PicoCTF 2019 Writeups

27-oct-2019 by AJc0de5


vault-door-3 - Points 200

This vault uses for-loops and byte arrays. The source code for this vault is here:

import java.util.*;

class VaultDoor3 {
    public static void main(String args[]) {
        VaultDoor3 vaultDoor = new VaultDoor3();
        Scanner scanner = new Scanner(System.in);
        System.out.print("Enter vault password: ");
        String userInput = scanner.next();
        String input = userInput.substring("picoCTF{".length(),userInput.length()-1);
        if (vaultDoor.checkPassword(input)) {
            System.out.println("Access granted.");
        } else {
            System.out.println("Access denied!");
        }
    }

    // Our security monitoring team has noticed some intrusions on some of the
    // less secure doors. Dr. Evil has asked me specifically to build a stronger
    // vault door to protect his Doomsday plans. I just *know* this door will
    // keep all of those nosy agents out of our business. Mwa ha!
    //
    // -Minion #2671
    public boolean checkPassword(String password) {
        if (password.length() != 32) {
            return false;
        }
        char[] buffer = new char[32];
        int i;
        for (i=0; i<8; i++) {
            buffer[i] = password.charAt(i);
        }
        for (; i<16; i++) {
            buffer[i] = password.charAt(23-i);
        }
        for (; i<32; i+=2) {
            buffer[i] = password.charAt(46-i);
        }
        for (i=31; i>=17; i-=2) {
            buffer[i] = password.charAt(i);
        }
        String s = new String(buffer);
        System.out.println(s);
        return s.equals("jU5t_a_sna_3lpm1dg347_u_4_mfr54b");
    }
}

Solution

This is the vault-door-3 flag problem. The program uses for loops to copy the user's input into a char[] array in a rearranged order, and then compares the resulting buffer with a rearranged version of the flag that is hardcoded in the source.

You might already have an idea of how to get the flag, but if not, don't worry, I will try to explain it as clearly as possible.

        if (password.length() != 32) {
            return false;
        }
        char[] buffer = new char[32];
        int i;
        for (i=0; i<8; i++) {
            buffer[i] = password.charAt(i);
        }
        for (; i<16; i++) {
            buffer[i] = password.charAt(23-i);
        }
        for (; i<32; i+=2) {
            buffer[i] = password.charAt(46-i);
        }
        for (i=31; i>=17; i-=2) {
            buffer[i] = password.charAt(i);
        }
        String s = new String(buffer);
        System.out.println(s);
        return s.equals("jU5t_a_sna_3lpm1dg347_u_4_mfr54b");

These are the loops that rearrange the flag supplied by the user. We will go through them one by one and see how the characters are stored in the buffer[] array.

        char[] buffer = new char[32];
        int i;
        for (i=0; i<8; i++) {
            buffer[i] = password.charAt(i);
        }   

This is the first loop. The first 8 characters of the user's input are stored as they are in the first 8 positions of the buffer array, and those positions are not modified after this loop, so they are part of the actual flag. Remember that we are taking these characters from the modified flag string given in the code, which is

return s.equals("jU5t_a_sna_3lpm1dg347_u_4_mfr54b");

The resultant characters stored in the buffer array are:

0 1 2 3 4 5 6 7
j U 5 t _ a _ s

        for (; i<16; i++) {
            buffer[i] = password.charAt(23-i);
        }   

This is the second loop. It has no initialization part, so i continues from the value the previous loop left it at, which is 8. The characters come from index 23-i of the password.

The resultant characters stored in the buffer array are:

23-8 23-9 23-10 23-11 23-12 23-13 23-14 23-15
15 14 13 12 11 10 9 8
1 m p l 3 _ a n

        for (; i<32; i+=2) {
            buffer[i] = password.charAt(46-i);
        }   

This is the third for loop. It also has no initialization part, so i continues from the previous loop's final value, which is 16. The characters come from index 46-i, and i increments by 2 rather than 1. Let's see how they are stored.

The resultant characters stored in the buffer array are:

46-16 46-18 46-20 46-22 46-24 46-26 46-28 46-30
30 28 26 24 22 20 18 16
4 r m 4 u 7 3 d

        for (i=31; i>=17; i-=2) {
            buffer[i] = password.charAt(i);
        }

This is the final loop in the code. It starts at 31 and goes down to 17 (inclusive), decrementing by 2, and the characters are stored as they are, with no modification.

The resultant characters stored in the buffer array are:

31 29 27 25 23 21 19 17
b 5 f _ _ _ 4 g

When you put them all together you get the flag as

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
j U 5 t _ a _ s 1 m p l 3 _ a n 4 g r 4 m _ 4 _ u _ 7 f 3 5 d b

Now you can see the final buffer array, and the flag is

picoCTF{jU5t_a_s1mpl3_an4gr4m_4_u_7f35db}
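
The same flag can be recovered without tracing each loop by hand. The following is an added example, not part of the original writeup or the challenge source: a Python port of the four loops that pushes index markers through them to learn which password index lands in each buffer slot, then inverts that mapping against the constant in checkPassword. The function names scramble, source_indices and recover are this example's own.

```python
# Added example: undo the permutation applied by VaultDoor3.checkPassword.

TARGET = "jU5t_a_sna_3lpm1dg347_u_4_mfr54b"  # constant from checkPassword


def scramble(password):
    """Python port of the four loops in checkPassword (same index math)."""
    buffer = [None] * 32
    for i in range(0, 8):
        buffer[i] = password[i]
    for i in range(8, 16):
        buffer[i] = password[23 - i]
    for i in range(16, 32, 2):
        buffer[i] = password[46 - i]
    for i in range(31, 16, -2):  # 31, 29, ..., 17
        buffer[i] = password[i]
    return buffer


def source_indices():
    """Run index markers 0..31 through scramble().

    result[i] is the password index whose character ends up in buffer[i].
    """
    mapping = scramble(list(range(32)))
    # Every password index must appear exactly once; otherwise the check
    # would not be a permutation and could not be inverted this way.
    if sorted(mapping) != list(range(32)):
        raise ValueError("loops do not form a permutation")
    return mapping


def recover(target=TARGET):
    """Put each target character back at the password index it came from."""
    password = [None] * 32
    for buf_idx, pw_idx in enumerate(source_indices()):
        password[pw_idx] = target[buf_idx]
    return "".join(password)


if __name__ == "__main__":
    inner = recover()
    # Round-trip check: scrambling the recovered text must give TARGET.
    assert "".join(scramble(inner)) == TARGET
    print("picoCTF{" + inner + "}")
```

Because the mapping is derived by running the loops rather than by reading them, the same approach works for any check that only reorders the input before comparing it with a hardcoded string.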

To learn how to run a Java program, please refer to this link.