"...I don't know if you or some other +HCU cracker has already tried this 'ping'-search approach. I hope you didn't, because then I haven't written (and you haven't read) this essay in vain ;-). And if you didn't, then I hope I've enlightened you about the things you can do with the speed of internet these days, and I hope you'll publish this essay, so the entire world can use this technique..."

From: Gattman 



Hello Fravia,



First of all I want to thank you for bringing us one of only a few sites

that really brings knowledge and challenges. A site, not for the

millions of brainless surfers, but one that appeals to the gray mass on

the top floor.

Speaking of challenges, I greatly enjoyed cracking your JavaScript

pages. But I want to bring something to everyones attention, since

judging from the solutions on 'the other side' of the pages, I'm the

only one who devised the (actually quite obvious) technique I'm about to

describe.



I cracked the two pages a few months ago. It was almost a fluke, the way

I came up with the first one. I reversed the obfuscation with a

recursive, backtracking algorithm (with the help of my friend and fellow

student Douby. He sent you an essay about ReBirth, which you have

published). I had to use Java, since it was the only available

programming environment available at that time and place. One thing I'd

like to put straight by the way: Java and JavaScript are not the same!

Almost every essay used both terms quite loosely. Java is a complete

programming language, with a compiler which generates bytecode. It was

developed by Sun.

JavaScript was developed by Netscape as a scripting language for use in

WWW-pages. It is an interpreted language.

The syntax, commands and source code are not interchangeable. They are

quite similar, but Java is much like C++ (only easier and safer in some

aspects) whereas JavaScript leans more toward Pascal. After setting that

straight, on with the story...



After getting the password length (another thing nobody seemed to do

like I did: I added up all the values in the obfuscated character array,

and divided it by the length of the array. This gave me the average

value of a character. I tried how many times I could multiply and add

until the value was greater than the target code. I got a value of 9.

This makes a password of 10 characters, since the first one is skipped.)

I generated a list of possible solutions of the desired length. I

browsed the list, and suddenly the following password yanked my

attention: '_avfurther'

Well well! I figured the first letter must be a 'j', since it would make

perfect sense: 'javfurther'.

So I fired up Netscape, entered the following URL:

http://Fravia.org/javfurther.htm

Bingo! I was in.



Time for the second entrance.

This one was really easy. It generated a password, depending on the day

of the month. But... it was reversible!!! So all I had to do, was to

generate a password from the hint-page you gave for every day of the

month, and put those through the encrypter to get 31 pages, one of which

was the right one.

I edited the script so it would open a new browser-window for every

generated page. Now I had 32 windows open. One with the entrance-page,

30 '404 not found' pages, and the right one. All I had to do was close

all windows until I found the right one. It was a bit messy, but I got

in.



Then I figured there had to be a better way to do this than just opening

31 windows. But I never payed any attention to it anymore, until

yesterday.

Because yesterday a friend of mine found a JavaScript protection on a

Quake-clan site (http://qrt.gamepoint.net). He asked if we (me and

Douby, that is) could get in. We decided to give it a shot.



The protection was really lame. Just six numbers multiplied, which

should give 32. Douby wiped the dust of his trusty calculator and

decided there were 216 solutions. This would mean 216 browser windows.

We went for it, to see how far we could get. But you know Windows... At

the 100th window or so, it became terribly instable, and decided to kill

the browser. This called for a more subtle approach. Douby made a

counter, and made the Script pop an alert window at every 20th

browser-window. Then he closed all bad windows and clicked on OK, until

he reached the inner sanctum...



But I wanted to do it another way. So I made a Java program that

generated all possibilies. And then came the good part: it connected to

every page and grabbed the server's response code. Now all I had to do

was:



if (responseCode!=404)

        {print the URL, because this is the one!}



And it worked! It came up with exactly one code: 141222. That was the

same as Douby found! The speed at which it did was impressive: over 25

pages a second!

This is a great technique!



This trick is probably faster than a dictionary check on the average PC,

and generates a much better outcome: it also works if the password does

not contain any words at all, like this example. And it keeps you from

endlessly entering passwords.



With a protection as complex as your first JavaScript entrance, you

would be completely helpless if the password didn't make sense. Now I

can try all possible addresses (about a thousand 'tails', with any

possible first character, at 25 pages a second: (1000*62)/25)  within an

hour!

This is quite interesting...



I don't know if you or some other HCU cracker has already tried this

'ping'-search approach. I hope you didn't, because then I haven't

written (and you haven't read) this essay in vain ;-). And if you

didn't, then I hope I've enlightened you about the things you can do

with the speed of internet these days, and I hope you'll publish this

essay, so the entire world can use this technique.



(By the way, if you are interested in the source, or just want to try

out the program yourself, then just reply, and I'll mail it to you. I'd

attach it to this mail, but I know how much you hate attachments.)



Keep up the great site!



Gattman signing off (phew, finally...).