more

trivial_flag_transfer_protocol/_program.deb.extracted/5A2.d/usr/share/doc/steghide/BUGS

@@ -0,0 +1,10 @@
+
+* .au mu-law audio data is treated as linear 8 bit unsigned value in the neighbourhood relation (with radius 1).
+  The neighbourhood relation should be defined with respect to the logarithmic nature of mu-law data.
+
+* steghide uses the classes hash_set and hash_map from sgi's implementation of
+  the standard template library. These two classes are not part of the official
+  C++ standard but part of the GNU's libstdc++. If you happen to be on a system
+  that does not include theses classes you won't be able to compile steghide.
+
+If you find a bug, please tell me (shetzl@chello.at) about it.

trivial_flag_transfer_protocol/_program.deb.extracted/5A2.d/usr/share/doc/steghide/CREDITS

@@ -0,0 +1,17 @@
+Stefan Hetzl <shetzl@chello.at>             author, maintainer
+
+I would like to thank...
+
+Petra Mutzel <mutzel@ads.tuwien.ac.at>             for being a great guide trough graph theory
+Christine Pippan <christine_pippan@chello.at>      for designing the logo
+Trimbitas Sorin <lacroix-iv@go.ro>                 romanian translation
+Alberto A. Schiano <chanio@users.sourceforge.net>  spanish translation
+Cedric Gross <cgross@wanadoo.fr>                   french translation
+Julien Catanese <julien_catanese@yahoo.fr>         french translation
+Tilman Linneweh <arved@freebsd.org>                freebsd port
+Rasputin <rara.rasputin@virgin.net>                freebsd port
+Brian Russo <wolfie@debian.org>                    debian package
+Guenter Bechly <gbechly@gmx.de>                    debian package
+
+and numerous others who have contributed by sending bug reports
+or interesting suggestions.

trivial_flag_transfer_protocol/_program.deb.extracted/5A2.d/usr/share/doc/steghide/HISTORY

@@ -0,0 +1,122 @@
+steghide 0.5.1 :
+================
+
+* new algorithm that maintains first-order statistics for all file formats
+
+* support for all types of jpeg files (using libjpeg)
+
+* compression of embedded data (using zlib)
+
+* use of permutation as distribution function
+
+* a 'info' command to display the information about a cover- or stego- file (including it's capacity)
+
+* random data can be taken from /dev/urandom
+
+* spanish translation
+
+* romanian translation
+
+
+steghide 0.4.6b :
+=================
+
+* bugfix (did not compile on some systems)
+
+
+steghide 0.4.6 :
+================
+
+* support for the jpeg file format
+
+* switched from C to C++ (partial rewrite)
+
+* bugfixes	
+
+
+steghide 0.4.5 :
+================
+
+* internationalization (GNU gettext)
+
+* german locale
+
+* french locale
+
+
+steghide 0.4.4 :
+================
+
+* performance rewrite of memory management code
+
+
+steghide 0.4.3 :
+================
+
+* support for crc32 checksum of the plain data
+
+* switch to enable/disable embedding of plain file name
+
+* rewrite of some parts
+
+
+steghide 0.4.2 :
+================
+
+* interval length defaults to the maximum possible
+
+* verbosity, quiet and force switches
+
+* prompt for passphrase if not given on command line
+
+
+steghide 0.4.1 :
+================
+
+* more secure embedding algorithm
+
+* libmcrypt is used for encryption
+
+* libmhash is used for hashing
+
+* command line syntax revision
+
+* reorganisation and partial rewrite
+
+* bugfixes
+
+
+steghide 0.3 :
+==============
+
+* blowfish encryption
+
+* md5 for generating 128 bit keys from passphrase
+
+* autconf and automake
+
+* rpm packages
+
+* support for au files
+
+* man page
+
+* interactive mode
+
+* command line syntax revision
+
+* fixed a bug that prevented the use of stdin as cover or stego data stream
+
+
+steghide 0.2 :
+==============
+
+* support for wav (pcm) files
+
+* support for bmp files that use color tables
+
+* support for OS/2 1.x bmp files
+
+* file format auto-detection
+
+* internal changes (better buffer-management)

trivial_flag_transfer_protocol/_program.deb.extracted/5A2.d/usr/share/doc/steghide/TODO

@@ -0,0 +1,27 @@
+These are things that I plan to implement in the future:
+
+* partition code into library and frontend
+
+* graphical user interface
+
+* user-friendly installer for Windows version (InnoSetup)
+
+* use libaudiofile for audio file format support
+
+* make embedding data in audio cds possible (embed markers for synchronization)
+
+* rewrite memory management such that cover-/stego-file must no longer be kept in memory as a whole
+
+* support for other file formats (mp3, png, gif, avi)
+
+* user's guide (sgml?, docbook?, gnu texinfo?)
+
+* support for RLE-encoded bmps
+
+* matrix encoding
+
+? support for spreading one secret file into a set of >= 1 cover files
+
+? support for embedding more than one message into one cover file (different passphrases)
+
+? allow PGP encryption of embedded data (gpgme?)

trivial_flag_transfer_protocol/_program.deb.extracted/5A2.d/usr/share/doc/steghide/copyright

@@ -0,0 +1,28 @@
+This package was debianized by Dr. Guenter Bechly <gbechly@debian.org> on
+Mon,  1 Jan 2001 20:24:27 +0100.
+
+It was downloaded from
+	http://steghide.sourceforge.net/download/
+
+Upstream Author:
+	Stefan Hetzl <shetzl@teleweb.at>
+
+Copyright: GPL
+
+This software is copyright (c) by Stefan Hetzl
+
+ This program is free software; you can redistribute it and/or
+ modify it under the terms of the GNU General Public License
+ as published by the Free Software Foundation; either version 2
+ of the License, or (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ with your Debian GNU system, in /usr/share/common-licenses/GPL, or
+ with the Debian GNU steghide source package as the file COPYING. If
+ not, write to the Free Software Foundation, Inc., 51 Franklin St,
+ Fifth Floor, Boston, MA 02110-1301, USA.

trivial_flag_transfer_protocol/_program.deb.extracted/84.d/control

@@ -0,0 +1,18 @@
+Package: steghide
+Source: steghide (0.5.1-9.1)
+Version: 0.5.1-9.1+b1
+Architecture: amd64
+Maintainer: Ola Lundqvist <opal@debian.org>
+Installed-Size: 426
+Depends: libc6 (>= 2.2.5), libgcc1 (>= 1:4.1.1), libjpeg62-turbo (>= 1:1.3.1), libmcrypt4, libmhash2, libstdc++6 (>= 4.9), zlib1g (>= 1:1.1.4)
+Section: misc
+Priority: optional
+Description: A steganography hiding tool
+ Steghide is steganography program which hides bits of a data file
+ in some of the least significant bits of another file in such a way
+ that the existence of the data file is not visible and cannot be proven.
+ .
+ Steghide is designed to be portable and configurable and features hiding
+ data in bmp, wav and au files, blowfish encryption, MD5 hashing of
+ passphrases to blowfish keys, and pseudo-random distribution of hidden bits
+ in the container data.

trivial_flag_transfer_protocol/_program.deb.extracted/84.d/md5sums

@@ -0,0 +1,17 @@
+71bdab1263ab4b8d28f34afa5f0ab121  usr/bin/steghide
+11db80c2a5dbb9c6107853b08aeacc49  usr/share/doc/steghide/ABOUT-NLS.gz
+57deb17212483b49f89587180d4d67d4  usr/share/doc/steghide/BUGS
+72c7831222483f5c6d96ac2a8ca7ad48  usr/share/doc/steghide/CREDITS
+adbb29f44a5e5eefda3c3d756cc15ab1  usr/share/doc/steghide/HISTORY
+fe7cac39a1a1ef0975d24dfcf02f09b7  usr/share/doc/steghide/LEAME.gz
+85587b9213ca2301eb450aad574d5f87  usr/share/doc/steghide/README.gz
+a9e03fa8166b8fa918c81db1855b68d1  usr/share/doc/steghide/TODO
+09d7710e276a06c4a3f3bc81b3b86a41  usr/share/doc/steghide/changelog.Debian.amd64.gz
+e454b20fdc2208f8170e28b90b6d43f7  usr/share/doc/steghide/changelog.Debian.gz
+1a2e10366a3a55d7a4cb5fc3c87a6bf7  usr/share/doc/steghide/changelog.gz
+df8c0ea893b3f6f64a917824c6c9d224  usr/share/doc/steghide/copyright
+fc53645374c583f11f628331be710d9a  usr/share/locale/de/LC_MESSAGES/steghide.mo
+b8ceabc96f9bffd9157103e1a86be33f  usr/share/locale/es/LC_MESSAGES/steghide.mo
+87ee9a19bb49b217dad67b5a889bb1d1  usr/share/locale/fr/LC_MESSAGES/steghide.mo
+dbc3a8e974ccf7e91da81aca4a5c1605  usr/share/locale/ro/LC_MESSAGES/steghide.mo
+921a5afd279097e4ed359ce3767068f5  usr/share/man/man1/steghide.1.gz

trivial_flag_transfer_protocol/flag.txt

@@ -0,0 +1 @@
+picoCTF{h1dd3n_1n_pLa1n_51GHT_18375919}

trivial_flag_transfer_protocol/instructions.txt

@@ -0,0 +1 @@
+GSGCQBRFAGRAPELCGBHEGENSSVPFBJRZHFGQVFTHVFRBHESYNTGENAFSRE.SVTHERBHGNJNLGBUVQRGURSYNTNAQVJVYYPURPXONPXSBEGURCYNA

trivial_flag_transfer_protocol/plan

@@ -0,0 +1 @@
+VHFRQGURCEBTENZNAQUVQVGJVGU-QHRQVYVTRAPR.PURPXBHGGURCUBGBF

vault-door-1/VaultDoor1.java

@@ -0,0 +1,57 @@
+import java.util.*;
+
+class VaultDoor1 {
+    public static void main(String args[]) {
+        VaultDoor1 vaultDoor = new VaultDoor1();
+        Scanner scanner = new Scanner(System.in);
+        System.out.print("Enter vault password: ");
+	String userInput = scanner.next();
+	String input = userInput.substring("picoCTF{".length(),userInput.length()-1);
+	if (vaultDoor.checkPassword(input)) {
+	    System.out.println("Access granted.");
+	} else {
+	    System.out.println("Access denied!");
+	}
+    }
+
+    // I came up with a more secure way to check the password without putting
+    // the password itself in the source code. I think this is going to be
+    // UNHACKABLE!! I hope Dr. Evil agrees...
+    //
+    // -Minion #8728
+    public boolean checkPassword(String password) {
+        return password.length() == 32 &&
+               password.charAt(0)  == 'd' &&
+               password.charAt(29) == '3' &&
+               password.charAt(4)  == 'r' &&
+               password.charAt(2)  == '5' &&
+               password.charAt(23) == 'r' &&
+               password.charAt(3)  == 'c' &&
+               password.charAt(17) == '4' &&
+               password.charAt(1)  == '3' &&
+               password.charAt(7)  == 'b' &&
+               password.charAt(10) == '_' &&
+               password.charAt(5)  == '4' &&
+               password.charAt(9)  == '3' &&
+               password.charAt(11) == 't' &&
+               password.charAt(15) == 'c' &&
+               password.charAt(8)  == 'l' &&
+               password.charAt(12) == 'H' &&
+               password.charAt(20) == 'c' &&
+               password.charAt(14) == '_' &&
+               password.charAt(6)  == 'm' &&
+               password.charAt(24) == '5' &&
+               password.charAt(18) == 'r' &&
+               password.charAt(13) == '3' &&
+               password.charAt(19) == '4' &&
+               password.charAt(21) == 'T' &&
+               password.charAt(16) == 'H' &&
+               password.charAt(27) == 'f' &&
+               password.charAt(30) == 'b' &&
+               password.charAt(25) == '_' &&
+               password.charAt(22) == '3' &&
+               password.charAt(28) == '6' &&
+               password.charAt(26) == 'f' &&
+               password.charAt(31) == '0';
+    }
+}

vault-door-1/sol.py

@@ -0,0 +1,41 @@
+#!/home/maxime/.pyvenv/bin/python3
+
+S = '''
+               password.charAt(0)  == 'd' &&
+               password.charAt(1)  == '3' &&
+               password.charAt(2)  == '5' &&
+               password.charAt(3)  == 'c' &&
+               password.charAt(4)  == 'r' &&
+               password.charAt(5)  == '4' &&
+               password.charAt(7)  == 'b' &&
+               password.charAt(17) == '4' &&
+               password.charAt(23) == 'r' &&
+               password.charAt(29) == '3' &&
+               password.charAt(10) == '_' &&
+               password.charAt(9)  == '3' &&
+               password.charAt(11) == 't' &&
+               password.charAt(15) == 'c' &&
+               password.charAt(8)  == 'l' &&
+               password.charAt(12) == 'H' &&
+               password.charAt(20) == 'c' &&
+               password.charAt(14) == '_' &&
+               password.charAt(6)  == 'm' &&
+               password.charAt(24) == '5' &&
+               password.charAt(18) == 'r' &&
+               password.charAt(13) == '3' &&
+               password.charAt(19) == '4' &&
+               password.charAt(21) == 'T' &&
+               password.charAt(16) == 'H' &&
+               password.charAt(27) == 'f' &&
+               password.charAt(30) == 'b' &&
+               password.charAt(25) == '_' &&
+               password.charAt(22) == '3' &&
+               password.charAt(28) == '6' &&
+               password.charAt(26) == 'f' &&
+               password.charAt(31) == '0'
+ '''
+
+l = list(map(lambda a: [int(a[0]), a[1]], map(lambda a: a.strip().replace("  ", ' ').split(' '), S.strip().replace("password.charAt(", '').replace(')', '').replace(" &&", '').replace("== ", '').splitlines())))
+l.sort()
+print(''.join(map(lambda a: a[1].replace('\'', ''), l)))
+

vault-door-3/VaultDoor3.java

@@ -0,0 +1,44 @@
+import java.util.*;
+
+class VaultDoor3 {
+    public static void main(String args[]) {
+        VaultDoor3 vaultDoor = new VaultDoor3();
+        Scanner scanner = new Scanner(System.in);
+        System.out.print("Enter vault password: ");
+        String userInput = scanner.next();
+	String input = userInput.substring("picoCTF{".length(),userInput.length()-1);
+	if (vaultDoor.checkPassword(input)) {
+	    System.out.println("Access granted.");
+	} else {
+	    System.out.println("Access denied!");
+        }
+    }
+
+    // Our security monitoring team has noticed some intrusions on some of the
+    // less secure doors. Dr. Evil has asked me specifically to build a stronger
+    // vault door to protect his Doomsday plans. I just *know* this door will
+    // keep all of those nosy agents out of our business. Mwa ha!
+    //
+    // -Minion #2671
+    public boolean checkPassword(String password) {
+        if (password.length() != 32) {
+            return false;
+        }
+        char[] buffer = new char[32];
+        int i;
+        for (i=0; i<8; i++) {
+            buffer[i] = password.charAt(i);
+        }
+        for (; i<16; i++) {
+            buffer[i] = password.charAt(23-i);
+        }
+        for (; i<32; i+=2) {
+            buffer[i] = password.charAt(46-i);
+        }
+        for (i=31; i>=17; i-=2) {
+            buffer[i] = password.charAt(i);
+        }
+        String s = new String(buffer);
+        return s.equals("jU5t_a_sna_3lpm18gb41_u_4_mfr340");
+    }
+}

vault-door-3/sol.py

@@ -0,0 +1,19 @@
+#!/home/maxime/.pyvenv/bin/python3
+S = "jU5t_a_sna_3lpm18gb41_u_4_mfr340"
+
+flag = ['']*32
+
+for i in range(31, 16, -2):
+    flag[i] = S[i]
+
+for i in range(16, 32, 2):
+    flag[46-i] = S[i]
+
+for i in range(8, 16):
+    flag[23-i] = S[i]
+
+for i in range(8):
+    flag[i] = S[i]
+
+print(''.join(flag))
+

vault-door-4/VaultDoor4.java

@@ -0,0 +1,45 @@
+import java.util.*;
+
+class VaultDoor4 {
+    public static void main(String args[]) {
+        VaultDoor4 vaultDoor = new VaultDoor4();
+        Scanner scanner = new Scanner(System.in);
+        System.out.print("Enter vault password: ");
+        String userInput = scanner.next();
+	String input = userInput.substring("picoCTF{".length(),userInput.length()-1);
+	if (vaultDoor.checkPassword(input)) {
+	    System.out.println("Access granted.");
+	} else {
+	    System.out.println("Access denied!");
+        }
+    }
+
+    // I made myself dizzy converting all of these numbers into different bases,
+    // so I just *know* that this vault will be impenetrable. This will make Dr.
+    // Evil like me better than all of the other minions--especially Minion
+    // #5620--I just know it!
+    //
+    //  .:::.   .:::.
+    // :::::::.:::::::
+    // :::::::::::::::
+    // ':::::::::::::'
+    //   ':::::::::'
+    //     ':::::'
+    //       ':'
+    // -Minion #7781
+    public boolean checkPassword(String password) {
+        byte[] passBytes = password.getBytes();
+        byte[] myBytes = {
+            106 , 85  , 53  , 116 , 95  , 52  , 95  , 98  ,
+            0x55, 0x6e, 0x43, 0x68, 0x5f, 0x30, 0x66, 0x5f,
+            0142, 0131, 0164, 063 , 0163, 0137, 0143, 061 ,
+            '9' , '4' , 'f' , '7' , '4' , '5' , '8' , 'e' ,
+        };
+        for (int i=0; i<32; i++) {
+            if (passBytes[i] != myBytes[i]) {
+                return false;
+            }
+        }
+        return true;
+    }
+}

vault-door-4/sol.py

@@ -0,0 +1,14 @@
+#!/home/maxime/.pyvenv/bin/python3
+
+row_1 = [106 , 85  , 53  , 116 , 95  , 52  , 95  , 98]
+row_2 = [0x55, 0x6e, 0x43, 0x68, 0x5f, 0x30, 0x66, 0x5f]
+row_3 = [0o142, 0o131, 0o164, 0o63 , 0o163, 0o137, 0o143, 0o61]
+row_4 = ['9' , '4' , 'f' , '7' , '4' , '5' , '8' , 'e']
+
+print(''.join(
+    list(map(lambda a: chr(a), row_1)) +
+    list(map(lambda a: chr(a), row_2)) + 
+    list(map(lambda a: chr(a), row_3)) +
+    row_4
+))
+

vault-door-5/VaultDoor5.java

@@ -0,0 +1,49 @@
+import java.net.URLDecoder;
+import java.util.*;
+
+class VaultDoor5 {
+    public static void main(String args[]) {
+        VaultDoor5 vaultDoor = new VaultDoor5();
+        Scanner scanner = new Scanner(System.in);
+        System.out.print("Enter vault password: ");
+        String userInput = scanner.next();
+	String input = userInput.substring("picoCTF{".length(),userInput.length()-1);
+	if (vaultDoor.checkPassword(input)) {
+	    System.out.println("Access granted.");
+	} else {
+	    System.out.println("Access denied!");
+        }
+    }
+
+    // Minion #7781 used base 8 and base 16, but this is base 64, which is
+    // like... eight times stronger, right? Riiigghtt? Well that's what my twin
+    // brother Minion #2415 says, anyway.
+    //
+    // -Minion #2414
+    public String base64Encode(byte[] input) {
+        return Base64.getEncoder().encodeToString(input);
+    }
+
+    // URL encoding is meant for web pages, so any double agent spies who steal
+    // our source code will think this is a web site or something, defintely not
+    // vault door! Oh wait, should I have not said that in a source code
+    // comment?
+    //
+    // -Minion #2415
+    public String urlEncode(byte[] input) {
+        StringBuffer buf = new StringBuffer();
+        for (int i=0; i<input.length; i++) {
+            buf.append(String.format("%%%2x", input[i]));
+        }
+        return buf.toString();
+    }
+
+    public boolean checkPassword(String password) {
+        String urlEncoded = urlEncode(password.getBytes());
+        String base64Encoded = base64Encode(urlEncoded.getBytes());
+        String expected = "JTYzJTMwJTZlJTc2JTMzJTcyJTc0JTMxJTZlJTY3JTVm"
+                        + "JTY2JTcyJTMwJTZkJTVmJTYyJTYxJTM1JTY1JTVmJTM2"
+                        + "JTM0JTVmJTMwJTYyJTM5JTM1JTM3JTYzJTM0JTY2";
+        return base64Encoded.equals(expected);
+    }
+}

vault-door-5/sol.py

@@ -0,0 +1,9 @@
+#!/home/maxime/.pyvenv/bin/python3
+from base64 import b64decode
+from urllib.parse import unquote
+
+S = "JTYzJTMwJTZlJTc2JTMzJTcyJTc0JTMxJTZlJTY3JTVm" + "JTY2JTcyJTMwJTZkJTVmJTYyJTYxJTM1JTY1JTVmJTM2" + "JTM0JTVmJTMwJTYyJTM5JTM1JTM3JTYzJTM0JTY2"
+S = b64decode(S)
+S = unquote(S)
+print(S)
+

vault-door-6/VaultDoor6.java

@@ -0,0 +1,42 @@
+import java.util.*;
+
+class VaultDoor6 {
+    public static void main(String args[]) {
+        VaultDoor6 vaultDoor = new VaultDoor6();
+        Scanner scanner = new Scanner(System.in);
+        System.out.print("Enter vault password: ");
+        String userInput = scanner.next();
+	String input = userInput.substring("picoCTF{".length(),userInput.length()-1);
+	if (vaultDoor.checkPassword(input)) {
+	    System.out.println("Access granted.");
+	} else {
+	    System.out.println("Access denied!");
+        }
+    }
+
+    // Dr. Evil gave me a book called Applied Cryptography by Bruce Schneier,
+    // and I learned this really cool encryption system. This will be the
+    // strongest vault door in Dr. Evil's entire evil volcano compound for sure!
+    // Well, I didn't exactly read the *whole* book, but I'm sure there's
+    // nothing important in the last 750 pages.
+    //
+    // -Minion #3091
+    public boolean checkPassword(String password) {
+        if (password.length() != 32) {
+            return false;
+        }
+        byte[] passBytes = password.getBytes();
+        byte[] myBytes = {
+            0x3b, 0x65, 0x21, 0xa , 0x38, 0x0 , 0x36, 0x1d,
+            0xa , 0x3d, 0x61, 0x27, 0x11, 0x66, 0x27, 0xa ,
+            0x21, 0x1d, 0x61, 0x3b, 0xa , 0x2d, 0x65, 0x27,
+            0xa , 0x6c, 0x60, 0x37, 0x30, 0x60, 0x31, 0x36,
+        };
+        for (int i=0; i<32; i++) {
+            if (((passBytes[i] ^ 0x55) - myBytes[i]) != 0) {
+                return false;
+            }
+        }
+        return true;
+    }
+}

vault-door-6/sol.py

@@ -0,0 +1,9 @@
+#!/home/maxime/.pyvenv/bin/python3
+
+B = [0x3b, 0x65, 0x21, 0xa , 0x38, 0x0 , 0x36, 0x1d,
+     0xa , 0x3d, 0x61, 0x27, 0x11, 0x66, 0x27, 0xa ,
+     0x21, 0x1d, 0x61, 0x3b, 0xa , 0x2d, 0x65, 0x27,
+     0xa , 0x6c, 0x60, 0x37, 0x30, 0x60, 0x31, 0x36]
+
+print(''.join(map(lambda a: chr(a^0x55), B)))
+

vault-door-7/VaultDoor7.java

@@ -0,0 +1,67 @@
+import java.util.*;
+import javax.crypto.Cipher;
+import javax.crypto.spec.SecretKeySpec;
+import java.security.*;
+
+class VaultDoor7 {
+    public static void main(String args[]) {
+        VaultDoor7 vaultDoor = new VaultDoor7();
+        Scanner scanner = new Scanner(System.in);
+        System.out.print("Enter vault password: ");
+        String userInput = scanner.next();
+	String input = userInput.substring("picoCTF{".length(),userInput.length()-1);
+	if (vaultDoor.checkPassword(input)) {
+	    System.out.println("Access granted.");
+	} else {
+	    System.out.println("Access denied!");
+        }
+    }
+
+    // Each character can be represented as a byte value using its
+    // ASCII encoding. Each byte contains 8 bits, and an int contains
+    // 32 bits, so we can "pack" 4 bytes into a single int. Here's an
+    // example: if the hex string is "01ab", then those can be
+    // represented as the bytes {0x30, 0x31, 0x61, 0x62}. When those
+    // bytes are represented as binary, they are:
+    //
+    // 0x30: 00110000
+    // 0x31: 00110001
+    // 0x61: 01100001
+    // 0x62: 01100010
+    //
+    // If we put those 4 binary numbers end to end, we end up with 32
+    // bits that can be interpreted as an int.
+    //
+    // 00110000001100010110000101100010 -> 808542562
+    //
+    // Since 4 chars can be represented as 1 int, the 32 character password can
+    // be represented as an array of 8 ints.
+    //
+    // - Minion #7816
+    public int[] passwordToIntArray(String hex) {
+        int[] x = new int[8];
+        byte[] hexBytes = hex.getBytes();
+        for (int i=0; i<8; i++) {
+            x[i] = hexBytes[i*4]   << 24
+                 | hexBytes[i*4+1] << 16
+                 | hexBytes[i*4+2] << 8
+                 | hexBytes[i*4+3];
+        }
+        return x;
+    }
+
+    public boolean checkPassword(String password) {
+        if (password.length() != 32) {
+            return false;
+        }
+        int[] x = passwordToIntArray(password);
+        return x[0] == 1096770097
+            && x[1] == 1952395366
+            && x[2] == 1600270708
+            && x[3] == 1601398833
+            && x[4] == 1716808014
+            && x[5] == 1734291511
+            && x[6] == 960049251
+            && x[7] == 1681089078;
+    }
+}

vault-door-7/sol.py

@@ -0,0 +1,6 @@
+#!/home/maxime/.pyvenv/bin/python3
+
+I = [1096770097, 1952395366, 1600270708, 1601398833, 1716808014, 1734291511, 960049251, 1681089078]
+
+print(''.join(map(lambda a: (chr(a>>24) + chr((a%(2**24))>>16) + chr((a%(2**16))>>8) + chr(a%(2**8))), I)))
+

vault-door-8/VaultDoor8.java

@@ -0,0 +1,75 @@
+// These pesky special agents keep reverse engineering our source code and then
+// breaking into our secret vaults. THIS will teach those sneaky sneaks a
+// lesson.
+//
+// -Minion #0891
+import java.util.*;
+import javax.crypto.Cipher;
+import javax.crypto.spec.SecretKeySpec;
+import java.security.*;
+
+class VaultDoor8 {
+    public static void main(String args[]) {
+        Scanner b = new Scanner(System.in);
+        System.out.print("Enter vault password: ");
+        String c = b.next();
+        String f = c.substring(8,c.length()-1);
+        VaultDoor8 a = new VaultDoor8();
+        if (a.checkPassword(f)) {
+            System.out.println("Access granted.");
+        }
+        else {
+            System.out.println("Access denied!");
+        }
+    }
+
+    public char[] scramble(String password) {
+        /* Scramble a password by transposing pairs of bits. */
+        char[] a = password.toCharArray();
+        for (int b=0; b<a.length; b++) {
+            char c = a[b];
+            c = switchBits(c,1,2);
+            c = switchBits(c,0,3);
+            /* c = switchBits(c,14,3);
+             * c = switchBits(c, 2, 0); */
+            c = switchBits(c,5,6);
+            c = switchBits(c,4,7);
+            c = switchBits(c,0,1);
+            /* d = switchBits(d, 4, 5);
+             * e = switchBits(e, 5, 6); */
+            c = switchBits(c,3,4);
+            c = switchBits(c,2,5);
+            c = switchBits(c,6,7);
+            a[b] = c;
+        }
+        return a;
+    }
+    
+    public char switchBits(char c, int p1, int p2) {
+        /* Move the bit in position p1 to position p2,
+         * and move the bit that was in position p2
+         * to position p1. Precondition: p1 < p2 */
+        char mask1 = (char)(1 << p1);
+        char mask2 = (char)(1 << p2);
+        /* char mask3 = (char)(1<<p1<<p2); mask1++; mask1--; */
+        char bit1 = (char)(c & mask1);
+        char bit2 = (char)(c & mask2);
+        /* System.out.println("bit1 " + Integer.toBinaryString(bit1));
+         * System.out.println("bit2 " + Integer.toBinaryString(bit2)); */
+        char rest = (char)(c & ~(mask1 | mask2));
+        char shift = (char)(p2 - p1);
+        char result = (char)((bit1<<shift) | (bit2>>shift) | rest);
+        return result;
+    }
+    
+    public boolean checkPassword(String password) {
+        char[] scrambled = scramble(password);
+        char[] expected = {
+            0xF4, 0xC0, 0x97, 0xF0, 0x77, 0x97, 0xC0, 0xE4,
+            0xF0, 0x77, 0xA4, 0xD0, 0xC5, 0x77, 0xF4, 0x86,
+            0xD0, 0xA5, 0x45, 0x96, 0x27, 0xB5, 0x77, 0xC2,
+            0xD2, 0x95, 0xA4, 0xF0, 0xD2, 0xD2, 0xC1, 0x95 };
+        return Arrays.equals(scrambled, expected);
+    }
+}
+

vault-door-8/sol.py

@@ -0,0 +1,41 @@
+#!/home/maxime/.pyvenv/bin/python3
+
+def switch(i, a, b):
+    #print(bin(i))
+
+    mask_a = 1<<a
+    mask_b = 1<<b
+    #print(bin(mask_a), bin(mask_b))
+
+    bit_a = i & mask_a
+    bit_b = i & mask_b
+    #print(bin(bit_a), bin(bit_b))
+
+    rest = i & ((mask_a | mask_b) ^ 0xff)
+    #print(bin(rest))
+
+    if bit_a:
+        rest |= mask_b
+    if bit_b:
+        rest |= mask_a
+    #print(bin(rest))
+    #print()
+
+    return rest
+
+hex = [0xF4, 0xC0, 0x97, 0xF0, 0x77, 0x97, 0xC0, 0xE4, 0xF0, 0x77, 0xA4, 0xD0, 0xC5, 0x77, 0xF4, 0x86,
+       0xD0, 0xA5, 0x45, 0x96, 0x27, 0xB5, 0x77, 0xC2, 0xD2, 0x95, 0xA4, 0xF0, 0xD2, 0xD2, 0xC1, 0x95]
+
+for c in hex:
+    c = switch(c, 6, 7)
+    c = switch(c, 2, 5)
+    c = switch(c, 3, 4)
+    c = switch(c, 0, 1)
+    c = switch(c, 4, 7)
+    c = switch(c, 5, 6)
+    c = switch(c, 0, 3)
+    c = switch(c, 1, 2)
+    print(chr(c), end='')
+
+print()
+

vault_door_training/VaultDoorTraining.java

@@ -0,0 +1,26 @@
+import java.util.*;
+
+class VaultDoorTraining {
+    public static void main(String args[]) {
+        VaultDoorTraining vaultDoor = new VaultDoorTraining();
+        Scanner scanner = new Scanner(System.in); 
+        System.out.print("Enter vault password: ");
+        String userInput = scanner.next();
+	String input = userInput.substring("picoCTF{".length(),userInput.length()-1);
+	if (vaultDoor.checkPassword(input)) {
+	    System.out.println("Access granted.");
+	} else {
+	    System.out.println("Access denied!");
+	}
+   }
+
+    // The password is below. Is it safe to put the password in the source code?
+    // What if somebody stole our source code? Then they would know what our
+    // password is. Hmm... I will think of some ways to improve the security
+    // on the other doors.
+    //
+    // -Minion #9567
+    public boolean checkPassword(String password) {
+        return password.equals("w4rm1ng_Up_w1tH_jAv4_eec0716b713");
+    }
+}