<name title="how to crack fundmanager" author="woody">
<font ns>
<font name verdana height 22 color 1>
<center>Crack fundmanager v4.6.218 by woody^drn</center>

<font name verdana height 12 color 0>
okay this program is pretty good for newbies, it's easy to crack
and no complications .. well not for me anyways ;) the program is at <link external="http://www.beiley.com">www.beiley.com</link><br>
<br>

First let's run the program and you'll see the title Fund Manager (Unregistered),
let's get rid of that :) Load the file into w32dasm and find the string
in the string references.<br>

<pre><font name terminal height 12 color 3>
* Possible Reference to String Resource ID=00032: "Fund Manager"
                                  |
:0041B566 6A20                    push 00000020

* Reference To: USER32.GetSystemMetrics, Ord:012Ch
                                  |
:0041B568 8B3DA0A84E00            mov edi, dword ptr [004EA8A0]
:0041B56E FFD7                    call edi
:0041B570 8D1C4500000000          lea ebx, dword ptr [2*eax+00000000]

* Possible Reference to String Resource ID=00002: "Portfolio value - pie"
                                  |
:0041B577 6A02                    push 00000002
:0041B579 FFD7                    call edi
:0041B57B 03C3                    add eax, ebx

* Possible Reference to String Resource ID=00033: "Fund Manager (Unregistered)"
                                  |
:0041B57D 6A21                    push 00000021
</pre><font name verdana height 12 color 0><br>

Take a look at 41B566: it pushes 020, and that's the text "Fund Manager", and
at 41B57D it pushes 021, which is the text "Fund Manager (Unregistered)".
So you probably know what to do now ;) You can either edit the text in the
.exe file or you can make it push 020. Since this is a string resource ID,
the text ain't stored in the .exe file in the normal way. It's done like this:<br>

<pre><font name terminal height 12 color 3>
Ascii: F  u  n  d     M  a  n  a  g  e  r     (  U  n  r  e  g  i  s  t  e  r  e  d  )
  hex: 46 75 6E 64 20 4D 61 6E 61 67 65 72 20 28 55 6E 72 65 67 69 73 74 65 72 65 64 29
</pre><font name verdana height 12 color 0><br>

In between every hex byte you have to add the hex 00 (string resource text is stored as 16-bit characters), so the hex would be:<br>

<pre><font name terminal height 12 color 3>
46 00 75 00 6E 00 64 00 20 00 4D 00 61 00 6E
</pre><font name verdana height 12 color 0><br>

and so on ... so just search for the string "(Unreg" with 00 between like this<br>

28 00 55 00 6E 00 72 00 65 00 67<br>
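Why the 00 bytes show up: a Win32 string table stores its text as length-prefixed UTF-16LE entries, 16 IDs per block, which is also why IDs 020 and 021 sit next to each other. An added example (not from the original tutorial) that parses one such block; the block bytes are constructed sample data and the function names are made up for illustration.

```python
import struct

def build_block(strings):
    """Constructed sample: pack up to 16 strings as one string-table block."""
    assert len(strings) <= 16
    out = bytearray()
    for s in list(strings) + [""] * (16 - len(strings)):
        units = s.encode("utf-16-le")
        # Each entry: 16-bit count of UTF-16 code units, then the text, no terminator.
        out += struct.pack("<H", len(units) // 2) + units
    return bytes(out)

def locate(string_id):
    """Return (block number, slot in block) for a string resource ID."""
    return (string_id >> 4) + 1, string_id & 0x0F

def parse_block(data):
    """Decode the 16 length-prefixed UTF-16LE entries of one block."""
    entries, pos = [], 0
    for _ in range(16):
        if pos + 2 > len(data):
            raise ValueError("truncated length field")
        (count,) = struct.unpack_from("<H", data, pos)
        pos += 2
        end = pos + count * 2
        if end > len(data):
            raise ValueError("entry runs past end of block")
        entries.append(data[pos:end].decode("utf-16-le"))
        pos = end
    return entries

def load_string(blocks, string_id):
    """Resolve an ID to its text following the table layout."""
    block_no, slot = locate(string_id)
    return parse_block(blocks[block_no])[slot]

# Constructed block 3 (IDs 0x20..0x2F); only the two IDs from the listing are filled.
BLOCKS = {3: build_block(["Fund Manager", "Fund Manager (Unregistered)"])}

if __name__ == "__main__":
    for sid in (0x20, 0x21):
        print(hex(sid), locate(sid), repr(load_string(BLOCKS, sid)))
    needle = "(Unreg".encode("utf-16-le")
    print(needle.hex(" "), "found at block offset", BLOCKS[3].find(needle))
```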

easy right ? ;) now you can edit the file and write (Cracked) instead ;)
if you don't wish to edit the text, just patch the:<br>

<pre><font name terminal height 12 color 3>
* Possible Reference to String Resource ID=00033: "Fund Manager (Unregistered)"
                                  |
:0041B57D 6A21                    push 00000021
</pre><font name verdana height 12 color 0><br>

to:<br>

<pre><font name terminal height 12 color 3>
* Possible Reference to String Resource ID=00033: "Fund Manager (Unregistered)"
                                  |
:0041B57D 6A20                    push 00000020
</pre><font name verdana height 12 color 0><br>

nice and easy ... If you don't edit the text you have to patch all the places
where it pushes 021. So let's find the other places in the file. Double
click the text in the string references again, and it will go to the next place.<br>
<br>

<pre><font name terminal height 12 color 3>
:0042EDEF 7504                    jne 0042EDF5

* Possible Reference to String Resource ID=00032: "Fund Manager"
                                  |
:0042EDF1 6A20                    push 00000020
:0042EDF3 EB02                    jmp 0042EDF7

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042EDEF(C)
|

* Possible Reference to String Resource ID=00033: "Fund Manager (Unregistered)"
                                  |
:0042EDF5 6A21                    push 00000021
</pre><font name verdana height 12 color 0><br>

Here you can do two things: you can either nop line 42EDEF or you can patch
line 42EDF5 so it pushes 020 instead. But what does it compare, since
it says jne 0042EDF5? Go back a little further:<br>

<pre><font name terminal height 12 color 3>
:0042EDE1 833D900E4C0001          cmp dword ptr [004C0E90], 00000001
</pre><font name verdana height 12 color 0><br>

It compares the dword at offset [004C0E90] with 1; if the value at this offset isn't
1 it will display the "Fund Manager (Unregistered)" text, so let's just nop
line 42EDEF. When I say nop I mean "no operation", and the hex for that
is 90. So the line would be:<br>

<pre><font name terminal height 12 color 3>
:0042EDEF 9090                    Nop
(more precisely)
:0042EDEF 90                      Nop
:0042EDF0 90                      Nop
</pre><font name verdana height 12 color 0><br>

Double click the text again to check if there is more ... and sure there is ;):<br>

<pre><font name terminal height 12 color 3>
* Possible Reference to String Resource ID=00033: "Fund Manager (Unregistered)"
                                  |
:00431D95 6A21                    push 00000021
</pre><font name verdana height 12 color 0><br>

Patch it so it pushes 020 ... is there more ??<br>

<pre><font name terminal height 12 color 3><br>
* Possible Reference to String Resource ID=00033: "Fund Manager (Unregistered)"
                                  |
:0044DE54 B921000000              mov ecx, 00000021
</pre><font name verdana height 12 color 0><br>

See ?? it's easier to change the text in the file, but this is a better way ..
but very slow .. Patch this one too ... and the last one ...:<br>

<pre><font name terminal height 12 color 3><br>
* Possible Reference to String Resource ID=00033: "Fund Manager (Unregistered)"
                                  |
:004B38A8 C70021000000            mov dword ptr [eax], 00000021
</pre><font name verdana height 12 color 0><br>

Patch it ... That's it .. now the text is gone .. <br>
So let's go to the next protection in this program: the program expires .. darn ;)
so we have to find the text "The evaluation period of Fund Manager has expired."<br>

Search through the string references until you find it .. found it ? cewl:<br>

<pre><font name terminal height 12 color 3>
:0049510C 83F801                  cmp eax, 00000001
:0049510F B800000000              mov eax, 00000000
:00495114 83D0FF                  adc eax, FFFFFFFF
:00495117 83E02D                  and eax, 0000002D
:0049511A 8D485A                  lea ecx, dword ptr [eax+5A]
:0049511D 3BCB                    cmp ecx, ebx
:0049511F 7F64                    jg 00495185
:00495121 BF40E94D00              mov edi, 004DE940

* Reference To: USER32.GetDesktopWindow, Ord:00F0h
                                  |
:00495126 FF15DCA84E00            Call dword ptr [004EA8DC]

* Possible Reference to String Resource ID=00048: "Could not save portfolio"
                                  |
:0049512C 6A30                    push 00000030
:0049512E 33F6                    xor esi, esi
:00495130 57                      push edi

* Possible Reference to String Resource ID=02684: "The evaluation period of Fund Manager has expired."
                                  |
:00495131 687C0A0000              push 00000A7C
</pre><font name verdana height 12 color 0><br>

okay it does some calculations to see if it's expired, but I don't really
care about this ;) all that I know is that if it jumps at 49511F it doesn't
write the expire text. So we just patch this line to EB64 aka jmp 00495185.
So let's take a look at what's at 495185:<br>

<pre><font name terminal height 12 color 3>
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049511F(C)
|
:00495185 83C032                  add eax, 00000032
:00495188 3BC3                    cmp eax, ebx
:0049518A 7F3D                    jg 004951C9

* Possible Reference to String Resource ID=00048: "Could not save portfolio"
                                  |
:0049518C 6A30                    push 00000030
:0049518E BE40E94D00              mov esi, 004DE940
:00495193 56                      push esi

* Possible Reference to String Resource ID=02684: "The evaluation period of Fund Manager has expired."
                                  |
:00495194 687C0A0000              push 00000A7C
</pre><font name verdana height 12 color 0><br>

Well it adds 32h to eax, then compares eax with ebx; if eax is greater than
ebx then it's not expired. So we just patch 49518A 7F3D to EB3D.<br>
<br>

Okay .. actually we're finished with this program now, but let's make it
display our name and serial when registering. (even though it isn't ;) heh)<br>
<br>

When you press help->about it says "UNREGISTERED EVALUATION COPY" and we don't
want it to say that .. but first we have to make it say "Thank you for registering!",
so it adds our info to the regbase. Press help->Register..., write some info
and press OK. Then it says:<br>

<pre><font name terminal height 12 color 3>
"Invalid Registration.  (name and password are case sensitive)"
</pre><font name verdana height 12 color 0><br>

So let's find that text in string references ..:

<pre><font name terminal height 12 color 3>
:004559D2 7507                    jne 004559DB

* Possible Reference to String Resource ID=01662: "Invalid Registration.  (name and password are case sensitive)"
                                  |
:004559D4 687E060000              push 0000067E
:004559D9 EB05                    jmp 004559E0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004559D2(C)
|

* Possible Reference to String Resource ID=01633: "Thank you for registering!"
                                  |
:004559DB 6861060000              push 00000661
</pre><font name verdana height 12 color 0><br>

well it couldn't be easier ;) patch line 4559D2 so it jumps .. that's it ..<br>
<br>

The only thing we need now is to make it show our reg info instead of the
"UNREGISTERED EVALUATION COPY", so let's find that text ...

<pre><font name terminal height 12 color 3>
:004117B8 741F                    je 004117D9

* Possible Reference to Menu: MenuID_00C8 
                                  |
:004117BA 68C8000000              push 000000C8
:004117BF 8D85F8FEFFFF            lea eax, dword ptr [ebp+FFFFFEF8]
:004117C5 50                      push eax

* Possible Reference to String Resource ID=02685: "UNREGISTERED EVALUATION COPY"
                                  |
:004117C6 687D0A0000              push 00000A7D
:004117CB FF35345F4E00            push dword ptr [004E5F34]

* Reference To: USER32.LoadStringA, Ord:0183h
                                  |
:004117D1 FF15FCA84E00            Call dword ptr [004EA8FC]
:004117D7 EB1F                    jmp 004117F8

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004117B8(C)
|
:004117D9 A104514C00              mov eax, dword ptr [004C5104]
:004117DE 8D8DF8FEFFFF            lea ecx, dword ptr [ebp+FFFFFEF8]
:004117E4 50                      push eax
:004117E5 68D0504C00              push 004C50D0

* Possible StringData Ref from Data Obj ->"Registered To: %s"
                                  |
:004117EA 6830FB4B00              push 004BFB30
</pre><font name verdana height 12 color 0><br>

wow that looks hard ;) heh not! patch line 4117B8 so it always jumps; it then goes to 4117D9
and on to the "Registered To: %s" push at line 4117EA.<br>
<br>
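Seen from the protection side, every check above hangs on a single two-byte short branch, so a self-check over those bytes notices exactly the edits described. An added example (not part of the original tutorial or the program): the addresses and original bytes are taken from the listings, while the load base 0x00400000, the zero-filled image and all function names are assumptions made for the demonstration.

```python
# Branch sites and their original bytes, as shown in the listings above.
EXPECTED = {
    0x0042EDEF: bytes.fromhex("7504"),  # jne 0042EDF5 (title string choice)
    0x0049511F: bytes.fromhex("7F64"),  # jg 00495185 (expiry check)
    0x0049518A: bytes.fromhex("7F3D"),  # jg 004951C9 (expiry check)
    0x004559D2: bytes.fromhex("7507"),  # jne 004559DB (registration result)
    0x004117B8: bytes.fromhex("741F"),  # je 004117D9 (about-box text)
}
BASE = 0x00400000  # assumed load address of the constructed image

def read_va(image, base, va, size):
    """Return `size` bytes at virtual address `va`, with bounds checking."""
    off = va - base
    if off < 0 or off + size > len(image):
        raise ValueError(f"address {va:#010x} is outside the image")
    return image[off:off + size]

def classify(original, found):
    """Name the kind of change made to a two-byte short branch."""
    if found == original:
        return "intact"
    if found == b"\x90" * len(original):
        return "nopped"          # branch removed
    if found[0] == 0xEB and found[1:] == original[1:]:
        return "forced-jump"     # conditional turned unconditional
    return "modified"

def audit(image, base=BASE, expected=EXPECTED):
    """Map each guarded address to its classification."""
    return {va: classify(code, read_va(image, base, va, len(code)))
            for va, code in expected.items()}

def sample_image(patches=None):
    """Constructed stand-in for the mapped code: zeros plus the listed bytes."""
    image = bytearray(0x100000)
    for va, code in {**EXPECTED, **(patches or {})}.items():
        image[va - BASE:va - BASE + len(code)] = code
    return bytes(image)

if __name__ == "__main__":
    altered = sample_image({0x0042EDEF: b"\x90\x90", 0x0049511F: b"\xEB\x64"})
    for va, state in audit(altered).items():
        print(f"{va:#010x}: {state}")
```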

That's all for now ..<br>
<br>

-wOODY^dRN<br>
<br>

