Net-It Now v1.6 - Tutorial

http://www.net-it.com - Webpage.

Another tutorial. Net-It Now is another of these web tools marketed to management for their web sites. For us reversers it offers the possibility of examining in greater detail a protection based solely on mathematics, and the fact that this program uses the MFC libraries also offers some learning possibilities.

Starting the application will confront you almost instantly with a license agreement. The option to trial the software is frankly not appealing, as each of the pages you construct will be spoiled by a Net-It Now logo, so our attention is turned towards the serial number registration option. You'll find the program helpfully enables the Accept button once the code you enter is 14 characters long.

A >bpx GetWindowTextA will gain you an entry point inside mfc42.dll. Stepping from here is just not an option, so use your F12 key to good effect; I recall pushing F12 something of the order of 42 times. Just a small tip here: when you elect to F12 your way through a target, it's a good idea to find out where the error message is displayed, so that you can refine your next attempt with that information in mind. Here's our critical code (if you use F12 the entry point will be at address 0040820E).

:00408253 CALL 00408586 <-- Key function call.
:00408258 ADD ESP,08 <-- Correct stack.
:0040825B TEST EAX,EAX <-- Check EAX for 0.
:0040825D JNZ 004082A3 <-- Good_jump.

The code above is our real check. Note that not jumping here calls function 00460A7E, which eventually displays the bad guy message box. So we need to do some tracing inside 00408586, remembering that EAX must be returned non-zero. Examine this next code snippet and marvel at the incompetence.

:0040858E MOV EDI, 0001E9DF <-- The_hard_coded_in_default.
:00408593 PUSH EDI <-- Stack_it_for_a_function.
:0040859A CALL 00461B70 <-- The_function.
:0040859F CMP EAX, 0000FDD0 <-- Compare_result_with_another_default.
:004085A4 JNZ 004085D5 <-- A_real_check.
:004085C8 MOV EAX,00000001 <-- Good_guy.
:004085D5 XOR EAX,EAX <-- Bad_guy.

This is obviously an easy place to patch: the only thing tested is whether the result equals FDD0, so simply rendering the JNZ 004085D5 ineffective should do the trick. Alternatively, perform a more elegant patch by changing the compare immediate to match the result your own serial produces. If you feel the need, try reversing the maths behind the protection; you'll need to examine CALL 00408499, which uses values from the input serial number. Obviously you'll also need to examine 00461B70, which performs the final division to produce the result that is checked.

Patch

:0040859F 3D D0 FD 00 00 <-- CMP EAX, 0000FDD0
:0040859F 66 3D 09 52 90 <-- CMP AX, 00005209 + NOP.

The result 00005209 was obtained using a serial number of 12345678901234; you can of course substitute the value your own preferred serial produces. The patched instruction is the 4-byte CMP AX, 5209 followed by a NOP, which keeps the patch at five bytes so the code after it is undisturbed. Because the program is a Windows 95 application that writes the registration information to the registry and verifies it at start-up using the same function call, the patch works permanently.
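The following Python example is added here for illustration; it is not part of CrackZ's tutorial nor any code from Net-It Now. It models the shape of the check above with stand-in arithmetic (the real serial maths is not on the page, so `serial_value` is an assumption that only reproduces a number derived from the 14-digit serial, reduced by the hard-coded default 0001E9DF and compared with the literal 0000FDD0). It then contrasts that pattern with a design in which the serial-derived value is used as key material rather than compared with a literal. The functions `derive_key`, `seal`, `open_sealed` and `load_config`, the serial `00000000064976` and the `CONFIG` bytes are all constructed for the example.

```python
"""Toy model of a one-compare serial check beside a design without that single
point of decision. Constructed example; the arithmetic is a stand-in, not the
program's real algorithm."""
import hashlib
import hmac
from typing import Optional

DEFAULT_DIVISOR = 0x1E9DF   # the hard-coded default from the listing
EXPECTED_RESULT = 0xFDD0    # the literal the result is compared with
TAG_LEN = 32


def serial_value(serial: str) -> int:
    """Stand-in for the serial maths (assumption, not the program's algorithm):
    a number derived from the digits, reduced by the hard-coded default."""
    if len(serial) != 14 or not serial.isdigit():
        raise ValueError("serial must be 14 decimal digits")
    return int(serial) % DEFAULT_DIVISOR


def weak_check(serial: str) -> bool:
    """The pattern on the page: the whole decision is one compare against a
    literal, so a single jump (or a single immediate) decides the outcome."""
    return serial_value(serial) == EXPECTED_RESULT


def derive_key(serial: str) -> bytes:
    """Use the serial-derived number as key material instead of as a boolean."""
    return hashlib.sha256(serial_value(serial).to_bytes(4, "little")).digest()


def _keystream(key: bytes, length: int) -> bytes:
    """Toy hash-counter keystream for the demonstration; not a production cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "little")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Vendor side: encrypt data the program needs, then tag it under the key."""
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, len(plaintext))))
    tag = hmac.new(key, ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


def open_sealed(key: bytes, blob: bytes, verify_tag: bool = True) -> Optional[bytes]:
    """Program side. verify_tag=False models skipping the compare the way the
    tutorial's patch does: the data still only decrypts under the right key."""
    ciphertext, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, ciphertext, hashlib.sha256).digest()
    if verify_tag and not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, len(ciphertext))))


# Constructed data: a serial that is valid under the toy maths (64976 == 0xFDD0)
# and a vendor-sealed resource the program needs. The real program has no such blob.
VALID_SERIAL = "00000000064976"
CONFIG = b"net-it-now:no-logo-on-pages"
SEALED_CONFIG = seal(derive_key(VALID_SERIAL), CONFIG)


def load_config(serial: str, verify_tag: bool = True) -> Optional[bytes]:
    """What the program would do at start-up: derive the key from the stored
    serial and try to open the resource it needs."""
    return open_sealed(derive_key(serial), SEALED_CONFIG, verify_tag)


if __name__ == "__main__":
    print(weak_check(VALID_SERIAL), weak_check("12345678901234"))    # True False
    print(load_config(VALID_SERIAL))                                  # the CONFIG bytes
    print(load_config("12345678901234"))                              # None: tag fails
    print(load_config("12345678901234", verify_tag=False))            # garbage, not CONFIG
```

Against the toy model, skipping the tag compare (`verify_tag=False`) no longer buys anything: the resource only decrypts under the key the right serial produces, so there is no single instruction whose outcome decides registration. That structural point, not the toy cipher itself, is what separates this design from the one in the listing above.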


© 1998 CrackZ. 2nd August 1998.