Tags: blackberry 

From the simulator, "9930-nv.dmp" is the file we want to look into, but where in it is the password?

1. To find where the password is stored, set one ourselves first: open the simulator, do a factory reset, and then we can set our own password.

2. Set the screen lock password to "password". Its SHA-1 hash is 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8.

3. In WinHex, open the simulator's 9930-nv.dmp and search for "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8".
The hit is at offset 0x00053020.

4. Open the original 9930-nv.dmp, go to the same offset, and read the hash stored there: 3E270F54C6EB3175B4EF8B20080795EF2EE15589.

5. Search for "3E270F54C6EB3175B4EF8B20080795EF2EE15589", and we get "fuckfuckfuckyouhahaha"...

6. Unlock with "fuckfuckfuckyouhahaha" and go to Contacts for hints.

7. We find the contact "Plaid CTF", and the answer is there...

8. Second dump: perm.ly/h0grm, blackberry.dmp. Open it in WinHex and search for the same pattern, "3C000000", which sits right before the SHA-1. The first hit gives "5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8" again, which is "password"...

9. Oh well, that password is not correct, so keep searching (with patience); the next hit is "AC0CFE7BD0AE22B44722F1A01ECB6CE102CA27C5".

10. Google it... "BerryGood"
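The whole procedure above (steps 1 to 5, and again for the second dump in steps 8 to 10) can be scripted instead of done by hand in WinHex: hash a password you set yourself, find that hash in your own dump, read the bytes at the same offset in the challenge dump, then crack them against a wordlist. This is an added example, not code from the original writeup. The two dumps below are constructed in memory as stand-ins for 9930-nv.dmp, and the record layout used for them (the 4-byte marker 3C 00 00 00 followed by the raw 20-byte SHA-1) is an assumption for the demo; the writeup only says the "3C000000" pattern appears just before the hash and does not say whether the hash is stored raw or as ASCII hex, so the search checks both encodings.

```python
"""Differential hash hunting in a BlackBerry NVRAM dump (added example).

Method from the writeup: set a known password on a simulator, hash it,
locate the hash in the simulator dump, read the same offset in the
target dump, and crack what you find. Dumps here are constructed.
"""
from __future__ import annotations

import hashlib
import re
from typing import Iterable, List, Optional, Tuple

# Marker the writeup searches for before the hash; treated as raw bytes here (assumption).
MARKER = bytes.fromhex("3C000000")
DIGEST_LEN = 20  # SHA-1 is 20 bytes / 40 hex chars


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()


def find_digest(dump: bytes, digest_hex: str) -> List[Tuple[int, str]]:
    """Offsets where the digest occurs, as raw bytes or as ASCII hex in either case.

    A WinHex-style search can match either encoding, so try all three and
    report which form hit; the form decides how many bytes to read back later.
    """
    needles = (
        (bytes.fromhex(digest_hex), "raw"),
        (digest_hex.lower().encode(), "hex-lower"),
        (digest_hex.upper().encode(), "hex-upper"),
    )
    hits = []
    for needle, form in needles:
        hits += [(m.start(), form) for m in re.finditer(re.escape(needle), dump)]
    return sorted(hits)


def read_digest_at(dump: bytes, offset: int, form: str) -> str:
    """Read the hash at `offset` in the encoding `find_digest` reported."""
    if form == "raw":
        return dump[offset:offset + DIGEST_LEN].hex()
    return dump[offset:offset + 2 * DIGEST_LEN].decode("ascii").lower()


def digests_after_marker(dump: bytes, marker: bytes = MARKER) -> List[str]:
    """Fallback when the offsets differ (step 8): every 20-byte run that follows the marker."""
    return [dump[m.end():m.end() + DIGEST_LEN].hex()
            for m in re.finditer(re.escape(marker), dump)
            if m.end() + DIGEST_LEN <= len(dump)]


def crack(digest_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Unsalted SHA-1, so a plain wordlist (or an online lookup) is enough."""
    target = digest_hex.lower()
    for word in wordlist:
        if sha1_hex(word) == target:
            return word
    return None


def recover_password(reference_dump: bytes, known_password: str,
                     target_dump: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Steps 1-5 of the writeup in one call."""
    hits = find_digest(reference_dump, sha1_hex(known_password))
    if not hits:
        raise ValueError("known password hash not found in the reference dump")
    offset, form = hits[0]
    return crack(read_digest_at(target_dump, offset, form), wordlist)


# --- constructed sample dumps, not real device data ---
def make_dump(password: str, filler: bytes = b"\x00" * 0x40) -> bytes:
    # Assumed layout: filler, marker, raw SHA-1, filler. Real NVRAM looks nothing like this.
    return filler + MARKER + hashlib.sha1(password.encode()).digest() + filler


REFERENCE_DUMP = make_dump("password")                 # our simulator, known password
TARGET_DUMP = make_dump("fuckfuckfuckyouhahaha")       # stand-in for the challenge dump
WORDLIST = ["123456", "password", "BerryGood", "fuckfuckfuckyouhahaha"]

if __name__ == "__main__":
    offset, form = find_digest(REFERENCE_DUMP, sha1_hex("password"))[0]
    print(f"known hash at 0x{offset:08X} ({form})")
    print("recovered:", recover_password(REFERENCE_DUMP, "password", TARGET_DUMP, WORDLIST))
```

The same-offset trick only works because both dumps come from the same firmware image and layout; if the target dump is from a different build, fall back to `digests_after_marker` and crack every candidate, which is what step 8 amounts to.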
Ref:
http://crackberry.com/security-blackberry-balance
"The personal master key is also randomly generated. The personal master key is stored in NVRAM on the device and is encrypted with the system master key."

http://www.forensicfocus.com/Forums/viewtopic/t=7055/
The password is stored as a SHA-1 hash.

5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 - password
3E270F54C6EB3175B4EF8B20080795EF2EE15589 - fuckfuckfuckyouhahaha

Full writeup with screenshots will be provided soon.

Original writeup (http://vxalanh0.blogspot.hk/2014/05/plaidctf-2014-for-350-write-up.html).