Inside Technique: Hiding HTML/SCRIPT... I think it IS possible! (Page 4: The Deception)

You've already seen some of the deception: if the request to hidden.asp isn't perfect, fake.js is sent instead of real.js. One of the (many) weaknesses of the "Find the Source Code Challenge" (Part I) was that I didn't send fake code for a bad request; instead I wrote various taunts similar to this. I came to realize that I was helping the one trying to crack it by giving a definite negative response: they know not to try the same thing again and are forced to think of something new. I left in the taunt for a non-existent or non-32-character pass parameter, because it would seem odd that a clearly invalid pass generated the exact same response as a valid pass.

After deciding to send fake code, I needed something that would be the perfect distraction: code that looked legitimate but did absolutely nothing, something that would completely befuddle someone who knew what they were doing. I decided to make a play on a very common script encoding technique, eval(unescape("escaped characters"));. Meet SuperDuperTopSecretDecodingFunction(). It really looks like it does something. SuperDuperTopSecretDecodingFunction is used in place of a plain unescape, but it doesn't seem to be defined anywhere (because it isn't). Unescaping the string in the traditional way just produces garbage, so SuperDuperTopSecretDecodingFunction would seemingly have to be some kind of complex encryption algorithm. Of course, since there is no SuperDuperTopSecretDecodingFunction, the call had to be wrapped inside ultimateProtectedScript(). I didn't want an error generated from using an undefined function, and merely declaring a function that contains a call to an undefined function is perfectly OK as long as it's never called (which it isn't). And all that escaped data was just a bunch of random numbers with % in front of them. :) Good times...
Side note: I actually contemplated changing the function names, especially SuperDuperTopSecretDecodingFunction; it's just too cheesy, and I was afraid someone would pick up on that and not even bother to waste any effort trying to crack it because they knew I was messing with them. But in the end I kept the name, if only for my own personal amusement.

Then I wanted to take it even further: I had to make sure the cracker was convinced they were on the right track in figuring out SuperDuperTopSecretDecodingFunction. The best way to make sure of that is to make them work for it. If getting ultimateProtectedScript is a challenge in and of itself, albeit a pretty easy one, it seems as though it has to be the right code, because why would all that work be spent on something that wasn't? The extra work comes in the form of script encoding, using both the eval(unescape()) method and the Microsoft Windows Script Encoder method. I chose these two because they are very common and very easy to crack. Anyone who has ever done this type of challenge before knows exactly how to decode them. However, it still requires an investment of time and effort: for instance, setting up a page with a textarea and a script that runs unescape to get the decoded string. Also, if the challenger doesn't have a Windows Script decoder locally, they have to go find and download one such as scrdec14. By the time they download it, read the syntax and execute it, they've probably spent anywhere from 5 to 30 minutes. With all that time invested in one direction, they are unlikely to try different requests in the hope of getting a different code output.

At first, after creating the perfect "red herring" script, I thought it would be a nice touch of irony to leave the real code in its original form. It would have been a funny ending to discover that all the decoding was for nothing when the real code was sent in plain form. However, I soon realized another trick can be played by encoding the real code.
I took the original fake code, took some characters out, and appended an escaped version of the real code. Here is the result. Someone casually looking over this code is likely to dismiss it as the code they have come to know and love. Of course, I couldn't just serve that version; it needed to be put through the same process as the fake code. Here is the finished product. While the encoding process did change the lengths of the final scripts, they are still strikingly similar. Put them up side by side and do a line-by-line comparison; I know I wouldn't have given it a second thought.
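The two tricks above, the decoy that calls an undefined decoder inside a never-called wrapper and the real code hidden under eval(unescape()) layers, can be checked without running any of the script. The following is an added example written for this page, not the article's fake.js or real.js; the sample scripts, the names REAL, DECOY and peel(), and the use of new Function() purely as a parser are all constructed here. It peels eval(unescape("...")) layers and reports whether the payload compiles as script, which separates "random numbers with % in front of them" from genuinely encoded code.

```javascript
// Added example (not the article's code): statically peel eval(unescape("...")) layers
// and check whether the payload is script or the article's "random numbers with %" decoy.
// Nothing is executed: new Function(code) only compiles (parses) the text.

// Same rules as the legacy JavaScript unescape(): %uXXXX first, then %XX.
function jsUnescape(s) {
  return s
    .replace(/%u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Inverse, used only to build the constructed samples below (ASCII input).
function jsEscape(s) {
  return Array.from(s, c => '%' + c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
}

// Does the text compile? SyntaxError means garbage; a clean compile means plausible code.
// A body that merely declares a function calling an undefined name still compiles,
// which is exactly why the decoy's wrapper raises no error as long as it is never called.
function parsesAsScript(code) {
  try { new Function(code); return true; } catch (e) { return false; }
}

// Matches eval(<decoder>("<escaped>")), capturing the decoder name and the string literal.
const WRAPPER = /eval\(\s*([A-Za-z_$][\w$]*)\(\s*(["'])((?:(?!\2).)*)\2\s*\)\s*\)/;

// Peels nested wrappers. A decoder other than unescape is the red flag: the data only
// has to look encoded, so its plain-unescape result is reported and no further layer is tried.
function peel(src) {
  const decoders = [];
  let text = src, m;
  while ((m = WRAPPER.exec(text))) {
    const [, decoder, , escaped] = m;
    decoders.push(decoder);
    text = jsUnescape(escaped);
    if (decoder !== 'unescape') break;
  }
  return { decoders, text, isScript: parsesAsScript(text) };
}

// Constructed samples in the article's style (not the original fake.js / real.js).
const REAL = 'alert("the real code")';
const REAL_WRAPPED = 'eval(unescape("' + jsEscape(REAL) + '"))';
const DOUBLE_WRAPPED = 'eval(unescape("' + jsEscape(REAL_WRAPPED) + '"))';
const DECOY = 'function ultimateProtectedScript(){' +
  'eval(SuperDuperTopSecretDecodingFunction("%5c%37%91%42%0a%7b"));}';

console.log(peel(DOUBLE_WRAPPED)); // decoders: ['unescape','unescape'], isScript: true
console.log(peel(DECOY));          // decoders: ['SuperDuperTopSecretDecodingFunction'], isScript: false
```

Note that parsesAsScript(DECOY) is true while the decoy's payload is not: the outer wrapper compiles cleanly precisely because the undefined decoder is declared inside a function that nothing ever calls.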
© 1997-2000 InsideDHTML.com, LLC. All rights reserved.