how to crack Nico's Commander v5.31 by FaT[BiT] \ TNT!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Dedication:

   To all TNT!CRACK!TEAM! members and to all
   TNT!CRACK!TEAM! Fans all around the world

          ]-={ HAPPY ANNIVERSARY }=-[

hi there and welcome to my 5th tut !!!
we will learn how to crack Nico's Commander v5.31

note : this tut is *only* and i repeat *only* for newbies
       like me !!!! and it's kinda long !!! god be with u !!!

Program    : Nico's Commander v5.31

Url        : http://www.nico200.com

Protection : Serial + Nag + TimeLimit + Packing !!

Size       : 388 Kb *Packed*

ToolZ      : ProcDump v1.6     * ( to dump the file!)
             Win32dasm v8.93   * ( for dead-listing!)
             hiew v6.16        * ( any version will do! )
             R!SC's Patcher    * ( for writing a loader !)
             any song by sting  ( Shape of my heart )

  * all of the above tools can be found at http://w3.to/protools
    except the song, search for it !!!

o.k let the _crack_ _begin_ :

1) install nico's commander and run it !!!
   u will see the nag message telling u that u have XX days
   remaining, and asking if u want to enter a serial !!!!

2) click on No and exit the program !! hehehe !!!
   now run ProcDump, click on Unpack, choose
   aspack v108.4, and browse for the file nc.exe !!!

3) ProcDump will start dumping the file and will show
   a message telling u to press o.k once the process is
   loaded. now that it's loaded, click o.k !!!
   nico's commander will pop up, so click No !!!
   then ProcDump should ask where u want to save the
   file and under what name. in my case i used ncdump.exe

4) now disassemble the file ncdump.exe with win32dasm
   and !!!! what !!!! what is all this shit !!!!
   no SDR (string data references) !! and nothin' to see !!!!!
   o.k don't panic !!!!!

5) now back to ProcDump, click on PE Editor
   and browse for the dumped file ncdump.exe.
   now click on Sections !! u should see all the
   sections like .text, .rdata ...etc
   now all these sections have something in common
   in the characteristics field !! yes, they all have
   C0000040 <--- hmmm !!!!

6) now change C0000040 to E0000040 in the characteristics field of every section.
   u can do it by right-clicking on .text, for example,
   choosing Edit Section and changing C0000040 to E0000040,
   and the same for the rest !!! then apply the changes

7) now disassemble the file ncdump.exe again and wait and wait !!!
   and then !! yes !!! all the SDR refs are there !!! kool

8) when the flag was C0000040, it means that the
   "sections are marked like READABLE WRITEABLE
   and INITDATA.....and it refuses to do its work (win32dasm)
   if the CODE/TEXT section hasn't an EXECUTABLE
   flag too." <--- MaV3RiCk's exact words (thanx man)
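The flag values in steps 5 to 8 are bit masks from the PE/COFF section header, and the difference between C0000040 and E0000040 is exactly one bit, IMAGE_SCN_MEM_EXECUTE (20000000). The script below is an added example, not part of this tut and not a ProcDump or win32dasm feature: it parses the section table of a PE image, names the bits in each Characteristics dword, reports when the section holding the entry point is not marked executable (the state of a raw dump), and returns a copy with that bit set, which is what step 6 does by hand. The PE image it works on is constructed inside the script for the demo; it is not nc.exe.

```python
"""Decode PE section Characteristics and report a dumped image whose
entry-point section is not marked executable (the situation in steps 5-8).
Added example, not from the tutorial; standard library only.  The PE image
built by build_image() is a constructed sample, not a real program."""
import struct

# IMAGE_SCN_* bits from the PE/COFF specification
SECTION_FLAGS = {
    0x00000020: "CNT_CODE",
    0x00000040: "CNT_INITIALIZED_DATA",
    0x00000080: "CNT_UNINITIALIZED_DATA",
    0x20000000: "MEM_EXECUTE",
    0x40000000: "MEM_READ",
    0x80000000: "MEM_WRITE",
}
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def decode_flags(characteristics):
    """Names of the IMAGE_SCN_* bits set in a Characteristics dword."""
    return [name for bit, name in sorted(SECTION_FLAGS.items()) if characteristics & bit]


def parse_sections(image):
    """Return (entry_rva, sections); each section is a dict that also keeps
    the file offset of its 40-byte header so it can be patched later."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]  # AddressOfEntryPoint
    sections, off = [], opt + opt_size
    for _ in range(num_sections):
        name, vsize, va = struct.unpack_from("<8sII", image, off)
        chars = struct.unpack_from("<I", image, off + 36)[0]  # Characteristics
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va,
                         "vsize": vsize, "chars": chars, "hdr_off": off})
        off += 40
    return entry_rva, sections


def entry_section_without_execute(image):
    """Name of the section containing the entry point if it lacks MEM_EXECUTE, else None."""
    entry_rva, sections = parse_sections(image)
    for s in sections:
        if s["va"] <= entry_rva < s["va"] + s["vsize"]:
            return None if s["chars"] & IMAGE_SCN_MEM_EXECUTE else s["name"]
    return None  # entry point inside no section: a different kind of damage


def mark_entry_section_executable(image):
    """Copy of the image with MEM_EXECUTE set on the entry-point section
    (what step 6 does by hand in ProcDump's PE editor)."""
    entry_rva, sections = parse_sections(image)
    patched = bytearray(image)
    for s in sections:
        if s["va"] <= entry_rva < s["va"] + s["vsize"]:
            struct.pack_into("<I", patched, s["hdr_off"] + 36,
                             s["chars"] | IMAGE_SCN_MEM_EXECUTE)
    return bytes(patched)


def build_image(text_chars):
    """Minimal PE32 with a .text and a .rdata section (constructed sample)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    opt = struct.pack("<HBBIIII", 0x10B, 6, 0, 0x1000, 0x1000, 0, 0x1000)  # entry RVA 0x1000
    opt += b"\0" * (224 - len(opt))  # pad to the standard PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x0102)

    def section(name, va, chars):
        return struct.pack("<8sIIIIIIHHI", name, 0x1000, va, 0x200, 0, 0, 0, 0, 0, chars)

    return (dos + b"PE\0\0" + coff + opt
            + section(b".text", 0x1000, text_chars)
            + section(b".rdata", 0x2000, 0x40000040))


if __name__ == "__main__":
    dump = build_image(0xC0000040)  # every section C0000040, as seen in step 5
    for s in parse_sections(dump)[1]:
        print(f"{s['name']:8s} {s['chars']:08X} {' | '.join(decode_flags(s['chars']))}")
    print("entry section lacking EXECUTE:", entry_section_without_execute(dump))
    print("after repair:", entry_section_without_execute(mark_entry_section_executable(dump)))
```

Run it as a script and the first line of output shows C0000040 decoded to CNT_INITIALIZED_DATA | MEM_READ | MEM_WRITE, with no MEM_EXECUTE: that missing bit is the whole reason win32dasm treated the dump as data. A disassembler that keys on the flags (rather than on where the entry point lands) will stay silent on exactly such an image, so checking the entry-point section's flags is a good first test whenever a dumped or otherwise rewritten PE "has no code".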

9) now let's see, try to run the dumped file. it starts
   fine but none of its functions work !!!! right !!!
   hmmm !!! (keep that in mind !!!)

10) back to win32dasm, click on the SDR button and look for
    "Days left in evaluation period", double click on it
    and u will be here :

* Possible Reference to String Resource ID=04227: "Days left in evaluation period: "
                                  |
:0045C5FF 6883100000              push 00001083
:0045C604 8D4DE4                  lea ecx, dword ptr [ebp-1C]
:0045C607 E897310500              call 004AF7A3
:0045C60C 8D9568FFFFFF            lea edx, dword ptr [ebp+FFFFFF68]
:0045C612 52                      push edx
:0045C613 8D45E4                  lea eax, dword ptr [ebp-1C]

11) now scroll up just a little bit till u see this :

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045C5AD(C) <--- hmm !!! what is this
|
:0045C5CB 8D8D68FFFFFF            lea ecx, dword ptr [ebp+FFFFFF68]
:0045C5D1 E81A62FAFF              call 004027F0
:0045C5D6 C645FC02                mov [ebp-04], 02
:0045C5DA 8B55F0                  mov edx, dword ptr [ebp-10]
:0045C5DD 2B9570FFFFFF            sub edx, dword ptr [ebp+FFFFFF70]
:0045C5E3 B81E000000              mov eax, 0000001E
:0045C5E8 2BC2                    sub eax, edx
:0045C5EA 50                      push eax

* Possible StringData Ref from Data Obj ->"%d"

:0045C5EB 6878714E00              push 004E7178
:0045C5F0 8D8D68FFFFFF            lea ecx, dword ptr [ebp+FFFFFF68]
:0045C5F6 51                      push ecx
:0045C5F7 E8658C0400              call 004A5261
:0045C5FC 83C40C                  add esp, 0000000C

* Possible Reference to String Resource ID=04227: "Days left in evaluation period: "

:0045C5FF 6883100000              push 00001083

12) now this code is executed because of the jump at 0045C5AD.
    click on find text, enter 0045C5AD and u should see this :

:0045C5AA 83F81D                  cmp eax, 0000001D <-- the period, 1Dh = 29
:0045C5AD 7E1C                    jle 0045C5CB <-- if the period hasn't expired, jump

* Possible Reference to String Resource ID=04228: "Evaluation period expired!"

:0045C5AF 6884100000              push 00001084
:0045C5B4 8D4DE4                  lea ecx, dword ptr [ebp-1C]
:0045C5B7 E8E7310500              call 004AF7A3
:0045C5BC C7051C8D500001000000    mov dword ptr [00508D1C], 00000001
:0045C5C6 E99B000000              jmp 0045C666 <-- brings up the dialog (do u want
                                                   to enter a serial now?) once the
                                                   evaluation period has expired !!
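Read together, the two listings in steps 11 and 12 contain the whole trial-period rule: the message is formatted from 1Eh (30) minus an elapsed-day count, and the branch at 0045C5AD lets the program continue only while that count is at most 1Dh (29). The Python below is an added example, not code from the tut or from Nico's Commander: it rewrites that arithmetic so the two constants can be seen together. One assumption is labelled in the code: the eax compared at 0045C5AA is taken to hold the same elapsed-day difference that 0045C5DA..0045C5E8 recomputes as [ebp-10] minus [ebp+FFFFFF70]; the listing does not show where that eax was loaded.

```python
"""The trial-period decision of steps 11-12, rewritten from the listing.
Added example, not from the tutorial.  Assumption (see trial_check):
the eax compared at 0045C5AA equals the elapsed-day count that the
code at 0045C5DA..0045C5E8 subtracts from 1Eh."""

TRIAL_DAYS = 0x1E      # mov eax, 0000001E   at 0045C5E3
LAST_ALLOWED = 0x1D    # cmp eax, 0000001D   at 0045C5AA
DAYS_LEFT_STRING = "Days left in evaluation period: "   # string resource 1083
EXPIRED_STRING = "Evaluation period expired!"           # string resource 1084


def to_signed32(value):
    """Interpret a 32-bit register value the way jle does (signed compare)."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def days_left_message(elapsed_days):
    """0045C5DA..0045C5FC: eax = 1Eh - elapsed, formatted with "%d",
    then string resource 1083 is loaded in front of it."""
    days_left = to_signed32(TRIAL_DAYS - elapsed_days)
    return f"{DAYS_LEFT_STRING}{days_left}"


def trial_check(now_day, install_day):
    """Model of the branch at 0045C5AA/0045C5AD.
    Returns (expired, message): expired mirrors the 1 stored at 00508D1C
    on the 0045C5AF path; message is the string the user would see."""
    # ASSUMPTION: eax holds the same difference the days-left code computes.
    eax = to_signed32(now_day - install_day)
    if eax <= LAST_ALLOWED:            # jle 0045C5CB: still inside the period
        return False, days_left_message(eax)
    return True, EXPIRED_STRING        # push 1084 ; mov [00508D1C], 1 ; jmp 0045C666


if __name__ == "__main__":
    # constructed day counters: install on day 100, run on days 100, 129 and 130
    for today in (100, 129, 130):
        print(today - 100, "days elapsed ->", trial_check(today, 100))
```

Under that assumption the program can never print "0 days left": elapsed day 29 shows 1, elapsed day 30 goes straight to the expired path. The decision is a single signed compare followed by one conditional jump, which is the reason a one-byte change elsewhere in this function is enough to alter the outcome; a time limit that lives in one branch of one function is only as strong as that branch.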

13) now scroll up till u see this :

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045C507(C) <-- first interesting thing

:0045C537 83BD70FFFFFF00          cmp dword ptr [ebp+FFFFFF70], 00000000
:0045C53E 7409                    je 0045C549 <-- 2nd interesting thing
:0045C540 83BD70FFFFFF01          cmp dword ptr [ebp+FFFFFF70], 00000001
:0045C547 752F                    jne 0045C578 <-- 3rd interesting thing


 hmm !!!! 3 interesting things here but i can't understand what is
 happening !!! so !!! let's see the jump at 0045C507

14) scroll up a little bit , to here :

:0045C501 3B0548674F00            cmp eax, dword ptr [004F6748]
:0045C507 752E                    jne 0045C537 <-- hmm !!! nice one
:0045C509 C70510684F0001000000    mov dword ptr [004F6810], 00000001
:0045C513 C78504FFFFFF00000000    mov dword ptr [ebp+FFFFFF04], 00000000
:0045C51D C745FCFFFFFFFF          mov [ebp-04], FFFFFFFF
:0045C524 8D4DE8                  lea ecx, dword ptr [ebp-18]
:0045C527 E895250500              call 004AEAC1
:0045C52C 8B8504FFFFFF            mov eax, dword ptr [ebp+FFFFFF04]
:0045C532 E972020000              jmp 0045C7A9

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045C507(C)

:0045C537 83BD70FFFFFF00          cmp dword ptr [ebp+FFFFFF70], 00000000
:0045C53E 7409                    je 0045C549
:0045C540 83BD70FFFFFF01          cmp dword ptr [ebp+FFFFFF70], 00000001
:0045C547 752F                    jne 0045C578

  o.k !! now what can u tell from this code (nothin!!) , as far
  as i can tell, at 0045C501 it compares the entered code
  (in the registry, i think) with the right one, and if it's not equal
  it jumps to 0045C537 and from there it checks if the
  period has expired or not !!!! (i think so !!)

15) now at 0045C507, if we don't jump then we are registered.
    why !! trace the code: u will see at 0045C532 there is a jump,
    so it will not expire and it will not display a message. in other
    words it is registered !!!!!

16) so put the cursor bar on 0045C507, note the file offset, open hiew,
    change the jne --> je (75 --> 74), F9 to update and run ncdump !!!!
    ahhh!! there is no nag message asking if u want to register
    or not, and if u click on help\about nico's commander u will see
    that there is nowhere to enter the serial !!!!
    this has only one explanation !!!

    ------> it's REGISTERED <-----

17) but !! let's run nico's commander, try to run notepad
    or browse ur HD or anything !!!! it is not working !!!!
    i think the reason is that we unpacked it !!!!!

18) now the idea of a loader might come in handy i think !!!
    yeah !!! let's make a loader that patches the memory
    to make the program think that it is registered !!!

19) now as i told u in the beginning, u should have R!SC's
    patcher. read its help to know how to write a script; in the
    meantime here is mine :

---------cut here-------------
;TNT!CRACK!TEAM!
;the output file
O=tnt_nc.exe:
;file to be loaded
F=nc.exe:
;address to be patch and what bytes to change
P=45C507/75/74:
;to R!SC u have made a very lovely tool !!!
$
---------cut here-------------

20) now compile the script, copy the tnt_nc.exe file to the same
    dir and run it !!! kool, it worked and nico's commander is
    running !!! no nags, no time expiry !!! and try the functions,
    they are working !!! kool

21) now there is one more thing to do.
    when u install nico's commander it will put a shortcut
    on ur desktop and of course in the programs menu !!!
    now !!! right-click the shortcut on the desktop and click
    on the Shortcut tab. in the Target field u should see
    something like this :
    "C:\Program Files\Nico's Commander\nc.exe"
    o.k !!! change it to this :
    "C:\Program Files\Nico's Commander\tnt_nc.exe"
    replace (tnt_nc) with the name of ur loader !!!
    ( i think u got the pic )
    and in the Start in field write this :
    "C:\Program Files\Nico's Commander"
    now u will see that the icon has changed, so change
    it back to nico's commander's icon !!!
    ( i think u know how to do it !!!)
    and do the same for the shortcut in the programs menu !!!

22) and u will have a fully registered nico's commander v5.31
    WOW!!!!!!

 o.k !! i hope u got it !!! and i hope u have learned something
 from this tut !!!! yeah !!!

FaT[BiT]_FaTsO greets the following :

      tKC -------> ( ur tuts ROX!! , i have them all!!!!!)
      LW2000 ----> ( Thank u for showing me how to use my brain!!!! )
      R!SC ------> ( if only ur tut is more compleX !! man !! u rox !!)
      XasX ------> ( ur toolz is great , best founder i have ever known !! )
      karlitoxZ -> ( u r a true friend !!!)
      wishmaker--> ( u r good !!! keep it up )
      BoneZ -----> ( thanx for ur support !! it meant a lot !!)

      and specially to MaV3RiCk \ TNT!
      (man u RoX! i couldn't have made this tut without ur tip !!!
       keep them coming !!!! )

      and FUCK PSUCT !!! FOREVER !!!

      and 2 all TNT!CRACK!TEAM! members and 2 all the cracking
      groups in the world !!!!

      that's it enjoy !!!!!
      FaT[BiT] \ TNT! ---> FaT_BiT@ididitmyway.com

      written on 5/20/2k at 9:50 PM

      and remember : 2 much cracking will K!LL u !!!
                         *boom* eof ----------------------------