i need to find the password in this script


modifier_guy
11-23-2003, 10:00 PM
<HTML>
<HEAD>
<TITLE></TITLE>
<META name="description" content="">
<META name="keywords" content="">
<META name="generator" content="CuteHTML">
</HEAD>
<BODY BGCOLOR="#cccccc" TEXT="red" LINK="red" VLINK="red">
<!--Don't forget to add your FREE HitBOX statistics to your web page. To
do so, click on Tools\Online Services\Add statistics...-->

<style type="text/css">
<!--
A:Link {text-decoration:none;color:gray;}
A:Hover {text-decoration:none;color:white;}
A:Visited {text-decoration:none;}
-->
</style>

<style type="text/css">
<!--
BODY {scrollbar-highlight-color:red;scrollbar-base-color:silver;scrollbar-arrow-color:red;scrollbar-shadow-color:maroon;}
//-->
</style>

<HEAD>

<SCRIPT LANGUAGE="JavaScript">

<!-- Begin
var base= new Array("0", "1", "2", "3", "4", "5", "6", "7", "8", "9","A", "B", "C", "D", "E", "F", "G", "H", "I", "J", "K", "L", "M", "N", "O", "P", "Q", "R", "S", "T", "U", "V", "W", "X", "Y", "Z","a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y", "z")
var pass=""
var z=23;
var y=28;
var f= new Array();
var K= new Array();
for (x=0; x<10; x++){
f[x]=x<<9
f[x]+=23
}
for (x=10; x<36; x++){
y=y<<1
v= Math.sqrt(y)
v = parseInt(v,16)
v+=5
f[x]=v
y++
}
for (x=36; x<62; x++){
z=z<<1
v= Math.sqrt(z)
v = parseInt(v,16)
v+=74
f[x]=v
z++
}
var iCounter = 3 //How many retries
function inc(){
iCounter--
if (iCounter > 0)
{
if (confirm("\nPassword is incorrect.\n\n\n\nRetry?"))
Check()
else
alert('Password incorrect.');
history.go(-1);

// You may use this element instead if you want.
// location.href='denied.html' //Cancel html file

}
else
alert('Your three tries are up. Access Denied.');
history.go(-1);

// You may use this element instead if you want.
// location.href='denied.html' // 3 times incorrect html file

}
function Check(){
pass = prompt("Enter your password.","")
if(pass==null || pass==""){
history.go(-1)}
else{
var lpass=(pass.length)+1
for (l=1; l<lpass; l++){
K[l]=pass.charAt(l)
}
var code=0;
for (y=1; y<lpass; y++){
for(x=0; x<62; x++){
if (K[y]==base[x]){
code+=f[x]
code*=y
}
}
}

<!-- STEP TWO: Put access code here! -->
if (code==174153441) // code==[your access code]

go()
else
inc()
}
}
function go(){
location.href=pass+".html";
}
// End -->
</SCRIPT>

<!-- STEP THREE: Put this coding into the BODY of your HTML document -->

<center>
<A HREF="javascript:Check()">Access the protected area.</A><BR>
<P>
</center>

</BODY>
</HTML>

i need to find the password and i don't know where to look

Gollum
11-24-2003, 06:35 AM
An interesting puzzle indeed!

Sadly, there is no "password" hidden in the script. To work out what the "password" is, you need to reverse engineer the algorithm to work out which combination of letters results in the access code of 174153441. Note too that the first character is ignored for some reason - probably some VB guy not familiar with zero based arrays and strings.

The trouble is, in total there are 2373732 combinations (I counted them ;) ) that the script will pass on to the next page, and that doesn't include characters not included in the algorithm like "-"

Now, the next page is in fact the password with ".html" tacked on the end so you need to know which one of those combinations it is or you will get the "page not found" error.

All is not lost though. Out of those 2373732 combinations (most of which looked like gobbledygook) there was one that looked promising.

Try "password" and see where that leads.

CardboardHammer
11-24-2003, 07:01 AM
Are you trying to (1) hack into someone's site or (2) do you just want to use that code for yourself?

If (1), then you're wasting your time. Period. It's a one-way hash... you won't come up with the password in any way quicker than blind guessing, as the number of possible passwords is effectively limitless.

If (2), then pick your own password and see what number you end up with assigned to "code".

Hint:
<!-- STEP TWO: Put access code here! -->
if (code==174153441) // code==[your access code]


"// code==[your access code]" means generate your own code and replace their code with that code...

Note: the page that the "password" matches up to CAN'T be directly linked to from anywhere accessible without the "password", or people will be able to just follow in the link.

Gollum
11-24-2003, 07:11 AM
Originally posted by CardboardHammer
the number of possible passwords is effectively limitless.

Well, not limitless actually, for the access code given there are 2373732 that will be accepted by the javascript.

PS. just realised - if "password" doesn't work, try "Password"

modifier_guy
11-24-2003, 08:38 AM
thanks people


oh and the password is password


but unfortunately there is nothing in the protected area, darn it, I was hoping for something good. But thanks for your guys' help

CardboardHammer
11-24-2003, 09:39 AM
Originally posted by Gollum
Well, not limitless actually, for the access code given there are 2373732 that will be accepted by the javascript.

PS. just realised - if "password" doesn't work, try "Password"

Where's it limiting the length of the password? I'm not really a javascript guru, but I don't see any limiter in there at first or second glance...

Gollum
11-24-2003, 10:02 AM
Well, it's not blatant certainly.

It all comes down to the bit where it processes the password.
The function Check() iterates through the characters starting at the second one (an oversight by the programmer perhaps) and finishing with the one just after the end - which in JS is "" which fortunately can be ignored.

Part 1
For each character, it finds its index in the array base[], and uses that to find an associated number in the array f[]. f gets calculated somehow at startup, but here's what it looks like when it's done...

var f = [
23,535,1047,1559,2071,2583,3095,3607,4119,4631,
12,21,26,38,53,72,101,139,294,375,
584,841,1164,1678,2425,4989,6478,10076,14494,21785,
30621,69677,87452,139356,201113,278810,80,83,93,99,
113,131,159,194,346,416,619,861,1165,1649,
2256,4766,6077,9554,13713,20576,28894,65661,82386,
131248,164801,262524
];


Once the number in f[] is found, it is added to a total, then the total is multiplied by the character's position in the password (first 1, then 2, then 3, etc.)

With a little bit of maths, you can see that using the smallest number in f[] for each letter in the password (by typing "AAA...") generates the following numbers for successively longer passwords...
"A" --> 12
"AA" --> 48
"AAA" --> 180
"AAAA" --> 768
"AAAAA" --> 3900
"AAAAAA" --> 23472
"AAAAAAA" --> 164388
"AAAAAAAA" --> 1315200
"AAAAAAAAA" --> 11836908
"AAAAAAAAAA" --> 118369200
"AAAAAAAAAAA" --> 1302061332

The last one using 11 chars produces a code bigger than the access code so the length of the password must be smaller than this.


Part 2
Now the last thing that the algorithm does is multiply the running total (the variable called 'code') by the length of the password minus 1. Now of all the numbers from 1 to 9, the access code 174153441 is divisible by 1, 3 and 7 giving possible password lengths of 2, 4 and 8.

It turns out there are no possible passwords of length 2 or 4 that produce the required access code but there are 2373732 8 letter passwords that do.

QED.

CardboardHammer
11-24-2003, 10:21 AM
Does javascript wrap around or error out on arithmetic overflow?

Gollum
11-24-2003, 10:32 AM
In Javascript, numbers are all floating point. When the number gets too large to fit (about 1.79E+308) it uses a special number called Infinity.

Gollum
11-24-2003, 10:35 AM
Sorry, meant to say...

Javascript integers go up to 9007199254740992. If you go higher than that, it switches to floating point.

CardboardHammer
11-24-2003, 10:52 AM
Ah, thanks for the info.

Of course, with a bit of modification, that code COULD be made to handle "passwords" of arbitrary (within the limitations of "the real world") length...

Gollum
11-24-2003, 10:57 AM
In fact, the whole script could be replaced by...


pass = prompt("Enter your password.","");
location.href=pass+".html";


and it will be just about as good ;)

CardboardHammer
11-24-2003, 11:20 AM
Or just skip it entirely and just type the URL of the page you want to go to in the first place...

With programming on the server side, the server could spew out an arbitrarily chosen, always different, password grinder that would execute on the client side after which the client would return the number generated to the server. Server allows access if the number is validated by the server. Poof! secure login without https... though I'm sure it's been/being done... Hell, with some creativity, you could effectively get the security of HTTPS via HTTP...
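
A sketch of the exchange described in the post above, as an added example rather than code from the thread: HMAC-SHA256 over a single-use server nonce stands in for the generated "password grinder". The names makeServer, respond and demo, and the sample passwords, are constructed for illustration.

```javascript
const nodeCrypto = require("node:crypto");

// Server side: issues fresh challenges and checks the client's answer.
function makeServer(password) {
  const salt = nodeCrypto.randomBytes(16);
  // Assumption: the server keeps a scrypt-derived key. In this scheme that key
  // is password-equivalent and must be protected like the password itself.
  const key = nodeCrypto.scryptSync(password, salt, 32);
  const pending = new Set();                      // challenges issued, not yet answered
  return {
    challenge() {
      const nonce = nodeCrypto.randomBytes(16).toString("hex");
      pending.add(nonce);
      return { nonce, salt: salt.toString("hex") };
    },
    verify(nonce, responseHex) {
      if (!pending.delete(nonce)) return false;   // unknown or already-used challenge
      const expected = nodeCrypto.createHmac("sha256", key).update(nonce).digest();
      const got = Buffer.from(responseHex, "hex");
      return got.length === expected.length && nodeCrypto.timingSafeEqual(got, expected);
    },
  };
}

// Client side: derive the same key from the typed password, answer the challenge.
function respond(password, challenge) {
  const key = nodeCrypto.scryptSync(password, Buffer.from(challenge.salt, "hex"), 32);
  return nodeCrypto.createHmac("sha256", key).update(challenge.nonce).digest("hex");
}

// Constructed walk-through: a valid login, a replay of it, and a wrong password.
function demo() {
  const server = makeServer("correct horse");
  const c1 = server.challenge();
  const r1 = respond("correct horse", c1);
  const ok = server.verify(c1.nonce, r1);
  const replay = server.verify(c1.nonce, r1);     // same nonce and response again
  const c2 = server.challenge();
  const wrong = server.verify(c2.nonce, respond("password", c2));
  return { ok, replay, wrong };
}

console.log(demo());
```

The response shows knowledge of the password without sending it and cannot be replayed, but the protected page still travels over plain HTTP and the server is not authenticated to the client.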

Jeff Mott
11-24-2003, 11:29 AM
Originally posted by CardboardHammer
If (1), then you're wasting your time. Period. It's a one-way hash... you won't come up with the password in any way quicker than blind guessing

If the algorithm was secure then you'd be correct. But this was obviously written by someone who is far from being a cryptographer. For example, one of the steps multiplies the code number. Thus, when reversing the operations, any letter corresponding to a number that does not divide evenly into the code number is known to be wrong. This would greatly reduce the number of possible combinations. And I'm sure there are many other weaknesses in the algorithm that a real cryptographer would be able to exploit. The people at sci.crypt may be of more help.
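
The divisibility argument in the post above, together with the table and loop walked through earlier in the thread, as an added example that is not code from the thread: it rebuilds f[] the way the posted script does, recomputes the checksum, and walks it backwards so the number of accepted inputs can be compared with the figure quoted earlier. The names BASE, F, buildTable, checksum and invert are introduced here.

```javascript
const BASE = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

// Same construction as the posted script: parseInt(..., 16) reads the decimal
// digits of the square root as if they were hexadecimal.
function buildTable() {
  const f = [];
  let y = 28, z = 23;
  for (let x = 0; x < 10; x++) f[x] = (x << 9) + 23;
  for (let x = 10; x < 36; x++) { y <<= 1; f[x] = parseInt(Math.sqrt(y), 16) + 5; y++; }
  for (let x = 36; x < 62; x++) { z <<= 1; f[x] = parseInt(Math.sqrt(z), 16) + 74; z++; }
  return f;
}
const F = buildTable();

// Mirrors Check(): characters are read from index 1, so pass[0] never counts.
function checksum(pass) {
  let code = 0;
  for (let pos = 1; pos <= pass.length; pos++) {
    const ch = pass.charAt(pos);
    const idx = ch === "" ? -1 : BASE.indexOf(ch);
    if (idx >= 0) code = (code + F[idx]) * pos;
  }
  return code;
}

// Walk the checksum backwards. At each position the running code must be a
// multiple of that position, which discards most of the 62 candidates per step.
function invert(target, len) {
  const first = new Map();        // table value -> characters carrying that value
  F.forEach((v, i) => first.set(v, (first.get(v) || "") + BASE[i]));
  const pick = new Array(len), found = [];
  (function back(code, pos) {
    if (code % pos !== 0) return; // the forward pass multiplied by pos here
    const sum = code / pos;       // = code before this step + F[char at pos]
    if (pos === 1) {
      for (const ch of first.get(sum) || "") { pick[0] = ch; found.push(pick.join("")); }
      return;
    }
    for (let i = 0; i < F.length; i++) {
      if (sum > F[i]) { pick[pos - 1] = BASE[i]; back(sum - F[i], pos - 1); }
    }
  })(target, len);
  return found;
}

// 7 = the characters of an 8-character password that the check actually reads.
const collisions = invert(174153441, 7);
console.log(checksum("password"), collisions.length);
```

Each returned suffix is accepted by the script with any character in front of it, which is why a client-side comparison against a published code gives no protection once the script can be read.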

CardboardHammer
11-24-2003, 11:37 AM
Ultimately, it's already been determined that the password was... password. I'm more familiar with crypto than javascript... I guess I should have said "If (1), and if the algorithm is good, ..."

At any rate, it seemed likely from the get go that (2) was intended by the original host of that code.

Gollum
11-24-2003, 02:24 PM
By the looks of the code and the fact that the password was "password" I think the code was offered as a "this is how you do it" template.