--------------------------------------------------+
This information is for educational purposes only!|
--------------------------------------------------+

Software Reverse Engineering - Nico's Commander v4.03a - Enter Any Registration
Copyright (c) 1998 Volatility
Document Courtesy of The Immortal Descendants - http://pages.prodigy.net/volatility

	Before I begin, I should tell you to PLEASE pay for this program.  This guy has
put a lot of hard work into this excellent program.  Why didn't he do the same for the
registration routine?

	This crack isn't about finding a serial number or a registration code; we'll make the
program "think" we registered it.

---------------------------------------------------------------------------------------------
Target:  Nico's Commander (nc.zip) - 373,673 bytes.  Download this at:

	    http://www.geocities.com/SiliconValley/Way/2686/nc.zip

Tools Needed:  	WDASM - recommended (or disassembler of your choice)
		HIEW - recommended (or hex editor of your choice)
		PMTK - recommended (or patcher of your choice)
---------------------------------------------------------------------------------------------

Prepare To Crack:

	Unzip Nico's Commander and run it (nc.exe).  A nag screen will pop up telling you the 
copy is unregistered, and how many days are left in your evaluation period.  You'll also see
a button to click so you can "enter your registration now".  Click this button, and enter some
test data in the box.  Click "Ok", and a message box will pop up saying "Invalid registration
number".  Write this down!

Starting The Crack:

	First make a copy of nc.exe in a different directory.  Fire up WDASM, and disassemble
nc.exe ("Disassembler", "Open file to disassemble", "nc.exe").  This will take a bit, so relax.
When the file is finished disassembling, open the SDR (String Data References) window ("Refs",
"String Data References").  There are lots of strings listed here, but let's see if we can find
the one we wrote down: "Invalid registration number".  We'll see this string towards the top of
the list, and the string "Congratulations.  Your copy is now registered" right underneath it.
Very promising!  Double-click on it, and shut the SDR window.  You'll land in the following code:

---------------------------------------------------------------------------------------------
* Possible Reference to String Resource ID=04229: "Invalid RegistrationNumber!"
				  |
:00422CE4 6885100000          push 00001085
:00422CE9 E8E0580000          call 004285CE
---------------------------------------------------------------------------------------------

	Scroll up for a bit, and you'll see the string "Congratulations.  Your copy is now
registered".  Scroll up even further, and you'll see the string "REGISTRATE" - the beginning 
of the registration routine?  Looks that way!  We now know (or have a good idea) that we're 
right in the middle of the routine.  Right where we want to be.  Let's scroll back down until
we see a jump where the data we entered will be pushed.  You'll find it at the following piece
of code:

---------------------------------------------------------------------------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00422C97(C)
|
:00422CBE 817DE4DC9A28A2      cmp dword ptr [ebp-1C], A2289ADC