<html>
<script>
function simpleHash(str) {
  // Position-weighted sum of the string's UTF-16 code units, folded into
  // the range 0..31336. Code unit k (1-based) is weighted by k, so the same
  // characters in a different order hash differently. Empty input gives 0.
  var total = 0;
  var idx;
  for (idx = 0; idx < str.length; ++idx) {
    total += str.charCodeAt(idx) * (idx + 1);
  }
  // Code units are never negative, so Math.abs cannot change the value;
  // it is kept only to mirror the original contract.
  return Math.abs(total) % 31337;
}
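function ascii_one(foo) {
  // Returns the code of the first character of foo when it lies in the
  // Latin-1 range 0..255, and 256 for anything else (a character outside
  // that range, or an empty string).
  //
  // The original probed all 256 values with the deprecated unescape("%xx")
  // and compared strings; charCodeAt(0) gives the same answer directly,
  // since unescape("%xx") is String.fromCharCode(0xxx) for every xx.
  var code = foo.charCodeAt(0); // NaN for "", which fails the range test
  if (code >= 0 && code < 256) {
    return code;
  }
  return 256;
}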
function numerical_value(str) {
  // "Score" of a string: the sum over its characters of
  // ascii_one(char) * position, with position counted from 1.
  // Empty input scores 0.
  var total = 0;
  var pos;
  for (pos = 0; pos < str.length; ++pos) {
    var code = ascii_one(str.charAt(pos));
    total += code * (pos + 1);
  }
  return total;
}
function encrypt(form) {
  // Submit handler. Scores the password with numerical_value(), runs the
  // score through four fixed transforms, reports pass/fail with alert(),
  // fills the hidden "key" and "verification" fields and returns true so
  // the form is always submitted, whatever the result.
  //
  // The check ends at 0 only when floor(((score * 17) >>> 6) / 4) == 4153:
  // >>> works on a uint32 and ^ truncates its float operand to int32.
  // For an integer score below the uint32 wrap that is 62540..62554.
  var score = numerical_value(form.password.value);
  var check = score * (3 + 1 + 3 + 3 + 7); // multiplier is 17
  check = check >>> 6;                     // drop the low 6 bits
  check = check / 4;                       // float division, 4153.x expected
  check = check ^ 4153;                    // 0 iff int32(check) == 4153
  var passed = (check == 0);
  alert(passed ? 'Correct password :)' : 'Invalid password!');
  form.key.value = numerical_value(form.password.value);
  form.verification.value = "yes" + simpleHash(form.password.value);
  return true;
}
</script>
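<body>
  <form action="" method="POST" onsubmit="return encrypt(this);">
    <table border="0" align="center">
      <tr>
        <!-- for= must name the visible text field; it pointed at the hidden "key" input -->
        <td><label style="color: white" for="password"><b>Key: </b></label></td>
        <td><input type="text" name="password" id="password" class="input"></td>
      </tr>
      <tr>
        <td colspan="2" align="center"><p><input type="submit" name="send" class="button" value="Send"></p></td>
      </tr>
    </table>
    <!-- hidden fields kept inside the form but outside the <tr>, where an <input> is not valid content -->
    <input type="hidden" name="key" id="key" value="">
    <input type="hidden" name="verification" id="verification" value="yes">
  </form>
  <!-- output target; the original opened a second <span> instead of closing this one -->
  <span id="new"></span>
</body>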
现在有了源码,要做的就是分析这些源码了,我们可以轻易找到encrypt()函数,发现它就是对我们的输入做了一系列的处理,最后如果处理结果为0,则我们就能得到这个key了,所以我们逆推上去,这几行代码
// Excerpt of encrypt(): the four transforms applied to the password score.
// The trailing comment on each line gives the value that step must produce
// for the final res to be 0. Note that both >>> (uint32 shift) and ^
// (int32 xor) truncate, so the score need not equal 62539.2941 exactly.
res = numerical_value(form.password.value);
res = res * (3 + 1 + 3 + 3 + 7); //res=1063168/17=62539.2941 (1)
res = res >>> 6; //res=16612<<6=1063168 (2)
res = res / 4; //res=4153*4=16612 (3)
res = res ^ 4153; //res=4153 (4)
要(4)中res为0,因为4153^4153才等于0,所以(3)左式的res必须为4153,则右式必须为16612,如此这样向上反推,最后得到(1)中左式res需要的值,由于(3)中的除整操作,所以导致上面的运算会有偏差,但是大致范围确定了,我们可以在62539附近进行尝试。分析numerical_value()函数,发现它的功能就是取当前输入字符串,然后按位取出相应的ASCII码值,与当前此字符在第几位乘起来,加上过去的值,要得到我们需要的62539,只需要进行一些次数的尝试,这里就不进行了。
经过修改后的代码如下
<html>
<script>
function simpleHash(str) {
  // Position-weighted sum of the string's UTF-16 code units, folded into
  // the range 0..31336. Code unit k (1-based) is weighted by k, so the same
  // characters in a different order hash differently. Empty input gives 0.
  var total = 0;
  var idx;
  for (idx = 0; idx < str.length; ++idx) {
    total += str.charCodeAt(idx) * (idx + 1);
  }
  // Code units are never negative, so Math.abs cannot change the value;
  // it is kept only to mirror the original contract.
  return Math.abs(total) % 31337;
}
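function ascii_one(foo) {
  // Returns the code of the first character of foo when it lies in the
  // Latin-1 range 0..255, and 256 for anything else (a character outside
  // that range, or an empty string).
  //
  // The original probed all 256 values with the deprecated unescape("%xx")
  // and compared strings; charCodeAt(0) gives the same answer directly,
  // since unescape("%xx") is String.fromCharCode(0xxx) for every xx.
  // The commented-out innerHTML trace that followed the loop is dropped.
  var code = foo.charCodeAt(0); // NaN for "", which fails the range test
  if (code >= 0 && code < 256) {
    return code;
  }
  return 256;
}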
function numerical_value(str) {
  // "Score" of a string: the sum over its characters of
  // ascii_one(char) * position, with position counted from 1.
  // Empty input scores 0.
  var total = 0;
  var pos;
  for (pos = 0; pos < str.length; ++pos) {
    var code = ascii_one(str.charAt(pos));
    total += code * (pos + 1);
  }
  return total;
}
function encrypt(form) {
  // Submit handler. Scores the password with numerical_value(), runs the
  // score through four fixed transforms, reports pass/fail with alert(),
  // fills the hidden "key" and "verification" fields and returns true so
  // the form is always submitted, whatever the result.
  //
  // The check ends at 0 only when floor(((score * 17) >>> 6) / 4) == 4153:
  // >>> works on a uint32 and ^ truncates its float operand to int32.
  // For an integer score below the uint32 wrap that is 62540..62554.
  var score = numerical_value(form.password.value);
  var check = score * (3 + 1 + 3 + 3 + 7); // multiplier is 17
  check = check >>> 6;                     // drop the low 6 bits
  check = check / 4;                       // float division, 4153.x expected
  check = check ^ 4153;                    // 0 iff int32(check) == 4153
  var passed = (check == 0);
  alert(passed ? 'Correct password :)' : 'Invalid password!');
  form.key.value = numerical_value(form.password.value);
  form.verification.value = "yes" + simpleHash(form.password.value);
  return true;
}
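function a(form) {
  // Debug variant of encrypt(): runs the same four transforms on the
  // password score, appends every intermediate value to the #new element,
  // and returns false so the form is never submitted.
  //
  // The check ends at 0 only when floor(((score * 17) >>> 6) / 4) == 4153
  // (^ truncates its float operand to int32), i.e. for an integer score
  // of 62540..62554 below the uint32 wrap of >>>. Everything written via
  // innerHTML is a number or a constant string; the raw password is never
  // inserted as markup.
  //
  // Fix: the final "--就是这个<br>" literal was split across two source
  // lines, which is a syntax error; it is now a single string.

  // Appends text to the current innerHTML of the #new element.
  function show(text) {
    var out = document.getElementById("new");
    out.innerHTML = out.innerHTML + text;
  }

  var res = numerical_value(form.password.value);
  // 62539.2941 is the author's estimate of the needed score (1063168 / 17).
  show("we need:62539.2941,res=" + res);
  res = res * (3 + 1 + 3 + 3 + 7); // multiplier is 17
  show(",output1=" + res);
  res = res >>> 6;                 // drop the low 6 bits
  show(",output2=" + res);
  res = res / 4;                   // float division
  show(",output3=" + res);
  res = res ^ 4153;                // 0 iff int32(res) == 4153
  show(",output4=" + res + "<br/>");
  if (res == 0) {
    show("--就是这个<br>");
  }
  return false;
}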
</script>
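<body>
  <form action="" method="POST" onsubmit="return a(this)">
    <table border="0" align="center">
      <tr>
        <!-- for= must name the visible text field; it pointed at the hidden "key" input -->
        <td><label style="color: white" for="password"><b>Key: </b></label></td>
        <td><input type="text" name="password" id="password" class="input"></td>
      </tr>
      <tr>
        <td colspan="2" align="center"><p><input type="submit" name="send" class="button" value="Send"></p></td>
      </tr>
    </table>
    <!-- hidden fields kept inside the form but outside the <tr>, where an <input> is not valid content -->
    <input type="hidden" name="key" id="key" value="">
    <input type="hidden" name="verification" id="verification" value="yes">
  </form>
  <!-- target that a() appends its trace to via innerHTML; replaces a
       single-cell layout table holding an unclosed <span id="new"> -->
  <div id="new"></div>
</body>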