June 99
Cracking NetBus Pro 2.01
Win '95 Program
Win Code Reversing
 
 
by ViPeR 
 
 
Code Reversing For Beginners 
 
 
 
Program Details
Program Name: NetBus Pro v2.01 (nbpro201.exe)
Program Type: Remote administration and spy tool.
Program Location: Here 
Program Size: 1.7 meg
 
   
Tools Used:
W32DasmV8.9 - Disassembler
Softice V3.2 - Debugger
 
Rating
Easy ( X )  Medium (  )  Hard (    )  Pro (    ) 
There is a crack, a crack in everything. That's how the light gets in.
 
  
 
NetBus Pro 2.01
'Find the registration key'
Written by ViPeR
 
 
Introduction
 
What's NetBus Pro? NetBus Pro is a remote administration and spy tool. With its easy installation and user-friendly interface you’ll be able to administrate computers with NetBus Pro in minutes. NetBus Pro has many features for remote administration like the File manager, Registry manager and Application Redirect. In addition, NetBus Pro brings you features like Capture screen, Listen keyboard and Capture camera image for "spying." All these features, among several others, have migrated into a single package.
 
About this protection system
 
You need to enter name, company and key in order to register this program.
 
The Essay 
     
(1) It begins here.... ===============================================================================
Let's get right to the topic -- cracking. Run the program, from the menu, click Help, then Register. The registration box will pup up. Enter whatever you want for the name, company and key. Notice that the key should be at least 8 chars long. (you will see why later). Ok, in my case, I enter the following info:
Name : ProfViper
Company : Home
Key : 54545454

Fire up soft-ice(Ctrl-D) and set a break point on hmemcpy (bpx hmemcpy). Click the "Register" button and *BOOM*, you are back into Soft-Ice. Type x, enter, x enter and press F11 to go back to the caller. Press F12 7 times and F10 23 times (you will hit several "RET") until you are in the following code:

:004DB9E4 E8C76BF5FF              call 004325B0
:004DB9E9 8B45F4                  mov eax, dword ptr [ebp-0C] ;  <-- You are here
:004DB9EC 50                      push eax
:
:
:
Press F10 several times and you land here,
:004DBA1C E8FB57FFFF              call 004D121C ; You are here now.
:
:
:
Step inside this call by pressing F8. Then, keep pressing F10,
:004D121C 55                      push ebp
:004D121D 8BEC                    mov ebp, esp
:004D121F 81C4E8FDFFFF            add esp, FFFFFDE8
:004D1225 33C0                    xor eax, eax
:004D1227 8985E8FEFFFF            mov dword ptr [ebp+FFFFFEE8], eax
:004D122D 8D45EC                  lea eax, dword ptr [ebp-14]
:004D1230 8B15DC0F4D00            mov edx, dword ptr [004D0FDC]
:004D1236 E8A532F3FF              call 004044E0
:004D123B 33C0                    xor eax, eax
:004D123D 55                      push ebp
:004D123E 680C134D00              push 004D130C
:004D1243 64FF30                  push dword ptr fs:[eax]
:004D1246 648920                  mov dword ptr fs:[eax], esp
:004D1249 8D45EC                  lea eax, dword ptr [ebp-14]
:004D124C E897FEFFFF              call 004D10E8

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D11DC(C)
|
:004D1251 33C9                    xor ecx, ecx
:004D1253 B201                    mov dl, 01
:004D1255 A1F4034D00              mov eax, dword ptr [004D03F4]
:004D125A E8D5F9FFFF              call 004D0C34
:004D125F 8945F8                  mov dword ptr [ebp-08], eax
:004D1262 33C0                    xor eax, eax
:004D1264 55                      push ebp
:004D1265 68DE124D00              push 004D12DE
:004D126A 64FF30                  push dword ptr fs:[eax]
:004D126D 648920                  mov dword ptr fs:[eax], esp
:004D1270 8D85E8FEFFFF            lea eax, dword ptr [ebp+FFFFFEE8]
:004D1276 8B4DF0                  mov ecx, dword ptr [ebp-10] ;
:004D1279 BA24134D00              mov edx, 004D1324
Until you are at 004D1279. If you d ecx, you will see the fake key '54545454' in the data window, and d edx, you will see '$'.
:004D127E E8252DF3FF              call 00403FA8
:004D1283 8B95E8FEFFFF            mov edx, dword ptr [ebp+FFFFFEE8]
Type d edx and edx now contains '$54545454'. Notice that the length of this string is 9. Let's keep tracing the code.

:004D1289 8D85ECFEFFFF            lea eax, dword ptr [ebp+FFFFFEEC]
:004D128F B9FF000000              mov ecx, 000000FF
:004D1294 E89F2CF3FF              call 00403F38 ; copy '$54545454' to a new address
                                                ; d edx and you will see it.
:004D1299 8D85ECFEFFFF            lea eax, dword ptr [ebp+FFFFFEEC]
:004D129F 50                      push eax
:004D12A0 8D85E8FDFFFF            lea eax, dword ptr [ebp+FFFFFDE8]
:004D12A6 8B55EC                  mov edx, dword ptr [ebp-14] ; edx contains Name
:004D12A9 B9FF000000              mov ecx, 000000FF
:004D12AE E8852CF3FF              call 00403F38 ; calculate the length of 'ProfViper'
:004D12B3 8D95E8FDFFFF            lea edx, dword ptr [ebp+FFFFFDE8] ; edx contains Name
:004D12B9 8B45F8                  mov eax, dword ptr [ebp-08] 
:004D12BC 59                      pop ecx ; ecx contains the fake key
:004D12BD E846F8FFFF              call 004D0B08 ; this is the call we need to step in.
:
:
:
(2)The door to the key generating roution ===============================================================================
* Referenced by a CALL at Address:
|:004D12BD   
|
:004D0B08 53                      push ebx
:004D0B09 56                      push esi
:004D0B0A 57                      push edi
:004D0B0B 83C4C0                  add esp, FFFFFFC0
:004D0B0E 8BF1                    mov esi, ecx
:004D0B10 8D3C24                  lea edi, dword ptr [esp]
:004D0B13 33C9                    xor ecx, ecx
:004D0B15 8A0E                    mov cl, byte ptr [esi]
:004D0B17 80F909                  cmp cl, 09 ; 8 chars of fake reg. code + 1)
                                             ; from here, we know the key should
                                             ;  be at least 8 chars.                                              
:004D0B1A 7202                    jb 004D0B1E
:004D0B1C B109                    mov cl, 09 

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D0B1A(C)
|
:004D0B1E 880F                    mov byte ptr [edi], cl
:004D0B20 46                      inc esi
:004D0B21 47                      inc edi
:004D0B22 F3                      repz
:004D0B23 A4                      movsb
:004D0B24 8BF2                    mov esi, edx
:004D0B26 8D7C240A                lea edi, dword ptr [esp+0A]
:004D0B2A 33C9                    xor ecx, ecx
:004D0B2C 8A0E                    mov cl, byte ptr [esi]
:004D0B2E 80F932                  cmp cl, 32
:004D0B31 7202                    jb 004D0B35
:004D0B33 B132                    mov cl, 32

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D0B31(C)
|
:004D0B35 880F                    mov byte ptr [edi], cl
:004D0B37 46                      inc esi
:004D0B38 47                      inc edi
:004D0B39 F3                      repz
:004D0B3A A4                      movsb
:004D0B3B 8BD8                    mov ebx, eax
:004D0B3D 33D2                    xor edx, edx
:004D0B3F 8A54240A                mov dl, byte ptr [esp+0A]
:004D0B43 42                      inc edx
:004D0B44 83FA32                  cmp edx, 00000032
:004D0B47 7F0E                    jg 004D0B57
:004D0B49 8D44140A                lea eax, dword ptr [esp+edx+0A]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D0B55(C)
|
:004D0B4D C6002A                  mov byte ptr [eax], 2A
:004D0B50 42                      inc edx
:004D0B51 40                      inc eax
:004D0B52 83FA33                  cmp edx, 00000033
:004D0B55 75F6                    jne 004D0B4D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D0B47(C)
|
:004D0B57 8BCC                    mov ecx, esp
:004D0B59 8D54240A                lea edx, dword ptr [esp+0A]
:004D0B5D 8BC3                    mov eax, ebx
:004D0B5F E8FCFEFFFF              call 004D0A60 ; call the real-key calculation
                                                ;  routine.
:
:								
At this point, you have two choice:

(i) if you step through the call 004D0A60, you will see the key in the data window. Actually, this is the second valid key for you to register this program. (you will see it later soon).In my case, it shows $D3712ECE. Note that only 'D3712ECE' is the registration key. Enter this key and you are registered.

(ii) step inside the call 004D0A60 and see what happen.

(3) Another key you can use ===============================================================================

Nothing interesting until 004D0AAA.

:
:
:004D0AA1 50                      push eax
:004D0AA2 8BCB                    mov ecx, ebx
:004D0AA4 8D54240E                lea edx, dword ptr [esp+0E] ; edx contains Name
:004D0AA8 8BC6                    mov eax, esi
:004D0AAA E805FEFFFF              call 004D08B4 ; here, it generate '9AC65A60'.
                                                ; If you enter this key, you will
                                                ; see the thank you messagebox.
                                                ; if you are interested in writing
                                                ; a key generator you should check
                                                ;  this routine.

:004D0AAF 8D442440                lea eax, dword ptr [esp+40] 
Do a d eax at this point, you will see '$9AC65A60' in the data window. Actually, this is your first registration key. You may exit Soft-Ice and enter 9AC65A60 to register and see the thank you message box.

:004D0AB3 8BD4                    mov edx, esp
:004D0AB5 33C9                    xor ecx, ecx
:004D0AB7 8A08                    mov cl, byte ptr [eax]
:004D0AB9 41                      inc ecx
:004D0ABA E85921F3FF              call 00402C18 ; comparision routine
                                                ;
:004D0ABF 0F94C0                  sete al
:004D0AC2 84C0                    test al, al
:004D0AC4 7538                    jne 004D0AFE ; if the fake key is not the same as the first
                                               ; real key, continue to generate the second
											   ; real key and compare them.                                               
:004D0AC6 B301                    mov bl, 01
:004D0AC8 889E75030000            mov byte ptr [esi+00000375], bl
:004D0ACE 8D442440                lea eax, dword ptr [esp+40]
:004D0AD2 50                      push eax
:004D0AD3 8BCB                    mov ecx, ebx
:004D0AD5 8D54240E                lea edx, dword ptr [esp+0E]
:004D0AD9 8BC6                    mov eax, esi
:004D0ADB E8D4FDFFFF              call 004D08B4 ; this routine generate another key. 
                                                ; In my case, it gives 'D3712ECE' 
                                                ; if you are interested in writing 
                                                ; a key generator you should check
                                                ;  this routine.

:004D0AE0 8D442440                lea eax, dword ptr [esp+40]
:004D0AE4 8BD4                    mov edx, esp
:004D0AE6 33C9                    xor ecx, ecx
:004D0AE8 8A08                    mov cl, byte ptr [eax]
:004D0AEA 41                      inc ecx
:004D0AEB E82821F3FF              call 00402C18 ; compare the real key 'D3712ECE' 
                                                ; with fake key.
:004D0AF0 0F94C0                  sete al
:004D0AF3 3C01                    cmp al, 01
:004D0AF5 7507                    jne 004D0AFE
:004D0AF7 C6867503000001          mov byte ptr [esi+00000375], 01

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004D0AC4(C), :004D0AF5(C)
|
:004D0AFE 83C44C                  add esp, 0000004C
:004D0B01 5F                      pop edi
:004D0B02 5E                      pop esi
:004D0B03 5B                      pop ebx
:004D0B04 C3                      ret

(4) Comparision routine =============================================================================== The following code is the comparision routine after the real key is been generated. See the comments for the details.


* Referenced by a CALL at Addresses:
|:00403642   , :004D0ABA   , :004D0AEB   
|
:00402C18 53                      push ebx
:00402C19 56                      push esi
:00402C1A 51                      push ecx
:00402C1B 89CE                    mov esi, ecx
:00402C1D C1EE02                  shr esi, 02
:00402C20 7426                    je 00402C48

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402C3E(C)
|
:00402C22 8B08                    mov ecx, dword ptr [eax] 
:00402C24 8B1A                    mov ebx, dword ptr [edx] 

In our case,
ecx=33442409 which is the ASCII of .$37 in .$D3712ECE
ebx=34352409 which is the ASCII of .$54 in .$54545454
:00402C26 39D9                    cmp ecx, ebx ; do the comparision
:00402C28 7545                    jne 00402C6F ; not equel? bad cracker.
:00402C2A 4E                      dec esi
:00402C2B 7415                    je 00402C42
:00402C2D 8B4804                  mov ecx, dword ptr [eax+04] 
:00402C30 8B5A04                  mov ebx, dword ptr [edx+04] 

Take the next four real key values and next four fake key values and compare them.
:00402C33 39D9                    cmp ecx, ebx ; do the comparision
:00402C35 7538                    jne 00402C6F ; not equal? bad cracker.
:00402C37 83C008                  add eax, 00000008 ; adjust eax (coz we have 
                                                    ; compared 8 chars.)
:00402C3A 83C208                  add edx, 00000008 ; adjust edx
:00402C3D 4E                      dec esi
:00402C3E 75E2                    jne 00402C22
:00402C40 EB06                    jmp 00402C48

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402C2B(C)
|
:00402C42 83C004                  add eax, 00000004
:00402C45 83C204                  add edx, 00000004

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00402C20(C), :00402C40(U)
|
:00402C48 5E                      pop esi
:00402C49 83E603                  and esi, 00000003
:00402C4C 7436                    je 00402C84
:00402C4E 8A08                    mov cl, byte ptr [eax] ; cl='C'
:00402C50 3A0A                    cmp cl, byte ptr [edx] ; compare '5' with 'C'
:00402C52 7530                    jne 00402C84 ;  not equal? bad cracker
:00402C54 4E                      dec esi
:00402C55 7413                    je 00402C6A
:00402C57 8A4801                  mov cl, byte ptr [eax+01] ; similar to above.
:00402C5A 3A4A01                  cmp cl, byte ptr [edx+01]
:00402C5D 7525                    jne 00402C84
:00402C5F 4E                      dec esi
:00402C60 7408                    je 00402C6A
:00402C62 8A4802                  mov cl, byte ptr [eax+02]
:00402C65 3A4A02                  cmp cl, byte ptr [edx+02]
:00402C68 751A                    jne 00402C84

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00402C55(C), :00402C60(C)
|
:00402C6A 31C0                    xor eax, eax
:00402C6C 5E                      pop esi
:00402C6D 5B                      pop ebx
:00402C6E C3                      ret


 
Final Notes 

I didn't really trace the code that generate the registration key. If you are interested in writing a key generator your own, you may check the code at location 004D08B4. (if you do, could you send me one copy of it?)

 
My thanks and gratitude goes to:-
 
Fravia+ for providing possibly the greatest source of Reverse Engineering
knowledge on the Web.
 
 
Ob Duh 
 
 
Do I really have to remind you all that by buying and NOT stealing the software you use will ensure that these software houses will continue to  produce even *better* software for us to use and more importantly, to continue offering even more challenges to breaking their often weak protection systems.
 
If your looking for cracks or serial numbers from these pages then your wasting your time, try searching elsewhere on the Web under Warze, Cracks etc.
   

 

Essay by: ViPeR
Page Created: 2nd June 1999