Crack fundmanager v4.6.218 by woody^drn
Okay, this program is pretty good for newbies: it's easy to crack and has no complications .. well, not for me anyways ;) The program is at www.beiley.com

First let's run the program and you'll see the text "Fund Manager (Unregistered)"; let's get rid of that :) Load the file into w32dasm and find the string in the string references.

* Possible Reference to String Resource ID=00032: "Fund Manager"
                                  |
:0041B566 6A20                    push 00000020

* Reference To: USER32.GetSystemMetrics, Ord:012Ch
                                  |
:0041B568 8B3DA0A84E00            mov edi, dword ptr [004EA8A0]
:0041B56E FFD7                    call edi
:0041B570 8D1C4500000000          lea ebx, dword ptr [2*eax+00000000]

* Possible Reference to String Resource ID=00002: "Portfolio value - pie"
                                  |
:0041B577 6A02                    push 00000002
:0041B579 FFD7                    call edi
:0041B57B 03C3                    add eax, ebx

* Possible Reference to String Resource ID=00033: "Fund Manager (Unregistered)"
                                  |
:0041B57D 6A21                    push 00000021

Take a look at 41B566: it pushes 020, and that's the text "Fund Manager", and at 41B57D it pushes 021, which is the text "Fund Manager (Unregistered)". So you probably know what to do now ;) You can either edit the text in the .exe file or you can make it push 020. Since this is a string resource ID, the text isn't in the .exe file in the normal way. It's done like this:

Ascii: F  u  n  d     M  a  n  a  g  e  r     (  U  n  r  e  g  i  s  t  e  r  e  d  )
  hex: 46 75 6E 64 20 4D 61 6E 61 67 65 72 20 28 55 6E 72 65 67 69 73 74 65 72 65 64 29

String resources are stored with 16-bit characters, so after every hex byte you have to add the hex 00, and the hex would be:

46 00 75 00 6E 00 64 00 20 00 4D 00 61 00 6E

and so on ... so just search for the string "(Unreg" with 00 in between, like this:

28 00 55 00 6E 00 72 00 65 00 67

Easy, right ? ;) Now you can edit the file and write (Cracked) instead ;) If you don't wish to edit the text, just patch the:

* Possible Reference to String Resource ID=00033: "Fund Manager (Unregistered)"
                                  |
:0041B57D 6A21                    push 00000021

to:

* Possible Reference to String Resource ID=00033: "Fund Manager (Unregistered)"
                                  |
:0041B57D 6A20                    push 00000020

Nice and easy ... If you don't edit the text in the file, you have to patch all the places where it pushes 021. So let's find the other places in the file. Double click the text in the string references again, and it will go to the next place.


:0042EDEF 7504                    jne 0042EDF5

* Possible Reference to String Resource ID=00032: "Fund Manager"
                                  |
:0042EDF1 6A20                    push 00000020
:0042EDF3 EB02                    jmp 0042EDF7

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042EDEF(C)
|

* Possible Reference to String Resource ID=00033: "Fund Manager (Unregistered)"
                                  |
:0042EDF5 6A21                    push 00000021

Here you can do two things: you can either nop line 42EDEF or you can patch line 42EDF5 so it pushes 020 instead. But what does it compare, since it says jne 0042EDF5? Go back a little further:

:0042EDE1 833D900E4C0001          cmp dword ptr [004C0E90], 00000001

It compares the dword at address [004C0E90] with 1; if the value at this address isn't 1 it will display the "Fund Manager (Unregistered)" text, so let's just nop line 42EDEF. When I say nop it means "no operation", and the hex for that is 90. So the line would be:

:0042EDEF 9090                    Nop
(more precisely)
:0042EDEF 90                      Nop
:0042EDF0 90                      Nop

Double click the text again to check if there is more ... and sure there is ;):

* Possible Reference to String Resource ID=00033: "Fund Manager (Unregistered)"
                                  |
:00431D95 6A21                    push 00000021

Patch it so it pushes 020 ... is there more ??

* Possible Reference to String Resource ID=00033: "Fund Manager (Unregistered)"
                                  |
:0044DE54 B921000000              mov ecx, 00000021

See ?? It's easier to change the text in the file, but this is a better way .. but very slow .. Patch this one too ... and the last one ...:

* Possible Reference to String Resource ID=00033: "Fund Manager (Unregistered)"
                                  |
:004B38A8 C70021000000            mov dword ptr [eax], 00000021

Patch it ... That's it .. now the text is gone ..
So let's go to the next protection in this program: the program expires .. darn ;) So we have to find the text "The evaluation period of Fund Manager has expired."
Search through the string references until you find it .. found it ? cewl:

:0049510C 83F801                  cmp eax, 00000001
:0049510F B800000000              mov eax, 00000000
:00495114 83D0FF                  adc eax, FFFFFFFF
:00495117 83E02D                  and eax, 0000002D
:0049511A 8D485A                  lea ecx, dword ptr [eax+5A]
:0049511D 3BCB                    cmp ecx, ebx
:0049511F 7F64                    jg 00495185
:00495121 BF40E94D00              mov edi, 004DE940

* Reference To: USER32.GetDesktopWindow, Ord:00F0h
                                  |
:00495126 FF15DCA84E00            Call dword ptr [004EA8DC]

* Possible Reference to String Resource ID=00048: "Could not save portfolio"
                                  |
:0049512C 6A30                    push 00000030
:0049512E 33F6                    xor esi, esi
:00495130 57                      push edi

* Possible Reference to String Resource ID=02684: "The evaluation period of Fund Manager has expired."
                                  |
:00495131 687C0A0000              push 00000A7C

Okay, it does some calculations to see if it's expired, but I don't really care about this ;) All that I know is that if it jumps at 49511F it doesn't write the expire text. So we just patch this line to EB64 aka jmp 00495185. So let's take a look at what's at 495185:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049511F(C)
|
:00495185 83C032                  add eax, 00000032
:00495188 3BC3                    cmp eax, ebx
:0049518A 7F3D                    jg 004951C9

* Possible Reference to String Resource ID=00048: "Could not save portfolio"
                                  |
:0049518C 6A30                    push 00000030
:0049518E BE40E94D00              mov esi, 004DE940
:00495193 56                      push esi

* Possible Reference to String Resource ID=02684: "The evaluation period of Fund Manager has expired."
                                  |
:00495194 687C0A0000              push 00000A7C

Well, it adds 32h to eax, then compares eax with ebx; if eax is greater than ebx then it's not expired. So we just patch 49518A 7F3D to EB3D.
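What the cmp/mov/adc/and/lea run at 0049510C actually computes, modeled in C as an added example (not part of the original tutorial): it is a branchless select between two constants driven by the carry flag, and the result feeds both jg compares. The page does not say what EAX and EBX hold, so `eax_in`, `ebx` and the function names are placeholders, and the second check assumes it is entered only through the jump from 49511F, as the listing shows.

```c
#include <stdint.h>
#include <stdio.h>

/* Register state after 0049510C..0049511A. */
typedef struct { uint32_t eax, ecx; } regs_t;

/* eax_in: value in EAX on entry (its meaning is not stated on the page). */
static regs_t limit_calc(uint32_t eax_in)
{
    regs_t r;
    /* cmp eax, 1 -> CF is set only when eax is below 1 (unsigned), i.e. eax == 0 */
    uint32_t cf = (eax_in < 1u) ? 1u : 0u;
    /* mov eax, 0 leaves the flags alone; adc eax, FFFFFFFF -> 0 + (-1) + CF */
    r.eax = 0xFFFFFFFFu + cf;          /* 0 if eax_in == 0, else FFFFFFFF */
    r.eax &= 0x2Du;                    /* and eax, 2D -> 0 or 2D */
    r.ecx = r.eax + 0x5Au;             /* lea ecx, [eax+5A] -> 5A or 87 */
    return r;
}

/* 0049511D: cmp ecx, ebx / jg (signed greater-than) */
static int first_jg_taken(uint32_t eax_in, int32_t ebx)
{
    return (int32_t)limit_calc(eax_in).ecx > ebx;
}

/* 00495185: add eax, 32 / cmp eax, ebx / jg, with EAX still holding 0 or 2D */
static int second_jg_taken(uint32_t eax_in, int32_t ebx)
{
    return (int32_t)(limit_calc(eax_in).eax + 0x32u) > ebx;
}

int main(void)
{
    for (uint32_t in = 0; in <= 1; in++) {
        regs_t r = limit_calc(in);
        printf("EAX in=%u: first limit=%u, second limit=%u\n",
               (unsigned)in, (unsigned)r.ecx, (unsigned)(r.eax + 0x32u));
    }
    return 0;
}
```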

Okay .. actually we're finished with this program now, but let's make it display our name and serial when registering. (even though it isn't ;) heh)

When you press help->about it says "UNREGISTERED EVALUATION COPY" and we don't want it to say that .. but first we have to make it say "Thank you for registering!", so it adds our info to the regbase. Press help->Register..., write some info and press OK. Then it says:

"Invalid Registration.  (name and password are case sensitive)"

So lets find that text in string references ..:

:004559D2 7507                    jne 004559DB

* Possible Reference to String Resource ID=01662: "Invalid Registration.  (name and password are case sensitive)"
                                  |
:004559D4 687E060000              push 0000067E
:004559D9 EB05                    jmp 004559E0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004559D2(C)
|

* Possible Reference to String Resource ID=01633: "Thank you for registering!"
                                  |
:004559DB 6861060000              push 00000661

Well, it couldn't be easier ;) Patch line 4559D2 so it jumps .. that's it ..

The only thing we need now is to make it show our reg info instead of the "UNREGISTERED EVALUATION COPY", so let's find that text ...

:004117B8 741F                    je 004117D9

* Possible Reference to Menu: MenuID_00C8 
                                  |
:004117BA 68C8000000              push 000000C8
:004117BF 8D85F8FEFFFF            lea eax, dword ptr [ebp+FFFFFEF8]
:004117C5 50                      push eax

* Possible Reference to String Resource ID=02685: "UNREGISTERED EVALUATION COPY"
                                  |
:004117C6 687D0A0000              push 00000A7D
:004117CB FF35345F4E00            push dword ptr [004E5F34]

* Reference To: USER32.LoadStringA, Ord:0183h
                                  |
:004117D1 FF15FCA84E00            Call dword ptr [004EA8FC]
:004117D7 EB1F                    jmp 004117F8

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004117B8(C)
|
:004117D9 A104514C00              mov eax, dword ptr [004C5104]
:004117DE 8D8DF8FEFFFF            lea ecx, dword ptr [ebp+FFFFFEF8]
:004117E4 50                      push eax
:004117E5 68D0504C00              push 004C50D0

* Possible StringData Ref from Data Obj ->"Registered To: %s"
                                  |
:004117EA 6830FB4B00              push 004BFB30

Wow, that looks hard ;) heh, not! Patch line 4117B8, then it jumps directly to line 4117EA.

That's all for now ..

-wOODY^dRN