Recette 99 v3.1.1
Retrieving a valid serial and algorithm explained.

by L!M!T [The Exterminators]
April 1999

-------------------------------------------------------------
Program info for Recette 99:
  Available @    : http://www.infradev.com/recette/
  Size           : 2.3 Mb
  Language       : Swedish
  Tutorial level : Easy
-------------------------------------------------------------
Tools used: SmartCheck v6.01
-------------------------------------------------------------

The First Encounter
-------------------

Recette is a recipe database program that contains 150 complete dinners together with drinks. You can search for a dinner using the search criteria ingredients, cooking time and name.

When you start it up, you'll see a splash screen and then a screen saying that this proggy is shareware and that you should register it. Anyway, push the middle button, the one with the text 'Jag accepterar...', and you are allowed to try it out for 20 days.

Ok, now open the 'Registrera!' menu and a dialog box appears where you are supposed to enter your name and your password. Do so and press enter. Oh no... Our password was invalid! Well... We're gonna solve that one now.

The Dissecting
--------------

Close Recette down and start SmartCheck up. Once started, open Recette.exe and push F5 to get the show running. Now do the same thing again: press 'Jag accepterar...', open the 'Registrera!' menu and enter L!M!T [TEX] as your name and 1212 as your bogus password. Now you should be at the message box telling you that it was wrong. Return to SmartCheck.

Check that 'Show Errors and specific events' is checked under the 'View' menu in SmartCheck. If it isn't, check it. The left pane in SmartCheck shows the program thread; it's here you'll see which actions are executed. What has happened while we were starting Recette and trying to register it? Let's see...

Draft from SmartCheck:

  Thread 0 [thread id:4290937205 (0xFFC28175)]
  Event reporting....
  [snipped]
  [snipped]
  frmSplash (Form) created
  [+] frmSplash_Load
  [snipped]
  [snipped]
  Huvud (MDIForm) created
  [snipped]
  [snipped]
  [+] Huvud_Load
  [snipped]
  [snipped]
  [+] mnuREG_Click
  [+] Command1_Click
  *EOF*

This is the thread, or the 'flow', of the program. We can see what happened when we clicked the 'Jag accepterar...' button, when we clicked the 'Registrera!' menu and, most important, what happened when we clicked the 'Ok' button in the register window! So... click the plus sign next to the Command1_Click procedure.

Draft from SmartCheck:

  text1.Text
  text2.Text
  Len(String:"1212") returns LONG:4
  text1.Text
  (1) UCase$(String:"L!M!T [TEX]")
  [snipped]
  [snipped]
  (2) Mid(VARIANT:String:"L!M!T [TEX]", long:6, long:1073741823, VARIANT:String:"A")
  [snipped]
  [snipped]
  (3) Left$(String:"L!M!TA[TEX]", long:10)
  Integer (0) --> String ("0")
  Integer (1) --> Long (1)
  (4) Mid$(String:"L!M!TA[TEX", long:1, VARIANT:Missing)
  (5) Asc(String:"L!M!TA[TEX") returns Integer:76
  (6) Mid$(String:"L!M!TA[TEX", long:1, VARIANT:Missing)
  (7) Asc(String:"L!M!TA[TEX") returns Integer:76
  [snipped]
  (8) Double (5776) --> String ("5776")
  Integer (2) --> Long (2)
  (9) Mid$(String:"L!M!TA[TEX", long:2, VARIANT:Missing)
  (10) Asc(String:"!M!TA[TEX") returns Integer:33
  (11) Mid$(String:"L!M!TA[TEX", long:1, VARIANT:Missing)
  (12) Asc(String:"L!M!TA[TEX") returns Integer:76
  (13) String ("5776") --> Double (5776)
  (14) Double (8284) --> String ("8284")
  [snipped]
  [snipped]
  [snipped]
  *EOF*

This is the calculation routine for the password. The snippet above covers the first two characters of your name. There are actually a lot more lines, but these are enough to explain the algorithm, so to spare your eyes we'll end the calculation routine snippets here.

Ok, check the positions in the code and my explanations of them. Here we go:

(1) UCase$(String:"L!M!T [TEX]")
    Convert the whole string (your username) to UPPERCASE.

(2) Mid(VARIANT:String:"L!M!T [TEX]", long:6, ...
    Check the string for any spaces. If there are any, replace them with a capital A. (L!M!T [TEX] = L!M!TA[TEX])

(3) Left$(String:"L!M!TA[TEX]", long:10)
    Keep the 10 leftmost chars of the string. (L!M!TA[TEX) This trims the length of your username to 10 characters (i.e. EXTERMINATORS = EXTERMINAT).

(4) Mid$(String:"L!M!TA[TEX", long:1, VARIANT:Missing)
    Take the first character (long:1) and

(5) Asc(String:"L!M!TA[TEX") returns Integer:76
    get the ASCII value for it (returns Integer:76).

(6) Repeat step 4.

(7) Repeat step 5.

(8) Double (5776) --> String ("5776")
    The result of ASCII value of char 1 * ASCII value of char 1 (76 * 76 = 5776).

(9) Mid$(String:"L!M!TA[TEX", long:2, VARIANT:Missing)
    Take the second character (long:2) and

(10) Asc(String:"!M!TA[TEX") returns Integer:33
    get the ASCII value for it (returns Integer:33).

(11) Mid$(String:"L!M!TA[TEX", long:1, VARIANT:Missing)
    Step 4 repeated...
(12) Asc(String:"L!M!TA[TEX") returns Integer:76
    Step 5 repeated.

(13) String ("5776") --> Double (5776)
    Convert the string 5776 to a double value.

(14) Double (8284) --> String ("8284")
    Convert the double value 8284 to a string. (5776 + 76 * 33 = 8284: the running sum after the second character.)

All these steps are executed for the entire username, after it has been trimmed down to 10 chars and every space in the username (if there are any) has been replaced with A. Each new product is added to the sum of the previous products, ending in the final sum, also known as our password. You can see this comparison further down in the thread listing. Your bogus password (1212) is compared to the correct one just before the message box appears. Just step down to the end of the 'Command1_Click' routine and you can see the correct password being compared to our bogus one.

The Algorithm
-------------

Actually, you have already seen it. It's there, above this text. Here I'll explain the algorithm in words.

Take the entire username and convert it to uppercase. Replace all spaces, if any, with A.

* This one is new: if the length of the username is less than 10, the string is copied onto itself so it meets this demand, and the first 10 chars are kept. I.e. (MR USA = MRAUSAMRUS). We didn't see this before 'coz our username was 11 chars.

The red line running through the entire algorithm is the ASCII value of char number 1 in the username. This ASCII value is multiplied with itself, then it's multiplied with the ASCII values of the other chars. Like this:

  ASCII value char 1  = x
  ASCII value char 2  = x2
  ASCII value char 3  = x3
  .......................
  .......................
  ASCII value char 10 = x10
  --------------------------
  x * x   = Sum1
  x * x2  = Sum2
  x * x3  = Sum3
  .....................
  .....................
  x * x10 = Sum10
  --------------------------
  The password calculation:
  Password = Sum1 + Sum2 + Sum3 + Sum4 + Sum5 + Sum6 + Sum7 + Sum8 + Sum9 + Sum10

Done. We've just retrieved our valid serial and we've dissected the algorithm...
Final words
-----------

Try to enter a space as username and click OK... You could also switch to 'Show All Events' in the 'View' menu in SmartCheck to expand your view... Fool around a bit with it and try different usernames etc. to see what happens and how the prog reacts...

'Knowledge is neither given nor taken. It is earned.'

Regards,
L!M!T [TEX]