picoCTF Solutions
picoCTF 2023Reverse EngineeringMedium

Safe Opener 2

Published: April 26, 2023

Description

A compiled SafeOpener.class supposedly reveals the forgotten safe code. Either strings analysis or Java decompilation uncovers the embedded flag.

Setup

Download SafeOpener.class

Download SafeOpener.class and inspect it with strings or a Java decompiler such as jd-gui.

Extract the Java source to locate the hard-coded password and picoCTF flag.

wget https://artifacts.picoctf.net/c/290/SafeOpener.class
strings SafeOpener.class | grep pico
sudo apt install jd-gui && jd-gui SafeOpener.class

Solution

  1. Step 1Use strings for a quick win
    The compiled class embeds the flag literally. Running strings (or cat if you convert to .java) reveals picoCTF{...} near the bottom.
    Learn more

    Java .class files are compiled bytecode in the JVM (Java Virtual Machine) format. Unlike native machine code (ELF/PE), Java bytecode retains a great deal of structural information: class names, method names, field names, and - critically - string constants are all stored as UTF-8 in the constant pool, a table at the beginning of every .class file. This makes Java bytecode significantly more transparent to analysis than stripped C/C++ binaries.

    Because string constants live in the constant pool as plain text, strings SafeOpener.classdirectly surfaces any hard-coded credentials or flags. This is a fundamental limitation of client-side validation in Java: the class file must ship to the user's machine to run, and any secrets embedded in the source code are exposed in the distributed bytecode.

    In real-world Android and Java reverse engineering, this property is exploited routinely: decompiling APK files (which contain .dex rather than .class files, but with the same characteristic) reveals API keys, hardcoded tokens, and server URLs that developers intended to keep secret. Tools like jadx, jd-gui, and CFR reconstruct near-perfect Java source from bytecode.

  2. Step 2Optional: Decompile
    Open the class in jd-gui to view SafeOpener.java. The flag appears in the clear, and you can save the decompiled file for reference.
    cat SafeOpener.java | grep pico | cut -d "\" -f1
    Learn more

    jd-gui is a graphical Java decompiler that translates .class bytecode back into readable Java source code. The decompilation is not always perfect (variable names are often replaced with generic identifiers like paramString1, and some control flow may look different from the original), but it is generally good enough to understand the program's logic and find embedded strings.

    The cut -d "\"" -f1 command splits the grep output on double-quote characters and takes the first field - this cleanly extracts the string literal value from a Java source line like String flag = "picoCTF{...}"; without the surrounding syntax.

    For more powerful analysis, Ghidra (from the NSA, free and open-source) can analyze both Java .class files and native binaries. Its decompiler produces C-like pseudocode for native code and understands JVM bytecode, making it versatile for multi-language challenge binaries. bytecode-viewer combines multiple decompilers in one tool and lets you compare outputs side-by-side.

Flag

picoCTF{SAf3_0p3...8a993}

No dynamic execution is required; the challenge is purely static analysis.

Want more picoCTF 2023 writeups?

Browse picoCTF 2023Full library

Useful tools for Reverse Engineering

Related reading

What to try next