-----------------------------------------------------
How to find a serial in NetBus Pro
-----------------------------------------------------

Cracker: stealthFIGHTER
Target:  NetBus Pro 2.10
Tools:   SoftIce, W32dasm, Brain
Where:   http://www.netbus.org

Sorry for my English, it's not my mother tongue.

-----------
Step 1:
-----------

===
Run NetBus, go to Registration, fill in all the boxes and press the Register button => oops, nothing happened (the program is written in Delphi).

===
Open W32dasm and disassemble Netbus.exe. Ready? Click the SDR (String Data References) window and find the text "Thanks for registering NetBus". Double-click on it. You should be here:

===
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004DE392(U)
|
:004DE384 8B45F8          mov eax, dword ptr [ebp-08]
:004DE387 E8C04CF2FF      call 0040304C
:004DE38C C3              ret
:004DE38D E96E53F2FF      jmp 00403700
:004DE392 EBF0            jmp 004DE384
:004DE394 E8A754FFFF      call 004D3840        <-- very important!!!
:004DE399 84C0            test al, al
:004DE39B 7414            je 004DE3B1
:004DE39D B940000000      mov ecx, 00000040

* Possible StringData Ref from Code Obj ->"Thanks"
|
:004DE3A2 BA30E44D00      mov edx, 004DE430

* Possible StringData Ref from Code Obj ->"Thanks for registering NetBus "
                                        ->"Pro and supporting Shareware software."

===
There is a CALL that is IMPORTANT for us. This CALL calls the routine that generates the REAL serial. The CALL is at address 004DE394 <--- write this number down (we will set a breakpoint on this line).

===
Start the program again. Fill in all the boxes (I entered iNFiNiTY as the name, World Wide Web as the organization and 12345678 as a fake serial). Switch to SoftIce and set a breakpoint on memory copy (bpx hmemcpy). Go back (F5) and press REGISTER. We are in SoftIce. Press "F5" three times, because we have 3 input boxes. Then press F11 to get to the caller. Then press F12 (sometimes) to get to the 32-bit code.
(Note: hmemcpy is a 16-bit KERNEL export that only exists on Windows 9x, so bpx hmemcpy works there; on NT-based Windows break on GetWindowTextA or GetDlgItemTextA instead.)

===
When you are in 32-bit code, set a breakpoint on the CALL we found (bpx 004DE394). Ready?

===
Go back to NetBus and fill in all the boxes (for the last time). Go back to the program and push the REGISTER button. B00M! We are in SoftIce. Now you should be right on the CALL; if you are not, press "F5" once or twice until you land on the CALL.

===
015F:004DE392  JMP  004DE384
015F:004DE394  CALL 004D3840        <--- our CALL
015F:004DE399  TEST AL, AL
015F:004DE39B  JZ   004DE3B1

===
If you are at the CALL, trace into the call by pressing the "F8" key. Now just trace the code by pressing the "F10" key (about 20 - 30 times, I don't know exactly) (there are many CALLs and CMPs, but they are not important), until you get here:

===
015F:004D38A7 8B95E8FEFFFF   MOV  EDX, [EBP-0118]
015F:004D38AD 8D85ECFEFFFF   LEA  EAX, [EBP-0114]
015F:004D38B3 B9FF000000     MOV  ECX, 000000FF
015F:004D38B8 E87B06F3FF     CALL 00403F38
015F:004D38BD 8D85ECFEFFFF   LEA  EAX, [EBP-0114]
015F:004D38C3 50             PUSH EAX
015F:004D38C4 8D85E8FDFFFF   LEA  EAX, [EBP-0218]
015F:004D38CA 8B55EC         MOV  EDX, [EBP-14]
015F:004D38CD B9FF000000     MOV  ECX, 000000FF
015F:004D38D2 E86106F3FF     CALL 00403F38
015F:004D38D7 8D95EFDFFFF    LEA  EDX,
015F:004D38DD 8B45F8         MOV  EAX, [EBP-08]
015F:004D38E0 59             POP  ECX
015F:004D38E1 E842F8FFFF     CALL 004D3128        <--- this call generates the real code
015F:004D38E6 85C0           TEST EAX, EAX        <--- D EDX
015F:004D38E8 0F9445FF       SETZ BYTE PTR [EBP-01] <--- from here on the code is not interesting

===
When you are at TEST EAX, EAX type "D EDX" - in the data window is our personal REGISTRATION number. I get something like this:

===
.$12345678.iNFiN iTY.......................
..w....... ........ ...... ......$@....w....$@
.$serialnumber....w. Y.w.................$12
345678.your_name* *********************
*********************

===
Write the number down (without the dollar). Enter it again. boo00OO00oom.

===
-------------------------------------
If I made a mistake, please e-mail me at: stealthfighter@another.com
-------------------------------------
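As an added example (it is not part of stealthFIGHTER's tutorial and not NetBus code): before you type an address from a listing into bpx, it is worth checking that the CALL/JMP targets the disassembler printed really follow from the raw opcode bytes, since a single mistyped hex digit in a tutorial puts the breakpoint in the wrong place. The script below decodes relative CALL/JMP/Jcc targets from the bytes at a given address (target = address + instruction length + signed displacement) and compares them with the operand shown, for both the W32dasm-style lines (":004DE394 E8A754FFFF call 004D3840") and the SoftIce-style lines ("015F:004D38E1 E842F8FFFF CALL 004D3128") quoted above. The sample listings are copied from the tutorial; the regex, function names and the mismatch check are my own assumptions about how you would want to use it.

```python
import re
from typing import List, Optional, Tuple

# Sample input: the branch-carrying lines of the two listings quoted in the
# tutorial (W32dasm format without a selector, SoftIce format with "015F:").
W32DASM_LISTING = """
:004DE384 8B45F8 mov eax, dword ptr [ebp-08]
:004DE387 E8C04CF2FF call 0040304C
:004DE38C C3 ret
:004DE38D E96E53F2FF jmp 00403700
:004DE392 EBF0 jmp 004DE384
:004DE394 E8A754FFFF call 004D3840
:004DE399 84C0 test al, al
:004DE39B 7414 je 004DE3B1
"""

SOFTICE_LISTING = """
015F:004D38B8 E87B06F3FF CALL 00403F38
015F:004D38D2 E86106F3FF CALL 00403F38
015F:004D38E1 E842F8FFFF CALL 004D3128
015F:004D38E6 85C0 TEST EAX, EAX
"""

# "[selector:][:]address bytes mnemonic [operands]"  (assumed line shape)
LINE_RE = re.compile(
    r"^(?:[0-9A-Fa-f]{4}:)?:?([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]+)\s+([A-Za-z]+)(?:\s+(.*))?$"
)


def branch_target(addr: int, code: bytes) -> Optional[int]:
    """Decode the destination of a relative CALL/JMP/Jcc located at `addr`.

    x86 relative branches store a signed displacement from the *next*
    instruction, so target = addr + len(instruction) + rel. Returns None for
    anything that is not a relative branch (e.g. TEST, MOV, RET).
    """
    if not code:
        return None
    op, n = code[0], len(code)
    next_ip = addr + n
    if op in (0xE8, 0xE9) and n == 5:                        # CALL rel32 / JMP rel32
        rel = int.from_bytes(code[1:5], "little", signed=True)
    elif (op == 0xEB or 0x70 <= op <= 0x7F) and n == 2:      # JMP rel8 / Jcc rel8
        rel = int.from_bytes(code[1:2], "little", signed=True)
    elif op == 0x0F and n == 6 and 0x80 <= code[1] <= 0x8F:  # Jcc rel32
        rel = int.from_bytes(code[2:6], "little", signed=True)
    else:
        return None
    return (next_ip + rel) & 0xFFFFFFFF


def parse_listing(text: str) -> List[Tuple[int, bytes, str, str]]:
    """Turn listing lines into (address, opcode bytes, mnemonic, operands)."""
    rows = []
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # string-ref / comment lines are skipped
        addr = int(m.group(1), 16)
        code = bytes.fromhex(m.group(2))
        rows.append((addr, code, m.group(3).lower(), (m.group(4) or "").strip()))
    return rows


def check_branches(text: str) -> List[Tuple[int, str, int, bool]]:
    """For every relative branch in the listing, compare the target decoded from
    the bytes with the operand the disassembler printed.
    Returns (address, mnemonic, decoded_target, matches_listing)."""
    out = []
    for addr, code, mnem, operands in parse_listing(text):
        target = branch_target(addr, code)
        if target is None:
            continue
        shown = int(operands.split(",")[0].split()[0], 16)
        out.append((addr, mnem, target, shown == target))
    return out


if __name__ == "__main__":
    for name, listing in (("W32dasm", W32DASM_LISTING), ("SoftIce", SOFTICE_LISTING)):
        print(name)
        for addr, mnem, target, ok in check_branches(listing):
            print(f"  {addr:08X} {mnem:<4} -> {target:08X} {'ok' if ok else 'MISMATCH'}")
```

Running it confirms that every branch in both listings decodes to the printed operand, including the important one: E8 A7 54 FF FF at 004DE394 is a CALL whose next instruction is 004DE399 and whose displacement is -0xAB59, giving 004D3840, the address the tutorial sets the breakpoint around. The same check is handy for your own SoftIce notes before a long F10 session.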