# AES Key decryption ### 01. Introduction In this exercise we'll try to decrypt the the password of the CrackMeSimple Challenge, by analysing the ProgramCode.

APK File: {% embed url="" %} ### 02. Code analysis Open the package with jadx-gui. The following AES Util Part looks interessting:

``` package org.bfe.crackmesimple.util; import java.io.UnsupportedEncodingException; import java.security.Key; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; import java.security.spec.AlgorithmParameterSpec; import javax.crypto.Cipher; import javax.crypto.spec.IvParameterSpec; import javax.crypto.spec.SecretKeySpec; public class AESUtil { private static final String ENCRYPTION_IV = "SHCUOkfd89ut7777"; private static final String ENCRYPTION_KEY = "Simpleji4todnkfL"; public static byte[] encrypt(byte[] bArr) { try { Cipher instance = Cipher.getInstance("AES/CBC/PKCS5Padding"); instance.init(1, makeKey(), makeIv()); return instance.doFinal(bArr); } catch (Exception e) { throw new RuntimeException(e); } } public static byte[] decrypt(byte[] bArr) { try { Cipher instance = Cipher.getInstance("AES/CBC/PKCS5Padding"); instance.init(2, makeKey(), makeIv()); return instance.doFinal(bArr); } catch (Exception e) { throw new RuntimeException(e); } } static AlgorithmParameterSpec makeIv() { try { return new IvParameterSpec(ENCRYPTION_IV.getBytes("UTF-8")); } catch (UnsupportedEncodingException e) { e.printStackTrace(); return null; } } static Key makeKey() { try { return new SecretKeySpec(MessageDigest.getInstance("SHA-256").digest(ENCRYPTION_KEY.getBytes("UTF-8")), "AES"); } catch (NoSuchAlgorithmException e) { e.printStackTrace(); return null; } catch (UnsupportedEncodingException e2) { e2.printStackTrace(); return null; } } } ``` We can see the `AES encryption key` and the `initialization vector`: ``` public class AESUtil { private static final String ENCRYPTION_IV = "SHCUOkfd89ut7777"; private static final String ENCRYPTION_KEY = "Simpleji4todnkfL"; ``` I also took notice about the cipher instance: AES/**CBC**/PKCS5Padding From the encryption key a SHA-256 cryptographic hash(!) will be generated: ``` static Key makeKey() { try { return new SecretKeySpec(MessageDigest.getInstance("SHA-256").digest(ENCRYPTION_KEY.getBytes("UTF-8")), "AES"); ``` The second interessting part is the LoginView Model class:

``` public class LoginViewModel extends ViewModel { private static byte[] exs = {-28, 73, 79, 78, 113, 73, 101, 98, 115, 6, 27, -35, 111, -55, -114, -11, -29, 0, -73, 91, 115, -24, -4, -94, -59, 43, -57, 112, 11, -54, -115, 2}; protected DexClassLoader dexClassLoader = null; private MutableLiveData loginFormState = new MutableLiveData<>(); private MutableLiveData loginResult = new MutableLiveData<>(); ``` ### 03. Decode with Cyberchef First I generate a SHA-256 hash from the encryption key: ![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FmiRG0gK2S8z7BrxvyuR2%2Faes03.png?alt=media\&token=f0a4bbc5-2ab7-49a6-b2ee-7c172ec7aad0) Output:

Now we have all pieces together. The final Cyberchef Recipe looks like this: Input value: ``` -28, 73, 79, 78, 113, 73, 101, 98, 115, 6, 27, -35, 111, -55, -114, -11, -29, 0, -73, 91, 115, -24, -4, -94, -59, 43, -57, 112, 11, -54, -115, 2 ``` ``` From_Decimal('Comma',true) AES_Decrypt({'option':'Hex','string':'d6eadb48382e79d35f25cbca4fb55ef69d842ee79ad843b4bae757fa99344d1a'}, {'option':'UTF8','string':'SHCUOkfd89ut7777'},'CBC','Raw','Raw',{'option':'Hex','string':''},{'option':'Hex','string':''}) ``` ![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FHMIn9ryb3deUXu94XTDh%2Faes05.png?alt=media\&token=5cc05af9-edb9-411a-a9bd-c9d6591de2c6) Output: `HL{R3v3rsing.FUN}` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://cas-cyber.gitbook.io/cas-cybersecurity/android-malware/aes-key-decryption.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.