# AES Key decryption ### 01. Introduction In this exercise we'll try to decrypt the the password of the CrackMeSimple Challenge, by analysing the ProgramCode.

APK File: {% embed url="" %} ### 02. Code analysis Open the package with jadx-gui. The following AES Util Part looks interessting:

``` package org.bfe.crackmesimple.util; import java.io.UnsupportedEncodingException; import java.security.Key; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; import java.security.spec.AlgorithmParameterSpec; import javax.crypto.Cipher; import javax.crypto.spec.IvParameterSpec; import javax.crypto.spec.SecretKeySpec; public class AESUtil { private static final String ENCRYPTION_IV = "SHCUOkfd89ut7777"; private static final String ENCRYPTION_KEY = "Simpleji4todnkfL"; public static byte[] encrypt(byte[] bArr) { try { Cipher instance = Cipher.getInstance("AES/CBC/PKCS5Padding"); instance.init(1, makeKey(), makeIv()); return instance.doFinal(bArr); } catch (Exception e) { throw new RuntimeException(e); } } public static byte[] decrypt(byte[] bArr) { try { Cipher instance = Cipher.getInstance("AES/CBC/PKCS5Padding"); instance.init(2, makeKey(), makeIv()); return instance.doFinal(bArr); } catch (Exception e) { throw new RuntimeException(e); } } static AlgorithmParameterSpec makeIv() { try { return new IvParameterSpec(ENCRYPTION_IV.getBytes("UTF-8")); } catch (UnsupportedEncodingException e) { e.printStackTrace(); return null; } } static Key makeKey() { try { return new SecretKeySpec(MessageDigest.getInstance("SHA-256").digest(ENCRYPTION_KEY.getBytes("UTF-8")), "AES"); } catch (NoSuchAlgorithmException e) { e.printStackTrace(); return null; } catch (UnsupportedEncodingException e2) { e2.printStackTrace(); return null; } } } ``` We can see the `AES encryption key` and the `initialization vector`: ``` public class AESUtil { private static final String ENCRYPTION_IV = "SHCUOkfd89ut7777"; private static final String ENCRYPTION_KEY = "Simpleji4todnkfL"; ``` I also took notice about the cipher instance: AES/**CBC**/PKCS5Padding From the encryption key a SHA-256 cryptographic hash(!) will be generated: ``` static Key makeKey() { try { return new SecretKeySpec(MessageDigest.getInstance("SHA-256").digest(ENCRYPTION_KEY.getBytes("UTF-8")), "AES"); ``` The second interessting part is the LoginView Model class:

``` public class LoginViewModel extends ViewModel { private static byte[] exs = {-28, 73, 79, 78, 113, 73, 101, 98, 115, 6, 27, -35, 111, -55, -114, -11, -29, 0, -73, 91, 115, -24, -4, -94, -59, 43, -57, 112, 11, -54, -115, 2}; protected DexClassLoader dexClassLoader = null; private MutableLiveData loginFormState = new MutableLiveData<>(); private MutableLiveData loginResult = new MutableLiveData<>(); ``` ### 03. Decode with Cyberchef First I generate a SHA-256 hash from the encryption key: ![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FmiRG0gK2S8z7BrxvyuR2%2Faes03.png?alt=media\&token=f0a4bbc5-2ab7-49a6-b2ee-7c172ec7aad0) Output:

Now we have all pieces together. The final Cyberchef Recipe looks like this: Input value: ``` -28, 73, 79, 78, 113, 73, 101, 98, 115, 6, 27, -35, 111, -55, -114, -11, -29, 0, -73, 91, 115, -24, -4, -94, -59, 43, -57, 112, 11, -54, -115, 2 ``` ``` From_Decimal('Comma',true) AES_Decrypt({'option':'Hex','string':'d6eadb48382e79d35f25cbca4fb55ef69d842ee79ad843b4bae757fa99344d1a'}, {'option':'UTF8','string':'SHCUOkfd89ut7777'},'CBC','Raw','Raw',{'option':'Hex','string':''},{'option':'Hex','string':''}) ``` ![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FHMIn9ryb3deUXu94XTDh%2Faes05.png?alt=media\&token=5cc05af9-edb9-411a-a9bd-c9d6591de2c6) Output: `HL{R3v3rsing.FUN}`