Description
This vault uses XOR with 0x55 to encode the password. Reverse it to find the flag.
Setup
Download the Java source file.
wget <url>/VaultDoor6.javaSolution
Walk me through it- Step 1Find the hardcoded byte arrayOpen VaultDoor6.java. The checkPassword method XORs each byte of the input with 0x55 and compares it to a hardcoded byte array. Extract that array.bash
cat VaultDoor6.javaLearn more
0x55 in binary is 01010101. XORing with this value flips every other bit. Because XOR is its own inverse, applying 0x55 twice returns the original value.
Single-byte XOR ciphers like this are trivially broken: there are only 256 possible keys, so even brute-force works instantly. With the key given in the source code, a single pass suffices.
- Step 2Decrypt using PythonXOR each byte in the hardcoded array with 0x55 to recover the original password characters.python
python3 -c " enc = [/* paste byte array values */] print(''.join(chr(b ^ 0x55) for b in enc)) "Learn more
In Python, the
^operator performs bitwise XOR on integers. Since each Javabytevalue may be signed (range -128 to 127), you may need to apply& 0xFFfirst to convert to an unsigned 0-255 range before XORing. - Step 3Submit the flagThe decoded string is the password. Wrap it in picoCTF{...} to form the final flag.
Learn more
This challenge illustrates why XOR with a fixed single-byte key provides essentially zero security - it is equivalent to a Caesar cipher operating on individual bits rather than characters.
Alternate Solution
Paste the hardcoded byte array as hex into the XOR Cipher tool on this site and enter 0x55 as the key - the tool XORs every byte instantly and shows the decoded password without writing any Python.
Flag
picoCTF{...}
XOR every byte in the hardcoded array with 0x55 to get the password characters.