How to land in devious
by Peter Papazov, 21 February 1998
Javascript page
Well, in the past two days I reached in succession the ~ advanced javascript page and the ~160593.HTM URLs. For the 'devious' puzzle things seemed complicated: I take it that those who read the following lines already know the ins and outs of Dolgov's routines well, so I'll point out only the major steps I took...

For the time I've put into it, I couldn't find an approach for eliminating ranges of usernames and passwords. The way the F1 - F4 codes were generated seemed too complicated (not a simple multiply and add) to be reversed out of the generated values. For a moment I thought there could be some mathematical way to figure out the F3 and F4 values, knowing F1 and F2, or at least to figure out F3+F4. It seemed very complicated, and moreover improbable, because it would be a major flaw in the protection.

Being given the F1 and F2 values of all the users, it is easy to modify the JavaScript to point out which username/password couples were omitted. I inserted a 'prompt( id )' in the place of the 'this.location' statement. The ones not given turned out to be users 4 and 6. A closer look showed that the F1 values of users 6 and 2 are equal. This meant that user 6's name is 'username' (same as user 2's). So here we had the F1 and F3 values for user 6, and so we could find the sum of the page's name and the F4 value for user 6. This didn't seem very helpful to me, so I decided on brute-forcing. One more thing which led me this way was the mention that stalking/searching/sniffing would help a lot.

Porting the JavaScript code to C is straightforward; I used the __int64 and double types for the integer and floating point calculations. I ported only functions F1 and F2, and wrote a wordlist-checking main routine. I looked up some English wordlist files and fired it up. I was searching for the F1 and F2 values of user 4 and for the F2 value of user 6. With a general English wordlist I found that the password for user 4 is 'targeted'.
Well, this was on the first line of the 'javdevio.htm' file? So, why don't we try gathering a wordlist. I used Jean Flynn's approach - Black Widow + his word extracting program. I sorted the file and removed the duplicates in the Aurora editor (really cool, DOS and Win32 console versions). When passed to the checker it gave the password for user 6 - 'mozilla'. These, loaded into the original 'javdevio.htm' form, led me to the '160593.htm' page.

Well, this is classified as a beginner solution. I sure am a beginner in this field. Finding the 'targeted' password was mostly good luck for me and bad luck for the single-English-word password users. Again I reached the solution mostly on other people's shoulders (on what I have read about reaching the previous hidden pages), but this only proves that the lessons work ;-). In the end, thanks to all the contributors and their host - you, Fravia.

Best regards,
Peter Papazov

P.S. Here I include the C checking program. It takes the wordlist file as a parameter.
---------------------cut here-------------------------
/*
 * Wordlist checker for the 'devious' puzzle: a C port of the JavaScript
 * F1/F2 routines plus a main() that hashes every line of a wordlist and
 * reports hits on the three target values.  Integers are held in int64_t
 * (__int64 in the original MSVC build) and everything else in double, as
 * in the JavaScript.  Build: gcc -O2 -o check check.c -lm  Run: check words.txt
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <math.h>
#include <stdint.h>

char weight[]="0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";

//******************************************************************************
//
// Encryption operators
// You got to alter the following values to get your own unique encryption code
//
// 1. The values should be within 0 ... 7
double fi11=2.232, fi12=0.372, fi13=1.322, fi14=5.322, fi15=2.322, fi16=3.771, fi17=2.313, fi18=1.300;
double fi21=5.112, fi22=1.472, fi23=4.322, fi24=1.792, fi25=6.737, fi26=2.141, fi27=2.882, fi28=1.382;
double fi31=3.342, fi32=5.352, fi33=1.732, fi34=3.008, fi35=1.399, fi36=5.999, fi37=4.913, fi38=2.578;
double fi41=3.773, fi42=2.348, fi43=5.769, fi44=2.112, fi45=1.922, fi46=3.573, fi47=3.317, fi48=6.273;
double fj11=0.732, fj12=4.732, fj13=4.732, fj14=0.732;
double fj21=1.742, fj22=0.102, fj23=1.001, fj24=6.272;
double fj31=4.732, fj32=6.212, fj33=6.001, fj34=6.212;
double fj41=3.273, fj42=2.723, fj43=1.392, fj44=0.039;
double m11=5.7193, m12=5.3732, m13=4.8313, m14=2.3991;
double m21=3.3923, m22=3.3021, m23=6.4622, m24=1.1392;
double m31=5.3991, m32=2.3010, m33=5.9223, m34=5.8283;
double m41=2.3042, m42=1.3923, m43=1.2419, m44=0.3573;
//
// 2. The following values should be within limits 9.9999 ... 0.0001
//
double k11=3.8173, k12=7.2094, k13=0.0001, k14=6.0202, k15=1.9294, k16=0.0011, k17=0.0033, k18=0.0492;
double k21=1.3048, k22=0.0083, k23=0.0038, k24=0.0302, k25=2.3935, k26=9.4007, k27=4.2042, k28=0.0004;
double k31=0.0298, k32=3.0020, k33=0.0912, k34=0.0123, k35=0.2033, k36=0.0001, k37=3.0034, k38=0.0009;
double k41=0.2094, k42=9.0031, k43=5.2059, k44=2.4010, k45=0.0324, k46=0.0023, k47=0.2034, k48=9.9414;
//
// 3. 'Bases' should be within limits 10...36 (only integer!)
//
int base1=29, base2=31, base3=24, base4=34;

#define MAXLEN 255
char buffer[MAXLEN+1];
FILE *input;

//__________________________________________________________________________
//
// Encryption functions F1 F2 F3 F4 (don't alter the following code)

// Pack the first (at most) 10 characters of j into an integer, least
// significant digit first, in the given base.  Characters outside 'weight'
// contribute nothing but still advance the position, exactly as in the
// JavaScript.  Note that j is truncated in place.
static int64_t pack(char *j, int base)
{
    int i, k;
    int64_t z = 0, pow = 1;
    char *p;
    if (strlen(j) > 10) j[10] = 0;
    k = strlen(j);
    for (i = 0; i < k; i++) {
        p = strchr(weight, toupper((unsigned char)j[i]));
        if (p) z += (p - weight) * pow;
        pow *= base;
    }
    return z;
}

// Caveat: z reaches ~1e15 for 10-character words, so sin/cos are evaluated
// at arguments around 1e16.  A hit is only found if this libm's argument
// reduction agrees with the browser's to the last bit; if a known-good
// password does not match, suspect that before suspecting the port.
int64_t F1(char *j)
{
    int64_t z = pack(j, base1);
    return (int64_t)floor( 5e14*sin(m11*sin(z*k11+fi11)*cos(z*k12+fi12)+fj11)*
                               sin(m12*sin(z*k13+fi13)*cos(z*k14+fi14)+fj12)*
                               sin(m13*sin(z*k15+fi15)*cos(z*k16+fi16)+fj13)*
                               sin(m14*sin(z*k17+fi17)*cos(z*k18+fi18)+fj14)+5e14 );
}

int64_t F2(char *j)
{
    int64_t z = pack(j, base2);
    return (int64_t)floor( 5e14*sin(m21*sin(z*k21+fi21)*cos(z*k22+fi22)+fj21)*
                               sin(m22*sin(z*k23+fi23)*cos(z*k24+fi24)+fj22)*
                               sin(m23*sin(z*k25+fi25)*cos(z*k26+fi26)+fj23)*
                               sin(m24*sin(z*k27+fi27)*cos(z*k28+fi28)+fj24)+5e14 );
}

int main( int argc, char **argv )
{
    int64_t f1, f2;
    long t = 0;
    if (argc < 2) {
        fprintf(stderr, "usage: %s wordlist\n", argv[0]);
        return 1;
    }
    input = fopen(argv[1], "r");
    if (!input) {
        perror(argv[1]);
        return 1;
    }
    // Loop on fgets() itself rather than on feof().  strcspn() strips CR and
    // LF, so CRLF wordlists and a last line without a newline are handled.
    while (fgets(buffer, sizeof buffer, input) != NULL) {
        buffer[strcspn(buffer, "\r\n")] = 0;
        if (buffer[0] == 0) continue;
        f1 = F1(buffer);                        // truncates buffer to 10 chars
        if (f1 == 191979145621879LL) printf("\nUser 4's name is: %s\n", buffer);
        f2 = F2(buffer);
        if (f2 == 251426266017281LL) printf("\nUser 4's password is: %s\n", buffer);
        if (f2 == 492060879591955LL) printf("\nUser 6's password is: %s\n", buffer);
        if (++t == 1000) { printf("."); fflush(stdout); t = 0; }   // progress dots
    }
    fclose(input);
    return 0;
}
------------------------cut here-------------------------
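The wordlist-gathering step above (download the target, extract the words, sort, remove duplicates) is the part of the solution that carries over to any password check of this kind: the words on the page and in its scripts are the best candidates. The program below is an added example, written for this edit and not part of Peter Papazov's essay or of Jean Flynn's tools; it does in one pass what Black Widow, the word extractor and the Aurora sort did by hand. It strips HTML tags but keeps script bodies (where string literals such as 'mozilla' live), lowercases, cuts tokens at 10 characters because F1/F2 never see more than that, and drops duplicates. The embedded sample page is constructed for the demonstration and is not the real javdevio.htm; the function names are mine.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define WORD_MAX  10      /* F1/F2 only hash the first 10 characters of a word */
#define MAX_WORDS 4096
#define PAGE_MAX  (256 * 1024)

typedef struct {
    char word[MAX_WORDS][WORD_MAX + 1];
    int  count;
} wordlist;

/* Constructed sample page for the demonstration (NOT the real javdevio.htm). */
const char sample_page[] =
    "<html><head><title>Targeted entrance</title>\n"
    "<script language=\"JavaScript\"><!--\n"
    "  // the nice people at mozilla did not expect this\n"
    "  if (navigator.appName == \"Netscape\") { var pw = 'mozilla'; }\n"
    "  if (a > b) { targeted = 1; }\n"
    "//--></script></head>\n"
    "<body><a href=\"javdevio.htm\">targeted</a> readers only, Targeted!\n"
    "reverseengineering</body></html>\n";

int wordlist_contains(const wordlist *wl, const char *w)
{
    int i;
    for (i = 0; i < wl->count; i++)
        if (strcmp(wl->word[i], w) == 0) return 1;
    return 0;
}

/* Move the pending token into the list, dropping duplicates. */
static void flush(wordlist *wl, char *tok, int *len)
{
    if (*len == 0) return;
    tok[*len] = 0;
    *len = 0;
    if (!wordlist_contains(wl, tok) && wl->count < MAX_WORDS)
        strcpy(wl->word[wl->count++], tok);
}

/* Case-insensitive "s starts with pre" (pre must be lowercase). */
static int prefix_ci(const char *s, const char *pre)
{
    for (; *pre; s++, pre++)
        if (tolower((unsigned char)*s) != (unsigned char)*pre) return 0;
    return 1;
}

/* Harvest unique lowercase words from an HTML page.
   - Tag contents (<a href=...>) are skipped so markup does not pollute the list.
   - Script bodies are kept as text: that is where string literals, comments
     and identifiers live; a '<' inside a script is just punctuation.
   - '<!--' is treated as punctuation, not as the start of a tag.
   - Tokens are runs of letters/digits, lowercased and cut at WORD_MAX, which
     is exactly what the puzzle's hash would see anyway.
   Returns the number of unique words. */
int extract_words(const char *html, wordlist *wl)
{
    char tok[WORD_MAX + 1];
    int len = 0, in_tag = 0, in_script = 0;
    const char *p;

    wl->count = 0;
    for (p = html; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (in_tag) {
            if (c == '>') in_tag = 0;
            continue;
        }
        if (c == '<') {
            flush(wl, tok, &len);
            if (in_script) {
                if (prefix_ci(p, "</script")) { in_script = 0; in_tag = 1; }
            } else if (prefix_ci(p, "<!--")) {
                p += 3;                       /* plus the loop's p++: skip "<!--" */
            } else {
                in_tag = 1;
                if (prefix_ci(p, "<script")) in_script = 1;
            }
            continue;
        }
        if (isalnum(c)) {
            if (len < WORD_MAX) tok[len++] = (char)tolower(c);
        } else {
            flush(wl, tok, &len);
        }
    }
    flush(wl, tok, &len);
    return wl->count;
}

/* Wrappers over the constructed sample, for a quick self-check. */
int sample_word_count(void)
{
    static wordlist wl;
    return extract_words(sample_page, &wl);
}

int sample_has_word(const char *w)
{
    static wordlist wl;
    extract_words(sample_page, &wl);
    return wordlist_contains(&wl, w);
}

/* Usage: harvest [page.htm] > words.txt ; then feed words.txt to the checker. */
int main(int argc, char **argv)
{
    static char page[PAGE_MAX + 1];
    static wordlist wl;
    const char *src = sample_page;
    int i;

    if (argc > 1) {
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        page[fread(page, 1, PAGE_MAX, f)] = 0;
        fclose(f);
        src = page;
    }
    extract_words(src, &wl);
    for (i = 0; i < wl.count; i++) puts(wl.word[i]);
    return 0;
}
```

Run it on every file Black Widow pulled down and concatenate the outputs into one list for the checker; since the checker truncates to 10 characters as well, the cut at extraction time only serves to keep the list free of duplicates that would hash identically. Attribute values such as href targets are deliberately dropped here; if the page names files you care about, keep those as a separate list.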