#9, 12-22-2017, 10:36, MistHill
Good, raduga_fb found bugs in the application.
1. The customized Base64 encoding/decoding has a problem.
UserCodes 000000000000000000000000000870~879 and 87a, 87A, 87b, 87B give the same result after decoding.
2. Validation logic
The success flag is set if the UserCode length is greater than 0x1D. But next it will jump over the UserName check if ElGamalDecrypt() fails.

We need to counterfeit a UserCode with the correct checksum and cause ElGamalDecrypt() to return NULL, and the trick is done.

Some "valid" UserCode:
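The fail-open flow described in point 2 of the post, next to a fail-closed rewrite, as an added example that is not part of the original post or the application's code. `toy_decrypt` is a hypothetical stand-in for ElGamalDecrypt() with a constructed rule, and the checksum step is left out.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for the application's ElGamalDecrypt(): returns the
   recovered name, or NULL on failure. Constructed rule: only codes starting
   with 'K' "decrypt", and they always yield "alice". */
static const char *toy_decrypt(const char *user_code)
{
    return (user_code[0] == 'K') ? "alice" : NULL;
}

/* Fail-open pattern described in the post: the flag is set from the length
   test alone, and a failed decrypt skips the name comparison, leaving it set. */
int validate_fail_open(const char *user_name, const char *user_code)
{
    int ok = 0;
    if (strlen(user_code) > 0x1D)
        ok = 1;                       /* success decided too early */
    const char *plain = toy_decrypt(user_code);
    if (plain != NULL) {              /* name check only runs on success */
        if (strcmp(plain, user_name) != 0)
            ok = 0;
    }
    return ok;
}

/* Fail-closed form: start from "invalid", treat every failure as rejection,
   and report success only after the last check has passed. */
int validate_fail_closed(const char *user_name, const char *user_code)
{
    if (strlen(user_code) <= 0x1D)
        return 0;
    const char *plain = toy_decrypt(user_code);
    if (plain == NULL)
        return 0;                     /* decrypt failure is a rejection */
    if (strcmp(plain, user_name) != 0)
        return 0;
    return 1;
}
```

The two functions agree on every input where decryption succeeds; they differ only when it fails, which is the case the post relies on.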