Ph0wn 2018 - Healing the Toothbrush 1


Category: Reverse

Challenge description

This challenge was based on the famous smart toothbrush of @cryptax / Axelle Apvrille!

Ph0wn aliens have abducted my smart toothbrush. My toothbrush has hidden this horrible episode far in its subconscious mind, but I know encrypted memories of the event are still there… My psychiatrist tells me I need to get my toothbrush talk, that it will help it heal.

To do so, the psychiatrist advises, as a first step, to find the decryption key to those events. This key is hidden within the official Android application (sha256: df8956a138a05230fb26be27a22dc767775b55b1d2250be25aa899c8bbee53b9).

My psychiatrist provides the following information:

Important :

Author: cryptax

Challenge resolution

We used the usual unzip, dex2jar and JD-GUI/Procyon tools to reverse the Java code of the app.

We were told to look for the BrushEvent class. There was a false lead with hexadecimal values that looked promising but were actually client_id and client_secret values for OAuth.

We then decided to simply look for “crypt” in all the files and indeed it was a good idea :wink:

As a bonus we found the exact encryption algorithm: AES, in ECB mode, without padding. We kept this in mind for the second stage.

Author: cnotin Clément Notin | @cnotin

Post date: 2018-12-16