'; document.writeln(my_chunk); } } // --> --> nb_es005.html: Reversing some commercial page/site protections
Reversing some commercial page/site protections
Keep your money for something else
student
Hyper Javascript
4 Nov 1999
by Laurent
(always) Courtesy of Fravia's page of reverse engineering
NOT edited
fra_00xx
98xxxx
handle
1100
NA
PC
A short and quick analysis of what you can get for 20 USD and 1 (or 2) Mb on your hard disk.
There is a crack, a crack in everything That's how the light gets in
Rating
(x)Beginner ( )Intermediate ( )Advanced ( )Expert

Never believe what 'money-oriented' people say about their products. Always check by yourself if the product really worth it.
If sp!ke very good essay didn't convinced you of that, keep reading.
Reversing some commercial page/site protections
Keep your money for something else
Written by Laurent


Introduction

A few days ago, I saw a post on Fravia's TOT MB about some new Internet software. I thought it could be worth to have a look at it. What a disapointment when, after a few minutes, I discovered those 'software' were totally crap. This essay is not about how to 'crack' this protection cause there is nothing to crack. I just want to show what some 'money oriented' people seems to -unfortunately- be able to sell.

Tools required

A Brain (a little one should be enough :)
JS- & java- enabled browser.

Target's URL/FTP

www.moonlight-software.com/webcrypt.htm
www.moonlight-software.com/sentry.htm

Program History

No history yet. Version 1.

Essay

So let's start with WebCrypt. This is supposed to crypt your html pages so that people won't be able to reuse them too easily. Well, I won't say much about this, Sp!ke already wrote a very good essay about this kind of protection. Find it and and you'll know how to bypass this one and many others. By the way, I'm not even sure we can use the word 'encryption' for that crap. The encryption consist in reordering the letters of your page ... first character comes last and last character comes first ... really too bad to be called encryption. Here is what you get for 19.95 USD :

function Encrypt(Str)
{
  var returnStr=""
    var NewStr=""
    for (var x=Str.length;x>=0;x--)
    {
    returnStr=Str.charAt(x)
    NewStr+=returnStr
    }

    return NewStr
}

Moreover, although I did not tested extensively, it seems that it causes javascript errors with pages containing scripts :(

Ok, that 'webcrypt' doesn't deserve any more words. Let's have a look at 'Site Sentry' protection to see if it's better.
Quote from moonlight software :
" Protect your Web site with this easy to use Java Applet brought to you by MoonLight Software. No knowledge of Java required - take our realtime Test-Drive above and see how easily you can put Site Sentry to work for you!
Server-side solutions aside, this is the best protection you can buy. Javascript doesn't cut it - your usernames and passwords are visible to anyone who knows how to view your HTML source. "

I'm not sure if it's the best protection you can buy, but it's definitaly not the best protection you can find on the web for free. And, believe me, there are lots of better protection written in JavaScript where you can't see username or password in the HTML source. Anyway, let's see how this work. Just download their trial version and do some test. Add a user 'abcd' with a password of 'ABCD', and look at the html code generated.

<APPLET CODE=".secApplet.class" archive="secapplet.jar" codebase="." WIDTH=343 HEIGHT=152> <param name=CREATED value="SITE SENTRY WWW.MOONLIGHT-SOFTWARE.COM"> <param name=numusers value="1"> <param name="0" value="pqrs|PQRS|wiie://lll.bddcaxvwi-hduilpgt.rdb"> <param name=basename value="jhtgh.spi"> <param name=style value="0"> <param name=numtries value="3"> <param name=width value="343"> <param name=height value="152"> <param name=l2 value="8|38|63|13|"> <param name=l3 value="10|76|59|13"> <param name=t1 value="74|38|245|21"> <param name=t2 value="74|76|245|21"> <param name=b1 value="74|108|245|20"> <param name=bkcolor value="0"> <param name=txcolor value="16777215"> <param name=alturl value="http://www.moonlight-software.com"> <param name=ltitle value="Enter your Username and Password"> </APPLET> Got it ? yep, that param "0" is your "user/password/goodboy url" information encrypted with a character subsitution method. Upper/lower case is respected and you add 15 to each letter value, rolling over at z or Z... a becomes p, A becomes P, u becomes j, ...
Is that so easy ? Can't believe it .... usernames and passwords are visible to anyone who knows how to view your HTML source and who knows how to substract 15 !
But you'll say "Hey, I can't find that param "0" on their realtime Test-Drive page ?". I know, but have a look at that other param "basename value". Looks like its value is crypted too ... let's decrypt it .... "users.dat". Yep you got it, username/password are stored in that file. By the way, users.dat is the default file name of 'Site Sentry' code generator, they even did not bothered to change it. So just download that file and you'll find our param "0" information stored there with the same encryption as before. As we are describing the parameters passed to the applet, param "style value" = 1 mean using the external file while if 0 it means to use the param "0", "1" ...

Just a last thing about those 'java applet' protection. Before using one, you should always have a look at its code. You never know, they may have hidden something malicious in it, like a backdoor or whatever else ... So be carefull.

Final Notes

Well, it's time to conclude now. I have been writing already too much. I just don't understand how people dare to SELL things like that. I did not checked their other products, but I doubt they are any better. Maybe someone else will have a look at them.
So, if you are looking to protect your pages or site, look around the net, you'll certainly find something better than this and for free. Or even better, write your own stuff -and you don't need Java applet for that, JavaScript can do a great work (whatever those moonlight people say) -. Of course, you won't get a nice packaging, but if you really want to spend 20 dollars for nothing, you can always send them to me, they will be welcome :)

Ob Duh


"Ob Duh" section doesn't apply since we aren't cracking anyones _program_, are we ;)


choose your way out:

redFravia's (frozen) homepage redThe Seeker's homepage redThe javascript workshop redWhat's new