Cyberarmy – Sered Safe Lock

Posted on April 24, 2008 | 45 Comments

To beat the Safe @http://www.cyberarmy.net/sered/sered2/safe

You need to look at the source code and notice the java file is exposed.

<P><BR>
<center>
<applet code="net.cyberarmy.sered.SafeLockApplet.class" archive="/includes/sered/safelock2.jar" width=256 height=96>
<param name=background value="http://www.cyberarmy.net/includes/sered/background.jpg">
<param name=checksum value="efb5d7a5db4ff3e9f2882ebae41042b382c59073">
<param name=digits value="http://www.cyberarmy.net/includes/sered/digits.jpg">
<param name=url_base value="http://www.cyberarmy.net/sered/sered2/safe/">
<param name=click value="http://www.cyberarmy.net/includes/sered/click.au">
<./applet>
<./center>

Hence the .jar file is located on the servers here
http://www.cyberarmy.net/includes/sered/safelock2.jar

Download the Jar file and then rename the extension to .zip

This will allow you to see the directories of the jar file and let you extract them.

So go ahead and extract those with winrar and then use a

Then we will probably need to decompile the class file! So lets do it!

Continued August 2nd 2008

Ok so go download http://www.bysoft.se/sureshot/cavaj/index.html

Cavaj Java Decompiler V1.11

When you are done with that .. throw both class files into it.

package net.cyberarmy.sered;

import java.applet.AppletContext;
import java.applet.AudioClip;
import java.awt.*;
import java.awt.event.MouseAdapter;
import java.awt.event.MouseEvent;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import javax.swing.JApplet;
import javax.swing.JRootPane;

public class SafeLockApplet extends JApplet
{

private final int NUM_BARRELS = 6;
private Image digits;
private Image bg;
private int barrel_values[];
private int offsets[];
private String checksum;
private String url_base;
private AudioClip ac;

public SafeLockApplet()
throws HeadlessException
{
}

public void init()
{
String digits_url = getParameter(“digits”);
String background_url = getParameter(“background”);
String click_url = getParameter(“click”);
checksum = getParameter(“checksum”);
url_base = getParameter(“url_base”);
if(digits_url == null)
{
throw new RuntimeException(“digits image not specified”);
}
if(background_url == null)
{
throw new RuntimeException(“background image not specified”);
}
if(click_url == null)
{
throw new RuntimeException(“click sound not specified”);
}
if(checksum == null)
{
throw new RuntimeException(“checksum not specified”);
}
if(url_base == null)
{
throw new RuntimeException(“url_base not specified”);
}
try
{
digits = getToolkit().getImage(new URL(digits_url));
}
catch(MalformedURLException mue)
{
throw new RuntimeException(“malformed digits url”);
}
prepareImage(digits, null);
barrel_values = new int[6];
offsets = new int[6];
for(int i = 0; i < 6; i++)
{
barrel_values[i] = 0;
offsets[i] = (int)(Math.random() * 5D – 2D);
}

try
{
bg = getToolkit().getImage(new URL(background_url));
}
catch(MalformedURLException mue)
{
throw new RuntimeException(“malformed background url”);
}
prepareImage(bg, null);
try
{
ac = JApplet.newAudioClip(new URL(click_url));
}
catch(MalformedURLException e)
{
throw new RuntimeException(“click URL malformed”);
}
}

public void paint(Graphics g)
{
while((checkImage(bg, null) & 0x20) != 32) ;
getRootPane().getContentPane().getGraphics().drawImage(bg, 0, 0, null);
while((checkImage(digits, null) & 0x20) != 32) ;
for(int i = 0; i < 6; i++)
{
getRootPane().getContentPane().getGraphics().drawImage(digits, 34 * i + 28, 25 + offsets[i], 32 + 34 * i + 28, 72 + offsets[i], barrel_values[i] * 32, 0, 32 + barrel_values[i] * 32, 47, null);
}

}

public void start()
{
getRootPane().addMouseListener(new MouseAdapter() {

public void mouseClicked(MouseEvent e)
{
handleClick(e.getX(), e.getY());
}

});
repaint();
}

public void handleClick(int x, int y)
{
int barrel = -1;
if(y >= 12 && y <= 22)
{
if(x >= 33 && x <= 52)
{
barrel = 0;
} else
if(x >= 67 && x <= 86)
{
barrel = 1;
} else
if(x >= 101 && x <= 121)
{
barrel = 2;
} else
if(x >= 136 && x <= 154)
{
barrel = 3;
} else
if(x >= 170 && x <= 190)
{
barrel = 4;
} else
if(x >= 204 && x <= 222)
{
barrel = 5;
}
if(barrel != -1)
{
barrel_values[barrel] = (barrel_values[barrel] + 1) % 10;
}
} else
if(y >= 75 && y <= 83)
{
if(x >= 33 && x <= 52)
{
barrel = 0;
} else
if(x >= 67 && x <= 86)
{
barrel = 1;
} else
if(x >= 101 && x <= 121)
{
barrel = 2;
} else
if(x >= 136 && x <= 154)
{
barrel = 3;
} else
if(x >= 170 && x <= 190)
{
barrel = 4;
} else
if(x >= 204 && x <= 222)
{
barrel = 5;
}
if(barrel != -1)
{
barrel_values[barrel] = (barrel_values[barrel] + 9) % 10;
}
}
if(barrel != -1)
{
ac.play();
offsets[barrel] = (int)(Math.random() * 5D – 2D);
repaint();
if(getChecksumWithPrefix(“LOCKED”).equals(checksum))
{
try
{
getAppletContext().showDocument(new URL(url_base + getChecksumWithPrefix(“OPEN”)));
}
catch(MalformedURLException e)
{
throw new RuntimeException(“could not access ” + url_base + getChecksumWithPrefix(“OPEN”));
}
}
}
}

private String getChecksumWithPrefix(String prefix)
{
MessageDigest md;
try
{
md = MessageDigest.getInstance(“SHA-1”);
}
catch(NoSuchAlgorithmException e)
{
throw new RuntimeException(“Could not find SHA-1 algorithm”);
}
md.update(prefix.getBytes());
for(int i = 0; i < 6; i++)
{
md.update((byte)(barrel_values[i] + 48));
}

byte b[] = md.digest();
StringBuffer hexString = new StringBuffer();
for(int i = 0; i < b.length; i++)
{
String o = Integer.toHexString(0xff & b[i]);
if(o.length() < 2)
{
o = “0” + o;
}
hexString.append(o);
}

String h = hexString.toString();
return hexString.toString();
}
}

Sexy right

2nd class file

package net.cyberarmy.sered;

import java.awt.event.MouseAdapter;
import java.awt.event.MouseEvent;

// Referenced classes of package net.cyberarmy.sered:
// SafeLockApplet

private final class extends MouseAdapter
{

public void mouseClicked(MouseEvent e)
{
handleClick(e.getX(), e.getY());
}

()
{
}
}

This entry was posted in Breaking News. Bookmark the permalink.

45 responses to “Cyberarmy – Sered Safe Lock”

Jeff Archer | May 7, 2008 at 9:35 am | Reply

Also, the two .class files are very much incomplete, they appear to only be empty shells.

Does this help:

Completed Sered 2 (from CyberArmy::WWW::Request::User=HASH(0x8e23b68)->session_ip)

Completed Sered 2 (from CyberArmy::WWW::Request::User=HASH(0x8d1ffac)->session_ip)
dltv | May 8, 2008 at 4:25 am | Reply

it does not help me. whats it mean or where did you get it from. looks almost like someone opened the files with a hex editor and got the http request. or better yet they change what the submit request value to equal the correct value.
Jeff Archer | May 8, 2008 at 6:22 am | Reply

It is from a captured site log I think. Got it from old Gen. on the site. That’s the only hint he gave me :c(
fjasuhv s | July 13, 2008 at 12:51 pm | Reply

The answer is in the cheksum. I may be wrong but the jar files generate a random lock everytime but when the right combination is inserted it adds a value based on the cheksum to the url saved in the applet’s parameters. If you can crack the cheksum please post it here.
anonymous | July 23, 2008 at 2:01 am | Reply

send me your checksum and five hundred million dollars and I’ll crack it for you
fjasuhv s | July 28, 2008 at 12:02 pm | Reply

hilarious
justWW | July 30, 2008 at 7:47 am | Reply

As the writers said above , you have to decompile the class files. There is a simple encryption with SHA-1 algorithm.

All you have to do brute force in code .And it is done!!!

But at gamma phase , things are getting complicated. I’m stuck :$
fjasuhv s | August 1, 2008 at 5:55 pm | Reply

where’s the encryption?
justWW | August 2, 2008 at 7:22 pm | Reply

It ‘s just in the one of the class files in .jar file.
Decrypt it with a program.
dltv | August 2, 2008 at 7:50 pm | Reply

Ok gents. I haven’t had time to look at this for quite some time. I can see where JustWW says its SHA-1. From Safelockapplet.class you can tell it references SHA-1 callings
Ï Ò could not access Ô x y barrel SHA-1 Ù java/security/MessageDigest Û
getInstance 1(Ljava/lang/String;)Ljava/security/MessageDigest; Ý Þ

And then checks getChecksumWithPrefix …

From what i gather…Something like this was used…which you are not encrypting anything instead you are hashing using message digest.
MessageDigest oMessageDigest = MessageDigest.getInstance(“SHA-1”);
oMessageDigest.reset();
byte[] bPasswordInBytes = sPassword.getBytes();
oMessageDigest.update(bPasswordInBytes);
byte[] bPasswordOutBytes = oMessageDigest.digest(); // encrpyted string

http://www.yellowpipe.com/yis/tools/encrypter/index.php is a online SHA-1 decrypter
dltv | August 2, 2008 at 8:38 pm | Reply

So.. im curious did you guess at the numbers based on values between the set numbers?
fjasuhv s | August 7, 2008 at 1:37 pm | Reply

justWW can you be more specific?
justWW | August 14, 2008 at 8:55 am | Reply

///////////////////////////////////////////
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

class SafeLockApplet
{
public SafeLockApplet(){
barrel_values=new int[6];
}
public String getChecksumWithPrefix(String prefix)
{
MessageDigest md;
try
{
md = MessageDigest.getInstance(“SHA-1”);
}
catch(NoSuchAlgorithmException e)
{
throw new RuntimeException(“Could not find SHA-1 algorithm”);
}
md.update(prefix.getBytes());
for(int i = 0; i < 6; i++)
md.update((byte)(barrel_values[i] + 48));

byte b[] = md.digest();
StringBuffer hexString = new StringBuffer();
for(int i = 0; i < b.length; i++)
{
String o = Integer.toHexString(0xff & b[i]);
if(o.length() < 2)
o = “0” + o;
hexString.append(o);
}

String h = hexString.toString();
return hexString.toString();
}

private final int NUM_BARRELS = 6;
public int barrel_values[];
private String checksum;
}

class deneme{
public static void main(String args[]){

SafeLockApplet sa =new SafeLockApplet();
for(int x=0;x<=9;x++){
System.out.println(“Trying ” +x+”…”);
for(int y=0;y<=9;y++){
for(int z=0;z<=9;z++){
for(int k=0;k<=9;k++){
for(int l=0;l<=9;l++){
for(int m=0;m<=9;m++){
sa.barrel_values[0]=x;
sa.barrel_values[1]=y;
sa.barrel_values[2]=z;
sa.barrel_values[3]=k;
sa.barrel_values[4]=l;
sa.barrel_values[5]=m;
if(sa.getChecksumWithPrefix(“LOCKED”).equals(“typeyourchecksumhere”)){
System.out.println(“Here is your password : “+x+” “+y+” “+z+” “+k+” “+l+” “+m);
return;
}
}
}
}
}
}
}
}
}
////////////////////////////////////

Here is the solution. Just write your checksum that you can find source of the web page and compile. I dont know how i can be more specific than that 😉 Enjoy…
SystemCrash | September 9, 2008 at 11:52 pm | Reply

Just download a macro recorder and create a macro that increases the number starting from 000000. It won’t take any longer than 6 hours on a decent machine. Don’t need to make it more complicated than it is.
SystemCrash | September 9, 2008 at 11:53 pm | Reply

Good luck with gamma…
thejerkoff | September 10, 2008 at 6:51 am | Reply

First we need to look in the source code of the website for the checksum that i believe is encrypted (don’t know with what key), then we need to download the java file and decompile it, then i’m stuck, anyone can help me?
SystemCrash | September 11, 2008 at 2:53 am | Reply

Read my post again… you do not need to be a cryptologist or programmer to solve this challenge. Hacking is all about creativity. The easy way is to get a program that will allow your computer to manually solve this challenge. If you want to crack the hash, go for it. If you know how, it wont take you more than a minute to solve.
Null | September 13, 2008 at 4:06 pm | Reply

Can we get the cheat to sered 4???
JunIper | September 13, 2008 at 4:08 pm | Reply

Was wondering the same thing if this can be done… nice work on the code, worked great!
idiot | September 13, 2008 at 4:33 pm | Reply

Juniper can you be more specific to what worked?

what code?

From what is posted i can assume that the url will be something like
http://www.cyberarmy.net/sered/sered2/safe/open?hashcheck
thejerkoff | September 19, 2008 at 7:27 am | Reply

still not figured this one
SystemCrash | September 19, 2008 at 1:44 pm | Reply

Try something more like: http://www.cyberarmy.net/sered/sered2/safe/(hash)
SystemCrash | September 19, 2008 at 1:48 pm | Reply

The next one is difficult… steganography is not my strong suit.
thejerkoff | September 29, 2008 at 7:34 pm | Reply

SystemCrash don’t understand, i have my checksum but don’t understand what to do with it
thejerkoff | September 29, 2008 at 7:39 pm | Reply

how to do the macro to input numbers from 000001 to 999999 on the java safe?
bubu | October 3, 2008 at 10:52 am | Reply

anyone did delta? this is stupid =) any ideas?
SystemCrash | October 6, 2008 at 12:15 am | Reply

thejerkoff – First you have to download a macro recorder Jbit Macro is what I used. Then you have to make your own macro manually.

I’ll upload the macro that I made so that you don’t have to go through that whole process. You’ll just have to place the browser winder with the java applet in the right place on your screen and it’ll work just fine. Download JbitMacro and open my macro with it. Then find the coordinates on your screen that I used in my macro. Then play the macro… and in about 3-7 hours, you’ll have cracked it.

Actually, you’ll need to check it every hour and click the last button up once… you’ll see what I mean when you play it.

works.mcr
SystemCrash | October 6, 2008 at 12:16 am | Reply

hmm…

Yes? … No? …
SystemCrash | October 6, 2008 at 12:20 am | Reply

btw – bubu. I would be glad to help you if you’ll help me out with the beginning of the gamma challenge. I’m on the steganography part. I can do anything… but steganography.

alert(‘testing123’);
? | October 26, 2008 at 10:04 pm | Reply

?sered-beta?help?
? | October 27, 2008 at 10:25 pm | Reply

plz help me with level beta…?
Tyler | December 3, 2008 at 11:00 pm | Reply

One Word. Rainbow
dltv | December 4, 2008 at 5:53 am | Reply

looks like tyler helped me solve this problem

http://www.cyberarmy.net/sered/sered3

http://sered-safe.appspot.com/

find your hash! and insert there
dltv | December 4, 2008 at 5:56 am | Reply

I have a feeling this next challenge is a hidden message in the gif image.
iSad | December 10, 2008 at 8:12 pm | Reply

i got the both classes but wot i should do after ?? confused
Pingback: Sered Beta, Safe part [THEORY] « CyberArmy Sered Discussion
Pingback: Sered Beta, Safe part [Python SOLUTION] « CyberArmy Sered Discussion
A.nonymous | February 14, 2009 at 11:34 am | Reply

Here’s a php source that gives you the solution
Execute it in command line => php myscript.php

<?php
$csum=”26f3ca59cc7faf4e25f86676f76af40ac835f12f”;
for($a=0;$a<=9;$a++)
{
for($b=0;$b<=9;$b++)
{
for($c=0;$c<=9;$c++)
{
for($d=0;$d<=9;$d++)
{
for($e=0;$e<=9;$e++)
{
for($f=0;$f
A.nonymous | February 14, 2009 at 11:34 am | Reply
A.nonymous | February 14, 2009 at 11:35 am | Reply

2nd part of the script
A.nonymous | February 14, 2009 at 11:36 am | Reply

$str=”LOCKED”.$a.$b.$c.$d.$e.$f;
$test=sha1($str);
if($test==$csum)
{
echo “Code found: “.$a.$b.$c.$d.$e.$f.”\n”;
exit;
}
Raslin | February 19, 2009 at 3:21 pm | Reply

Ok lets make this really easy. First here is a link for Cain&Able – hxxp://www.oxid.it/cain.html
download cain v4.9.xxx and install it to your pc. If you like security and you are a windows user you should have this tool(Very cool tool). Second Dl Sered2.txt from Rapidshare. This url is hxxp://rapidshare.com/files/199999858/Sered2.txt.html. This file is a dictionary for bruteforcing. 3rd goto the sered webpage and view the source. There will be a crc hash file, copy it and paste it into Cain under cracking and SHA1. then right click the hash and choose dictionary attack. use the sered2.txt file and the password will be cracked in 10 seconds. Very easy…
also please could someone host the sered2.txt
Looking for SystemCrash | April 1, 2009 at 8:32 am | Reply

I’m looking for SystemCrash, or anyone that can help.
It’s not about Sered, it’s about Macro recorders. I want to learn about them, I can’t seem to be able to find Jbit Macro anywhere, and I need any sample macro file to learn how they wok.
Thanks.

btw, I can assist anyone with Sered, if you still need help after reading the thread, post a message after me with your question.

Regards
X2600 | April 23, 2009 at 10:00 pm | Reply

You’re looking for systemcrash? Email me and I’ll send you his contact information. That might piss him off, but whatever.
Mr. ds | July 16, 2009 at 11:09 am | Reply

i’ve got my six digit number but what should i do with it???