--------------------------------------------------------------------------------
How to crack Formula Graphic Multimedia System (32 bit)
--------------------------------------------------------------------------------

Cracker: stealthFIGHTER 

Target: Formula Graphic Mutimedia System release 980301

Tools: W32dasm
       Hiew	
       Brain

Where: http://www.formulagraphic.com

Sorry for my english, its not my mother language.


-----------
Step 1:
-----------
===
Run proggram, ABOUT -> HOW TO REGISTER -> enter
any s/n and push OK = b00m "Please update your reg. #".
Run W32Dasm, open file (fgx32.exe)  and click SDR window and find 
the message. Double click on it and you are here:
===



* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AD67C(C)					<-------- here we go !!
|
:004AD6A9 6A00         		push 00000000

* Possible StringData Ref from Data Obj ->"NewRegistration"
                                  |
:004AD6AB 6830CC5600           	push 0056CC30

* Possible StringData Ref from Data Obj ->"MainWindow"
                                  |
:004AD6B0 6820CC5600         	push 0056CC20
:004AD6B5 E85845F5FF         	call 00401C12
:004AD6BA 85C0                 	test eax, eax
:004AD6BC 7407         		je 004AD6C5

* Possible StringData Ref from Data Obj ->"Please update your registration "
                                        ->"number"
                                  |
:004AD6BE 68244E5700              	push 00574E24	<------ we landed here
:004AD6C3 EB05                    	jmp 004AD6CA


===
In W32Dasm press "shift+F12" (goto code location) and enter 004AD67C.
We land here:
===


* Possible StringData Ref from Data Obj ->"REGISTER"
                                  |
:004AD664 68984E5700         	push 00574E98
:004AD669 8BCE                  mov ecx, esi
:004AD66B E8378DF5FF        	call 004063A7
:004AD670 83F802                cmp eax, 00000002
:004AD673 745F                  je 004AD6D4
:004AD675 E8495DF5FF        	call 004033C3	<--- a CALL
:004AD67A 85C0                  test eax, eax	<--- a TEST	
:004AD67C 742B                  je 004AD6A9	<--- badboy

* Possible StringData Ref from Data Obj ->"Your professional registration "
                                        ->"was successful!"
                                  |
:004AD67E 68604E5700              	push 00574E60

* Possible StringData Ref from Data Obj ->"Thankyou"


===
Execute the CALL (call 004033C3) and you are here:
===


* Referenced by a CALL at Addresses:
|:0041D82F   , :0049CE9A   , :004AD675   , :004E7852   , :004E7AE0   
|:004EFBE2   , :00512287   , :00512408   
|
:004033C3 E9689F0A00              jmp 004AD330		<--- execute this JUMP


===
Execute the JUMP (jmp 004AD330) and you are here:
===


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004033C3(U)					
|
:004AD330 E8FD87F5FF        	call 00405B32	<--- we need this 
:004AD335 50           		push eax		<--- and this too

* Possible StringData Ref from Data Obj ->"NewRegistration"
                                  |
:004AD336 6830CC5600              	push 0056CC30


===
Write down the offset of the CALL ( AC730)
Run Hiew set to decode mode, press F5 and write the offset.

Press F3 to edit and F2 to assembler and type:

MOV EAX, 1   [ENTER]    
RET	     [ENTER] 	
[ESC]

F9 to update. Run again. You donīt need enter any s/n.
At the bottom of the window you see Profesional registered version.


---------------------------------------
If i make a mistake, please e-mail 
me to: stealthfighter@another.com
--------------------------------------- - baseman.dll.</P>