recursion

Recently, I was trying to download an image from Cafe Press for the new "Local Gear" page on the Minnesota for Dean site. Right clicking on the image gave the name "spacer.gif". I thought it was odd, but who am I to argue with CafePress's CMS?

Turns out what I downloaded really WAS a spacer. They've got an image obfuscation system set up to prevent you from saving or linking to images on the site.

Fortunately, it's easy to crack, if you can do some simple math.

The link looked like this:

<script language="Javascript">e(2800703, 338, 400, 0, false);</script>

the function "e" is defined in common.js:

function e (z, h, w, b, g) {

document.write('<div style="width:'+w+';height:'+h+';background:white url(http://zoom.cafepress.com/'+(z%10)+'/'+z+'_zoom.jpg) no-repeat center center;"><img border="'+b+'" class="imageborder" src="/cp/img/'+(g?'zoom':'spacer')+'.gif" width="'+w+'" height="'+h+'"></div>')

}

It writes out a div with a background of the image you want. Furthermore, they do some hax0ring to prevent you from guessing the image's actual location.

In this case, z=2800703 and the URL is "http://zoom.cafepress.com/" + ( z % 10 ) + "/" + z + "_zoom.jpg"

So, to break the obfuscation, take z % 10 = 3, and plug that into the function to get the URL: http://zoom.cafepress.com/3/2800703_zoom.jpg