Hacking Series Part 12

Challenge: vault-door-6

Category: reverse engineering

We are given a Java source file called “VaultDoor6.java”. It implements a password check: if you input the correct password (the flag), an “Access granted” message is printed. Only one method matters for our purposes: checkPassword.

In order for access to be granted, the function must return true. If the password passed to the function is less than 32 characters, false is returned. If any character of the inputted password does not match the condition specified in the if statement, false is returned as well. This condition is the most important part of figuring out what the password should be, and is shown again below.

if (((passBytes[i] ^ 0x55) - myBytes[i]) != 0)

For a character of the inputted password to pass, xoring it with 0x55 (85) and then subtracting the corresponding byte of the array myBytes must give 0. The bitwise operation xor, also known as exclusive or, returns true only when the bits being xored differ. For example, 1 xored with 0 returns true (or 1), and 1 xored with 1 returns false (or 0), since they are not different.

Bitwise xor operation.

This also means that you can recover one of the original inputs if you have the output of the xor operation and the other input.

X ^ Y = Z   means   Z ^ Y = X

Using this logic, we can reverse the condition of the if statement, then use it to print out what the password should be. To do this, we can isolate each character in passBytes, then print them all out at the end to get our flag.

(passBytes[i] ^ 0x55) - myBytes[i] != 0
passBytes[i] ^ 0x55 = myBytes[i]
myBytes[i] ^ 0x55 = passBytes[i]

After appending each character to a string called pass, then printing pass, I got the correct flag.
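The same inversion as an added Python example (not the author's Java solution and not the challenge's own code). It goes slightly beyond the write-up by masking table entries to 8 bits, since Java's byte type is signed. The table here is built from a constructed placeholder password, not the real myBytes values; the function names are assumptions.

```python
XOR_KEY = 0x55   # constant from the if statement in checkPassword
PASS_LEN = 32    # length check described in the write-up


def encode(password: bytes) -> list:
    """Build a myBytes-style table from a known password (demo helper)."""
    table = []
    for b in password:
        v = b ^ XOR_KEY
        # Java bytes are signed: values above 0x7f show up as negatives.
        table.append(v - 256 if v > 0x7F else v)
    return table


def check_password(password: bytes, my_bytes: list) -> bool:
    """Python rendering of the check as the write-up describes it."""
    if len(password) < PASS_LEN:
        return False
    for i in range(PASS_LEN):
        # Mask to 8 bits so signed table entries compare correctly.
        if ((password[i] ^ XOR_KEY) - (my_bytes[i] & 0xFF)) != 0:
            return False
    return True


def recover(my_bytes: list) -> bytes:
    """Invert the check: passBytes[i] = myBytes[i] ^ 0x55."""
    return bytes((b & 0xFF) ^ XOR_KEY for b in my_bytes)


# Constructed 32-byte placeholder, NOT the challenge flag or its table.
SAMPLE_PASSWORD = b"constructed_sample_password_0032"
SAMPLE_TABLE = encode(SAMPLE_PASSWORD)

if __name__ == "__main__":
    recovered = recover(SAMPLE_TABLE)
    print(recovered.decode())
    print(check_password(recovered, SAMPLE_TABLE))
```

Because the key is a constant sitting next to the table in the source, this check only obfuscates the password; anyone who can read the code can recover it.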




