hitting on me will get you nowhere caldouche

2011/4/18 Cal Leeming <[email protected]>

> Considering that this code is already open source on Github? Not much,
> faggot. lol.
>
>
> On Mon, Apr 18, 2011 at 2:28 PM, huj huj huj <[email protected]> wrote:
>
>> caldouche
>> what does your company think about you copy pasting production code on fd?
>>
>> 2011/4/13 Cal Leeming <[email protected]>
>>
>>> Absolutely nothing. It really is only meant to stop "stupid bots", which
>>> for us, was good enough at the time ;p
>>>
>>>
>>> On Wed, Apr 13, 2011 at 7:07 PM, Chris M <[email protected]> wrote:
>>>
>>>> How does all of this stop someone feeding the obfuscated code into
>>>> jsunpack and reloading it into a bot application with an inbuilt browser
>>>> object and just following links etc?
>>>>
>>>>
>>>> On Wed, Apr 13, 2011 at 3:50 PM, Christian Sciberras <[email protected]> wrote:
>>>>
>>>>> Is it me or are spammers recruiting more script kiddies as of late?
>>>>> Not much of a big deal considering their numbers are on the
>>>>> rise...*ahem* anonymous *ahem*.
>>>>>
>>>>> Chris.
>>>>>
>>>>>
>>>>> On Wed, Apr 13, 2011 at 4:47 PM, Cal Leeming <[email protected]> wrote:
>>>>>
>>>>>> Well, the problem was the person(s) running the bots kept bypassing
>>>>>> the simple protections such as these. Although it isn't 100% fool
>>>>>> proof, it does make things *extremely* difficult for the person(s)
>>>>>> with the bots, so much so, that they usually give up, unless they
>>>>>> have specifically targeted you for some reason.
>>>>>>
>>>>>> So, instead we created hundreds of these little JS chunks, all with
>>>>>> different lookup tables applied, and cycled them on an hourly basis.
>>>>>> It meant if they wanted to continuously bot the service, they would
>>>>>> have to de-obfuscate the protection code, or find a
>>>>>> mathematical/bruteforce attack that would generate the seedkey for
>>>>>> them. It would either involve manual intervention or code
>>>>>> modification on the bot to make it work.. I'd have preferred to have
>>>>>> added captcha, but there was a reasonable explanation as to why the
>>>>>> client didn't want it.
>>>>>>
>>>>>> Either way, once we put this in, they gave up pretty quickly lol.
>>>>>>
>>>>>>
>>>>>> On Wed, Apr 13, 2011 at 3:29 PM, Christian Sciberras <[email protected]> wrote:
>>>>>>
>>>>>>> Cal /Ryan,
>>>>>>>
>>>>>>> I'm not sure what you're trying to achieve.
>>>>>>> If we're talking about absolutely stupid bots, the following easily
>>>>>>> defeats them:
>>>>>>> <form>
>>>>>>>     <stuff/>
>>>>>>>     <script type=text/javascript>document.write('<input type="hidden" name="access" value="code"/>');</script>
>>>>>>> </form>
>>>>>>>
>>>>>>> I suppose you could obfuscate it all if you wanted to cater for
>>>>>>> script kiddies.
>>>>>>> But considering this is very weak protection (as opposed to proper
>>>>>>> captcha), I'm not sure if it's even worthwhile.
>>>>>>> One of the ways I can see this work is against automated,
>>>>>>> "JS-ignorant", MITM systems.
>>>>>>>
>>>>>>> As indeed is true, you should never trust the end user.
>>>>>>> But in a MITM scenario, the user we're not trusting is the one
>>>>>>> conducting the attack, not the other.
>>>>>>>
>>>>>>> Chris.
>>>>>>>
>>>>>>>
>>>>>>> On Wed, Apr 13, 2011 at 1:07 PM, Cal Leeming <[email protected]> wrote:
>>>>>>>
>>>>>>>> Lol, I've just realised something.. I didn't include the seed key
>>>>>>>> variable itself, so this code would have been pretty much useless
>>>>>>>> on its own *DOH*.
>>>>>>>>
>>>>>>>> So, here's something else a bit tasty.. this is the server side
>>>>>>>> code used to check and create the seedkey itself (secret lookup
>>>>>>>> table has been changed obv.).
>>>>>>>>
>>>>>>>> This code allows seedkeys to be generated from epoch time. Now,
>>>>>>>> cryptographically I don't know how "sane" this is, but I'm fairly
>>>>>>>> sure that if the lookup table contained large integers it would
>>>>>>>> become almost impossible to do a pattern based brute force. I
>>>>>>>> actually had quite a lot of fun trying to break my own code. :D
>>>>>>>>
>>>>>>>> PS) you have been awarded 1 internets.
>>>>>>>>
>>>>>>>>
>>>>>>>>     function get_valid_keys() {
>>>>>>>>         // Create key store
>>>>>>>>         $_s = array();
>>>>>>>>
>>>>>>>>         // Create valid key ranges (+900 seconds)
>>>>>>>>         for($x=300;$x<=900;$x+=300):
>>>>>>>>             $_s[] = $this->create_key($offset=$x);
>>>>>>>>         endfor;
>>>>>>>>
>>>>>>>>         // Create valid key ranges (-900 seconds)
>>>>>>>>         for($x=-300;$x>=-900;$x-=300):
>>>>>>>>             $_s[] = $this->create_key($offset=$x);
>>>>>>>>         endfor;
>>>>>>>>
>>>>>>>>         $_s[] = $this->create_key();
>>>>>>>>
>>>>>>>>         return $_s;
>>>>>>>>     }
>>>>>>>>
>>>>>>>>     function create_packed_key() {
>>>>>>>>         // Create a new valid key
>>>>>>>>         $key = $this->create_key();
>>>>>>>>
>>>>>>>>         // Now generate the packed key
>>>>>>>>         $k = array();
>>>>>>>>         // Now convert it into an array
>>>>>>>>         for($x=0;$x<strlen($key);$x++):
>>>>>>>>             $_v = unpack("H*", $key[$x]);
>>>>>>>>             $k[]='\x'.$_v[1];
>>>>>>>>         endfor;
>>>>>>>>
>>>>>>>>         // Okay, here is your brand new shiney key, sir :)
>>>>>>>>         $m = '"'.implode('","', $k).'"';
>>>>>>>>         $m = strrev($m);
>>>>>>>>         $_m = array();
>>>>>>>>         for($x=0;$x<strlen($m);$x++):
>>>>>>>>             $_m[]=$m[$x];
>>>>>>>>         endfor;
>>>>>>>>         return json_encode(implode("ZPAK", $_m));
>>>>>>>>     }
>>>>>>>>
>>>>>>>>     function create_key($offset=0) {
>>>>>>>>         // Secret key table, used to mix up the seed
>>>>>>>>         $enc = array(
>>>>>>>>             0 => "67892",
>>>>>>>>             1 => "3953",
>>>>>>>>             2 => "49474",
>>>>>>>>             3 => "494755",
>>>>>>>>             4 => "30585",
>>>>>>>>             5 => "30582",
>>>>>>>>             6 => "20485",
>>>>>>>>             7 => "20486",
>>>>>>>>             8 => "97294",
>>>>>>>>             9 => "10284"
>>>>>>>>         );
>>>>>>>>
>>>>>>>>         // Generate new seed
>>>>>>>>         $time = time();
>>>>>>>>         if ($offset):
>>>>>>>>             $time=$time+$offset;
>>>>>>>>         endif;
>>>>>>>>         $c=(int)($time/$this->_security_key_refresh);
>>>>>>>>         $_c = "$c";
>>>>>>>>
>>>>>>>>         // Extract the last 5 digits of the number
>>>>>>>>         $char1 = substr($_c, strlen($c)-1, 1);
>>>>>>>>         $char2 = substr($_c, strlen($c)-2, 1);
>>>>>>>>         $char3 = substr($_c, strlen($c)-3, 1);
>>>>>>>>         $char4 = substr($_c, strlen($c)-4, 1);
>>>>>>>>         $char5 = substr($_c, strlen($c)-5, 1);
>>>>>>>>
>>>>>>>>         // Lookup the modifier from the secret key table
>>>>>>>>         $mt1 = $enc[$char1];
>>>>>>>>         $mt2 = $enc[$char2];
>>>>>>>>         $mt3 = $enc[$char3];
>>>>>>>>         $mt4 = $enc[$char4];
>>>>>>>>         $mt5 = $enc[$char5];
>>>>>>>>
>>>>>>>>         // Generate a new key, based on the modifiers
>>>>>>>>         $key = round((($c+$mt1) + ($c+$mt2) + ($c+$mt3) + ($c+$mt4) + ($c+$mt5))/256);
>>>>>>>>         $key = "$key";
>>>>>>>>         return $key;
>>>>>>>>     }
>>>>>>>>
>>>>>>>>
>>>>>>>> On Wed, Apr 13, 2011 at 3:56 AM, Ryan Sears <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Me thinks I may have it right (mostly)...
>>>>>>>>>
>>>>>>>>> It seems to be some jquery to append a hidden input element to
>>>>>>>>> the "theform" id (presumably a form on the page ;) ) called
>>>>>>>>> "seedkey", and has a value of whatever t is evaluated to (which
>>>>>>>>> I'm still stuck on as I don't know jquery much at all, so I can't
>>>>>>>>> figure out the s[] array, but I know it has something to do with
>>>>>>>>> the bracket notation...).
>>>>>>>>>
>>>>>>>>> =================================================
>>>>>>>>> += Orig =+
>>>>>>>>> $(function () {
>>>>>>>>>     var _0xafd3 = ["\x74\x20\x3D\x20\x22", "", "\x6A\x6F\x69\x6E", "\x72\x65\x76\x65\x72\x73\x65", "\x73\x70\x6C\x69\x74", "\x72\x65\x70\x6C\x61\x63\x65", "\x22"];
>>>>>>>>>
>>>>>>>>>     eval(_0xafd3[0] + s[_0xafd3[5]](/ZPAK/gi, _0xafd3[1])[_0xafd3[5]](/\",\"/gi, _0xafd3[1])[_0xafd3[5]](/\"/gi, _0xafd3[1])[_0xafd3[4]](_0xafd3[1])[_0xafd3[3]]()[_0xafd3[2]](_0xafd3[1]) + _0xafd3[6]);
>>>>>>>>>     var _0x5bfa = ["\x3C\x69\x6E\x70\x75\x74\x20\x2F\x3E", "\x74\x79\x70\x65", "\x68\x69\x64\x64\x65\x6E", "\x61\x74\x74\x72", "\x6E\x61\x6D\x65", "\x73\x65\x65\x64\x6B\x65\x79", "\x76\x61\x6C\x75\x65", "\x61\x70\x70\x65\x6E\x64", "\x23\x74\x68\x65\x66\x6F\x72\x6D"];
>>>>>>>>>     _n = $(_0x5bfa[0]);
>>>>>>>>>     _n[_0x5bfa[3]](_0x5bfa[1], _0x5bfa[2]);
>>>>>>>>>     _n[_0x5bfa[3]](_0x5bfa[4], _0x5bfa[5]);
>>>>>>>>>     _n[_0x5bfa[3]](_0x5bfa[6], t);
>>>>>>>>>     $(_0x5bfa[8])[_0x5bfa[7]](_n);
>>>>>>>>> });
>>>>>>>>>
>>>>>>>>> += De-obfuscated =+
>>>>>>>>> $(function () {
>>>>>>>>>     var _0xafd3 = ['t = "', '', 'join', 'reverse', 'split', 'replace', '"'];
>>>>>>>>>     var _0x5bfa = ['<input />', 'type', 'hidden', 'attr', 'name', 'seedkey', 'value', 'append', '#theform'];
>>>>>>>>>
>>>>>>>>>     eval('t = "' + s['replace'](/ZPAK/gi, '')['replace'](/\",\"/gi, '')['replace'](/\"/gi, '')['split']('')['reverse']()['join']('') + '"');
>>>>>>>>>
>>>>>>>>>     _n = $('<input />');
>>>>>>>>>     _n['attr']('type', 'hidden');
>>>>>>>>>     _n['attr']('name', 'seedkey');
>>>>>>>>>     _n['attr']('value', t);
>>>>>>>>>     $('#theform')['append'](_n);
>>>>>>>>> });
>>>>>>>>>
>>>>>>>>> =================================================
>>>>>>>>>
>>>>>>>>> Fun stuffs. I can haz a internetz? :-P
>>>>>>>>>
>>>>>>>>> Ryan
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> ----- Original Message -----
>>>>>>>>> From: "Cal Leeming" <[email protected]>
>>>>>>>>> To: [email protected]
>>>>>>>>> Sent: Tuesday, April 12, 2011 5:28:22 PM GMT -05:00 US/Canada Eastern
>>>>>>>>> Subject: [Full-disclosure] guess what this does..
>>>>>>>>>
>>>>>>>>> $(function() {
>>>>>>>>> var _0xafd3=["\x74\x20\x3D\x20\x22","","\x6A\x6F\x69\x6E","\x72\x65\x76\x65\x72\x73\x65","\x73\x70\x6C\x69\x74","\x72\x65\x70\x6C\x61\x63\x65","\x22"];eval(_0xafd3[0]+s[_0xafd3[5]](/ZPAK/gi,_0xafd3[1])[_0xafd3[5]](/\",\"/gi,_0xafd3[1])[_0xafd3[5]](/\"/gi,_0xafd3[1])[_0xafd3[4]](_0xafd3[1])[_0xafd3[3]]()[_0xafd3[2]](_0xafd3[1])+_0xafd3[6]);
>>>>>>>>> var _0x5bfa=["\x3C\x69\x6E\x70\x75\x74\x20\x2F\x3E","\x74\x79\x70\x65","\x68\x69\x64\x64\x65\x6E","\x61\x74\x74\x72","\x6E\x61\x6D\x65","\x73\x65\x65\x64\x6B\x65\x79","\x76\x61\x6C\x75\x65","\x61\x70\x70\x65\x6E\x64","\x23\x74\x68\x65\x66\x6F\x72\x6D"];_n=$(_0x5bfa[0]);_n[_0x5bfa[3]](_0x5bfa[1],_0x5bfa[2]);_n[_0x5bfa[3]](_0x5bfa[4],_0x5bfa[5]);_n[_0x5bfa[3]](_0x5bfa[6],t);$(_0x5bfa[8])[_0x5bfa[7]](_n);
>>>>>>>>> });
>>>>>>>>>
>>>>>>>>> enjoy ;p
>>>>>>>>>
>>>>>>>>> ps) yes I obfuscated this, and no it doesn't contain any nasties.
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> Full-Disclosure - We believe in it.
>>>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>
>>>> --
>>>> I’m a hot-wired, heat seeking, warm-hearted cool customer, voice
>>>> activated and bio-degradable. I interface with my database, my database
>>>> is in cyberspace, so I’m interactive, I’m hyperactive and from time to
>>>> time I’m radioactive.
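An added example, not part of the thread or of anyone's production code: the rotating time-window token from the quoted `create_key()` / `get_valid_keys()` PHP, rewritten for Node.js with the secret lookup table swapped for an HMAC over the time step. The 300-second step (the thread does not give `_security_key_refresh`), the secret, and all function names are assumptions.

```javascript
const crypto = require('crypto');

// Assumed values: 300 s matches the 300-second offsets in get_valid_keys().
const STEP_SECONDS = 300;
const WINDOW_STEPS = 3; // +/- 900 seconds, as in the quoted PHP

// Token for one time step: HMAC-SHA256(secret, step counter), hex encoded.
function createKey(secret, nowSeconds, offsetSeconds = 0) {
  const step = Math.floor((nowSeconds + offsetSeconds) / STEP_SECONDS);
  return crypto.createHmac('sha256', secret).update(String(step)).digest('hex');
}

// Every token accepted at nowSeconds: the current step plus 3 steps either side.
function getValidKeys(secret, nowSeconds) {
  const keys = [];
  for (let i = -WINDOW_STEPS; i <= WINDOW_STEPS; i++) {
    keys.push(createKey(secret, nowSeconds, i * STEP_SECONDS));
  }
  return keys;
}

// Constant-time check of a submitted seedkey against every accepted token.
function isValidKey(secret, submitted, nowSeconds) {
  if (typeof submitted !== 'string') return false;
  const given = Buffer.from(submitted, 'utf8');
  let ok = false;
  for (const key of getValidKeys(secret, nowSeconds)) {
    const expected = Buffer.from(key, 'utf8');
    if (given.length === expected.length &&
        crypto.timingSafeEqual(given, expected)) {
      ok = true; // keep looping so timing does not reveal which step matched
    }
  }
  return ok;
}

// Constructed sample values, for illustration only.
const SAMPLE_SECRET = 'constructed-demo-secret';
const SAMPLE_NOW = 1302700000;
```

A token issued 900 seconds either side of the server clock is still accepted and one 1200 seconds away is not, while a client that simply executes the page's JavaScript, as Chris M describes, obtains a valid token under either scheme.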
