-----------------------------------------------------+
This information is for educational purposes only!      |
-----------------------------------------------------+
-----------------------------------------------------
How to find a serial in NetBus Pro
-----------------------------------------------------
Cracker: stealthFIGHTER
Target: NetBus Pro 2.10
Tools: SoftIce, W32dasm, Brain
Where: http://www.netbus.org
Sorry for my English, it's not my mother tongue.
-----------
Step 1:
-----------
===
Run NetBus, go to Registration, fill in all the boxes and press the Register
button => oops, nothing happens (the program is written in Delphi).
===
Open W32dasm and disassemble NetBus.exe. Ready?
Click the SDR (String Data References) window and find the text "Thanks for registering NetBus".
Double-click on it. You should be here:
===
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004DE392(U)
|
:004DE384 8B45F8 mov eax, dword ptr [ebp-08]
:004DE387 E8C04CF2FF call 0040304C
:004DE38C C3 ret
:004DE38D E96E53F2FF jmp 00403700
:004DE392 EBF0 jmp 004DE384
:004DE394 E8A754FFFF call 004D3840 <-- very important!!!
:004DE399 84C0 test al, al
:004DE39B 7414 je 004DE3B1
:004DE39D B940000000 mov ecx, 00000040
* Possible StringData Ref from Code Obj ->"Thanks"
|
:004DE3A2 BA30E44D00 mov edx, 004DE430
* Possible StringData Ref from Code Obj ->"Thanks for registering NetBus "
->"Pro and supporting Shareware software."
===
There is a CALL that is IMPORTANT for us. This CALL calls the routine
that generates the REAL serial. This CALL sits at address
004DE394 <--- write this number down (we will set a breakpoint
on this line).
===
Start the program again. Fill in all the boxes (I entered iNFiNiTY as the name,
World Wide Web as the organization and 12345678 as a fake s/n).
Switch to SoftIce and set a breakpoint on memory copy (bpx hmemcpy).
Go back (F5) and press REGISTER. We are in SI.
Press F5 three times, because we have 3 input boxes. Then
press F11 to get to the caller. Then press F12 (sometimes) to get to the 32-bit code.
===
When you're in 32-bit code, set a breakpoint on the CALL we found
(bpx 004DE394). Ready?
===
Go back to NetBus and fill in all the boxes (for the last time).
Push the REGISTER button. B00M!
We are in SoftIce. Now you should be right on the CALL; if
you are not, press F5 once or twice until you land on the CALL.
===
015F:004DE392 JMP 004DE384
015F:004DE394 CALL 004D3840 <--- our CALL
015F:004DE399 TEST AL, AL
015F:004DE39B JZ 004DE3B1
===
If you're at the CALL, trace into the call by pressing the F8 key.
Now just trace over the code by pressing the F10 key
(about 20-30 times, I don't know exactly; there are many CALLs and
CMPs, but they are not important) until you get here:
===
015F:004D38A7 8B95E8FEFFFF MOV EDX,
015F:004D38AD 8D85ECFEFFFF LEA EAX,
015F:004D38B3 B9FF000000 MOV ECX, 000000FF
015F:004D38B8 E87B06F3FF CALL 00403F38
015F:004D38BD 8D85ECFEFFFF LEA EAX,
015F:004D38C3 50 PUSH EAX
015F:004D38C4 5D85E8FDFFFF LEA EAX,
015F:004D38CA 8B55EC MOV EDX,
015F:004D38CD B9FF000000 MOV ECX, 000000FF
015F:004D38D2 E86106F3FF CALL 00403F38
015F:004D38D7 8D95EFDFFFF LEA EDX,
015F:004D38DD 8B45F8 MOV EAX,
015F:004D38E0 59 POP ECX
015F:004D38E1 E842F8FFFF CALL 004D3128 <--- call a real code
015F:004D38E6 85C0 TEST EAX, EAX <--- D EDX
015F:004D38E8 0F9445FF SETZ BYTE PTR [EBP-01] <--- start of shit code
===
When you're at TEST EAX, EAX, type "D EDX" - the data at EDX
holds our personal REGISTRATION #. I get something like this:
===
.$12345678.iNFiN
iTY.......................
..w....... ........ ......
......$@....w....$@
.$serialnumber....w.
Y.w.................$12
345678.your_name*
*********************
*********************
===
Write the number down (without the dollar sign). Enter it again. boo00OO00oom.
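As an added illustration (not part of the original tutorial and not NetBus's own code), here is a small Python model of the two registration designs: the first derives the genuine serial from the name and then compares it, which is exactly why the serial is sitting in memory at the TEST EAX, EAX above; the second ships only a verification key, so the program can check a serial but never compute one, and no debugger stop finds a valid serial that the user did not type. VENDOR_SECRET, the toy RSA parameters and the serial format are constructed assumptions for this demo.

```python
import hashlib
import hmac

# Weak design (the pattern the tutorial exploits): the program derives the
# genuine serial from the user name and compares it with what was typed, so
# at the comparison the genuine serial is sitting in memory for a debugger.
VENDOR_SECRET = b"demo-secret-embedded-in-binary"  # constructed; ships inside the EXE

def derive_serial(name: str) -> str:
    """Stand-in for the generator routine; anyone holding the binary can run it."""
    tag = hmac.new(VENDOR_SECRET, name.encode(), hashlib.sha256).hexdigest()
    return tag[:16].upper()

def weak_check(name: str, typed: str):
    """Returns (accepted, leaked): 'leaked' is what a 'D EDX' would show."""
    genuine = derive_serial(name)          # the real serial now exists in memory
    return hmac.compare_digest(genuine, typed), genuine

# Hardened design: a serial is the vendor's signature over the name. Only the
# public part (N, E) ships with the program, so the client can verify a serial
# but cannot produce one; nothing in its memory ever equals a valid serial
# unless the user typed it. Toy RSA with constructed small primes so the demo
# runs offline; a real product would use a proper library and key size.
P, Q = 1000003, 1000033                    # constructed demo primes
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # vendor-side only; never shipped

def _digest(name: str) -> int:
    # 4 hash bytes keep the value below the toy modulus N
    return int.from_bytes(hashlib.sha256(name.encode()).digest()[:4], "big") % N

def issue_serial(name: str) -> str:
    """Vendor side: sign the name. Needs D, which the client never has."""
    return format(pow(_digest(name), D, N), "x")

def hardened_check(name: str, typed: str) -> bool:
    """Client side: verify with the public key only."""
    try:
        sig = int(typed, 16)
    except ValueError:
        return False
    return 0 < sig < N and pow(sig, E, N) == _digest(name)

if __name__ == "__main__":
    ok, leaked = weak_check("iNFiNiTY", "12345678")
    print("weak:", ok, "debugger would see:", leaked)
    lic = issue_serial("iNFiNiTY")
    print("hardened:", hardened_check("iNFiNiTY", lic),
          hardened_check("iNFiNiTY", "12345678"))
```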
===
-------------------------------------
If I made a mistake, please e-mail me
at: stealthfighter@another.com
-------------------------------------