
-----------------------------------------------------
How to find a serial in NetBus Pro
-----------------------------------------------------

Cracker: iNFiNiTY 

Target: NetBus Pro 2.10
Tools: SoftIce
           W32dasm		
           Brain

Where: http://www.netbus.org

Sorry for my English, it's not my mother language.


-----------
Step 1:
-----------

===
Run NetBus, go to registration, fill in all boxes and press the
Register button => oops, nothing happened (it is written in Delphi).
===
Open W32dasm and disassemble Netbus.exe. Ready?
Click the SDR (String Data References) window and find the
text: "Thanks for registering NetBus".
Double-click on it. You should be here:
===



* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004DE392(U)
|
:004DE384 8B45F8                  mov eax, dword ptr [ebp-08]
:004DE387 E8C04CF2FF              call 0040304C
:004DE38C C3                      ret


:004DE38D E96E53F2FF              jmp 00403700
:004DE392 EBF0                    jmp 004DE384
:004DE394 E8A754FFFF              call 004D3840    <-- very important!!!
:004DE399 84C0                    test al, al
:004DE39B 7414                    je 004DE3B1
:004DE39D B940000000              mov ecx, 00000040

* Possible StringData Ref from Code Obj ->"Thanks"
                                  |
:004DE3A2 BA30E44D00              	mov edx, 004DE430

* Possible StringData Ref from Code Obj ->"Thanks for registering NetBus "
                                        ->"Pro and supporting Shareware software."



===
There is a CALL here that is IMPORTANT for us. This CALL calls
the routine that generates the REAL CODE. The CALL is at
address 004DE394 <--- write this number down (we will set
a breakpoint on this line).
===
Start the program again. Fill in all boxes (I entered: iNFiNiTY as the name,
World Wide Web as the organization and 12345678 as a fake s/n).
Switch to SoftIce and set a breakpoint on memory copy (bpx hmemcpy).
Go back (F5) and press REGISTER. We are in SI.
Press "F5" three times, because we have 3 input boxes. Then
press F11 to get to the caller. Then press F12 (sometimes) to get to the 32-bit code.
===
When you're in 32-bit code, set a breakpoint on the CALL we've found
(bpx 004DE394). Ready?
===
Go back to NetBus and fill in all boxes (for the last time).
Then push the REGISTER button. B00M!
We are in SoftIce. Now you should be right on the CALL; if
you are not, press "F5" one or two times until you land on the CALL.
===


015F:004DE392		JMP 004DE384
015F:004DE394		CALL 004D3840	<--- our CALL
015F:004DE399		TEST AL, AL
015F:004DE39B		JZ 004DE3B1


===
If you're at the CALL, trace into the call by pressing the "F8" key.
Now just step over the code by pressing the "F10" key
(about 20 - 30 times, I don't know) (there are many CALLs and
CMPs, but they are not important), until you get here:
===


015F:004D38A7	8B95E8FEFFFF	MOV EDX,
015F:004D38AD	8D85ECFEFFFF	LEA EAX, 
015F:004D38B3	B9FF000000	MOV ECX, 000000FF
015F:004D38B8	E87B06F3FF	CALL 00403F38
015F:004D38BD	8D85ECFEFFFF	LEA EAX, 
015F:004D38C3	50		PUSH EAX
015F:004D38C4	5D85E8FDFFFF	LEA EAX, 
015F:004D38CA	8B55EC		MOV EDX, 
015F:004D38CD	B9FF000000	MOV ECX, 000000FF
015F:004D38D2	E86106F3FF	CALL 00403F38
015F:004D38D7	8D95EFDFFFF	LEA EDX, 
015F:004D38DD	8B45F8		MOV EAX, 
015F:004D38E0	59		POP ECX
015F:004D38E1	E842F8FFFF	CALL 004D3128		<--- call a real code
015F:004D38E6	85C0		TEST EAX, EAX		<--- D EDX
015F:004D38E8	0F9445FF	SETZ BYTE PTR [EBP-01]	<--- start of shit code


===
When you're at TEST EAX, EAX, type "D EDX" - the data window now
shows our personal REGISTRATION #. I got something like this:
===


.$12345678.iNFiN
iTY.......................
..w....... ........ ......
......$@....w....$@
.$C09618CE....w.
Y.w.................$12
345678.iNFiNiTY*
*********************
*********************

===
Yes. You are right. "C09618CE" is the REAL CODE (without the dollar sign).
Write the number down and register again with it. boo00OO00oom.
===

---------------------------------------------------------------------------
---<<<:>>>--- We are a registered user ---<<<:>>>----
---------------------------------------------------------------------------

=============================
If I made a mistake, please e-mail me
at codewaster@crosswinds.net.
You can also find me on the web:
---===[   http://hop.to/nitrous   ]===---
=============================
=============================
Thanks to all crackers on the web !!!
=============================