Here you go:
(01 March 1998)
Dear Reverser,
I've reached you 'javdevio.htm' page 3 days ago, and yesterday I finally
got a username/password to reach the protected part...
The method I used was :
1 - look at the JavaScript code, and modify it in order to localize the
usernames/passwords
I mean username/password is user 2, fred/fred user 1, reverser/reverser
user 3...
Doing this I realised that I have to find username/password for user
4 & 6.
Just a little observation lead me the conclusion that user 6 name is
"username" 'coz it's the same that user 2.
2 - write an utility to brute-force these unknown codes (user4,
password4, password6)
My first C program was performing about 20000 tries by second on my
Pentium 2 233Mhz.
I then computed how much time should be required with this approach,
assuming that the username/password to find has only characters (so
digits), the result was :
Phase 1 (password is 1 character long)............... 26 possibilities immediate result
Phase 2 (password is 2 character long).............. 676 possibilities immediate result
Phase 3 (password is 3 character long)........... 17.576 possibilities immediate result
Phase 4 (password is 4 character long).......... 456.976 possibilities 23 seconds
Phase 5 (password is 5 character long)....... 11.881.376 possibilities 10 minutes
Phase 6 (password is 4 character long)...... 308.915.776 possibilities 4 hours
Phase 7 (password is 4 character long).... 8.031.810.176 possibilities 4,5 days
Phase 8 (password is 8 character long)...208.827.064.576 possibilities 121 days
3 - considering the results above, I then decided to optimize my C code,
moving as much computation I could outside of the loops, storing results
in arrays... I also decided to change to order of characters to check,
from 'A', 'B'... 'Z' to the growing order of frequency of the characters
in a common language "ERISANTOULCPMDGFBVHZQXYJKW" (in french) my result
was something like the following code :
<![CDATA[
--------------------------------------------------------
//__________________________________________________________________________
// parse(c) <==> parse(uppercase(j[i]),36);
#define parse(c) ((c)-'A'+10)
//__________________________________________________________________________
char savefile[80],resultfile[80];
FILE *fcfg, *fsav;
char last_try[]="AAAA"; // starting values for a,b,c,d
char start_phase;
char a,b,c,d,e,f,g,h;
char CharacterSet[26]="ERISANTOULCPMDGFBVHZQXYJKW";
double
tpow1[10][26+'A'],tpow2[10][26+'A'],tpow3[10][26+'A'],tpow4[10][26+'A'];
int len;
void init_arrays(void)
{
char i,j;
for(i=0;i<10;i++)
for(j='A';j<='Z';j++) {
tpow1[i][j]=parse(j)*pow(base1,i);
tpow2[i][j]=parse(j)*pow(base2,i);
tpow3[i][j]=parse(j)*pow(base3,i);
tpow4[i][j]=parse(j)*pow(base4,i);
}
}
//__________________________________________________________________________
//
// Encryption functions F1 F2 ...
double F1(char j[])
{
char i;
double z=0;
// if (strlen(j)>10) j=j.substring(0,10);
for(i=0;i<len;i++){
z+=tpow1[i][j[i]];
}
return floor(5e14*sin(m11*sin(z*k11+fi11)*cos(z*k12+fi12)+fj11)*
sin(m12*sin(z*k13+fi13)*cos(z*k14+fi14)+fj12)*
sin(m13*sin(z*k15+fi15)*cos(z*k16+fi16)+fj13)*
sin(m14*sin(z*k17+fi17)*cos(z*k18+fi18)+fj14)+5e14);
}
double F2(char *j)
{
char i;
double z=0;
// if (strlen(j)>10) j=j.substring(0,10);
for(i=0;i<len;i++){
z+=tpow2[i][j[i]];
}
return floor(5e14*sin(m21*sin(z*k21+fi21)*cos(z*k22+fi22)+fj21)*
sin(m22*sin(z*k23+fi23)*cos(z*k24+fi24)+fj22)*
sin(m23*sin(z*k25+fi25)*cos(z*k26+fi26)+fj23)*
sin(m24*sin(z*k27+fi27)*cos(z*k28+fi28)+fj24)+5e14);
}
void write_result(char type, char u, char *s, double v)
{
if((fsav=f0/*n(resultfile,"at*/;)==NULL){
printf("ERROR: can't open result file\n"); exit(1);
}
fprintf(fsav,"\n%s %d : %s
[%15.0lf]\n",(!type)?"User":"Password",u,s,v);
fclose(fsav);
}
void test(char *s)
{
double z1,z2;
z1=F1(s);
z2=F2(s);
// if(USERS[0][0]==z1) printf("\nUser 1 : %s [%15.0lf]\n",s,z1);
// if(USERS[1][0]==z1) printf("\nUser 2 : %s [%15.0lf]\n",s,z1);
// if(USERS[2][0]==z1) printf("\nUser 3 : %s [%15.0lf]\n",s,z1);
if(USERS[3][0]==z1) write_result(0,4,s,z1);
// if(USERS[4][0]==z1) printf("\nUser 5 : %s [%15.0lf]\n",s,z1);
// if(USERS[5][0]==z1) printf("\nUser 6 : %s [%15.0lf]\n",s,z1);
// if(USERS[0][1]==z2) printf("\nPassword 1 : %s [%15.0lf]\n",s,z2);
// if(USERS[1][1]==z2) printf("\nPassword 2 : %s [%15.0lf]\n",s,z2);
// if(USERS[2][1]==z2) printf("\nPassword 3 : %s [%15.0lf]\n",s,z2);
if(USERS[3][1]==z2) write_result(1,4,s,z2);
// if(USERS[4][1]==z2) printf("\nPassword 5 : %s [%15.0lf]\n",s,z2);
if(USERS[5][1]==z2) write_result(1,6,s,z2);
}
void main(int argc, char **argv)
{
char tmp[]="AAAAAAAAAA"; // word to test against user/password
char current[]="AAAAAAAAAA"; // starting counters
clock_t clk;
double tim;
double speed=0.015; // tick / possibility
init_arrays();
sprintf(savefile,"%s.cfg",argv[0]);
sprintf(resultfile,"%s.out",argv[0]);
if((fcfg=fopen(savefile,"rb+"))==NULL){
start_phase='5';
a=b=c=d=0;
if((fcfg=fopen(savefile,"wb+"))==NULL){
printf("ERROR: can't creat save file\n"); exit(1);
}
save_last_try();
printf("Starting a new session at phase %c with word
%s\n",start_phase,last_try);
} else {
fread(&start_phase,sizeof(char),1,fcfg); // starting_phase
fread(&last_try,sizeof(char),4,fcfg); // last_try
printf("Continuing, phase %c - word %s\n",start_phase,last_try);
}
if((fsav=fopen(resultfile,"at+"))==NULL){
printf("ERROR: can't creat result file\n"); exit(1);
}
if(start_phase<'5') {
// 1 char, 26 possibilities
clk=clock();
printf("--- Phase 1\n");
len=1;
tmp[1]=0;
for(a=0;a<26;a++){ tmp[0]=CharacterSet[a];
test(tmp);
}
tim=clock()-clk;
printf("Phase 1 took %lf sec (%lf ticks by possibility)\n",(tim/CLOCKS_PER_SEC),tim/26);
// 2 chars, 676 possibilities
clk=clock();
printf("--- Phase 2 (will take %.3lf s)\n",speed*676/CLOCKS_PER_SEC);
len=2;
tmp[2]=0;
for(a=0;a<26;a++){ tmp[0]=CharacterSet[a];
for(b=0;b<26;b++){ tmp[1]=CharacterSet[b];
test(tmp);
}
}
tim=clock()-clk;
printf("Phase 2 took %lf sec (%lf ticks by possibility)\n",(tim/CLOCKS_PER_SEC),tim/676);
// 3 chars, 17.576 possibilities
clk=clock();
printf("--- Phase 3 (will take %.3lf s)\n",speed*17576/CLOCKS_PER_SEC);
len=3;
tmp[3]=0;
for(a=0;a<26;a++){ tmp[0]=CharacterSet[a];
for(b=0;b<26;b++){ tmp[1]=CharacterSet[b];
for(c=0;c<26;c++){ tmp[2]=CharacterSet[c];
test(tmp);
}
}
}
tim=clock()-clk;
printf("Phase 3 took %lf sec (%lf ticks by possibility)\n",(tim/CLOCKS_PER_SEC),tim/17576);
// 4 chars, 456.976 possibilities
clk=clock();
printf("--- Phase 4 (will take %.3lf s)\n",speed*456976/CLOCKS_PER_SEC);
len=4;
tmp[4]=0;
for(a=0;a<26;a++){ tmp[0]=CharacterSet[a];
for(b=0;b<26;b++){ tmp[1]=CharacterSet[b];
for(c=0;c<26;c++){ tmp[2]=CharacterSet[c];
for(d=0;d<26;d++){ tmp[3]=CharacterSet[d];
test(tmp);
}
}
}
}
tim=clock()-clk;
printf("Phase 4 took %lf sec (%lf ticks by possibility)\n",(tim/CLOCKS_PER_SEC),tim/456976);
}
if(start_phase<='5') {
current[0]=last_try[0];
current[1]=last_try[1];
current[2]=last_try[2];
current[3]=last_try[3];
// 5 chars, 11.881.376 possibilities
clk=clock();
printf("--- Phase 5 (will take %.3lf s)\n",speed*11881376/CLOCKS_PER_SEC);
len=5;
tmp[5]=0;
for(a=current[0]-'A';a<26;a++){ tmp[0]=CharacterSet[a];
for(b=current[1]-'A';b<26;b++){ tmp[1]=CharacterSet[b];
for(c=current[2]-'A';c<26;c++){ tmp[2]=CharacterSet[c];
for(d=current[3]-'A';d<26;d++){ tmp[3]=CharacterSet[d];
save_last_try();
for(e=0;e<26;e++){ tmp[4]=CharacterSet[e];
test(tmp);
}
}
current[3]='A';
}
current[2]='A';
}
current[1]='A';
}
start_phase++;
current[0]='A';
tim=clock()-clk;
printf("Phase 5 took %lf sec (%lf ticks by possibility)\n",(tim/CLOCKS_PER_SEC),tim/11881376);
}
if(start_phase=='6') {
current[0]=last_try[0];
current[1]=last_try[1];
current[2]=last_try[2];
current[3]=last_try[3];
// 6 chars, 308.915.776 possibilities
clk=clock();
printf("--- Phase 6 (will take %.3lf
s)\n",speed*308915776/CLOCKS_PER_SEC);
len=6;
tmp[6]=0;
for(a=current[0]-'A';a<26;a++){ tmp[0]=CharacterSet[a];
for(b=current[1]-'A';b<26;b++){ tmp[1]=CharacterSet[b];
for(c=current[2]-'A';c<26;c++){ tmp[2]=CharacterSet[c];
for(d=current[3]-'A';d<26;d++){ tmp[3]=CharacterSet[d];
save_last_try();
for(e=0;e<26;e++){ tmp[4]=CharacterSet[e];
for(f=0;f<26;f++){ tmp[5]=CharacterSet[f];
test(tmp);
}
}
}
current[3]='A';
}
current[2]='A';
}
current[1]='A';
}
start_phase++;
current[0]='A';
tim=clock()-clk;
printf("Phase 6 took %lf sec (%lf ticks by possibility)\n",(tim/CLOCKS_PER_SEC),tim/308915776);
}
if(start_phase=='7') {
current[0]=last_try[0];
current[1]=last_try[1];
current[2]=last_try[2];
current[3]=last_try[3];
// 7 chars, 8.031.810.176 possibilities
clk=clock();
printf("--- Phase 7 (will take %.3lf s)\n",speed*8031810176/CLOCKS_PER_SEC);
len=7;
tmp[7]=0;
for(a=current[0]-'A';a<26;a++){ tmp[0]=CharacterSet[a];
for(b=current[1]-'A';b<26;b++){ tmp[1]=CharacterSet[b];
for(c=current[2]-'A';c<26;c++){ tmp[2]=CharacterSet[c];
for(d=current[3]-'A';d<26;d++){ tmp[3]=CharacterSet[d];
save_last_try();
for(e=0;e<26;e++){ tmp[4]=CharacterSet[e];
for(f=0;f<26;f++){ tmp[5]=CharacterSet[f];
for(g=0;g<26;g++){ tmp[6]=CharacterSet[g];
test(tmp);
}
}
}
}
current[3]='A';
}
current[2]='A';
}
current[1]='A';
}
start_phase++;
current[0]='A';
tim=clock()-clk;
printf("Phase 7 took %lf sec (%lf ticks by possibility)\n",(tim/CLOCKS_PER_SEC),tim/8031810176);
}
if(start_phase=='8') {
current[0]=last_try[0];
current[1]=last_try[1];
current[2]=last_try[2];
current[3]=last_try[3];
// 8 chars, 208.827.064.576 possibilities
clk=clock();
printf("--- Phase 8 (will take %.3lf s)\n",speed*208827064576/CLOCKS_PER_SEC);
len=8;
tmp[8]=0;
for(a=current[0]-'A';a<26;a++){ tmp[0]=CharacterSet[a];
for(b=current[1]-'A';b<26;b++){ tmp[1]=CharacterSet[b];
for(c=current[2]-'A';c<26;c++){ tmp[2]=CharacterSet[c];
for(d=current[3]-'A';d<26;d++){ tmp[3]=CharacterSet[d];
save_last_try();
for(e=0;e<26;e++){ tmp[4]=CharacterSet[e];
for(f=0;f<26;f++){ tmp[5]=CharacterSet[f];
for(g=0;g<26;g++){ tmp[6]=CharacterSet[g];
for(h=0;h<26;h++){ tmp[7]=CharacterSet[h];
test(tmp);
}
}
}
}
}
current[3]='A';
}
current[2]='A';
}
current[1]='A';
}
start_phase++;
current[0]='A';
tim=clock()-clk;
printf("Phase 8 took %lf sec (%lf ticks by possibility)\n",(tim/CLOCKS_PER_SEC),tim/208827064576);
}
printf("All done... bye\n");
fclose(fcfg);
exit(0);
}
--------------------------------------------------------
]]>
With this code the performance was : about 666667 tries by second,
giving :
Phase 1 (password is 1 character long)............... 26 possibilities immediate result
Phase 2 (password is 2 character long).............. 676 possibilities immediate result
Phase 3 (password is 3 character long)........... 17.576 possibilities immediate result
Phase 4 (password is 4 character long).......... 456.976 possibilities 6 seconds
Phase 5 (password is 5 character long)....... 11.881.376 possibilities 3 minutes
Phase 6 (password is 4 character long)...... 308.915.776 possibilities 80 minutes
Phase 7 (password is 4 character long).... 8.031.810.176 possibilities 35 hours
Phase 8 (password is 8 character long)...208.827.064.576 possibilities 37 days
This was much better, but not enough for me...
4 - Considering that when you want to use brute force, you have to be
very strong, powerful, etc...
I choosed to reduce the waiting time using the computing power of
the network of my company...
This required a little more coding but the result is here : only
using the network after working hours (in order to not disturb the
employees), the more the network uses computer, the less it takes to
find a solution.
That's all, the result is here.
Comments can be send at :
Azazel_Corp(at)hotmail(point)com