Reverse Engineering

vault-door-training [50 pts]

Description

Your mission is to enter Dr. Evil's laboratory and retrieve the blueprints for his Doomsday Project. The laboratory is protected by a series of locked vault doors. Each door is controlled by a computer and requires a password to open. Unfortunately, our undercover agents have not been able to obtain the secret passwords for the vault doors, but one of our junior agents obtained the source code for each vault's computer! You will need to read the source code for each level to figure out what the password is for that vault door. As a warmup, we have created a replica vault in our training facility. The source code for the training vault is here: VaultDoorTraining.java

Solution

The flag is at the bottom of the source file, in the checkPassword method.

Flag: picoCTF{w4rm1ng_Up_w1tH_jAv4_eec0716b713}

vault-door-1 [100 pts]

Description

This vault uses some complicated arrays! I hope you can make sense of it, special agent. The source code for this vault is here: VaultDoor1.java

Solution

It gave a lot of things to check, and not wanting to do anything by hand, I created a quick Python script by replacing the charAt calls with brackets, which easily prints out the result.

# 32 slots, one per charAt() check in VaultDoor1.java
password = [''] * 32
password[0]='d'
password[29]='3'
password[4]='r'
password[2]='5'
password[23]='r'
password[3]='c'
password[17]='4'
password[1]='3'
password[7]='b'
password[10]='_'
password[5]='4'
password[9]='3'
password[11]='t'
password[15]='c'
password[8]='l'
password[12]='H'
password[20]='c'
password[14]='_'
password[6]='m'
password[24]='5'
password[18]='r'
password[13]='3'
password[19]='4'
password[21]='T'
password[16]='H'
password[27]='f'
password[30]='b'
password[25]='_'
password[22]='3'
password[28]='6'
password[26]='f'
password[31]='0'
# Join the characters in index order to get the password
print(''.join(password))

Flag: picoCTF{d35cr4mbl3_tH3_cH4r4cT3r5_ff63b0}

asm1 [200 pts]

Description

What does asm1(0x6fa) return? Submit the flag as a hexadecimal value (starting with '0x'). NOTE: Your submission for this question will NOT be in the normal flag format. Source

Solution

asm1:
	<+0>:	push   ebp
	<+1>:	mov    ebp,esp
	<+3>:	cmp    DWORD PTR [ebp+0x8],0x3a2  ; Compare 0x6fa to 0x3a2
	<+10>:	jg     0x512 <asm1+37>  ; Jump taken
	<+12>:	cmp    DWORD PTR [ebp+0x8],0x358
	<+19>:	jne    0x50a <asm1+29>
	<+21>:	mov    eax,DWORD PTR [ebp+0x8]
	<+24>:	add    eax,0x12
	<+27>:	jmp    0x529 <asm1+60>
	<+29>:	mov    eax,DWORD PTR [ebp+0x8]
	<+32>:	sub    eax,0x12
	<+35>:	jmp    0x529 <asm1+60>
	<+37>:	cmp    DWORD PTR [ebp+0x8],0x6fa  ; Compare 0x6fa to 0x6fa
	<+44>:	jne    0x523 <asm1+54>  ; Jump not taken (0x6fa == 0x6fa)
	<+46>:	mov    eax,DWORD PTR [ebp+0x8]  ; eax = 0x6fa
	<+49>:	sub    eax,0x12  ; eax = 0x6fa - 0x12 = 0x6e8
	<+52>:	jmp    0x529 <asm1+60>  ; Jump
	<+54>:	mov    eax,DWORD PTR [ebp+0x8]
	<+57>:	add    eax,0x12
	<+60>:	pop    ebp  ; Finished
	<+61>:	ret
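
The same control flow as a Python function, so every branch of the listing can be checked and not only the 0x6fa path. This is an added example, not part of the original write-up; the names to_signed and asm1 are chosen here for illustration.

```python
MASK32 = 0xFFFFFFFF


def to_signed(value):
    """Interpret a 32-bit value as signed, because jg is a signed compare."""
    value &= MASK32
    return value - (1 << 32) if value & 0x80000000 else value


def asm1(arg):
    """Return the value left in eax when asm1(arg) reaches ret."""
    arg &= MASK32
    if to_signed(arg) > 0x3A2:      # <+3> cmp, <+10> jg taken -> <+37>
        if arg == 0x6FA:            # <+37> cmp, <+44> jne not taken
            eax = arg - 0x12        # <+46>, <+49>
        else:
            eax = arg + 0x12        # <+54>, <+57>
    else:
        if arg == 0x358:            # <+12> cmp, <+19> jne not taken
            eax = arg + 0x12        # <+21>, <+24>
        else:
            eax = arg - 0x12        # <+29>, <+32>
    return eax & MASK32             # <+60> pop ebp, <+61> ret


if __name__ == "__main__":
    # 0x6fa is the challenge input; the other values are constructed
    # to exercise the remaining three branches.
    for value in (0x6FA, 0x358, 0x100, 0x400):
        print(hex(value), "->", hex(asm1(value)))
```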

Flag: 0x6e8

vault-door-3 [200 pts]

Description

This vault uses for-loops and byte arrays. The source code for this vault is here: VaultDoor3.java

Solution

Given the checkPassword function, I take that and use the password objective as the input, which will print out the flag. This is done by modifying it to start with our output jU5t_a_sna_3lpm18gb41_u_4_mfr340 and printing out buffer once done.

    public boolean checkPassword() {
        // Feed the expected (scrambled) string back in as the password
        String password = "jU5t_a_sna_3lpm18gb41_u_4_mfr340";
        char[] buffer = new char[32];
        int i; // declared outside the loops because all four loops share it
        for (i=0; i<8; i++) {
            buffer[i] = password.charAt(i);
        }
        for (; i<16; i++) {
            buffer[i] = password.charAt(23-i);
        }
        for (; i<32; i+=2) {
            buffer[i] = password.charAt(46-i);
        }
        for (i=31; i>=17; i-=2) {
            buffer[i] = password.charAt(i);
        }
        String s = new String(buffer);
        // Print the reshuffled characters, which are the original password
        System.out.println(buffer);
        return s.equals("jU5t_a_sna_3lpm18gb41_u_4_mfr340");
    }
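
Running the check forward on its own target only works because this particular shuffle is its own inverse. The added Python example below (not part of the original write-up; the function names are chosen here) builds the index map from the four loops, confirms that property, and also inverts the map explicitly, which goes beyond this challenge and works for any index shuffle.

```python
TARGET = "jU5t_a_sna_3lpm18gb41_u_4_mfr340"  # comparison string from the page


def shuffle_map(n=32):
    """src[i] is the password index that checkPassword copies into buffer[i]."""
    src = [None] * n
    for i in range(0, 8):           # for (i=0; i<8; i++)
        src[i] = i
    for i in range(8, 16):          # for (; i<16; i++)
        src[i] = 23 - i
    for i in range(16, 32, 2):      # for (; i<32; i+=2)
        src[i] = 46 - i
    for i in range(31, 16, -2):     # for (i=31; i>=17; i-=2)
        src[i] = i
    return src


def scramble(password, src):
    """Forward direction: what checkPassword builds in buffer."""
    return "".join(password[j] for j in src)


def unscramble(target, src):
    """General inverse: put target[i] back at the index it came from."""
    out = [""] * len(src)
    for i, j in enumerate(src):
        out[j] = target[i]
    return "".join(out)


def is_involution(src):
    """True when applying the shuffle twice returns the original order."""
    return all(src[src[i]] == i for i in range(len(src)))


if __name__ == "__main__":
    m = shuffle_map()
    print("self-inverse:", is_involution(m))
    print(unscramble(TARGET, m))
```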

Flag: picoCTF{jU5t_a_s1mpl3_an4gr4m_4_u_1fb380}

asm2 [250 pts] [Not Solved]

Description

What does asm2(0x4,0x21) return? Submit the flag as a hexadecimal value (starting with '0x'). NOTE: Your submission for this question will NOT be in the normal flag format. Source

Solution

a

Flag:

vault-door-4 [250 pts]

Description

This vault uses ASCII encoding for the password. The source code for this vault is here: VaultDoor4.java

Solution

I love when I am given source code, because all I have to do most of the time is insert a little bit of code and print, kind of like what breakpoints do when debugging code.

public class MyClass {
    public static void main(String args[]) {
      checkPassword("This");

    }
    public static boolean checkPassword(String password) {
        byte[] myBytes = {
            106 , 85  , 53  , 116 , 95  , 52  , 95  , 98  ,
            0x55, 0x6e, 0x43, 0x68, 0x5f, 0x30, 0x66, 0x5f,
            0142, 0131, 0164, 063 , 0163, 0137, 0143, 061 ,
            '9' , '4' , 'f' , '7' , '4' , '5' , '8' , 'e' ,
        };
        String ans = "";
        for (int i=0; i<32; i++) {
            ans += (char)myBytes[i];
        }
        System.out.println(ans);
        return true;
    }
}

Flag: picoCTF{jU5t_4_bUnCh_0f_bYt3s_c194f7458e}

droids0 [300 pts] [Not Solved]

Description

Where do droid logs go. Check out this file.

Solution

First, since it was an APK, I had to decompile it, which I chose to do through apktool d zero.apk -o outs. I think I have to actually install it, so that will be for another time. Based on the code, I just have to click the button.

Flag:

asm3 [300 pts] [Not Solved]

Description

What does asm3(0xd2c26416,0xe6cf51f0,0xe54409d5) return? Submit the flag as a hexadecimal value (starting with '0x'). NOTE: Your submission for this question will NOT be in the normal flag format. Source

Solution

a

Flag:

vault-door-5 [300 pts]

Description

In the last challenge, you mastered octal (base 8), decimal (base 10), and hexadecimal (base 16) numbers, but this vault door uses a different change of base as well as URL encoding! The source code for this vault is here: VaultDoor5.java

Solution

Starting from the end, it was expecting a Base64-encoded, URL-encoded password, so I ran that through CyberChef and the flag just popped right out.

Flag: picoCTF{c0nv3rt1ng_fr0m_ba5e_64_0b957c4f}

reverse_cipher [300 pts] [Not Solved]

Description

We have recovered a binary and a text file. Can you reverse the flag.

Solution

It says binary file, and I wasn't sure if that meant 1s and 0s or an actual file. After checking, it is an ELF file, so I went to disassemble it online. Running it by itself gives a segmentation fault error.

Flag:

droids1 [350 pts] [Not Solved]

Description

Find the pass, get the flag. Check out this file.

Solution

a

Flag:

vault-door-6 [350 pts]

Description

This vault uses an XOR encryption scheme. The source code for this vault is here: VaultDoor6.java

Solution

XOR is really cool because you can swap the variables around. In this case, let's say a is my password byte and b is a guess byte. It calculates (a ^ 0x55) - b = 0, which can also be written as (b ^ 0x55) - a = 0.

    public boolean checkPassword() {
        byte[] myBytes = {
            0x3b, 0x65, 0x21, 0xa , 0x38, 0x0 , 0x36, 0x1d,
            0xa , 0x3d, 0x61, 0x27, 0x11, 0x66, 0x27, 0xa ,
            0x21, 0x1d, 0x61, 0x3b, 0xa , 0x2d, 0x65, 0x27,
            0xa , 0x6c, 0x60, 0x37, 0x30, 0x60, 0x31, 0x36,
        };
        String ans = "";
        for (int i=0; i<32; i++) {
            // XOR each stored byte with 0x55 to recover the password character
            ans += (char)(0x55 ^ myBytes[i]);
        }
        System.out.println(ans);
        return true;
    }

Flag: picoCTF{n0t_mUcH_h4rD3r_tH4n_x0r_95be5dc}

asm4 [400 pts] [Not Solved]

Description

What will asm4("picoCTF_724a2") return? Submit the flag as a hexadecimal value (starting with '0x'). NOTE: Your submission for this question will NOT be in the normal flag format. Source

Solution

a

Flag:

Need For Speed [400 pts] [Not Solved]

Description

The name of the game is speed. Are you quick enough to solve this problem and keep it above 50 mph? need-for-speed.

Solution

a

Flag:

B1ll_Gat35 [400 pts] [Not Solved]

Description

Can you reverse this Windows Binary?

Solution

a

Flag:

droids2 [400 pts] [Not Solved]

Description

Find the pass, get the flag. Check out this file.

Solution

a

Flag:

vault-door-7 [400 pts]

Description

This vault uses bit shifts to convert a password string into an array of integers. Hurry, agent, we are running out of time to stop Dr. Evil's nefarious plans! The source code for this vault is here: VaultDoor7.java

Solution

The program is validating a set of 32 characters by splitting the 32 into 8 groups of 4 characters. Those 4 characters are then converted to hex, and the binaries are concatenated to create 1 integer. This reminds me of a hash, which at first I was tempted to just brute force by trying each combination of 4 characters, as that is only 26^4, not that long, but I realized it could be way shorter, so I got to work on the code. I wasn't getting it at first, so I wrote this down and it all became clear: I need to turn the integers -> binary -> hex -> characters.

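key = [1096770097, 1952395366, 1600270708, 1601398833, 1716808014, 1734291511, 960049251, 1681089078]
ans = ""
for i in key:
	# integer -> binary string -> hex string such as '0x415f6231'
	b = format(i, "b")
	x = hex(int(b, 2))
	# skip the '0x' prefix and read the four bytes, two hex digits at a time
	for o in range(1, 5):
		cur = int(x[o * 2: (o + 1) * 2], 16)
		ans += chr(cur)
print(ans)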
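
The same conversion with shifts and masks, in both directions, as an added example that is not part of the original write-up. The function names are chosen here, and the byte order (first character in the most significant byte) is an assumption taken from how the script above reads the hex digits left to right.

```python
# Integer array as listed in the script above
KEY = [1096770097, 1952395366, 1600270708, 1601398833,
       1716808014, 1734291511, 960049251, 1681089078]


def pack_password(password):
    """Forward direction: every 4 characters become one 32-bit integer."""
    data = password.encode("ascii")
    if len(data) % 4:
        raise ValueError("password length must be a multiple of 4")
    words = []
    for k in range(0, len(data), 4):
        b0, b1, b2, b3 = data[k:k + 4]
        # First character lands in the top byte, last in the bottom byte
        words.append(b0 << 24 | b1 << 16 | b2 << 8 | b3)
    return words


def unpack_words(words):
    """Inverse: shift each byte down to the low 8 bits and mask it off."""
    out = bytearray()
    for w in words:
        w &= 0xFFFFFFFF  # defensive: keep only 32 bits
        out += bytes((w >> shift) & 0xFF for shift in (24, 16, 8, 0))
    return out.decode("ascii")


if __name__ == "__main__":
    recovered = unpack_words(KEY)
    print(recovered)
    # Round trip: packing the recovered password must reproduce the key
    print(pack_password(recovered) == KEY)
```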

Flag: picoCTF{A_b1t_0f_b1t_sh1fTiNg_07990cd3b6}

vault-door-8 [450 pts] [Not Solved]

Description

Apparently Dr. Evil's minions knew that our agency was making copies of their source code, because they intentionally sabotaged this source code in order to make it harder for our agents to analyze and crack into! The result is a quite mess, but I trust that my best special agent will find a way to solve it. The source code for this vault is here: VaultDoor8.java

Solution

a

Flag:

droids3 [450 pts] [Not Solved]

Description

Find the pass, get the flag. Check out this file.

Solution

a

Flag:

droids4 [500 pts] [Not Solved]

Description

Reverse the pass, patch the file, get the flag. Check out this file.

Solution

a

Flag:

Forky [500 pts] [Not Solved]

Description

In this program, identify the last integer value that is passed as parameter to the function doNothing().

Solution

a

Flag:
