Tuesday, August 12, 2008

What's your secret?

Returning to this blog's founding idea of being "comprehensive" or "total," I wanted to reflect on a thought, share a story, and ask a question.

Tell me if I'm off-base...

Teachers often get put into boxes. If you have a math problem, you ask the math teacher. If you have a question about history, you ask the history teacher. If you want music, you ask the music teacher. But teachers don't end at their subjects; simply through living, people tend toward diversity of interests and abilities, and those often go unsung because the subject never really comes up.


Before I wanted to be a music teacher, I wanted to be a software engineer, and the decision to switch is another post altogether. Anyway, when I got this message the other day, I had to figure out what was up:

Hey ;) You have a secret crush.
Can you guess who it is??
Go Here to find out:
http://insert prefix here.blogspot.com

The URL naturally went to a phishing site, and the person from whom I got this had had her account compromised, and this was spread to the top half of her contact list, each person with their own prefix in the URL (just some junk characters).

Now, since a blogspot.com address led to a phishing site, there must have been some trickery going on to the tune of redirection. To see where to and what else was happening, I needed to get at the page source for that blogspot page, but since it redirected me, I had to use "curl" (would have used "wget" if I was on linux; I like it better than curl) to dump the page's HTML to my terminal. Turns out there was a block of javascript code that looked like total garbage...

var wevoswe='rhsjluaenoakbkewrt',mneuf='aqvngcwnsjhc',rbgmtdy=0,frlbdef,lsqato,shucocy='%',
lsqato+= String.fromCharCode(xqulosji);if(rbgmtdy>=lnmxsi)rbgmtdy=0;}

Basically, it's been scrambled. The variable names have been obscured so as to not give hints of what's going on, and it's made to look as unreadable as possible. After some work in VI, though, it came to look like...

var w='rhsjluaenoakbkewrt', // a "key" for a lewis-carroll-like cipher
rb=0, // an index through var. w
i, // iterator for a loop
doc, // document to write at the end
percent='%', // something to hold the escape character
m='aqvngcwnsjhc', // why is this even getting initialized?
str='rjweepocopg', // does this do anything? red herring?
str2='sodjlhmmu', // does this do anything? red herring?
doc='', // initialize blank document?
bignumber, // big number to be catted to document? - actually, no
useless; // never initialized, just used... default=0?

for(i=0;i<longLen;i+=2) // work our way through 'long' 2 chars at a time
tmpchar=unescape(percent+long.substr(i,2)); // decode every two chars
base=tmpchar.charCodeAt(useless); // get unicode of tmpchar
m=str+str2; // concatenate? red herring?
power=w.charCodeAt(rb++); // get unicode of w
str=m+w; // concatonate? red herring?
bignumber=base^power; // bitwise operator?
doc+= String.fromCharCode(bignumber); // decode from unicode
if(rb>=lenW)rb=0; // reset counter for shorter 'key' string
} // for

document.write(doc); // write it to where?

Sorry, I lost the indenting... I don't think blogger lets you keep it.

I've worked with C and Java, but not Javascript, so there were some places where I was a bit confused, but it's basically a way to decode a string and make the browser deal with it. What happens, if you don't want to look through the comments, is it starts with a key and a code, w and long respectively. The code is actually a bunch of hex escape codes with the delimiters taken out, so the first step is to decode those and turn them into letters. Then, a character is taken from the key, matched up with the corresponding letter in the code, and an operation is done on them to get the real letter. The fact that it uses a passphrase and not just a constant value as a key reminds me of polyalphabetic ciphers like the Lewis Carroll cipher, as my Dad will likely remember it from the science fair project on codes and ciphers from my early elementary school days. Anyway, I'm pretty sure the operator is a
bitwise xor operator
and not an exponent function, but in the end, you get your message.

And what is this message? It turns out that what it gives the browser (because document.print() prints to the main frame, I think) is a small script to redirect the browser to another website. What was going on on that other website, though, will stay a mystery because before I could get back and grab the html from it, someone had taken it down and it just forwards to a 404 page for what sounds like the hosting server for a bunch of phishing scams.

The hunt ended there, but it was fun to try my hand again at code hacking. The last time I did anything like this, it was a port over to my old Mac LC-something, redoing the save system and getting rid of all the myriad gotos and parallel arrays in a really fun game done in C by Griffin Knodle called "Bad King," an early project of his. But getting those neurons firing again was just like getting back on an old bike; the syntax may have changed a little, but the process itself never really left me, and it was still as fun as ever.

So now for the question, you who either read all that or skipped down here : what gets put outside your box? What don't people expect you to do? Are you glad you're in this box rather than the other? Do you ever get to use both boxes?

Well, I'm back to music history (mmmm... Wagner) until the next phisher tries messing with this band teacher. :)

No comments: