{"componentChunkName":"component---src-templates-post-template-js","path":"/ctf-cybersecurity-rumble-2023-en","result":{"data":{"markdownRemark":{"id":"3a3af57e-c941-5a18-884f-aa1069d9b75f","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/ctf-cybersecurity-rumble-2023\">original page</a>.</p>\n</blockquote>\n<p>I participated in Cyber Security Rumble CTF 2023, which started on 7/8, as part of 0nePadding, and we finished 35th out of 622 teams.</p>\n<p>There did not seem to be many Japanese participants this time, so somehow we ended up as the top-ranked team from Japan, which was a surprise haha.</p>\n<p>As usual, I will go through the writeups.</p>\n<h2 id=\"shellcode-ceptionrev\" style=\"position:relative;\">SHELLCODE-CEPTION(Rev)</h2>\n<blockquote>\n<p>I think I lost my flag in some kind of inception. 
Can you help me find my flag?</p>\n</blockquote>\n<p>Decompiling the challenge binary produced the following output.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 618px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/0d315e27a85ebfec358455f84866abbd/6e6fb/image-20230709011605412.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 60.416666666666664%; position: relative; bottom: 0; left: 0; background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/0d315e27a85ebfec358455f84866abbd/8ac56/image-20230709011605412.webp 240w,\n/static/0d315e27a85ebfec358455f84866abbd/d3be9/image-20230709011605412.webp 480w,\n/static/0d315e27a85ebfec358455f84866abbd/fd768/image-20230709011605412.webp 618w\"\n              sizes=\"(max-width: 618px) 100vw, 618px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/0d315e27a85ebfec358455f84866abbd/8ff5a/image-20230709011605412.png 240w,\n/static/0d315e27a85ebfec358455f84866abbd/e85cb/image-20230709011605412.png 480w,\n/static/0d315e27a85ebfec358455f84866abbd/6e6fb/image-20230709011605412.png 618w\"\n            sizes=\"(max-width: 618px) 100vw, 618px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/0d315e27a85ebfec358455f84866abbd/6e6fb/image-20230709011605412.png\"\n            alt=\"image-20230709011605412\"\n            title=\"image-20230709011605412\"\n            loading=\"lazy\"\n            
style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>The program XORs data embedded in the binary, stores it in memory, and then uses <code class=\"language-text\">mprotect</code> to set attributes such as <code class=\"language-text\">PROT_EXEC</code> on that region.</p>\n<p>Reference: <a href=\"https://man7.org/linux/man-pages/man2/mprotect.2.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">mprotect(2) - Linux manual page</a></p>\n<p>From this, I inferred that the program had functionality to execute shellcode decoded at runtime.</p>\n<p>So I used the following script to extract the shellcode into a file.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\">data <span class=\"token operator\">=</span> <span class=\"token string\">b'\\x3c\\x21\\xe0\\x8c\\x21\\xd1\\x6b\\x7b\\x7a\\x53\\x58\\x1c\\x4b\\x43\\x21\\xd3\\x41\\x46\\x4f\\x77\\x19\\x46\\x4b\\x1b\\x21\\xe0\\x2c\\xb9\\x21\\xe0\\x3c\\xb1\\x21\\xd1\\x58\\x5c\\x19\\x18\\x46\\x77\\x4b\\x1c\\x21\\xd3\\x46\\x77\\x4a\\x4d\\x77\\x1c\\x46\\x46\\x21\\xe0\\x2c\\x89\\x21\\xe0\\x3c\\x81\\xae\\x2c\\x99\\x47\\x51\\x19\\x46\\x0f\\xae\\x2c\\x9d\\x4f\\x55\\xaf\\x2c\\x9f\\x69\\xae\\x2c\\x95\\x69\\x69\\x69\\x69\\x82\\x75\\xe2\\x2c\\x95\\x21\\xf1\\x66\\xdf\\x2d\\x6c\\xb9\\xea\\x99\\x28\\xe0\\xab\\xe2\\x2c\\x95\\x21\\xf1\\xe1\\x3d\\x6c\\xb9\\xea\\x2c\\x95\\x68\\xea\\x14\\x95\\x4c\\x17\\xb7\\xae\\x2c\\x91\\x69\\x69\\x69\\x69\\x82\\x67\\xe2\\x2c\\x91\\x21\\xf1\\xaf\\x2d\\x6c\\xb9\\x69\\xea\\x2c\\x91\\x68\\xea\\x14\\x91\\x4c\\x17\\x85\\xf9\\x34\\xaa'</span>\ndist <span class=\"token operator\">=</span> <span class=\"token string\">b''</span>\n<span class=\"token keyword\">for</span> d <span class=\"token keyword\">in</span> data<span class=\"token punctuation\">:</span>\n    dist <span class=\"token operator\">+=</span> <span class=\"token 
punctuation\">(</span>d<span class=\"token operator\">^</span><span class=\"token number\">0x69</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>to_bytes<span class=\"token punctuation\">(</span><span class=\"token number\">1</span><span class=\"token punctuation\">,</span><span class=\"token string\">'big'</span><span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">with</span> <span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"shellcode\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"wb\"</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">as</span> f<span class=\"token punctuation\">:</span>\n    f<span class=\"token punctuation\">.</span>write<span class=\"token punctuation\">(</span>dist<span class=\"token punctuation\">)</span></code></pre></div>\n<p>Further analyzing the extracted shellcode in Ghidra produced the following result.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 734px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/7233f866ad54b0d13f24b66e559b3753/c6d67/image-20230709011545535.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 75.83333333333333%; position: relative; bottom: 0; left: 0; background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/7233f866ad54b0d13f24b66e559b3753/8ac56/image-20230709011545535.webp 240w,\n/static/7233f866ad54b0d13f24b66e559b3753/d3be9/image-20230709011545535.webp 
480w,\n/static/7233f866ad54b0d13f24b66e559b3753/a242a/image-20230709011545535.webp 734w\"\n              sizes=\"(max-width: 734px) 100vw, 734px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/7233f866ad54b0d13f24b66e559b3753/8ff5a/image-20230709011545535.png 240w,\n/static/7233f866ad54b0d13f24b66e559b3753/e85cb/image-20230709011545535.png 480w,\n/static/7233f866ad54b0d13f24b66e559b3753/c6d67/image-20230709011545535.png 734w\"\n            sizes=\"(max-width: 734px) 100vw, 734px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/7233f866ad54b0d13f24b66e559b3753/c6d67/image-20230709011545535.png\"\n            alt=\"image-20230709011545535\"\n            title=\"image-20230709011545535\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>The logic itself was simple, so I wrote the following solver and recovered the flag.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">import</span> struct\n\na <span class=\"token operator\">=</span> <span class=\"token number\">0x2a2275313a131202</span>\nb <span class=\"token operator\">=</span> <span class=\"token number\">0x72222f701e262f28</span>\nc <span class=\"token operator\">=</span> <span class=\"token number\">0x75221e2f71703531</span>\nd <span class=\"token operator\">=</span> <span class=\"token number\">0x2f2f751e24231e2f</span>\ne <span class=\"token operator\">=</span> <span class=\"token number\">0x2f70382e</span>\nf <span class=\"token operator\">=</span> <span class=\"token number\">0x3c26</span>\n\n<span class=\"token comment\"># https://docs.python.org/ja/3.9/library/struct.html</span>\ndata <span class=\"token 
operator\">=</span> struct<span class=\"token punctuation\">.</span>pack<span class=\"token punctuation\">(</span><span class=\"token string\">\"&lt;qqqqih\"</span><span class=\"token punctuation\">,</span> a<span class=\"token punctuation\">,</span> b<span class=\"token punctuation\">,</span> c<span class=\"token punctuation\">,</span> d<span class=\"token punctuation\">,</span>e<span class=\"token punctuation\">,</span>f<span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">for</span> d <span class=\"token keyword\">in</span> data<span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">chr</span><span class=\"token punctuation\">(</span>d<span class=\"token operator\">^</span><span class=\"token number\">0x41</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>end<span class=\"token operator\">=</span><span class=\"token string\">\"\"</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># CSR{p4cking_1nc3pt10n_c4n_be_4nnoy1ng}</span></code></pre></div>\n<h2 id=\"lightbulbrev\" style=\"position:relative;\">LIGHTBULB(Rev)</h2>\n<blockquote>\n<p>I have a very nice light bulb at home, and I found out I can switch with my phone using the app I wrote.</p>\n<p>But the app only works on my phone, so good luck 
switching my light!</p>\n</blockquote>\n<p>The challenge binary is provided as an APK file.</p>\n<p>Running it in an emulator showed that it was an app where you log in with a password and then toggle a light switch on and off.</p>\n<p>First, after unpacking the APK with <code class=\"language-text\">apktool</code> and looking through the files, I found that <code class=\"language-text\">583908295080</code>, which is used as the login password, was stored in plaintext.</p>\n<p>Then, to trace what happened after login, I used Smali2Java to decompile the Smali files into Java and inspected the result.</p>\n<p>This showed that <code class=\"language-text\">LightSwitchingActivity</code> performs the following processing.</p>\n<div class=\"gatsby-highlight\" data-language=\"java\"><pre class=\"language-java\"><code class=\"language-java\"><span class=\"token class-name\">String</span> string <span class=\"token operator\">=</span> sharedPreferences<span class=\"token punctuation\">.</span><span class=\"token function\">getString</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"secret_key\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token class-name\">Log</span><span class=\"token punctuation\">.</span><span class=\"token function\">d</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"LIGHTSWITCH\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"the sk was \"</span> <span class=\"token operator\">+</span> string<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token class-name\">Intrinsics</span><span class=\"token punctuation\">.</span><span class=\"token function\">checkNotNull</span><span class=\"token punctuation\">(</span>string<span class=\"token punctuation\">)</span><span 
class=\"token punctuation\">;</span>\n<span class=\"token keyword\">byte</span><span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span> bytes <span class=\"token operator\">=</span> string<span class=\"token punctuation\">.</span><span class=\"token function\">getBytes</span><span class=\"token punctuation\">(</span><span class=\"token class-name\">Charsets</span><span class=\"token punctuation\">.</span>UTF_8<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token class-name\">Intrinsics</span><span class=\"token punctuation\">.</span><span class=\"token function\">checkNotNullExpressionValue</span><span class=\"token punctuation\">(</span>bytes<span class=\"token punctuation\">,</span> <span class=\"token string\">\"this as java.lang.String).getBytes(charset)\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token class-name\">APIKeyHash</span> aPIKeyHash <span class=\"token operator\">=</span> <span class=\"token keyword\">new</span> <span class=\"token class-name\">APIKeyHash</span><span class=\"token punctuation\">(</span>bytes<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token class-name\">StringBuilder</span> sb <span class=\"token operator\">=</span> <span class=\"token keyword\">new</span> <span class=\"token class-name\">StringBuilder</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"CSR{\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">byte</span><span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span> bytes2 <span class=\"token operator\">=</span> <span class=\"token string\">\"APIKEY\"</span><span class=\"token punctuation\">.</span><span class=\"token function\">getBytes</span><span class=\"token punctuation\">(</span><span 
class=\"token class-name\">Charsets</span><span class=\"token punctuation\">.</span>UTF_8<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token class-name\">Intrinsics</span><span class=\"token punctuation\">.</span><span class=\"token function\">checkNotNullExpressionValue</span><span class=\"token punctuation\">(</span>bytes2<span class=\"token punctuation\">,</span> <span class=\"token string\">\"this as java.lang.String).getBytes(charset)\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">this</span><span class=\"token punctuation\">.</span>apiKey <span class=\"token operator\">=</span> sb<span class=\"token punctuation\">.</span><span class=\"token function\">append</span><span class=\"token punctuation\">(</span><span class=\"token class-name\">LightSwitchingActivityKt</span><span class=\"token punctuation\">.</span><span class=\"token function\">toHex</span><span class=\"token punctuation\">(</span>aPIKeyHash<span class=\"token punctuation\">.</span><span class=\"token function\">hash</span><span class=\"token punctuation\">(</span>bytes2<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span><span class=\"token function\">append</span><span class=\"token punctuation\">(</span><span class=\"token char\">'}'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span><span class=\"token function\">toString</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token class-name\">RequestQueue</span> newRequestQueue <span class=\"token operator\">=</span> <span class=\"token class-name\">Volley</span><span class=\"token punctuation\">.</span><span class=\"token function\">newRequestQueue</span><span 
class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token class-name\">Context</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">this</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token class-name\">Intrinsics</span><span class=\"token punctuation\">.</span><span class=\"token function\">checkNotNullExpressionValue</span><span class=\"token punctuation\">(</span>newRequestQueue<span class=\"token punctuation\">,</span> <span class=\"token string\">\"newRequestQueue(this)\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">this</span><span class=\"token punctuation\">.</span>requestQueue <span class=\"token operator\">=</span> newRequestQueue<span class=\"token punctuation\">;</span>\n<span class=\"token class-name\">SwitchCompat</span> findViewById <span class=\"token operator\">=</span> <span class=\"token function\">findViewById</span><span class=\"token punctuation\">(</span><span class=\"token number\">2131231147</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token class-name\">Intrinsics</span><span class=\"token punctuation\">.</span><span class=\"token function\">checkNotNullExpressionValue</span><span class=\"token punctuation\">(</span>findViewById<span class=\"token punctuation\">,</span> <span class=\"token string\">\"findViewById(R.id.switch_light_bulb)\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\nfindViewById<span class=\"token punctuation\">.</span><span class=\"token function\">setOnCheckedChangeListener</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">new</span> <span class=\"token class-name\">LightSwitchingActivity</span>$<span class=\"token punctuation\">.</span><span class=\"token 
function\">ExternalSyntheticLambda0</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">this</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span></code></pre></div>\n<p>Here, it first converts the <code class=\"language-text\">secret_key</code> string—which is also the login password—into a byte array and then constructs an <code class=\"language-text\">APIKeyHash</code> object.</p>\n<p>After that, it converts the string <code class=\"language-text\">APIKEY</code> into a byte array and passes it to the <code class=\"language-text\">hash</code> method of <code class=\"language-text\">APIKeyHash</code>.</p>\n<p>I found that feeding the resulting byte array returned by <code class=\"language-text\">hash</code> into <code class=\"language-text\">LightSwitchingActivityKt.toHex()</code> produced the flag.</p>\n<p>As before, I used Smali2Java to decompile <code class=\"language-text\">APIKeyHash</code> and <code class=\"language-text\">LightSwitchingActivityKt</code> into Java so I could inspect their implementations.</p>\n<div class=\"gatsby-highlight\" data-language=\"java\"><pre class=\"language-java\"><code class=\"language-java\"><span class=\"token comment\">// LightSwitchingActivityKt </span>\n<span class=\"token keyword\">package</span> <span class=\"token namespace\">club<span class=\"token punctuation\">.</span>redrocket<span class=\"token punctuation\">.</span>lightbulb</span><span class=\"token punctuation\">;</span>\n\n<span class=\"token keyword\">import</span> <span class=\"token namespace\">kotlin<span class=\"token punctuation\">.</span></span><span class=\"token class-name\">Metadata</span><span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">import</span> <span class=\"token namespace\">kotlin<span class=\"token punctuation\">.</span>jvm<span class=\"token punctuation\">.</span>internal<span class=\"token 
punctuation\">.</span></span><span class=\"token class-name\">Intrinsics</span><span class=\"token punctuation\">;</span>\n<span class=\"token comment\">/* compiled from: LightSwitchingActivity.kt */</span>\n<span class=\"token annotation punctuation\">@Metadata</span><span class=\"token punctuation\">(</span>d1 <span class=\"token operator\">=</span> <span class=\"token punctuation\">{</span><span class=\"token string\">\"\\u0000\\u0012\\n\\u0000\\n\\u0002\\u0010\\u0019\\n\\u0000\\n\\u0002\\u0010\\u000e\\n\\u0002\\u0010\\u0012\\n\\u0000\\u001a\\n\\u0010\\u0002\\u001a\\u00020\\u0003*\\u00020\\u0004\\\"\\u000e\\u0010\\u0000\\u001a\\u00020\\u0001X\\u0082\\u0004¢\\u0006\\u0002\\n\\u0000¨\\u0006\\u0005\"</span><span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span> d2 <span class=\"token operator\">=</span> <span class=\"token punctuation\">{</span><span class=\"token string\">\"HEX_CHARS\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"toHex\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"app_release\"</span><span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span> k <span class=\"token operator\">=</span> <span class=\"token number\">2</span><span class=\"token punctuation\">,</span> mv <span class=\"token operator\">=</span> <span class=\"token punctuation\">{</span><span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">8</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span> xi <span class=\"token operator\">=</span> <span 
class=\"token number\">48</span><span class=\"token punctuation\">)</span>\n<span class=\"token comment\">/* loaded from: /tmp/jadx-9359415826287627730.dex */</span>\n<span class=\"token keyword\">public</span> <span class=\"token keyword\">final</span> <span class=\"token keyword\">class</span> <span class=\"token class-name\">LightSwitchingActivityKt</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">private</span> <span class=\"token keyword\">static</span> <span class=\"token keyword\">final</span> <span class=\"token keyword\">char</span><span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span> HEX_CHARS<span class=\"token punctuation\">;</span>\n\n    <span class=\"token keyword\">static</span> <span class=\"token punctuation\">{</span>\n        <span class=\"token keyword\">char</span><span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span> charArray <span class=\"token operator\">=</span> <span class=\"token string\">\"0123456789ABCDEF\"</span><span class=\"token punctuation\">.</span><span class=\"token function\">toCharArray</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token class-name\">Intrinsics</span><span class=\"token punctuation\">.</span><span class=\"token function\">checkNotNullExpressionValue</span><span class=\"token punctuation\">(</span>charArray<span class=\"token punctuation\">,</span> <span class=\"token string\">\"this as java.lang.String).toCharArray()\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        HEX_CHARS <span class=\"token operator\">=</span> charArray<span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n\n    <span class=\"token keyword\">public</span> <span class=\"token keyword\">static</span> <span class=\"token keyword\">final</span> <span 
class=\"token class-name\">String</span> <span class=\"token function\">toHex</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">byte</span><span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span> bArr4<span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n        <span class=\"token class-name\">Intrinsics</span><span class=\"token punctuation\">.</span><span class=\"token function\">checkNotNullParameter</span><span class=\"token punctuation\">(</span>bArr4<span class=\"token punctuation\">,</span> <span class=\"token string\">\"&lt;this>\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token class-name\">StringBuffer</span> stringBuffer <span class=\"token operator\">=</span> <span class=\"token keyword\">new</span> <span class=\"token class-name\">StringBuffer</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token keyword\">for</span> <span class=\"token punctuation\">(</span><span class=\"token keyword\">byte</span> b <span class=\"token operator\">:</span> bArr4<span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n            <span class=\"token keyword\">char</span><span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span> cArr <span class=\"token operator\">=</span> HEX_CHARS<span class=\"token punctuation\">;</span>\n            stringBuffer<span class=\"token punctuation\">.</span><span class=\"token function\">append</span><span class=\"token punctuation\">(</span>cArr<span class=\"token punctuation\">[</span><span class=\"token punctuation\">(</span>b <span class=\"token operator\">&amp;</span> <span class=\"token number\">240</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">>>></span> <span class=\"token 
number\">4</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n            stringBuffer<span class=\"token punctuation\">.</span><span class=\"token function\">append</span><span class=\"token punctuation\">(</span>cArr<span class=\"token punctuation\">[</span>b <span class=\"token operator\">&amp;</span> <span class=\"token number\">15</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token punctuation\">}</span>\n        <span class=\"token class-name\">String</span> stringBuffer2 <span class=\"token operator\">=</span> stringBuffer<span class=\"token punctuation\">.</span><span class=\"token function\">toString</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token class-name\">Intrinsics</span><span class=\"token punctuation\">.</span><span class=\"token function\">checkNotNullExpressionValue</span><span class=\"token punctuation\">(</span>stringBuffer2<span class=\"token punctuation\">,</span> <span class=\"token string\">\"result.toString()\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token keyword\">return</span> stringBuffer2<span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token comment\">// APIKeyHash </span>\n<span class=\"token keyword\">package</span> <span class=\"token namespace\">club<span class=\"token punctuation\">.</span>redrocket<span class=\"token punctuation\">.</span>lightbulb</span><span class=\"token punctuation\">;</span>\n\n<span class=\"token keyword\">import</span> <span class=\"token namespace\">kotlin<span class=\"token punctuation\">.</span></span><span class=\"token 
class-name\">Metadata</span><span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">import</span> <span class=\"token namespace\">kotlin<span class=\"token punctuation\">.</span>jvm<span class=\"token punctuation\">.</span>internal<span class=\"token punctuation\">.</span></span><span class=\"token class-name\">Intrinsics</span><span class=\"token punctuation\">;</span>\n<span class=\"token comment\">/* compiled from: APIKeyHash.kt */</span>\n<span class=\"token annotation punctuation\">@Metadata</span><span class=\"token punctuation\">(</span>d1 <span class=\"token operator\">=</span> <span class=\"token punctuation\">{</span><span class=\"token string\">\"\\u0000\\u001a\\n\\u0002\\u0018\\u0002\\n\\u0002\\u0010\\u0000\\n\\u0000\\n\\u0002\\u0010\\u0012\\n\\u0002\\b\\u0005\\n\\u0002\\u0010\\u0002\\n\\u0002\\b\\u0002\\u0018\\u00002\\u00020\\u0001B\\u000f\\b\\u0000\\u0012\\u0006\\u0010\\u0002\\u001a\\u00020\\u0003¢\\u0006\\u0002\\u0010\\u0004J\\u000e\\u0010\\u0006\\u001a\\u00020\\u00032\\u0006\\u0010\\u0007\\u001a\\u00020\\u0003J\\b\\u0010\\b\\u001a\\u00020\\tH\\u0002J\\u0006\\u0010\\n\\u001a\\u00020\\tR\\u000e\\u0010\\u0002\\u001a\\u00020\\u0003X\\u0082\\u0004¢\\u0006\\u0002\\n\\u0000R\\u000e\\u0010\\u0005\\u001a\\u00020\\u0003X\\u0082\\u0004¢\\u0006\\u0002\\n\\u0000¨\\u0006\\u000b\"</span><span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span> d2 <span class=\"token operator\">=</span> <span class=\"token punctuation\">{</span><span class=\"token string\">\"Lclub/redrocket/lightbulb/APIKeyHash;\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"key\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"([B)V\"</span><span class=\"token punctuation\">,</span> <span class=\"token 
string\">\"s\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"hash\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"plaintext\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"initializeS\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"reset\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"app_release\"</span><span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span> k <span class=\"token operator\">=</span> <span class=\"token number\">1</span><span class=\"token punctuation\">,</span> mv <span class=\"token operator\">=</span> <span class=\"token punctuation\">{</span><span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">8</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span> xi <span class=\"token operator\">=</span> <span class=\"token number\">48</span><span class=\"token punctuation\">)</span>\n<span class=\"token comment\">/* loaded from: /tmp/jadx-2851593408582218842.dex */</span>\n<span class=\"token keyword\">public</span> <span class=\"token keyword\">final</span> <span class=\"token keyword\">class</span> <span class=\"token class-name\">APIKeyHash</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">private</span> <span class=\"token keyword\">final</span> <span class=\"token keyword\">byte</span><span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span> key<span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">private</span> <span class=\"token keyword\">final</span> <span class=\"token keyword\">byte</span><span class=\"token 
punctuation\">[</span><span class=\"token punctuation\">]</span> s<span class=\"token punctuation\">;</span>\n\n    <span class=\"token keyword\">public</span> <span class=\"token class-name\">APIKeyHash</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">byte</span><span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span> bArr<span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n        <span class=\"token class-name\">Intrinsics</span><span class=\"token punctuation\">.</span><span class=\"token function\">checkNotNullParameter</span><span class=\"token punctuation\">(</span>bArr<span class=\"token punctuation\">,</span> <span class=\"token string\">\"key\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token keyword\">this</span><span class=\"token punctuation\">.</span>key <span class=\"token operator\">=</span> bArr<span class=\"token punctuation\">;</span>\n        <span class=\"token keyword\">this</span><span class=\"token punctuation\">.</span>s <span class=\"token operator\">=</span> <span class=\"token keyword\">new</span> <span class=\"token keyword\">byte</span><span class=\"token punctuation\">[</span><span class=\"token number\">256</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n        <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>bArr<span class=\"token punctuation\">.</span>length <span class=\"token operator\">==</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">||</span> bArr<span class=\"token punctuation\">.</span>length <span class=\"token operator\">></span> <span class=\"token number\">256</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n            <span 
class=\"token keyword\">throw</span> <span class=\"token keyword\">new</span> <span class=\"token class-name\">IllegalArgumentException</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"key length must be between 1 and 256\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token punctuation\">}</span>\n        <span class=\"token function\">initializeS</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n\n    <span class=\"token comment\">// The initializeS, hash and reset methods are not shown in this excerpt.</span>\n<span class=\"token punctuation\">}</span></code></pre></div>","fields":{"slug":"/ctf-cybersecurity-rumble-2023-en","tagSlugs":["/tag/ctf-en/","/tag/rev-en/","/tag/forensic-en/","/tag/english/"]},"frontmatter":{"date":"2023-07-12","description":"A writeup for Cyber Security Rumble CTF 2023.","tags":["CTF (en)","Rev (en)","Forensic (en)","English"],"title":"Cyber Security Rumble CTF 2023 Writeup","socialImage":{"publicURL":"/static/e896b189daf825dfc86bef394b230f76/ctf-cybersecurity-rumble-2023.png"}}}},"pageContext":{"slug":"/ctf-cybersecurity-rumble-2023-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}