Nico's Commander 5.01
~~~~~~~~~~~~~~~~~~~~~

Tutor by Put
~~~~~~~~~~~~

How to enter a random serial!

Sorry for my bad grammar, but I hope you will understand it anyway... :P
This tutorial is made by a newbie for another!!

Target: http://members.theglobe.com/ncuppen/ncuk.exe

Tools:
~~~~~~
W32Dasm Ver 8.93
Hiew 6.03

1. When you start the program, you get an ugly message. Here you say YES to enter a registration number!

2. Enter a random serial and press OK. Damn, you get a message that says: "Invalid registration number!" ??? We can't have that, can we? Nope, so let's fire up W32Dasm.

3. Note: it is a VERY good idea to make a copy of nc.exe as nc.w32, so that you have nc loaded all the time... but that is up to you. When you have disassembled the file (this WILL take a while), look for "Invalid reg..." in the SDR (String Data References) window.

4. Found it? Cool... then you will see something like this:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044BF84(C)   <--- this one is the mother!!!!!
|
* Possible Reference to String Resource ID=04229: "Invalid registration number!"
                                  |
:0044BF9F 6885100000              push 00001085
:0044BFA4 E83D6B0000              call 00452AE6
:0044BFA9 83C404                  add esp, 00000004
:0044BFAC 833D34EC560000          cmp dword ptr [0056EC34], 00000000
:0044BFB3 740E                    je 0044BFC3

5. Now, what are we going to use?? That's right, it is 44BF84. Click on Goto Code Location, write 44BF84 and click OK. Then you will see:

:0044BF79 55                      push ebp
:0044BF7A 8BEC                    mov ebp, esp
:0044BF7C 51                      push ecx
:0044BF7D 894DFC                  mov dword ptr [ebp-04], ecx
:0044BF80 837D0801                cmp dword ptr [ebp+08], 00000001
:0044BF84 7519                    jne 0044BF9F   <---- yep, it is here.

The routine gets the result of the serial check as its argument in [ebp+08]: if it is 1 the code falls through, otherwise the jne goes straight to the "Invalid registration number!" message. Inverting that jump makes every wrong serial take the accepted path (and a correct serial, if you had one, would now be rejected instead).

6. So now you only need the file offset to patch. Make sure the green bar is on the line you need (:0044BF84 7519 jne 0044BF9F) and read the @Offset W32Dasm shows at the bottom of the window: 4B384. We need to change the 75 there to 74 (75 = jne, jump if not equal; 74 = je, jump if equal). Always check that the byte at that offset really is 75 before you overwrite it; a wrong offset in Hiew silently corrupts something else.

7.
Fire up Hiew and load nc.exe. Press F5 and enter 4B384, press F3 and type 74, press F9 to save and F10 to quit. Start Nico's Commander again, enter a serial, and YEAH, it takes the code...

BUT almost every programmer puts a second check at startup, so let's see if this program has one too. Close Nico's Commander and start it again. Does it have a check? Yep, it does, and that is NOT good, right? So look for something about it in that About box... found something? Cool: "Days left in evaluation period: ". Let's go to W32Dasm again and look for it. When you have found it, double-click on it and you'll see this:

:0044A87F E99B000000              jmp 0044A91F

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044A866(C)
|
:0044A884 8D8D68FFFFFF            lea ecx, dword ptr [ebp+FFFFFF68]
:0044A88A E873110B00              call 004FBA02
:0044A88F C645FC02                mov [ebp-04], 02
:0044A893 8B55F0                  mov edx, dword ptr [ebp-10]
:0044A896 2B9570FFFFFF            sub edx, dword ptr [ebp+FFFFFF70]
:0044A89C B81E000000              mov eax, 0000001E
:0044A8A1 2BC2                    sub eax, edx
:0044A8A3 50                      push eax

* Possible StringData Ref from Data Obj ->"%d"
                                  |
:0044A8A4 68B0415400              push 005441B0
:0044A8A9 8D8D68FFFFFF            lea ecx, dword ptr [ebp+FFFFFF68]
:0044A8AF 51                      push ecx
:0044A8B0 E8FEA70A00              call 004F50B3
:0044A8B5 83C40C                  add esp, 0000000C

* Possible Reference to String Resource ID=04227: "Days left in evaluation period: "
                                  |
:0044A8B8 6883100000              push 00001083

This is only the code that prints the counter: edx is the difference of two stored values (presumably the days used so far), and eax = 1E (30 decimal) minus edx is the number formatted with "%d". The check itself is not here; it is wherever the jump that leads here comes from.

8. So what do you think we need? Look at the line:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044A866(C)

Now you know what to do!!!
- Yeah, that's right. Click on Goto Code Location, write 44A866, and you will see this:

:0044A863 83F81D                  cmp eax, 0000001D
:0044A866 7E1C                    jle 0044A884

(eax is the day count: as long as it is not above 1D, 29 decimal, the jle goes to the "Days left" code above.) If you scroll some lines up (about 10-15) you will see:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044A800(C)

Try to search for this one in the GCL (Goto Code Location). Write 44A800 in the GCL and you will see this:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044A7C0(C)
|
:0044A7F0 83BD70FFFFFF00          cmp dword ptr [ebp+FFFFFF70], 00000000
:0044A7F7 7409                    je 0044A802
:0044A7F9 83BD70FFFFFF01          cmp dword ptr [ebp+FFFFFF70], 00000001
:0044A800 752F                    jne 0044A831

9. So what will you do here? You have a jne, a je and the line |:0044A7C0(C): three options. I don't know what to do!!! :P But yeah, it is right... we simply need to use the GCL *again*, so write 44A7C0 and click OK.

10. Then you will have this:

:0044A7BA 3B055CC65500            cmp eax, dword ptr [0055C65C]
:0044A7C0 752E                    jne 0044A7F0   <---- THIS IS IT!!!!!!!!!!!
:0044A7C2 C70528C7550001000000    mov dword ptr [0055C728], 00000001

eax is compared with the value stored at 0055C65C. Only when they match does the program fall through and set [0055C728] to 1 (presumably the "registered" flag); otherwise it jumps to the evaluation-day logic above. Change the jne to je and the flag gets set exactly when they do NOT match, which is what happens with a random serial.

11. Cool, now we have come to the final thing... hehe. Let's see what offset we have to change here: 49BC0 -> 74 (and I know that you know why!!!!!). As before, check that the byte at 49BC0 is 75 before you touch it.

12. Fire up good old Hiew again and load nc.exe. Press F5, enter 49BC0, press Enter, press F3, type 74, hit F9 to save, F10 to quit, and start Nico's Commander again... and there is NO nag screen........ So you did it *again*!!!! Cool, isn't it?

Greets go to: BuL-LeT, tKC, WildFire1, and everyone else that I know.. :P

-=Put=-
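As an added example (not part of Put's tutorial), here is a Python script that does the two Hiew edits from steps 7 and 12 in one go. Instead of trusting an offset read off the status bar, it converts the W32Dasm virtual addresses (44BF84 and 44A7C0) to file offsets from the PE section table, and it refuses to write unless the bytes at the offset are the 75 19 / 75 2E the listings show, so an already patched file or a different build of nc.exe cannot be silently corrupted. It always writes a new file and leaves the original alone. Assumptions: the target is a 32-bit PE with the default image base 400000 (this is consistent with the tutorial's 44BF84 -> 4B384 and 44A7C0 -> 49BC0); build_test_image() is a constructed stand-in for nc.exe so the script can be run offline.

```python
"""Patch the two conditional jumps the tutorial identifies, by virtual address.

Added example, not part of the original tutorial.  Assumption: the target is a
32-bit PE with the default image base 0x400000 (matches the tutorial's
VA 0x44BF84 -> file offset 0x4B384 and VA 0x44A7C0 -> 0x49BC0).
"""
import struct

IMAGE_BASE = 0x400000  # assumed default image base of a 32-bit EXE

# (virtual address, bytes W32Dasm shows there, replacement): jne -> je (75 -> 74)
PATCHES = [
    (0x44BF84, b"\x75\x19", b"\x74\x19"),  # jne 0044BF9F, the serial check
    (0x44A7C0, b"\x75\x2E", b"\x74\x2E"),  # jne 0044A7F0, the startup check
]


def parse_sections(data):
    """Return [(VirtualAddress, PointerToRawData, SizeOfRawData)] from the PE section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        hdr = table + 40 * i
        # Name[8], VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
        _vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((va, raw_ptr, raw_size))
    return sections


def va_to_offset(sections, va, image_base=IMAGE_BASE):
    """Map a virtual address to a file offset (what W32Dasm calls @Offset)."""
    rva = va - image_base
    for sec_va, raw_ptr, raw_size in sections:
        if sec_va <= rva < sec_va + raw_size:
            return raw_ptr + (rva - sec_va)
    raise ValueError("VA %#x is not backed by any section" % va)


def apply_patches(data, sections, patches=PATCHES):
    """Return (patched bytes, list of file offsets written).

    Refuses to write if the bytes on disk are not the ones the disassembly
    showed, so a wrong build, a wrong offset or an already patched file is
    reported instead of silently corrupted.
    """
    out = bytearray(data)
    offsets = []
    for va, expected, replacement in patches:
        off = va_to_offset(sections, va)
        found = bytes(out[off:off + len(expected)])
        if found != expected:
            raise ValueError("at offset %#x expected %s, found %s"
                             % (off, expected.hex(), found.hex()))
        out[off:off + len(replacement)] = replacement
        offsets.append(off)
    return bytes(out), offsets


def patch_file(src, dst, patches=PATCHES):
    """Read src, patch it, write dst; the original file is never modified in place."""
    with open(src, "rb") as f:
        data = f.read()
    patched, offsets = apply_patches(data, parse_sections(data), patches)
    with open(dst, "wb") as f:
        f.write(patched)
    return offsets


def build_test_image():
    """Constructed stand-in for nc.exe so the script runs offline: one .text
    section at RVA 0x1000 / raw offset 0x400, which puts VA 0x44BF84 at file
    offset 0x4B384 exactly as the tutorial reports."""
    e_lfanew = 0x80
    opt_size = 0xE0  # PE32 optional header size
    hdr = bytearray(0x400)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", hdr, e_lfanew + 6, 1)          # NumberOfSections
    struct.pack_into("<H", hdr, e_lfanew + 20, opt_size)  # SizeOfOptionalHeader
    sec = e_lfanew + 24 + opt_size
    hdr[sec:sec + 8] = b".text\0\0\0"
    raw_size = 0x50000
    struct.pack_into("<IIII", hdr, sec + 8, raw_size, 0x1000, raw_size, 0x400)
    text = bytearray(b"\x90" * raw_size)  # NOP filler; only the two jumps matter
    for va, expected, _ in PATCHES:
        pos = va - IMAGE_BASE - 0x1000
        text[pos:pos + len(expected)] = expected
    return bytes(hdr + text)


if __name__ == "__main__":
    image = build_test_image()
    patched, where = apply_patches(image, parse_sections(image))
    print("patched at file offsets:", ", ".join("%X" % o for o in where))  # 4B384, 49BC0
```

On a real copy you would call patch_file("nc.exe", "nc-patched.exe") and get back [0x4B384, 0x49BC0]; if the second call on the patched file raises "expected 7519, found 7419", that is the check doing its job, not a bug.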