Description
This vault uses some complicated arrays to store the password. Can you decrypt it? The Java source code is provided.
Setup
Download VaultDoor1.java from the challenge page.
Solution
- Step 1: Trace the character index checks. Open VaultDoor1.java and inspect checkPassword(). The method checks individual characters at specific indices using charAt() -- for example, password.charAt(0) == 'd', password.charAt(29) == '3', etc. Collect each required character, placing it at the index specified, to reconstruct the full password string.
Learn more
This challenge demonstrates static analysis -- reading source code or compiled bytecode to understand a program's behavior without executing it. The checkPassword() method validates each character of the password individually using Java's String.charAt(index) method, which returns the character at a given zero-based position. Because the checks are written out in source code, every required character and its required position are fully visible to the reader. The "security" relies entirely on the hope that an attacker won't read the source -- a strategy known as security through obscurity, which is universally considered ineffective. Once source code is available (or a binary is decompiled), this protection provides zero resistance.
This pattern is a classic example of what the OWASP Top 10 calls Insecure Design -- the fundamental approach to authentication is flawed regardless of implementation details. The correct approach is to store a cryptographic hash of the password and compare hashes, never the plaintext characters directly.
- Step 2: Reassemble the password in order. Sort all the charAt index-value pairs by index and concatenate the characters. The resulting string is the flag content to put inside picoCTF{...}.
Learn more
Reconstructing a scrambled string from index-value pairs is a straightforward permutation reversal. If you have a list of (index, character) pairs, sorting by index and joining the characters gives the original string. In Python this looks like: ''.join(c for _, c in sorted(pairs)).

In real-world security research, this type of reconstruction is common when analyzing obfuscated code. Malware authors frequently split strings across multiple assignments, reverse them, or interleave characters to defeat simple analysis with the strings utility. But once the obfuscation logic is understood, reconstruction is mechanical. Tools like de4dot (for .NET) and jadx (for Android APKs) automate much of this deobfuscation.

The key lesson: any password check implemented in application logic can be reversed by reading that logic, no matter how cleverly the characters are scattered. True authentication security requires cryptographic primitives (hashing, signing) that are mathematically hard to reverse -- not code complexity.
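The two steps above (collect the charAt() checks, then reassemble by index) and the hashed-comparison alternative recommended under Step 1 are shown together in the following added example. This is not code from the challenge or from VaultDoor1.java: SAMPLE_JAVA is a constructed snippet written in the same style as checkPassword(), with a made-up eight-character password rather than the real flag, and the helper names (extract_checks, reassemble, flag_from_source, hash_password, verify_password) are this example's own. Pointing flag_from_source at the real file's text is the only change needed to use it on the challenge.

```python
import hashlib
import hmac
import os
import re

# Constructed sample in the style of VaultDoor1.java's checkPassword(); the real
# file's characters are deliberately not reproduced, this password is made up.
SAMPLE_JAVA = """
    public boolean checkPassword(String password) {
        return password.length() == 8 &&
               password.charAt(7) == 'r' &&
               password.charAt(0) == 'e' &&
               password.charAt(3) == 'm' &&
               password.charAt(5) == 'l' &&
               password.charAt(1) == 'x' &&
               password.charAt(6) == '3' &&
               password.charAt(2) == '4' &&
               password.charAt(4) == 'p';
    }
"""

# One charAt(i) == 'c' comparison, and the optional length() == N guard.
CHARAT_RE = re.compile(r"\.charAt\((\d+)\)\s*==\s*'(.)'")
LENGTH_RE = re.compile(r"\.length\(\)\s*==\s*(\d+)")


def extract_checks(java_src):
    """Return {index: char} for every charAt(i) == 'c' comparison in the source.

    Two checks that disagree about the same index mean the parse is wrong (or the
    method can never return true), so they raise instead of silently picking one.
    """
    checks = {}
    for idx, ch in CHARAT_RE.findall(java_src):
        idx = int(idx)
        if idx in checks and checks[idx] != ch:
            raise ValueError(f"conflicting checks for index {idx}: {checks[idx]!r} vs {ch!r}")
        checks[idx] = ch
    return checks


def expected_length(java_src):
    """Length asserted by password.length() == N, or None if the source has no such check."""
    m = LENGTH_RE.search(java_src)
    return int(m.group(1)) if m else None


def reassemble(checks, length=None):
    """Sort (index, char) pairs by index and join them.

    Indices the source never checks are marked '?' so a gap stays visible instead
    of silently shifting later characters left; an index beyond the declared
    length is an error, because such a password could never pass the method.
    """
    if not checks and length is None:
        return ""
    n = length if length is not None else max(checks) + 1
    if checks and max(checks) >= n:
        raise ValueError(f"charAt({max(checks)}) exceeds declared length {n}")
    return "".join(checks.get(i, "?") for i in range(n))


def flag_from_source(java_src):
    """Whole walkthrough: parse the checks, reassemble in index order, wrap in picoCTF{...}."""
    return "picoCTF{" + reassemble(extract_checks(java_src), expected_length(java_src)) + "}"


# The defensible design the writeup recommends: store a salted, slow hash and
# compare digests in constant time, never the plaintext characters.

def hash_password(password, salt=None, iterations=200_000):
    """Derive a salted PBKDF2-HMAC-SHA256 digest; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(candidate, salt, digest, iterations=200_000):
    """Recompute the candidate's digest and compare without early exit on mismatch."""
    _, cand = hash_password(candidate, salt, iterations)
    return hmac.compare_digest(cand, digest)


if __name__ == "__main__":
    print(flag_from_source(SAMPLE_JAVA))
    salt, digest = hash_password("ex4mpl3r")
    print(verify_password("ex4mpl3r", salt, digest), verify_password("ex4mpl3s", salt, digest))
```

Reading the hashed variant's source reveals only a salt and a digest, which is exactly the property checkPassword() lacks: the source of the charAt() version is the password, while the source of the hashed version is useless without the password itself.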
Flag
picoCTF{...}
Character-by-index scrambling provides no security -- reading the source and reassembling characters in index order immediately reveals the password.