picoCTF Reverse Engineering Guide

here's how to solve vault-door-1

Back to the Reverse Engineering Guides

vault-door-1

Name: vault-door-1
Description: This vault uses some complicated arrays! I hope you can make sense of it, special agent. The source code for this vault is here: VaultDoor1.java
Author: Mark E. Haase
Tags: Medium, Reverse Engineering, picoCTF 2019
Challenge from: picoCTF 2019
Files: VaultDoor1.java
Hints:
1. Look up the charAt() method online.

Theory

According to the description, this is gonna be a series of challenges of "doors", that are like codes we have to change or something to get the flag of each door, and that kinda stuff. So for this second one, it's gonna be about arrays, alright, let's go download the code and see what's inside.

Solution

So, let's open the code we just downloaded and see what's going on in this door:

import java.util.*;

class VaultDoor1 {
    public static void main(String args[]) {
        VaultDoor1 vaultDoor = new VaultDoor1();
        Scanner scanner = new Scanner(System.in);
        System.out.print("Enter vault password: ");
	String userInput = scanner.next();
	String input = userInput.substring("picoCTF{".length(),userInput.length()-1);
	if (vaultDoor.checkPassword(input)) {
	    System.out.println("Access granted.");
	} else {
	    System.out.println("Access denied!");
	}
    }

    // I came up with a more secure way to check the password without putting
    // the password itself in the source code. I think this is going to be
    // UNHACKABLE!! I hope Dr. Evil agrees...
    //
    // -Minion #8728
    public boolean checkPassword(String password) {
        return password.length() == 32 &&
               password.charAt(0)  == 'd' &&
               password.charAt(29) == 'a' &&
               password.charAt(4)  == 'r' &&
...

Yeah, no need to show all of it. So we have to unscramble all the letters, and I know a funny but weird way to do it. We can use Javascript to first replace the charAt by just putting it in an array, so basically password[number] = 'lol', and then printing it all joined. We can do this by getting rid of charAt like I just said, then instead of equalling, just putting it in that order in an array, so cutting off one of the equal signs for both the normal one and the one that has two spaces, and then separate it all to get a good command. So to do these replaces we just put all the character code in a string and run it through this:

.replaceAll("               password.charAt(", "password[").replaceAll(")  =", "] ").replaceAll(") =", "] ").replaceAll(" &&\n", ";")

And if we run it:

`                password.charAt(0)  == 'd' &&
                password.charAt(29) == 'a' &&
                password.charAt(4)  == 'r' &&
...
...
                password.charAt(31) == '4';`.replaceAll("               password.charAt(", "password[").replaceAll(")  =", "] ").replaceAll(") =", "] ").replaceAll(" &&\n", ";")

"password[0] = 'd';password[29] = 'a';password[4] = 'r';password[2] = '5';password[23] = 'r';password[3] = 'c';password[17] = '4';password[1] = '3';password[7] = 'b';password[10] = '_';password[5] = '4';password[9] = '3';password[11] = 't';password[15] = 'c';password[8] = 'l';password[12] = 'H';password[20] = 'c';password[14] = '_';password[6] = 'm';password[24] = '5';password[18] = 'r';password[13] = '3';password[19] = '4';password[21] = 'T';password[16] = 'H';password[27] = '6';password[30] = 'f';password[25] = '_';password[22] = '3';password[28] = 'd';password[26] = 'f';password[31] = '4';"

And those replacing commands, give us another command. Which if we run (also remember to create the array, because we can't just add elements to an array that doesn't exist):

password = []
Array (0)[]

password[0] = 'd';password[29] = 'a';password[4] = 'r';password[2] = '5';password[23] = 'r';password[3] = 'c';password[17] = '4';password[1] = '3';password[7] = 'b';password[10] = '_';password[5] = '4';password[9] = '3';password[11] = 't';password[15] = 'c';password[8] = 'l';password[12] = 'H';password[20] = 'c';password[14] = '_';password[6] = 'm';password[24] = '5';password[18] = 'r';password[13] = '3';password[19] = '4';password[21] = 'T';password[16] = 'H';password[27] = '6';password[30] = 'f';password[25] = '_';password[22] = '3';password[28] = 'd';password[26] = 'f';password[31] = '4';

Now just add all the elements into a string in the correct order, without forgetting to create the string first:

s = ''; for(let i of password){s += i}; console.log(s);
d35cr4mbl3_tH3_cH4r4cT3r5_f6daf4

Finally, we got it unscrambled, there was probably a better way by editing the java code, but idk, I know more JavaScript from my early html days than I do java. And add the flag format:

picoCTF{d35cr4mbl3_tH3_cH4r4cT3r5_f6daf4}

There we go! That's the flag.

I rated this level as "good"! :3

https://play.picoctf.org/practice/challenge/12

Explore My Website