Hacking Series Part 12

Challenge: vault-door-6

Category: reverse engineering

We are given java source code called “VaultDoor6.java”. Inside this file there is a password system, where if you input the correct password (or the flag) an “Access granted” message will be printed. There is only one significant method that we need to pay attention to called checkPassword.

In order for access to be granted, the function must return true. If the password passed to the function is less than 32 characters, false is returned. If any character of the inputted password does not match the condition specified in the if statement, false is returned as well. This condition is the most important part of figuring out what the password should be, and is shown again below.

if (((passBytes[i] ^ 0x55) — myBytes[i]) != 0)

Each character in the inputted password must equal to 0 after being xored with 0x55 (85), then subtracted by a character in the array myBytes. The bitwise operation xor is also known as exclusive or, and returns true only when the bits being xored differ. For example, 1 xored with 0 would return true (or 1), and 1 xored with 1 would return false (or 0), since they are not different.

Bitwise xor operation.

This also means that you can discern one of the original bits if you have the output of the xor operation.

X ^ Y = Z   means   Z ^ Y = X

Using this logic, we can reverse the condition of the if statement, then use it to print out what the password should be. To do this, we can isolate each character in passBytes, then print them all out at the end to get our flag.

(passBytes[i] ^ 0x55) — myBytes[i] != 0
passBytes[i] ^ 0x55 = myBytes[i]
myBytes[i] ^ 0x55 = passBytes[i]

After appending each character to a string called pass, then printing pass, I got the correct flag.

picoCTF{n0t_mUcH_h4rD3r_tH4n_x0r_95be5dc}