
Hacking website. password encryption


ghost's Avatar
0 0

Recently, my friend made a website with a login page. I hacked the site once but he made a few changes. He set up a JavaScript alert when the password was wrong to not allow you to go to the next page. The password was encrypted as well as the source. I easily decrypted the source, leaving the password and username. All that is needed is the password because it is only tacked on the end of the HTML to go to the next page. The password was encrypted but I'm not sure how to decrypt it or what kind of decryption it is. The password is written as 200011356469039500000. Anyone have ideas on how to decrypt the password?


Uber0n's Avatar
Member
0 0

Have you tested so that the number itself isn't the plaintext password? :p


spyware's Avatar
Banned
0 0

Source.


ghost's Avatar
0 0

No, the password is not the plaintext; I have tried that. The source is as follows:

```markup
<script>
<!--
document.write(unescape("<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Please Login</title>
</head>

<body background="images/radiance1920.jpg">

<div align="center">
<script>

function submitentry(){
  password = document.password1.password2.value.toLowerCase()
  username = document.password1.username2.value.toLowerCase()
  passcode = 1
  usercode = 1
  for(i = 0; i < password.length; i++) {
    passcode *= password.charCodeAt(i);
  }
  for(x = 0; x < username.length; x++) {
    usercode *= username.charCodeAt(x);
  }

  if(usercode==1802342563829500000&&passcode==200011356469039500000)
  { window.location=password+".htm"}
  else{ alert("password/username combination wrong")}
}
</script>

<h1 align="center"> <font color="#FFFFFF" size="72" face="arial">Please Login</font> </h2>

<form name="password1">
<strong><font color="#FFFFFF">Username</font></strong>
<input type="text" name="username2" size="15">
<br>
<strong><font color="#FFFFFF"> Password</font></strong>
<input type="password" name="password2" size="15">
<br />
<br />
<input type="button" value="Submit" onClick="submitentry()">
</form>

</body>

</html>"));
//-->
</script><!-- --><script type="text/javascript" src="/i.js"></script><script type="text/javascript">if(typeof(urchinTracker)=='function'){_uacct="UA-230305-2";_udn="freewebs.com";urchinTracker();}</script>
```


ghost's Avatar
0 0

smilies.disable()


spyware's Avatar
Banned
0 0

Ah yeah, the Dynamic Drive protection script. Either reverse engineer it (feeble laugh) or bruteforce it.


ghost's Avatar
0 0

Definitely bruteforce, too long to reverse engineer (very laughable)


ghost's Avatar
0 0

How would I go about bruteforcing it?


ghost's Avatar
0 0

Killertaco346 wrote: how would i go about bruteforcing it?

Well, loop through all possible combinations as a bruteforcer would. Subject each combination to the same steps that the "authentication process" would put them through. Then, test for those values in the conditional statement. The code isn't complicated, so just concentrate on the logic.

sinin wrote: WWW.GOOGLE.COM

That doesn't make you cool.


ghost's Avatar
0 0

come on guys…

not that hard to reverse.

just think about it.

[according to my understanding] =

it multiplies 1 by each of the ASCII values of your password.

so if your pass was A, your passcode would be 45.

to reverse it, load up a table of ASCII values, then start dividing, until you get one with NO REMAINDER.

then it's a possibility.

repeat

[/according to my understanding]


spyware's Avatar
Banned
0 0

Lol. And that is not brute-forcing how? It's just another way of brute-forcing it really. Go with the loop-through-things example Zephyr gave you.

This thing is near impossible to reverse engineer. Takes time. Loads.
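
For anyone maintaining a page like the one quoted in this thread, the following added example (not from any poster here and not Dynamic Drive's code) audits page source for the design flaws that make such a login gate ineffective. `SAMPLE`, `RULES`, `auditSource` and `productCode` are hypothetical names, and `SAMPLE` is a constructed excerpt modelled on the quoted script.

```javascript
// Added example: static audit of page source for client-side login gates.
// SAMPLE is a constructed excerpt modelled on the script quoted in this thread.
const SAMPLE = `
document.write(unescape("<html>...</html>"));
function submitentry(){
  password = document.password1.password2.value.toLowerCase()
  passcode = 1
  for(i = 0; i < password.length; i++) { passcode *= password.charCodeAt(i); }
  if(usercode==1802342563829500000&&passcode==200011356469039500000)
  { window.location=password+".htm" } else { alert("wrong") }
}`;

// Same arithmetic as the quoted submitentry(): product of lowercase char codes.
function productCode(s) {
  let code = 1;
  for (const ch of s.toLowerCase()) code *= ch.charCodeAt(0);
  return code;
}

// Hypothetical rule set; each rule names one design flaw visible in the source.
const RULES = [
  { id: "obfuscated-markup",
    why: "document.write(unescape(...)) hides markup but the browser decodes it for anyone",
    test: (src) => /document\.write\s*\(\s*unescape\s*\(/.test(src) },
  { id: "client-side-verifier",
    why: "credential check and its expected value both ship to the client",
    test: (src) => /charCodeAt/.test(src) && /==\s*\d{6,}/.test(src) },
  { id: "lossy-constant",
    why: "expected value exceeds 2^53, so the comparison runs on rounded doubles",
    test: (src) => (src.match(/==\s*\d+/g) || [])
      .some((m) => !Number.isSafeInteger(Number(m.replace(/\D/g, "")))) },
  { id: "secret-in-url",
    why: "the protected page is just <password>.htm with no server-side access control",
    test: (src) => /location(?:\.href)?\s*=\s*\w+\s*\+\s*["']\.html?["']/.test(src) },
];

// Return every rule that fires on the given page source.
function auditSource(src) {
  return RULES.filter((r) => r.test(src)).map((r) => ({ id: r.id, why: r.why }));
}

for (const f of auditSource(SAMPLE)) console.log(`${f.id}: ${f.why}`);
// The product is order-insensitive, so any rearrangement of a password passes.
console.log(productCode("listen") === productCode("silent"));
```

Any of these findings means the check belongs on the server, with the password compared against a salted, slow hash and the protected page served only to an authenticated session.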