Hackfest 2023: Vaults of Time

Writeup for the “Vaults of Time” challenge created by muemmemlmoehre for the Hackfest CTF 2023.

For this challenge, the file mobile2.apk is provided. And as always, the first step is to decompile the Android application using a software such as JADX:

% jadx mobile1.apk

From the decompiled code, we can see two activities, SecureArea and SecretActivity which are not easily accessible to users. These activities display text from the BTTFQuoteGenerator class.

This generator produces the text character by character in the following way:

public final String generateQuote(Resources resources) {
    Intrinsics.checkNotNullParameter(resources, "resources");
    String randomString = resources.getString(R.string.c);
    Intrinsics.checkNotNullExpressionValue(randomString, "resources.getString(R.string.c)");
    StringBuilder quote = new StringBuilder();
    quote.append(randomString.charAt(6));
    quote.append(randomString.charAt(52));
    quote.append(randomString.charAt(70));
    quote.append(randomString.charAt(42));
    /// ....
    String sb = quote.toString();
    Intrinsics.checkNotNullExpressionValue(sb, "quote.toString()");
    return sb;
}

public final String generateQuote2(Resources resources) {
    Intrinsics.checkNotNullParameter(resources, "resources");
    String randomString = resources.getString(R.string.c);
    Intrinsics.checkNotNullExpressionValue(randomString, "resources.getString(R.string.c)");
    StringBuilder quote = new StringBuilder();
    quote.append(randomString.charAt(55));
    quote.append(randomString.charAt(27));
    quote.append(randomString.charAt(1));
    quote.append(randomString.charAt(33));
    /// ....
    String sb = quote.toString();
    Intrinsics.checkNotNullExpressionValue(sb, "quote.toString()");
    return sb;
}

The variable randomString comes from the XML resources mobile2/resources/res/values/strings.xml

<string name="c">v lj8QHIukUO35PmiTwLoRGBX2N7VAgWMyhK4nYfFts0dzxCprZ.e,q1Jb-D?6c!9;\'EaS’</string>

We have everything we need to reconstruct the two quotes. For instance, with a bit of find and replace, we can copy the code and convert it into a simple Python script that’s easy to execute to obtain the two flags.

quote = ""
randomString = "v lj8QHIukUO35PmiTwLoRGBX2N7VAgWMyhK4nYfFts0dzxCprZ.e,q1Jb-D?6c!9;\'EaS’"

quote += randomString[6]
quote += randomString[52]
quote += randomString[70]
quote += randomString[42]
quote += randomString[1]

# .....

print(quote)

01 - Safeguarded Secrets

He’s a peeping tom!The appropriate question is, ‘When the hell are they’.Marty, you’re beginning to sound just like my mother.Wait, you don’t understand. If you don’t play, there’s no music. If there’s no music, they don’t dance. If they don’t dance, they don’t kiss and fall in love and I’m history.Lorraine! Lorraine, what are you doing?HF-9d35af44df126a0a6825232872251013Yes. Yes. I’m George. George McFly. I’m your density. I mean, your destiny.Jesus, George, it was a wonder I was even born.Roads? Where we’re going, we don’t need roads.Lorraine. My density has brought me to you.Silence, Earthling! My Name Is Darth Vader. I Am An Extraterrestrial From The Planet Vulcan!I noticed your band is on the roster for the dance auditions after school today. Why even bother, McFly? You don’t have a chance! You’re too much like your old man. NO MCFLY EVER AMOUNTED TO ANYTHING IN THE HISTORY OF HILL VALLEY!!!Course! From a group of Lybian Nationalists. They wanted me to build them a bomb, so I took their plutonium and, in turn, I gave them a shiny bomb casing full of used pinball machine parts!You caused 300 bucks damage to my car, you son of a bitch. And I’m gonna take it out of your ass.Because you - you might regret it later in life.Believe me, it makes perfect sense.What if I send it in and they don’t like it? What if they say I’m no good? What if they say ‘Get out of here, kid. You got no future.’? I mean, I just don’t think I can take that kind of rejection. Jesus, I’m starting to sound like my old man! I need a nuclear reaction to generate the 1.21 gigawatts of electricity I need.I swiped it from the old lady’s liquor cabinet.No, I know; you did send me back to the future. But I’m back - I’m back from the future.1.21 Gigawatts!?!Ronald Reagan? The actor? Then who’s vice president? Jerry Lewis? I suppose Jane Wyman is the first lady.The-the-the bruise on your head, I know how that happened. You told me the whole story. You were standing on your toilet and you were hanging a clock, and you fell and you hit your head on the sink. And that’s when you came up with the idea for the flux capacitor.Jeez! You smoke, too?Don’t worry. As long as you hit that wire with the connecting hook at precisely eighty-eight miles per hour the instant the lightning strikes the tower… everything will be fine. Next Saturday night, we’re sending you back to the future!Jesus, Didn’t That Guy Ever Have Hair?I’ve had enough practical jokes for one evening. Good night, future boy!Doc, I’m from the future. I came here in a time machine that you invented. Now I need your help to get back to the year 1985.You bet your ass it works.No wonder your president has to be an actor. He’s gotta look good on television.Why Don’t You Make Like A Tree And Get Outta Here?Wait a minute. Don’t I know you from somewhere?Doc, you gotta listen to me.Oh. One other thing. If you guys ever have kids, and one of them, when he’s eight years old, accidentally sets fire to the living room rug… go easy on him.Hey, Doc. You’d better back up, we don’t have enough road to get up to 88.This is all wrong. I don’t know what it is. But when I kiss you, it’s like I’m kissing my brother. I guess that doesn’t make any sense, does it?So you’re my Uncle Joey. Better get used to these bars, kid.You’ve got a real attitude problem, McFly, you’re a slacker! You remind me of your father when he went here. He was a slacker, too.Dr. Brown, I brought this note back from the future and - now it’s erased.Marty, don’t be such a square. Everybody who’s anybody drinks.1.21 gigawatts! 1.21 gigawatts. Great Scott!It works! It works! I finally invent something that works!I guess you guys aren’t ready for that yet. But your kids are gonna love it.Things have certainly changed around here. I remember when this was all farmland as far as the eye can see! Old Mr. Peabody owned all of this! He had this crazy idea of … breeding pine trees.If you put your mind to it, you can accomplish anything.

HF-9d35af44df126a0a6825232872251013

02 - Hidden Treasure

17 year old Marty McFly got home early last night. 30 years early.He was never in time for his classes… He wasn’t in time for his dinner… Then one day… he wasn’t in his time at all.I’m sure that in 1985, plutonium is available at every corner drugstore, but in 1955 it’s a little hard to come by.Why are things so heavy in the future? Is there a problem with the Earth’s gravitational pull?If my calculations are correct, when this baby hits eighty-eight miles per hour… you’re gonna see some serious shit. HF-cbbcde2764234734cba92255b009aa3dGreat Scott!Traveling through time has become much too painful.The way I see it, if you’re going to build a time machine into a car, why not do it with some style? Of course, it’s erased! - But what does that mean?I’m your density. I mean, your destiny.This Is Heavy!Last night, Darth Vader came down from Planet Vulcan and told me that if I didn’t take Lorraine out, that he’d melt my brain. Where are my pants? - Over there, on my hope chest.Time traveling is just too dangerous. Better that I devote myself to study the other great mystery of the universe - women!Marty, you can’t go losing your judgment every time someone calls you a name. That’s exactly what causes you to get into that accident in the future.Oh, this is heavy, Doc. I mean, it’s like I was just here yesterday.Since when can weathermen predict the weather, let alone the future?Well, there are plenty worse places to be than the Old West. I could’ve ended up in the Dark Ages. They probably would have burned me at the stake as a heretic or something.Wait a minute. Wait a minute Doc, uh, are you telling me you built a time machine … out of a DeLorean?Doc, you don’t just walk into a store and buy plutonium! Did you rip that off?No! It can’t be; I just sent you back to the future!You want a Pepsi, pal, you’re gonna pay for it.What the hell is a gigawatt?Whatever you’ve got to tell me, I’ll find out through the natural course of time.Oh my god. They found me; I don’t know how but they found me. RUN FOR IT, MARTY!!Doc, about the future…Calvin? Wh… Why do you keep calling me Calvin? - Well, that is your name, isn’t it? Calvin Klein? It’s written all over your underwear.No! Marty! We’ve already agreed that having information about the future can be extremely dangerous. Even if your intentions are good, it can backfire drastically!There’s that word again. ‘Heavy.’ Why are things so heavy in the future? Is there a problem with the Earth’s gravitational pull?Since you’re new here, I’m gonna cut you a break… today. So, why don’t you make like a tree and get out of here?Hey, you! Get your damn hands off her!What happens to us in the future? Do we become assholes or something?It’s gonna be really hard waiting 30 years before I can talk to you about everything that’s happened in the past few days. I’m really gonna miss you, Marty.That I’m gonna have a chance to travel through time!I’ve never seen purple underwear before.What - what the hell is a gigawatt?You know, Marty, I’m gonna be very sad to see you go. You’ve really made a difference in my life. You’ve given me something to shoot for. Just knowing that I’m going to be around to see 1985. That I’m gonna succeed in this!Your future hasn’t been written yet. No one’s has. Your future is whatever you make it. So make it a good one.Then tell me, future boy, who’s President of the United States in 1985?He’s an idiot. Comes from upbringing. His parents are probably idiots, too. Lorraine, you ever have a kid who acts that way, I’ll disown you.I Hate Manure!Yeah, well, history is gonna change.Wait a minute, Doc, are you telling me that my mother has got the hots for me?He’s a peeping tom!The appropriate question is, ‘When the hell are they’.

HF-cbbcde2764234734cba92255b009aa3d