how to crack Nico's Commander v5.31 by FaT[BiT] \ TNT!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Dedication: To all TNT!CRACK!TEAM! members and to all TNT!CRACK!TEAM! fans all around the world

]-={ HAPPY ANNIVERSARY }=-[

hi there and welcome to my 5th tut !!! we will learn how to crack Nico's Commander v5.31

note : this tut is *only* and i repeat *only* for newbies like me !!!! and it's kinda long !!! god be with u !!!

Program    : Nico's Commander v5.31
Url        : http://www.nico200.com
Protection : Serial + Nag + TimeLimit + Packing !!
Size       : 388 Kb *Packed*

ToolZ :
  ProcDump v1.6     * ( to dump the file! )
  Win32dasm v8.93   * ( for dead-listing! )
  hiew v6.16        * ( any version will do! )
  R!SC's Patcher    * ( for writing a loader! )
  any song by Sting ( Shape of my heart )

* all of the above tools can be found at http://w3.to/protools except the song. Search for it !!!

o.k let the _crack_ _begin_ :

1) install Nico's Commander and run it !!! u will see the nag message telling u that u have XX days remaining, and asking u if u want to enter a serial !!!!

2) click on No and exit the program !! hehehe !!! now run ProcDump, click on Unpack, choose aspack v108.4, and browse for the file nc.exe !!!

3) ProcDump will start dumping the file and will show a message telling u to press o.k when the process is loaded. once it is loaded click o.k; Nico's Commander will pop up, so click No !!! then ProcDump should ask where u want to save the file and under what name; in my case i put ncdump.exe

4) now disassemble the file ncdump.exe with Win32dasm and !!!! what !!!! what is all this shit !!!! no SDR !! and nothin' i can't see !!!!! o.k don't panic !!!!!

5) now back to ProcDump: click on PE Editor and browse for the dumped file ncdump.exe, then click on Sections !! u should see all the sections like .text, .rdata ...etc. now all these sections have something in common in the Characteristics field !! yes, they all have C0000040 <--- hmmm !!!!
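The C0000040 value seen in step 5 is a bit mask from the PE section header: READ (40000000) | WRITE (80000000) | INITIALIZED_DATA (00000040), with no EXECUTE bit (20000000), which is why setting it to E0000040 just adds EXECUTE. As an added example (not part of this tut), here is a small Python PE section-table reader that decodes those bits and flags the two signs of a raw memory dump seen here: a .text section without EXECUTE and every section carrying identical flags; the sample PE images are constructed inside the code, not taken from nc.exe.

```python
import struct

# IMAGE_SECTION_HEADER.Characteristics bits (PE/COFF spec); C0000040 = INITDATA|READ|WRITE, OR SCN_MEM_EXECUTE -> E0000040
SCN_CNT_CODE, SCN_CNT_INITIALIZED_DATA = 0x00000020, 0x00000040
SCN_MEM_EXECUTE, SCN_MEM_READ, SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
FLAG_NAMES = {SCN_CNT_CODE: "CODE", SCN_CNT_INITIALIZED_DATA: "INITDATA",
              SCN_MEM_EXECUTE: "EXECUTE", SCN_MEM_READ: "READ", SCN_MEM_WRITE: "WRITE"}

def parse_sections(pe):
    """Walk DOS header -> PE signature -> COFF header -> section table; return [(name, flags)]."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections, opt_size = struct.unpack_from("<H", pe, coff + 2)[0], struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(nsections):
        off = table + 40 * i              # each IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, struct.unpack_from("<I", pe, off + 36)[0]))
    return sections

def decode_flags(flags):
    """Human-readable names for the bits set in a Characteristics value."""
    return [n for bit, n in FLAG_NAMES.items() if flags & bit]

def dump_indicators(pe):
    """Heuristics for a raw dump: code section not executable, or all sections sharing one flag value."""
    sections = parse_sections(pe)
    findings = []
    for name, flags in sections:
        if name in (".text", "CODE") and not flags & SCN_MEM_EXECUTE:
            findings.append(f"{name} lacks EXECUTE: {flags:08X} = {'|'.join(decode_flags(flags))}")
    if len(sections) > 1 and len({f for _, f in sections}) == 1:
        findings.append(f"all {len(sections)} sections share Characteristics {sections[0][1]:08X}")
    return findings

def build_sample_pe(section_flags):
    """Constructed minimal PE (headers only, no code) with the given (name, flags) section table."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_flags), 0, 0, 0, 224, 0x102)
    table = b"".join(name.encode().ljust(8, b"\0") + b"\0" * 28 + struct.pack("<I", flags)
                     for name, flags in section_flags)
    return dos + b"PE\0\0" + coff + b"\0" * 224 + table

DUMPED = build_sample_pe([(".text", 0xC0000040), (".rdata", 0xC0000040), (".data", 0xC0000040)])  # like ncdump.exe
LINKED = build_sample_pe([(".text", 0x60000020), (".rdata", 0x40000040), (".data", 0xC0000040)])  # normal linker output
```

Running dump_indicators over a file's bytes is a quick triage check for images that were written out of memory rather than produced by a linker.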
6) now change the C0000040 to E0000040 for every section name. u can do it by right-clicking on .text for example and choosing Edit Section, then changing the C0000040 to E0000040, and the same for the rest !!! and apply the changes

7) now again dasm the file ncdump.exe and wait and wait !!! and then !! yes !!! all the SDR Refs are enabled !!! kool

8) when the flag was C0000040, it means that the "sections are marked like READABLE WRITEABLE and INITDATA.....and it (win32dasm) refuses to do its work if the CODE/TEXT section hasn't got an EXECUTABLE flag too." <--- MaV3RiCk's exact words (thanx man)

9) now let's see, try to run the dumped file. it works fine but none of its functions work !!!! right !!! hmmm !!! (keep that in mind !!!)

10) back to Win32dasm, click on the SDR and look for "Days left in evaluation period", double click on it and u will be here :

  * Possible Reference to String Resource ID=04227: "Days left in evaluation period: "
  |
  :0045C5FF 6883100000   push 00001083
  :0045C604 8D4DE4       lea ecx, dword ptr [ebp-1C]
  :0045C607 E897310500   call 004AF7A3
  :0045C60C 8D9568FFFFFF lea edx, dword ptr [ebp+FFFFFF68]
  :0045C612 52           push edx
  :0045C613 8D45E4       lea eax, dword ptr [ebp-1C]

11) now scroll up just a little bit till u see this :

  * Referenced by a (U)nconditional or (C)onditional Jump at Address:
  |:0045C5AD(C)    <--- hmm !!!
what is this

  :0045C5CB 8D8D68FFFFFF lea ecx, dword ptr [ebp+FFFFFF68]
  :0045C5D1 E81A62FAFF   call 004027F0
  :0045C5D6 C645FC02     mov [ebp-04], 02
  :0045C5DA 8B55F0       mov edx, dword ptr [ebp-10]
  :0045C5DD 2B9570FFFFFF sub edx, dword ptr [ebp+FFFFFF70]
  :0045C5E3 B81E000000   mov eax, 0000001E
  :0045C5E8 2BC2         sub eax, edx
  :0045C5EA 50           push eax
  * Possible StringData Ref from Data Obj ->"%d"
  :0045C5EB 6878714E00   push 004E7178
  :0045C5F0 8D8D68FFFFFF lea ecx, dword ptr [ebp+FFFFFF68]
  :0045C5F6 51           push ecx
  :0045C5F7 E8658C0400   call 004A5261
  :0045C5FC 83C40C       add esp, 0000000C
  * Possible Reference to String Resource ID=04227: "Days left in evaluation period: "
  :0045C5FF 6883100000   push 00001083

12) now this code is executed because of the jump at 0045C5AD. click on Find Text and enter 0045C5AD and u should see this :

  :0045C5AA 83F81D       cmp eax, 0000001D            <-- the period 1Dh = 29
  :0045C5AD 7E1C         jle 0045C5CB                 <-- if the period hasn't expired, jump
  * Possible Reference to String Resource ID=04228: "Evaluation period expired!"
  :0045C5AF 6884100000   push 00001084
  :0045C5B4 8D4DE4       lea ecx, dword ptr [ebp-1C]
  :0045C5B7 E8E7310500   call 004AF7A3
  :0045C5BC C7051C8D500001000000 mov dword ptr [00508D1C], 00000001
  :0045C5C6 E99B000000   jmp 0045C666                 <-- brings up the dialog (do u want to enter a serial now) if the evaluation period has expired !!

13) now scroll up till u see this :

  * Referenced by a (U)nconditional or (C)onditional Jump at Address:
  |:0045C507(C)                                       <-- first interesting thing
  :0045C537 83BD70FFFFFF00 cmp dword ptr [ebp+FFFFFF70], 00000000
  :0045C53E 7409           je 0045C549               <-- 2nd interesting thing
  :0045C540 83BD70FFFFFF01 cmp dword ptr [ebp+FFFFFF70], 00000001
  :0045C547 752F           jne 0045C578              <-- 3rd interesting thing

hmm !!!! 3 interesting things here but i can't understand what is happening !!! so !!! let's see the jump at 0045C507

14) scroll up a little bit, to here :

  :0045C501 3B0548674F00 cmp eax, dword ptr [004F6748]
  :0045C507 752E         jne 0045C537                 <-- hmm !!!
nice one

  :0045C509 C70510684F0001000000 mov dword ptr [004F6810], 00000001
  :0045C513 C78504FFFFFF00000000 mov dword ptr [ebp+FFFFFF04], 00000000
  :0045C51D C745FCFFFFFFFF       mov [ebp-04], FFFFFFFF
  :0045C524 8D4DE8               lea ecx, dword ptr [ebp-18]
  :0045C527 E895250500           call 004AEAC1
  :0045C52C 8B8504FFFFFF         mov eax, dword ptr [ebp+FFFFFF04]
  :0045C532 E972020000           jmp 0045C7A9
  * Referenced by a (U)nconditional or (C)onditional Jump at Address:
  |:0045C507(C)
  :0045C537 83BD70FFFFFF00       cmp dword ptr [ebp+FFFFFF70], 00000000
  :0045C53E 7409                 je 0045C549
  :0045C540 83BD70FFFFFF01       cmp dword ptr [ebp+FFFFFF70], 00000001
  :0045C547 752F                 jne 0045C578

o.k !! now what can u tell from this code (nothin!!). as far as i can tell, at 0045C501 it compares the entered code (i think the one stored in the registry) with the right one, and if it's not equal it will jump to 0045C537 and from there it will check whether the period has expired or not !!!! (i think so !!)

15) now at 0045C507 if we didn't jump then we will be registered. why !! trace the code and u will see at 0045C532 there is a jump, so it will not expire and it will not display a message; in other words it is registered !!!!!

16) so set the bar on 0045C507, write down the offset, open hiew, change the jne --> je (75 --> 74), F9 to update and run ncdump !!!! ahhh!! there is no nag message asking if u want to register or not, and if u click on help\about nico's commander u will see that there is nowhere to enter the serial !!!! this has only one explanation !!! ------> it's REGISTERED <-----

17) but !! let's run nico's commander, try to run notepad or browse ur HD or anything !!!! it is not working !!!! i think the reason is that we have unpacked it !!!!!

18) now the idea of a loader might come in handy i think !!! yeah !!! let's make a loader that patches the memory to make the program think that it is registered !!!
19) now as i told u in the beginning u should have R!SC's patcher; read its help to learn how to write a script. in the mean time here is mine :

---------cut here-------------
;TNT!CRACK!TEAM!
;the output file
O=tnt_nc.exe:
;file to be loaded
F=nc.exe:
;address to be patched and what bytes to change
P=45C507/75/74:
;to R!SC: u have made a very lovely tool !!!
$
---------cut here-------------

20) now compile the script, copy the tnt_nc.exe file to the same dir and run it !!! kool it worked and nico's commander is running !!! no nags, no time expiry !!! and try the functions, they are working !!! kool

21) now there is one more thing to do. when u install nico's commander it will put a shortcut on ur desktop and of course in the programs menu !!! now !!! right-click the shortcut on the desktop and click on the Shortcut tab; in the Target field u should see something like this :

  "C:\Program Files\Nico's Commander\nc.exe"

o.k !!! change it to this :

  "C:\Program Files\Nico's Commander\tnt_nc.exe"

replace (tnt_nc) with the name of the loader !!! (i think u got the pic) and in the Start in field write this :

  "C:\Program Files\Nico's Commander"

now u will see that the icon has changed; change the icon back to nico's commander's icon !!! (i think u know how to do it !!!) and do the same for the shortcut in the programs menu !!!

22) and u will have a fully registered nico's commander v5.31 WOW!!!!!!

o.k !! i hope u got it !!! and i hope u have learned something out of this tut !!!! yeah !!!

FaT[BiT]_FaTsO greets the following :

tKC -------> ( ur tuts ROX!! , i have them all!!!!! )
LW2000 ----> ( thank u for showing me how to use my brain!!!! )
R!SC ------> ( if only ur tut were more compleX !! man !! u rox !! )
XasX ------> ( ur toolz are great, best founder i have ever known !! )
karlitoxZ -> ( u r a true friend !!! )
wishmaker--> ( u r good !!! keep it up )
BoneZ -----> ( thanx for ur support !! it meant a lot !! )

and specially to MaV3RiCk \ TNT! ( man u RoX!
i couldn't have made this tut without ur tip !!! keep them coming !!!! )

and FUCK PSUCT !!! FOREVER !!!

and 2 all TNT!CRACK!TEAM! members and 2 all the cracking groups in the world !!!!

that's it, enjoy !!!!!

FaT[BiT] \ TNT! ---> FaT_BiT@ididitmyway.com
written on 5/20/2k at 9:50 PM

and remember : 2 much cracking will K!LL u !!! *boom*

eof
----------------------------