Facebook CTF 2013 - NcN 2013
There were only 3 access levels - web, Android APK, and Linux executable. All were reverse engineering only.
Access Level - 1
Whatever input 'key' is given, you get an alert saying 'Invalid password!'.
Tools -> browser with JavaScript console. I used Google Chrome :p
Analysing the source code we get -
<form action="login.php" method="POST" onsubmit="return encrypt(this);">
So on submit an "encrypt" function is called. Using the browser JavaScript console, let's take a look at the script running behind it.
function encrypt(form)
{
    var res;
    res=numerical_value(form.password.value);   // weighted sum of the password's character codes
    res=res*(3+1+3+3+7);                         // multiply by 17
    res=res>>>6;                                 // unsigned right shift: the lowest 6 bits are lost
    res=res/4;                                   // floating-point division
    res=res^4153;                                // XOR with 4153 (the operand is truncated to int32 first)
    if(res!=0)
    {
        alert('Invalid password!');
    }
    else
    {
        alert('Correct password :)');
    }
    form.key.value=numerical_value(form.password.value);
    form.verification.value="yes"+simpleHash(form.password.value);
    return true;
}
That's it. Our work is simple - just make the condition inside the IF false, i.e. make the var res equal 0 after the XOR. So the reverse engineering work starts NOW.
Time to analyse the code and start reversing it.
- Before the if we have an XOR with 4153, so res must equal 4153 just before it to make res=0.
- Before that res was divided by 4 [ 4153*4 = 16612 ]
- >>> is an unsigned right shift, so we have 16612 = X>>>6.
16612 in binary - 100000011100100
We have no idea about the lost rightmost 6 bits. Taking them as 0's, let's proceed.
100000011100100 followed by 000000 - 1063168. But it can vary by +0 to +63.
- 1063168/(3+1+3+3+7) = 62539.2941176 ~ 62540.
- now a weird function numerical_value
function numerical_value(str)
{
    var i,a=0,b;
    for(i=0;i<str.length;++i)
    {
        b=ascii_one(str.charAt(i));   // character code of the i-th character
        a+=b*(i+1);                   // weighted by position: later characters count more
    }
    return a;
}
Observe one more function, ascii_one:
function ascii_one(foo)
{
    foo=foo.charAt(0);
    var i;
    for(i=0;i<256;++i)
    {
        var hex_i=i.toString(16);     // i as a hex string
        if(hex_i.length==1)
            hex_i="0"+hex_i;          // zero-pad to two digits
        hex_i="%"+hex_i;
        hex_i=unescape(hex_i);        // "%xx" -> the character with code xx
        if(hex_i==foo)
            break                     // found the character code
    }
    return i;                         // the listing on the page stops above; returning the loop index is the assumed ending
}
But there's no need to analyse it here. Just manually brute force the var str to get an approximate value of 62540. I got 62545.
var str="zzaaaaaaaaaaaaaaaaaaaaaaddaaaaaspea";
Start with a random number of a's, then modify here and there, keeping in mind that characters at the start have less weight and characters at the end have the most!
So for me this is the key - "zzaaaaaaaaaaaaaaaaaaaaaaddaaaaaspea". It will vary from person to person.
After submitting the key -
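As an added example (not code from the original post or the challenge), here is the same check ported to plain JavaScript, the inversion of the arithmetic carried through exactly, and a constructive key builder that replaces the manual brute force. One caveat the rough calculation skips: because ^ truncates the result of res/4 to an integer, every numerical_value from 62540 up to 62554 is accepted, not only 62540. The function names, the '!'..'~' character range and the use of charCodeAt in place of the ascii_one lookup loop (equivalent for codes below 256) are my choices, not the challenge's.

```javascript
// Added example (not the challenge page's code): a port of the check from encrypt()
// plus a constructive key builder that replaces the manual brute force.

// Port of the challenge's numerical_value(): weighted sum of character codes,
// position i (0-based) weighted by i+1. charCodeAt() gives the same number as the
// page's ascii_one() lookup loop for any character with a code below 256.
function numericalValue(str) {
  let a = 0;
  for (let i = 0; i < str.length; i++) {
    a += str.charCodeAt(i) * (i + 1);
  }
  return a;
}

// The exact arithmetic from encrypt(); true means the page would show "Correct password :)".
function passes(str) {
  let res = numericalValue(str);
  res = res * (3 + 1 + 3 + 3 + 7); // * 17
  res = res >>> 6;                 // unsigned shift: the low 6 bits are lost
  res = res / 4;                   // floating-point division, may leave a fraction
  res = res ^ 4153;                // ^ applies ToInt32 first, so the fraction is dropped
  return res === 0;
}

// Invert the check, working backwards through encrypt():
//   res ^ 4153 == 0         => ToInt32(res / 4) == 4153
//   ToInt32(x / 4) == 4153  => x (the shifted value) in [4153*4, 4153*4 + 3]
//   x == y >>> 6            => y (the product) in [x*64, x*64 + 63]
//   y == n * 17             => n = numerical_value in [ceil(ymin/17), floor(ymax/17)]
// Every integer in the returned range is accepted, not just 62540.
function acceptedRange() {
  const minShifted = 4153 * 4;             // 16612
  const maxShifted = 4153 * 4 + 3;         // 16615
  const minProduct = minShifted * 64;      // 1063168
  const maxProduct = maxShifted * 64 + 63; // 1063423
  return {
    lo: Math.ceil(minProduct / 17),  // 62540
    hi: Math.floor(maxProduct / 17), // 62554
  };
}

// Build a key whose numerical_value is exactly `target`, using only printable
// characters '!'..'~' (codes 33..126; this restriction is my choice).
// Positions are filled from the highest weight downwards, always leaving enough
// room for the remaining lower positions; the weight-1 position absorbs whatever
// is left, which the invariant keeps inside the allowed code range.
function buildKey(target, loCode = 33, hiCode = 126) {
  const S = (n) => (n * (n + 1)) / 2;  // sum of weights 1..n
  let n = 1;
  while (hiCode * S(n) < target) n++;  // shortest length that can reach target
  if (loCode * S(n) > target) throw new Error('target too small for this charset');
  const codes = new Array(n);
  let gap = target;
  for (let i = n; i >= 2; i--) {
    // largest code that still leaves at least loCode*S(i-1) for positions 1..i-1
    let c = Math.floor((gap - loCode * S(i - 1)) / i);
    c = Math.max(loCode, Math.min(hiCode, c));
    codes[i - 1] = c;
    gap -= c * i;
  }
  codes[0] = gap; // weight 1: the remaining gap is the code itself
  return String.fromCharCode(...codes);
}

function demo() {
  const { lo, hi } = acceptedRange();
  const key = buildKey(lo);
  console.log(`accepted numerical_value range: ${lo}..${hi}`);
  console.log(`constructed key: ${JSON.stringify(key)} -> ${numericalValue(key)}, passes: ${passes(key)}`);
}
demo();
```

Run it with node; the constructed key is shorter than the hand-made one because it uses the heaviest (last) positions as fully as possible, and any target inside the accepted range gives a password the page's encrypt() would accept.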
*** Note: this was easy because I could solve it without knowing much JavaScript.
-> And a rough screenshot of the manual brute force, so you can get a rough idea -
Please download OR open the image for clear view :D :D
-> If anyone solved it in a much simpler way, please comment your way of solving the problem.
-> Suggestions/comments are most welcome!!! :)
Thanks for reading through
Happy hacking! Happy coding!!
I found the key another logical way, without arithmetical counting:
1st - the length of the key is proportional to the bit length of the number 4153
So we find a length of key - the key filled with the character "a"
A sampler is: b1000000111001
Result is: b1001010100101
2nd - In numerical_value the result of the function ascii_one is increased by i+1, so the later a bit appears in the key string, the closer it will be to the first bit of the number. Lower than the hex code of "a" are the hex codes of numbers and symbols. So I filled the string from the left with numbers until the second bit was placed under the second bit of the sampler.
"55555555555555555555aaaaaaaaaaaaaaaaaa"
b1000000111111.01
With this simple brute force, the result of my way is
"*0033444445555555555aaaaaaaaaaaaaaaaaa"
b1000000111001
Better change the template, it looks fussy.
Thanks for letting me know :)
Will change it soon.