## Facebook CTF 2013 - NcN 2013

There were only 3 access levels: web, Android APK, and a Linux executable. All three were reverse engineering only.

### Access Level - 1

Whatever 'key' you enter, you get an alert saying 'Invalid password!'.

Tools: a browser with a JavaScript console. I used Google Chrome :p

Looking at the page source we find:

```html
<form action="login.php" method="POST" onsubmit="return encrypt(this);">
```

So on submit an `encrypt` function is called. Using the browser's JavaScript console, let's take a look at the script behind it.

```javascript
function encrypt(form)
{
    var res;
    res=numerical_value(form.password.value);
    res=res*(3+1+3+3+7);
    res=res>>>6;
    res=res/4;
    res=res^4153;
    if(res!=0)
    {
        alert('Invalid password!');
    }
    else
    {
        alert('Correct password :)');
    }
    form.key.value=numerical_value(form.password.value);
    form.verification.value="yes"+simpleHash(form.password.value);
    return true;
}
```

That's it. Our work is simple: make the condition inside the IF false, which means making the variable res equal 0. So the reverse engineering work starts NOW.

Time to analyse the code and start reversing it, working backwards from the last operation:

- Just before the if we have an XOR, so res should equal 4153 for the XOR to make res=0.

- Before that res was divided by 4, so res*4 [4153*4 = 16612].

- >>> is an unsigned right shift, so we have 16612 = X>>>6.

16612 in binary is 100000011100100

We have no idea about the lost rightmost 6 bits. Taking them as 0's, let's proceed.

100000011100100+000000 = 1063168, but it can vary by +0 to +63.

- 1063168/(3+1+3+3+7) = 62539.2941176 ~ 62540.

- Now a weird function, numerical_value:

```javascript
function numerical_value(str)
{
    var i,a=0,b;
    // each character's byte value is weighted by its 1-based position
    for(i=0;i<str.length;++i)
    {
        b=ascii_one(str.charAt(i));
        a+=b*(i+1);
    }
    return a;
}
```

Observe one more function, ascii_one:

```javascript
function ascii_one(foo)
{
    foo=foo.charAt(0);
    var i;
    // walk every byte value until one unescapes to this character
    for(i=0;i<256;++i)
    {
        var hex_i=i.toString(16);
        if(hex_i.length==1)
            hex_i="0"+hex_i;
        hex_i="%"+hex_i;
        hex_i=unescape(hex_i);
        if(hex_i==foo)
            break
    }
    return i;   // the matched byte value is what numerical_value() weights
}
```

But there is no need to analyse it. Just manually brute force the string str to get a value of approximately 62540. I got 62545.

```javascript
var str="zzaaaaaaaaaaaaaaaaaaaaaaddaaaaaspea";
```

Start with a random number of a's, then modify here and there, keeping in mind that the starting characters have the least weight and the ending characters have the most!

So for me this is the key: "zzaaaaaaaaaaaaaaaaaaaaaaddaaaaaspea". It will vary from person to person.
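The manual brute force above can be replaced by arithmetic. The block below is an added example, not code from the original post or the challenge: it re-implements the page's numerical_value and the encrypt check, works the check backwards to get the full range of scores that pass, and builds a lowercase key for any score in that range. The names numericalValue, passesCheck, targetRange and buildKey are my own. It also shows why 62545 passes even though the estimate above was ~62540: the ^ operator truncates res/4 to an integer, so several shifted values collapse onto 4153.

```javascript
// Added example (not from the original post). Re-implements the challenge's
// client-side check and works it backwards arithmetically.

// Same scoring as the page's numerical_value(): each character's byte value
// weighted by its 1-based position. charCodeAt() matches ascii_one() for ASCII input.
function numericalValue(str) {
  let a = 0;
  for (let i = 0; i < str.length; i++) {
    a += str.charCodeAt(i) * (i + 1);
  }
  return a;
}

// The page's encrypt() condition as a boolean. Note that `^` converts its
// operands with ToInt32, so the fractional part of res/4 is dropped before the XOR.
function passesCheck(password) {
  let res = numericalValue(password);
  res = res * (3 + 1 + 3 + 3 + 7);   // *17
  res = res >>> 6;
  res = res / 4;
  res = res ^ 4153;
  return res === 0;
}

// Undo each step of passesCheck() to get every numericalValue() score that passes.
function targetRange() {
  const target = 4153;
  // after >>>6, any v with Math.trunc(v / 4) === 4153 passes: v in [16612, 16615]
  const lowShifted = target * 4;
  const highShifted = target * 4 + 3;
  // undo >>>6: the six discarded low bits can be anything from 0 to 63
  const lowX = lowShifted * 64;            // 1063168
  const highX = highShifted * 64 + 63;     // 1063423
  // undo *17: the score n must be an integer with 17*n inside [lowX, highX]
  return { min: Math.ceil(lowX / 17), max: Math.floor(highX / 17) };  // 62540..62554
}

// Build a key of lowercase letters whose score is exactly n, or null if no
// length can reach n. Greedy from the last (heaviest) position: the weight at
// position p is p, and whatever is left after position p is either below p or
// still within what positions 1..p-1 can absorb, so the loop always lands on 0.
function buildKey(n) {
  const lo = 'a'.charCodeAt(0), hi = 'z'.charCodeAt(0);
  for (let len = 1; len <= 256; len++) {
    const t = len * (len + 1) / 2;      // sum of weights 1..len
    if (n > hi * t) continue;           // all 'z' is still too light: need more characters
    if (n < lo * t) return null;        // all 'a' is already too heavy, and longer keys only get heavier
    const codes = new Array(len).fill(lo);
    let remaining = n - lo * t;
    for (let pos = len; pos >= 1; pos--) {
      const add = Math.min(hi - lo, Math.floor(remaining / pos));
      codes[pos - 1] += add;
      remaining -= add * pos;
    }
    return String.fromCharCode(...codes);
  }
  return null;
}

// Stand-alone run: confirm the hand-made key from the post and a generated one.
const range = targetRange();
const handMade = "zzaaaaaaaaaaaaaaaaaaaaaaddaaaaaspea";   // the post's key
const generated = buildKey(range.min);
console.log(range, numericalValue(handMade), passesCheck(handMade));
console.log(generated, numericalValue(generated), passesCheck(generated));
```

Any string whose score falls in the range returned by targetRange() is accepted, which is the whole lesson of this level: a check that runs in the client can be read, inverted and satisfied without ever learning the intended password, so the server must do its own validation.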

After submitting the key -

*** Note this was easy because I could solve it without knowing much JavaScript.

-> And a rough screenshot of the manual brute force, so you can get a rough idea -

Please download or open the image for a clear view :D :D

-> If anyone solved it in a much simpler way, please comment with your approach.

-> Suggestions/comments are most welcome !!! :)

Thanks for reading through

Happy hacking! Happy coding!!

I found the key in another logical way, without arithmetical counting:

1st - the length of the key is proportional to the bit length of the number 4153

So we found the length of the key - a key filled with the character "a"

A sampler is: b1000000111001

Result is: b1001010100101

2nd - In numerical_value the result of the function ascii_one increases by i+1, so the later a bit appears in the key string, the closer it will be to the first bit of the number. Lower than the hex code of "a" are the hex codes of numbers and symbols. So I filled the string from the left with numbers until the second bit was placed under the second bit of the sampler.

"55555555555555555555aaaaaaaaaaaaaaaaaa"

b1000000111111.01

With this simple brute, the result of my way is

"*0033444445555555555aaaaaaaaaaaaaaaaaa"

b1000000111001

Better change the template, it looks fussy.

Thanks for letting me know :)

Will change it soon.