The impossible entrance
clever attempts



[SnW] ~ [Don Quijote]

Snw (June 1999):
I was wondering if anyone has solved this problem found on Fravia's "hyper protections" page?! (If you don't know what I'm talking about, then "reverse" the entrance for warm up.)

If so, I would appreciate your thoughts.

If not, I can give some clues (I am out of time for trying further at the moment.) Ok, you know from viewing source that this is a JScript thing. Furthermore, you know that if you enter the correct code, you will be "TAKEN" to a secure page. This is really too much of a clue! Although we don't know how many characters the key is, we also really don't care too much.

Rather than do the brain-dead method of straight brute force (good luck spending years trying), think smarter. Obviously the "Eval()" function is looking for some JScript. Since we know we will be relocating, try to brute force on the relevant JScript phrases, such as "navigate", "location", "window", "http://", etc... (my guess is "navigate" will be the winner, but others with more JScript experience would know better).

I would try all combinations of 4 letters/digits at a time. For instance, search for "navi", "wind", etc. If found, prepend your 4-letter key so far to all combinations of 2 or 3 more letters and repeat the process over and over. (Now searching for "naviga", then "navigate", etc.) Sooner or later, things should shake loose and in much less time than a straight brute force!

If the real key is only a letter or two, you haven't lost a thing (i.e. "ababab" might indicate a two digit key: "ab").

To get someone started, here is some "C" code I used for the first step. Either modify it, or after running, take the output file and using UltraEdit or something, extract a list of possible keys which passed through our first filter. These can be read into an array for the second attempt. (i.e. fscanf(fInput, "%\"%4s%\"\n", aKeys[iKey++]);)

Any thoughts?

- sNw

#include <ctype.h>   /* tolower() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(void)
{
    FILE *fOutput;
    /* Lookup alphabet: cipher and key characters are mapped to their index in this string */
    char sLookup[]="@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789~!#$%^&*():;/.\t\r -'+\"=";
    char sCipher[]="6gy.=gvlq:z91=uowwYsM+w86gyrQnzpPfI!7jFrBpWAy'H86jTJAlzly I!8lMNCoywG=H7~myrBpyF5aH~dSWYWSF2rkG!#HCoBnPDw@I~#fBtCkwep'E86g";
    /* Characters tried in each key position */
    char sValid[]="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-";
    /* Four-letter fragments expected in the decrypted script */
    char aPhrase[7][5] ={"loca", "navi", "wind", "open", "hist", "href", "writ"};
    char sOutFile[]="c:\\misc\\text.out";
    char sKey[]="    ";   /* four blanks: room for a 4-character key; nKeyLen is taken from this */
    char sTmp[]=" ";
    char sText[200], sTest[200];
    int i1, i2, i3, i4, iChar, iPos, iLookup, iFirst, iSecond;
    int nLookupLen, nCipherLen, nValidLen, nKeyLen;

    if ((fOutput = fopen(sOutFile, "w")) == NULL) {
        fprintf(stderr, "Unable to open output file %s\n", sOutFile);
        exit(1);
    }
    nValidLen=(int)strlen(sValid);
    nLookupLen=(int)strlen(sLookup);
    nCipherLen=(int)strlen(sCipher);
    nKeyLen=(int)strlen(sKey);
    /* Try every 4-character key built from sValid */
    for (i1=0;i1<nValidLen;i1++) {
        fprintf(stderr, "%d of %d...\n", i1+1, nValidLen);
        sKey[0]=sValid[i1];
        for (i2=0;i2<nValidLen;i2++) {
            sKey[1]=sValid[i2];
            for (i3=0;i3<nValidLen;i3++) {
                sKey[2]=sValid[i3];
                for (i4=0;i4<nValidLen;i4++) {
                    sKey[3]=sValid[i4];
                    sKey[4]='\0';

                    /* Decrypt: index(cipher char) - index(key char), modulo the alphabet length */
                    iPos=0;
                    for (iChar=0;iChar<nCipherLen;iChar++) {
                        sTmp[0]=sCipher[iChar];
                        sTmp[1]='\0';
                        iFirst=(int)strcspn(sLookup, sTmp);
                        sTmp[0]=sKey[iPos];
                        sTmp[1]='\0';
                        iSecond=(int)strcspn(sLookup, sTmp);
                        iLookup=(iFirst-iSecond+nLookupLen)%nLookupLen;
                        sText[iChar]=sLookup[iLookup];
                        iPos=(iPos+1)%nKeyLen;
                    }
                    sText[iChar]='\0';
                    /* Lower-case copy for the case-insensitive phrase search */
                    for (iPos=0;iPos<nCipherLen;iPos++) {
                        sTest[iPos]=(char)tolower((unsigned char)sText[iPos]);
                    }
                    sTest[iPos]='\0';
                    /* Log the key if any expected fragment shows up */
                    for (iPos=0;iPos<7;iPos++){
                        if (strstr(sTest, aPhrase[iPos]) != NULL) {
                            fprintf(fOutput, "\"%s\" --> %s\n", sKey, sText);
                            break;
                        }
                    }

                }
            }
        }
    }
    fclose(fOutput);
    return 0;
}
snwoods-at-earthlink-dot-net (sNw)

Don Quijote (June 1999):

I spent the last three days trying to crack it!
I got many hints! Here they are:

a) Key is 12 characters long: ------------
b) I have a pretty sure guess for first and last character: %----------^
c) Second letter may be "m" or "r"
d) Fifth and sixth letter may be "Ht" or "Iv"
e) Eleventh letter is probably an "O"

My guesses are mainly based on the high probability of spaces, the order of \t after \r, more lowercase than uppercase letters, repeating patterns (every 12 chars) in cipher string, etc.

In the process of distilling a useful key I wrote a few C proggies, totalling 17 KB of source code and approx. 7 different approaches. I'll wrap everything up and send it to you via mail if I get your OK.
There are still some checks to be made, for example, testing against the following occurrences:
- location
- write
- alert
- document.
- .htm
- possible (partial match for i/I mpossible)
- navigate (stolen from sNw)

In the meantime, here's a nice key that sadly does not work: "Y+pci+Nym.N*"

I'll probably write an essay describing all my different failed attempts at the impossible entrance. Of course, only after I find the correct one!

Fravia+ or The Seeker, if you happen to read this post, could you please tell me where you got the code from (I like to study the environment) and if you also customized the encrypted code!

Anyone else interested in reversing the impossible entrance?

Bye. A happy poster.

Don Quijote
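
An added example, not part of either post above: because each key character is just index(cipher) minus index(plain) in the lookup table, a guessed phrase can be slid along the ciphertext and the key characters read off directly, with no trial of 4-letter keys. The alphabet, valid-key set, key "sancho", sample plaintext and all function names are constructed for this sketch; a placement is kept only if the derived characters are valid key characters and agree with each other under the assumed key length.

```c
#include <stdio.h>
#include <string.h>
/* Constructed stand-ins for the roles of sLookup and sValid in the C code above. */
static const char ALPHA[] = "abcdefghijklmnopqrstuvwxyz .=\"/";
static const char VALID[] = "abcdefghijklmnopqrstuvwxyz";
static int idx(char c) { return (int)(strchr(ALPHA, c) - ALPHA); }

/* sign=+1 encrypts, sign=-1 decrypts: out = in +/- key (mod alphabet size). */
void shift_text(const char *in, const char *key, int sign, char *out)
{
    int n = (int)strlen(ALPHA), kl = (int)strlen(key), i;
    for (i = 0; in[i]; i++)
        out[i] = ALPHA[(idx(in[i]) + sign * idx(key[i % kl]) + n) % n];
    out[i] = '\0';
}

/* Assume the crib sits at offset off. Fills key[] at (off+i) % keylen, '?'
   elsewhere; returns 0 on an invalid key char or a clash with one already set. */
int place_crib(const char *ct, const char *crib, int off, int keylen, char *key)
{
    int n = (int)strlen(ALPHA), len = (int)strlen(crib), i;
    memset(key, '?', keylen);
    key[keylen] = '\0';
    for (i = 0; i < len; i++) {
        char k = ALPHA[(idx(ct[off + i]) - idx(crib[i]) + n) % n];
        char *slot = &key[(off + i) % keylen];
        if (!strchr(VALID, k) || (*slot != '?' && *slot != k)) return 0;
        *slot = k;
    }
    return 1;
}

/* Drag the crib across every offset and count the placements that survive. */
int count_placements(const char *ct, const char *crib, int keylen)
{
    char key[64];
    int off, hits = 0, last = (int)strlen(ct) - (int)strlen(crib);
    for (off = 0; off <= last; off++)
        hits += place_crib(ct, crib, off, keylen, key);
    return hits;
}

int main(void)
{
    char ct[64], key[64];
    shift_text("window.location=\"/inner/page.htm\"", "sancho", +1, ct);
    if (place_crib(ct, "location", 7, 12, key)) printf("partial key: %s\n", key);
    printf("%d surviving offsets\n", count_placements(ct, "location", 6));
    return 0;
}
```

With an assumed key length of 12, as in Don Quijote's hint a), one 8-character crib fixes 8 of the 12 key positions per placement and leaves the rest as '?'.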