Hacking Series Part 12
Category: reverse engineering
We are given java source code called “VaultDoor6.java”. Inside this file there is a password system, where if you input the correct password (or the flag) an “Access granted” message will be printed. There is only one significant method that we need to pay attention to called
In order for access to be granted, the function must return true. If the password passed to the function is less than 32 characters, false is returned. If any character of the inputted password does not match the condition specified in the if statement, false is returned as well. This condition is the most important part of figuring out what the password should be, and is shown again below.
if (((passBytes[i] ^ 0x55) - myBytes[i]) != 0)
Each character of the inputted password, after being xored with 0x55 (85) and then having the corresponding byte of the array myBytes subtracted from it, must equal 0. The bitwise operation xor is also known as exclusive or, and returns true only when the bits being xored differ. For example, 1 xored with 0 returns true (or 1), and 1 xored with 1 returns false (or 0), since the bits are not different.
This also means that you can discern one of the original bits if you have the output of the
X ^ Y = Z means Z ^ Y = X
Using this logic, we can reverse the condition of the if statement, then use it to print out what the password should be. To do this, we can isolate each character in passBytes, then print them all out at the end to get our flag.
(passBytes[i] ^ 0x55) - myBytes[i] != 0
passBytes[i] ^ 0x55 = myBytes[i]
myBytes[i] ^ 0x55 = passBytes[i]
After appending each character to a string called pass, then printing pass, I got the correct flag.
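The check described above and its inversion, as an added example that is not the challenge's own VaultDoor6.java. The myBytes table is constructed here from a made-up 32-character sample; the real array from the challenge is not reproduced on this page.

```python
# Added example: re-creates the password check from the writeup and the
# xor inversion used to recover the password. MY_BYTES is constructed from
# a sample string and is NOT the challenge's real table.

KEY = 0x55  # the constant every password byte is xored with

# Constructed sample (exactly 32 bytes), standing in for the real flag body.
SAMPLE_PASSWORD = b"constructed_sample_secret_abcd01"

# The challenge ships the table of (password byte ^ 0x55); build ours the same way.
MY_BYTES = [b ^ KEY for b in SAMPLE_PASSWORD]


def check_password(password: bytes) -> bool:
    """Mirror of the Java check: length >= 32, and for every i
    (passBytes[i] ^ 0x55) - myBytes[i] must be 0."""
    if len(password) < 32:
        return False
    for i in range(32):
        # Values stay below 0x80 (printable ASCII), so Java's signed byte
        # promotion makes no difference to the subtraction here.
        if ((password[i] ^ KEY) - MY_BYTES[i]) != 0:
            return False
    return True


def recover_password(my_bytes) -> str:
    """Invert the condition: myBytes[i] ^ 0x55 = passBytes[i]
    (xor is its own inverse), and join the bytes into the password."""
    return bytes(b ^ KEY for b in my_bytes).decode("ascii")


if __name__ == "__main__":
    recovered = recover_password(MY_BYTES)
    print(recovered)
    print("Access granted" if check_password(recovered.encode()) else "Access denied")
```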