Hello all… here we are again to talk on the possible solutions that crossed my mind to solve the **challenge** on **reversing** the** javascript** function we showed in the last post.

Here is the code again, so you can go through it and analyse how to break this small piece of code.

date = new Date(); year = date.getYear(); pass = 1337; for(i = 1; i <= year; i++) { pass += year * i * year; } if(pass == 318338237039211050000) { alert("Good job!"); window.location.href = "http://challenges.org/js/12/" + year + ".php"; } else { alert("Sorry, did you fail already?!"); window.location.href = "http://www.comingback.org/pages/challenges/"; }

OK, lets start with the obvious. The **javascript** function is doing a calculation and we have to match the number to get the flat which is in: http://challenges.org/js/12/” + year + “.php”

So, OPTION 1: break it by **brute force**. So the year should be… a year… I mean, it shouldn’t be a big number, should it?. That was my first try but it didn’t succeed because the number is higher than you would expect with the information in here and if you don’t take a closer look at the number being compared to the *pass * variable. I tried with the first 3.000 using burp suite intruder and a numeric payload and as I commented previously… jump to the void… nothing there.

OPTION 2: A **binary search algorithm:** It is a little bit of programming and depending on how you developed the output condition on the search algorithm it is possible you never find the answer as there is none integer number matching the condition. However if the output condition is accurate you can find it in this way. I was lazy to develop it :).

OPTION 3: **Develop** exactly **the same algorithm** and input the year manually: I went for this on in first instance and I got it quite quick, I think the amount of time invested in the binary search or any other search algorithm doesn’t worth the time as, once you have a little piece of python code parametrised you get the number in a matter of seconds just by trial and error.

Here you have the code:

#!/usr/bin/env python import sys passs = 1337 year = int(sys.argv[1]) for i in range (1,year+1): passs += year * i * year print 'lf: ' + '318338237039211050000' print 'wh: ' + str(passs)

where *lf* stands for *looking for* and wh for *we have.*

OPTION 4: Let the **mathematics** assist you: yes, I know it sounds weird but this can be solved getting even the deviation in the condition, that can’t be fulfilled, using your basic mathematics. The ones you have already forgotten, yes, that ones :). I am going to demonstrate it to you.

Lets develop how this series looks like:

So we can calculate this as an arithmetical series sum added to the free term 1337. That sum is in the form:

And the key here is that we know what is f(n) because we have the number we need to get the flag and we now besides that this number is reached when n = y so…

And now?, easy, just apply a square root in both sides of the equation and solve the resulting second degree equation.

And that is the reason why, depending how you code your script to find the number, it won’t ever find it, it is a Real and not an Integer. The most close integer number is 158.847 so…

Our **flag** is in the url: http://challenges.org/js/12/158847.php

Don’t worry, be hacking!

++Security