How to land in devious

by Peter Papazov

21 February 1998



Javascript page
Back to devious




Well in the past two days I reached consequently the ~ advanced javascript page and 

the ~160593.HTM URLs.



For the 'devious' puzzle things seemed complicated:



I consider that those who read the following lines already know well the ins 

and outs of Dolgov's routines, so I'll point out only the major steps I 

took...



  For the time I've put into it I couldn't find an approach of 

eliminating ranges of usernames and passwords. The way the F1 - F4 codes 

were generated seemed complicated enough (not a simple multiply and add) 

to be reversed out of the generated values.

  For a moment I thought there could be some mathematical way to figure 

out the F3 and F4 values, knowing F1 and F2. Or at least to figure out 

F3+F4.

  It seemed very complicated, and moreover improbable, because it would 

be a major flaw in the protection.

  Being given the F1 and F2 values of all the users, it is easy to 

modify the JavaScript to point out which username/password couples were 

omitted. I inserted a 'prompt( id )' in the place of the 'this.location' 

statement. The not given ones turned out to be users 4 and 6.

  A closer look showed that the F1 values of users 6 and 2 are equal. 

This meant that user 6's name is 'username' (same as user 2's).

  So here we had the F1 and F3 values for user 6. So we could find the 

sum of the page's name and the F4 value for user 6. This didn't seem 

quite helpfull to me.

  So I decided bruteforcing. One more thing which lead me this way was 

the mentioning that stalking/searching/sniffing would help a lot. 

Porting the JavaScript code to C is straightforward, I used the __int64 

and double types for the integer and floating point calculations. I 

ported only functions F1 and F2, and wrote a wordlist checking main 

routine. Looked up some english wordlist files and fired it up. I was 

searching for the F1 and F2 values of user 4 and for the F2 value of 

user 6. With a general english wordlist I found that the password for 

user 4 is 'targeted'. 

  Well, this was on the first line of the 'javdevio.htm' file? So, why 

don't we try gathering a reverser.org wordlist. I used Jean Flynn's 

approach - Black Widow + his word extracting program.

  I sorted the file and removed the duplicates in the Aurora editor 

(really cool, DOS and Win32 console versions).

  When passed to the checker it gave the password for user 6 - 

'mozilla'.

  These loaded into the original 'javdevio.htm' form lead me to the 

'160593.htm' page.

  Well this is classified as a beginner solution. I sure am a beginner 

in this field. Finding the 'targeted' password was mostly good luck for 

me and bad luck for the single-english-word password users.



  Again I reached the solution, mostly on other people's shoulders (on 

what I have read of reaching the previous hidden pages), but this only 

proves that the lessons work ;-).



  In the end thanks to all the contributors and their host - you reverser. 

  

Best regards,

Peter Papazov  



P.S. here I include the C checking program. it takes as a parameter the 

wordlist file
---------------------cut here------------------------- #include <stdio.h> #include <string.h> #include <ctype.h> #include <math.h> char weight[]="0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"; //****************************************************************************** // // Encryption operators // You got to alter the following values to get your own unique encryption code // // 1. The values should be within 0 ... 7 double fi11=2.232, fi12=0.372, fi13=1.322, fi14=5.322, fi15=2.322, fi16=3.771, fi17=2.313, fi18=1.300; double fi21=5.112, fi22=1.472, fi23=4.322, fi24=1.792, fi25=6.737, fi26=2.141, fi27=2.882, fi28=1.382; double fi31=3.342, fi32=5.352, fi33=1.732, fi34=3.008, fi35=1.399, fi36=5.999, fi37=4.913, fi38=2.578; double fi41=3.773, fi42=2.348, fi43=5.769, fi44=2.112, fi45=1.922, fi46=3.573, fi47=3.317, fi48=6.273; double fj11=0.732, fj12=4.732, fj13=4.732, fj14=0.732; double fj21=1.742, fj22=0.102, fj23=1.001, fj24=6.272; double fj31=4.732, fj32=6.212, fj33=6.001, fj34=6.212; double fj41=3.273, fj42=2.723, fj43=1.392, fj44=0.039; double m11=5.7193, m12=5.3732, m13=4.8313, m14=2.3991; double m21=3.3923, m22=3.3021, m23=6.4622, m24=1.1392; double m31=5.3991, m32=2.3010, m33=5.9223, m34=5.8283; double m41=2.3042, m42=1.3923, m43=1.2419, m44=0.3573; // // 2. The following values should be within limits 9.9999 ... 0.0001 // double k11=3.8173, k12=7.2094, k13=0.0001, k14=6.0202, k15=1.9294, k16=0.0011, k17=0.0033, k18=0.0492; double k21=1.3048, k22=0.0083, k23=0.0038, k24=0.0302, k25=2.3935, k26=9.4007, k27=4.2042, k28=0.0004; double k31=0.0298, k32=3.0020, k33=0.0912, k34=0.0123, k35=0.2033, k36=0.0001, k37=3.0034, k38=0.0009; double k41=0.2094, k42=9.0031, k43=5.2059, k44=2.4010, k45=0.0324, k46=0.0023, k47=0.2034, k48=9.9414; // // 3. 'Bases' should be within limits 10...36 (only integer!) // int base1=29, base2=31, base3=24, base4=34; #define MAXLEN 255 char buffer[MAXLEN+1]; FILE *input; //__________________________________________________________________________ // // Encryption functions F1 F2 F3 F4 (don't alter the following code) __int64 F1(char *j) { int x,i,k; __int64 z=0; char *p; __int64 pow=1; if( strlen( j ) > 10 ) j[10]=0; k=strlen( j ); for(i=0;i<k;i++) { p=strchr( weight, toupper( j[i] ) ); if( p ) { x=p-weight; z+=x*pow; } pow*=base1; }; return floor( 5e14*sin(m11*sin(z*k11+fi11)*cos(z*k12+fi12)+fj11)* sin(m12*sin(z*k13+fi13)*cos(z*k14+fi14)+fj12)* sin(m13*sin(z*k15+fi15)*cos(z*k16+fi16)+fj13)* sin(m14*sin(z*k17+fi17)*cos(z*k18+fi18)+fj14)+5e14); } __int64 F2(char *j) { int x,i,k; __int64 z=0; char *p; __int64 pow=1; if( strlen( j ) > 10 ) j[10]=0; k=strlen( j ); for(i=0;i<k;i++) { p=strchr( weight, toupper( j[i] ) ); if( p ) { x=p-weight; z+=x*pow; } pow*=base2; }; return floor( 5e14*sin(m21*sin(z*k21+fi21)*cos(z*k22+fi22)+fj21)* sin(m22*sin(z*k23+fi23)*cos(z*k24+fi24)+fj22)* sin(m23*sin(z*k25+fi25)*cos(z*k26+fi26)+fj23)* sin(m24*sin(z*k27+fi27)*cos(z*k28+fi28)+fj24)+5e14); } int main( int argc, char **argv ) { __int64 f2, f1; int t=0; if( argc > 1 ) { input=fopen( argv[1], "rt" ); if( input ) { while( !feof( input ) ) { if( fgets( buffer, MAXLEN, input ) != NULL ) { buffer[ strlen( buffer )-1 ]=0; f1=F1( buffer ); if( f1==191979145621879 ) printf( "\nUser 4's name is: %s\n", buffer ); f2=F2( buffer ); if( f2==251426266017281 ) printf( "\nUser 4's password is: %s\n", buffer ); if( f2==492060879591955 ) printf( "\nUser 6's password is: %s\n", buffer ); if( ++t==1000 ) { printf( "." ); t=0; } } else break; } fclose( input ); } } return 0; } ------------------------cut here-------------------------
You are deep inside reverser's page of reverse engineering, choose your way out:

entrance
devious page
Back to the entrance
Back to the devious page

redhomepage redlinks redanonymity red+ORC redstudents' essays redacademy database
redtools redcocktails redantismut CGI-scripts redsearch_forms redmail_fravia
redIs reverse engineering legal?