Challenge 66 ☆☆☆☆☆

Welcome to Challenge 66.

Hiding in binaries part 7: the obfuscated Java CLI

Obfuscation might slow someone down, but it does not stop them from recovering embedded secrets. Can you find the harder secret in our obfuscated Java CLI?

To solve it:

  1. Download and inspect wrongsecrets-java-obfuscated.jar.

  2. Decompile the JAR with a Java decompiler such as CFR, JADX, or IntelliJ IDEA and trace the main class.

  3. Look for the encoded byte array, XOR key, and helper methods that reconstruct the secret at runtime.

  4. Once you recover the secret, submit it with java -jar wrongsecrets-java-obfuscated.jar <your answer>.

💡 Tip: Secrets are often strings, numbers, or encoded values. Copy and paste exactly what you find.

This challenge uses an obfuscated Java CLI JAR.

You can solve it as follows:

  1. Find where the obfuscated data lives:

    • Download wrongsecrets-java-obfuscated.jar.

    • Run jar tf wrongsecrets-java-obfuscated.jar and locate io/github/owasp/wrongsecrets/WrongSecretsObfuscated.class.

    • Open that class in CFR, JADX, IntelliJ IDEA, or another decompiler.

    • Look for the static fields that hold the XOR key and the encoded secret bytes.

  2. Inspect the exact decoding logic:

    • Run javap -c -p -classpath wrongsecrets-java-obfuscated.jar io.github.owasp.wrongsecrets.WrongSecretsObfuscated.

    • In the output, find the static { … } block that fills XOR_KEY_CHARS and ENCODED_SECRET.

    • Then find decodeSecret() and note that each encoded byte is XORed with one byte from the key, repeating the key with modulo arithmetic.

  3. Rebuild the secret yourself:

    • Convert the XOR_KEY_CHARS values into bytes.

    • Copy the ENCODED_SECRET byte values from the bytecode or decompiled source.

    • XOR each encoded byte with the matching key byte, wrapping around when you reach the end of the key.

    • Decode the resulting byte array as UTF-8 to recover the secret, then submit that value as the answer.
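Steps 2 and 3 as a script, added here as an example (it is not part of the challenge or the WrongSecrets code base): it reads the two arrays out of a javap -c listing and applies the repeating-key XOR. It assumes the static block fills each array element by element with constant pushes followed by castore/bastore; the listing, its offsets, constant-pool indexes and values are constructed and do not come from the real JAR.

```python
import re

PUSH = re.compile(r"\s*\d+:\s+(?:[bs]ipush\s+(-?\d+)|iconst_(m1|\d))\s*$")
STORE = re.compile(r"\s*\d+:\s+[bc]astore\b")
FIELD = re.compile(r"\s*\d+:\s+putstatic\b.*// Field (\w+):\[[BC]")

def parse_static_arrays(javap_text):
    """Map field name -> int list, read from constant array stores in `javap -c` output."""
    fields, stack, cells = {}, [], {}
    for line in javap_text.splitlines():
        if m := PUSH.match(line):
            stack.append(-1 if m[2] == "m1" else int(m[1] or m[2]))
        elif STORE.match(line) and len(stack) >= 2:
            cells[stack[-2]] = stack[-1]  # operands are pushed as index, then value
        elif m := FIELD.match(line):  # array complete: bind it to the field, start over
            fields[m[1]], stack, cells = [cells[i] for i in sorted(cells)], [], {}
    return fields

def xor_decode(encoded, key):  # key repeats modulo its length; & 0xFF folds signed Java bytes
    return bytes((b ^ key[i % len(key)]) & 0xFF for i, b in enumerate(encoded)).decode("utf-8")

# Constructed listing (NOT from the real JAR): 2-char key, 3 encoded bytes.
SAMPLE = """\
       0: iconst_2
       1: newarray       char
       3: dup
       4: iconst_0
       5: bipush        107
       7: castore
       8: dup
       9: iconst_1
      10: bipush        51
      12: castore
      13: putstatic     #7                  // Field XOR_KEY_CHARS:[C
      16: iconst_3
      17: newarray       byte
      19: dup
      20: iconst_0
      21: bipush        4
      23: bastore
      24: dup
      25: iconst_1
      26: bipush        88
      28: bastore
      29: dup
      30: iconst_2
      31: bipush        74
      33: bastore
      34: putstatic     #13                 // Field ENCODED_SECRET:[B
"""
```

To use it on the challenge, replace SAMPLE with the static block from your own javap output, call parse_static_arrays on it, and pass the ENCODED_SECRET and XOR_KEY_CHARS lists to xor_decode.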

Why obfuscation is only a speed bump.

Encoding, reflection, and light obfuscation can make reverse engineering less convenient, but they do not create real secrecy. The executable still contains everything it needs to recover the secret.

If the application can derive the secret locally, a determined attacker can do the same. Protect secrets by moving trust decisions and secret material to controlled server-side systems.