp, 10h
004019ED 8D 54 24 0C          lea     edx, [esp+0Ch]
004019F1 6A 00                push    0
004019F3 52                   push    edx
004019F4 6A 00                push    0
004019F6 6A 00                push    0
004019F8 FF 15 E8 31 42 00    call    ds:FindWindowExA
004019FE 85 C0                test    eax, eax
00401A00 74 49                jz      short loc_401A4B  <- Here xxxxxx !
00401A02 68 86 01 00 00       push    186h
00401A07 E8 E4 09 00 00       call    sub_4023F0
00401A0C A1 E4 BC 42 00       mov     eax, dword_42BCE4
00401A11 8D 8C 24 10 01 00+   lea     ecx, [esp+110h]
00401A18 50                   push    eax
00401A19 68 28 3C 43 00       push    offset unk_433C28

Write down the address xxxxxx of the jz xxxxxx 2 lines below the FindWindowExA.
In this case xxxxxx is equal to 401A4B.
      
We give the "a" command (at 401944) in softice and enter: jmp xxxxxx,
with xxxxxx the address we have found above (in this case jmp 401A4B),
followed by Enter twice. With this jump we go directly to the decrypt
routines without checking if we're good or bad!

Now we enter d PostQuitMessage in softice; in the dump window we see the
start address of PostQuitMessage (top left corner of the dump window).
Enter in softice r ebx yyyyyy, with yyyyyy the start address of PostQuitMessage.
This last step is necessary because later in the code there is a call to
PostQuitMessage through a call ebx; if we skip this step the encoding will work
but we'll get an error message.
       
CTRL-D, and we see the unbox window again; at the end of this routine,
Dreamweaver starts.

The SalesAgent protection is now fully removed from the program!
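
The weakness this walkthrough relies on is a licence check that sits as a branch in front of a decrypt routine which does not depend on what the user entered. The following is an added example, not part of the original essay and not SalesAgent's code; it contrasts that design with one where the decryption key is derived from the serial. All names and values are constructed, and FNV-1a and xorshift32 are toy stand-ins for a real KDF and cipher.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* All names and values here are constructed for this example. */
static const char PAYLOAD[] = "ORIGINAL PROGRAM IMAGE";
static const char GOOD_SERIAL[] = "CONSTRUCTED-SERIAL-0001";
#define N (sizeof PAYLOAD)
#define EMBEDDED_KEY 0x5A17C0DEu /* weak design: key ships in the binary */
/* FNV-1a: toy stand-in for a real KDF/MAC. Not secure. */
static uint32_t fnv1a(const void *p, size_t n) {
    const uint8_t *b = p; uint32_t h = 2166136261u;
    while (n--) { h ^= *b++; h *= 16777619u; }
    return h;
}
/* xorshift32 keystream XOR: toy stand-in for a real cipher. */
static void xor_stream(uint8_t *buf, size_t n, uint32_t key) {
    uint32_t x = key ? key : 1u;
    for (size_t i = 0; i < n; i++) {
        x ^= x << 13; x ^= x >> 17; x ^= x << 5;
        buf[i] ^= (uint8_t)x;
    }
}

/* Weak: one branch guards a decrypt that never uses the serial.
   branch_patched models that branch being skipped. 1 = payload recovered. */
int weak_unbox(const char *serial, int branch_patched) {
    uint8_t buf[N];
    memcpy(buf, PAYLOAD, N);
    xor_stream(buf, N, EMBEDDED_KEY);            /* boxed image as shipped */
    if (!branch_patched && strcmp(serial, GOOD_SERIAL) != 0) return 0;
    xor_stream(buf, N, EMBEDDED_KEY);            /* key-independent decrypt */
    return memcmp(buf, PAYLOAD, N) == 0;
}

/* Bound: the key is derived from the serial, so no branch yields plaintext. */
int bound_unbox(const char *serial) {
    uint8_t buf[N];
    uint32_t tag = fnv1a(PAYLOAD, N);            /* tag stored with the image */
    memcpy(buf, PAYLOAD, N);
    xor_stream(buf, N, fnv1a(GOOD_SERIAL, strlen(GOOD_SERIAL))); /* vendor side */
    xor_stream(buf, N, fnv1a(serial, strlen(serial)));           /* client side */
    return fnv1a(buf, N) == tag;
}

int main(void) {
    printf("%d %d %d %d\n", weak_unbox("WRONG", 0), weak_unbox("WRONG", 1),
           bound_unbox("WRONG"), bound_unbox(GOOD_SERIAL));
    return 0;
}
```

In the bound design the vendor-side encryption would happen offline and GOOD_SERIAL would not ship in the client; both sides appear in one function here only so the example runs on its own.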
             
This document was created with Macromedia Dreamweaver 3.0, protected with
SalesAgent, a commercial(?) protection!

Final notes.
While reversing SalesAgent, I came across two versions of SalesAgent;
this essay works on both of them!

Don't make these modifications directly on the harddisk and don't set breakpoints
with bpx in the program code, because the xxxxxpop.tty or xxxxxpop.exe program
contains CRC check routines. If anyone needs info or the crack for these
CRC routines, send me an e-mail (capac@gmx.net); I will then write another essay
on these CRC routines.

I've used this method to remove SalesAgent from the following programs:

	Macromedia Director 7
	Macromedia Flash 4
	Macromedia Dreamweaver 3
	Macromedia Dreamweaver Developer 3
	Macromedia Fireworks 3
	Macromedia Freehand 9
	XingMPEG encoder 2.0
The end.