Challenge – Reversing Javascript – Solutions

Hello all… here we are again to talk about the possible solutions that crossed my mind for the challenge on reversing the JavaScript function we showed in the last post.

Here is the code again, so you can go through it and analyse how to break this small piece of code.

 date = new Date();
 year = date.getYear();
 pass = 1337;
 for (i = 1; i <= year; i++)
    pass += year * i * year;
 if (pass == 318338237039211050000) {
    alert("Good job!");
    window.location.href = "" + year + ".php";
 } else {
    alert("Sorry, did you fail already?!");
    window.location.href = "";
 }

OK, let’s start with the obvious. The JavaScript function performs a calculation, and we have to match the number to get the flag, which is at: "" + year + ".php"

So, OPTION 1: break it by brute force. The year should be… a year… I mean, it shouldn’t be a big number, should it? That was my first try, but it didn’t succeed, because the number is higher than you would expect from the information here if you don’t take a closer look at the number being compared to the pass variable. I tried the first 3.000 using Burp Suite Intruder with a numeric payload and, as I commented previously… a jump into the void… nothing there.

OPTION 2: A binary search algorithm. It takes a little bit of programming and, depending on how you write the exit condition of the search, it is possible you never find the answer, as there is no integer matching the condition. However, if the exit condition is accurate, you can find it this way. I was too lazy to develop it :).

OPTION 3: Develop exactly the same algorithm and input the year manually. I went for this one in the first instance and I got it quite quickly. I think the binary search, or any other search algorithm, isn’t worth the time invested because, once you have a little piece of parametrised Python code, you get the number in a matter of seconds just by trial and error.

Here you have the code:

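#!/usr/bin/env python3

import sys

# Same calculation as the JavaScript loop; the candidate year is the first argument.
# Python integers are exact, so 'wh' can differ from the JavaScript double
# in its last digits even for the right year.
passs = 1337
year = int(sys.argv[1])

for i in range(1, year + 1):
    passs += year * i * year

print('lf: ' + '318338237039211050000')
print('wh: ' + str(passs))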

where lf stands for looking for and wh for we have.

OPTION 4: Let the mathematics assist you. Yes, I know it sounds weird, but this can be solved, even getting the deviation in the condition that can’t be fulfilled, using your basic mathematics. The ones you have already forgotten, yes, those ones :). I am going to demonstrate it to you.

Let’s work out what this series looks like:


So we can calculate this as an arithmetical series sum added to the free term 1337. That sum is in the form:


And the key here is that we know what f(n) is, because we have the number we need to get the flag, and we also know that this number is reached when n = y, so…


And now? Easy: just apply a square root to both sides of the equation and solve the resulting second-degree equation.


And that is the reason why, depending on how you code your script to find the number, it won’t ever find it: the solution is a real number and not an integer. The closest integer is 158.847 so…

Our flag is in the url:

Don’t worry, be hacking!
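Options 2 and 4 can be combined in a few lines. The following is an added example, not code from the original post: it reruns the challenge loop in JavaScript doubles (as the browser does), binary-searches the year and picks the nearest one, so the search terminates even without an exact match. The names TARGET, computePass, estimateYear and findYear are illustrative, and the closed form in the comments is derived here from the loop itself.

```javascript
const TARGET = 318338237039211050000; // value the challenge compares pass against

// Same loop as the challenge, evaluated in IEEE-754 doubles.
function computePass(year) {
  let pass = 1337;
  for (let i = 1; i <= year; i++) pass += year * i * year;
  return pass;
}

// The loop sums y^2 * (1 + 2 + ... + y), so pass = 1337 + y^3 * (y + 1) / 2.
// For large y the y^4 term dominates, giving a real-valued estimate of y.
function estimateYear(target) {
  return Math.pow(2 * (target - 1337), 0.25);
}

// computePass grows with year, so bisection applies. The loop keeps
// computePass(lo) < target <= computePass(hi) and then returns whichever
// neighbour is closer, instead of waiting for an equality that may never hold.
function findYear(target) {
  let lo = 0, hi = 1;
  while (computePass(hi) < target) { lo = hi; hi *= 2; }
  while (hi - lo > 1) {
    const mid = Math.floor((lo + hi) / 2);
    if (computePass(mid) < target) lo = mid; else hi = mid;
  }
  const below = computePass(lo), above = computePass(hi);
  const year = (target - below < above - target) ? lo : hi;
  const pass = (year === lo) ? below : above;
  return { year, pass, exact: pass === target };
}

console.log(estimateYear(TARGET), findYear(TARGET));
```

The exact field reports whether the double-precision loop reproduces the constant bit for bit; an arbitrary-precision reimplementation such as the Python script in Option 3 sums exactly and can differ in the last digits.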

