
A Little Challenge (Part 1 of 2)

Several months ago, I was given credentials to download a piece of software. When I later needed to download another copy, I found that I had forgotten the password. I anticipated it would take quite a while to email the people in charge, and on a whim I decided to take action. Right click, view source.

To my surprise, all the authentication was done in JavaScript, though in all fairness it was “encrypted.” That means everything the check relies on is sent to the browser along with the page. I’ve changed the underlying keyphrase in the code example below, and I pose a small puzzle: find the password.

You may find jconsole helpful.

// Data and state for the in-page password check. Every value declared here is
// part of the page source and therefore visible to anyone who loads the page.
var pass=new Array()
// Accumulates the transformed input characters; submitentry() resets it on each call.
var t3=""
// Number of leading characters submitentry() compares.
var lim=8
// Table of strings. The functions below take small parameters from the leading
// characters of some entries and compare the transformed input against one entry.
pass[0]="fE13Cw9emtKIg1F"
pass[1]="wKTuZEy387Im8b2"
pass[2]="3NKevEgjpWWwmSE"
pass[3]="CryO6BmP9XpUlke"
pass[4]="8R4Gf2sgs5Xs5KI3"
pass[5]="62GZJ9Dzc2y8lBTU"

// NOTE(review): extension, enablelocking, temp3 and cur are not referenced by any
// function in this listing.
var extension=".html"
var enablelocking=0
// Alphabet whose character positions testit() uses as numeric codes.
var numletter="0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
var temp3=''
var cur=0

/**
 * Returns the first character of pass[Math.ceil(which) + 3]; the expression
 * (3&15) evaluates to 3.
 *
 * The result is a one-character string, not a number. Both call sites in this
 * listing compare it with numbers and rely on JavaScript's implicit coercion.
 * Throws a TypeError if the computed index has no entry in pass.
 *
 * @param {number} which - value whose ceiling selects the table entry.
 * @returns {string} first character of the selected pass entry.
 */
function max(which){
return (pass[Math.ceil(which)+(3&15)].substring(0,1))
}

/**
 * Maps one input character to one output character: it looks up the
 * character's position in numletter, XORs that position with a number parsed
 * from the pass table, and returns the numletter character at the result.
 *
 * Reads the global phase1, which submitentry() assigns before calling this.
 *
 * @param {string} input - single character to transform.
 * @returns {string} one character of numletter, or "" when the XOR result is
 *   not a valid position in numletter.
 */
function testit(input){
// No var: temp becomes an implicit global. indexOf yields -1 for a character
// that is not in numletter.
temp=numletter.indexOf(input)
// (1|3) is 3, so the table index is phase1+2. parseInt is called without a
// radix on the first two characters of that entry; the result is the XOR key.
var temp2=temp^parseInt(pass[phase1-1+(1|3)].substring(0,2))
temp2=numletter.substring(temp2,temp2+1)
return (temp2)
}


/**
 * Checks the value typed into the password field and reports the outcome with
 * alert().
 *
 * The whole comparison runs in the page script: the transformation (testit),
 * its parameters and the string it is compared against all come from the
 * pass table in this same script.
 * NOTE(review): a check like this only decides what the page displays. It
 * cannot protect a resource, because the script and its data are in the
 * visitor's hands; access decisions belong on the server.
 */
function submitentry(){
t3=''
// Reads the field named password2 in the form named password1. No var:
// verification is an implicit global.
verification=document.password1.password2.value
// Math.ceil(Math.random()) is 1 unless Math.random() returns exactly 0, and
// (2<<2) is 8, so phase1 is 3 (2 in that one case). Implicit global, read by testit().
phase1=Math.ceil(Math.random())-6+(2<<2)
var indicate=true
// (1&2) is 0. Math.ceil(Math.LOG10E) is 1, so max() returns the first character
// of pass[4], the string "8", which `<` coerces to the number 8. window.max is
// the max() declared in this script. i is an implicit global.
for (i=(1&2);i<window.max(Math.LOG10E);i++)
t3+=testit(verification.charAt(i))
// Math.sin(Math.PI/2)-1 rounds to 0, so the comparison target is pass[phase1].
// Only the first lim characters are compared.
for (i=(1&2);i<lim;i++){
if (t3.charAt(i)!=pass[phase1+Math.round(Math.sin(Math.PI/2)-1)].charAt(i))
indicate=false
}
// Loose != compares the numeric length with the one-character string from max().
if (verification.length!=window.max(Math.LOG10E))
indicate=false
if (indicate)
alert("Correct password.")
else
alert("Invalid password. Please try again")
}

You can also get it in a testable html page.