# YALA (PART 1)

This is the fourth challenge from the Mobile section of DSO-NUS CTF 2021. The challenge requires us to brute-force the user's password.

## Statement

Time to look at Yet Another Login App. Try to find the right credentials and login!

We are given an apk.


## Observation

First I decompile the apk using this website to get the Java source code.

Then, by analyzing the source code, we find the file responsible for the login logic, C0742d.java.

Observe that the logic just checks the password against a SHA-256 hash.

## Solution

I need to find a value for str2 such that the hash is equal to 516b36ed915a70852daf6a06c7fd1a1451d8269a8b2c5ae97110bc77b083c420.

I tried reversing the SHA-256 hash but found nothing.

So the next thing I do is brute force the password with rockyou.txt, hoping that some weak password produces the hash once prefixed with ")(*&^%$#". I used the following code to find the password.

```python
import hashlib

# Candidate passwords: every whitespace-separated token of rockyou.txt
f = open('rockyou.txt', errors="ignore").read().split()
ans = "516b36ed915a70852daf6a06c7fd1a1451d8269a8b2c5ae97110bc77b083c420"
for i in f:
    # The app hashes a fixed prefix followed by the password
    m = hashlib.sha256()
    m.update(")(*&^%$#".encode())
    m.update(i.encode())
    if (m.hexdigest() == ans):
        print(i)
```


Thankfully, it found aeroplane as the password.
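The reason a single pass over rockyou.txt works is that the app stores one fast SHA-256 over a constant prefix: the prefix is the same for everyone, so it is not a salt, and each guess costs one hash. The following is an added example (my own code, not the challenge's or the writeup's) that puts the app's scheme next to a hardened one from the standard library. The target hash is constructed from the recovered password rather than taken from the app, the wordlist is a five-entry stand-in for rockyou.txt, and the PBKDF2 iteration count is an assumption in the range OWASP recommends for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# The app's fixed prefix, as used in the brute-force script above.
STATIC_PREFIX = b")(*&^%$#"

# Constructed stand-in for rockyou.txt so the example runs offline.
WORDLIST = ["123456", "password", "qwerty", "aeroplane", "letmein"]


def legacy_hash(password: str) -> str:
    """The app's scheme: a single SHA-256 over a constant prefix plus the password.

    The prefix is identical for every user and install, so it is not a salt:
    one pass over a wordlist tests every account at once, at raw SHA-256 speed.
    """
    return hashlib.sha256(STATIC_PREFIX + password.encode()).hexdigest()


def crack_legacy(target_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """The dictionary attack from the writeup: one SHA-256 per candidate."""
    for candidate in wordlist:
        if legacy_hash(candidate) == target_hex:
            return candidate
    return None


# Hardened form: a slow, salted password hash (PBKDF2-HMAC-SHA256, stdlib).
# 600_000 is the order of magnitude OWASP recommends for this construction
# (assumed here); Argon2id or scrypt would be better choices if available.
DEFAULT_ITERATIONS = 600_000


def make_record(password: str, iterations: int = DEFAULT_ITERATIONS) -> dict:
    """Store a per-record random salt, the work factor and the derived key."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}


def verify_record(password: str, record: dict) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(dk, bytes.fromhex(record["hash"]))


def crack_record(record: dict, wordlist: Iterable[str]) -> Optional[str]:
    """The same dictionary attack against a hardened record: the salt is public,
    but every guess now costs `iterations` HMAC calls instead of one hash, and
    the salt must be redone per record rather than once for all users."""
    for candidate in wordlist:
        if verify_record(candidate, record):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed target: the hash the app would store for the password "aeroplane".
    target = legacy_hash("aeroplane")
    print("legacy scheme cracked:", crack_legacy(target, WORDLIST))

    record = make_record("aeroplane")
    print("hardened record verifies:", verify_record("aeroplane", record))
```

Two things to notice when running it: two accounts with the same password collide under `legacy_hash`, while two calls to `make_record` never produce the same stored value; and `crack_record` still finds a wordlist password, only far more slowly, which is why the work factor must be paired with a password policy rather than replace it.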

Now we can generate the flag by re-running the app's own key-derivation and decryption logic with the recovered password.

```java
import java.security.MessageDigest;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

class Sol {

    public static final char[] f2784a = "0123456789ABCDEF".toCharArray();

    /* renamed from: a */
    // Hex string -> bytes
    public static byte[] m2369a(String str) {
        int length = str.length() / 2;
        byte[] bArr = new byte[length];
        for (int i = 0; i < length; i++) {
            int i2 = i * 2;
            bArr[i] = Integer.valueOf(str.substring(i2, i2 + 2), 16).byteValue();
        }
        return bArr;
    }

    /* renamed from: b */
    // Bytes -> upper-case hex string
    public static String m2370b(byte[] bArr) {
        char[] cArr = new char[(bArr.length * 2)];
        for (int i = 0; i < bArr.length; i++) {
            var b = (bArr[i] & 255);
            int i2 = i * 2;
            char[] cArr2 = f2784a;
            cArr[i2] = cArr2[b >>> 4];
            cArr[i2 + 1] = cArr2[b & 15];
        }
        return new String(cArr);
    }

    // Decrypts the hardcoded ciphertext with the given key and returns it hex-encoded
    public static final String mo3707a(byte[] bArr) {
        byte[] a = m2369a("915FEF11402D050651818133ADFE98509249307131F7240173784135C136E27DDCF1C2898D405C18C7DE75CCD25C9CCF");
        try {
            SecretKeySpec secretKeySpec = new SecretKeySpec(bArr, "AES");
            // "AES" alone resolves to AES/ECB/PKCS5Padding in the default provider
            Cipher instance = Cipher.getInstance("AES");
            instance.init(2, secretKeySpec); // 2 == Cipher.DECRYPT_MODE
            byte[] doFinal = instance.doFinal(a);
            // Sanity check: the plaintext must start with "flag"
            if (doFinal[0] == 102 && doFinal[1] == 108 && doFinal[2] == 97 && doFinal[3] == 103) {
                return m2370b(doFinal);
            }
            return "00";
        } catch (Exception e) {
            e.printStackTrace();
            return "00";
        }
    }

    public static void main(String args[]) {
        // Obfuscated username: each byte is (byte) (int >>> shift)
        String str = new String(new byte[]{(byte) (-1462734071 >>> 4), (byte) (-385552254 >>> 9), (byte) (1107918732 >>> 19), (byte) (-198649565 >>> 6), (byte) (728446419 >>> 19), (byte) (718529411 >>> 17), (byte) (-2089595746 >>> 19)});
        String str2 = "aeroplane"; // the recovered password
        String str3 = str + ":" + str2;
        try {
            // The AES key is SHA-256("username:password")
            MessageDigest instance2 = MessageDigest.getInstance("SHA-256");
            instance2.update(str3.getBytes());
            byte[] digest = instance2.digest();
            System.out.println("CONGRATS! The 1st flag is " + mo3707a(digest));
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
```
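The Java above hides the username as seven `(byte) (int >>> shift)` expressions and then uses SHA-256("username:password") directly as the AES key. As an added example (my own code, not from the app or the writeup), the following reproduces those two steps in Python: it emulates Java's unsigned shift and byte cast to recover the seven-character username from the constants in `main()`, derives the key the same way, and checks the ciphertext and the "flag" prefix test that `mo3707a` applies. The helper names are mine; the constants are the ones in the decompiled code.

```python
import hashlib

# The seven (value, shift) pairs from the decompiled main(): each becomes one
# byte of the username through Java's `(byte) (value >>> shift)`.
OBFUSCATED_USERNAME = [
    (-1462734071, 4), (-385552254, 9), (1107918732, 19), (-198649565, 6),
    (728446419, 19), (718529411, 17), (-2089595746, 19),
]

# Hardcoded ciphertext and the plaintext prefix mo3707a() checks for.
CIPHERTEXT_HEX = (
    "915FEF11402D050651818133ADFE98509249307131F7240173784135C136E27D"
    "DCF1C2898D405C18C7DE75CCD25C9CCF"
)
EXPECTED_PREFIX = b"flag"


def java_shift_to_byte(value: int, shift: int) -> int:
    """Emulate `(byte) (value >>> shift)` on a 32-bit Java int, returned as 0..255.

    `>>>` is a logical shift over the int's unsigned 32-bit pattern, so mask to
    32 bits first; the `(byte)` cast then keeps only the low 8 bits.
    """
    u32 = value & 0xFFFFFFFF
    return (u32 >> shift) & 0xFF


def decode_java_bytes(pairs) -> str:
    """Rebuild the obfuscated string byte by byte, as `new String(new byte[]{...})` does."""
    return bytes(java_shift_to_byte(v, s) for v, s in pairs).decode("ascii")


def derive_aes_key(username: str, password: str) -> bytes:
    """Mirror the app: SHA-256 of "username:password" is used as-is for the AES key.

    The digest is 32 bytes, so the cipher runs as AES-256, but the key is a fast
    hash of a guessable password, so the ciphertext is no stronger than the
    password recovered from the wordlist above.
    """
    return hashlib.sha256(f"{username}:{password}".encode()).digest()


def plaintext_is_flag(plaintext: bytes) -> bool:
    """The app's sanity check on a decryption: the first four bytes spell "flag"."""
    return plaintext[:4] == EXPECTED_PREFIX


def ciphertext_blocks() -> int:
    """Number of 16-byte AES blocks in the hardcoded ciphertext."""
    return len(bytes.fromhex(CIPHERTEXT_HEX)) // 16


if __name__ == "__main__":
    user = decode_java_bytes(OBFUSCATED_USERNAME)
    key = derive_aes_key(user, "aeroplane")
    print("decoded username:", user)
    print("AES key bits:", len(key) * 8, "| ciphertext blocks:", ciphertext_blocks())
```

The decryption itself is left to the Java program above, since it needs an AES implementation outside the standard library; note that Java's `Cipher.getInstance("AES")` means AES/ECB/PKCS5Padding, which is what any re-implementation would have to match.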


Flag: `DSO-NUS{4c7863c34040f76ffbea3f8341370db4e2c0c9bc110bc9755cd4801c54acb0af}`
