```How to land in devious
by Peter Papazov
21 February 1998 Back to devious

Well in the past two days I reached consequently the ~ advanced javascript page and
the ~160593.HTM URLs.

For the 'devious' puzzle things seemed complicated:

I consider that those who read the following lines already know well the ins
and outs of Dolgov's routines, so I'll point out only the major steps I
took...

For the time I've put into it I couldn't find an approach of
eliminating ranges of usernames and passwords. The way the F1 - F4 codes
were generated seemed complicated enough (not a simple multiply and add)
to be reversed out of the generated values.
For a moment I thought there could be some mathematical way to figure
out the F3 and F4 values, knowing F1 and F2. Or at least to figure out
F3+F4.
It seemed very complicated, and moreover improbable, because it would
be a major flaw in the protection.
Being given the F1 and F2 values of all the users, it is easy to
modify the JavaScript to point out which username/password couples were
omitted. I inserted a 'prompt( id )' in the place of the 'this.location'
statement. The not given ones turned out to be users 4 and 6.
A closer look showed that the F1 values of users 6 and 2 are equal.
This meant that user 6's name is 'username' (same as user 2's).
So here we had the F1 and F3 values for user 6. So we could find the
sum of the page's name and the F4 value for user 6. This didn't seem
quite helpfull to me.
So I decided bruteforcing. One more thing which lead me this way was
the mentioning that stalking/searching/sniffing would help a lot.
Porting the JavaScript code to C is straightforward, I used the __int64
and double types for the integer and floating point calculations. I
ported only functions F1 and F2, and wrote a wordlist checking main
routine. Looked up some english wordlist files and fired it up. I was
searching for the F1 and F2 values of user 4 and for the F2 value of
user 6. With a general english wordlist I found that the password for
user 4 is 'targeted'.
Well, this was on the first line of the 'javdevio.htm' file? So, why
don't we try gathering a Fravia.org wordlist. I used Jean Flynn's
approach - Black Widow + his word extracting program.
I sorted the file and removed the duplicates in the Aurora editor
(really cool, DOS and Win32 console versions).
When passed to the checker it gave the password for user 6 -
'mozilla'.
These loaded into the original 'javdevio.htm' form lead me to the
'160593.htm' page.
Well this is classified as a beginner solution. I sure am a beginner
in this field. Finding the 'targeted' password was mostly good luck for
me and bad luck for the single-english-word password users.

Again I reached the solution, mostly on other people's shoulders (on
what I have read of reaching the previous hidden pages), but this only
proves that the lessons work ;-).

In the end thanks to all the contributors and their host - you Fravia.

Best regards,
Peter Papazov

P.S. here I include the C checking program. it takes as a parameter the
wordlist file```
---------------------cut here------------------------- #include <stdio.h> #include <string.h> #include <ctype.h> #include <math.h> char weight[]="0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"; //****************************************************************************** // // Encryption operators // You got to alter the following values to get your own unique encryption code // // 1. The values should be within 0 ... 7 double fi11=2.232, fi12=0.372, fi13=1.322, fi14=5.322, fi15=2.322, fi16=3.771, fi17=2.313, fi18=1.300; double fi21=5.112, fi22=1.472, fi23=4.322, fi24=1.792, fi25=6.737, fi26=2.141, fi27=2.882, fi28=1.382; double fi31=3.342, fi32=5.352, fi33=1.732, fi34=3.008, fi35=1.399, fi36=5.999, fi37=4.913, fi38=2.578; double fi41=3.773, fi42=2.348, fi43=5.769, fi44=2.112, fi45=1.922, fi46=3.573, fi47=3.317, fi48=6.273; double fj11=0.732, fj12=4.732, fj13=4.732, fj14=0.732; double fj21=1.742, fj22=0.102, fj23=1.001, fj24=6.272; double fj31=4.732, fj32=6.212, fj33=6.001, fj34=6.212; double fj41=3.273, fj42=2.723, fj43=1.392, fj44=0.039; double m11=5.7193, m12=5.3732, m13=4.8313, m14=2.3991; double m21=3.3923, m22=3.3021, m23=6.4622, m24=1.1392; double m31=5.3991, m32=2.3010, m33=5.9223, m34=5.8283; double m41=2.3042, m42=1.3923, m43=1.2419, m44=0.3573; // // 2. The following values should be within limits 9.9999 ... 0.0001 // double k11=3.8173, k12=7.2094, k13=0.0001, k14=6.0202, k15=1.9294, k16=0.0011, k17=0.0033, k18=0.0492; double k21=1.3048, k22=0.0083, k23=0.0038, k24=0.0302, k25=2.3935, k26=9.4007, k27=4.2042, k28=0.0004; double k31=0.0298, k32=3.0020, k33=0.0912, k34=0.0123, k35=0.2033, k36=0.0001, k37=3.0034, k38=0.0009; double k41=0.2094, k42=9.0031, k43=5.2059, k44=2.4010, k45=0.0324, k46=0.0023, k47=0.2034, k48=9.9414; // // 3. 'Bases' should be within limits 10...36 (only integer!) // int base1=29, base2=31, base3=24, base4=34; #define MAXLEN 255 char buffer[MAXLEN+1]; FILE *input; //__________________________________________________________________________ // // Encryption functions F1 F2 F3 F4 (don't alter the following code) __int64 F1(char *j) { int x,i,k; __int64 z=0; char *p; __int64 pow=1; if( strlen( j ) > 10 ) j=0; k=strlen( j ); for(i=0;i<k;i++) { p=strchr( weight, toupper( j[i] ) ); if( p ) { x=p-weight; z+=x*pow; } pow*=base1; }; return floor( 5e14*sin(m11*sin(z*k11+fi11)*cos(z*k12+fi12)+fj11)* sin(m12*sin(z*k13+fi13)*cos(z*k14+fi14)+fj12)* sin(m13*sin(z*k15+fi15)*cos(z*k16+fi16)+fj13)* sin(m14*sin(z*k17+fi17)*cos(z*k18+fi18)+fj14)+5e14); } __int64 F2(char *j) { int x,i,k; __int64 z=0; char *p; __int64 pow=1; if( strlen( j ) > 10 ) j=0; k=strlen( j ); for(i=0;i<k;i++) { p=strchr( weight, toupper( j[i] ) ); if( p ) { x=p-weight; z+=x*pow; } pow*=base2; }; return floor( 5e14*sin(m21*sin(z*k21+fi21)*cos(z*k22+fi22)+fj21)* sin(m22*sin(z*k23+fi23)*cos(z*k24+fi24)+fj22)* sin(m23*sin(z*k25+fi25)*cos(z*k26+fi26)+fj23)* sin(m24*sin(z*k27+fi27)*cos(z*k28+fi28)+fj24)+5e14); } int main( int argc, char **argv ) { __int64 f2, f1; int t=0; if( argc > 1 ) { input=fopen( argv, "rt" ); if( input ) { while( !feof( input ) ) { if( fgets( buffer, MAXLEN, input ) != NULL ) { buffer[ strlen( buffer )-1 ]=0; f1=F1( buffer ); if( f1==191979145621879 ) printf( "\nUser 4's name is: %s\n", buffer ); f2=F2( buffer ); if( f2==251426266017281 ) printf( "\nUser 4's password is: %s\n", buffer ); if( f2==492060879591955 ) printf( "\nUser 6's password is: %s\n", buffer ); if( ++t==1000 ) { printf( "." ); t=0; } } else break; } fclose( input ); } } return 0; } ------------------------cut here-------------------------
You are deep inside Fravia's page of reverse engineering, choose your way out:  Back to the entrance Back to the devious page homepage links anonymity +ORC students' essays academy database tools cocktails antismut CGI-scripts search_forms mail_Fravia Is reverse engineering legal?