Courtesy of Fravia's page of reverse engineering
Well, MR and some other javacrackers have written to me that the 'easy' devious entrance is indeed TOO easy. Maybe, yet as you know I see exactly who peruses my pages, and I can assure you that out of 4-5000 hits (March 1998) per day only 10-12 "new" identities land on the devious page in a week.
And anyway don't worry: the entrance to the advanced stalking javascript section, in July, will be MUCH more difficult :-)

MR to Fravia+: 26 March 1998

Greetings to all fellow crackers...

Nothing really new in this essay, but Fravia+ wanted us to write him our ways to the "devious" page, so I do...

Well, I finally got to the devious page through the easy entrance (lamer) :) although I first tried the hard entrance for a couple of days. Here are my approaches.

First of all I saved a copy of javdevio.htm and started to study the script. After a short look at the functions used to encrypt the username and password I already knew that it wouldn't be easy to reverse them.

And after a closer look at them I concluded that it's just impossible, due to the fact that sine functions are being used. As most of you know, there are infinitely many arguments that produce a given sine value.

So I tried to understand the "general" principle of the code I was staring at, and found out that the 'username' and 'password' were totally independent in the protection scheme. That means you can actually think of them as just two passwords that both must be correct to get in.

F1 encrypts the username, F2 encrypts the password; if both encrypted values coincide with the user-array values, then F3, F4 and the third user-array value are used to calculate the name of the page.

Since there was no way to reverse the encryption algorithm, and a few "manual" attempts with likely words as username/password combinations didn't work, I saw nothing better than a brute force approach.

As soon as I noticed how slow javascript execution is, I ported the javascript code to C.

Somewhere in this phase I found out which 2 user/pass combinations in the user-array are yet "unused", and also found the thing with the username "username". It was used twice, and one of them belonged to the array entry leading to the devious page. So one username that would let you enter the devious page was already there (='username')! The "only" thing to do was to find the password belonging to that user. (Alas, none of the other 4 known passwords matched the password-array value for that user :-)

So from this point on I concentrated on searching for the password that would work in combination with the username "username".

Alas, all my attempts to find the right password with the brute force method failed. Since I didn't know the length of the password, I had to start with 1 and increase the length in case of no success. I gave up after the length of 6. It took hours already, and multiplying by 36 possible characters at the 7th position implied that it would take days. (Funny... the correct password was mozilla, which indeed is 7 characters long!)

Then I searched the web for word lists and found quite a few (the biggest one 2.5 MB I think), but obviously not the right ones, because checking them gave me no results.

So I was at the end and took once more a very careful look at the myown511.htm page, read the DECIDING sentence:
"The correct password, that would land you on my 'devious' page on 20 MARCH 1998, would land you on vournt.htm on another march day... another, not any other day... duh"
and finally I understood its meaning! (I had read it before but somehow I understood it wrong.)

The CORRECT password produces "vournt" on SOME day of march!!! So it was all there. Since it's a self-reversing algorithm, just calculate the page names for password "vournt" for all 31 days of march. Take the page names now as passwords! Clear: all of them produce "vournt" as page name on any given march day, AND one of them is the correct password that lands you on the devious page on march 20th!

So all you have to do is to set the date to march 20th in your copy of "myown511.htm", try out all of the "passwords" and look for the ones that produce a number as the page name (Fravia already said it was a number). Pretty quickly you'll find the "devious" page.

Conclusion:
I would have succeeded with the "hard entrance" if I
a) had found a 'better' word list, or
b) had compiled my own word list from the contents of Fravia's pages
   (I should have followed Fravia's tip about some stalking/searching and sniffing !!)
Secondly, the easy entrance is really easy. The only thing is to understand Fravia's (quite loosely formulated :-) tip.

MR.
(c) 1998 MR All rights reversed
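The self-reversing trick MR describes above, worked through as an added illustration. This is neither MR's C port nor Fravia's javdevio.htm script: the real F1-F4 are not reproduced on this page, so the 36-symbol alphabet, the key schedule `day_key`, the toy transform `page_name` and every password and page name it produces are constructed assumptions. What the page does give is the shape of the scheme (a date-keyed, self-inverse page-name function, "vournt" on some March day, a numeric page on March 20), and the block shows why that shape alone is enough: an involution lets the known output be fed back in as a password, giving 31 candidates to replay on the target day. `hashed_gate` is the defender's contrast, a one-way comparison where an observed output yields nothing to feed back.

```python
import hashlib

# Added illustration, not MR's code and not Fravia's script.
# Everything below the two essay-derived constants is a constructed stand-in for F1-F4.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"  # 36 symbols, MR's per-position count
TARGET_DAY = 20          # essay: the right password yields the devious (numeric) page on 20 March
KNOWN_OUTPUT = "vournt"  # essay: the same password yields vournt.htm on another March day


def day_key(day, pos):
    # Constructed key schedule (assumption); the page never shows the real one.
    return (7 * day + 3 * pos) % len(ALPHABET)


def page_name(password, day):
    """Toy stand-in for F3/F4: reflect each symbol around a day-dependent key.
    x -> (k - x) mod 36 is its own inverse, so page_name(page_name(p, d), d) == p,
    which is exactly the 'self-reversing' property MR relies on."""
    n = len(ALPHABET)
    return "".join(
        ALPHABET[(day_key(day, pos) - ALPHABET.index(ch)) % n]
        for pos, ch in enumerate(password)
    )


def candidate_passwords(known_output=KNOWN_OUTPUT, days=range(1, 32)):
    """MR's step 1: treat the known page name as a password and run it through
    every March day. Because the transform is an involution, each result is a
    password that produces known_output on that day."""
    return {day: page_name(known_output, day) for day in days}


def devious_hits(known_output=KNOWN_OUTPUT, target_day=TARGET_DAY):
    """MR's step 2: replay every candidate on the target day and keep those whose
    page name is purely numeric. Returns {candidate_password: page_name}."""
    hits = {}
    for _day, cand in candidate_passwords(known_output).items():
        name = page_name(cand, target_day)
        if name.isdigit():
            hits[cand] = name
    return hits


def digest_of(password):
    return hashlib.sha256(password.encode()).hexdigest()


def hashed_gate(password, stored_digest):
    """Defender's contrast: compare a one-way digest instead of a reversible
    transform. Knowing an accepted output gives no password to feed back in."""
    return digest_of(password) == stored_digest


if __name__ == "__main__":
    for pw, name in devious_hits().items():
        print(f"candidate {pw!r} -> page {name}.htm on March {TARGET_DAY}")
```

With the constructed key schedule, two of the 31 candidates give an all-digit page name on day 20, which matches MR's "look for the ones that produce a number": the shortlist is tiny because the reversible transform collapses the whole 36^7 search MR abandoned into 31 replays. A digest comparison has no such structure to exploit, so an observed page name or stored value tells a reader nothing about the password.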
