vault-door-7 picoCTF 2019 Solution

Published: April 2, 2026

Description

This vault uses bit manipulation to check the password. Reverse the bit operations to recover it.

Download the Java source file.

bash
wget <url>/VaultDoor7.java
  1. Step 1: Understand the bit manipulation
    Open VaultDoor7.java. The checkPassword method packs four characters at a time into a 32-bit integer using bit shifts, then compares to hardcoded integers. You need to reverse this packing.
    bash
    cat VaultDoor7.java

    The encoding works by shifting each character's ASCII value to a specific bit position within a 32-bit integer. For example, four chars packed as: (c0 << 24) | (c1 << 16) | (c2 << 8) | c3.

    Bit shifting left by N is equivalent to multiplying by 2^N. OR-ing the shifted values combines them into a single integer without overlap, since each character occupies exactly 8 bits (one byte) within the 32-bit word.

  2. Step 2: Reverse the packing in Python
    For each hardcoded 32-bit integer, extract each 8-bit group by right-shifting and masking with 0xFF. This recovers the four original characters per integer.
    python
    python3 -c "
    ints = []  # paste the hardcoded integers from VaultDoor7.java here
    password = ''
    for val in ints:
        password += chr((val >> 24) & 0xFF)
        password += chr((val >> 16) & 0xFF)
        password += chr((val >> 8) & 0xFF)
        password += chr(val & 0xFF)
    print(password)
    "

    Masking with 0xFF (binary 11111111) after right-shifting isolates the lowest 8 bits of the result, discarding any higher bits. This is how you extract individual bytes from a multi-byte integer.

    This packing technique is common in low-level code for performance: processing 4 characters at once as a 32-bit word is faster than processing them individually on many architectures.

  3. Step 3: Submit the flag
    Concatenate all extracted characters in order to form the password. Wrap in picoCTF{...} to submit.

    When reversing bit manipulation, always check the shift amounts carefully in the original code. The order of bytes within the integer (big-endian vs little-endian) determines which byte to extract with which shift amount.
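
The packing and its reversal described in the steps above, as an added example that is not code from the challenge or from the original writeup; the sample password and the function names are constructed. It goes slightly beyond the page by handling words that Java would show as negative ints and by showing what reading the bytes in the wrong order produces.

```python
# Added illustration. SAMPLE and all helper names are constructed for this
# example; they are not taken from VaultDoor7.java.

def to_java_int(x):
    """Interpret the low 32 bits of x as a signed Java int."""
    x &= 0xFFFFFFFF
    return x - (1 << 32) if x & 0x80000000 else x

def pack(password):
    """Pack 4 bytes per word, first character in the top byte."""
    data = password.encode("latin-1")
    if len(data) % 4:
        raise ValueError("length must be a multiple of 4")
    words = []
    for i in range(0, len(data), 4):
        c0, c1, c2, c3 = data[i:i + 4]
        words.append(to_java_int((c0 << 24) | (c1 << 16) | (c2 << 8) | c3))
    return words

def unpack(words, shifts=(24, 16, 8, 0)):
    """Recover the characters; `shifts` is the byte order to read."""
    out = bytearray()
    for w in words:
        for s in shifts:
            # The 0xFF mask also makes this work for negative ints,
            # where >> sign-extends.
            out.append((w >> s) & 0xFF)
    return out.decode("latin-1")

SAMPLE = "constructed_pw!!"  # constructed 16-character input
WORDS = pack(SAMPLE)

if __name__ == "__main__":
    print([hex(w & 0xFFFFFFFF) for w in WORDS])
    print(unpack(WORDS))                         # shifts match the packing
    print(unpack(WORDS, shifts=(0, 8, 16, 24)))  # wrong order: each group of 4 reversed
    high = pack("\xe9abc")                       # top byte >= 0x80
    print(high, unpack(high))                    # negative int still unpacks
```

If the recovered text reads as reversed groups of four, the shift order in the solver does not match the one in checkPassword.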

Flag

picoCTF{...}

Unpack each 32-bit integer by extracting 4 bytes via right-shift + 0xFF mask to recover the password.
