How to Crack
				The Snake's JavaScript HackMe No2

Welcome to my tutorial! I will explain you how to crack the JS HackMe no2 from Snake, i first start with an overview of the protection and the global variables, next i will explain you the detail of the protection.

This protection is built on two function called by <BODY> of HTML page, the entry point of JS code of protection is hidden into the HTML command and you will search for it, the first function is enter().

Enter() will control if you press a button for the code with the mouse, the other function is invoked by a line a little under the first:

...
<INPUT type="button" value="CHECK" onClick="chk_sum()">
...

This call the function chk_sum() every time the CHECK button is pressed.
Obviously this page take the pass code from function enter() and control it when you press the CHECK button with the function chk_sum().

Now i will explain the use of global variables defined in Js code:

----------------
Global Variables
----------------

'Chars' contain two URL codified into a unique string, the first char have position 0, all the chars of even position and the une of position 0 are a trap URL, the chars on odd position if reversed gave you the correct URL.

The original is:

chars="slkmytshc.rkacpuelry./feosritruenhetc/imtoyc..cyotmi/cjeanvuat"
        +"/r7o6f9./rnelpuacrkc.shytkmsl";

Even chars:

	skyscraper.fortunecity.com/java/769/nluck.html

Odd chars:
	lmth.kculy/esireht/moc.yticenutrof.reparcsyks

Who reversed give you:

	skyscraper.fortunecity.com/therise/yluck.html

Now the code will define:

	str="";

Who contain the codified password of button we have pressed.
The 'tl' variable is used to codify our button pressed and put him into 'str':

tl="emnopbcdtuvwfglxyqrsazhijk"
     +"SAXYHBCDFGVWIJKLMNRTUEOPQZ";
	 
'tsltr' is nothing less than a counters array we will see it later.

tsltr="00000000000000000000000000";

Next the last two:
i=0;	sum=0;

The first coutns how many code buttons you have pressed from your entry in the page. The other contain the result of simply operation on the code value of code button and is nothing less than a test value to pass the protection.

Now i will explain the various functions:

----------------
Function Enter()
----------------

function enter()    {      document.write("<form name=\"pazel\">");
      document.write("<input type=\"button\" value=\" G \" onClick=\"Get_letter(2)\">");
      document.write("<input type=\"button\" value=\" I  \" onClick=\"Get_letter(20)\">");
      document.write("<input type=\"button\" value=\" H \" onClick=\"Get_letter(0)\"><br>");
      document.write("<input type=\"button\" value=\" K \" onClick=\"Get_letter(22)\">");
      document.write("<input type=\"button\" value=\" A \" onClick=\"Get_letter(19)\">");
      document.write("<input type=\"button\" value=\" E \" onClick=\"Get_letter(25)\"><br>");
      document.write("<input type=\"button\" value=\" S \" onClick=\"Get_letter(23)\">");
      document.write("<input type=\"button\" value=\" N \" onClick=\"Get_letter(8)\">");
      document.write("<input type=\"button\" value=\" T \" onClick=\"Get_letter(13)\"><br>");
      document.write("<input type=\"password\" name=\"letters\" size=10 value=\"\"><br>");
      document.write("</form>");
}

This is the fuction who create the buttons we see into the HTML page and control if a pass button is pressed. Let's look at the lines and notice who every line is a button on the screen and contain the call to the 'get_letter()' function with the numeric code of button.
Here a table with the numeric value of every button:

Key | Value
--------------
G.......2
I.......20
H.......0
K.......22
A.......19
E.......25
S.......23
N.......8
T.......13
-------------

This is the value we pass at get_letter().

---------------------
Function get_Letter()
---------------------

This function is invoked with the parameter 'letter' who is the numeric value of pass button pressed.

Look at this piece of code who is repeated many times into the function:

	eval(tl.indexOf(tl.charAt(letter)))

N.B. The variable letter can have only one of nine possibly value(the 9 of table above), all into the range from 0 to 25, the string 'tl' is long over 26 chars (i don't have counted it exactly!-).Then

	tl.charAt(letter)
	
return value is the char of string 'tl' at position gived by the numeric code of pass button.
Now we search the numeric position of this char into 'tl' with the code:

	tl.indexOf(tl.charAt(letter))

But think a moment, this is exactly the code we haved the first time we come into this function, then the two two codes below are equals:

	eval(tl.indexOf(tl.charAt(letter)))

is equal to:

	eval(letter)
	
Who is the numeric value of the pass button pressed.

If this is clear into your mind then i change the code with a simplest version:

      i=i+1;
      str=str+tl.charAt(letter); // This is the password

      document.pazel.letters.value=str;
       if (i==3||i==5){
           sum=sum*letter;
		      }
     else{         
	if (i==7){          
		sum=sum-letter;
		 }
         else{
		sum=sum+letter;
		}
      }

This function create two codes to make test on it, the first are into 'sum' the second into 'str'. To create the 'sum' code we use the number of pressed button from the 'i' variable and we make sum/products/difference with 'letter' and 'sum'. The exact type of operation between 'letter' and 'sum' is determined by the 'i' value, here a table to explain:

 i       |  Operation
----------------------------
 3 or 5		sum=sum*code
 
 7			sum=sum-code

 Other		sum=sum+code
----------------------------

Every time we press a pass button, a value is passed to this function into 'letter' we control how many times we have pressed a button and control the table above to make the exact operation on 'sum'. The value of 'letter' is the position of the codified letter of the password to search into 'tl', every number have a codify letter. With ours 9 pass button we have only 9 possibly letter out from this string, the table below explain the true code of various button.

Key | Value | Current letter of Password
----------------------------------------
G.......2........n
I.......20.......a
H.......0........e
K.......22.......h
A.......19.......s
E.......25.......k
S.......23.......i
N.......8........t
T.......13.......g
----------------------------------------

Example: if i press the N and T pass button the password created is 'tg'.

The second part of the get_letter() function is:

x=(eval(tl.indexOf(tl.charAt(letter)))); 
      temp1=tsltr.substring(0,x);
      tl_plus1=eval(tsltr.substring(x,x+1))+1;
      temp2=tsltr.substring(x+1,tsltr.length+1); 
      tsltr=temp1+tl_plus1+temp2;}

This part manipulate the 'tsltr' string who is a counter array. For every number from 0 to 25 this is a char of same position into the 'tsltr' string, this char is initialized to 0 for every position, if i press a pass button i have a numeric code into 'letter', i take this number and search this position into 'tsltr', i take the numeric char into this position and add 1 to his value. I will explain with an example:

	Initially tsltr="00000000000000000000000000"
	I push 'G', the G code is 2, then the counter of position two is increased by one:
	tsltr="00100000000000000000000000"
	I repush G:
	tsltr="00200000000000000000000000"
	Now push 'I', it's code is 20 then i will increase the 20 position:
	tsltr="00200000000000000000100000"


At this point the acquisition of the pass code with the buttons is ended, you must press the CHECK button, we will now know that three codes are created, a control number 'sum', a string of chars 'str' and the buttons pressed into 'tsltr'.
The CHECK button invoke the chk_sum() function.

------------------
function chk_sum()
------------------
This is a ery simply function, it control if our numeric value stored into 'sum' is lesser than a certain value (in this case 16311), if this test is not passed all the variables are initializated using function clear() (the 'i' variable into the prev. function is non put to 0 when the controls fails, then when you have pressed 7 buttons and pressed CHECK, if the code is not correct 'i' is not put to 0 then 'sum=sum+letter' in the prec function, the 16311 value is very great and to have a 'sum' value greaten or equal than 16311 you will press the button 16311/25= 652 times, i will doubt that someone press 652 times the 'E' button, then this test is passed every time.

Now to the next test:

-----------------
function chkcmb()
-----------------
The first part of code initialize a variable 'message="this is it"', next we are two controls:

	if (tsltr[0]==2&&tsltr[2]==1&&tsltr[8]==1&&tsltr[19]==1&&tsltr[20]==1
		&&tsltr[22]==1&&tsltr[25]==1)

	if (tsltr[8]==2&&tsltr[19]==2&&tsltr[23]==3&&tsltr[22]==1)

It's shape is identical, it only test for different codes, recall that the 'tsltr' is a counter array (see above), the meaning of this code is:

(n & k are two numeric values)

tsltr[n]==k -> the number of time we have pressed the pass button of pass code 'n' is equal to the value 'k'

The && symbols are logical 'AND', it mean that you will pass the first test only if you ave pressed a certain number of times every pass button, the first of the two control lines have the below test condition:

Pass Button 	G	I	H	K	A	E	S	N	T
Code			2	20	0	22	19	25	23	8	13
N.Times			1	1	2	1	1	1	?	1	?

The pass buttonsto press to pass the first control are: GIHHKEN in any order.
This char codified into the 'str' string are: naeehskt.

(The char ? means that its value is never controlled).

For the second control:

Pass Button 	G	I	H	K	A	E	S	N	T
Code			2	20	0	22	19	25	23	8	13
N.Times			?	?	?	1	2	?	3	2	?

To pass the second IF you must enter the pass button: GIHKAESNT
Who codified into 'str' are: hssiiitt

This function have thre possibly exit points:
1 - If the first test is passed invoke chkorder().
2 - OR If the second test is passed invoke chkreverse(message) (N.B. message="this is it")
3 - OR The test fails and an error message occurs.

-------------------
function chkorder()
-------------------
Here we control if password stored into 'str' is equal to "thesnake". To obtain this password stored into 'str' you must press the buttons in the order you may obtain by the table here:

Tasto | Valore|tl.CharAt(letter)
--------------------------------
G.......2........n
I.......20.......a
H.......0........e
K.......22.......h
A.......19.......s
E.......25.......k
S.......23.......i
N.......8........t
T.......13.......g

	t	h	e	s	n	a	k	e
	N	K	S	A	S	A	S	N

The result is: 		NKSASASN

If you pass this test you go to another part of code who retrieve from the 'chars' string the location to send the user:

 for (i=0;i<chars.length;i++){
            x=i*2;
            loc=loc+chars.charAt(x);
			
This is the code that i have explained at the start of this tutorial and who take only the even position chars into the string, at the string obtained is summed the "http://" string that is deja into 'loc'.

loc="http://skyscraper.fortunecity.com/java/769/nluck.html"

If the password is nont "thesnake" the error message is sent and the variables are re-initialized.

N.B. If you take a look to the name of the page you see nluck.html, its name recall in my mind the phrase "no luck", maybe this is a trap... yes, but go to the page if you don't are yet convinced.

Now go to the CORRECT page whit the other code:

----------------------------
function chkreverse(message)
----------------------------

At the start of this function they are a piece of code:

	tmp=message;
	message="";
	for (i=0;i<tmp.length;i++){
		if (tmp[i]!=" "){
		message=message+tmp.charAt(i);
		}
	}

This eliminate the empty spaces from the string into 'message' the string passed is "this is it" then the string you obtain from this piece of code is "thisisit", this is the password we must have stored into 'str'. To have "thisisit" into 'str' you use the same table of the function above:

Key | Value | tl.CharAt(letter)
--------------------------------
G.......2........n
I.......20.......a
H.......0........e
K.......22.......h
A.......19.......s
E.......25.......k
S.......23.......i
N.......8........t
T.......13.......g

	t	h	i	s	i	s	i	t
	N	K	S	A	S	A	S	N

The result is: 		NKSASASN

If you insert this code the code below is used to extract from the 'chars' string the location of the true congratulation page.

	for (i=chars.length;i>0;i--){
           loc=loc+chars.charAt(i);
           i=i-1

This code take only the chars of odd position in reversed order, the obtained URL is:

loc="http://skyscraper.fortunecity.com/therise/yluck.html"

I have finished! I hope i have explained you as good as possible! Greets!

							CASTA