Finding a serial for Networkspy 1.4 Eval
By Crudd [TeX]
Program : Network Spy 1.4 Eval
Location : http://www.sumitbirla.com/netspy
Tools : Softice 3.2+, Pascal 7.0 or some other programing language(for the keygen), some binary and asm knowlage(i'll help a little with this), some beer.
Hello boys and girls this is my second tut and my first keygen(woohoo). I have tried to make this as newbiew friendly as possible, i hope i did well.So lets get started.
First start Internet Maniac. Go to Help and select Register. Enter your shit.
Name: Crudd
Serial : 12345666
But before you hit 'Register' enter Softice (from now on SI) with Ctrl-D. Were gonna set our breakpoints first.
bpx getwindowtexta : Used to read text from a textbox (32-bit)
bpx getwindowtext : Used to read text from a textbox (16-bit)
bpx getdlgitemtexta : Same as above but from a dialogbox (32-bit)
bpx getdlgitemtext : Same as above but from a dialogbox (16-bit)
Now hit F5 to exit SI and click 'Register'. Boom your in SI. 'Break due to BPX USER32!GetDlgItemTextA'. Cool. So hit F5 because we want it to read the serial and the name. The first one only read the name. Now were in USER32 so hit F12 to get into our programs code, and we see this...
:0040512D 8D542448 lea edx, dword ptr [esp+48] ; Puts our name in EDX
:00405131 8D442408 lea eax, dword ptr [esp+08] ; Puts our serial in EAX
:00405135 52 push edx ; Puts EDX on the stack
:00405136 50 push eax ; Puts EAX on the stack
:00405137 E8142E0000 call 00407F50 ; Some Call
:0040513C 83C408 add esp, 00000008 ; Dont know?
:0040513F 85C0 test eax, eax ; Test if eax is 0
:00405141 744A jz 0040518D ; Jump if 0
So if we step through this (using F10) we don't get anything. Our code ins't shown in any of the registers after the call so hit F5 and will take a look at that call at :00405137. So hit 'Register' again. F5. F12. So hit F10 five times and F8 when we get to the call and we're here...
:00407F50 83EC20 sub esp, 00000020 ; These
:00407F53 56 push esi ; four
:00407F54 8B742428 mov esi, dword ptr [esp+28] ; lines are
:00407F58 56 push esi ; unimportant
:00407F59 FF1560104100 Call [KERNEL32!lstrlen] ; Puts the our name's length in EAX
:00407F5F 83F804 cmp eax, 00000004 ; Is our name 4 or more char long?
:00407F62 7D07 jge 00407F6B ; Jump if it is
:00407F64 33C0 xor eax, eax ; If your name is less than
:00407F66 5E pop esi ; 4 char then
:00407F67 83C420 add esp, 00000020 ; leave the
:00407F6A C3 ret ; procedure
:00407F6B 0FBE4601 movsx eax, byte ptr [esi+01] ; EAX gets the second letter of our Name
:00407F6F 0FBE4E02 movsx ecx, byte ptr [esi+02] ; ECX gets third letter of our Name
:00407F73 D1E0 shl eax, 1 ; for now this takes the EAX * 2
:00407F75 50 push eax ; Put it on the stack
:00407F76 0FBE4603 movsx eax, byte ptr [esi+03] ; EAX gets the fourth letter of our Name
:00407F7A C1E102 shl ecx, 02 ; for now ECX * 2
:00407F7D 51 push ecx ; Put on the stack
:00407F7E B90A000000 mov ecx, 0000000A ; ECX = A (10 in decimal)
:00407F83 99 cdq ; Set up EDX for IDIV
:00407F84 F7F9 idiv ecx ; Divides EAX by ECX : EDX = Remainder
:00407F86 B8A0C634FA mov eax, FA34C6A0 ; Puts FA34C6A0 in EAX
:00407F8B 8BCA mov ecx, edx ; Puts EDX in ECX (the answer from IDIV)
:00407F8D D3E0 shl eax, cl ; Complicated...see my notes
:00407F8F 8D4C240C lea ecx, dword ptr [esp+0C]
:00407F93 50 push eax
:00407F94 68383B4100 push 00413B38
:00407F99 51 push ecx
:00407F9A FF1544114100 Call [USER32!wsprintfA] ; What this does i have no idea
:00407FA0 8B542440 mov edx, dword ptr [esp+40] ; But if you type
:00407FA4 83C414 add esp, 00000014 ; D ESP after this line is exeucuted
:00407FA7 8D442404 lea eax, dword ptr [esp+04] ; it shows you our serial
:00407FAB 52 push edx ; for me its 419776270-468228
:00407FAC 50 push eax ; see notes
:00407FAD FF1544104100 Call [KERNEL32.lstrcmp]
:00407FB3 F7D8 neg eax
:00407FB5 1BC0 sbb eax, eax
:00407FB7 5E pop esi
:00407FB8 40 inc eax
:00407FB9 83C420 add esp, 00000020
:00407FBC C3 ret
Notes on SHL:
SHift logica Left....what this really does is moves the binary numbers so many to the left or multiplies it by two(SHL EAX, CL moves EAX however many places to the left that are in CL(this is where the binary knowlage comes in)).
Ex.
SHL 2,0 = 2 Binary : 0010 moved 0 places = 0010
SHL 2,1 = 4 Binary : 0010 moved 1 place = 0100
Simple. Right. So...
Binary for ; F A 3 4 C 6 A 0
:00407F86 B8A0C634FA mov eax, FA34C6A0 ; 1111 1010 0011 0100 1100 0110 1010 0000
:00407F8B 8BCA mov ecx, edx ; EAX MOD ECX = EDX = ECX
:00407F8D D3E0 shl eax, cl ; Shift EAX however many places in ECX
so FA34C6A0 SHL ECX =
ECX Binary value EAX after SHift Crdinal Value of EAX
0 1111 1010 0011 0100 1100 0110 1010 0000 FA34C6A0 4197762720
1 1111 0100 0110 1001 1000 1101 0100 0000 F4698D40 4100558144
2 1110 1000 1101 0011 0001 1010 1000 0000 E8D31A80 3906148992
4 1101 0001 1010 0110 0011 0101 0000 0000 D1A63500 3517330688
4 1010 0011 0100 1100 0110 1010 0000 0000 A34C6A00 2739694080
5 0100 0110 1001 1000 1101 0100 0000 0000 4698D400 1184420864
6 1000 1101 0011 0001 1010 1000 0000 0000 8D31A800 2368841728
7 0001 1010 0110 0011 0101 0000 0000 0000 1A635000 0442716160
8 0011 0100 1100 0110 1010 0000 0000 0000 34C6A000 0885432320
9 0110 1001 1000 1101 0100 0000 0000 0000 698D4000 1770864640
Thees 0-9 because we divided by 10 so we cant have more than 9 left right? I hope i make sense. To figure this out you can use the calculator that comes with windows(you have to put it in scientific mode). Put it in hex mode type in FA34C6A0. Now you can switch betwwen binary and decimal to see the numbers i got up top. Now go back to hex and multiply our number by 2. You see how the numbers change and where i got the other numbers... I hope this helps.
Notes on the serial
Mine is 419776270-468228.
hmmm...
ascii value for 'd' is 100. 100 MOD 10(line 00407FD8) is 0
0 = 419776270
first part of the key gen
then '-'
cool so we have 41977627-
468?....remember when it took the third char in our name times 4(00407F7A)
ascii value of 'u' is 117. 117 * 4 = 468
now we ot 41977627-468
and the 2 char in our name times 2(00407F73) so..
ascii value 0f 'r' = 114. 114*2 = 228
and we have our serial...woohoo
41977627-468228
Pascal code for keygen
----------------------
Program Crudd;
Uses
Crt;
Var
A : Integer;
B : Integer;
C : Integer;
Name : String;
Bob : String[10];
Begin
Clrscr;
Writeln('Net Spy 1.4 Keygen by Crudd');
Write('Enter your name : ');
Readln(Name);
A := ord(Name[2])*2;
B := ord(Name[3])*4;
C := ord(Name[4]) mod 10;
if c = 0 then
Bob := '4197762720';
if c = 1 then
Bob := '4100558144';
if c = 2 then
Bob := '3906148992';
if c = 3 then
Bob := '3517330688';
if c = 4 then
Bob := '2739694080';
if c = 5 then
Bob := '1184420864';
if c = 6 then
Bob := '2368841728';
if c = 7 then
Bob := '0442716160';
if c = 8 then
Bob := '0885432320';
if c = 9 then
Bob := '1770864640';
Writeln('Serial Number : ',bob,'-',b,a);
Writeln('Crudd[TeX] 1999');
End.
-------------
If anyone has any questions about this or anything else feel free to email me and ill see if i can help....CruddFLife@netzero.net
I hope this helped everyone out....
Greets to : L!M!T and all of [TeX], REaP, and everyone who has helped me along the way...
Peace
Crudd