# RE - Crackity

## Description

I made a module for my application, and I am sure no one can crack it! I even handed it out for free, because I was so sure no one could get my data for free, without paying me first to decode it. So I'm sure you can't crack it either. You can try tho! Here.

## Solution

We are presented with a Java Archive (.jar) file, and to view its contents I used [jd-gui](http://java-decompiler.github.io/), a Java decompiler. The file had all of its class names obfuscated with a series of **i** and **l** characters.

![](/files/dhLUdncge8T2dYRZhcAo)

Because there were not a lot of classes, I manually looked through all the classes and most of them had content in this format: `public static final String x = "<Gibberish string>"`

![](/files/Uex5YjPLYe39Ja4l4AIC)

All except one class that looks like this.

![](/files/3VQV32WiCo0i6fPmoMjl)

I copied the code out into Sublime Text and replaced the long obfuscated class name with **x**.

![](/files/pShHwRlRdQUFAjYzCThP)

I tried to compute the value of **x** using an online Java compiler and it seems that **x** will always evaluate to a constant string **"Nr0.27465307216702745"**. So again, the code can be further simplified to:

![](/files/NgQjgBX7a2TkNWAkEmBe)

Remember the gibberish string that all the other classes have? I guessed that they would be passed in to this function as an argument. Using [jd-gui](http://java-decompiler.github.io/), I could not copy the gibberish string out, so I used an online [Java Decompiler](https://jdec.app/) to copy the string. While I probably should have done this in Java, I wrote a Python equivalent of the above code and used the gibberish string from the previous class as the argument.

```python
# Java code
# public static String x(String paramString) {
#   char[] arrayOfChar = new char[paramString.length()];
#   for (byte b = 0; b < paramString.length(); b++)
#     arrayOfChar[b] = (char)(paramString.charAt(b) - "Nr0.27465307216702745".charAt(b % 21)); 
#   return new String(arrayOfChar);
# }

# In Python
paramString = "¢¸sq\u0086}¯ i©d\u0096b\u0093\u009c¬£\u0095k¨f~à\u008f_¥\u0096¤¨h§¤°\u0091\u009ff«\u008f¢©g©Âë\u00ad"
conststring = "Nr0.27465307216702745"

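arrayOfChar = ""
for i in range(len(paramString)):
  try:
    # Subtract the repeating key character from each input character
    arrayOfChar += chr(ord(paramString[i]) - ord(conststring[i % len(conststring)]))
  except ValueError:
    # chr() rejects a negative difference, so that character is skipped
    print("error at index", i)
print(arrayOfChar)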
```

![](/files/dvWpvrLYrFyt7fljTwbV)

Got the above using the above code but realised that the flag was incorrect. It was obvious what was wrong though, so I appended a **j** in front so that the flag makes more sense, and it turns out it's correct!

Flag: `TFCCTF{j4v4_0bfusc4t10n_1s_pr3tty_n0t_pr3tty}`
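An added example, not part of the original write-up: re-encoding the flag with the page's key shows that the character at index 7 is U+00A0 (non-breaking space), which is a likely reason a copied string loses the **j**. The function names are my own, and the idea that the copy step turned U+00A0 into a plain space is an assumption.

```python
KEY = "Nr0.27465307216702745"  # constant from the decompiled routine on this page
FLAG = "TFCCTF{j4v4_0bfusc4t10n_1s_pr3tty_n0t_pr3tty}"  # flag stated on this page


def encode(plain, key=KEY):
    """Inverse of the decompiled routine: add the repeating key character.
    The result is masked to 16 bits because a Java char is 16 bits wide."""
    return "".join(chr((ord(c) + ord(key[i % len(key)])) & 0xFFFF)
                   for i, c in enumerate(plain))


def decode(cipher, key=KEY):
    """Decompiled routine with Java semantics: (char)(a - b) wraps modulo
    2**16 instead of raising, unlike Python's chr() on a negative value."""
    return "".join(chr((ord(c) - ord(key[i % len(key)])) & 0xFFFF)
                   for i, c in enumerate(cipher))


def suspicious_positions(cipher, key=KEY):
    """Indexes where the input is smaller than the key character. A string
    produced by encode() never has these, so each one marks copy damage."""
    return [i for i, c in enumerate(cipher) if ord(c) < ord(key[i % len(key)])]


def repair(cipher, key=KEY):
    """Heuristic (assumption): a plain space at a suspicious index was
    originally U+00A0 and was normalised by a copy/paste step."""
    bad = set(suspicious_positions(cipher, key))
    return "".join("\u00a0" if i in bad and c == " " else c
                   for i, c in enumerate(cipher))


# Constructed inputs: the string as the routine expects it, and a copy in
# which U+00A0 has been replaced by U+0020 (the assumed damage).
original = encode(FLAG)
copied = original.replace("\u00a0", " ")

if __name__ == "__main__":
    print("index of U+00A0 in the encoded flag:", original.index("\u00a0"))
    print("damaged indexes in the copied string:", suspicious_positions(copied))
    print("decoded after repair:", decode(repair(copied)))
```

Checking for input characters smaller than the key character before decoding catches this kind of damage instead of silently dropping or mangling a character.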

