Hacking Series Part 12

Challenge: vault-door-6

Category: reverse engineering

We are given a Java source file called “VaultDoor6.java”. Inside this file there is a password system: if you input the correct password (the flag), an “Access granted” message is printed. There is only one significant method that we need to pay attention to, called checkPassword.

In order for access to be granted, the function must return true. If the password passed to the function is less than 32 characters, false is returned. If any character of the inputted password does not match the condition specified in the if statement, false is returned as well. This condition is the most important part of figuring out what the password should be, and is shown again below.

if (((passBytes[i] ^ 0x55) - myBytes[i]) != 0)

For each character in the inputted password, the result of XORing it with 0x55 (85) and then subtracting the corresponding byte in the array myBytes must equal 0. The bitwise operation XOR is also known as exclusive or, and returns true only when the bits being XORed differ. For example, 1 XORed with 0 would return true (or 1), and 1 XORed with 1 would return false (or 0), since they are not different.

Bitwise xor operation.

This also means that you can recover one of the original operands if you have the output of the XOR operation and the other operand.

X ^ Y = Z   means   Z ^ Y = X

Using this logic, we can reverse the condition of the if statement, then use it to print out what the password should be. To do this, we can isolate each character in passBytes, then print them all out at the end to get our flag.

(passBytes[i] ^ 0x55) - myBytes[i] == 0
passBytes[i] ^ 0x55 = myBytes[i]
myBytes[i] ^ 0x55 = passBytes[i]

After appending each character to a string called pass, then printing pass, I got the correct flag.
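The reversal above as a runnable script, added here as an example; it is not the author's solver or the challenge's code. The page does not list the contents of myBytes, so SAMPLE_MY_BYTES is derived from a constructed 32-character password, and the function names are assumptions.

```python
KEY = 0x55      # XOR constant from the if statement
LENGTH = 32     # password length the page says checkPassword expects

# Constructed stand-in: the page does not list the real myBytes array.
SAMPLE_PASSWORD = b"constructed_sample_password_0032"
SAMPLE_MY_BYTES = bytes(c ^ KEY for c in SAMPLE_PASSWORD)


def check_password(password: bytes, my_bytes: bytes) -> bool:
    """Python port of the check as the write-up describes it."""
    if len(password) < LENGTH:
        return False
    for i in range(LENGTH):
        # Same condition as the Java if statement: any non-zero
        # difference means this character is wrong.
        if ((password[i] ^ KEY) - my_bytes[i]) != 0:
            return False
    return True


def recover_password(my_bytes: bytes) -> bytes:
    """Apply myBytes[i] ^ 0x55 = passBytes[i] to every stored byte."""
    return bytes(b ^ KEY for b in my_bytes)


if __name__ == "__main__":
    recovered = recover_password(SAMPLE_MY_BYTES)
    print("stored bytes :", SAMPLE_MY_BYTES.hex())
    print("recovered    :", recovered.decode("ascii"))
    print("accepted     :", check_password(recovered, SAMPLE_MY_BYTES))
```

Because the stored array is only the password XORed with a constant that sits in the same source file, anyone who can read the file can recover the secret without guessing.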

