dexer/Dockerfile

+FROM openjdk:8-jdk
+
+# Set up Android SDK and NDK
+RUN apt-get update && apt-get install -y \
+    wget \
+    unzip \
+    python3-pip \
+    && wget -q https://dl.google.com/android/repository/sdk-tools-linux-4333796.zip -O android-sdk.zip \
+    && unzip -q android-sdk.zip -d /usr/local/android-sdk \
+    && rm android-sdk.zip \
+    && yes | /usr/local/android-sdk/tools/bin/sdkmanager --licenses \
+    && /usr/local/android-sdk/tools/bin/sdkmanager "platform-tools" "build-tools;30.0.3" "platforms;android-30" "ndk-bundle"
+
+# Set environment variables
+ENV ANDROID_HOME /usr/local/android-sdk
+ENV ANDROID_NDK_HOME /usr/local/android-sdk/ndk-bundle
+ENV PATH ${PATH}:${ANDROID_HOME}/tools:${ANDROID_HOME}/platform-tools:${ANDROID_NDK_HOME}:${ANDROID_HOME}/build-tools/30.0.3
+
+
+COPY . .
+RUN chmod +x /compile.sh
+
+
+
+# Copy source files
+RUN pip install --no-cache-dir -r requirements.txt
+# Set entrypoint
+WORKDIR /code
+CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000", "--reload"]

dexer/app/MyClass.java

+
+
+package be.dauntless.twofa;
+
+import android.util.Log;
+
+import java.security.MessageDigest;
+
+public class Vault{
+
+    // 243d16af5d636a9a5c2ce5c2c5531b8d7777779a9c965708ef7b4ca380c75a60c063a2de287e29a4a38788ba96136d6c2f21d0
+    String a = "c0464a67969afeffc119ed5c7841c05e";
+    String c = "f2d3e977f0b719b19cba665c9d5adc18";
+    String b = "cecc3f78f4eb98de0dc3a58264fdf8c6abc3a2a55a1a0a8d564b0d4542974e8658d0611ea2d127a7e141450ea4c75b16f58cb165925c3ff4e6fdba0b4c468afa";
+
+    public String d = "xxxxxxxxxxxxxxxxxxxxx";
+   
+    public boolean a(String b, String c) throws Exception
+    {
+        return this.a(a + b + this.c + c).equals(this.b);
+    }
+
+    private String a(String b) throws Exception
+    {
+        //Log.d("xxx" ,b);
+        MessageDigest md = MessageDigest.getInstance("SHA-512");
+        byte[] digest = md.digest(b.getBytes());
+        StringBuilder sb = new StringBuilder();
+        for (int i = 0; i < digest.length; i++) {
+            sb.append(Integer.toString((digest[i] & 0xff) + 0x100, 16).substring(1));
+        }
+        //Log.d("xxx", sb.toString());
+        return sb.toString();
+    }
+}
+

dexer/app/Vault.java

+
+
+package be.dauntless.twofa;
+
+import java.security.MessageDigest;
+
+public class Vault{
+
+    // 243d16af5d636a9a5c2ce5c2c5531b8d7777779a9c965708ef7b4ca380c75a60c063a2de287e29a4a38788ba96136d6c2f21d0
+    String a = "0d9da05378382a05e6d31f33b242aeb8";
+    String c = "2e334509359f8b3ec24ce82b43e89aca";
+    String b = "cecc3f78f4eb98de0dc3a58264fdf8c6abc3a2a55a1a0a8d564b0d4542974e8658d0611ea2d127a7e141450ea4c75b16f58cb165925c3ff4e6fdba0b4c468afa";
+
+    public String d = "xxxxxxxxxxxxxxxxxxxxx";
+   
+    public boolean a(String b, String c) throws Exception
+    {
+        return this.a(a + b + this.c + c).equals(this.b);
+    }
+
+    private String a(String b) throws Exception
+    {
+        //Log.d("xxx" ,b);
+        MessageDigest md = MessageDigest.getInstance("SHA-512");
+        byte[] digest = md.digest(b.getBytes());
+        StringBuilder sb = new StringBuilder();
+        for (int i = 0; i < digest.length; i++) {
+            sb.append(Integer.toString((digest[i] & 0xff) + 0x100, 16).substring(1));
+        }
+        //Log.d("xxx", sb.toString());
+        return sb.toString();
+    }
+}
+

dexer/app/main.py

+import base64
+import subprocess
+import json
+import time, os
+import logging
+import hashlib
+import random
+from fastapi import FastAPI, HTTPException, Body, Request
+from cryptography.fernet import Fernet
+import redis
+
+app = FastAPI()
+redis_pool = redis.ConnectionPool(host='redis', port=6379, db=0)
+
+
+logger = logging.getLogger("gunicorn.error")
+logger.setLevel(logging.DEBUG)
+KEY = "x3UbhzTEKZHmtjSfgSsmymigjKKXwppkEWan9i2JG7M="
+flag = "csc(The_2FA_codes_mason_what_do_they_mean)"
+
+def encrypt(message: bytes, key: bytes) -> bytes:
+    return Fernet(key).encrypt(message)
+
+def decrypt(token: bytes, key: bytes) -> bytes:
+    return Fernet(key).decrypt(token)
+
+class_template = """
+
+package be.dauntless.twofa;
+
+import java.security.MessageDigest;
+
+public class Vault{{
+
+    // 243d16af5d636a9a5c2ce5c2c5531b8d7777779a9c965708ef7b4ca380c75a60c063a2de287e29a4a38788ba96136d6c2f21d0
+    String a = "{}";
+    String c = "{}";
+    String b = "{}";
+
+    public String d = "{}";
+
+    public String dd(){{
+        return this.d;
+    }}
+   
+    public boolean a(String b, String c) throws Exception
+    {{
+        return this.a(a + b + this.c + c).equals(this.b);
+    }}
+
+    private String a(String b) throws Exception
+    {{
+        //Log.d("xxx" ,b);
+        MessageDigest md = MessageDigest.getInstance("SHA-512");
+        byte[] digest = md.digest(b.getBytes());
+        StringBuilder sb = new StringBuilder();
+        for (int i = 0; i < digest.length; i++) {{
+            sb.append(Integer.toString((digest[i] & 0xff) + 0x100, 16).substring(1));
+        }}
+        //Log.d("xxx", sb.toString());
+        return sb.toString();
+    }}
+}}
+
+"""
+
+def Sha512Hash(pwd):
+    return  hashlib.sha512(pwd.encode('utf-8')).hexdigest()
+
+
+
+@app.post('/submitkey')
+async def submit_key(request : Request):
+    r = redis.Redis(connection_pool=redis_pool)
+    try:
+        data = await request.json()
+
+        logger.error("solution pin: " + data["pin"])
+
+        vault = data["vault"]
+        logger.error(vault)
+
+        decryptedVault = decrypt(vault, KEY)
+        logger.error(decryptedVault)
+
+        vaultData = json.loads(decryptedVault)
+
+        if r.get(vaultData["id"]):
+            return {"response": encrypt_for_delivery("This vault was destroyed. Access is forever lost.")}
+
+        if round(time.time()) - vaultData["time"] <= 30:
+            if vaultData["pin"] == data["pin"]:
+                r.set(vaultData["id"], 1)
+                return  {"response": encrypt_for_delivery(flag)}
+            else:
+                r.set(vaultData["id"], 1)
+                return  {"response": encrypt_for_delivery("Wrong PIN. Vault is destroyed.")}
+        else:
+            r.set(vaultData["id"], 1)
+            return  {"response": encrypt_for_delivery("Expired vault. Vault is now destroyed.")}
+    except:
+        return  {"response": encrypt_for_delivery("Invalid vault")}
+
+@app.get('/getvault')
+async def get_vault():
+
+    a = hashlib.md5(os.urandom(32)).hexdigest()
+    c = hashlib.md5(os.urandom(32)).hexdigest()
+    hardcoded = "de287e29a4a38788ba96136d6c2f21d0"
+    
+    pin = str(random.randint(100000, 999999))
+    sol = Sha512Hash(a + pin + c + hardcoded)
+
+    
+    confirmation = {
+        "time": round(time.time()),
+        "pin": pin,
+        "id": hashlib.md5(os.urandom(32)).hexdigest()
+    }
+
+    encryptedConfirmation = encrypt(json.dumps(confirmation).encode(), KEY)
+    thecode = class_template.format(a, c, sol, encryptedConfirmation.decode("utf-8"))
+
+    source_code_encoded = base64.b64encode(thecode.encode('utf-8')).decode('utf-8')
+
+    # Compile Java source code to Android dex file
+    result = subprocess.run(['/compile.sh', source_code_encoded], capture_output=True)
+    if result.returncode != 0:
+        raise HTTPException(status_code=500, detail=result.stderr.decode('utf-8'))
+    #logger.error(result.stdout)
+    return {"vault": encrypt_for_delivery(result.stdout.decode('utf-8'))}
+
+@app.get('/validate')
+async def validate(code: str):
+
+   
+    return Sha512Hash("243d16af5d636a9a5c2ce5c2c5531b8d7777779a9c965708ef7b4ca380c75a60c063a2de287e29a4a38788ba96136d6c2f21d0")
+    return decrypt(code.encode(), KEY)
+
+
+
+
+
+
+
+from Crypto.Cipher import AES
+
+
+# AES 'pad' byte array to multiple of BLOCK_SIZE bytes
+def pad(byte_array):
+    BLOCK_SIZE = 16
+    pad_len = BLOCK_SIZE - len(byte_array) % BLOCK_SIZE
+    return byte_array + (bytes([pad_len]) * pad_len)
+
+# Remove padding at end of byte array
+def unpad(byte_array):
+    last_byte = byte_array[-1]
+    return byte_array[0:-last_byte]
+
+def encrypt_for_delivery(message):
+    key = "ca1111c9f4a927971077eb12cf0a4fcb"[0:16]
+    """
+    Input String, return base64 encoded encrypted String
+    """
+
+    byte_array = message.encode("UTF-8")
+
+    padded = pad(byte_array)
+
+    # generate a random iv and prepend that to the encrypted result.
+    # The recipient then needs to unpack the iv and use it.
+    iv = os.urandom(AES.block_size)
+    cipher = AES.new( key.encode("UTF-8"), AES.MODE_CBC, iv )
+    encrypted = cipher.encrypt(padded)
+    # Note we PREPEND the unencrypted iv to the encrypted message
+    return base64.b64encode(iv+encrypted).decode("UTF-8")
+
+def decrypt_for_delivery_not_used(message):
+    key = "ca1111c9f4a927971077eb12cf0a4fcb"[0:16]
+    """
+    Input encrypted bytes, return decrypted bytes, using iv and key
+    """
+
+    byte_array = base64.b64decode(message)
+
+    iv = byte_array[0:16] # extract the 16-byte initialization vector
+
+    messagebytes = byte_array[16:] # encrypted message is the bit after the iv
+
+    cipher = AES.new(key.encode("UTF-8"), AES.MODE_CBC, iv )
+
+    decrypted_padded = cipher.decrypt(messagebytes)
+
+    decrypted = unpad(decrypted_padded)
+
+    return decrypted.decode("UTF-8");

dexer/compile.sh

+#!/bin/bash
+
+mkdir -p /code/app/be/dauntless/twofa
+
+# Decode base64 input
+echo $1 | base64 -d > /code/app/be/dauntless/twofa/Vault.java
+
+# Set up Android SDK environment variables
+export ANDROID_HOME=/opt/android-sdk
+export PATH=$PATH:$ANDROID_HOME/tools:$ANDROID_HOME/platform-tools
+
+# Compile Java source code to dex file
+javac -classpath $ANDROID_HOME/platforms/android-30/android.jar /code/app/be/dauntless/twofa/Vault.java
+dx --dex --output=Vault.dex /code/app
+
+# Output dex file as base64-encoded string
+cat Vault.dex | base64
+
+rm Vault.dex
+rm /code/app/be/dauntless/twofa/Vault.*
\ No newline at end of file

dexer/requirements.txt

+fastapi==0.68.1
+uvicorn==0.15.0
+requests
+pycrypto
+cryptography
+redis
\ No newline at end of file

docker-compose.yml

+version: '3'
+
+services:
+  redis:
+    image: redis
+    ports:
+      - '1234:6379'
+    restart: unless-stopped
+
+  compiler:
+    volumes:
+    - ./dexer/app:/code
+    build: ./dexer/
+    ports:
+    - "9009:8000"
+    restart: unless-stopped

pysolve.py

+
+import hashlib
+def Sha512Hash(pwd):
+    return  hashlib.sha512(pwd.encode('utf-8')).hexdigest()
+
+# a + pin + c + hardcoded
+hardcoded = "de287e29a4a38788ba96136d6c2f21d0"
+
+a = "fb2cc6e6d852e2511e1a83f6308e8b92"
+c = "046cb1151f64c420cfce01208ed915f4"
+b = "51c920909204ae2cd675f20b9e7237a651d693ff0fd4955d15e6c6c2a028b70093c793b4b857dc4024fb141bf673f512cd0348be5c8c25c32560de428ad39276"
+
+# sol = Sha512Hash(a + pin + c + hardcoded)
+for i in range(100000, 999999):
+    if Sha512Hash(a + str(i) + c + hardcoded) == b:
+        print(i)
\ No newline at end of file

sol.js

+var mmm = {}
+
+function dodo()
+{
+    
+    console.log(mmm)
+    for(var i = 100000; i<999999; i++){
+        res = mmm.vault.a(i + "", "de287e29a4a38788ba96136d6c2f21d0")
+
+        if(i % 100000 == 0){
+            console.log(i)
+        }
+        if(res)
+        {
+            console.log("Code: " + i)
+            return;
+        }
+    }
+}
+
+function test(){
+    Java.perform(function(){
+        Java.enumerateClassLoaders({
+            onMatch: function(loader){
+                Java.classFactory.loader = loader;
+                var TestClass;
+
+                try{
+                    var VaultClass = Java.use("be.dauntless.twofa.Vault");
+                    var v = VaultClass.$new();
+                    console.log("a = \"" + v._a.value + "\"")
+                    console.log("c = \"" + v.c.value + "\"")
+                    console.log("b = \"" + v.b.value + "\"")
+                    return;
+
+                }catch(error){
+                    console.log(error)
+                    
+                }
+            },
+            onComplete: function(){
+
+            }
+        });
+
+    })
+
+}
+setTimeout(test, 2000)