Can anyone make sense of this?
Results 1 to 5 of 5

Thread: Can anyone make sense of this?

  1. #1
    Member
    Join Date
    Jun 2003
    Posts
    58

    Can anyone make sense of this?

    I'm having problems figuring out this javascript:

    <HTML>
    <HEAD>
    <TITLE>Null</TITLE>
    <SCRIPT>

    var string = "8ac249fbd363fx52j1";
    var enigma = "";
    var whatisthis = "var myxor = prompt('Password:','');

    for (y=1; y<5; y++)
    {
    enigma += (string.indexOf(y)+1);
    }
    enigma += 5;
    if (myxor==enigma)
    {
    enigma = enigma + '.php';location.href=enigma;
    }
    else{location.href='hahaha.php';
    }";

    eval(whatisthis);

    </SCRIPT>
    </HEAD>
    <BODY></BODY>
    </HTML>

    I kind of separated it a little bit for it to be somewhat understandable. For those who might recognize it, this is some source code for the first level of the Mod-X wargame. I'm a real newbie at this and can't get some of it....mainly I don't understand what += means. Can anyone help?

    [Edit: This is me assuming this is javascript. I mean, I see the script tag, but I don't know if it's java. Just a naive assumption. Correct me if I'm wrong]
    \"I ONLY DRINK THE BLOOD OF MY ENEMIES....and maybe a strawberry yoohoo....and a...Pina Co-la-da!...
    If you like pina coladas....ugh!, gettin\' caught in the rain....ugh!\"
    -Sarge

  2. #2
    Super Moderator
    Know-it-All Master Beaver

    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,

    Now I'm not much of a javascript user... in fact if i use more than 2 lines anywhere I'd be impressed.. but this looks fairly straightforward.
    Code:
    string = 8 a c 2 4 9  f  b  d  3  6   3    f    x    5     2    j    1
                 0 1 2 3 4 5 6  7  8  9 10 11 12  13  14  15  16  17
    So the first time through string.indexOf(1) = 17
    The next time string.indexOf(2) = 3
    string.indexOf(3) = 9
    string.indexOf(4) = 4

    when you add 1 you get the values of
    18
    4
    10
    5

    Then they add 5

    so.. 1841055

    The only thing to take into account (the number will vary on this.. it isn't always the same).. if the number doesn't exist in the string.. it will return a value of -1... so when you add one.. you'll get a 0.


    Anyways... I went through a tested this and that's how I'd assume it was done (and it worked for me)....

    Peace,
    HT

    PS if you want more of an explanation let me know.
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  3. #3
    Hi mom!
    Join Date
    Aug 2001
    Posts
    1,103
    variable += value

    is the same as

    variable = variable + value

    The same goes for a number of other operators.

    Furthermore, try to use the [ code ] tags when you supply code, it's much easier on the eyes this way:

    Code:
    var string	= "8ac249fbd363fx52j1";
    var enigma	= "";
    var whatisthis	= "var myxor = prompt('Password:','');
    
    for (y=1; y<5; y++)
    {
    	enigma += (string.indexOf(y)+1);
    }
    
    enigma += 5;
    
    if (myxor==enigma)
    {
    	enigma = enigma + '.php';location.href=enigma;
    }
    else
    {
    	location.href='hahaha.php';
    }";
    
    eval(whatisthis);
    Also, it's easy to tell the difference between java and javascript: java is not a script language, so you can't supply java-code in HTML. You could, however, add java-applets (pre-compiled java code) to your HTML. You'd use the <APPLET> tag for that, as opposed to the <SCRIPT> tag you use for javascript.

    Furthermore, the browser should be told what kind of script is loaded, so if you wrote a page like that, you should modify the <SCRIPT> tag to include something like this: <SCRIPT type="text/javascript">

    If you'd use VBScript, you'd do something like this: <SCRIPT type="text/vbscript">

    More information on the HTML <SCRIPT> tag on http://www.w3.org/TR/REC-html40/interact/scripts.html

    Finally this remark: the code from that game is a bad, bad example on how to supply password protection (you just cracked it, that should be evidence enough :P ). As a rule of thumb, all protection that is solely client-sided (javascript, html-constructions, flash, java-applets, vbscript, etc) is useless, because you're sending the client the 'key to your lock' in some way or another, even before you validate that the user actually is a valid user.
    I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.

  4. #4
    Hi mom!
    Join Date
    Aug 2001
    Posts
    1,103
    Apparently, I wasn't clear in my previous post. Hope this helps.

    Hey Hey,

    It's all fine and dandy that you were explaining what he wanted to know... but you didn't explain it... since he knows nothing about it you would have created more confusion...

    a = 5
    a += 5

    Now what does a = ...

    The way the code is written it wants 55... but saying that it's variable = variable + value (you wrote it out in english... in english + means add by default.. not append)... which would make the value 10... If you're going to post regarding the matter you need to clarify it.
    In other words: the + sign in javascript both adds as concats:

    1+2=3
    but
    '1'+'2' is '12'

    (in the first example, 1 and 2 are numbers, in the second example they are characters).

    Depending on the type of your variables and values, variable += value (or variable = variable + value for that matter) could do something different.

    In any case:
    variable += value does the same thing as variable = variable + value.
    It's just a shorter way of writing things down.
    For example: the same goes for variable -= value

    Criticizers of this world and the next: did I satisfy you now?
    I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.

  5. #5
    Member
    Join Date
    Jun 2003
    Posts
    58
    Thanks !
    \"I ONLY DRINK THE BLOOD OF MY ENEMIES....and maybe a strawberry yoohoo....and a...Pina Co-la-da!...
    If you like pina coladas....ugh!, gettin\' caught in the rain....ugh!\"
    -Sarge

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides