Two Paths To Success
An accidental? solution on the road to devious
March 08 1998
by JimBob
Courtesy of Fravia's page of reverse engineering
OK, ok, so the devious 'easy' entrance was indeed a little too easy... yet I'm still amazed at how FEW people got there (I know that many tried because I get a lot of hits on non-existing pages that 'feel' like pages called by people working on the easy devious access: puotha.htm, gffade.htm, jk4532.htm and so on, merrily sexlettering my hosting server)...
Well, the minimum you can do if you found this 'easy' entrance is (if you did not do it already) to work your way in through the harder devious one and through the TWO accesses to the advanced javascript page!
There is a crack, a crack in everything
That's how the light gets in
(x)Beginner ( )Intermediate ( )Advanced ( )Expert

We take an overall look at what this protection is doing and use the many hints +Fravia gives us. We find you don't always have to get your hands 'dirty' with tracing source code or figuring out some light or heavy duty encryption.


Here we find two ways into the devious javascript page. The first
was accidentally found while trying to figure a way to the page using
the information provided us. I am not a master cracker or hacker.
I am just a guy who knows or figures out how to get the answers or
solutions that I need. Everyone says knowledge is power, that's true,
but I also believe that real power is the ability to collect, increase
and most important, use that knowledge.
It's also helpful to be able to think logically.

Tools required
An open mind & curiosity

Target's URL/FTP

I must start by saying that I like to approach these problems like
I approach Fravia's site. First I get an overall feel for the site,
see what's new, how things are laid out etc.
Only after that do I start to tackle the specifics.

I tried out the page before even looking at the source, just to see
what it wanted and what its responses were.
First I quickly read the couple sentences on your easy page and
saw it wanted a password. I entered the word 'correct' and got sent
to _tuub_o.htm. Hmm, it looks like a 1 to 1 letter substitution,
it has the same number of letters in each word and the c's become _'s
and the r's become u's. We haven't looked at the source yet so we still
don't know exactly what +his set of letters is.

If we glance at the source we can confirm that a simple letter exchange
is happening based on the string

But why make it hard so quickly? Let's forget about the specifics of
the protection for a minute. Let's slow down and re-read what Fravia
actually wrote: 'the code works as a generator: if you introduce
the name of a url, you get the password to the url as well'.
Wait a minute now, that sounds like he's giving us part
of the answer right here!

So we also re-read the 2nd sentence 'The correct password,
that would land you on my 'devious' page on 20 MARCH 1998, would
land you on vournt.htm on another march day..another, not any other day'

I figured that if the same password would get you to 2 different
pages on different days, then somehow the protection must also use
the date when scrambling the password. This seems reinforced by the fact
that he emphasizes another day and not any other.

He tells us the protection can be used as a keygenerator.
Now if I want to find the password to the page vournt.htm, I need
to enter the word 'vournt' as the password and get a 404 error,
but write down the page it tried to find. When I tried this on
March 4th, the page it tried to find was rsqvjp.htm. So let's
test what Fravia is telling us and enter 'rsqvjp' as the password
and bingo, we land on vournt.htm. Now let's examine what he is saying
about March 20th,

'The correct password, that would land you on my 'devious' page
on 20 MARCH 1998, would land you on vournt.htm on another march day'
OK, so on March 4th the password to vournt.htm is 'rsqvjp'. I figure OK,
all I have to do is set my clock and find the password to vournt.htm
on each day of the month, 1-31, and then set my clock to March 20th
and try each password. So I start entering vournt as the password
on each day of the month, then on March 30th, I enter vournt and
instead of a 404 error and a password, I get sent to the devious page!

Now I ask myself 2 questions: was my approach correct?
And what the hell just happened?
1st, yes, my approach would have worked. Here is a listing of the passwords
for vournt.htm on each day of March:

1 upvqms
2 tqsplv
3 srtoku
4 rsqvjp
5 qtruao
6 puothr
7 ovpsgq
8 ngmjvl
9 mhnauk
10 lakhtn
11 kjlgsm
12 jkanrh
13 aljmqg
14 hmglpj
15 gnhkoa
16 f8eb7d
17 e9fi6w
18 diw95f
19 wbd84e
20 bwif39
21 idbe28
22 9e8d1b
23 8f9w0i
24 7063f5
25 6172e4
26 5241d7
27 4350w6
28 3427b1
29 2536i0
30 160593.htm devious javascript page!
31 071482

On March 10 the password for vournt.htm was lakhtn; if I try that
password on March 20th, it does also bring me to the devious page.
2nd, I guess what I am left asking myself is, is this how Fravia
'happened' to choose the pair 160593 and vournt?
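
The table above is enough to recover the scheme without reading the page's script. The JavaScript below is an added example, not code from this essay or from Fravia's page: it fits a 32-symbol alphabet from the first column of the table and checks it against the other five columns. The XOR-with-day-of-month model and all function names are assumptions inferred from the table only.

```javascript
// Passwords for vournt.htm on March 1..31, copied from the table in the essay.
const TABLE = (
  "upvqms tqsplv srtoku rsqvjp qtruao puothr ovpsgq ngmjvl mhnauk lakhtn " +
  "kjlgsm jkanrh aljmqg hmglpj gnhkoa f8eb7d e9fi6w diw95f wbd84e bwif39 " +
  "idbe28 9e8d1b 8f9w0i 7063f5 6172e4 5241d7 4350w6 3427b1 2536i0 160593 071482"
).split(" ");
const URL_NAME = "vournt";

// Hypothesis (inferred, not taken from the page's script): each symbol's index
// in a fixed 32-symbol alphabet is XORed with the day of the month.
// Fit the alphabet from the FIRST column only. Placing 'v' at index 31 is a
// free choice (any XOR relabelling is equivalent); it puts the digits at 0..9.
function recoverAlphabet(table) {
  const alphabet = new Array(32).fill("?");
  alphabet[31] = URL_NAME[0];
  table.forEach((pw, i) => { alphabet[31 ^ (i + 1)] = pw[0]; });
  return alphabet.join("");
}

// Apply one day's substitution. XOR is its own inverse, so the same call turns
// a page name into its password and a password back into its page name.
function transform(word, day, alphabet) {
  return [...word].map((ch) => {
    const idx = alphabet.indexOf(ch);
    if (idx < 0) throw new Error(`symbol ${ch} not in recovered alphabet`);
    return alphabet[idx ^ day];
  }).join("");
}

// Count table rows the fitted model reproduces in full. Columns 2..6 were not
// used for fitting, so they are an independent check of the hypothesis.
function rowsExplained(table, alphabet) {
  return table.filter((pw, i) => transform(URL_NAME, i + 1, alphabet) === pw).length;
}

// Applying day a and then day b is the same as applying the single day a XOR b.
function composedDay(a, b) { return a ^ b; }

const ALPHABET = recoverAlphabet(TABLE);
console.log(ALPHABET, rowsExplained(TABLE, ALPHABET), "of", TABLE.length);
console.log(transform("lakhtn", 20, ALPHABET), composedDay(10, 20));
```

Because 10 XOR 20 = 30, the March 10 password entered on March 20 resolves to the same page that vournt itself resolves to on March 30. The recovered alphabet covers only the 32 symbols that appear in the table.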

Final Notes
Well it turns out that this is indeed an easy entrance,
we found the devious page without even having to really pick
apart the source code or the encryption method. Even if we hadn't
lucked into the vournt-160593 pair on March 30th, we would
have still found the page trying the March 10th password for
vournt.htm on March 20th.
