javascript help: encryption/decryption

[PCboy]

I got this from dynamicdrive and I'm going to use it for my site I'm going put up soon..

<script>
//Encrypted Password script- By Rob Heslop
//Script featured on Dynamic Drive
//Visit http://www.dynamicdrive.com

function submitentry(){
password = document.password1.password2.value.toLowerCase()
username = document.password1.username2.value.toLowerCase()
passcode = 1
usercode = 1
for(i = 0; i < password.length; i++) {
passcode *= password.charCodeAt(i);
}
for(x = 0; x < username.length; x++) {
usercode *= username.charCodeAt(x);
}
//CHANGE THE NUMBERS BELOW TO REFLECT YOUR USERNAME/PASSWORD
if(usercode==134603040&&passcode==126906300)
//CHANGE THE NUMBERS ABOVE TO REFLECT YOUR USERNAME/PASSWORD
{
window.location=password+".htm"}
else{
alert("password/username combination wrong")}
}
</script>

<form name="password1">
<strong>Enter username: </strong>
<input type="text" name="username2" size="15">


<strong>Enter password: </strong>
<input type="password" name="password2" size="15">

<input type="button" value="Submit" onClick="submitentry()">
</form>

The question I'm wondering is, what is the reverse encryption code for:

for(i = 0; i < password.length; i++) {
passcode *= password.charCodeAt(i);
}
for(x = 0; x < username.length; x++) {
usercode *= username.charCodeAt(x);

I already know a=97, therefore if the next letter is a, it'll be 97 * 97 = 9409..
So if my username will be pcboy (p=112 c=99 _=95 b=98 o=111 y=121), the encryption key will be 1386472459680, p*c*_*b*o*y.
Now my question is, how can I do the reverse? For instance, if I put 112, it'll give me p and etc.

btw: the source is here.

 

[mundane]

There's an ASCII character table at : ASCII

However, I think you want it to be done inside of the code.

It looks like Character.forDigit( int number, int radix ); might do the job. I'm away from a compiler at the time to verify, though.

char result = Character.forDigit( 112, 10 );
--> result should be 'p'

-I think-

Lemme know.
-Josh

 

[PCboy]

Hmm, I'm mediocre with javascripting, but which lines do I replace with

char result = Character.forDigit(int number, int radix);

The source code page contains the values to generate the passwords.

function calculate(){

passworda = document.password1.user1.value.toLowerCase()
passwordb = document.password1.pass1.value.toLowerCase()

var user = 1
var pass = 1

for(d=0;d<passwordb.length;d++) {
pass*= passwordb.charCodeAt(d);
}
for(e=0;e< passworda.length; e++) {
user *= passworda.charCodeAt(e);
}
document.password1.outputuser1.value = user;
document.password1.outputpass1.value = pass;

Maybe that might help..

 

[mundane]

I'm sorry, I was off working in Java land. I had conveniently ignored your title, clearly stating javascript. I'm sorry, I can't help converting the Java to Javascript, I'd only screw things up more.

-Josh

 

[PCboy]

Originally posted by: diegoalcatraz
I'm sorry, I was off working in Java land. I had conveniently ignored your title, clearly stating javascript. I'm sorry, I can't help converting the Java to Javascript, I'd only screw things up more.

-Josh

well you came really close to it and you're the only one who's replying to my topic.. have you visited the source page? Can you can find the reverse function.. are they completely different from Java codes?

 

[Barnaby W. Füi]

That doesn't seem very secure to me. I wouldn't use it on anything remotely important.

 

[PCboy]

Originally posted by: BingBongWongFooey
That doesn't seem very secure to me. I wouldn't use it on anything remotely important.

Try finding 20649565836900000.

 

[MrChad]

It's not a reversible function - it's a hash function. You can't have an encryption algorithm where multiple inputs can yield the same output.

For instance, the password "PC" and "CP" would both result in the same "encrypted" value under your algorithm.

 

[MrChad]

Originally posted by: PCboy

Originally posted by: BingBongWongFooey
That doesn't seem very secure to me. I wouldn't use it on anything remotely important.

Try finding 20649565836900000.

\32 \27 \125 \25 \7 \121 \13 \13 \23 \23 \101

Those character ascii values will yield that number. Text

 

[mundane]

The way it looks to me, you could write a quick factoring script - i.e. factor that value into numeric equivalents to ascii text. Take those, pop 'em into the inputs on the web page. The thing is, it doesn't matter if your username is POTASH or SHOPTA - the hash'll render them the same. (Or any other values that results in the same hash.). You don't need to reproduce the admin's user name and password, just come up with other strings that yield the same result.

-Josh

Still no help on the javascript, though.

Edit: Like the above entry.

 

[PCboy]

Originally posted by: diegoalcatraz
The way it looks to me, you could write a quick factoring script - i.e. factor that value into numeric equivalents to ascii text. Take those, pop 'em into the inputs on the web page. The thing is, it doesn't matter if your username is POTASH or SHOPTA - the hash'll render them the same. (Or any other values that results in the same hash.). You don't need to reproduce the admin's user name and password, just come up with other strings that yield the same result.

-Josh

Still no help on the javascript, though.

Edit: Like the above entry.

I see..

Originally posted by: MrChad

Originally posted by: PCboy

Originally posted by: BingBongWongFooey
That doesn't seem very secure to me. I wouldn't use it on anything remotely important.

Try finding 20649565836900000.

\32 \27 \125 \25 \7 \121 \13 \13 \23 \23 \101

Those character ascii values will yield that number. Text

There's an exception to that because there are no HTML ascii codes for 27, 25, 7, 13, and 23... and if 32 was the first letter, it would be space. The encrypted username/password only shows lowercase so it has to be 97-122 (exception of other characters besides the letters). Uppercase letters are already converted.

 

[MrChad]

My points are:

1. It's a hash algorithm that cannot be reversed to produce the exact input.
2. It's not secure because if someone can get your JavaScript source and view both the algorithm and the hash value you are checking for, they can derive an acceptable string that will yield that code.

 

[PCboy]

Originally posted by: MrChad
My points are:

1. It's a hash algorithm that cannot be reversed to produce the exact input.
2. It's not secure because if someone can get your JavaScript source and view both the algorithm and the hash value you are checking for, they can derive an acceptable string that will yield that code.

I agree with you on both of your points. However, before I put the code into waste, can you or anyone else find the acceptable string that will yield that 20649565836900000?

 

[mundane]

xd[uessy

 

[PCboy]

Originally posted by: diegoalcatraz
xd[uessy

Well I thought you had it but xd[uessy = 660786106780800000.. I'm still trying to find out too.

 

[rainypickles]

would it help if you did

for(x = 0; x < username.length; x++) {
usercode *= username.charCodeAt(x) * x;
}

instead of

for(x = 0; x < username.length; x++) {
usercode *= username.charCodeAt(x);
}

 

[mundane]

I just double checked it on the Dynamic Drive link you gave at the top of the thread: link,

and it hashed to 20649565836900000. Isn't that the target value? Am I missing something?

Edit: Make sure to include no spaces - they are ASCII code 32, and throw the hash off.

 

[mundane]

Originally posted by: rainypickles
would it help if you did

for(x = 0; x < username.length; x++) {
usercode *= username.charCodeAt(x) * x;
}

Even better. That way order of the inputs count. And perhaps do more than just multiply - Add/subtract some minor values, as well.

But what it does come down to - People can see the way you obtain the value, and the value itself. It won't stop anyone mildly determined to get in. All they need in a compiler and some time (or, in this case, a calculator and pencil). However, if you don't need high security ... it's better than nothing.

 

[PCboy]

Originally posted by: rainypickles
would it help if you did

for(x = 0; x < username.length; x++) {
usercode *= username.charCodeAt(x) * x;
}

instead of

for(x = 0; x < username.length; x++) {
usercode *= username.charCodeAt(x);
}

Awesome idea! I'll incorporate that now..

Originally posted by: diegoalcatraz
I just double checked it on the Dynamic Drive link you gave at the top of the thread: link,

and it hashed to 20649565836900000. Isn't that the target value? Am I missing something?

Edit: Make sure to include no spaces - they are ASCII code 32, and throw the hash off.

My fault. It resulted into nine chars rather than 8 from the space. You guys did it, especially diego. Thanks a lot guys. :beer: