
Can you crack this code?

Status
Not open for further replies.

meeble

Programmer
Sep 24, 2002
137
GB
My friend uses this code on his paysite for people with a password. I've told him I think it's too weak as it's JavaScript but he says it's fine. Can anyone crack this or is it ok?

Can you find out the password? I admit, I can't...

<script>

var pass=new Array()
var t3=""
var lim=5
pass[0]="SKGGk6Y6CObrhkR"
pass[1]="hUYRL9vGfkjpnfu"
pass[2]="kYU9MqqvbPMEXcZ"
pass[3]="DwyysHn5vwZML1f"
pass[4]="5ehoWp1uSs60U1IF"
pass[5]="62ehoWp1uSs60U1I"

//configure extension to reflect the extension type of the target web page (ie: .htm or .html)
var extension=".html"
var enablelocking=0
var numletter="0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
var temp3=''
var cur=0


function max(which){
return (pass[Math.ceil(which)+(3&15)].substring(0,1))
}

function testit(input){
temp=numletter.indexOf(input)
var temp2=temp^parseInt(pass[phase1-1+(1|3)].substring(0,2))
temp2=numletter.substring(temp2,temp2+1)
return (temp2)
}


function submitentry(){
t3=''
verification=document.password1.password2.value
phase1=Math.ceil(Math.random())-6+(2<<2)
var indicate=true
for (i=(1&2);i<window.max(Math.LOG10E);i++)
t3+=testit(verification.charAt(i))
for (i=(1&2);i<lim;i++){
if (t3.charAt(i)!=pass[phase1+Math.round(Math.sin(Math.PI/2)-1)].charAt(i))
indicate=false
}
if (verification.length!=window.max(Math.LOG10E))
indicate=false
if (indicate)
window.location=verification+extension
else
alert("Invalid password. Please try again")
}
</script>
 
Nice challenge. Took an hour and 10 mins (that included making the kids brekkie as well).

I don't want to give it away for others that may want to crack the code. So here's a clue that proves I've found it out. Garfield/Felix.

I bet your friend has got a history in Machine Code programming. It shows in his code.

So what's the address of his website? ;)

Modalman

ASCII silly question, get a silly ANSI
 
I KNEW it was crackable. Are you sure you've got it? My email is jamesf4218@yahoo.co.uk.

Can you give me the password or the page? I'll try it and let you know if you're right or not before I go gloating.

Then I'll show him this thread. Maybe you can be his security consultant... ;)
 
Mmmmm, with all due respect I could be giving you access to a site that you should not be accessing. You say he's your friend but I would have to take your word for that. How about you give me the site name and then I can see for myself whether you're trying to get into the Pentagon or not. If I think the site is not that important then I'll send you the password.

Hope you can see where I'm coming from.

Modalman

ASCII silly question, get a silly ANSI
 
Nice try pal ;)

I can't give you my friend's site and have you get in if you've really cracked the code.

And quite frankly, if the Pentagon is using a JavaScript script to safeguard its secrets, then America has a lot more to worry about than an election stealing dunce of a president...
 
Seems to me that if he's your "friend", he'd give you the password!

There's always a better way. The fun is trying to find it!
 
>>Seems to me that if he's your "friend", he'd give you the password!



What would be the point in that??!!

Did you read the original post?

I don't WANT the password. I want to prove that JavaScript is unstable and not a secure way of securing a pay site.

It seems I was wrong though. No one here has been able to crack it so I will save my comments about how unsuitable JavaScript is for another time.

It would have been nice to get some useful advice from JavaScript experts on the subject, but the replies so far have been less than helpful.

If anyone does manage to crack it, let me know by email, but if a forum of JavaScript 'experts' can't then I doubt the average surfing Joe will be able to.

James
 
It took me 40 minutes. I can confirm that modalman has it right. I had to laugh after I found out what his clue meant!

meeble, to answer your question
1. yes it's crackable
2. yes JavaScript is unsuitable for encryption
3. no you ain't gettin' the password from me

Adam
while(ignorance==true){perpetuate(violence,fear,hatred);life=life-1};
 
QUOTE: I don't WANT the password. I want to prove that JavaScript is unstable and not a secure way of securing a pay site.

Then point your friend to this thread.

----------
I'm willing to trade custom scripts for... [see profile]
 
hmm - took about 20 mins, I didn't crack it by reading it, I wrote a program using his function.... I'm guessing that this site isn't for kids...

Programming today is a race between software engineers striving to build better and bigger idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning. - Rick Cook (No, I'm not Rick)

 
The password = [noevil]


Ask your friend to join the site and read this post.



Can I officially close this post?
Thank you.
 
Heh, EXCELLENT point stormbind. Why don't you just point your friend to this thread meeble? Or do you wanna give him the password so that you can get all the "glory" of figuring it out "yourself"? I especially liked the quote from above:

>>It seems I was wrong though. No one here has been able to crack it so I will save my comments about how unsuitable JavaScript is for another time.

Seems a bit elementary to pass accusations that nobody has solved it, especially considering modalman told you he had in the first reply.

-and-

>>It would have been nice to get some useful advice from JavaScript experts on the subject, but the replies so far have been less than helpful.

If your knowledge is so broad so as to make judgement what a JavaScript expert is or isn't, why not just solve the problem yourself? Adam and mwolf are regular posters on this forum and have received many stars for other members. This kinda leads me to believe that if they said they cracked the code, they probably did.

All that said, I guess that your friend's password algorithm is secure in the sense that all the ppl that know how to crack it don't know the site, and the ppl that know the site don't know how to crack it.

-kaht

 
mwolf00,
Actually it only took me two minutes, it took me 38 minutes to find my Cap'n Crunch cereal decoder ring. [pirate]


Adam
while(ignorance==true){perpetuate(violence,fear,hatred);life=life-1};
 
Hehe.. what can I say...

I guessed the correct pwd from the first poster's clue before even trying... But had to prove myself right ;o)

16 minutes later, and I got it too.

Incidentally, most of the original code is all waffle... Used to obfuscate simple constant values. Here is what the code boils down to:

Code:
<html>
<head>
<script language="javascript">
<!--
	var numletter = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
	var pass = new Array();
	pass[0] = "";
	pass[1] = "";
	pass[2] = "";
	pass[3] = "Dwyys";
	pass[4] = "";
	pass[5] = "";

	function testit(input)
	{
		temp = numletter.indexOf(input);
		var temp2 = temp^62;
		temp2 = numletter.substring(temp2, temp2+1);
		return (temp2);
	}
	
	function submitentry()
	{
		var t3 = "";
		verification = "password guess here";
		var indicate = true;

		for (i=0; i<5; i++) t3 += testit(verification.charAt(i));
		for (i=0; i<5; i++)
		{
			if (t3.charAt(i) != pass[3].charAt(i)) indicate = false;
		}
		if (verification.length != 5) indicate = false;
		if (indicate) alert("Right Password!");
			else alert("Wrong Password");
	}
//-->
</script>
</head>
<body onload="submitentry();">
</body>
</html>

And it can probably be reduced even more than that.

My money is still on Password Pro for Javascript client-side pwd protection... My cracker ran 24/7 for 3 months on that baby, and I still never got my password ;o)

A fun project all the same! ;o)

Dan
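
The reduction posted above holds because every "random-looking" expression in the original script is a constant, and the per-character XOR is its own inverse. The following is an added example, not code posted by anyone in this thread: it evaluates the script's expressions as written and round-trips a constructed password ("hello") through the same mapping as `testit()`. The names `ALPHABET`, `STORED_KEY_ENTRY`, `deobfuscatedConstants`, `transform` and `roundTrip` are assumptions made for the example.

```javascript
// Added example, not code from the thread.
// ALPHABET is the script's `numletter`; STORED_KEY_ENTRY is its pass[5].
const ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
const STORED_KEY_ENTRY = "62ehoWp1uSs60U1I";

// Evaluate the script's obfuscated expressions exactly as written.
// Math.random() is replaced by 0.5: every value in (0, 1) ceils to 1.
function deobfuscatedConstants() {
  const phase1 = Math.ceil(0.5) - 6 + (2 << 2);
  return {
    loopStart: 1 & 2,
    lengthIndex: Math.ceil(Math.LOG10E) + (3 & 15),
    keyIndex: phase1 - 1 + (1 | 3),
    targetIndex: phase1 + Math.round(Math.sin(Math.PI / 2) - 1),
    xorKey: parseInt(STORED_KEY_ENTRY.substring(0, 2)),
  };
}

// Same per-character mapping as testit(): look the character up, XOR the
// index with the key, look the result up again. Characters outside the
// alphabet, or whose XORed index falls past its end, map to "" just as
// substring() does in the original.
function transform(text, key) {
  let out = "";
  for (const ch of text) {
    const idx = ALPHABET.indexOf(ch);
    const mapped = idx < 0 ? -1 : idx ^ key;
    out += mapped >= 0 && mapped < ALPHABET.length ? ALPHABET[mapped] : "";
  }
  return out;
}

// Constructed sample: what a site owner would have to publish in the page
// for the password "hello", and what any visitor can compute back from it.
function roundTrip(password) {
  const { xorKey } = deobfuscatedConstants();
  const published = transform(password, xorKey);
  return { published, recovered: transform(published, xorKey) };
}

console.log(deobfuscatedConstants());
console.log(roundTrip("hello"));
```

Because the stored value, the key and the mapping all ship to the browser, the comparison value is equivalent to the password itself; only a check enforced on the server keeps the protected page private.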
 
It would seem I need to point out how a forum works.

Somebody posts a question and if you know the answer, you post it OR, if you don't you don't post it.

You don't cast aspersions on that person's integrity or claim to have the answer but refuse to give it. This is unhelpful and simply highlights you as someone who is paranoid and suspicious, or someone who, having no power in his life gets a sad thrill out of knowing something someone else doesn't.

This was a genuine query to help a friend I didn't want to see get ripped off.

Sadly, all I seem to have done is expose the mentality of the type of individual who gives the web a bad name.

Out of all the posts I got, the ones by BillyRayPreachersSon and mwolf00 were the most useful.

I had thought about people running programs to crack code although I've never seen one of these working. I think this may be a bigger problem than people working it out from scratch.

For those of you who haven't got it yet, the password is 'p*ussy' (without the star). And no, it isn't an adult site. I think he may have stolen this script off the net and used it - I don't think his programming is good enough to come up with this.

Anyway, for those that helped - thank you.

For those who refused (or were unable) to help with that puzzle, here's another, much simpler one for you to solve.

Rearrange the letters below to spell a well known phrase.

(And don't bother emailing me when you get this one).

'GTE A LEFI'

;)

James
 
James -

As honorable as I'm sure your intentions are, there are those who have used Tek-Tips to attempt hacks and code cracks. There is NO WAY for us to know who you are and what your intentions are. In a case like this, it is better for us to use our judgement and not give you the password. Your original question was "Can anyone crack this or is it ok? Can you find out the password?". You did not ask for the password itself nor for the code to crack it.

Several of us let you know that we could indeed crack the code and therefore it was not "ok" for security. We are not trying to be pains, we are just trying to be safe.

Programming today is a race between software engineers striving to build better and bigger idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning. - Rick Cook (No, I'm not Rick)

 

James,

Normally I'd agree with you - and have pointed the same thing out to people in the past.

However, Tek-Tips is for "Computer Professionals", and thus I wouldn't want to demean the status of us as professionals by posting the actual answer.

It is most likely that either the password was for a pr0n site, or the friend chose the password to appear as rude... Many of us who have found the solution are of that same opinion.

But for the sake of wanting to help, but without appearing rude and unprofessional, the password is "pussy".

Dan
 
Dan -

He actually posted it in his last post...

Programming today is a race between software engineers striving to build better and bigger idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning. - Rick Cook (No, I'm not Rick)

 