Cyberarmy – Sered Safe Lock

To beat the Safe @http://www.cyberarmy.net/sered/sered2/safe

You need to look at the page's HTML source and notice that the applet's .jar file is exposed there.

<P><BR>
<center>
<applet code="net.cyberarmy.sered.SafeLockApplet.class" archive="/includes/sered/safelock2.jar" width=256 height=96>
<param name=background value="http://www.cyberarmy.net/includes/sered/background.jpg">
<param name=checksum value="efb5d7a5db4ff3e9f2882ebae41042b382c59073">
<param name=digits value="http://www.cyberarmy.net/includes/sered/digits.jpg">
<param name=url_base value="http://www.cyberarmy.net/sered/sered2/safe/">
<param name=click value="http://www.cyberarmy.net/includes/sered/click.au">
<./applet>
<./center>
Great tips to a fun game

Hence the .jar file is located on the servers here
http://www.cyberarmy.net/includes/sered/safelock2.jar

Download the Jar file and then rename the extension to .zip

A .jar is an ordinary ZIP archive, so this lets you browse the directories inside the jar file and extract them.

So go ahead and extract those with WinRAR.

Then we will probably need to decompile the class file! So let's do it!

Continued August 2nd 2008

Ok so go download http://www.bysoft.se/sureshot/cavaj/index.html

Cavaj Java Decompiler V1.11

When you are done with that .. throw both class files into it.

package net.cyberarmy.sered;

import java.applet.AppletContext;
import java.applet.AudioClip;
import java.awt.*;
import java.awt.event.MouseAdapter;
import java.awt.event.MouseEvent;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import javax.swing.JApplet;
import javax.swing.JRootPane;

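/**
 * Six-barrel "safe lock" applet, as recovered by decompiling the challenge jar.
 *
 * <p>Configuration arrives through applet parameters: image and sound URLs, a
 * {@code checksum} (hex SHA-1 digest) and a {@code url_base}. After every click on a
 * barrel arrow the applet hashes {@code "LOCKED"} followed by the six digits and
 * compares the result with {@code checksum}; on a match it navigates to
 * {@code url_base} followed by the digest of {@code "OPEN"} plus the same digits.
 *
 * <p>Security note: the whole check runs in the client. The expected digest is
 * delivered in the page's {@code <param>} tags, the hash is unsalted and fast, and
 * six decimal barrels give only 10^6 combinations, so the digest does not keep the
 * combination secret from anyone who can read the page and this class. A check
 * that has to resist that must be performed server-side, with attempt limiting.
 *
 * <p>This listing repairs the typographic quotes and dashes the blog engine put
 * into the decompiled text, which made it uncompilable as published.
 */
public class SafeLockApplet extends JApplet
{

    private final int NUM_BARRELS = 6;
    private Image digits;
    private Image bg;
    private int barrel_values[];
    private int offsets[];
    private String checksum;
    private String url_base;
    private AudioClip ac;
    // start() runs every time the hosting page is revisited; without this flag each
    // run would add another listener and one click would step a barrel several times.
    private boolean mouseListenerInstalled;

    public SafeLockApplet()
        throws HeadlessException
    {
    }

    /**
     * Reads the five required applet parameters and starts loading the images and
     * the click sound.
     *
     * @throws RuntimeException if a parameter is missing or a URL is malformed
     */
    @Override
    public void init()
    {
        String digits_url = requiredParameter("digits", "digits image not specified");
        String background_url = requiredParameter("background", "background image not specified");
        String click_url = requiredParameter("click", "click sound not specified");
        checksum = requiredParameter("checksum", "checksum not specified");
        url_base = requiredParameter("url_base", "url_base not specified");

        digits = getToolkit().getImage(parseUrl(digits_url, "malformed digits url"));
        prepareImage(digits, null);

        // int arrays start zeroed, so every barrel begins at digit 0.
        barrel_values = new int[NUM_BARRELS];
        offsets = new int[NUM_BARRELS];
        for (int i = 0; i < NUM_BARRELS; i++)
        {
            offsets[i] = randomOffset();
        }

        bg = getToolkit().getImage(parseUrl(background_url, "malformed background url"));
        prepareImage(bg, null);

        ac = JApplet.newAudioClip(parseUrl(click_url, "click URL malformed"));
    }

    /**
     * Draws the background and the current digit of each barrel.
     *
     * <p>The supplied {@code g} is not used; as in the original, drawing goes to a
     * Graphics obtained from the content pane.
     */
    @Override
    public void paint(Graphics g)
    {
        awaitImage(bg);
        getRootPane().getContentPane().getGraphics().drawImage(bg, 0, 0, null);
        awaitImage(digits);
        for (int i = 0; i < NUM_BARRELS; i++)
        {
            int left = 34 * i + 28;
            int top = 25 + offsets[i];
            int bottom = 72 + offsets[i];
            // Each digit occupies a 32-pixel-wide cell of the digits strip.
            int cell = barrel_values[i] * 32;
            getRootPane().getContentPane().getGraphics().drawImage(
                digits, left, top, 32 + left, bottom, cell, 0, 32 + cell, 47, null);
        }
    }

    /** Installs the click listener (once) and requests a repaint. */
    @Override
    public void start()
    {
        if (!mouseListenerInstalled)
        {
            getRootPane().addMouseListener(new MouseAdapter() {

                @Override
                public void mouseClicked(MouseEvent e)
                {
                    handleClick(e.getX(), e.getY());
                }

            });
            mouseListenerInstalled = true;
        }
        repaint();
    }

    /**
     * Handles a click at applet coordinates ({@code x}, {@code y}).
     *
     * <p>A click in the y band 12..22 steps the barrel under {@code x} up by one; a
     * click in the y band 75..83 steps it down by one. Any other position is ignored.
     * After a step the digest of the new combination is compared with the configured
     * checksum and, on a match, the browser is sent to the "OPEN" URL.
     *
     * @throws RuntimeException if the resulting URL is malformed
     */
    public void handleClick(int x, int y)
    {
        int step;
        if (y >= 12 && y <= 22)
        {
            step = 1;
        }
        else if (y >= 75 && y <= 83)
        {
            step = 9; // +9 modulo 10 is the same as -1 without going negative
        }
        else
        {
            return;
        }

        int barrel = barrelAt(x);
        if (barrel == -1)
        {
            return;
        }

        barrel_values[barrel] = (barrel_values[barrel] + step) % 10;
        ac.play();
        offsets[barrel] = randomOffset();
        repaint();

        // Client-side comparison against a digest that the page itself publishes.
        if (getChecksumWithPrefix("LOCKED").equals(checksum))
        {
            String target = url_base + getChecksumWithPrefix("OPEN");
            try
            {
                getAppletContext().showDocument(new URL(target));
            }
            catch (MalformedURLException e)
            {
                throw new RuntimeException("could not access " + target, e);
            }
        }
    }

    /**
     * Returns the lowercase hex SHA-1 digest of {@code prefix} followed by the six
     * barrel digits written as ASCII characters.
     */
    private String getChecksumWithPrefix(String prefix)
    {
        MessageDigest md;
        try
        {
            md = MessageDigest.getInstance("SHA-1");
        }
        catch (NoSuchAlgorithmException e)
        {
            throw new RuntimeException("Could not find SHA-1 algorithm", e);
        }
        // NOTE(review): getBytes() uses the platform default charset; both callers in
        // this class pass ASCII literals.
        md.update(prefix.getBytes());
        for (int i = 0; i < NUM_BARRELS; i++)
        {
            md.update((byte) (barrel_values[i] + '0'));
        }

        byte[] raw = md.digest();
        StringBuilder hex = new StringBuilder(raw.length * 2);
        for (byte b : raw)
        {
            int unsigned = 0xff & b;
            if (unsigned < 0x10)
            {
                hex.append('0'); // keep two hex characters per byte
            }
            hex.append(Integer.toHexString(unsigned));
        }
        return hex.toString();
    }

    /** Returns the named applet parameter, or throws with {@code missingMessage}. */
    private String requiredParameter(String name, String missingMessage)
    {
        String value = getParameter(name);
        if (value == null)
        {
            throw new RuntimeException(missingMessage);
        }
        return value;
    }

    /** Parses {@code spec} as a URL, or throws with {@code errorMessage} and the cause. */
    private URL parseUrl(String spec, String errorMessage)
    {
        try
        {
            return new URL(spec);
        }
        catch (MalformedURLException e)
        {
            throw new RuntimeException(errorMessage, e);
        }
    }

    /** Small random vertical offset applied to a barrel's digit when it is drawn. */
    private int randomOffset()
    {
        return (int) (Math.random() * 5D - 2D);
    }

    /** Maps a click's x coordinate to a barrel index 0..5, or -1 between barrels. */
    private int barrelAt(int x)
    {
        if (x >= 33 && x <= 52)
        {
            return 0;
        }
        if (x >= 67 && x <= 86)
        {
            return 1;
        }
        if (x >= 101 && x <= 121)
        {
            return 2;
        }
        if (x >= 136 && x <= 154)
        {
            return 3;
        }
        if (x >= 170 && x <= 190)
        {
            return 4;
        }
        if (x >= 204 && x <= 222)
        {
            return 5;
        }
        return -1;
    }

    /**
     * Waits until {@code img} is fully loaded. Unlike the original spin loop this
     * also stops when loading failed or was aborted, so a broken image URL cannot
     * hang the painting thread forever.
     */
    private void awaitImage(Image img)
    {
        final int settled = java.awt.image.ImageObserver.ALLBITS
            | java.awt.image.ImageObserver.ERROR
            | java.awt.image.ImageObserver.ABORT;
        while ((checkImage(img, null) & settled) == 0)
        {
            Thread.yield();
        }
    }
}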

Sexy right

2nd class file

package net.cyberarmy.sered;

import java.awt.event.MouseAdapter;
import java.awt.event.MouseEvent;

// Referenced classes of package net.cyberarmy.sered:
//            SafeLockApplet

// Decompiler output for the applet's mouse listener. The class name and the
// constructor name came out empty, so this listing is not valid Java as printed.
// NOTE(review): this looks like the anonymous MouseAdapter created in
// SafeLockApplet.start(), which is compiled into its own .class file - confirm.
private final class  extends MouseAdapter
{

// Forwards the click position to handleClick(int, int); the unqualified call
// presumably resolves to the enclosing SafeLockApplet instance.
public void mouseClicked(MouseEvent e)
{
handleClick(e.getX(), e.getY());
}

// Constructor whose name was lost in decompilation; its body is empty.
()
{
}
}


45 responses to “Cyberarmy – Sered Safe Lock

  1. Also, the two .class files are very much incomplete, they appear to only be empty shells.

    Does this help:

    Completed Sered 2 (from CyberArmy::WWW::Request::User=HASH(0x8e23b68)->session_ip)

    Completed Sered 2 (from CyberArmy::WWW::Request::User=HASH(0x8d1ffac)->session_ip)

  2. it does not help me. whats it mean or where did you get it from. looks almost like someone opened the files with a hex editor and got the http request. or better yet they change what the submit request value to equal the correct value.

  3. It is from a captured site log I think. Got it from old Gen. on the site. That’s the only hint he gave me :c(

  4. The answer is in the checksum. I may be wrong, but the jar file generates a random lock every time; when the right combination is entered, it adds a value based on the checksum to the URL saved in the applet’s parameters. If you can crack the checksum please post it here.

  5. send me your checksum and five hundred million dollars and I’ll crack it for you

  6. hilarious

  7. As the writers said above , you have to decompile the class files. There is a simple encryption with SHA-1 algorithm.

    All you have to do brute force in code .And it is done!!!

    But at gamma phase , things are getting complicated. I’m stuck :$

  8. where’s the encryption?

  9. It ‘s just in the one of the class files in .jar file.
    Decrypt it with a program.

  10. Ok gents. I haven’t had time to look at this for quite some time. I can see where JustWW says its SHA-1. From Safelockapplet.class you can tell it references SHA-1 callings
    Ï Ò could not access  Ô x y barrel SHA-1 Ù java/security/MessageDigest Û
    getInstance 1(Ljava/lang/String;)Ljava/security/MessageDigest; Ý Þ

    And then checks getChecksumWithPrefix …

    From what I gather, something like this was used. Note that nothing is being encrypted here; the input is hashed with a message digest.
    // Generic SHA-1 usage: feed the input bytes to the digest, then read the result.
    MessageDigest oMessageDigest = MessageDigest.getInstance(“SHA-1”);
    oMessageDigest.reset();
    // getBytes() without a charset argument uses the platform default encoding.
    byte[] bPasswordInBytes = sPassword.getBytes();
    oMessageDigest.update(bPasswordInBytes);
    byte[] bPasswordOutBytes = oMessageDigest.digest(); // SHA-1 digest of the input: a one-way hash, not an encrypted string

    http://www.yellowpipe.com/yis/tools/encrypter/index.php is a online SHA-1 decrypter

  11. So.. im curious did you guess at the numbers based on values between the set numbers?

  12. justWW can you be more specific?

  13. ///////////////////////////////////////////
    import java.security.MessageDigest;
    import java.security.NoSuchAlgorithmException;

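    /**
     * Stand-alone copy of the applet's digest routine, with the GUI removed.
     *
     * <p>It reproduces what the decompiled applet computes: the SHA-1 digest of a
     * prefix followed by the six barrel digits as ASCII characters, in lowercase hex.
     * Because this runs without the applet, it shows that the lock's check can be
     * evaluated entirely offline once the class has been decompiled.
     *
     * <p>The typographic quotes introduced by the blog engine are replaced with
     * plain ones so the class compiles.
     */
    class SafeLockApplet
    {
        private final int NUM_BARRELS = 6;

        /** Current digit (0-9) of each barrel; public so a caller can set it directly. */
        public int barrel_values[];

        /** Creates a lock with all six barrels at 0. */
        public SafeLockApplet()
        {
            barrel_values = new int[NUM_BARRELS];
        }

        /**
         * Returns the lowercase hex SHA-1 digest of {@code prefix} followed by the
         * six barrel digits.
         *
         * @param prefix text hashed ahead of the digits
         * @return 40-character hex digest
         * @throws RuntimeException if the runtime offers no SHA-1 implementation
         */
        public String getChecksumWithPrefix(String prefix)
        {
            MessageDigest md;
            try
            {
                md = MessageDigest.getInstance("SHA-1");
            }
            catch (NoSuchAlgorithmException e)
            {
                throw new RuntimeException("Could not find SHA-1 algorithm", e);
            }
            // NOTE(review): getBytes() uses the platform default charset.
            md.update(prefix.getBytes());
            for (int i = 0; i < NUM_BARRELS; i++)
            {
                md.update((byte) (barrel_values[i] + '0'));
            }

            byte[] raw = md.digest();
            StringBuilder hex = new StringBuilder(raw.length * 2);
            for (byte b : raw)
            {
                int unsigned = 0xff & b;
                if (unsigned < 0x10)
                {
                    hex.append('0'); // keep two hex characters per byte
                }
                hex.append(Integer.toHexString(unsigned));
            }
            return hex.toString();
        }
    }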

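    /**
     * Driver that walks every barrel setting from 0 0 0 0 0 0 to 9 9 9 9 9 9 and
     * compares the "LOCKED" digest of each with a checksum pasted into the source.
     *
     * <p>What it demonstrates about the design: the comparison value is published in
     * the page, the digest is unsalted, and six decimal digits give only 10^6
     * candidates, so hashing does not protect the combination. A lock like this
     * needs its comparison done on the server, with attempts limited.
     *
     * <p>The typographic quotes introduced by the blog engine are replaced with
     * plain ones so the class compiles; the loop structure is unchanged.
     */
    class deneme
    {
        /** Prints the matching combination, or returns silently if none matches. */
        public static void main(String args[])
        {
            SafeLockApplet sa = new SafeLockApplet();
            for (int x = 0; x <= 9; x++)
            {
                // Progress line once per value of the first barrel.
                System.out.println("Trying " + x + "…");
                for (int y = 0; y <= 9; y++)
                {
                    for (int z = 0; z <= 9; z++)
                    {
                        for (int k = 0; k <= 9; k++)
                        {
                            for (int l = 0; l <= 9; l++)
                            {
                                for (int m = 0; m <= 9; m++)
                                {
                                    sa.barrel_values[0] = x;
                                    sa.barrel_values[1] = y;
                                    sa.barrel_values[2] = z;
                                    sa.barrel_values[3] = k;
                                    sa.barrel_values[4] = l;
                                    sa.barrel_values[5] = m;
                                    // "typeyourchecksumhere" is the author's placeholder for the
                                    // checksum value taken from the page's applet parameters.
                                    if (sa.getChecksumWithPrefix("LOCKED").equals("typeyourchecksumhere"))
                                    {
                                        System.out.println("Here is your password : " + x + " " + y + " " + z + " " + k + " " + l + " " + m);
                                        return;
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    }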
    ////////////////////////////////////

    Here is the solution. Just paste in the checksum that you can find in the source of the web page, then compile. I don't know how I can be more specific than that 😉 Enjoy…

  14. Just download a macro recorder and create a macro that increases the number starting from 000000. It won’t take any longer than 6 hours on a decent machine. Don’t need to make it more complicated than it is.

  15. Good luck with gamma…

  16. First we need to look in the source code of the website for the checksum that i believe is encrypted (don’t know with what key), then we need to download the java file and decompile it, then i’m stuck, anyone can help me?

  17. Read my post again… you do not need to be a cryptologist or programmer to solve this challenge. Hacking is all about creativity. The easy way is to get a program that will allow your computer to manually solve this challenge. If you want to crack the hash, go for it. If you know how, it wont take you more than a minute to solve.

  18. Can we get the cheat to sered 4???

  19. Was wondering the same thing if this can be done… nice work on the code, worked great!

  20. Juniper can you be more specific to what worked?

    what code?

    From what is posted i can assume that the url will be something like
    http://www.cyberarmy.net/sered/sered2/safe/open?hashcheck

  21. still not figured this one :/

  22. The next one is difficult… steganography is not my strong suit.

  23. SystemCrash don’t understand, i have my checksum but don’t understand what to do with it :/

  24. how to do the macro to input numbers from 000001 to 999999 on the java safe?

  25. anyone did delta? this is stupid =) any ideas?

  26. thejerkoff – First you have to download a macro recorder Jbit Macro is what I used. Then you have to make your own macro manually.

    I’ll upload the macro that I made so that you don’t have to go through that whole process. You’ll just have to place the browser winder with the java applet in the right place on your screen and it’ll work just fine. Download JbitMacro and open my macro with it. Then find the coordinates on your screen that I used in my macro. Then play the macro… and in about 3-7 hours, you’ll have cracked it.

    Actually, you’ll need to check it every hour and click the last button up once… you’ll see what I mean when you play it.

    works.mcr

  27. btw – bubu. I would be glad to help you if you’ll help me out with the beginning of the gamma challenge. I’m on the steganography part. I can do anything… but steganography.

    alert(‘testing123’);

  28. ?sered-beta?help?

  29. plz help me with level beta…?

  30. looks like tyler helped me solve this problem

    http://www.cyberarmy.net/sered/sered3

    http://sered-safe.appspot.com/

    find your hash! and insert there

  31. I have a feeling this next challenge is a hidden message in the gif image.

  32. i got the both classes but wot i should do after ?? confused

  33. Pingback: Sered Beta, Safe part [THEORY] « CyberArmy Sered Discussion

  34. Pingback: Sered Beta, Safe part [Python SOLUTION] « CyberArmy Sered Discussion

  35. Here’s a php source that gives you the solution
    Execute it in command line => php myscript.php

    <?php
    $csum=”26f3ca59cc7faf4e25f86676f76af40ac835f12f”;
    for($a=0;$a<=9;$a++)
    {
    for($b=0;$b<=9;$b++)
    {
    for($c=0;$c<=9;$c++)
    {
    for($d=0;$d<=9;$d++)
    {
    for($e=0;$e<=9;$e++)
    {
    for($f=0;$f

  36. 2nd part of the script

  37. $str=”LOCKED”.$a.$b.$c.$d.$e.$f;
    $test=sha1($str);
    if($test==$csum)
    {
    echo “Code found: “.$a.$b.$c.$d.$e.$f.”\n”;
    exit;
    }

  38. Ok lets make this really easy. First here is a link for Cain&Able – hxxp://www.oxid.it/cain.html
    download cain v4.9.xxx and install it to your pc. If you like security and you are a windows user you should have this tool(Very cool tool). Second Dl Sered2.txt from Rapidshare. This url is hxxp://rapidshare.com/files/199999858/Sered2.txt.html. This file is a dictionary for bruteforcing. 3rd goto the sered webpage and view the source. There will be a crc hash file, copy it and paste it into Cain under cracking and SHA1. then right click the hash and choose dictionary attack. use the sered2.txt file and the password will be cracked in 10 seconds. Very easy…
    also please could someone host the sered2.txt

  39. I’m looking for SystemCrash, or anyone that can help.
    It’s not about Sered, it’s about Macro recorders. I want to learn about them, I can’t seem to be able to find Jbit Macro anywhere, and I need any sample macro file to learn how they wok.
    Thanks.

    btw, I can assist anyone with Sered, if you still need help after reading the thread, post a message after me with your question.

    Regards

  40. You’re looking for systemcrash? Email me and I’ll send you his contact information. That might piss him off, but whatever.

  41. i’ve got my six digit number but what should i do with it???
