Webpages source fishing
Javascript "protections"

by jcr
(08 September 1997)


Courtesy of Fravia's page of reverse engineering

Well, this is a VERY interesting essay, in my opinion... see, if you have a look at my antismut pages, you'll see that one of them is dedicated to the gathering of tiny information snippets that are frequently "forgotten" inside the html source code of many pages. I have personally destroyed many sites using that information. You may need some other tools: a java decompiler (in order to disassemble java compiled code, duh) and a "classviewer" (and a java virtual machine of course) in order to practise this kind of nice activity... in the meantime you'll have your fun just examining the source code of all "suspect" pages, as jcr teaches us with this very interesting example of a stupid web protection. Here is what he wrote to me:

fravia: i came across this web protection that made me laugh, and 
then cry. It's just dumb, dumb dumb dumb.
And the most saddening aspect is that the guy does have a brain, 
because the code is interesting.
It's like shorting out a terribly complex copy protection scheme 
with a silly simple jmp.
       

jcr    (j, seer of the code)        


Webpages source fishing Javascript "protections" by jcr, September 1997
A candidate for the stupidest (web-based) protection scheme: I'm sorry if this is not appropriate material, but i just had to document this blatant misuse of a brain (such a terrible thing to waste!). This is not at all a crack, and has nothing to do with disassembly language, but it is the st00pidest implementation of "security" on the web i have ever seen. While i was pursuing after our beloved softice 3.2 (yes 3.2), walking the warez road for all its sin (i'd buy the damn thing but i haven't scrounged up a bleeding cent towards the 559$US or so needed, this hacking gig isn't putting down the bills, you catch?), anyway, i came across this silly little site at: http://www.octonline.com/usr/fity07/main.htm (which does NOT host THE debugger). The story, as the author writes, is that you have to click on these ad banners, muck around through all this bullshit commercialization, and find a keyphrase (uh-oh) in order to enter the warez site. I'm not into that, i don't like that, so i won't do that. I hit the warez site, and sure enough am presented with a form asking me to login.
Let's see first of all if there is anything in the markup that i can use to my advantage (please excuse: here is the markup in its entirety):

pwd.htm:

    <HTML><HEAD>
    <SCRIPT LANGUAGE="JavaScript">
    <!-- Hide from JavaScript-Impaired Browsers
    al="`1234567890-=~!@#$%^&*()_+qwer"
      +"tyuiop[]QWERTYUIOP{}|asdfghjkl;A"
      +"SDFGHJKL:zxcvbnm,./ZXCVBNM<>?";
    ab1="";
    bctr=0;

    function ckPwd(){
      tst=document.isn.username.value+"*"+document.isn.passwrd.value+"*";
      ls=document.pd.pe.value;
      a=eval(ls.substring(0,2))-91;
      ls=ls.substring(2,ls.length);
      nls="";
      flg=0;
      while (ls.length>12){
        ab=eval(ls.substring(0,2))-89;
        ab1=(ab1==""?""+ab:ab1);
        oab1=ab1;
        ls=ls.substring(2,ls.length);
        for (var i=0;i<ab;i++){
          nr=eval(ls.substring(0,2))-a;
          ls=ls.substring(2,ls.length);
          nls+=al.charAt(nr);
        }
        nls+="*";
        if (nls.indexOf(tst)>-1){
          ls="";
          flg=1;
        }
      }
      if (flg==1){
        tstOk();
      }
      else{
        bctr++;
        if (bctr>3){
          /* Be sure to put the name of the page here to which you want
             visitors are to be sent after three tries if they FAIL to
             enter a correct password and user name. */
          location.href="error.htm";
        }
        else{
          alert("Sorry. Bad Username or Password."
               +" Failed Attempt #"+bctr+".");
        }
      }
    }

    function tstOk(){
      ab1=ab1+""+a;
      alert("OK. You Entered a Valid Username and Password, "
           +document.isn.username.value+"! Taking you to the"
           +" restricted page as soon as you click OK.");
      location.href="pwdss.htm?"+ab1;            <---- gee, that's sweet
    }

    function srand() {
      today=new Date();
      rand=today.getTime();
      picker=""+rand
      picker=picker.charAt((picker.length-4));
      rec=eval(picker);
    }
    // End Hiding -->
    </SCRIPT>
    </HEAD>
    <BODY BGCOLOR="white"><CENTER>
    <FORM NAME="pd">
    <!-- IMPORTANT: After you run the pseudo-encrypter, you will get a "hidden"
         form element constructed especially for your own user names and
         passwords. Paste that form element right below this note and above
         the end of form tag. -->
    <!-- Paste this element into your main script named pwd.htm in the
         location indicated -->
    <INPUT TYPE='hidden' NAME='pe' VALUE='999881643741603841598498816759606041815967 '>
    </FORM>
    <!-- You may put any page content you wish here
         The HTML below for the password entry is presently set for blue
         background and white type. You may change colors to fit your own
         page design without impacting on the script, so long as the form
         elements stay the same. -->
    <FORM NAME="isn">
    <TABLE BORDER=2 CELLPADDING=5 CELLSPACING=0 BGCOLOR=BLUE>
    <TR><TD COLSPAN=2 ALIGN=CENTER><FONT SIZE=4 COLOR=WHITE FACE="helvetica,arial,geneva"><B>Password Access<BR>to Our Restricted Pages</B></FONT></TD></TR>
    <TR><TD><FONT SIZE=3 COLOR=WHITE><B>Your User Name:</B></FONT></TD>
        <TD><INPUT TYPE="text" NAME="username" VALUE="" SIZE=10></TD></TR>
    <TR><TD><FONT SIZE=3 COLOR=WHITE><B>Your Password:</B></FONT></TD>
        <TD><INPUT TYPE="password" NAME="passwrd" VALUE="" SIZE=10></TD></TR>
    <TR><TD COLSPAN=2 ALIGN=CENTER><INPUT TYPE="button" NAME="btn" VALUE=" Submit " onClick="ckPwd();return false;"></TD></TR>
    </TABLE></FORM>
    <!-- Put any other content you wish on your page here -->
    <SCRIPT LANGUAGE="JavaScript">
    <!-- Hide JavaScript from Java-Impaired Browsers
    /* This little script at the bottom of your page isn't strictly
       necessary, but it does put the visitor's cursor in the password
       form. It's a small, but polite and thoughtful thing to do for
       your visitors. */
    document.isn.username.focus();
    // End Hiding -->
    </SCRIPT>
    </BODY>
    </HTML>

And here is the effect. The whole thing reminds me so much of deprotecting and otherwise reengineering that i couldn't help but think of fravia and the stupid protectionists page (or is that just the "stupid protections" page?). Anyways, right there, right in the middle of the markup, i stare at a link to the following scrap of markup:

pwdss.htm:

    <!-- Create this intervening page named "pwdss.htm" to help keep the
         restricted page URL a bit more difficult to discern. -->
    <HTML><HEAD><SCRIPT LANGUAGE="JavaScript">
    ck=location.search;
    if (ck!="?98"){
      /* Substitute your own WRONG destination here. */
      location.href="error.htm";             <-- Wanna this page
    }
    else{
      /* Put the correct restricted page name here. */
      location.href="waret.htm";             <-- or rather this one?
    }
    </SCRIPT></HEAD></HTML>

The moral of this sad tale is: don't waste your time coercing your markup language to implement security. IT WON'T DO, YOU CANNOT HIDE BEHIND YOUR JAVASCRIPT, NOR YOUR JAVA CLASS, NOR YOUR ACTIVE-X. If the protectionist's code must live on a host, it will never be secure. Sad to say, this protection would be secure only against the most naive web-idiot ("uhh, what's 'view source'... an option?"). Or: don't confuse obscurity and obfuscation with security. j, seer of the code. ps: or maybe i'm just the rare sort that happens to source the majority of the web pages encountered... and for that matter... of the programs encountered ;-)
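Editor's added example, not part of jcr's essay nor of the quoted pwd.htm/pwdss.htm script: a plain Node.js rerun of the decoding that ckPwd() performs on its own hidden 'pe' field, starting from nothing but what view-source shows. The character table, the field value and the "?98" check are copied from the two pages above; the function names decodePe, ckPwdOffline, pwdssDestination and destinationWithoutPassword are mine, and parseInt stands in for the page's eval(). It makes the moral concrete: every record the login check compares against, and the token the pwdss.htm gate expects, fall out of the source without anyone typing a password.

```javascript
// Added example (not jcr's code, not the quoted script): what the hidden
// field of pwd.htm gives away to anyone who reads the page source.

// Character table copied from pwd.htm (the variable `al` there).
const AL = "`1234567890-=~!@#$%^&*()_+qwer" +
           "tyuiop[]QWERTYUIOP{}|asdfghjkl;A" +
           "SDFGHJKL:zxcvbnm,./ZXCVBNM<>?";

// The hidden <INPUT NAME='pe'> value exactly as quoted in the essay,
// trailing space included.
const PE_FROM_ESSAY = "999881643741603841598498816759606041815967 ";

// Mirror of what ckPwd() computes from the field: the per-character
// offset `a`, every decoded record, and the token that tstOk() appends
// to the pwdss.htm URL (ab1 + a). parseInt replaces the page's eval().
function decodePe(pe) {
  let ls = pe;
  const next2 = () => {                 // consume two digits, like eval(ls.substring(0,2))
    const v = parseInt(ls.substring(0, 2), 10);
    ls = ls.substring(2);
    return v;
  };
  const a = next2() - 91;               // a=eval(ls.substring(0,2))-91
  const records = [];
  let ab1 = "";
  while (ls.length > 12) {              // same loop guard as the page
    const ab = next2() - 89;            // length of the next record
    if (ab1 === "") ab1 = String(ab);   // ab1=(ab1==""?""+ab:ab1)
    let rec = "";
    for (let i = 0; i < ab; i++) rec += AL.charAt(next2() - a);
    records.push(rec);
  }
  return { a, records, token: ab1 + a };   // "9" + 8 -> "98"
}

// ckPwd()'s acceptance rule, run offline: the form is accepted when
// "user*pass*" occurs in the concatenated records.
function ckPwdOffline(pe, username, password) {
  const nls = decodePe(pe).records.join("*") + "*";
  return nls.indexOf(username + "*" + password + "*") > -1;
}

// pwdss.htm's only decision: the query string picks the destination.
function pwdssDestination(query) {
  return query === "?98" ? "waret.htm" : "error.htm";
}

// Where the gate sends a visitor carrying the token derived from the
// field alone, i.e. without knowing any username or password.
function destinationWithoutPassword(pe) {
  return pwdssDestination("?" + decodePe(pe).token);
}

if (typeof require !== "undefined" && require.main === module) {
  const d = decodePe(PE_FROM_ESSAY);
  console.log("offset a:", d.a);
  console.log("records in the hidden field:", d.records);
  console.log("gate token:", d.token, "->", destinationWithoutPassword(PE_FROM_ESSAY));
}
```

Run it with node and compare the output with the two pages: the records are the very strings ckPwd() matches against, and the token is the one tstOk() would have put after "pwdss.htm?". Nothing here is cryptanalysis; it is the page's own routine executed outside the browser, which is why the only fix is to move the check to the server and keep the list off the client entirely.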
(c) jcr, 1997. All rights reversed.