Webpages source fishing

A candidate for the stupidest (web-based) protection scheme:
I’m sorry if this is not appropriate material, but i just had to document
this blatant misuse of a brain (such a terrible thing to waste!).
This is not at all a crack, and has nothing to do with disassembly language,
but it is the st00pidest implementation of "security" on the web i have ever                           
seen.

While i was pursuing our beloved softice 3.2 (yes 3.2), walking the
warez road for all its sin, (i’d buy the damn thing but i haven’t
scrounged up a bleeding cent towards the 559$US or so needed, this hacking
gig isn’t putting down the bills, you catch?)  anyway, i came across this
silly little site at:
        
             http://www.octonline.com/usr/fity07/main.htm
           (which does NOT host THE debugger)

the story, as the author writes, is that you have to click on these ad
banners, muck around through all this bullshit commercialization, and find
a keyphrase (uh-oh) in order to enter the warez site.
I’m not into that, i don’t like that, so i won’t do that.
I hit the warez site, and sure enough am presented with a form asking me to
login.
Let’s see first of all if there is anything in the markup that i can use to
my advantage:  (please excuse: here is the markup in its entirety):

pwd.htm:

<HTML><HEAD>
<SCRIPT LANGUAGE="JavaScript">
<!-- Hide from JavaScript-Impaired Browsers
al="`1234567890-=~!@#$%^&*()_+qwer"
+"tyuiop[]QWERTYUIOP{}|asdfghjkl;A"
+"SDFGHJKL:zxcvbnm,./ZXCVBNM<>?";
ab1="";
bctr=0;
function ckPwd(){
 tst=document.isn.username.value
 +"*"+document.isn.passwrd.value+"*";
 ls=document.pd.pe.value;
 a=eval(ls.substring(0,2))-91;
 ls=ls.substring(2,ls.length);
 nls="";
 flg=0;
 while (ls.length>12){
  ab=eval(ls.substring(0,2))-89;
  ab1=(ab1==""?""+ab:ab1);
  oab1=ab1;
  ls=ls.substring(2,ls.length);
  for (var i=0;i<ab;i++){
   nr=eval(ls.substring(0,2))-a;
   ls=ls.substring(2,ls.length);
   nls+=al.charAt(nr);
   }
  nls+="*";
  if (nls.indexOf(tst)>-1){
   ls="";
   flg=1;
   }
  }
 if (flg==1){
  tstOk();
  }
 else{
  bctr++;
  if (bctr>3){
  /* Be sure to put the name of the page
     here to which you want visitors are to be
     sent after three tries if they FAIL to enter
     a correct password and user name. */
   location.href="error.htm";
   }
  else{
   alert("Sorry. Bad Username or Password."
   +" Failed Attempt #"+bctr+".");
   }
  }
 }

function tstOk(){
 ab1=ab1+""+a;
  alert("OK. You Entered a Valid Username and Password, "
  +document.isn.username.value+"! Taking you to the"
  +" restricted page as soon as you click OK.");
  location.href="pwdss.htm?"+ab1;              <--- gee, that's sweet
 }

function srand() {
 today=new Date();
 rand=today.getTime();
 picker=""+rand
 picker=picker.charAt((picker.length-4));
 rec=eval(picker);
 }
// End Hiding -->
</SCRIPT>
</HEAD>
<BODY BGCOLOR="white"><CENTER>
<FORM NAME="pd">

<!-- IMPORTANT: After you run the pseudo-encrypter, you will get a
"hidden" form element constructed especially for your own user names and
passwords. Paste that form element right below this note and above the end
of form tag. -->

<!-- Paste this element into your main script named pwd.htm in the
location indicated -->

<INPUT TYPE='hidden' NAME='pe'
VALUE='999881643741603841598498816759606041815967 '> </FORM>

<!-- You may put any page content you wish here The HTML below for the
password entry is presently set for blue background and white type. You
may change colors to fit your own page design without impacting on the
script, so long as the form elements stay the same.  -->

<FORM NAME="isn">
<TABLE BORDER=2 CELLPADDING=5 CELLSPACING=0 BGCOLOR=BLUE>
<TR><TD COLSPAN=2 ALIGN=CENTER><FONT SIZE=4 COLOR=WHITE
FACE="helvetica,arial,geneva"><B>Password Access<BR>to Our Restricted
Pages</B></FONT></TD></TR>
<TR><TD><FONT SIZE=3 COLOR=WHITE><B>Your User Name:</B></FONT></TD>
<TD><INPUT TYPE="text" NAME="username" VALUE="" SIZE=10></TD></TR>
<TR><TD><FONT SIZE=3 COLOR=WHITE><B>Your Password:</B></FONT></TD>
<TD><INPUT TYPE="password" NAME="passwrd" VALUE="" SIZE=10></TD></TR>
<TR><TD COLSPAN=2 ALIGN=CENTER><INPUT TYPE="button" NAME="btn"
VALUE=" Submit " onClick="ckPwd();return false;"></TD></TR>
</TABLE></FORM>

<!-- Put any other content you wish on your page here -->

<SCRIPT LANGUAGE="JavaScript">
<!-- Hide JavaScript from Java-Impaired Browsers
/* This little script at the bottom of your
   page isn't strictly necessary, but it does
   put the visitor's cursor in the password form.
   It's a small, but polite and thoughtful thing
   to do for your visitors. */
document.isn.username.focus();
// End Hiding -->
</SCRIPT>
</BODY>
</HTML>
        

And here is the effect.
       

The whole thing reminds me so much of deprotecting and otherwise
reengineering, that i couldn’t help but think of Fravia and the stupid
protectionists page. (or is that just "stupid protections" page?) anyways,
right there, right in the middle of the markup i stare at a link to the
following scrap of markup:
 
pwdss.htm:

<!-- Create this intervening page named "pwdss.htm" to help keep the
restricted page URL a bit more difficult to discern. -->

<HTML><HEAD><SCRIPT LANGUAGE="JavaScript">
ck=location.search;
if (ck!="?98"){
/* Substitute your own WRONG
    destination here. */
 location.href="error.htm";             <-- Wanna this page
 }
else{
 /* Put the correct restricted
    page name here. */
 location.href="waret.htm";             <-- or rather this one?
 }
</SCRIPT></HEAD></HTML>
     </center>
               
The moral of this sad tale is: don’t waste your time coercing your markup
language to implement security. IT WON’T DO, YOU CANNOT HIDE BEHIND
YOUR JAVASCRIPT, NOR YOUR JAVA CLASS, NOR YOUR ACTIVE-X. If the
protectionist’s code must live on a host, it will never be secure.
Sad to say, this protection would be secure only to the most naive
web-idiot ("uhh, what’s ‘view source’… an option?")

Or: don’t confuse obscurity and obfuscation with security.

j, seer of the code.

ps: or maybe i’m just the rare sort that happens to source the majority
of the web pages encountered… and for that matter… of the programs
encountered 😉
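
The hidden `pe` field in pwd.htm is a fixed-offset lookup into the `al` alphabet, not a hash, so the page itself carries everything ckPwd() compares against. The following is an added example (not part of the original essay or of the site's script) that replays ckPwd()'s arithmetic with no user input at all; `pair`, `decodePe` and `gateToken` are names introduced here, and it runs under Node.js without a browser.

```javascript
// Added example: audit of the "pseudo-encrypter" output from pwd.htm.
// Alphabet copied verbatim from the `al` variable in the listing above.
const AL = "`1234567890-=~!@#$%^&*()_+qwer" +
           "tyuiop[]QWERTYUIOP{}|asdfghjkl;A" +
           "SDFGHJKL:zxcvbnm,./ZXCVBNM<>?";

// Read the two decimal digits of `s` starting at `pos` (replaces eval()).
function pair(s, pos) {
  const n = Number.parseInt(s.slice(pos, pos + 2), 10);
  if (Number.isNaN(n)) throw new Error("malformed field at offset " + pos);
  return n;
}

// Same steps as ckPwd(), minus the comparison with the typed values.
// Returns everything the page source gives away to any reader.
function decodePe(pe) {
  const s = pe.trim();
  const offset = pair(s, 0) - 91;        // `a` in ckPwd()
  const records = [];
  let pos = 2;
  while (s.length - pos > 12) {          // same loop bound as ckPwd()
    const len = pair(s, pos) - 89;       // `ab`: length of the next record
    pos += 2;
    let text = "";
    for (let i = 0; i < len; i++, pos += 2) {
      const idx = pair(s, pos) - offset; // `nr`: index into the alphabet
      if (idx < 0 || idx >= AL.length) throw new Error("index out of range");
      text += AL.charAt(idx);
    }
    records.push(text);
  }
  // tstOk() builds the query string from the first record's length and the
  // offset, so it is fixed by the hidden field, not by what the user typed.
  const gateToken = records.length ? "" + records[0].length + offset : "";
  return { offset, records, gateToken };
}

// Hidden field value exactly as it appears in pwd.htm above.
const PE = "999881643741603841598498816759606041815967 ";
console.log(decodePe(PE));
```

The records come back as the plain user name and password, and `gateToken` equals the `98` that pwdss.htm compares against. A check that has to hold belongs on the server, which should return the restricted page only after verifying the credentials itself.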

Source: www.woodmann.com/fravia