javhelp1.htm Fravia explaining easy Javascript password systems

J A V A S C R I P T	fravia's Javascript section ~ Help Fravia's Nofrill Web design (1998)		Updated 25 January 1998	SOME HELP (for the "easy" entrance) Many among you have emailed me claiming that there are much too many possible solutions for the "easy entrance" to the advanced javascript pages. I decided to give you some more hints, albeit I don't believe they are really that necessary... Here follow some examples: a letter by Jean Flynn, who worked correctly in finding out the 'obligatory' last letters of the password, yet failed in the 'reducing' part of the crack, and a email by Tristan, who worked correctly in calculating the password length (10 characters, the first one irrelevant for the code part) but failed miserably in his 'flair' for the correct name (+ORC wrote that good crackers should study more rhetoric/semanthic and less math and programming :-) Anyway, here you go...

Caveat
Some readers have expressly asked me NOT to give any explanations about the javascript entrances for instance Andrex:

 "...all this just to say: I'm working and I think that lots of other 
people are doing the same. PLEASE, don't explain the solution of this 
problem because I'll make my brain to work till I'll get the right 
password.

BTW, I'm very happy to work on this code because I'm learning a bit 
of Javascript.

This is REAL FUN, thank you. Andrex"

Others, on the other hand, have asked for more clues, like diphth:

"...I know how the damn thing works.. I mean it's not way above my 
head. You have a defined array, and the first three functions serve 
to set another array up. Then the final (get the obfuscated password 
function) each char. of the password entered sets up the final loop 
(outer to its # of iterations based on pass.length) the inner produces 
that obscenely large number by code = code + one of the members of 
the f array, then code = code * (1-however long the password entered 
was.) I want a hint (so here it is.. my foolish intent finally 
blurted out; this is where you either aid me or drop me like a 
forgettable cigarrette end)..."

Well, for those of you that want to work alone on all this, just DO NOT READ WHAT FOLLOWS!

A letter by Jean "Flynn"
with a c decoder (18 January 1998)

In fact I decided to publish this help page you are reading now after having read this... Clearly, if people are capable to find out that the last letter must be r (among a couple of other possibilities), that the first one does not matter and YET they don't find the real password they do deserve some more clues... ...The key may be proven to be 10 digits, the first one being useless (Javabug there?), and the 2nd and 3rd being allowed to be switched, and the last one being in [C, Z, h, i, r, w] - the program generates only the 9 significant characters of the key, you have to add one random char in front. That is, that makes about 500 Mb of generated keys. I didn't find anything 'obvious' in them to indicate a password - so I'm kind on the way of giving up. If you feel my efforts worth it, may be you'll point out the detail I missed... // warning - need support of __int64 (64-bits integers) type to work properly. // C++, but nothing really needed from C++ #include <stdio.h> #include <stdlib.h> #include <string.h> char base[62] = { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9','A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z','a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z'} ; // this array has been obtained by inserting "prompt("", f) ;" // after the array f is generated in the Java script. I'm so lazy. int f[62] = { 23,535,1047,1559,2071,2583,3095,3607,4119,4631, 12,21,26,38,53,72,101,139,294,375,584,841,1164, 1678,2425,4989,6478,10076,14494,21785,30621,69677, 87452,139356,201113,278810,80,83,93,99,113,131, 159,194,346,416,619,861,1165,1649,2256,4766,6077, 9554,13713,20576,28894,65661,82386,131248,164801,262524 } ; char key[20] ; inline int test(int i) { // return i>=36 ; // use this to generate only lower case keys // return ((i>=10)&&(i<36)) ; // use this to generate only Upper case keys // return i>=10 ; // use this to generate key with no digits return 1 ; // generate all keys } // no much comments in this - reverse it to understand what it does :-) int ptry(int level, __int64 val, int start) { __int64 tval ; val/=level ; level-- ; if (level==0) { for (int i=0; i<62; ++i) { if (test(i)) if (val==f[i]) { key[level] = base[i] ; key[10] = 0 ; printf("%s\n", key) ; } } return 0; } for (int i=start; i<62; ++i) { tval = val-f[i] ; if ((tval % level)==0) { if (test(i)) { key[level] = base[i] ; ptry(level, tval, 0) ; // recursivity is the worst technique, but I love it } } } return 1 ; } void main(int argc, char *argv[]) { memset(key, ' ', sizeof(key)) ; ptry(9, 25834242042, 0) ; // key_length, passkey, starting_value (should be zero) }

A letter by Tristan
with a c decoder (25 January 1998)Fravia+, I started to write a little bruce force cracker for the jscript. But wait a moment, how many possibilities are there? Errh, let'S fire the windows calculator up, and that gives me: around 1,3 * 10^16 possibilities, hmm well forget this bruce force cracker!! So a bit more ZEN, first of all let's CALCULATE THE PASSWORD LENGTH! 1.Dumping the params to a file i get for the littlest f[x]=12 and the biggest f[x]=278810. 2. Calculation with the littlest number it gives me the information that the pwd. must be longer then 7 chars, and another calculation gives me that it must be smaller than 13. 3.Because of the calculation the length of the pwd. must be 1,2,3,6,7,9,14,18,21,42,63,126 or longer. But i think 126 is very long. Now combinig this information i get the length of the pwd. it's 9! But looking a bit better at the code it tells me that you throw the first character of the pwd. away. (Btw. did you wanted to do this, as a trick of a genius to bounce all lamers out?) Well after this we have much less pwd. to be cracked with my bruce force cracker. But this is also too much. I reversed the whole protection: I think you know your code very good so i don't have to tell you how this works. (divide by the length of pwd. subtrakt f[length(pwd)...] This gives me a piece of c++ code. And wow it works, and it is very fast. After 3 hours it had calculated all possibilities. Not bad i thought... let's try these few possibilieties... FEW?, no they are NOT few! There are more then 900000 possibiliteis to match the calculation. Here are some of them: _M8xNC100C _PIxNC100C .... _veJiwyznw _evJiwyznw (If you don't believe just try) But which one is the right? I searched for some java oriented words and found these: _LHXfRav7C _HLXfRav7C _VLejAvA7h _LVejAvA7h _vOJaVa2Ji _OvJaVa2Ji But, as you know, they don't work. Now comes the question part: 1. Can you give me a hint? I solved the mathematical quest, but which code is the right one? I think there is no hint in the page wich gives me a clou. 2.Would you like me to write a tut on my way to solve this quest? (I promisse that i won't have so much faults in the tut than in this letter!!!) 3.Will ther come more such games?? PLEASE i liked it very much!! If you like to answer my letter then send to to.tristan@usa.net Bye till the next time. What now comes is my fast cracker. If you don't want to look at it then cut this message here. ---------------cut here, compiled with watcom c/c++ 11.0---------- #include <iostream.h> int Teiler; int z1,z2,z3,z4,z5,z6,z7,z8; __int64 a1[62],a2[62],a3[62],a4[62],a5[62],a6[62],a7[62],a8[62]; __int64 base[62]; __int64 code; int i; char getit[64] = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz?"; void main( void ) { base[0]=23; base[1]=535; base[2]=1047; base[3]=1559; base[4]=2071; base[5]=2583; base[6]=3095; base[7]=3607; base[8]=4119; base[9]=4631; base[10]=12; base[11]=21; base[12]=26; base[13]=38; base[14]=53; base[15]=72; base[16]=101; base[17]=139; base[18]=294; base[19]=375; base[20]=584; base[21]=841; base[22]=1164; base[23]=1678; base[24]=2425; base[25]=4989; base[26]=6478; base[27]=10076; base[28]=14494; base[29]=21785; base[30]=30621; base[31]=69677; base[32]=87452; base[33]=139356; base[34]=201113; base[35]=278810; base[36]=80; base[37]=83; base[38]=93; base[39]=99; base[40]=113; base[41]=131; base[42]=159; base[43]=194; base[44]=346; base[45]=416; base[46]=619; base[47]=861; base[48]=1165; base[49]=1649; base[50]=2256; base[51]=4766; base[52]=6077; base[53]=9554; base[54]=13713; base[55]=20576; base[56]=28894; base[57]=65661; base[58]=82386; base[59]=131248; base[60]=164801; base[61]=262524; cout<<"Fast cracker started"<<endl; code="25834242042;.class" tppabs="http://fravia.org/25834242042;.class" Teiler=9; code=code/Teiler; /*Erzeuge Array a1*/ for (i=0; i<62; i++) {a1[i]=code-base[i];} for (z1=0; z1<62; z1++) { cout<<"nΣchster teiler"<<endl; if (a1[z1]/8*8==a1[z1]) { a1[z1]=a1[z1]/8; for (i=0; i<62; i++) {a2[i]=a1[z1]-base[i];} for(z2=0; z2<62; z2++) { if (a2[z2]/7*7==a2[z2]) { a2[z2]=a2[z2]/7; for (i=0; i<62; i++) {a3[i]=a2[z2]-base[i];} for(z3=0; z3<62; z3++) { if (a3[z3]/6*6==a3[z3]) { a3[z3]=a3[z3]/6; for (i=0; i<62; i++) {a4[i]=a3[z3]-base[i];} for(z4=0; z4<62; z4++) { if (a4[z4]/5*5==a4[z4]) { a4[z4]=a4[z4]/5; for (i=0; i<62; i++) {a5[i]=a4[z4]-base[i];} for (z5=0; z5<62; z5++) { if (a5[z5]/4*4==a5[z5]) { a5[z5]=a5[z5]/4; for (i=0; i<62; i++) {a6[i]=a5[z5]-base[i];} for (z6=0; z6<62; z6++) { if (a6[z6]/3*3==a6[z6]) { a6[z6]=a6[z6]/3; for (i=0; i<62; i++) {a7[i]=a6[z6]-base[i];} for (z7=0; z7<62; z7++) { if (a7[z7]/2*2==a7[z7]) { a7[z7]=a7[z7]/2; for (i=0; i<62; i++) {a8[i]=a7[z7]-base[i];} for (z8=0; z8<62; z8++) { for (i=0; i<62; i++) { if (a8[z8]-base[i]==0) { cout<<"_"<<getit[i]<<getit[z8]<<getit[z7]<<getit[z6]<<getit[z5]<<getit[z4]<<getit[z3]<<getit[z2]<<getit[z1]<<endl; } } } } } } } } } } } } } } } } } }/*ENDE*/

Some help for you:
1) The 'easy solution' code "throws away" the first letter of the password to solve all case sensitive problems for users. So the only way you can get it correct (short of trying all combiantions from axxxxxxxxx to zxxxxxxxxx) is to reconstruct it from the other letters... incidentally that means that the name of the page MAKES sense and it is NOT just something like 4_RRA3Z_.htm

2) There are NO numbers in the code, only chars

3) You should have understood that the last letter is a "r" (like ronald)

That should be enough even for a brute force attack, yet if you read the 'dead end' part of the entrances, you may find ANOTHER way to get there...

So, I hope that now many more of you will find the right way (WITHOUT or WITH bruteforcing as you like)... and, what's more important, may be some of my more advanced readers and wizards have something interesting to add, which I will publish... of course "on the other side"...

Back to the Javascript entrances

Is reverse engineering legal?