Software Reverse Engineering - Nico's Commander v4.03a - Enter Any Registration
Copyright (c) 1998 Volatility
Document Courtesy of The Immortal Descendants - http://pages.prodigy.net/volatility

	Before I begin, I should tell you to PLEASE pay for this program.  This guy has
put a lot of hard work into this excellent program.  Why didn't he do the same for the
registration routine?

	This crack isn't to find a serial number, or a registration code, we'll make the
program "think" we registered it.

---------------------------------------------------------------------------------------------
Target:  Nico's Commander (nc.zip) - 373,673 bytes.  Download this at:

	    http://www.geocities.com/SiliconValley/Way/2686/nc.zip

Tools Needed:  	WDASM - recommended (or disassembler of your choice)
		HIEW - recommended (or hex editor of your choice)
		PMTK - recommended (or patcher of your choice)
---------------------------------------------------------------------------------------------

Prepare To Crack:

	Unzip Nico's Commander and run it (nc.exe).  A nag screen will pop up telling you the 
copy is unregistered, and how many days are left in your evaluation period.  You'll also see
a button to click so you can "enter your registration now".  Click this button, and enter some
test data in the box.  Click "Ok", and a message box will pop up saying "Invalid registration
number".  Write this down!

Starting The Crack:

	First make a copy of nc.exe in a different directory.  Fire up Wdasm, and disassemble 
nc.exe ("Disassembler", "Open file to disassemble", "nc.exe").  This will take a bit, so relax.  
When the file is finished disassembling, open the SDR (String Data References) window ("Refs", 
"String Data References").  There's lots of strings listed here, but let's see if we can find 
the one we wrote down "Invalid registration number".  We'll see this string towards the top of 
the list, and the string "Congratulations.  Your copy is now registered" right underneath it.  
Very promising!  Double-click on it, and shut the SDR window.  You'll land in the following code:

---------------------------------------------------------------------------------------------
* Possible Reference to String Resource ID=04229: "Invalid RegistrationNumber!"
				  |
:00422CE4 6885100000          push 00001085
:00422CE9 E8E0580000          call 004285CE
---------------------------------------------------------------------------------------------

	Scroll up for a bit, and you'll see the string "Contratulations. Yor copy is now
registered".  Scroll up even further, and you'll see the string "REGISTRATE" - the beginning 
of the registration routine?  Looks that way!  We now know (or have a good idea) that we're 
right in the middle of the routine.  Right where we want to be.  Let's scroll back down until
we see a jump where the data we entered will be pushed.  You'll find it at the following piece
of code:

---------------------------------------------------------------------------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00422C97(C)
|
:00422CBE 817DE4DC9A28A2      cmp dword ptr [ebp-1C], A2289ADC  <compare our code with real
:00422CC5 751D                jne 00422CE4                      <jump if not equal
:00422CC7 A180294800          mov eax, dword ptr [00482980]     <move code to some location

* Possible Reference to String Resource ID=04230: Congratulations. Your copy is now registered."
                                  |
:00422CCC 6886100000          push 00001086                     <push the code
---------------------------------------------------------------------------------------------

	Can you see where we need to patch?  We need to patch so that the routine jumps if IS
equal.  We need to patch line ":00422CC5 751D                jne 00422CE4".  Highlight the 
code, and check the offset below.  Should be 000220C5 (220C5).

---------------------------------------------------------------------------------------------
Making the Crack:
---------------------------------------------------------------------------------------------

Open nc.exe with HIEW ( c:\whatever\hiew c:\wherever\nc.exe )
Press F4 to go to hex view
Press F7 to search
Enter your search string: 220C5
Press enter
Press F3 to edit the code
Change jne to je
Press F9 to update
Press F10 to quit
Rename your patched program nc.bak
Move your other copy of nc.exe into the same directory as nc.bak

You can now enter any registration number!
(note: if you rename the program, you'll lose your registered status, because the file name
is stored in the registry.  You can, however, just enter a new registration, and you'll be
registered again.

---------------------------------------------------------------------------------------------
Making a Patcher
---------------------------------------------------------------------------------------------

Make sure your patched program, and your backup are in the same directory
Make the patcher with PMTK (c:\whatever\pmtk nc.exe nc.bak
Save your patch as binary, asm or com file (com file for an executable)
Name your patch file (nc.com for mine)
Insert a logo if you want
You're finished! You now have a patcher for nc.exe

-Volatility-