How to land in devious
by Peter Papazov
21 February 1998

Javascript page
Back to devious


Well in the past two days I reached consequently the ~ advanced javascript page and 
the ~160593.HTM URLs.

For the 'devious' puzzle things seemed complicated:

I consider that those who read the following lines already know well the ins 
and outs of Dolgov's routines, so I'll point out only the major steps I 
took...

  For the time I've put into it I couldn't find an approach of 
eliminating ranges of usernames and passwords. The way the F1 - F4 codes 
were generated seemed complicated enough (not a simple multiply and add) 
to be reversed out of the generated values.
  For a moment I thought there could be some mathematical way to figure 
out the F3 and F4 values, knowing F1 and F2. Or at least to figure out 
F3+F4.
  It seemed very complicated, and moreover improbable, because it would 
be a major flaw in the protection.
  Being given the F1 and F2 values of all the users, it is easy to 
modify the JavaScript to point out which username/password couples were 
omitted. I inserted a 'prompt( id )' in the place of the 'this.location' 
statement. The not given ones turned out to be users 4 and 6.
  A closer look showed that the F1 values of users 6 and 2 are equal. 
This meant that user 6's name is 'username' (same as user 2's).
  So here we had the F1 and F3 values for user 6. So we could find the 
sum of the page's name and the F4 value for user 6. This didn't seem 
quite helpfull to me.
  So I decided bruteforcing. One more thing which lead me this way was 
the mentioning that stalking/searching/sniffing would help a lot. 
Porting the JavaScript code to C is straightforward, I used the __int64 
and double types for the integer and floating point calculations. I 
ported only functions F1 and F2, and wrote a wordlist checking main 
routine. Looked up some english wordlist files and fired it up. I was 
searching for the F1 and F2 values of user 4 and for the F2 value of 
user 6. With a general english wordlist I found that the password for 
user 4 is 'targeted'. 
  Well, this was on the first line of the 'javdevio.htm' file? So, why 
don't we try gathering a Fravia.org wordlist. I used Jean Flynn's 
approach - Black Widow + his word extracting program.
  I sorted the file and removed the duplicates in the Aurora editor 
(really cool, DOS and Win32 console versions).
  When passed to the checker it gave the password for user 6 - 
'mozilla'.
  These loaded into the original 'javdevio.htm' form lead me to the 
'160593.htm' page.
  Well this is classified as a beginner solution. I sure am a beginner 
in this field. Finding the 'targeted' password was mostly good luck for 
me and bad luck for the single-english-word password users.

  Again I reached the solution, mostly on other people's shoulders (on 
what I have read of reaching the previous hidden pages), but this only 
proves that the lessons work ;-).

  In the end thanks to all the contributors and their host - you Fravia. 
  
Best regards,
Peter Papazov  

P.S. here I include the C checking program. it takes as a parameter the 
wordlist file
---------------------cut here------------------------- #include <stdio.h> #include <string.h> #include <ctype.h> #include <math.h> char weight[]="0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"; //****************************************************************************** // // Encryption operators // You got to alter the following values to get your own unique encryption code // // 1. The values should be within 0 ... 7 double fi11=2.232, fi12=0.372, fi13=1.322, fi14=5.322, fi15=2.322, fi16=3.771, fi17=2.313, fi18=1.300; double fi21=5.112, fi22=1.472, fi23=4.322, fi24=1.792, fi25=6.737, fi26=2.141, fi27=2.882, fi28=1.382; double fi31=3.342, fi32=5.352, fi33=1.732, fi34=3.008, fi35=1.399, fi36=5.999, fi37=4.913, fi38=2.578; double fi41=3.773, fi42=2.348, fi43=5.769, fi44=2.112, fi45=1.922, fi46=3.573, fi47=3.317, fi48=6.273; double fj11=0.732, fj12=4.732, fj13=4.732, fj14=0.732; double fj21=1.742, fj22=0.102, fj23=1.001, fj24=6.272; double fj31=4.732, fj32=6.212, fj33=6.001, fj34=6.212; double fj41=3.273, fj42=2.723, fj43=1.392, fj44=0.039; double m11=5.7193, m12=5.3732, m13=4.8313, m14=2.3991; double m21=3.3923, m22=3.3021, m23=6.4622, m24=1.1392; double m31=5.3991, m32=2.3010, m33=5.9223, m34=5.8283; double m41=2.3042, m42=1.3923, m43=1.2419, m44=0.3573; // // 2. The following values should be within limits 9.9999 ... 0.0001 // double k11=3.8173, k12=7.2094, k13=0.0001, k14=6.0202, k15=1.9294, k16=0.0011, k17=0.0033, k18=0.0492; double k21=1.3048, k22=0.0083, k23=0.0038, k24=0.0302, k25=2.3935, k26=9.4007, k27=4.2042, k28=0.0004; double k31=0.0298, k32=3.0020, k33=0.0912, k34=0.0123, k35=0.2033, k36=0.0001, k37=3.0034, k38=0.0009; double k41=0.2094, k42=9.0031, k43=5.2059, k44=2.4010, k45=0.0324, k46=0.0023, k47=0.2034, k48=9.9414; // // 3. 'Bases' should be within limits 10...36 (only integer!) // int base1=29, base2=31, base3=24, base4=34; #define MAXLEN 255 char buffer[MAXLEN+1]; FILE *input; //__________________________________________________________________________ // // Encryption functions F1 F2 F3 F4 (don't alter the following code) __int64 F1(char *j) { int x,i,k; __int64 z=0; char *p; __int64 pow=1; if( strlen( j ) > 10 ) j[10]=0; k=strlen( j ); for(i=0;i<k;i++) { p=strchr( weight, toupper( j[i] ) ); if( p ) { x=p-weight; z+=x*pow; } pow*=base1; }; return floor( 5e14*sin(m11*sin(z*k11+fi11)*cos(z*k12+fi12)+fj11)* sin(m12*sin(z*k13+fi13)*cos(z*k14+fi14)+fj12)* sin(m13*sin(z*k15+fi15)*cos(z*k16+fi16)+fj13)* sin(m14*sin(z*k17+fi17)*cos(z*k18+fi18)+fj14)+5e14); } __int64 F2(char *j) { int x,i,k; __int64 z=0; char *p; __int64 pow=1; if( strlen( j ) > 10 ) j[10]=0; k=strlen( j ); for(i=0;i<k;i++) { p=strchr( weight, toupper( j[i] ) ); if( p ) { x=p-weight; z+=x*pow; } pow*=base2; }; return floor( 5e14*sin(m21*sin(z*k21+fi21)*cos(z*k22+fi22)+fj21)* sin(m22*sin(z*k23+fi23)*cos(z*k24+fi24)+fj22)* sin(m23*sin(z*k25+fi25)*cos(z*k26+fi26)+fj23)* sin(m24*sin(z*k27+fi27)*cos(z*k28+fi28)+fj24)+5e14); } int main( int argc, char **argv ) { __int64 f2, f1; int t=0; if( argc > 1 ) { input=fopen( argv[1], "rt" ); if( input ) { while( !feof( input ) ) { if( fgets( buffer, MAXLEN, input ) != NULL ) { buffer[ strlen( buffer )-1 ]=0; f1=F1( buffer ); if( f1==191979145621879 ) printf( "\nUser 4's name is: %s\n", buffer ); f2=F2( buffer ); if( f2==251426266017281 ) printf( "\nUser 4's password is: %s\n", buffer ); if( f2==492060879591955 ) printf( "\nUser 6's password is: %s\n", buffer ); if( ++t==1000 ) { printf( "." ); t=0; } } else break; } fclose( input ); } } return 0; } ------------------------cut here-------------------------
You are deep inside Fravia's page of reverse engineering, choose your way out:

entrance
devious page
Back to the entrance
Back to the devious page

redhomepage redlinks redanonymity red+ORC redstudents' essays redacademy database
redtools redcocktails redantismut CGI-scripts redsearch_forms redmail_Fravia
redIs reverse engineering legal?