Program: Sentry 98

Description: Sentry is a security tool for creating user profiles on Win9x. Anyone who is not in its database is not allowed to log on to Windows: it shuts the machine down as soon as an unauthorized person has logged on.

Type of Protection: 30-day restriction of use, plus the possibility of entering a serial number from the Help menu.

Author: Tha Crow

Level: Very newbie

Tools used: w32dasm, softice

Background Information: Upon registration, Sentry saves a value named License under HKEY_LOCAL_MACHINE\Software\Sahalie\Crowd Control\ in the registry, containing the license number you entered. So a patch that skips the serial compare after you select Register on the Help menu would also force us to patch the startup of Sentry 98, where it checks the license number it reads back from the registry. That leaves us with the second solution: working out the license number calculation, which after all is REALLY simple. I hope the other passwords it stores have an equally simple algorithm to encrypt them :\

Hands to work: Before entering softice and starting to debug, I like to search for text strings in the disassembled file. This makes us much more aware of the code and leads us closer to the algorithm or the check the program does. So open w32dasm and load the file. I searched for "license" and found lots of references, but the important one was "Enter license, which is issued upon purchase": this is the text that appears in the dialog box that asks for the registration number. I usually look for some well-known functions near that code, to use them when I need softice to break, but in this code none showed up. Well, let's try the most common ones; at least I know how the code looks when I break into softice and set some breakpoints. SURPRISE!!!! None of the known functions work, not even hmemcpy. Damn, I have to find a function call near that code to break into softice!!! Well, after following some calls I noticed it uses MulDiv; let's give it a try.
Run Sentry 98, press Ctrl+D to enter softice and type bpx muldiv, then go and register it. Right after you select the Register menu item, softice breaks. Press F11 and then F5, eleven times in total (it calls MulDiv often :)) ). On the 11th break, keep pressing F10 until the message box asking you to enter the license appears. Type something in (I always use something simple like 1234567890) and you will be back in softice, where you'll see something like this:

00452E89 mov edx, eax
00452E8B mov ecx, esi
00452E8D mov eax, edi
00452E8F mov esi, [eax]
00452E91 call dword ptr [esi+80h]

Keep pressing F10 until you return, after which you'll see this:

0048B136 test al, al
0048B138 jz loc_48B273
0048B13E mov eax, [ebp+var_10]
0048B141 call sub_48B588        <--- Algo routine
0048B146 test al, al            <--- Test if it is the right serial
0048B148 jz loc_48B21D          <--- Jump if bad serial entered
0048B14E mov [ebp+var_1], 1

Analysing the disassembled exe, we see that this last jz leads to the bad-serial code, because it starts loading all the unwanted text we see when we enter a wrong serial!!! So the calculation routine is inside that call to 48B588. Of course you should always set some breakpoints on this code; everyone has their own way of using breakpoints, so use them as you wish, but they have to break along the code shown here! Next you need to enter that call by pressing T or F8, and you'll land in something like this:

0048B588 push ebp
0048B589 mov ebp, esp
0048B58B add esp, 0FFFFFFF8h
0048B58E push ebx
0048B58F xor edx, edx

This is how the procedure begins: it sets up its stack frame (push ebp / mov ebp, esp, then add esp, -8 to reserve two local variables), saves ebx, and clears edx! The calls that follow are merely checks: they count the length of your serial and bail out if it is shorter than 4 characters, then they scan the characters, allowing no alphabetic characters and no spaces, and finally comes the calculation.
To get to the calculation routine follow these steps: F10 through the procedure until you find this piece:

0048B5BB lea edx, [ebp+var_8]
0048B5BE mov eax, [ebp+var_4]        <- your serial!
0048B5C1 call sub_48B470

Enter that call and keep pressing F10 step by step until you see this. This is the algo routine!! Let's analyse!

0048B4D4 mov eax, 2                  <- loads eax with 2 (the 1-based position of the digit to read)
0048B4D9 mov edx, [ebp+var_10]       <- puts in edx the pointer to your serial (only its first 4 digits are used)
0048B4DC xor ebx, ebx                <- clears ebx
0048B4DE mov bl, [edx+eax-1]         <- puts the digit at position eax in bl (the second digit on the first pass)
0048B4E2 add esi, ebx                <- adds ebx to esi (on the first pass esi=0)
0048B4E4 inc eax                     <- next digit (increments eax)
0048B4E5 cmp eax, 5                  <- compares eax with 5
0048B4E8 jnz short loc_48B4D9        <- if not equal, jumps back to 0048B4D9

This routine is very simple: it adds up the ASCII codes of the 2nd, 3rd and 4th digits (the loop body runs for eax = 2, 3 and 4). So if your serial is 123456, this routine adds the ASCII values of 2, 3 and 4: the ASCII code of 2 is 50, 3 is 51 and 4 is 52, so we get 153 as the result.

0048B4EA lea esi, [esi+ebx+5]        <- loads esi with esi+ebx+5
0048B4EE mov ebx, esi

This is the last part of the algo: it adds to esi (remember, it holds 153 by now) the value of ebx, which still holds the 4th character, plus 5. The 4th character is the digit 4, whose ASCII value is 52, so 153+52+5 = 210.

I found the algorithm routine partly by reading the disassembly and partly by watching the register contents in softice (always look at what the registers hold, be curious!). I usually use 1234567890 as the serial for testing, so when I saw a register holding the number 1234210 I found it weird, as it isn't my usual number. I kept looking around, and the program compares my number with this one: that was the correct serial! So the keygen will be very simple; let's see it like this. Take a 4-digit word: abcd. Compute (b+c+d)+d+5 on the ASCII codes, then just put the first 4 digits and this result together!
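The loop at 0048B4D4 and the lea that follows it, transcribed register-for-register into C, together with the checks the tutorial describes in front of it. This is an added example, not code from the original tutorial or from Sentry 98; the function names are mine, and sentry_check is a model of the comparison (digits only, then the entered serial must equal the 4-digit prefix followed by the decimal checksum, which is how the 1234210 value seen in the register is formed) rather than a transcription of the program's own compare code.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * The loop at 0048B4D4..0048B4E8 followed by the lea at 0048B4EA, in C.
 * `serial` must hold at least 4 characters: the routine is only reached
 * after the length check. Positions are 1-based like the eax counter.
 */
unsigned int sentry_checksum(const char *serial)
{
    unsigned int esi = 0;       /* running sum, zero on entry */
    unsigned char bl = 0;       /* last byte loaded by mov bl, [edx+eax-1] */

    for (unsigned int eax = 2; eax != 5; eax++) {   /* digits 2, 3 and 4 */
        bl = (unsigned char)serial[eax - 1];
        esi += bl;
    }
    return esi + bl + 5;        /* lea esi, [esi+ebx+5]: 4th digit again, plus 5 */
}

/*
 * Keygen (assumed serial layout): 4-digit prefix followed by the checksum
 * in decimal. Returns 0 on success, -1 if the prefix is not exactly 4
 * digits or `out` is too small.
 */
int sentry_keygen(const char *prefix, char *out, size_t outlen)
{
    if (strlen(prefix) != 4)
        return -1;
    for (int i = 0; i < 4; i++)
        if (!isdigit((unsigned char)prefix[i]))
            return -1;
    int n = snprintf(out, outlen, "%s%u", prefix, sentry_checksum(prefix));
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Same thing with a static buffer for one-off calls (not reentrant). */
const char *sentry_serial(const char *prefix)
{
    static char buf[16];
    return sentry_keygen(prefix, buf, sizeof buf) == 0 ? buf : NULL;
}

/*
 * Model (assumption) of the check: at least 4 characters, no letters and
 * no spaces (modelled as digits only), then the entered serial must equal
 * prefix + checksum(prefix). Returns 1 if the serial would be accepted.
 */
int sentry_check(const char *serial)
{
    size_t len = strlen(serial);
    if (len < 4)
        return 0;
    for (size_t i = 0; i < len; i++)
        if (!isdigit((unsigned char)serial[i]))
            return 0;

    char prefix[5], expected[16];
    memcpy(prefix, serial, 4);
    prefix[4] = '\0';
    if (sentry_keygen(prefix, expected, sizeof expected) != 0)
        return 0;
    return strcmp(serial, expected) == 0;
}

int main(void)
{
    const char *prefixes[] = { "1234", "0000", "9999" };   /* constructed inputs */
    for (size_t i = 0; i < sizeof prefixes / sizeof prefixes[0]; i++) {
        const char *s = sentry_serial(prefixes[i]);
        printf("prefix %s -> serial %s (accepted: %d)\n", prefixes[i], s, sentry_check(s));
    }
    /* the value typed during the softice session is rejected, as in the tutorial */
    printf("1234567890 accepted: %d\n", sentry_check("1234567890"));
    return 0;
}
```

Because the sum is over ASCII codes, the checksum of any 4-digit prefix lies between 197 ("0000") and 233 ("9999"), which is why the generated serials are always seven digits long.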
Below is the source code in C for the keygen. This was a very simple algorithm; there are a lot worse ones!!!! (I've seen some.) Oh, and if you plan on using this software for more than 30 days, buy it, ok!

----------------------------------------------------------------------------------------------------
Sentry 98 Keygen.c
----------------------------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(void)
{
    char num[16];
    int length, i;
    unsigned long number;

    printf("**********************************\n");
    printf("* Sentry 98 Keygen By            *\n");
    printf("* ThA CRoW featuring Brandon Lee *\n");
    printf("**********************************\n");
    printf("Choose 4 Numbers: ");

    /* fgets instead of gets(): gets() has no bounds check and overflows num */
    if (fgets(num, sizeof num, stdin) == NULL)
        return 1;
    num[strcspn(num, "\r\n")] = '\0';      /* strip the newline */

    length = strlen(num);
    if (length != 4) {
        printf("I TOLD you just 4 numbers\n");
        exit(0);
    }
    for (i = 0; i < length; i++) {        /* the program allows no letters or spaces */
        if (num[i] < '0' || num[i] > '9') {
            printf("Digits only\n");
            exit(0);
        }
    }

    /* add the ASCII codes of digits 2, 3 and 4 ... */
    number = 0;
    for (i = 1; i < length; i++)
        number = number + num[i];
    /* ... then the 4th digit once more, plus 5 */
    number = number + num[i - 1] + 5;

    printf("Serial: %s%lu\n", num, number);
    return 0;
}
----------------------------------------------------------------------------------------------------

Greetings to all crackers out there.