Program:
	Sentry 98

Description:
	Sentry is a security tool for creating user profiles in Win9x; it does not let anyone who is
	not in its database log on to Windows, shutting the machine down as soon as an unauthorized
	person has logged on.

Type of Protection:
	It has a 30 day restriction of use; it also has the possibility to enter a serial number
	from the help menu.

Author:
	Tha Crow

Level:
	Very newbie

Tools used:
	w32dasm
	softice

Background Information:
	Upon registration, Sentry saves a key in the registry under \HKEY_LOCAL_MACHINE\Software\Sahalie\
	Crowd Control\ with the name License, holding the license number you entered. So creating a
	patch to skip the serial compare after you select register on the help menu would lead us to
	also patch the start of sentry98, where it checks the license number from the registry. That
	leaves us with a second solution, the license number calculation, which after all is REALLY simple.
	i hope that the other passwords it stores have such a simple algo to encrypt them :\

Hands to work:

	Before entering softice and starting to debug, i like to search for some text around the disassembled file; this makes us much more code aware and leads us closer to the algo or check that it does. So, open w32dasm, and load the file.
	I used "license" as the search string and found lots of references, but the important one was "Enter license, which is issued upon purchase"; this is the text that appeared in the text box that asks for the registration number.
	I usually look for some well known functions nearby, to use them when i need softice to break, but in that code none was showing. Well, let's try the most known ones; at least i know how the code looks when i break into softice and put some breakpoints.
	SURPRISE!!!! None of the known functions work, not even hmemcpy. Damn, i have to find a function call near that code to break into softice!!!
	Well, after following some calls, i noticed it uses muldiv; let's give it a try.
	Run sentry98, press ctrl+d to enter softice and type bpx muldiv, then go and register it. Right after you press the register menu, softice breaks; press F11 & F5 11 times (he calls muldiv often :)) ). On the 11th, keep pressing F10 until the msg box for you to enter the license appears. After you type something (i always use something simple like 1234567890), you will be back in softice, and you'll see something like this:

00452E89                 mov     edx, eax
00452E8B                 mov     ecx, esi
00452E8D                 mov     eax, edi
00452E8F                 mov     esi, [eax]
00452E91                 call    dword ptr [esi+80h]

Keep pressing F10 until you return; afterwards you'll see this:

0048B136                 test    al, al 	
0048B138                 jz      loc_48B273
0048B13E                 mov     eax, [ebp+var_10]
0048B141                 call    sub_48B588      <--- Algo routine
0048B146                 test    al, al		 <--- Test if it is the right serial
0048B148                 jz      loc_48B21D	 <--- Jump if bad serial entered
0048B14E                 mov     [ebp+var_1], 1


After analysing the disassembled exe, we see that this last jz leads us to the bad proc, because it starts loading all the unwanted text that we see when we enter a wrong serial!!! So the calculation routine is inside that call to 48b588.
Of course you should always put some breakpoints on the code; i found that everyone has his own way of using breakpoints, so use them as you wish, but they have to break along the code appearing here!
Continuing, you then need to enter that call; by pressing t or F8 you'll enter something like this:

0048B588                 push    ebp
0048B589                 mov     ebp, esp
0048B58B                 add     esp, 0FFFFFFF8h
0048B58E                 push    ebx
0048B58F                 xor     edx, edx

This is how the procedure begins; it is just getting ready to make a call, judging by the way it pushes registers, and it also clears edx! All the following calls are merely checks: it counts the length of your serial and bails out if it is less than 4 digits, then it looks for any letters or spaces (no alphabetical chars allowed and no spaces), and finally comes the calculation. To get to the calculation routine follow these steps:

F10 through the procedure until you find this piece:

0048B5BB                 lea     edx, [ebp+var_8]
0048B5BE                 mov     eax, [ebp+var_4] <- your serial!
0048B5C1                 call    sub_48B470

Then enter that call!
Keep pressing F10 step by step until you see this!
This is the algo routine!!
Let's analyse!

0048B4D4                 mov     eax, 2			<- Loads eax with the value of 2

0048B4D9                 mov     edx, [ebp+var_10]	<- puts in edx the first 4 digits of your serial
0048B4DC                 xor     ebx, ebx		<- cleans ebx
0048B4DE                 mov     bl, [edx+eax-1]	<- puts in bl the second digit (eax=2, so digit number 2)
0048B4E2                 add     esi, ebx		<- adds ebx to esi (the first time esi=0)
0048B4E4                 inc     eax			<- next digit (increments eax)
0048B4E5                 cmp     eax, 5			<- compares eax with 5
0048B4E8                 jnz     short loc_48B4D9	<- if not equal, jumps back to 0048b4d9

	This routine is very simple: it adds the 2nd, 3rd and 4th digits, using the decimal value of the corresponding ASCII code. So if your serial is 123456, this routine will add the ASCII values of 2, 3 and 4:
	the ASCII of 2 is 50, of 3 is 51 and of 4 is 52, so we'll have 153 as the result.

0048B4EA                 lea     esi, [esi+ebx+5]	<- here it loads esi with esi+ebx+5
0048B4EE                 mov     ebx, esi

	This is the last part of the algo. It just adds to esi (remember it holds 153 for now) the value of ebx, which still holds the 4th char, plus 5. The 4th char is the number 4, whose ASCII value is 52, so 153+52+5 = 210.

	i found the algorithm routine partly by watching the disassembly and partly by watching the register contents in softice (always look at the contents of the registers, be curious!). i usually use 1234567890 as the serial for testing purposes, so when i saw a register holding the number 1234210 i found it weird, as it isn't my usual number. i kept looking around, and it compares my number with this one; well, that was the correct serial!

	So the keygen will be very simple; let's see it like this:

	4 letter word:
	abcd
	make the calculation (on the ASCII values):
	(b+c+d)+d+5
	then just put together the first 4 numbers and this result!

	Below is the source code in C for the keygen. This was a very simple algorithm; there are a lot worse ones!!!! (i've seen some)
	Oh, and if you plan on using this soft for more than 30 days, buy it ok!

----------------------------------------------------------------------------------------------------
		Sentry 98 Keygen.c
----------------------------------------------------------------------------------------------------

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

int main(void)
{
	char num[64];		/* room for the 4 digits, the newline and the terminator */
	int length, i;
	unsigned long number;

	printf("**********************************\n");
	printf("*      Sentry 98 Keygen By       *\n");
	printf("* ThA CRoW featuring Brandon Lee *\n");
	printf("**********************************\n");

	printf("Choose 4 Numbers: ");
	/* bounded read instead of gets(), which cannot be told the buffer size */
	if(fgets(num, sizeof num, stdin) == NULL)
		return 1;
	num[strcspn(num, "\r\n")] = '\0';	/* strip the trailing newline */

	length = strlen(num);
	if(length != 4){
		printf("I TOLD you just 4 numbers\n");
		exit(0);
	}
	/* the check routine rejects letters and spaces, so do the same here */
	for(i=0; i<length; i++) {
		if(!isdigit((unsigned char)num[i])){
			printf("Digits only\n");
			exit(0);
		}
	}

	/* (b+c+d): add the ASCII values of the 2nd, 3rd and 4th digits */
	number = 0;
	for(i=1; i<length; i++) {
		number = number + num[i];
	}
	/* +d+5: the 4th digit is added once more, plus 5 */
	number = number + num[i-1] + 5;

	/* the serial is the 4 digits followed by the computed number, e.g. 1234210 */
	printf("Serial: %s%lu\n", num, number);
	return 0;
}

----------------------------------------------------------------------------------------------------

Greetings to all crackers out there.