Task 4 requires you to determine the pin to unlock the cached credentials in the recovered database. Originally, this task also required you to determine the action planned by analyzing their code words. This requirement was later removed. To complete this task you need to submit

The first step is to analyze the TerrorTime app to determine how the user logs in. I used android studio to emulate a Nexus S android phone running Oreo. Android Virtual Device (AVD) manager, under Tools, can create the device. To create a device


The AVD manager or command line tool emulator.exe can start the emulator. Installing or copying a file is as simple as dragging the file onto the phone screen. After installing TerrorTime, I opened it and tried to log in, which requires a username and a pin. I only had the username from the database but not the matching pin. I decided to follow the code that handles the login to determine how the pin is checked. The Activity Class in an app handles the window the app draws it’s UI in. TerrorTime contains six Activity Classes:

The LoginActivity handles the UI for the login screen and handles the login validation. The tool jadx was not able to correctly decompile the UserLoginTask Class so it dumps the instructions to the screen.


Looking through the instructions, I saw calls to initialize the Client Class and then set encryptPin to the entered pin.


Further in LoginActivity is a function called doInBackground, which uses the created Client Class to generate a symmetric key and validate a access token. I determined this function to be interesting since it contained error messages referring to logging in, client ID, and pin.


The Client.generateSymmetricKey function

I remembered from task 2, that the database contains the client secret. The code indicates that the stored secret is the SHA256 hash of the pin. To determine the length of the field I checked the ParameterValidatorClass. The function isValidPin checks if the entered pin is six digits long.


The number of possible combinations for the pin is 10^6 or 1,000,000, which is simple to brute force. I wrote a python script to brute force the pin.

from hashlib import sha256
hash_pin = "\xa9\x9d\x19\x16\x2a\xaa\xa4\x0a\xfa\xe0\xd6\xe3\xd0\x08\x40\x56\xce\xc1\x4a\x11\x54\x75\xb5\xxf7\x1f\x7b\xc1\x3e\xc9\xd8\x99\x8a"

for pin in range(0, 1000000):
    if hash_pin == sha256(str(pin)).digest():
        print pin

# output 123793

I used adb.exe to interact with the phone file system. When I dragged the database file to the phone, it was downloaded to /sdcard/Downloads.

I used adb.exe to move the file from the Downloads folder to /data/user/0/com.badguy.terrortime/database/clientDB.db.
Commands to connect adb.exe to Android.

.\adb.exe root
.\adb.exe remount
.\adb.exe shell

Commands executed with adb.exe.

cd /data/user/0/com.badguy.terrortime
ls -al
su <app user>
cp /sdcard/Downloads/clientDB.db database/clientDB.db


When the codebreaker creators designed the challenge they set the app to wait for 5 secs before timing out. This was not enough time due to the amount of participants. They released an updated version that waited 30 secs.

I launched the TerrorTime and input the pin, enabling me to impersonate the terrorist, Kingsley, who has two contacts,

Clicking on each contact’s name retrieves their past messages.

I figured out that Arianna is the cell leader due to the following messages

From To Message Reason
Arianna Kingsley Is everything set? She's checking on the status of the op
Arianna Kingsley Be grateful for your role in this, Kingsley She's telling him to be grateful
Kingsley Arianna yes ma'am He is very formal with her


From To Message Reason
Kingsley Devora want to make sure the ma'am is pleased and confident in us. Wants to impress Arianna
Kingsley Devora see you after New Years Day Is meeting Devora for the op


I used the following messages to determine the date.

From To Message Reason
Arianna Kingsley Exactly. after the holiday, 1 day She's telling him when the op is to happen
Kingsley Devora see you after New Years Day Is meeting Devora for the op. Mentions the holiday New Year's Day
Kingsley Devora we're to acquire the engagement ring at 1523 Mentions a time for an action

I now knew the date of the upcoming operation, 01/02/2020, and the time, 1523. I used an online epoch converter to convert the date to epoch. 01/02/2020 15:23 Z == 1577978580

Through Google, I was only able to determine that wedding usually refers to a big attack.


After completing task 7 and decrypting the messages, I can see keywords, such as “acquire”, that might indicate its a kidnapping.

Back to Overview