
		  Recette 99 v3.1.1
   
   Retrieving a valid serial and algorithm explained.

		          by
                 
		        L!M!T 

		  [The Exterminators]

		      April 1999
                
-------------------------------------------------------------
Program info for Recette 99:

Available @    :    http://www.infradev.com/recette/
Size           :    2.3 Mb
Language       :    Swedish

Tutorial level :    Easy
-------------------------------------------------------------
Tools used:

SmartCheck v6.01

-------------------------------------------------------------


The First Encounter
-------------------
Recette is a recipe database program that contains 150 complete
dinners together with drinks. You can search for a dinner
using the search criteria ingredients, cooking time and name.

When you start it up, you'll see a splash screen and then a screen 
will appear saying that this proggy is shareware, and you should 
register it. Anyway, push the middle button, with the text 
'Jag accepterar...' and you are allowed to try it out for 20 days.

Ok, now push the 'Registrera!' menu and a dialog box appears where
you are supposed to enter your name and your password. Do so and
press enter. Oh no... Our password was invalid! Well... We're
gonna solve that one now.


The Dissecting
--------------
Close Recette down and start SmartCheck up. Once started, open 
Recette.exe and push F5 to get the show running. Now, do the same
thing again... press 'Jag accepterar...', push the 'Registrera!'
menu and enter L!M!T [TEX] as your name and 1212 as your bogus 
password. Now, you should be at the messagebox telling you that 
it was wrong. Return to Smartcheck.

Check that 'Show Errors and specific events' is checked under the
'View' menu in Smartcheck. If it isn't, then check it.
The left pane in Smartcheck shows the program thread; it's here 
you'll see what actions are executed. What has happened while we 
were starting Recette and trying to register it? Let's see...

Extract from Smartcheck:

........     Thread 0 [thread id:4290937205 (0xFFC28175)]
........     Event reporting....
........     ............................... [snipped]
........     ............................... [snipped]
........     frmSplash (Form) created
........ [+] frmSplash_Load
........     ............................... [snipped]
........     ............................... [snipped]
........     Huvud (MDIForm) created
........     ............................... [snipped]
........     ............................... [snipped]
........ [+] Huvud_Load
........     ............................... [snipped]
........     ............................... [snipped]
........ [+] mnuREG_Click 
........ [+] Command1_Click

*EOF*

This is the thread, or the 'flow' of the program. We can see
what happened when we clicked the 'Jag accepterar...' button,
when we clicked the 'Registrera!' menu and most important,
what happened when we clicked the 'Ok' button at the register
window! So... click the plus sign next to the Command1_Click
procedure.

Extract from Smartcheck:

........     text1.Text
........     text2.Text
........     Len(String"1212") returns LONG:4
........     text1.Text
........ (1) UCase$(String:"L!M!T [TEX]")
........     ............................... [snipped]
........     ............................... [snipped]
........ (2) Mid(VARIANT:String:"L!M!T [TEX]", long:6, long:1073741823, VARIANT:String:"A")
........     ............................... [snipped]
........     ............................... [snipped]
........ (3) Left$(String:"L!M!TA[TEX]", long:10)
........     Integer (0) --> String ("0")
........     Integer (1) --> Long (1)
........ (4) Mid$(String:"L!M!TA[TEX", long:1, VARIANT:Missing)
........ (5) Asc(String:"L!M!TA[TEX"), returns Integer:76
........ (6) Mid$(String:"L!M!TA[TEX", long:1, VARIANT:Missing)
........ (7) Asc(String:"L!M!TA[TEX"), returns Integer:76
........     ............................... [snipped]
........ (8) Double (5776) --> String ("5776")
........     Integer (2) --> Long (2)
........ (9) Mid$(String:"L!M!TA[TEX", long:2, VARIANT:Missing)
........(10) Asc(String:"!M!TA[TEX") returns Integer:33
........(11) Mid$(String:"L!M!TA[TEX", long:1, VARIANT:Missing)
........(12) Asc(String:"L!M!TA[TEX") returns Integer:76 
........(13) String ("5776") --> Double (5776)
........(14) Double (8284) --> String ("8284")
........     ............................... [snipped]
........     ............................... [snipped]
........     ............................... [snipped]

*EOF*

This is the calculation routine for the password. The snippet you
see above covers the first two characters in your name. There are
actually a lot more lines, but these are enough to explain
the algorithm, so to spare your eyes we'll end the calculation
routine snippets here. Ok, match the numbered positions in the trace
against my explanations below. Here we go:

(1) UCase$(String:"L!M!T [TEX]")
    Convert the whole string (your username) to UPPERCASE.

(2) Mid(VARIANT:String:"L!M!T [TEX]", long:6...    
    Check the string for any spaces. If there are any, replace
    those with capital A. (L!M!T [TEX] = L!M!TA[TEX])

(3) Left$(String:"L!M!TA[TEX]", long:10)
    Keep the leftmost 10 chars of the string. (L!M!TA[TEX)
    This trims your username to 10 characters
    (e.g. EXTERMINATORS = EXTERMINAT)

(4) Mid$(String:"L!M!TA[TEX", long:1, VARIANT:Missing)
    Take the first character (long:1) and

(5) Asc(String:"L!M!TA[TEX") returns Integer:76
    get the ASCII value for it (returns Integer:76)

(6) Repeat step 4
(7) Repeat step 5

(8) Double (5776) --> String ("5776")
    The result of ASCII value of char 1 * ASCII value of char 1
    (76 * 76 = 5776)

(9) Mid$(String:"L!M!TA[TEX", long:2, VARIANT:Missing)
    Take the second character (long:2) and

(10) Asc("!M!TA[TEX") returns Integer:33
     get the ASCII value for it (returns Integer:33)

(11) Mid$(String:"L!M!TA[TEX", long:1, VARIANT:Missing)
     Step 4 repeated...

(12) Asc(String:"L!M!TA[TEX") returns Integer:76
     Step 5 repeated

(13) String ("5776") --> Double (5776)
     Convert string 5776 to double value

(14) Double (8284) --> String ("8284")
     Convert double value 8284 to a string. This is the running
     sum: 5776 + 33 * 76 = 8284

All these steps are executed for the entire username, after it has
been trimmed down to 10 chars and every space in it (if there are
any) has been replaced with A. The result of each new multiplication
is added to the sum of the prior multiplications, ending in the final
sum, also known as our password. You can see this comparison further
down in the thread listing. Your bogus password (1212) will be compared
to the correct one just before the messagebox appears. Just step
down to the end of the 'Command1_Click' routine and you can see the
correct password being compared to our bogus one.


The Algorithm
-------------
Actually, you've already seen it. It's there, above this text. 
Here I'll explain the algorithm in words.

Take the entire username and convert it to uppercase.
Replace any spaces with A.

* This one is new;
If the length of the username is less than 10, append
the string to itself so that it reaches 10 chars.
I.e. (MR USA = MRAUSAMRUS)
We didn't see this before 'coz our username was 11 chars.

The common thread running through the entire algorithm is the
ASCII value for char number 1 in the username.
This ASCII value is multiplied by itself, then it's
multiplied by the ASCII values of the other chars.

Like this;

ASCII value char 1 = x
ASCII value char 2 = x2
ASCII value char 3 = x3
.......................
.......................
ASCII value char 10 = x10

--------------------------

Sum of x * x   = Sum1
Sum of x * x2  = Sum2
Sum of x * x3  = Sum3
.....................
.....................
Sum of x * x10 = Sum10

--------------------------

The password calculation

Password = Sum1 + Sum2 + Sum3 + Sum4 + Sum5 + Sum6 + Sum7 + Sum8 + Sum9 + Sum10

Done. We've just retrieved our valid serial and we've dissected the algorithm...
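
The trace above shows what this check depends on: the client computes the correct password from the name and compares it in the clear. As an added example (not part of the original tutorial or of Recette), the Python sketch below shows a registration check in which the client only verifies a signature with a public key, so none of the values it computes is a valid serial. The key is a constructed toy textbook-RSA key without padding and every function name is hypothetical; a real product would use a vetted signature library and keep issue_license on the vendor's machine.

```python
import hashlib

# Constructed toy key built from two Mersenne primes: demonstration only,
# far too small and too structured for real use.
_P, _Q = 2**61 - 1, 2**89 - 1
N, E = _P * _Q, 65537                     # public half, shipped in the client
_D = pow(E, -1, (_P - 1) * (_Q - 1))      # private half, never leaves the vendor


def _digest(name: str) -> int:
    """Hash the registered name (case-insensitive) to an integer below N."""
    h = hashlib.sha256(name.upper().encode("utf-8")).digest()
    return int.from_bytes(h, "big") % N


def issue_license(name: str) -> int:
    """Vendor side only: sign the name digest with the private exponent."""
    return pow(_digest(name), _D, N)


def verify_license(name: str, serial: int, trace=None) -> bool:
    """Client side: needs only (N, E).

    `trace`, if given, receives every intermediate value computed here,
    standing in for what an API tracer would display.
    """
    if not 0 <= serial < N:
        return False
    expected = _digest(name)              # derived from the name, not secret
    recovered = pow(serial, E, N)         # derived from the entered serial
    if trace is not None:
        trace.extend([expected, recovered])
    return recovered == expected


if __name__ == "__main__":
    name = "L!M!T [TEX]"
    good = issue_license(name)
    seen = []
    print("bogus accepted:", verify_license(name, 1212, seen))
    print("valid serial visible in trace:", good in seen)
    print("issued serial accepted:", verify_license(name, good))
```
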



Final words
-----------
Try to enter a space as username and click OK...
You could also change to the 'Show All Events' in the 'View' menu in
Smartcheck to expand your view...
Fool around a bit with it and try different usernames etc. to
see what happens and how the prog reacts...




'Knowledge is neither given nor taken. It is earned.'

Regards,

L!M!T [TEX]
