diff --git a/rev/vault_door_8/VaultDoor8.java b/rev/vault_door_8/VaultDoor8.java new file mode 100644 index 0000000..8d7ce83 --- /dev/null +++ b/rev/vault_door_8/VaultDoor8.java @@ -0,0 +1,18 @@ +// These pesky special agents keep reverse engineering our source code and then +// breaking into our secret vaults. THIS will teach those sneaky sneaks a +// lesson. +// +// -Minion #0891 +import java.util.*; import javax.crypto.Cipher; import javax.crypto.spec.SecretKeySpec; +import java.security.*; class VaultDoor8 {public static void main(String args[]) { +Scanner b = new Scanner(System.in); System.out.print("Enter vault password: "); +String c = b.next(); String f = c.substring(8,c.length()-1); VaultDoor8 a = new VaultDoor8(); if (a.checkPassword(f)) {System.out.println("Access granted."); } +else {System.out.println("Access denied!"); } } public char[] scramble(String password) {/* Scramble a password by transposing pairs of bits. */ +char[] a = password.toCharArray(); for (int b=0; b>shift) | rest); return result; +} public boolean checkPassword(String password) {char[] scrambled = scramble(password); char[] expected = { +0xF4, 0xC0, 0x97, 0xF0, 0x77, 0x97, 0xC0, 0xE4, 0xF0, 0x77, 0xA4, 0xD0, 0xC5, 0x77, 0xF4, 0x86, 0xD0, 0xA5, 0x45, 0x96, 0x27, 0xB5, 0x77, 0xC1, 0xC0, 0x95, 0x94, 0x94, 0xC1, 0xD1, 0xE1, 0xF1 }; return Arrays.equals(scrambled, expected); } } \ No newline at end of file diff --git a/rev/vault_door_8/VaultDoor8Formatted.java b/rev/vault_door_8/VaultDoor8Formatted.java new file mode 100644 index 0000000..a7c8284 --- /dev/null +++ b/rev/vault_door_8/VaultDoor8Formatted.java @@ -0,0 +1,75 @@ +import java.security.*; +import java.util.*; +import javax.crypto.Cipher; +import javax.crypto.spec.SecretKeySpec; + +class VaultDoor8 { + public static void main(String args[]) { + Scanner b = new Scanner(System.in); + System.out.print("Enter vault password: "); + String c = b.next(); + String f = c.substring(8, c.length() - 1); + VaultDoor8 a = new VaultDoor8(); + if (a.checkPassword(f)) { + System.out.println("Access granted."); + } else { + System.out.println("Access denied!"); + } + } + + /* Scramble a password by transposing pairs of bits. */ + public char[] scramble(String password) { + char[] a = password.toCharArray(); + for (int b = 0; b < a.length; b++) { + char c = a[b]; + c = switchBits(c, 1, 2); + c = switchBits(c, 0, 3); + /* + c = switchBits(c,14,3); + c = switchBits(c, 2, 0); + */ + c = switchBits(c, 5, 6); + c = switchBits(c, 4, 7); + c = switchBits(c, 0, 1); + /* + d = switchBits(d, 4, 5); + e = switchBits(e, 5, 6); + */ + c = switchBits(c, 3, 4); + c = switchBits(c, 2, 5); + c = switchBits(c, 6, 7); + a[b] = c; + } + return a; + } + + /* Move the bit in position p1 to position p2, and move the bit + that was in position p2 to position p1. Precondition: p1 < p2 + */ + public char switchBits(char c, int p1, int p2) { + char mask1 = (char) (1 << p1); + char mask2 = (char) (1 << p2); + /* + char mask3 = (char)(1<> shift) | rest); + return result; + } + + public boolean checkPassword(String password) { + char[] scrambled = scramble(password); + char[] expected = {0xF4, 0xC0, 0x97, 0xF0, 0x77, 0x97, 0xC0, 0xE4, 0xF0, + 0x77, 0xA4, 0xD0, 0xC5, 0x77, 0xF4, 0x86, 0xD0, 0xA5, 0x45, 0x96, 0x27, + 0xB5, 0x77, 0xC1, 0xC0, 0x95, 0x94, 0x94, 0xC1, 0xD1, 0xE1, 0xF1}; + return Arrays.equals(scrambled, expected); + } +} diff --git a/rev/vault_door_8/solve.py b/rev/vault_door_8/solve.py new file mode 100755 index 0000000..f3a5de1 --- /dev/null +++ b/rev/vault_door_8/solve.py @@ -0,0 +1,36 @@ +#!/usr/bin/env python3 + +EXPECTED = [ + 0xF4, 0xC0, 0x97, 0xF0, 0x77, 0x97, 0xC0, 0xE4, + 0xF0, 0x77, 0xA4, 0xD0, 0xC5, 0x77, 0xF4, 0x86, + 0xD0, 0xA5, 0x45, 0x96, 0x27, 0xB5, 0x77, 0xC1, + 0xC0, 0x95, 0x94, 0x94, 0xC1, 0xD1, 0xE1, 0xF1, +] + +def switch_bits(c: int, p1: int, p2: int) -> int: + bits = list(bin(c)[2:].rjust(8, '0')) + bits[p1], bits[p2] = bits[p2], bits[p1] + return int(''.join(bits), 2) + +def unscramble_char(c: int) -> int: + c = switch_bits(c, 7, 6) + c = switch_bits(c, 5, 2) + c = switch_bits(c, 4, 3) + c = switch_bits(c, 1, 0) + c = switch_bits(c, 7, 4) + c = switch_bits(c, 6, 5) + c = switch_bits(c, 3, 0) + c = switch_bits(c, 2, 1) + return c + +def unscramble(xs: list[int]) -> str: + return ''.join(chr(unscramble_char(x)) for x in xs) + +def main(): + print('picoCTF{', end='') + print(unscramble(EXPECTED), end='') + print('}') + +if __name__ == '__main__': + main() +