Bug Hunting
There are two apps for you to choose from. Both are essentially white-box testing exercises, but one gives you more visibility into the code than the other. The second app is harder than the first.
Todo App
Get the code from here,
Line 15
In one of the files on line 15, there is a vulnerability. What is it?
What is the file name?
Line 17
In one of the files on line 17, there is a vulnerability. What is it?
What is the file name?
Line 11
In one of the files on line 11, there is a vulnerability. What is it?
What is the file name?
Line 18
In one of the files on line 18, there is a vulnerability. What is it?
What is the file name?
Line 47
In one of the files on line 47, there is a vulnerability. What is it?
What is the file name?
Password Manager
This is the code for a simple password manager. It is written in Python.
import base64 as _
def __(s):
    """Decode the base64 text ``s`` and return the result as a ``str``."""
    raw = _.b64decode(s)
    return raw.decode()


def ___(č):
    """Import the module whose base64-encoded name is ``č``.

    ``__import__`` with a dotted name returns the top-level package, so
    callers must walk down to the submodule with attribute lookups.

    Reviewer note: module names hidden behind base64 do not show up in a
    plain-text search for imports; decode every literal passed here before
    auditing what this file actually loads.
    """
    module_name = __(č)
    return __import__(module_name)


def ____(d):
    """Return ``d`` with every character XORed with 0x55.

    This is a reversible encoding for string literals, not encryption.
    """
    return ''.join([chr(ord(c) ^ 0x55) for c in d])
def _____(_____0, _____1, *______):
    """Follow a chain of base64-encoded attribute names starting at ``_____0``.

    Each name is decoded with ``__`` and looked up with ``getattr`` on the
    result of the previous lookup, so ``_____(obj, A, B)`` is equivalent to
    ``getattr(getattr(obj, decode(A)), decode(B))``.

    Returns:
        The object reached after the last lookup.

    Raises:
        AttributeError: if any decoded name is missing on the current object.
    """
    resolved = _____0
    for encoded_name in (_____1, *______):
        resolved = getattr(resolved, __(encoded_name))
    return resolved
# Every module-level name below is the base64 spelling of what it holds;
# the comments give the decoded value so the file can be audited as plain code.

# builtins.open ('YnVpbHRpbnM=' -> "builtins", 'b3Blbg==' -> "open").
b3Blbg = _____(___('YnVpbHRpbnM='), 'b3Blbg==')
# The os module ('b3M=' -> "os"); used for os.urandom in c1.
b3M = ___('b3M=')
# k: salt length in bytes (os.urandom(k) in c1, d9[:k] / d9[k:] in c9).
# l: derived key length in bytes, passed to PBKDF2HMAC in n (32 -> AES-256 key).
# m: PBKDF2 iteration count, passed to PBKDF2HMAC in n.
# NOTE(review): 5 iterations provides almost no key stretching; current
# guidance for PBKDF2-HMAC-SHA256 is in the hundreds of thousands. Raising m
# changes the derived key, so existing .pwd files would need re-encryption.
k, l, m = 16, 32, 5
# The getpass module ('Z2V0cGFzcw==' -> "getpass").
Z2V0cGFzcw = ___('Z2V0cGFzcw==')
# The argparse module ('YXJncGFyc2U=' -> "argparse").
YXJncGFyc2U = ___('YXJncGFyc2U=')
# cryptography.hazmat.primitives.kdf.pbkdf2.PBKDF2HMAC (the class itself).
# __import__ returns the top-level "cryptography" package, so the remaining
# arguments walk hazmat -> primitives -> kdf -> pbkdf2 -> PBKDF2HMAC.
Y3J5cHRvZ3JhcGh5Lmhhem1hdC5wcmltaXRpdmVzLmtkZi5wYmtkZjI = _____(
___('Y3J5cHRvZ3JhcGh5Lmhhem1hdC5wcmltaXRpdmVzLmtkZi5wYmtkZjI='),
'aGF6bWF0', 'cHJpbWl0aXZlcw==', 'a2Rm', 'cGJrZGYy', 'UEJLREYySE1BQw=='
)
# cryptography.hazmat.primitives.hashes (module); n() takes SHA256 from it.
# NOTE(review): only the parent package is imported here; the "hashes"
# attribute is presumably already loaded as a side effect of the pbkdf2
# import above, which makes this statement order-dependent -- confirm.
Y3J5cHRvZ3JhcGh5Lmhhem1hdC5wcmltaXRpdmVz = _____(
___('Y3J5cHRvZ3JhcGh5Lmhhem1hdC5wcmltaXRpdmVz'),
'aGF6bWF0', 'cHJpbWl0aXZlcw==', 'aGFzaGVz'
)
# cryptography.hazmat.primitives.ciphers (package).
Y3J5cHRvZ3JhcGh5Lmhhem1hdC5wcmltaXRpdmVzLmNpcGhlcnM = _____(
___('Y3J5cHRvZ3JhcGh5Lmhhem1hdC5wcmltaXRpdmVzLmNpcGhlcnM='),
'aGF6bWF0', 'cHJpbWl0aXZlcw==', 'Y2lwaGVycw==',
)
# ciphers.Cipher ('Q2lwaGVy' -> "Cipher").
Q2lwaGVy = _____(Y3J5cHRvZ3JhcGh5Lmhhem1hdC5wcmltaXRpdmVzLmNpcGhlcnM, 'Q2lwaGVy')
# ciphers.algorithms ('YWxnb3JpdGhtcw==' -> "algorithms"); r() and x() take AES from it.
YWxnb3JpdGhtcw = _____(Y3J5cHRvZ3JhcGh5Lmhhem1hdC5wcmltaXRpdmVzLmNpcGhlcnM, 'YWxnb3JpdGhtcw==')
# ciphers.modes ('bW9kZXM=' -> "modes"); r() and x() take ECB from it.
bW9kZXM = _____(Y3J5cHRvZ3JhcGh5Lmhhem1hdC5wcmltaXRpdmVzLmNpcGhlcnM, 'bW9kZXM=')
# cryptography.hazmat.backends.default_backend (the function, called at each use).
Y3J5cHRvZ3JhcGh5Lmhhem1hdC5iYWNrZW5kcw = _____(
___('Y3J5cHRvZ3JhcGh5Lmhhem1hdC5iYWNrZW5kcw=='),
'aGF6bWF0', 'YmFja2VuZHM=', 'ZGVmYXVsdF9iYWNrZW5k',
)
def n(o, p):
    """Derive the encryption key from master password ``o`` and salt ``p``.

    Builds ``PBKDF2HMAC(SHA256(), l, p, m, default_backend())`` and calls
    ``derive`` on the encoded password ('U0hBMjU2' -> "SHA256",
    'ZGVyaXZl' -> "derive", 'ZW5jb2Rl' -> "encode").

    Args:
        o: master password as ``str``.
        p: salt bytes.

    Returns:
        ``l`` bytes of key material.

    NOTE(review): the work factor is the module-level ``m``. The cost of
    guessing the master password offline scales directly with that value,
    so it is the first parameter to check when assessing this function.
    """
    sha256 = _____(Y3J5cHRvZ3JhcGh5Lmhhem1hdC5wcmltaXRpdmVz, 'U0hBMjU2')()
    kdf = Y3J5cHRvZ3JhcGh5Lmhhem1hdC5wcmltaXRpdmVzLmtkZi5wYmtkZjI(
        sha256,
        l,
        p,
        m,
        Y3J5cHRvZ3JhcGh5Lmhhem1hdC5iYWNrZW5kcw(),
    )
    derive = _____(kdf, 'ZGVyaXZl')
    return derive(_____(o, 'ZW5jb2Rl')())
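def r(s, t):
    """Encrypt text ``s`` under key ``t`` with AES in ECB mode.

    The plaintext is encoded to bytes and then padded PKCS#7-style to a
    multiple of 16 bytes ('QUVT' -> "AES", 'RUNC' -> "ECB",
    'ZW5jcnlwdG9y' -> "encryptor", 'ZmluYWxpemU=' -> "finalize").

    Args:
        s: plaintext as ``str``.
        t: AES key bytes.

    Returns:
        Ciphertext bytes, always a non-empty multiple of 16 bytes.

    NOTE(review): ECB encrypts identical 16-byte blocks to identical
    ciphertext blocks, and nothing here authenticates the output, so the
    stored data can be modified without detection. Moving to an
    authenticated mode changes the on-disk format and has to be done
    together with x() and a migration of existing files.
    """
    encryptor = _____(
        Q2lwaGVy(
            _____(YWxnb3JpdGhtcw, 'QUVT')(t),
            _____(bW9kZXM, 'RUNC')(),
            Y3J5cHRvZ3JhcGh5Lmhhem1hdC5iYWNrZW5kcw(),
        ),
        'ZW5jcnlwdG9y',
    )()
    # Pad the encoded bytes, not the characters: a non-ASCII password has
    # more bytes than characters, and padding by character count left the
    # input off a block boundary so finalize() raised. Output for ASCII
    # input is unchanged.
    plaintext = _____(s, 'ZW5jb2Rl')()
    pad_len = 16 - len(plaintext) % 16
    padded = plaintext + bytes([pad_len]) * pad_len
    return encryptor.update(padded) + _____(encryptor, 'ZmluYWxpemU=')()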
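def x(y, z):
    """Decrypt AES-ECB ciphertext ``y`` with key ``z`` and return the text.

    ('ZGVjcnlwdG9y' -> "decryptor", 'ZmluYWxpemU=' -> "finalize",
    'ZGVjb2Rl' -> "decode".)

    Args:
        y: ciphertext bytes as produced by r().
        z: AES key bytes.

    Returns:
        The decrypted plaintext as ``str``.

    Raises:
        ValueError: if the decrypted data is empty, its padding is not
            well-formed, or the unpadded bytes are not valid UTF-8
            (``UnicodeDecodeError`` is a ``ValueError``).

    NOTE(review): the padding check only rejects malformed data; it is not
    an integrity check. A wrong key can still yield valid-looking padding by
    chance (about 1 in 256), and there is no MAC over the stored bytes.
    """
    decryptor = _____(
        Q2lwaGVy(
            _____(YWxnb3JpdGhtcw, 'QUVT')(z),
            _____(bW9kZXM, 'RUNC')(),
            Y3J5cHRvZ3JhcGh5Lmhhem1hdC5iYWNrZW5kcw(),
        ),
        'ZGVjcnlwdG9y',
    )()
    a = decryptor.update(y) + _____(decryptor, 'ZmluYWxpemU=')()
    if not a:
        # Previously this fell through to a[-1] and raised IndexError.
        raise ValueError("ciphertext is empty")
    pad_len = a[-1]
    # Previously the last byte was trusted blindly: 0 returned an empty
    # string and any other value silently truncated the result.
    if not 1 <= pad_len <= 16 or a[-pad_len:] != bytes([pad_len]) * pad_len:
        raise ValueError("invalid padding (wrong master password or corrupted data)")
    return _____(a[:-pad_len], 'ZGVjb2Rl')()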
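def c1(d2, d3, d4):
    """Encrypt password ``d3`` and store it for service ``d2``.

    Writes ``salt || ciphertext`` to the file ``d2 + ".pwd"`` opened in
    ``"wb"`` mode (the XOR-0x55 literals decode to ".pwd" and "wb";
    'dXJhbmRvbQ==' -> "urandom", 'd3JpdGU=' -> "write").

    Args:
        d2: service name; used directly as the file name stem.
        d3: password to store.
        d4: master password used to derive the key.

    NOTE(review): ``d2`` is not validated, so a service name containing path
    separators writes outside the current directory. The file is created
    with the process default permissions; confirm that is acceptable for
    secret material.
    """
    d5 = _____(b3M, 'dXJhbmRvbQ==')(k)
    # Derive and encrypt before opening: "wb" truncates an existing file, so
    # a failure in n() or r() must not wipe a previously stored entry.
    blob = d5 + r(d3, n(d4, d5))
    # The context manager closes the handle even if the write raises.
    with b3Blbg(d2 + ____('{%"1'), ____('"7')) as d8:
        _____(d8, 'd3JpdGU=')(blob)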
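def c9(d2, d4):
    """Load and decrypt the stored password for service ``d2``.

    Reads ``d2 + ".pwd"`` in ``"rb"`` mode (the XOR-0x55 literals decode to
    ".pwd" and "rb"; 'cmVhZA==' -> "read"), splits the first ``k`` bytes off
    as the salt, derives the key with n() and decrypts the rest with x().

    Args:
        d2: service name; used directly as the file name stem.
        d4: master password.

    Returns:
        The decrypted password as ``str``.

    Raises:
        FileNotFoundError: if no file exists for the service.
        ValueError: if the file holds no ciphertext after the salt.

    NOTE(review): ``d2`` is not validated, so a service name containing path
    separators reads from outside the current directory.
    """
    # The context manager closes the handle even if the read raises.
    with b3Blbg(d2 + ____('{%"1'), ____("'7")) as d8:
        d9 = _____(d8, 'cmVhZA==')()
    if len(d9) <= k:
        # A file this short has no ciphertext; previously this surfaced as
        # an IndexError from inside x().
        raise ValueError("password file is truncated or corrupted")
    return x(d9[k:], n(d4, d9[:k]))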
def main():
    """Command-line entry point: ``save`` or ``load`` one service password.

    Parses ``action``, ``service`` and an optional ``password``, prompts for
    the master password with ``getpass``, then calls c1() to save or c9() to
    load.

    NOTE(review): the password to save is a positional command-line
    argument, so it can be seen in the process listing and may be recorded
    in shell history; ``load`` prints the decrypted secret to stdout.
    """
    parser = YXJncGFyc2U.ArgumentParser(description="Final Pass")
    parser.add_argument("action", choices=["save", "load"], help="Action to perform")
    parser.add_argument("service", help="Service name")
    parser.add_argument("password", nargs="?", help="Password to save (only for save action)")
    q = parser.parse_args()
    # The prompt happens before any validation of the parsed arguments.
    master_password = Z2V0cGFzcw.getpass("Enter master password: ")

    if q.action == "load":
        try:
            s = c9(q.service, master_password)
            print(f"Password for {q.service}: {s}")
        except FileNotFoundError:
            print(f"No password found for {q.service}.")
        except Exception as e:
            print(f"Error loading password: {e}")
        return

    if q.action != "save":
        return

    if q.password is None:
        print("Password is required for saving.")
        return
    c1(q.service, q.password, master_password)
    print(f"Password for {q.service} saved successfully.")


if __name__ == "__main__":
    main()
What are the problems with the cryptography in the password manager?
What is the impact of the cryptography problems?
How hard would it be to exploit the cryptography problems, assuming you have enough computational power, time and all the information you need?