1/**
2 * Ph0wn CTF - HomeAlarm rev250 writeup by maro
3 *
4 */
5import java.io.DataInputStream;
6import java.io.File;
7import java.io.FileInputStream;
8import java.security.Key;
9import java.security.NoSuchAlgorithmException;
10import java.security.spec.InvalidKeySpecException;
11
12import javax.crypto.Cipher;
13import javax.crypto.SecretKey;
14import javax.crypto.SecretKeyFactory;
15import javax.crypto.spec.IvParameterSpec;
16import javax.crypto.spec.PBEKeySpec;
17import javax.crypto.spec.SecretKeySpec;
18
19//flag = Ph0wn{MeWantCookiesShareThemMaybe}
20
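/**
 * Decrypts the secret stored in the HomeAlarm {@code settings.dat} file.
 *
 * <p>The file is parsed as a sequence of one-byte tags and lengths giving a
 * salt, an IV, an iteration count (in thousands) and a ciphertext. The AES key
 * is derived with PBKDF2WithHmacSHA1 and the ciphertext is decrypted with
 * AES/CBC/PKCS5PADDING.
 *
 * <p>Security takeaway for the app under analysis: the passphrase fed to
 * PBKDF2 is a constant obfuscated with a single-byte XOR (0x21), which the
 * original author notes was read out of the app's smali. Salt, IV and
 * iteration count sit in the same file as the ciphertext, so the only secret
 * is one shipped with the app. The parser below also reads no integrity tag
 * for the CBC ciphertext.
 */
public class Alarm {

    private static final char[] HEX_DIGITS = "0123456789ABCDEF".toCharArray();

    /** Size of the salt buffer handed to PBKDF2; shorter salts stay zero-padded. */
    private static final int SALT_BUFFER_LEN = 64;

    /** Settings file location used when no path is given on the command line. */
    private static final String DEFAULT_SETTINGS_PATH = "C:\\settings.dat";

    /**
     * Renders a byte array as upper-case hexadecimal, two digits per byte.
     *
     * @param bytes the bytes to encode
     * @return the hexadecimal string; empty for an empty array
     */
    public static String bytesToHex(byte[] bytes) {
        char[] hexChars = new char[bytes.length * 2];
        for (int j = 0; j < bytes.length; j++) {
            int v = bytes[j] & 0xFF; // mask so negative bytes index 0..255
            hexChars[j * 2] = HEX_DIGITS[v >>> 4];
            hexChars[j * 2 + 1] = HEX_DIGITS[v & 0x0F];
        }
        return new String(hexChars);
    }

    /**
     * Derives an AES key from a passphrase with PBKDF2WithHmacSHA1.
     *
     * @param paramString      the passphrase
     * @param paramArrayOfByte the salt
     * @param paramInt1        the PBKDF2 iteration count
     * @param paramInt2        the key length in bits
     * @return the derived bytes wrapped as an "AES" key
     * @throws InvalidKeySpecException  if the key specification is rejected
     * @throws NoSuchAlgorithmException if PBKDF2WithHmacSHA1 is unavailable
     */
    public static SecretKey derivKey(String paramString,
            byte[] paramArrayOfByte, int paramInt1, int paramInt2)
            throws InvalidKeySpecException, NoSuchAlgorithmException {
        PBEKeySpec spec = new PBEKeySpec(paramString.toCharArray(),
                paramArrayOfByte, paramInt1, paramInt2);
        try {
            byte[] derived = SecretKeyFactory
                    .getInstance("PBKDF2WithHmacSHA1")
                    .generateSecret(spec)
                    .getEncoded();
            return new SecretKeySpec(derived, "AES");
        } finally {
            // Wipe the spec's internal copy of the passphrase once the key exists.
            spec.clearPassword();
        }
    }

    /** Reads one unsigned length byte followed by that many payload bytes. */
    private static byte[] readLengthPrefixed(DataInputStream in)
            throws java.io.IOException {
        // Unsigned read: a length of 128..255 must not turn into a negative size.
        byte[] payload = new byte[in.readUnsignedByte()];
        in.readFully(payload);
        return payload;
    }

    /**
     * Parses the settings file, prints the recovered parameters and the
     * decrypted secret.
     *
     * @param args optional; {@code args[0]} overrides the default file path
     */
    public static void main(String[] args) {

        String path = args.length > 0 ? args[0] : DEFAULT_SETTINGS_PATH;

        // try-with-resources closes the stream on the error paths as well.
        try (DataInputStream dis = new DataInputStream(
                new FileInputStream(new File(path)))) {

            dis.readByte(); // tag in front of the salt; value is not checked

            int saltLen = dis.readUnsignedByte();
            if (saltLen > SALT_BUFFER_LEN) {
                throw new java.io.IOException("Salt length " + saltLen
                        + " exceeds the " + SALT_BUFFER_LEN + "-byte buffer");
            }
            // The full 64-byte buffer is used as the salt, as in the original
            // solver. NOTE(review): presumably the file always carries a
            // 64-byte salt; confirm against the app.
            byte[] salt = new byte[SALT_BUFFER_LEN];
            dis.readFully(salt, 0, saltLen);

            dis.readByte(); // tag 1
            byte[] iv = readLengthPrefixed(dis);

            dis.readByte(); // tag 2
            // Stored in thousands. Read unsigned so values above 127 do not
            // become a negative count (assumed intent of the format).
            int iterations = dis.readUnsignedByte() * 1000;

            dis.readByte(); // tag 3
            byte[] cipherText = readLengthPrefixed(dis);

            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");

            System.out.print("IV:");
            System.out.println(bytesToHex(iv));

            System.out.print("Salt:");
            System.out.println(bytesToHex(salt));

            System.out.print("Cipher:");
            System.out.println(bytesToHex(cipherText));

            System.out.println("Iterations=" + iterations);

            // Obfuscated constant taken from the app's smali (per the original
            // note); every byte is XORed with 0x21 to recover the passphrase.
            byte[] passphrase = "oNcTSFM@SR`UiNLD"
                    .getBytes(java.nio.charset.StandardCharsets.US_ASCII);

            for (int i = 0; i < passphrase.length; i++) {
                passphrase[i] = (byte) (passphrase[i] ^ 0x21);
            }

            System.out.print("Passphrase:");
            System.out.println(bytesToHex(passphrase));

            Key k = derivKey(
                    new String(passphrase,
                            java.nio.charset.StandardCharsets.US_ASCII),
                    salt, iterations, 128);

            System.out.print("Key:");
            System.out.println(bytesToHex(k.getEncoded()));

            cipher.init(Cipher.DECRYPT_MODE, k, new IvParameterSpec(iv));

            System.out.print("Secret:");
            byte[] original = cipher.doFinal(cipherText);
            System.out.println(new String(original,
                    java.nio.charset.StandardCharsets.UTF_8));

        } catch (Exception e) {
            // Print the exception itself: getMessage() is null for e.g.
            // EOFException, which hid the cause of a truncated file.
            System.out
                    .println("Error reading/parsing/decrypting settings file "
                            + e);
        }

    }

}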