Fravia's Javascript Protection
How to use aids from your target :=)

Advanced Javascript

1 February 1998

by Epic Lord

Courtesy of Fravia's page of reverse engineering

slightly edited by Fravia+
Epic Lord is a good old +HCU friend, and I'm happy to host his first essay
for this section! He did not write the password in this text, assuming that
I would have published it on the 'public side', but I decided to publish
all 'REAL' solutions on this side... as you can see from this very text, my
help has helped people, maybe, a little too much. Enjoy! (And please send
me a MORE difficult strainer for the next phase if you find one, else I'll
have to devise it myself :-)

There is a crack, a crack in everything
That's how the light gets in

Rating
(x)Beginner ( )Intermediate ( )Advanced ( )Expert

This document deals with Fravia's protected javascript entrance page.
As everybody interested may have noticed, Fravia has chosen another new path
to follow, namely Java and Javascript. As a dedicated teacher, it seems
that he also tries to make us learn Java a little. This essay is not a
real "cracking" one, but a chit-chat from a fellow friend of yours :=)
working (nowadays) on "the dark side" of the web.
The level of this essay IS NOT beginner, it is for ALL AUDIENCES, whether cracker or not :=)
Fravia's Javascript Protection
How to use aids from your target :=)
Written by Epic Lord
Some Chatter & Introduction
After reading about the OOB bug and experimenting with it, I was amazed at the
weaknesses of the Windoze boxes. So, I began to work on Windoze remote exploits,
especially the ones for NT systems. IMHO, it is better to study them; they can be very useful
for anti-smut purposes. Detailed information about the
subject can be obtained from
Known NT Exploits
and
Fyodor's Playhouse.
Studying the exploits brings up the compiler problem. You need a
Windoze compatible compiler/linker if you are working on windoze socket
programming (BTW, with winsock 2.2, it is possible to use RAW sockets,
you get what I mean?). Though I have MSVC++ 4.2, I searched for a smaller
and better compiler, and found LCC. Wonderful piece of work, a free
windoze C++ compiler (fits on a 1.44" floppy), can be found
here.
As you can easily deduce, it IS possible to write a perfect attack
tool running on windoze, against windoze boxes connected to the internet,
whether they have the necessary patches (service packs etc.) installed
or not. Better begin using
Linux, friends; windows is as sure as
a lost wallet.
Meanwhile, I was searching for a computer game (yes yes) which my
lovely wife likes to play: Heretic, 1994, a nice game from id software.
I had a shareware version and I was trying to locate the full copy.
None of the warez sites I looked at had a copy of it. So I remembered Fravia and did an ftp search with
fpArchie
for HERETIC.ZIP (6MB). Believe me, I found it in the incoming directory of one of the least used public
servers. Do learn to search! BTW, do not
forget to have a look at the award winning engine
Profusion.
During all these tasks :=) stated above, although I'm using an
offline browser
to surf the web (while I'm reading, grasping all pages), I stopped at Fravia's as I continuously do. I love his tricks and traps. I found his
"weird" entrance to the JavaScript page. First, I
thought that the protection was a fake, a joke, but finally understood
that he REALLY protected his page!!
What you need: a java aware browser, preferably Netscape (try MSIE and see what happens :=), a C compiler,
some programming knowledge, and the relevant pages from Fravia's
(Fravia explaining easy Javascript password systems).
So, what's going on? Nothing, because I disabled my browser's java awareness. While
surfing, keeping java off can be very useful for anonymity
purposes. OK, I enabled it to see Fravia+ asking for MY password. I've 4 tries to go. UH!
I disabled JavaScript to see the source (disable it to get rid of the nag, otherwise
you can not see the source). Well well, dear Fravia+ puts the fully :=) explained
source in here. Of course a nice act, he could have easily called a compiled Java
applet and we would NEVER have had the opportunity to see his nice source code. BTW, I hope
you know at least HOW to see the html source code of a page you visit; if you
don't, well: it's easy, Menu->View->DocumentSource or shift-click and save it somewhere as text.
OK. What's this code doing?
1. Defines a character set, 0..9, A..Z, a..z, 60 chars total: the BASE array.
2. Defines a function array, f().
3. Fills f() with mathematically defined values as:
   0..9 -> x<<9, +=23
   A..Z -> y<<1, +=(sqrt(y)+5)
   a..z -> z<<1, +=(sqrt(z)+74)
4. Sets fraCounter to 4. Only 4 incorrect tries.
5. Asks for the password, throws the visitor away if he cancels or exceeds 4 guesses.
   BTW, if he cancels, throws him to index.htm;
   if he exceeds, to the previous document (history.go(-1)).
6. Gets the variable length password, IGNORING THE FIRST char:
   lpass=(pass.length)+1
   this code ignores the char located at array[0].
7. If the char is a member of array BASE,
   get the numeric value of the char from array f() and
   calculate the password_value as
   password_value+=value_of_the_char_from_f()
   password_value*=sequence_number_of_the_pass_char
8. If the pass is Fravia, display a funny message (no no, do not display).
   This part of the code is commented out of the program.
9. If the password_value=25834242042 then go to the protected page
   (i.e. password.htm)
   else go somewhere else...
OK. How do we crack it?
1. Read the help file.
2. Reverse the algorithm. Jean Flynn has done this for us.
   However, he says he could not find the code. Why?
   BTW, the result is (common sense) divisible by 14, 9 and 7.
   So the code must be 15, 10 or 8 chars long.
   Tristan somehow explained it is 9 chars long (+1 fake char).
3. Compile and execute the code that Jean Flynn sent.
   BTW, Mr(s) Flynn, a very nice example of recursive programming.
   Though a little slow, it is a cute code :=)
4. Gee! Millions of combinations. Bad Fravia+. There is more than 1 solution
   to the problem: 25834242042.
5. Begin to use your brain. Remember what Fravia+ wrote on his help page:
   combinations from axxxxxxxxx to zxxxxxxxxx
   NO numbers in the code
   the last letter is an "r" (like rinaldo)
6. Modify Mr Flynn's code so it creates ONLY small letters. Uncomment the line
   return i>=36 ; // use this to generate only lower case keys
   and comment out
   return 1 ;
7. Compile and execute the program again. Redirect the output to somewhere:
   Fravia.exe > gec.txt
8. There are only 308 combinations in gec.txt.
   Now delete the ones without an r at the end.
   Sort the remaining 193 candidates and look for "rav", "ava" ..
   for (f)ravia and/or (j)ava or whatever relevant.
9. YES. YOU FOUND IT AT LINE 8... Add the obvious prefix and enjoy.
Sorry for not openly telling the password. But you are going to be crackers, not thieves :=)
Seems easy, huh? It is NOT. Without the help of Fravia+ himself, it would NOT be possible
to crack (or reverse) this kind of protection. The total number of combinations for 10 characters is
60^10, which is 604,661,760,000,000,000.
Also, what would happen if we had not been able to see the source code?
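To show why a check of this shape gives so little protection once the source is visible, here is an added Python model (not code from the essay, from Jean Flynn, or from Fravia's page) of the checksum described in steps 6 to 9 above, together with a backward search that applies the same divisibility observation as step 2 of the crack at every position. The per-character table F, the lowercase alphabet and the sample password "Xabcr" are constructed assumptions: F drops the sqrt terms of the original, so the page's target 25834242042 is not reproduced.

```python
"""Toy model of the checksum the essay describes: every character after the
first is looked up in a table f, added to a running value, and the value is
then multiplied by the character's sequence number.  The table F below is a
CONSTRUCTED stand-in (it drops the sqrt terms of the original), so the page's
target 25834242042 is not reproduced here."""
from string import ascii_lowercase

# Constructed per-character table, loosely modelled on "z<<1, +=74".
F = {c: ((ord(c) - ord("a") + 1) << 1) + 74 for c in ascii_lowercase}


def checksum(password: str, table=F) -> int:
    """Forward direction: ignore password[0], then v = (v + f[c]) * i."""
    v = 0
    for i, c in enumerate(password[1:], start=1):
        v = (v + table[c]) * i
    return v


def preimages(target: int, length: int, table=F, alphabet=ascii_lowercase):
    """All strings of `length` scored characters with checksum `target`.
    Walks the algorithm backwards: step i multiplied by i, so the value
    after it must be divisible by i (the essay's "divisible by ..." bound on
    the length, applied at every position).  That prunes the search from
    len(alphabet)**length candidates to a handful."""
    found = []

    def walk(v, i, suffix):
        if i == 0:
            if v == 0:          # ran the whole string back to the start
                found.append(suffix)
            return
        if v % i:               # not a multiple of i: no character fits here
            return
        q = v // i              # running value just before the multiply
        for c in alphabet:
            prev = q - table[c]
            if prev >= 0:       # running values are never negative
                walk(prev, i - 1, c + suffix)

    walk(target, length, "")
    return found


if __name__ == "__main__":
    # v_n = n! * sum(f[c_k] / (k-1)!), so positions 1 and 2 carry the same
    # weight: "abcr" and "bacr" collide, and many other strings do too.
    t = checksum("Xabcr")       # "X" is the ignored first character
    hits = preimages(t, 4)
    print(t, len(hits), "abcr" in hits, "bacr" in hits)
```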
This paper is NOT copyrighted or anything of the sort. Any part of it can be used for any purpose.
Epic, epic@lords.com