2
\$\begingroup\$

Alright. So TryHackme is a website that tries to teach hacking with hands on labs. They have a room called JVM Reverse Engineering where the user gets to reverse engineer Java apps, and in particular the code that I am asking you to review is for task #5.

Task #5 challenges the user to crack a password encrypted with a simple XOR cipher. You can reverse engineer the app yourself, but here are the important bits:

Firstly, their xor cipher is defined as the following String:

// Decompiled from the task #5 challenge.
private static String xor(String var0) {
  char[] var1 = var0.toCharArray();
  char[] var2 = new char[var1.length];

  for(int var3 = 0; var3 < var2.length; ++var3) {
     char var4 = var1[var3];
     var2[var3] = (char)(var4 ^ var3 % 3);
  }

  return new String(var2);
}

Secondly, the password is correct if the XOR of the inputted password is equal to the xor of the correctPassword, which is a string equal to aRa2lPT6A6gIqm4RE.

My solution is to use my own modified and applied version of Dawkins' weasel to "evolve," for lack of a better term, a solution to what the "password" might be. When looking at my code, I would like feedback as to make it better. Here are some things to consider in your feedback:

  1. Can I adopt better a coding style?
  2. Can I make my code smaller without compromising its ease of reading?
  3. Can I optimise my code to make it run quicker?

The following is my code:

/*
 * An application to crack an XOR cipher using Dawkins' weasel
 * By A. S. "Aleksey" Ahmann <[email protected]>
 * - Githubs: https://github.com/Alekseyyy
 * - TryHackMe: https://tryhackme.com/p/EntropyThot
 *
 * Note that some parts of this programme are borrowed from o-
 * -ther sources. Most notably, the "xor" function that retur-
 * -ns a String is the result of decompiling the .class file
 * of TryHackMe's problem. P1's random string generator is ba-
 * -sed off of the following website:
 * - https://www.baeldung.com/java-random-string
 */

import java.io.*;
import java.util.*;

public class Dawkins {
   private static final String correctPassword = "aRa2lPT6A6gIqm4RE";

   public static void main(String[] args) {
      Random random = new Random();
      int counter = 1;
    
      char[] target = correctPassword.toCharArray();
      char[] solution = new char[target.length];

      System.out.println("==========================================================");
      System.out.println("= A crude, amateurish implementation of Dawkins'          ");
      System.out.println("= weasel to crack the TryHackMe XOR cipher                ");
      System.out.println("= By A. S. \"Aleksey\" Ahmann <[email protected]>   ");
      System.out.println("= - https://github.com/Alekseyyy                          ");
      System.out.println("= - https://tryhackme.com/p/EntropyThot                   ");
      System.out.println("==========================================================\n");

      boolean done = false;
      while (!done) {
         // [P1] Generate random string (of course the length of random string should = correctPassword)
         // - this "seed" is based off of the following: https://www.baeldung.com/java-random-string
         char[] seed = random.ints(48, 123)
            .filter(k -> (k <= 57 || k >= 65) && (k <= 90 || k >= 97))
            .limit(target.length)
            .collect(StringBuilder::new, StringBuilder::appendCodePoint, StringBuilder::append)
            .toString().toCharArray(); 
         // [P2] Put the random string through the xor cipher, and split it into char array of course
         char[] nextGen = xor(new String(seed)).toCharArray();
         // [P3] Save the matching characters as "offspring"
         boolean emptySlots = false;
         for (int k = 0; k < solution.length; k++) {
            if (solution[k] != Character.MIN_VALUE) {
               continue;
            }
            else {
               emptySlots = true;
               if (nextGen[k] == target[k]) {
                  solution[k] = seed[k];
               }
            }
         }

         System.out.printf("Generation %d: %s\n", counter, new String(solution));
         counter++;
         if (!emptySlots) {
            done = true;
         }
      }

      System.out.printf("Solution: %s\n", new String(solution));
   }

   // From the decompile dump of "BasicStringObfuscation.class"
   private static String xor(String var0) {
      char[] var1 = var0.toCharArray();
      char[] var2 = new char[var1.length];

      for(int var3 = 0; var3 < var2.length; ++var3) {
         char var4 = var1[var3];
         var2[var3] = (char)(var4 ^ var3 % 3);
      }

      return new String(var2);
   }
}
```
\$\endgroup\$

1 Answer 1

Reset to default
1
\$\begingroup\$

Disclaimer: I'm no Java expert and I may have missed some of the point of the code.

Last iteration

When iterating the characters of solution to check whether it is valid, we rely on its previous value instead of the one we may possible give it.

Hence, we go through an additional iteration even though we could stop directly.

Here is my suggestion

         // [P3] Save the matching characters as "offspring"
         boolean solutionIsValid = true;
         for (int i = 0; i < solution.length; i++) {
            if (solution[i] == Character.MIN_VALUE) {
               if (cipheredSeed[i] == target[i]) {
                  solution[i] = seed[i];
               } else {
                  solutionIsValid = false;
               }
            }
         }

I took this chance to:

  • get rid of continue

  • rename a few things

Principle

A lot of time is spent generating random values, ciphering them and checking the ciphered value but most of the characters ciphered and wrong and/or unused.

Because each character is ciphered independenly (otherwise, the whole logic here would fail), it may be faster to progress character by character.

This gives something like:

/*
 * An application to crack an XOR cipher using Dawkins' weasel
 * By A. S. "Aleksey" Ahmann <[email protected]>
 * - Githubs: https://github.com/Alekseyyy
 * - TryHackMe: https://tryhackme.com/p/EntropyThot
 *
 * Note that some parts of this programme are borrowed from o-
 * -ther sources. Most notably, the "xor_str" function that retur-
 * -ns a String is the result of decompiling the .class file
 * of TryHackMe's problem. P1's random string generator is ba-
 * -sed off of the following website:
 * - https://www.baeldung.com/java-random-string
 */

import java.io.*;
import java.util.*;

public class Dawkins {
   private static final String correctPassword = "aRa2lPT6A6gIqm4RE";

   public static void main(String[] args) {
      char[] target = correctPassword.toCharArray();
      char[] solution = new char[target.length];

      System.out.println("==========================================================");
      System.out.println("= A crude, amateurish implementation of Dawkins'          ");
      System.out.println("= weasel to crack the TryHackMe XOR cipher                ");
      System.out.println("= By A. S. \"Aleksey\" Ahmann <[email protected]>   ");
      System.out.println("= - https://github.com/Alekseyyy                          ");
      System.out.println("= - https://tryhackme.com/p/EntropyThot                   ");
      System.out.println("==========================================================\n");

      for (int i = 0; i < solution.length; i++) {
         // Loop over candidates
         for (char c = 48; c <= 123; c++) {
             if ((c <= 57 || c >= 65) && (c <= 90 || c >= 97)) {
                 // Check if valid
                 if (xor_c(c, i) == target[i]) {
                     solution[i] = c;
                 }
             }
         }
      }

      // TODO: Handle cases when 0 or many characters are found
      System.out.printf("Solution: %s\n", new String(solution));
   }

   // From the decompile dump of "BasicStringObfuscation.class" and then refactored
   private static char xor_c(char c, int index) {
       return (char)(c ^ index % 3);
   }
   private static String xor_str(String s) {
       char[] input = s.toCharArray();
       char[] output = new char[input.length];
   
       for(int i = 0; i < output.length; ++i) {
           output[i] = xor_c(input[i], i);
       }
       return new String(output);
   }
}

Then, if we are ready to take into the actual logic in xor_c, we could compute the solution value directly by performing the opposite of the operations. In this particular case, the function to decipher is actually the one used to cipher as well. This idea does not generalize to an arbitrary cipher function.

\$\endgroup\$
1
  • \$\begingroup\$ Oh gol dang, thanks for dat input :D I am not a Java developer either so that in part explains why my code is a bit rubbish. I already published an article discussing my solution (if the paywall is giving you problems, just view the article in private browsing mode ;-) ai.plainenglish.io/… But I will def take your advices into account (esp since I want to rewrite this into something better in the future ;-) \$\endgroup\$ Commented Oct 7, 2022 at 17:12

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.