Finding a serial for Networkspy 1.4 Eval
By Crudd [TeX]

Program : Network Spy 1.4 Eval
Location : http://www.sumitbirla.com/netspy
Tools : Softice 3.2+, Pascal 7.0 or some other programming language (for the keygen), some binary and asm knowledge (I'll help a little with this), some beer.

Hello boys and girls, this is my second tut and my first keygen (woohoo).  I have tried to make this as newbie friendly as possible, I hope I did well.  So let's get started.

First start Internet Maniac. Go to Help and select Register.  Enter your shit.
Name: Crudd
Serial : 12345666
But before you hit 'Register' enter Softice (from now on SI) with Ctrl-D.  We're gonna set our breakpoints first.

bpx getwindowtexta  : Used to read text from a textbox (32-bit)
bpx getwindowtext   : Used to read text from a textbox (16-bit) 
bpx getdlgitemtexta : Same as above but from a dialogbox (32-bit)
bpx getdlgitemtext  : Same as above but from a dialogbox (16-bit)

Now hit F5 to exit SI and click 'Register'.  Boom, you're in SI.  'Break due to BPX USER32!GetDlgItemTextA'.  Cool.  So hit F5, because we want it to read the serial and the name, and the first break only read the name.  Now we're in USER32, so hit F12 to get into our program's code, and we see this...

:0040512D 8D542448         lea edx, dword ptr [esp+48]   ; EDX = address of the string the routine compares against (our serial)
:00405131 8D442408         lea eax, dword ptr [esp+08]   ; EAX = address of the string the routine builds the serial from (our name)
:00405135 52               push edx                      ; Push EDX (second argument)
:00405136 50               push eax                      ; Push EAX (first argument)
:00405137 E8142E0000       call 00407F50                 ; The serial check routine (see below)
:0040513C 83C408           add esp, 00000008             ; Remove the two pushed arguments from the stack (caller cleanup)
:0040513F 85C0             test eax, eax                 ; Test if EAX is 0
:00405141 744A             jz 0040518D                   ; Jump if 0 (serial rejected)

So if we step through this (using F10) we don't get anything.  Our code isn't shown in any of the registers after the call, so hit F5 and we'll take a look at that call at :00405137.  Hit 'Register' again. F5. F12. Then hit F10 five times and F8 when we get to the call, and we're here...


:00407F50 83EC20           sub esp, 00000020             ; Reserve 20h bytes of locals (the serial buffer lives here)
:00407F53 56               push esi                      ; Save ESI
:00407F54 8B742428         mov esi, dword ptr [esp+28]   ; ESI = pointer to the first argument (our name)
:00407F58 56               push esi                      ; Push it as the lstrlen argument

:00407F59 FF1560104100     Call [KERNEL32!lstrlen]       ; Puts our name's length in EAX
:00407F5F 83F804           cmp eax, 00000004             ; Is our name 4 or more chars long?
:00407F62 7D07             jge 00407F6B                  ; Jump if it is

:00407F64 33C0             xor eax, eax                  ; If your name is less than
:00407F66 5E               pop esi                       ; 4 chars then return 0 (fail)
:00407F67 83C420           add esp, 00000020             ; and leave the
:00407F6A C3               ret                           ; procedure

:00407F6B 0FBE4601         movsx eax, byte ptr [esi+01]  ; EAX gets the second letter of our name
:00407F6F 0FBE4E02         movsx ecx, byte ptr [esi+02]  ; ECX gets the third letter of our name
:00407F73 D1E0             shl eax, 1                    ; EAX * 2 (see notes on SHL)
:00407F75 50               push eax                      ; Put it on the stack
:00407F76 0FBE4603         movsx eax, byte ptr [esi+03]  ; EAX gets the fourth letter of our name
:00407F7A C1E102           shl ecx, 02                   ; ECX * 4
:00407F7D 51               push ecx                      ; Put it on the stack
:00407F7E B90A000000       mov ecx, 0000000A             ; ECX = A (10 in decimal)
:00407F83 99               cdq                           ; Sign-extend EAX into EDX:EAX for IDIV
:00407F84 F7F9             idiv ecx                      ; Divides EAX by ECX : EDX = remainder
:00407F86 B8A0C634FA       mov eax, FA34C6A0             ; Puts FA34C6A0 in EAX
:00407F8B 8BCA             mov ecx, edx                  ; Puts EDX in ECX (the remainder from IDIV)
:00407F8D D3E0             shl eax, cl                   ; Complicated...see my notes
:00407F8F 8D4C240C         lea ecx, dword ptr [esp+0C]   ; ECX = address of a buffer in the locals
:00407F93 50               push eax                      ; The shifted value (third wsprintfA argument)
:00407F94 68383B4100       push 00413B38                 ; Address of the format string (second argument)
:00407F99 51               push ecx                      ; The buffer (first argument)
:00407F9A FF1544114100     Call [USER32!wsprintfA]       ; What this does I have no idea
:00407FA0 8B542440         mov edx, dword ptr [esp+40]   ; But if you type
:00407FA4 83C414           add esp, 00000014             ; D ESP after this line is executed
:00407FA7 8D442404         lea eax, dword ptr [esp+04]   ; it shows you our serial
:00407FAB 52               push edx                      ; for me it's 419776270-468228
:00407FAC 50               push eax                      ; see notes
:00407FAD FF1544104100     Call [KERNEL32!lstrcmp]       ; Compare the generated string with the second argument (what we typed)
:00407FB3 F7D8             neg eax                       ; CF = 1 if lstrcmp returned non-zero (strings differ)
:00407FB5 1BC0             sbb eax, eax                  ; EAX = 0 - CF : FFFFFFFF if they differ, 0 if equal
:00407FB7 5E               pop esi                       ; Restore ESI
:00407FB8 40               inc eax                       ; EAX = 1 if the strings matched, 0 if not
:00407FB9 83C420           add esp, 00000020             ; Free the locals
:00407FBC C3               ret                           ; Back to the test eax / jz in the caller

Notes on SHL:
	SHift Logical Left.  What this really does is move the binary digits so many places to the left, which multiplies the value by two for each place (SHL EAX, CL moves EAX however many places to the left as the count in CL; this is where the binary knowledge comes in).  EAX is only 32 bits wide, so any bits pushed out past the top are lost, which is why the values in the table below stop simply doubling.

Ex.
SHL 2,0 = 2	Binary : 0010 moved 0 places = 0010
SHL 2,1 = 4	Binary : 0010 moved 1 place  = 0100

Simple.  Right.  So...
                                                     ; Binary for   F    A    3    4    C    6    A    0
:00407F86 B8A0C634FA       mov eax, FA34C6A0         ; 1111 1010 0011 0100 1100 0110 1010 0000
:00407F8B 8BCA             mov ecx, edx              ; ECX = EDX = EAX MOD 10 (the remainder from IDIV)
:00407F8D D3E0             shl eax, cl               ; Shift EAX left however many places are in CL

so FA34C6A0 SHL ECX =

ECX   Binary value                              EAX after shift   Decimal value of EAX

0     1111 1010 0011 0100 1100 0110 1010 0000   FA34C6A0          4197762720
1     1111 0100 0110 1001 1000 1101 0100 0000   F4698D40          4100558144
2     1110 1000 1101 0011 0001 1010 1000 0000   E8D31A80          3906148992
3     1101 0001 1010 0110 0011 0101 0000 0000   D1A63500          3517330688
4     1010 0011 0100 1100 0110 1010 0000 0000   A34C6A00          2739694080
5     0100 0110 1001 1000 1101 0100 0000 0000   4698D400          1184420864
6     1000 1101 0011 0001 1010 1000 0000 0000   8D31A800          2368841728
7     0001 1010 0110 0011 0101 0000 0000 0000   1A635000          0442716160
8     0011 0100 1100 0110 1010 0000 0000 0000   34C6A000          0885432320
9     0110 1001 1000 1101 0100 0000 0000 0000   698D4000          1770864640

These are 0-9 because we divided by 10, so we can't have more than 9 left, right?  I hope I make sense.  To figure this out you can use the calculator that comes with Windows (you have to put it in scientific mode, and set it to Dword so it throws away anything above 32 bits the same way the register does).  Put it in hex mode and type in FA34C6A0.  Now you can switch between binary and decimal to see the numbers I got up top.  Now go back to hex and multiply our number by 2.  You see how the numbers change and where I got the other numbers...  I hope this helps.
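As an added example (not part of the tutorial), here is a small C model of the three x86 idioms the listing leans on: the 32-bit truncating `shl eax, cl` behind the table above, the `cdq` / `idiv` signed remainder, and the `neg` / `sbb` / `inc` tail after lstrcmp.  The function names are mine; the constant FA34C6A0 comes from the listing.

```c
#include <stdint.h>

/* Model of x86 `shl eax, cl`: the count is masked to 5 bits and anything
   shifted past bit 31 is dropped, which is why the tabulated values stop
   simply doubling once the top bit falls off. */
uint32_t shl32(uint32_t eax, uint32_t cl)
{
    return eax << (cl & 0x1F);
}

/* Model of `cdq` followed by `idiv ecx`: EDX:EAX is the sign-extended
   dividend, the quotient lands in EAX (truncated toward zero) and the
   remainder in EDX (same sign as the dividend).  C's / and % on int32_t
   follow the same rules.  The real instruction faults on ecx == 0 and on
   INT32_MIN / -1; here those cases return both registers as 0. */
typedef struct { int32_t eax; int32_t edx; } regs_t;

regs_t cdq_idiv(int32_t eax, int32_t ecx)
{
    regs_t r = { 0, 0 };
    if (ecx == 0 || (eax == INT32_MIN && ecx == -1))
        return r;
    r.eax = eax / ecx;
    r.edx = eax % ecx;
    return r;
}

/* Model of the `neg eax / sbb eax,eax / inc eax` tail after lstrcmp: neg
   sets CF exactly when EAX was non-zero, sbb eax,eax then leaves 0 - CF
   (all ones or all zeros), and inc turns that into 1 when the two strings
   compared equal and 0 when they differed. */
uint32_t neg_sbb_inc(uint32_t eax)
{
    uint32_t cf = (eax != 0) ? 1u : 0u;  /* carry flag left by neg */
    eax = 0u - cf;                       /* sbb eax, eax */
    return eax + 1u;                     /* inc eax */
}

/* Fill out[] with the ten EAX values the tutorial tabulates for ECX = 0..9:
   FA34C6A0 (from the listing) shifted left by the remainder of the division. */
void shift_table(uint32_t out[10])
{
    for (int n = 0; n < 10; n++)
        out[n] = shl32(0xFA34C6A0u, (uint32_t)n);
}
```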

Notes on the serial
Mine is 419776270-468228.
Hmmm...
The ASCII value for 'd' is 100.  100 MOD 10 (line 00407F84) is 0.
0 = 419776270
That's the first part of the keygen.
Then '-'.
Cool, so we have 41977627-
468?....remember when it took the third char in our name times 4 (00407F7A)?
The ASCII value of 'u' is 117.  117 * 4 = 468.
Now we got 41977627-468.
And the 2nd char in our name times 2 (00407F73), so...
The ASCII value of 'r' = 114.  114*2 = 228.
And we have our serial...woohoo
41977627-468228


Pascal code for keygen
----------------------

Program Crudd;
Uses
    Crt;

Var
   A : Integer;
   B : Integer;
   C : Integer;
   Name : String;
   Bob : String[10];

Begin
  Clrscr;
  Writeln('Net Spy 1.4 Keygen by Crudd');
  Write('Enter your name : ');
  Readln(Name);
  { The program rejects names shorter than 4 chars (see 00407F5F),
    and Name[2..4] would be garbage for a shorter name anyway }
  if Length(Name) < 4 then
  begin
    Writeln('Name must be at least 4 characters long');
    Halt(1);
  end;
  A := ord(Name[2])*2;       { second char times 2  (00407F73) }
  B := ord(Name[3])*4;       { third char times 4   (00407F7A) }
  C := ord(Name[4]) mod 10;  { fourth char mod 10   (00407F84) }
  { FA34C6A0 shifted left C places, truncated to 32 bits (see the table) }
  case C of
    0 : Bob := '4197762720';
    1 : Bob := '4100558144';
    2 : Bob := '3906148992';
    3 : Bob := '3517330688';
    4 : Bob := '2739694080';
    5 : Bob := '1184420864';
    6 : Bob := '2368841728';
    7 : Bob := '0442716160';
    8 : Bob := '0885432320';
    9 : Bob := '1770864640';
  end;

  Writeln('Serial Number : ',Bob,'-',B,A);
  Writeln('Crudd[TeX] 1999');
End.

-------------
If anyone has any questions about this or anything else, feel free to email me and I'll see if I can help....CruddFLife@netzero.net

I hope this helped everyone out....
Greets to : L!M!T and all of [TeX], REaP, and everyone who has helped me along the way...
Peace
Crudd