Here you go: (01 March 1998)
Dear Fravia,

I've reached you 'javdevio.htm' page 3 days ago, and yesterday I finally 
got a username/password to reach the protected part...

The method I used was :
1 - look at the JavaScript code, and modify it in order to localize the 
    usernames/passwords
    I mean username/password is user 2, fred/fred user 1, Fravia/Fravia 
    user 3...
    Doing this I realised that I have to find username/password for user 
    4 & 6.
    Just a little observation lead me the conclusion that user 6 name is 
    "username" 'coz it's the same that user 2.

2 - write an utility to brute-force these unknown codes (user4, 
    password4, password6)
    My first C program was performing about 20000 tries by second on my 
    Pentium 2 233Mhz.
    I then computed how much time should be required with this approach, 
    assuming that the username/password to find has only characters (so 
    digits), the result was :

    Phase 1 (password is 1 character long)............... 26 possibilities  immediate result
    Phase 2 (password is 2 character long).............. 676 possibilities  immediate result
    Phase 3 (password is 3 character long)........... 17.576 possibilities  immediate result
    Phase 4 (password is 4 character long).......... 456.976 possibilities  23 seconds
    Phase 5 (password is 5 character long)....... 11.881.376 possibilities  10 minutes
    Phase 6 (password is 4 character long)...... 308.915.776 possibilities  4 hours
    Phase 7 (password is 4 character long).... 8.031.810.176 possibilities  4,5 days
    Phase 8 (password is 8 character long)...208.827.064.576 possibilities  121 days

3 - considering the results above, I then decided to optimize my C code, 
    moving as much computation I could outside of the loops, storing results 
    in arrays...  I also decided to change to order of characters to check, 
    from 'A', 'B'... 'Z' to the growing order of frequency of the characters 
    in a common language "ERISANTOULCPMDGFBVHZQXYJKW" (in french) my result 
    was something like the following code :
-------------------------------------------------------- //__________________________________________________________________________ // parse(c) <==> parse(uppercase(j[i]),36); #define parse(c) ((c)-'A'+10) //__________________________________________________________________________ char savefile[80],resultfile[80]; FILE *fcfg, *fsav; char last_try[]="AAAA"; // starting values for a,b,c,d char start_phase; char a,b,c,d,e,f,g,h; char CharacterSet[26]="ERISANTOULCPMDGFBVHZQXYJKW"; double tpow1[10][26+'A'],tpow2[10][26+'A'],tpow3[10][26+'A'],tpow4[10][26+'A']; int len; void init_arrays(void) { char i,j; for(i=0;i<10;i++) for(j='A';j<='Z';j++) { tpow1[i][j]=parse(j)*pow(base1,i); tpow2[i][j]=parse(j)*pow(base2,i); tpow3[i][j]=parse(j)*pow(base3,i); tpow4[i][j]=parse(j)*pow(base4,i); } } //__________________________________________________________________________ // // Encryption functions F1 F2 ... double F1(char j[]) { char i; double z=0; // if (strlen(j)>10) j=j.substring(0,10); for(i=0;i<len;i++){ z+=tpow1[i][j[i]]; } return floor(5e14*sin(m11*sin(z*k11+fi11)*cos(z*k12+fi12)+fj11)* sin(m12*sin(z*k13+fi13)*cos(z*k14+fi14)+fj12)* sin(m13*sin(z*k15+fi15)*cos(z*k16+fi16)+fj13)* sin(m14*sin(z*k17+fi17)*cos(z*k18+fi18)+fj14)+5e14); } double F2(char *j) { char i; double z=0; // if (strlen(j)>10) j=j.substring(0,10); for(i=0;i<len;i++){ z+=tpow2[i][j[i]]; } return floor(5e14*sin(m21*sin(z*k21+fi21)*cos(z*k22+fi22)+fj21)* sin(m22*sin(z*k23+fi23)*cos(z*k24+fi24)+fj22)* sin(m23*sin(z*k25+fi25)*cos(z*k26+fi26)+fj23)* sin(m24*sin(z*k27+fi27)*cos(z*k28+fi28)+fj24)+5e14); } void write_result(char type, char u, char *s, double v) { if((fsav=f0/*n(resultfile,"at*/;)==NULL){ printf("ERROR: can't open result file\n"); exit(1); } fprintf(fsav,"\n%s %d : %s [%15.0lf]\n",(!type)?"User":"Password",u,s,v); fclose(fsav); } void test(char *s) { double z1,z2; z1=F1(s); z2=F2(s); // if(USERS[0][0]==z1) printf("\nUser 1 : %s [%15.0lf]\n",s,z1); // if(USERS[1][0]==z1) printf("\nUser 2 : %s [%15.0lf]\n",s,z1); // if(USERS[2][0]==z1) printf("\nUser 3 : %s [%15.0lf]\n",s,z1); if(USERS[3][0]==z1) write_result(0,4,s,z1); // if(USERS[4][0]==z1) printf("\nUser 5 : %s [%15.0lf]\n",s,z1); // if(USERS[5][0]==z1) printf("\nUser 6 : %s [%15.0lf]\n",s,z1); // if(USERS[0][1]==z2) printf("\nPassword 1 : %s [%15.0lf]\n",s,z2); // if(USERS[1][1]==z2) printf("\nPassword 2 : %s [%15.0lf]\n",s,z2); // if(USERS[2][1]==z2) printf("\nPassword 3 : %s [%15.0lf]\n",s,z2); if(USERS[3][1]==z2) write_result(1,4,s,z2); // if(USERS[4][1]==z2) printf("\nPassword 5 : %s [%15.0lf]\n",s,z2); if(USERS[5][1]==z2) write_result(1,6,s,z2); } void main(int argc, char **argv) { char tmp[]="AAAAAAAAAA"; // word to test against user/password char current[]="AAAAAAAAAA"; // starting counters clock_t clk; double tim; double speed=0.015; // tick / possibility init_arrays(); sprintf(savefile,"%s.cfg",argv[0]); sprintf(resultfile,"%s.out",argv[0]); if((fcfg=fopen(savefile,"rb+"))==NULL){ start_phase='5'; a=b=c=d=0; if((fcfg=fopen(savefile,"wb+"))==NULL){ printf("ERROR: can't creat save file\n"); exit(1); } save_last_try(); printf("Starting a new session at phase %c with word %s\n",start_phase,last_try); } else { fread(&start_phase,sizeof(char),1,fcfg); // starting_phase fread(&last_try,sizeof(char),4,fcfg); // last_try printf("Continuing, phase %c - word %s\n",start_phase,last_try); } if((fsav=fopen(resultfile,"at+"))==NULL){ printf("ERROR: can't creat result file\n"); exit(1); } if(start_phase<'5') { // 1 char, 26 possibilities clk=clock(); printf("--- Phase 1\n"); len=1; tmp[1]=0; for(a=0;a<26;a++){ tmp[0]=CharacterSet[a]; test(tmp); } tim=clock()-clk; printf("Phase 1 took %lf sec (%lf ticks by possibility)\n",(tim/CLOCKS_PER_SEC),tim/26); // 2 chars, 676 possibilities clk=clock(); printf("--- Phase 2 (will take %.3lf s)\n",speed*676/CLOCKS_PER_SEC); len=2; tmp[2]=0; for(a=0;a<26;a++){ tmp[0]=CharacterSet[a]; for(b=0;b<26;b++){ tmp[1]=CharacterSet[b]; test(tmp); } } tim=clock()-clk; printf("Phase 2 took %lf sec (%lf ticks by possibility)\n",(tim/CLOCKS_PER_SEC),tim/676); // 3 chars, 17.576 possibilities clk=clock(); printf("--- Phase 3 (will take %.3lf s)\n",speed*17576/CLOCKS_PER_SEC); len=3; tmp[3]=0; for(a=0;a<26;a++){ tmp[0]=CharacterSet[a]; for(b=0;b<26;b++){ tmp[1]=CharacterSet[b]; for(c=0;c<26;c++){ tmp[2]=CharacterSet[c]; test(tmp); } } } tim=clock()-clk; printf("Phase 3 took %lf sec (%lf ticks by possibility)\n",(tim/CLOCKS_PER_SEC),tim/17576); // 4 chars, 456.976 possibilities clk=clock(); printf("--- Phase 4 (will take %.3lf s)\n",speed*456976/CLOCKS_PER_SEC); len=4; tmp[4]=0; for(a=0;a<26;a++){ tmp[0]=CharacterSet[a]; for(b=0;b<26;b++){ tmp[1]=CharacterSet[b]; for(c=0;c<26;c++){ tmp[2]=CharacterSet[c]; for(d=0;d<26;d++){ tmp[3]=CharacterSet[d]; test(tmp); } } } } tim=clock()-clk; printf("Phase 4 took %lf sec (%lf ticks by possibility)\n",(tim/CLOCKS_PER_SEC),tim/456976); } if(start_phase<='5') { current[0]=last_try[0]; current[1]=last_try[1]; current[2]=last_try[2]; current[3]=last_try[3]; // 5 chars, 11.881.376 possibilities clk=clock(); printf("--- Phase 5 (will take %.3lf s)\n",speed*11881376/CLOCKS_PER_SEC); len=5; tmp[5]=0; for(a=current[0]-'A';a<26;a++){ tmp[0]=CharacterSet[a]; for(b=current[1]-'A';b<26;b++){ tmp[1]=CharacterSet[b]; for(c=current[2]-'A';c<26;c++){ tmp[2]=CharacterSet[c]; for(d=current[3]-'A';d<26;d++){ tmp[3]=CharacterSet[d]; save_last_try(); for(e=0;e<26;e++){ tmp[4]=CharacterSet[e]; test(tmp); } } current[3]='A'; } current[2]='A'; } current[1]='A'; } start_phase++; current[0]='A'; tim=clock()-clk; printf("Phase 5 took %lf sec (%lf ticks by possibility)\n",(tim/CLOCKS_PER_SEC),tim/11881376); } if(start_phase=='6') { current[0]=last_try[0]; current[1]=last_try[1]; current[2]=last_try[2]; current[3]=last_try[3]; // 6 chars, 308.915.776 possibilities clk=clock(); printf("--- Phase 6 (will take %.3lf s)\n",speed*308915776/CLOCKS_PER_SEC); len=6; tmp[6]=0; for(a=current[0]-'A';a<26;a++){ tmp[0]=CharacterSet[a]; for(b=current[1]-'A';b<26;b++){ tmp[1]=CharacterSet[b]; for(c=current[2]-'A';c<26;c++){ tmp[2]=CharacterSet[c]; for(d=current[3]-'A';d<26;d++){ tmp[3]=CharacterSet[d]; save_last_try(); for(e=0;e<26;e++){ tmp[4]=CharacterSet[e]; for(f=0;f<26;f++){ tmp[5]=CharacterSet[f]; test(tmp); } } } current[3]='A'; } current[2]='A'; } current[1]='A'; } start_phase++; current[0]='A'; tim=clock()-clk; printf("Phase 6 took %lf sec (%lf ticks by possibility)\n",(tim/CLOCKS_PER_SEC),tim/308915776); } if(start_phase=='7') { current[0]=last_try[0]; current[1]=last_try[1]; current[2]=last_try[2]; current[3]=last_try[3]; // 7 chars, 8.031.810.176 possibilities clk=clock(); printf("--- Phase 7 (will take %.3lf s)\n",speed*8031810176/CLOCKS_PER_SEC); len=7; tmp[7]=0; for(a=current[0]-'A';a<26;a++){ tmp[0]=CharacterSet[a]; for(b=current[1]-'A';b<26;b++){ tmp[1]=CharacterSet[b]; for(c=current[2]-'A';c<26;c++){ tmp[2]=CharacterSet[c]; for(d=current[3]-'A';d<26;d++){ tmp[3]=CharacterSet[d]; save_last_try(); for(e=0;e<26;e++){ tmp[4]=CharacterSet[e]; for(f=0;f<26;f++){ tmp[5]=CharacterSet[f]; for(g=0;g<26;g++){ tmp[6]=CharacterSet[g]; test(tmp); } } } } current[3]='A'; } current[2]='A'; } current[1]='A'; } start_phase++; current[0]='A'; tim=clock()-clk; printf("Phase 7 took %lf sec (%lf ticks by possibility)\n",(tim/CLOCKS_PER_SEC),tim/8031810176); } if(start_phase=='8') { current[0]=last_try[0]; current[1]=last_try[1]; current[2]=last_try[2]; current[3]=last_try[3]; // 8 chars, 208.827.064.576 possibilities clk=clock(); printf("--- Phase 8 (will take %.3lf s)\n",speed*208827064576/CLOCKS_PER_SEC); len=8; tmp[8]=0; for(a=current[0]-'A';a<26;a++){ tmp[0]=CharacterSet[a]; for(b=current[1]-'A';b<26;b++){ tmp[1]=CharacterSet[b]; for(c=current[2]-'A';c<26;c++){ tmp[2]=CharacterSet[c]; for(d=current[3]-'A';d<26;d++){ tmp[3]=CharacterSet[d]; save_last_try(); for(e=0;e<26;e++){ tmp[4]=CharacterSet[e]; for(f=0;f<26;f++){ tmp[5]=CharacterSet[f]; for(g=0;g<26;g++){ tmp[6]=CharacterSet[g]; for(h=0;h<26;h++){ tmp[7]=CharacterSet[h]; test(tmp); } } } } } current[3]='A'; } current[2]='A'; } current[1]='A'; } start_phase++; current[0]='A'; tim=clock()-clk; printf("Phase 8 took %lf sec (%lf ticks by possibility)\n",(tim/CLOCKS_PER_SEC),tim/208827064576); } printf("All done... bye\n"); fclose(fcfg); exit(0); } --------------------------------------------------------


    With this code the performance was : about 666667 tries by second, 
    giving :

    Phase 1 (password is 1 character long)............... 26 possibilities  immediate result
    Phase 2 (password is 2 character long).............. 676 possibilities  immediate result
    Phase 3 (password is 3 character long)........... 17.576 possibilities  immediate result
    Phase 4 (password is 4 character long).......... 456.976 possibilities  6 seconds
    Phase 5 (password is 5 character long)....... 11.881.376 possibilities  3 minutes
    Phase 6 (password is 4 character long)...... 308.915.776 possibilities  80 minutes
    Phase 7 (password is 4 character long).... 8.031.810.176 possibilities  35 hours
    Phase 8 (password is 8 character long)...208.827.064.576 possibilities  37 days

    This was much better, but not enough for me...

4 - Considering that when you want to use brute force, you have to be 
    very strong, powerful, etc...
    I choosed to reduce the waiting time using the computing power of 
    the network of my company...
    This required a little more coding but the result is here : only 
    using the network after working hours (in order to not disturb the 
    employees), the more the network uses computer, the less it takes to 
    find a solution.

    That's all, the result is here.


Comments can be send at :
Azazel_Corp(at)hotmail(point)com