Description
The source code is intentionally messy. The scramble method transposes pairs of bits in each character. Reverse the scrambler by applying it in reverse order to find the password.
Setup
Download the Java source file.
```bash
wget <url>/VaultDoor8.java
```
Solution
- Step 1: Analyze the scramble method
Open VaultDoor8.java. Find the scramble() method which applies a series of bit swaps to each character. The checkPassword method calls scramble() on each input character and compares to a hardcoded array.
```bash
cat VaultDoor8.java
```
Learn more
The scramble method typically performs a sequence of bit-pair swaps on an 8-bit character. For example, it may swap bit 0 with bit 1, bit 2 with bit 3, etc. These are self-contained permutations.
Because each operation swaps exactly two bits, applying the same operation twice returns the original value. This means scramble(scramble(c)) == c - the function is its own inverse.
- Step 2: Reverse the scramble by running the operations in reverse order
Martin's approach: copy the Java source, reverse the order of the bit-swap operations in the scramble method, then apply that reversed scramble to the expected array. This unscrambles each byte back to the original password character. Alternatively, since each individual swap is its own inverse, apply the operations in reverse sequence.
```bash
python3 -c "
def unscramble(c):
    # Replicate the bit-swap operations from Java scramble()
    # Example: swap bits 0,1 then bits 2,3 then bits 4,5 then bits 6,7
    c = ((c & 0x55) << 1) | ((c & 0xAA) >> 1)
    # Add more swaps if the Java code has them
    return c

enc = []  # paste the hardcoded byte array here
print(''.join(chr(unscramble(b & 0xFF)) for b in enc))
"
```
Learn more
The bitmask 0x55 is 01010101 in binary - it selects all even-positioned bits. The mask 0xAA is 10101010 - it selects all odd-positioned bits. Together they can swap adjacent bit pairs across an entire byte in two operations.
Read the Java source carefully to replicate the exact sequence of bit swaps. Each swap operation in the Java code must appear in the same order in your Python unscramble function.
- Step 3: Submit the flag
The unscrambled characters form the password. Wrap in picoCTF{...} to get the flag.
Learn more
This is a classic example of a bijective (one-to-one) encoding function used as obfuscation. Since every possible input maps to exactly one output, the function is fully reversible - the only question is figuring out the reverse mapping.
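The inversion argument from Step 2 as an added Python example (not code from the challenge or from the original write-up): it undoes a chain of bit swaps by replaying them last to first, and checks when a chain is also its own inverse, which holds when no bit position is reused across swaps. The swap lists, the sample password and the function names are constructed for illustration; the real swap sequence has to be read from VaultDoor8.java.

```python
# Constructed swap sequences for illustration; NOT the ones in VaultDoor8.java.
DISJOINT = [(0, 1), (2, 3), (4, 5), (6, 7)]      # no bit position reused
OVERLAPPING = [(1, 2), (0, 3), (0, 1), (2, 5)]   # positions reused across swaps


def switch_bits(c, p1, p2):
    """Swap bit p1 and bit p2 of the 8-bit value c."""
    if ((c >> p1) & 1) != ((c >> p2) & 1):
        c ^= (1 << p1) | (1 << p2)   # the bits differ, so flipping both swaps them
    return c & 0xFF


def scramble(c, swaps):
    """Apply the swaps first to last (the forward direction)."""
    for p1, p2 in swaps:
        c = switch_bits(c, p1, p2)
    return c


def unscramble(c, swaps):
    """Undo scramble(): each swap is its own inverse, so replay them last to first."""
    return scramble(c, list(reversed(swaps)))


def is_self_inverse(swaps):
    """True if scramble(scramble(c)) == c for every possible byte value."""
    return all(scramble(scramble(c, swaps), swaps) == c for c in range(256))


def recover(expected, swaps):
    """Turn an array of scrambled bytes back into the password text."""
    return "".join(chr(unscramble(b & 0xFF, swaps)) for b in expected)


if __name__ == "__main__":
    secret = "s4mpl3_p4ss"   # constructed sample password, not the real one
    expected = [scramble(ord(ch), OVERLAPPING) for ch in secret]
    print("disjoint chain self-inverse:   ", is_self_inverse(DISJOINT))
    print("overlapping chain self-inverse:", is_self_inverse(OVERLAPPING))
    print("recovered by reversed order:   ", recover(expected, OVERLAPPING))
```

Running is_self_inverse() on the swap list copied from the Java source shows whether applying scramble() a second time is enough or whether the reversed order is required.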
Flag
picoCTF{...}
The scramble function is its own inverse - apply the same bit-swap operations to the hardcoded array to recover the password.