
fravia's Javascript section ~ Help

Fravia's Nofrill Web design (1998)

Updated 25 January 1998

SOME HELP (for the "easy" entrance)

Many among you have emailed me claiming that there are far too many possible solutions for the "easy entrance" to the advanced javascript pages. I decided to give you some more hints, albeit I don't believe they are really that necessary...

Here follow some examples: a letter by Jean Flynn, who worked correctly in finding out the 'obligatory' last letters of the password, yet failed in the 'reducing' part of the crack, and an email by Tristan, who worked correctly in calculating the password length (10 characters, the first one irrelevant for the code part) but failed miserably in his 'flair' for the correct name (+ORC wrote that good crackers should study more rhetoric/semantics and less math and programming :-)

Anyway, here you go...
 

Caveat
Some readers have expressly asked me NOT to give any explanations about the javascript entrances, for instance Andrex:
 "...all this just to say: I'm working and I think that lots of other 
people are doing the same. PLEASE, don't explain the solution of this 
problem because I'll make my brain to work till I'll get the right 
password.

BTW, I'm very happy to work on this code because I'm learning a bit 
of Javascript.

This is REAL FUN, thank you. Andrex"

Others, on the other hand, have asked for more clues, like diphth:
"...I know how the damn thing works.. I mean it's not way above my 
head. You have a defined array, and the first three functions serve 
to set another array up. Then the final (get the obfuscated password 
function) each char. of the password entered sets up the final loop 
(outer to its # of iterations based on pass.length) the inner produces 
that obscenely large number by code = code + one of the members of 
the f array, then code = code * (1-however long the password entered 
was.) I want a hint (so here it is.. my foolish intent finally 
blurted out; this is where you either aid me or drop me like a 
forgettable cigarette end)..."
Well, for those of you that want to work alone on all this, just DO NOT READ WHAT FOLLOWS!
A letter by Jean "Flynn"
with a c decoder (18 January 1998)


In fact I decided to publish this help page you are reading now after having read this... Clearly, if people are capable of finding out that the last letter must be r (among a couple of other possibilities), that the first one does not matter and YET they don't find the real password, they do deserve some more clues...

...The key may be proven to be 10 digits, the first one being useless (Javabug there?), and the 2nd and 3rd being allowed to be switched, and the last one being in [C, Z, h, i, r, w] - the program generates only the 9 significant characters of the key, you have to add one random char in front. That is, that makes about 500 Mb of generated keys. I didn't find anything 'obvious' in them to indicate a password - so I'm kind of on the way to giving up. If you feel my efforts worth it, maybe you'll point out the detail I missed...

    // warning - needs a 64-bit integer type to work properly
    // (__int64 in the original; long long here so other compilers accept it).
    // C++, but nothing really needed from C++
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    char base[62] = {
        '0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
        'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M',
        'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z',
        'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm',
        'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z'
    } ;

    // this array has been obtained by inserting "prompt("", f) ;"
    // after the array f is generated in the Java script. I'm so lazy.
    int f[62] = {
        23,535,1047,1559,2071,2583,3095,3607,4119,4631,
        12,21,26,38,53,72,101,139,294,375,584,841,1164,
        1678,2425,4989,6478,10076,14494,21785,30621,69677,
        87452,139356,201113,278810,80,83,93,99,113,131,
        159,194,346,416,619,861,1165,1649,2256,4766,6077,
        9554,13713,20576,28894,65661,82386,131248,164801,262524
    } ;

    char key[20] ;

    // filter on the alphabet index: 0-9 digits, 10-35 upper case, 36-61 lower case
    static inline int test(int i)
    {
        // return i>=36 ;               // use this to generate only lower case keys
        // return ((i>=10)&&(i<36)) ;   // use this to generate only Upper case keys
        // return i>=10 ;               // use this to generate key with no digits
        return 1 ;                      // generate all keys
    }

    // no much comments in this - reverse it to understand what it does :-)
    int ptry(int level, long long val, int start)
    {
        long long tval ;

        val /= level ;                  // undo the multiplication by the position
        level-- ;
        if (level == 0) {
            // first significant character: what is left must be exactly one f[i]
            for (int i = 0; i < 62; ++i) {
                if (test(i))
                    if (val == f[i]) {
                        key[level] = base[i] ;
                        key[10] = 0 ;
                        printf("%s\n", key) ;
                    }
            }
            return 0 ;
        }
        for (int i = start; i < 62; ++i) {
            tval = val - f[i] ;         // undo the addition of f[i]
            if ((tval % level) == 0) {  // must divide evenly at the next level down
                if (test(i)) {
                    key[level] = base[i] ;
                    ptry(level, tval, 0) ;   // recursivity is the worst technique, but I love it
                }
            }
        }
        return 1 ;
    }

    int main(int argc, char *argv[])
    {
        memset(key, ' ', sizeof(key)) ;
        ptry(9, 25834242042LL, 0) ;     // key_length, passkey, starting_value (should be zero)
        return 0 ;
    }
A letter by Tristan
with a c decoder (25 January 1998)
Fravia+,

I started to write a little brute force cracker for the jscript. But wait a moment, how many possibilities are there? Errh, let's fire the windows calculator up, and that gives me: around 1,3 * 10^16 possibilities, hmm well forget this brute force cracker!!

So a bit more ZEN, first of all let's CALCULATE THE PASSWORD LENGTH!

1. Dumping the params to a file I get for the littlest f[x]=12 and the biggest f[x]=278810.
2. Calculation with the littlest number it gives me the information that the pwd. must be longer than 7 chars, and another calculation gives me that it must be smaller than 13.
3. Because of the calculation the length of the pwd. must be 1,2,3,6,7,9,14,18,21,42,63,126 or longer. But I think 126 is very long.

Now combining this information I get the length of the pwd. it's 9! But looking a bit better at the code it tells me that you throw the first character of the pwd. away. (Btw. did you want to do this, as a trick of a genius to bounce all lamers out?) Well after this we have much less pwd. to be cracked with my brute force cracker. But this is also too much.

I reversed the whole protection: I think you know your code very good so I don't have to tell you how this works. (divide by the length of pwd. subtract f[length(pwd)...] This gives me a piece of c++ code. And wow it works, and it is very fast. After 3 hours it had calculated all possibilities. Not bad I thought... let's try these few possibilities... FEW?, no they are NOT few! There are more than 900000 possibilities to match the calculation. Here are some of them:

    _M8xNC100C
    _PIxNC100C
    ....
    _veJiwyznw
    _evJiwyznw

(If you don't believe just try) But which one is the right? I searched for some java oriented words and found these:

    _LHXfRav7C
    _HLXfRav7C
    _VLejAvA7h
    _LVejAvA7h
    _vOJaVa2Ji
    _OvJaVa2Ji

But, as you know, they don't work.

Now comes the question part:

1. Can you give me a hint? I solved the mathematical quest, but which code is the right one? I think there is no hint in the page which gives me a clue.
2. Would you like me to write a tut on my way to solve this quest? (I promise that I won't have so much faults in the tut than in this letter!!!)
3. Will there come more such games?? PLEASE I liked it very much!!

If you like to answer my letter then send to to.tristan@usa.net

Bye till the next time.

What now comes is my fast cracker. If you don't want to look at it then cut this message here.

---------------cut here, compiled with watcom c/c++ 11.0----------

    #include <iostream>
    using namespace std;

    int Teiler;                      /* divisor */
    int z1,z2,z3,z4,z5,z6,z7,z8;
    long long a1[62],a2[62],a3[62],a4[62],a5[62],a6[62],a7[62],a8[62];
    long long base[62];
    long long code;
    int i;
    char getit[64] = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz?";

    int main( void )
    {
      base[0]=23; base[1]=535; base[2]=1047; base[3]=1559; base[4]=2071;
      base[5]=2583; base[6]=3095; base[7]=3607; base[8]=4119; base[9]=4631;
      base[10]=12; base[11]=21; base[12]=26; base[13]=38; base[14]=53;
      base[15]=72; base[16]=101; base[17]=139; base[18]=294; base[19]=375;
      base[20]=584; base[21]=841; base[22]=1164; base[23]=1678; base[24]=2425;
      base[25]=4989; base[26]=6478; base[27]=10076; base[28]=14494; base[29]=21785;
      base[30]=30621; base[31]=69677; base[32]=87452; base[33]=139356; base[34]=201113;
      base[35]=278810; base[36]=80; base[37]=83; base[38]=93; base[39]=99;
      base[40]=113; base[41]=131; base[42]=159; base[43]=194; base[44]=346;
      base[45]=416; base[46]=619; base[47]=861; base[48]=1165; base[49]=1649;
      base[50]=2256; base[51]=4766; base[52]=6077; base[53]=9554; base[54]=13713;
      base[55]=20576; base[56]=28894; base[57]=65661; base[58]=82386; base[59]=131248;
      base[60]=164801; base[61]=262524;

      cout<<"FAST cracker started"<<endl;
      code=25834242042LL;
      Teiler=9;
      code=code/Teiler;

      /* build array a1: candidates for the last character */
      for (i=0; i<62; i++) {a1[i]=code-base[i];}
      for (z1=0; z1<62; z1++) {
        cout<<"nächster teiler"<<endl;
        if (a1[z1]/8*8==a1[z1]) {              /* divisible by 8? */
          a1[z1]=a1[z1]/8;
          for (i=0; i<62; i++) {a2[i]=a1[z1]-base[i];}
          for (z2=0; z2<62; z2++) {
            if (a2[z2]/7*7==a2[z2]) {
              a2[z2]=a2[z2]/7;
              for (i=0; i<62; i++) {a3[i]=a2[z2]-base[i];}
              for (z3=0; z3<62; z3++) {
                if (a3[z3]/6*6==a3[z3]) {
                  a3[z3]=a3[z3]/6;
                  for (i=0; i<62; i++) {a4[i]=a3[z3]-base[i];}
                  for (z4=0; z4<62; z4++) {
                    if (a4[z4]/5*5==a4[z4]) {
                      a4[z4]=a4[z4]/5;
                      for (i=0; i<62; i++) {a5[i]=a4[z4]-base[i];}
                      for (z5=0; z5<62; z5++) {
                        if (a5[z5]/4*4==a5[z5]) {
                          a5[z5]=a5[z5]/4;
                          for (i=0; i<62; i++) {a6[i]=a5[z5]-base[i];}
                          for (z6=0; z6<62; z6++) {
                            if (a6[z6]/3*3==a6[z6]) {
                              a6[z6]=a6[z6]/3;
                              for (i=0; i<62; i++) {a7[i]=a6[z6]-base[i];}
                              for (z7=0; z7<62; z7++) {
                                if (a7[z7]/2*2==a7[z7]) {
                                  a7[z7]=a7[z7]/2;
                                  for (i=0; i<62; i++) {a8[i]=a7[z7]-base[i];}
                                  for (z8=0; z8<62; z8++) {
                                    for (i=0; i<62; i++) {
                                      /* nothing left over: print the key, "_" stands for the ignored first char */
                                      if (a8[z8]-base[i]==0) {
                                        cout<<"_"<<getit[i]<<getit[z8]<<getit[z7]<<getit[z6]<<getit[z5]<<getit[z4]<<getit[z3]<<getit[z2]<<getit[z1]<<endl;
                                      }
                                    }
                                  }
                                }
                              }
                            }
                          }
                        }
                      }
                    }
                  }
                }
              }
            }
          }
        }
      }
      return 0;
    } /* END */
Some help for you:
1) The 'easy solution' code "throws away" the first letter of the password to solve all case sensitive problems for users. So the only way you can get it correct (short of trying all combinations from axxxxxxxxx to zxxxxxxxxx) is to reconstruct it from the other letters... incidentally that means that the name of the page MAKES sense and it is NOT just something like 4_RRA3Z_.htm

2) There are NO numbers in the code, only chars

3) You should have understood that the last letter is a "r" (like ronald)


That should be enough even for a brute force attack, yet if you read the 'dead end' part of the entrances, you may find ANOTHER way to get there...

So, I hope that now many more of you will find the right way (WITHOUT or WITH bruteforcing as you like)... and, what's more important, maybe some of my more advanced readers and wizards have something interesting to add, which I will publish... of course "on the other side"...
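The arithmetic both letters rely on, as an added example that is not part of the original page or of either letter. The forward checksum is reconstructed from the two decoders (an assumption, since the entrance script itself is not reproduced here), and the names entrance_code and last_letter_candidates are made up for illustration; the block shows that the first character is ignored, that the 2nd and 3rd can be swapped, and why only six last letters are possible.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static const char ALPHABET[] =
    "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
/* Table f, as dumped in both letters. */
static const int64_t F[62] = {
    23,535,1047,1559,2071,2583,3095,3607,4119,4631,
    12,21,26,38,53,72,101,139,294,375,584,841,1164,
    1678,2425,4989,6478,10076,14494,21785,30621,69677,
    87452,139356,201113,278810,80,83,93,99,113,131,
    159,194,346,416,619,861,1165,1649,2256,4766,6077,
    9554,13713,20576,28894,65661,82386,131248,164801,262524 };
static const int64_t TARGET = 25834242042LL;  /* the value both decoders invert */

/* Assumed forward checksum: for positions 1..n-1, code = (code + f[char]) * position.
   Position 0 is skipped. Returns -1 for a character outside the alphabet. */
int64_t entrance_code(const char *pw) {
    int64_t code = 0;
    size_t n = strlen(pw);
    for (size_t i = 1; i < n; ++i) {
        const char *p = strchr(ALPHABET, pw[i]);
        if (p == NULL) return -1;
        code = (code + F[p - ALPHABET]) * (int64_t)i;
    }
    return code;
}

/* Last-letter filter for a 10-character password: after dividing TARGET by 9,
   subtracting f[c] must leave a multiple of 8. Writes the letters to out
   (NUL-terminated, needs 63 bytes) and returns how many qualify. */
int last_letter_candidates(char *out) {
    int n = 0;
    for (int i = 0; i < 62; ++i)
        if ((TARGET / 9 - F[i]) % 8 == 0) out[n++] = ALPHABET[i];
    out[n] = '\0';
    return n;
}

int main(void) {
    char last[63];
    int n = last_letter_candidates(last);
    printf("%d possible last letters: %s\n", n, last);
    /* Two of the candidates quoted in Tristan's letter, plus a changed first char. */
    printf("%d\n", entrance_code("_vOJaVa2Ji") == TARGET);
    printf("%d\n", entrance_code("_OvJaVa2Ji") == TARGET);
    printf("%d\n", entrance_code("XvOJaVa2Ji") == TARGET);
    return 0;
}
```

Several unrelated strings reach the same value, so passing the arithmetic says nothing about which string is the page name; that is the gap the hints above are meant to close.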

(c) Fravia 1995, 1996, 1997, 1998. All rights reserved