Preserved Topic: Encryptic JavaScript

 
sunsuron
Maniac

From: Cyberajaya, Kuala Lumpur, Malaysia
Insane since: Jul 2002

posted 07-12-2002 07:09

Anybody dare to decrypt this valid encrypted JavaScript snippet?


<script language="JavaScript1.2">
eNc='enbtldou/vshud)&=rbshqu!m`oft`fd<#K`w`Rbshqu0/3#!rsb<#rbshqu/kr#?=.rb&*&shqu?&(:';
eval(unescape('str%3D%27%27%3B for%20%28 var%20c%3D0%3Bc%3CeNc.length%3Bc++%29str+%3DString.fromCharCode%28eNc.charCodeAt%28c%29%5E1%29%3Beval%28str%29'));
</script>

mr.maX
Mad Scientist

From: Belgrade, Serbia
Insane since: Sep 2000

posted 07-12-2002 09:18

The second line (which does decrypting) looks like this:

str=''; for ( var c=0;c<eNc.length;c++)str+=String.fromCharCode(eNc.charCodeAt(c)^1);eval(str)

And when you run that code on eNc variable (in order to decrypt it), you'll get the following JS code:

document.write('<script language="JavaScript1.2" src="script.js"></sc'+'ript>');

So, basically, the purpose of this waste-of-time script is to include another JavaScript file called "script.js", which resides in the same folder as the calling page...


sunsuron
Maniac

From: Cyberajaya, Kuala Lumpur, Malaysia
Insane since: Jul 2002

posted 07-12-2002 10:28

You got it mr.max!
I'll upgrade it next time
Thanks !

hlaford
Lunatic

From: USA! USA! USA!
Insane since: Oct 2001

posted 07-12-2002 15:21

i am tempted to laugh at the poor soul who thought that up, but i think i may be working with him.

Slime
Mad Scientist

From: Massachusetts, USA
Insane since: Mar 2000

posted 07-12-2002 16:21

You know, by replacing the word "eval" in that script with "alert", you can get a popup that contains the first bit of code that is executed =)

Then you just have to replace eval in *that* with alert also. (You can do this all in one step by assigning the first part to a variable, then running .replace(/eval/,'alert') on that variable, and eval'ing that.)

Proving, once again, that there is no such thing as security with client side coding.
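
The two layers discussed in the posts above can also be recovered statically, without passing anything to eval(). This is an added example, not part of any post; the function name peelLayers is an assumption, and the input is the snippet exactly as posted in the first message:

```javascript
// Added example: statically peel both layers of the posted snippet.
// Nothing taken from the sample is ever executed.

// The two script lines exactly as posted in the thread.
const PAGE_SCRIPT = [
  "eNc='enbtldou/vshud)&=rbshqu!m`oft`fd<#K`w`Rbshqu0/3#!rsb<#rbshqu/kr#?=.rb&*&shqu?&(:';",
  "eval(unescape('str%3D%27%27%3B for%20%28 var%20c%3D0%3Bc%3CeNc.length%3Bc++%29str+%3DString.fromCharCode%28eNc.charCodeAt%28c%29%5E1%29%3Beval%28str%29'));",
].join("\n");

function peelLayers(script) {
  // Layer 1: the decoder stub is only percent-escaped.
  const escaped = script.match(/eval\(unescape\('([^']*)'\)\)/);
  if (!escaped) throw new Error("no eval(unescape('...')) stub found");
  const stub = decodeURIComponent(escaped[1]);

  // The stub itself names the variable it decodes and the XOR key.
  const xor = stub.match(/(\w+)\.charCodeAt\(\w+\)\s*\^\s*(\d+)/);
  if (!xor) throw new Error("stub is not a single-byte XOR loop");
  const varName = xor[1];
  const key = Number(xor[2]);

  // Pull the encoded string literal assigned to that variable.
  const assign = script.match(new RegExp(varName + "\\s*=\\s*'([^']*)'"));
  if (!assign) throw new Error("encoded payload not found");

  // Layer 2: apply the same XOR to the string as data.
  const payload = Array.from(assign[1], ch =>
    String.fromCharCode(ch.charCodeAt(0) ^ key)).join("");
  return { stub, key, payload };
}

const layers = peelLayers(PAGE_SCRIPT);
console.log(layers.stub);
console.log(layers.payload);
```
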

Synthetic
Lunatic

From: under your rug,
Insane since: Jul 2001

posted 07-15-2002 06:12

WoW that's pretty cool maX & Slime

Could you point me to more info or sites to learn more about how that stuff works? I've searched google but found mostly junk...

Is this page using the same type of browser encryption? or something else?

edit = {edit removed link, I wouldn't want to give them free promotion now would I lol}

[This message has been edited by Synthetic (edited 07-16-2002).]

mr.maX
Mad Scientist

From: Belgrade, Serbia
Insane since: Sep 2000

posted 07-15-2002 06:27

Synthetic, I would suggest you not to waste time with this. As Slime said you can secure/encrypt client-side code...

Anyway, the web site that you linked uses a similar technique, and if you want to see the actual code, just replace the document.write() statement with alert() and you'll see the code.

BTW One thing that's funny about that web site is that they "encrypted" complete HTML code, including META data (keywords & description), and as a result search engines won't index them at all, because they don't interpret JavaScript code...


lallous
Lunatic

From: Lebanon
Insane since: May 2001

posted 07-15-2002 08:30

in addition to slime's code revealing techniques, i'd also say that you'd add a <form name='test'><textarea name=src></textarea></form>
and then instead of alert()ing the decrypted code, just do document.test.src.value = [decrypted string goes here]

so like that you can copy/paste the decrypted text for later usage.

mr.maX
Mad Scientist

From: Belgrade, Serbia
Insane since: Sep 2000

posted 07-15-2002 10:38

Under Windows 2K/XP, you can simply press Ctrl+C when an alert box appears and its contents will be copied to the clipboard. This also works with all other kinds of dialog boxes. So, there's no need for using forms and textarea fields (unless you still use the old Windows 9x)...

I bet that nobody knew this *trick*, heh...


sunsuron
Maniac

From: Cyberajaya, Kuala Lumpur, Malaysia
Insane since: Jul 2002

posted 07-15-2002 10:39

Instead of snippets, why not a challenge to find the correct password for this one:


<SCRIPT LANGUAGE="JavaScript">
// character set: digits, upper case, lower case (62 symbols)
var base= new Array("0", "1", "2", "3", "4", "5", "6", "7", "8", "9","A", "B", "C", "D", "E", "F", "G", "H", "I", "J", "K", "L", "M", "N", "O", "P", "Q", "R", "S", "T", "U", "V", "W", "X", "Y", "Z","a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y", "z")
var pass=""
var z=23;
var y=28;
var f= new Array();   // per-character weights, indexed like base
var K= new Array();   // characters of the entered password

// weights for 0-9
for (x=0; x<10; x++){
  f[x]=x<<9
  f[x]+=23
}
// weights for A-Z
for (x=10; x<36; x++){
  y=y<<1
  v= Math.sqrt(y)
  v = parseInt(v,16)
  v+=5
  f[x]=v
  y++
}
// weights for a-z
for (x=36; x<62; x++){
  z=z<<1
  v= Math.sqrt(z)
  v = parseInt(v,16)
  v+=74
  f[x]=v
  z++
}

var iCounter = 3

function inc() {
  iCounter--
  if (iCounter > 0) {
    if (confirm("\nPassword is incorrect."))
      Check()
    else
      alert('Password incorrect.\nHahahahahaha.');
    history.go(-1);   // no braces above: runs after either branch
  }
  else
    alert('\nYour three tries are up.\nAccess Denied.');
  history.go(-1);     // no braces above: always runs
}

function Check() {
  pass = prompt("Enter your password.","")
  if(pass==null || pass==""){ history.go(-1) }
  else {
    var lpass=(pass.length)+1
    // copies from index 1, as posted
    for (l=1; l<lpass; l++) {
      K[l]=pass.charAt(l)
    }
    var code=0;
    for (y=1; y<lpass; y++) {
      for(x=0; x<62; x++){
        if (K[y]==base[x]){
          code+=f[x]
          code*=y
        }
      }
    }
    if (code== 374044)
      go()
    else
      inc()
  }
}

function go() { location.href=pass+".htm"; }
</SCRIPT>




Slime
Mad Scientist

From: Massachusetts, USA
Insane since: Mar 2000

posted 07-15-2002 13:18

I must admit, that's pretty tricky.

>> and << are bitshift operators, right?

I'll have a look at this later on.

lacapaca
Maniac

From: home sweet home
Insane since: Jun 2002

posted 07-16-2002 14:18

*rmr1 that gets the code=374044, but i still don't get why you started charAt with index 1? character 1 doesn't matter? also, the last one will be <undefined>. typo?? (this is why i had to put an extra character at the beginning)

i'm wondering, did you just put me to crack someone's page for you or you just want to test your code? i could explain how i did it so you could improve it (i also have a few pointers of my own)

anyway, i liked the idea but it wasn't too hard to figure it out.

[edit: typos and minor corrections ]

[This message has been edited by lacapaca (edited 07-16-2002).]

lacapaca
Maniac

From: home sweet home
Insane since: Jun 2002

posted 07-17-2002 19:19

some ideas:

  • just do the multiplication first, then the addition. that will add more complexity and make it harder to find the code.
  • try to use some one-way function to get the code
  • extend the charset



if you do the multiplication last, then the number of characters in the pass can be found easily (the code has to be dividable by it) and that's half the work

hope this was helpful

p.s. i wrote a proggie in ms vc++ 6 for this, if you're interested...

lallous
Lunatic

From: Lebanon
Insane since: May 2001

posted 07-19-2002 10:37

so basically you brute-force cracked it? cause porting it to vc will faster the bruteforce process (especially that the charset is small).


lacapaca
Maniac

From: home sweet home
Insane since: Jun 2002

posted 07-19-2002 15:53

well, that's what i was saying. brute force was made way too simple by the algorithm. it can find the correct pass in no time.

but what do you think lallous about the way he gets the password, copying it into the K array but starting from 1 and to length+1?? do you think he wanted it that way?

i don't think it was 100% brute force (that would be blind search, imho). i used the information i could from the code.

you think there's another way to 'crack' it?

lallous
Lunatic

From: Lebanon
Insane since: May 2001

posted 07-20-2002 10:10
quote:
for (y=1; y<lpass; y++)
{
for(x=0; x<62; x++)
{
if (K[y]==base[x])
{

code+=f[x]
code*=y

}
}

}



that was the core checking, and all the arrays are constants independent of the password entered.

code initially is zero.
i denote by x1, x2, xn the value of f[x] when K[y]==base[x].

the formula at every 'y' change is:

y=1 -> (0+x1)*y1 = x1*y1
y=2 -> (x1*y1 + x2)*y2 = x1*y1*y2 + x2*y2
.
.
.
y=n -> x1*y1*y2*...*yn + x2*y2*y3*...yn + .... + xn*yn

every yj * yi is known -> y1*y2 = constant ...
so we only have to find x1 to xn (where n is the length of the password) such: x1*k1 + x2*k2 + ... + xn*kn = 374044
(where 'k' = constant)

so it is simpler than bruteforcing because one can write a smart/optimized bruteforcer.

i looked at it a bit fast, so excuse me if i was wrong!

what do you think laca?
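
The expansion in the post above, checked against a port of the posted check. This is an added example, not code from the thread; the function names are assumptions, the inputs are constructed, and the closed form assumes every character after the first is in the 62-symbol set:

```javascript
// Added example; not code from the thread. BASE and the weight table F are
// built the same way as in sunsuron's script.
const BASE = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

function buildTable() {
  const f = [];
  let y = 28, z = 23;
  for (let x = 0; x < 10; x++) f[x] = (x << 9) + 23;
  for (let x = 10; x < 36; x++) { y <<= 1; f[x] = parseInt(Math.sqrt(y), 16) + 5; y++; }
  for (let x = 36; x < 62; x++) { z <<= 1; f[x] = parseInt(Math.sqrt(z), 16) + 74; z++; }
  return f;
}
const F = buildTable();

// Port of the loop in Check(): K[l] = pass.charAt(l) for l = 1..length, so
// character 0 is never read and charAt(length) is "" (matches nothing).
function originalCode(pass) {
  let code = 0;
  for (let y = 1; y <= pass.length; y++) {
    const ch = pass.charAt(y);
    const x = ch === "" ? -1 : BASE.indexOf(ch);
    if (x !== -1) { code += F[x]; code *= y; }
  }
  return code;
}

// lallous's expansion: code = x1*k1 + ... + xn*kn with k_i = i*(i+1)*...*n.
// Assumes every character after the first is in BASE; n = pass.length - 1.
function closedFormCode(pass) {
  const n = pass.length - 1;
  let total = 0;
  for (let i = 1; i <= n; i++) {
    let k = 1;
    for (let j = i; j <= n; j++) k *= j;
    total += F[BASE.indexOf(pass.charAt(i))] * k;
  }
  return total;
}

// lacapaca's point: the last step multiplies by n, so n must divide the target.
function candidateCounts(target, max) {
  const out = [];
  for (let n = 1; n <= max; n++) if (target % n === 0) out.push(n);
  return out;
}

// Constructed inputs: the first character differs, the rest is identical.
console.log(originalCode("XA0"), originalCode("?A0"), closedFormCode("XA0"));
console.log(candidateCounts(374044, 12));
```
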

lacapaca
Maniac

From: home sweet home
Insane since: Jun 2002

posted 07-20-2002 21:17

yeah... i thought about this and i don't think it's bruteforce, i think it's reverse engineering. the 'core checking' as you so elegantly put it is too simple. it can be reversed with a bit of guessing. i don't think that guessing part qualifies for brute force.

if the multiplication would come first, then it would be harder, given a good initial f[x] is chosen. that multiplication just has to go!

that's what I think.
btw, how in the hell did you guess my name (actually nickname) is laca????

lallous
Lunatic

From: Lebanon
Insane since: May 2001

posted 07-22-2002 08:16

i called you 'laca' just because of laziness, most of us call half of our names sometimes...

btw, i like this sort of password hacking and stuff...

lacapaca
Maniac

From: home sweet home
Insane since: Jun 2002

posted 07-22-2002 11:46

well, i guessed that you like this kind of stuff. lol, you're the only guy (girl?) who hangs around here (besides me). even this sunsuron fellow abandoned his thread

anyway, i like this stuff too (go figure). but i don't bother to secure javascript. it's useless, imho, as one can see here...

lallous
Lunatic

From: Lebanon
Insane since: May 2001

posted 07-22-2002 14:59

lallous is male (derived from elias->lello->lallous).

javascript can be secure!

you can make something really hard to be broken using only the md5() and some techniques!

(md5() was ported to javascript).

if you've got something nice and does not require much time, post it so we can play with !

lacapaca
Maniac

From: home sweet home
Insane since: Jun 2002

posted 07-22-2002 17:53

i was talking about securing javascript, i.e. the code.
you can secure data with md5, but not code.

as i said i don't develop javascript security code, but if i come across something interesting i'll let you know

btw. doesn't yahoo use some kind of encryption at login (md5 maybe??)

lallous
Lunatic

From: Lebanon
Insane since: May 2001

posted 07-23-2002 09:08

when i referred to using md5() i was giving an example in the same context as this thread itself! secure/hide a page that is hidden (you don't know its name).

so you're interested in protecting the code itself?
yes, javascript can't really do it...
not even a win32 app can do it...it has been said that:
"if it runs, it can be defeated"
parody of Arnold's movie:
"If it bleeds, it can be killed" ...

so no matter how much you hide/protect the code, at certain levels your code will be exposed to trained eyes...

yes, yahoo uses md5 in its unsecure login page.

/lallous

Slime
Mad Scientist

From: Massachusetts, USA
Insane since: Mar 2000

posted 07-23-2002 11:13

Hmm, well, now that I've seen sunsuron's code, I believe that you *could* hide a password through JS reasonably successfully if you could find a function whose inverse is nearly impossible to find. This is the basic idea behind encryption algorithms.

lallous
Lunatic

From: Lebanon
Insane since: May 2001

posted 07-23-2002 14:43

yes, Slime you can hide other pages' name/link/passwords very securely but you can't hide the page's code itself securely. the page can always be decrypted as you showed above.

anyway, what's the url ?

Slime
Mad Scientist

From: Massachusetts, USA
Insane since: Mar 2000

posted 07-23-2002 14:55

Well, the advantage is that you can use this to hide the name of a file. And if you otherwise prevent anyone from getting a directory listing, finding that file could require knowing its filename.
