Latest Announcemnent
New thread

What encoding method does this site use?

Status
Not open for further replies.
L

Lifetalk

Active Member
4,392
2008
2,119
530
http://www.proxy-server.at

Try entering a URL. This does appear to be the Glype proxy which commonly uses Base64 encoding on their URL's, but this case appears to be different. I've tried Base64 and a combination of Rot13 with Base64 but I just can't seem to figure out what method they're using to encode their urls. Would appreciate if anyone could shed some light on this.

Another site that appears to be the same:
http://www.plwe.info/
 
Last edited:
5 comments
y0NwFsGNN5xwWq+mosFxN+XtUJ2VwvyKwfAo

it could be anything tbh, near impossible to reverse engineer even a simple encoding like this in a black box environment (i.e. not knowing what happens behind the scenes).

for example it could just be base64 with a custom alphabet instead of the usual one.
could be base64'd binary, deflated, rotated, reversed... anything really.

p.s. it is valid base64 but returns useless data, so could've been passed through anything beforehand.
 
You would need to guess at the encoding method, I would start with XOR or rotation ciphers.

A quick look reveals that the cipher is simple in nature (there is a high similarity between google.com and google.co and google.com.au etc).

You could figure it out with enough time an samples.
 
Great, thanks guys. I'll be looking deeper into this. Just wanted to be sure I wasn't missing out something simple before diving into it :)
 
check the source code:

there are 3 functions:
function bas64_encode
function base64_decode
function arcfour

Now when we submit a URL a user session or some other encoded string is stored in javascript variable ginf.enc.u

When cript is called it is using above user hash and input URL to encode/decode.

to encode
Code: 
input=base64_encode(arcfour(ginf.enc.u,input));
and to decode it back this method is used like this
Code: 
input=arcfour(ginf.enc.u,base64_decode(input));
//notice the decode method is gettintg same variable "input" and reversing it back.

So convert ur URL to base64 then pass through arcfour method. Now you can check what is happening to string in this function :

PHP: 
function arcfour(k,d){
   var o='';
   s=new Array();
   var n=256;
   l=k.length;
    for(var i=0;i<n;i++){s[i]=i;}
    for(var j=i=0;i<n;i++){j=(j+s[i]+k.charCodeAt(i%l))%n;var x=s[i];s[i]=s[j];s[j]=x;}    
    for(var i=j=y=0;y<d.length;y++){i=(i+1)%n;j=(j+s[i])%n;x=s[i];s[i]=s[j];s[j]=x;o+=String.fromCharCode(d.charCodeAt(y)^s[(s[i]+s[j])%n]);} return o;}
Source code here:
Code: 
http://www.proxy-server.at/includes/main.js?1.4.4
 
Last edited:
Status
Not open for further replies.
Back
Top