COMPILATION



Fravia's "Hyper" Javascript ~ Javascript hyperprotections and protections developing lab

Fravia's Nofrill Web design ('98 ~ '99)
 

Started
June 1999
Welcome to Fravia's "password-compilation" Javascript page
This is a 'living' workshop on Javascript site protection.
(moderated by The Seeker)

This is an attempt to compile all the interesting javascript-protections. Don't expect to find everything here ready to download at the beginning (June-July 1999). It will surely take some time to put all things together.
It is not my intention to explain everything. I will need your help.
I am neither your guru nor your trainer, just the moderator of these pages. I know for sure that there are a whole lot of better javascript-coders out there, so please contribute.
The Seeker


[The Hardcoded Ones] ~ [The Gate-Keepers] ~ [The Logicals] ~ [The Maths] ~ [The Encrypted] ~ [Special : using cookies] ~ [The Commercials] ~ [The Bluffers] ~ [Bonus : standalone encryption]
 

Javascript protection reversing
Fravia's living workshop on Javascript site protection : The compilation
(moderated by The Seeker)
First issue : Collector's items
Last modified : 09.06.99

I had better say it twice : NO, I am not the new javascript-messiah you have all been waiting for ! I am just an (almost) average javascript-coder, who is trying to bring some things on the line. But I need your help ! This is a workshop, where everyone is called to contribute. I can't do this stuff all alone (just because I need some time for real life, too). The more you contribute, the sooner this page will become what it is intended to be : a real compilation of javascript-protections.
What you can do :
- explain to us how some protections work
- write universal decoders
- tell us about other protections you have found
There are a lot of blank spots in the javascript-protection-landscape to fill ! It is up to YOU whether this page will be a milestone in javascript-reversing or just another giant flop.
Javascript wizards of all countries, unite ! CONTRIBUTE !
The Seeker
BTW : if I say 'reversible == NO', this means that you cannot get access to the protected page by reversing the code ! 'Hacking' or 'site-grabbing' of any kind is not what we are after. Of course, even if there is no access possible, the code could be interesting. So don't hesitate to send solutions for these protections !

The Hardcoded Passwords

- The dull ones
URL : can be found at a lot of places, try http://www.javagoodies.com
reversible : :)
I call them 'dull', because all you have to do is to view the source and read the password. To leave no stone unturned and for the sake of completeness, take this example :
    // Both credentials are string literals in the page source
    // (here they are even offered as the prompt defaults).
    var ask = prompt("Please enter the username", "John");
    var ask2 = prompt("Please enter the password for " + ask, "unlock");
    if (ask != "John" || ask2 != "unlock") {
        alert("Username/Password Incorrect\nAccess denied!");
        location.href = "index2.htm";
    }



- The tricky ones
  - The old CHR$-trick
URL : http://www.bietsoft.de/passwort.htm
reversible : :)
essays : ~


  - The old *.js-trick
(never forget about the little treasures in your browser's cache :-)
URL : http://www.antihero.jab.net/
reversible : :)
essays : ~
When entering this URL they tell you : "The page you are trying to access is not compatable with Netscape browsers!
Feel free to come back useing Internet Explorer."

Don't waste your time and nerves installing M$-exploder. I have got an old version of this protection, Login 4.2 - not worth mentioning. The only 'highlight' is that they are hiding the passwords and usernames in a pw.js file.
BTW : Ever tested the
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
with a *.js file ? - Could be worth some investigation !

  - The old substring-trick
URL : http://www.javascripts.com (script 15577.html)
reversible : :)
essays : ~
A little bit more tricky : the Javascript Combination Access Protection
http://www.geocities.com/SiliconValley/7116 (jv_comb01.html)

The Gate-Keepers
I call them Gate-Keepers, because the password is the name of the URL (sometimes this password is additionally encrypted).
If the password == the URL, you have no chance.
If the password == the encrypted URL, you may be able to reverse the code, but not to get access to the hidden page (unless you have some hints). But it could be fun anyway, to understand how this encryption works. (And maybe this understanding is helpful for reversing another protection)

- Javascript Password System (JPS)
URL : http://www.bloodaxe.demon.uk/JPS
reversible : no
essays : ~
Taken from the manual :

How Does it Work?

The system uses the present date and the options given to produce an encryption code which is then used to convert the password given to a different code that can change automatically every so-many days, weeks or months. This code is then used as a directory name on a web server that cannot be seen unless you know where it is. It has advantages over just hiding a directory on a web server and telling people where it is as you can give people a simple, easy-to-remember password and have a fairly complex directory name, and with the system using the date as an encryption code the hidden directory can change regularly without having to continuously change the password given to users. This reduces the amount of people who should not be viewing the pages from getting to them, and if they do, it reduces the time that they can.



- McCombs Protection
URL : http://gmccomb.com/javascript/
reversible : no
essays : ~

The author says :
The password.html file demonstrates a JavaScript program showing the basic principle of allowing access to the restricted page. The program allows the user to enter a password. Clicking the Submit button decodes the password, and links to that page. Note that if the user selects the wrong password, an incorrect decipher string is generated, and Netscape attempts to link to a file that does not exist. An error message results.
The key value gives you many more password combinations. The password.html file uses the current day of the month as the key value. This allows the user to access the page for one day only. The next day the key value changes, and therefore the same password yields a different enciphered result. This system is particularly useful if you cannot update the restricted files on a regular basis. The files "self-expire" according to the current date.
(From The JavaScript Sourcebook, coming soon by Gordon McComb. Published by Wiley Computer Publishing. )

The Logicals


- The Screen-Size
URL : http://www.idca.com/~thesandman/javascript/easy/latigo/reverse2.htm
reversible : Yes
essays : ~

The Maths

I know, it is a bit 'dangerous' to say : this is 'Math' and that is 'Encrypted'. Take it as a subjective classification. I hope that YOUR contributions will make these classifications a bit more objective !
YES, and it could be that some of the 'Maths' or the 'Encrypted' are just gatekeepers !

- The Calculator
URL : http://www.idca.com/~thesandman/javascript/easy/sand1/sand1.html
reversible : Yes
essays : ~

- Lef's Password Pro
URL : http://www.geocities.com/~lef/
reversible : ?
essays : ~

- Chen's Password Pro II
URL : http://www.timetrends.com/howard/jsresource/indexTree.htm
reversible : ?
essays : ~

- Chen's Password Pro II a
URL : http://www.timetrends.com/howard/jsresource/indexTree.htm
reversible : ?
essays : ~

- Dude's JavaScript Page Protection Scheme. Realize 2 (Clarie's blue eyes)
URL : http://ns.onego.ru/trifles/
reversible : ?
essays : ~

- Kipling's Crackme
URL : http://www.kipling.com (site down - hacked - look here : http://gaby.ne.mediaone.net/crack )
reversible : Yes
essays : ~

- Warp
URL : http://members.xoom.com/JmV/JavaScript/index.htm
reversible : Yes
essays : ~

The Encrypted


- Capo Encrypter v.2.0
URL : http://www.mindspring.com/rjsavattiere/index2.htm (or look at http://www.infohiway.com)
reversible : yes
essays : ~
A lot of implementations are available, but very few make use of the '?'-thing after the URL.
But this could be the interesting part !

- Cyberarmy's Escape-Encrypter
URL : www.cyberarmy.com/encrypt.shtml
reversible : yes
essays : ~

- The Index-List
URL : http://www.saunalahti.fi/jaakko1/the/page/klacrew/index2.html
reversible : yes
essays : ~

- Login Script Creator 3.1
URL : http://members.xoom.com/_XOOM/yoboseyo/index2.html
reversible : ?
essays : ~
for history's sake : an older version (Login coder) can be found at
http://javascript.internet.com/passwords/login-coder.html

- Login Script Creator 4.0
URL : http://members.xoom.com/_XOOM/yoboseyo/index2.html
reversible : ?
essays : ~

- Login Script Creator 5 Beta
URL : http://members.xoom.com/_XOOM/yoboseyo/index2.html
reversible : ?
essays : ~

- dRnSofts Crackme
URL : http://www.drnsoft.demon.co.uk/
reversible : ?
essays : ~

- Infohiway's Encoder
URL : http://www.infohiway.com/javascript/encoder/index.htm
reversible : ?
essays : ~
They have a reverse-contest too (with a different version of the encoder) :
http://www.infohiway.com/javascript/n/n898.htm
impossible ?? :-))

Special : using cookies


- Wai's cookie protection
URL : http://www.lokhome.demon.co.uk/
reversible : ?
essays : ~

- The JavaScript Source's cookie protection
URL : http://javascript.internet.com/passwords/cookie.html
reversible : ?
essays : ~

They say :
You can use a basic cookie script to keep visitors (that don't have the cookie on their system) from viewing certain parts of your site (kind of.... There are always ways around it). The cookie is placed when the password provided is correct. Then, when they are forwarded to the password protected page, the cookie allows them to stay. Those without the cookie are sent back.

- Warp - Cookie version
URL : http://members.xoom.com/JmV/JavaScript/index.htm
reversible : Yes
essays : ~

The Commercials

- Jammer
URL : http://www.geocities.com/SiliconValley/4274/jammer.htm
reversible : ?
essays : ~

- Page Parser
URL : http://www.ozemail.com.au/~jbp/impressions/pageparser.html
reversible : ?
essays : ~

- Jmyth
URL : http://www.geocities.com/SiliconValley/Vista/5233/jmyth.htm
reversible : ?
essays : ~

- Javascript Scrambler
URL : http://members.tripod.com/~tier/
reversible : ?
essays : ~

- Psyral Phobia
URL : http://amazinglocations.com/heavensrage/pphobia4pro.html
reversible : ?
essays : ~

- ScryptKeeper
URL : http://amazinglocations.com/heavensrage/scryptkeeper.html
reversible : ?
essays : ~

- Micro$oft's Javascript-Encrypter
URL : ?
reversible : hope so !
essays : ~
Damn, I lost all the information about this. Have to search again. As far as I can remember there was a download for some kind of javascript-encrypter. When I wanted to download this crap, it was no longer available. Who knows something about this ?

The Bluffers
We will come across some code, where (for example) a lot of math is done to encode your password, and in the end, all you have to do is to make a little alert box to see the correct password/URL or whatever. :-)
I will mention them in this section once again, just for the sake of completeness.

- Capo Encrypter v.2.0
see : 'The Encrypted'

Standalone Encryption
Has nothing to do with this whole password-thing, but during the writing of this page I came across some encryptions on my HD. Why not collect them here ? (Maybe the starting point of just another lab or workshop ??)
Got some other crypto-URLs, but this should be enough for the moment.

- (Very) basic Encryption
URL : http://www.javascripts.com/ look for : script11657.html
reversible : :)
essays : ~

- Infohiway's encrypter
URL : http://www.infohiway.com (encrypt.htm)
reversible : :)
essays : ~

- Chen's cipher
URL : http://www.timetrends.com/howard/jsresource/indexTree.htm (cipher.htm)
reversible : :)
essays : ~

- Yobo's Encryption
URL : http://members.xoom.com/_XOOM/yoboseyo/index2.html
reversible : ?
essays : ~

- RSA Message-Digest Algorithm
URL : http://www.geocities.com/SiliconValley/7116 (jv_md5.html)
reversible : ?
essays : ~

- How to Hide Your EMAIL Address from Webspiders
includes an e-mail-encrypter
URL : http://mayashastra.simplenet.com/mail/mail_mask.html
reversible : ?
essays : ~




(c) Fravia 1995, 1996, 1997, 1998, 1999. All rights reserved