Challenge 'Bitecode' give us a simple java class file. We can simply get java class file by compiling java source code file.
On the other hand, we can simply get java source code file by decompiling java class file.
I can find online java decompiler site. [http://www.javadecompilers.com/]
There are several versions of decompiler. I tried all of them, but only second one "CFR" was working.
I got the java source code like above.
Full decompiled java source code is below.
/*
* Decompiled with CFR 0.139.
*
* Could not load the following classes:
* \u0000java.lang.System
*/
import \u0000java.lang.System;
import java.io.PrintStream;
/*
* Class file version 45.0 predates 45.3 (Java 1.0), recompilation may lose compatibility!
*/
public class BiteCode {
private static /* synthetic */ int a;
/*
* Unable to fully structure code
*/
public static void main(String[] var0) {
block83 : {
block67 : {
block82 : {
block77 : {
block81 : {
block54 : {
block80 : {
block79 : {
block57 : {
block78 : {
block74 : {
block76 : {
block75 : {
block60 : {
block73 : {
block62 : {
block72 : {
block56 : {
block71 : {
block64 : {
block70 : {
block69 : {
block68 : {
block66 : {
block65 : {
block63 : {
block61 : {
block55 : {
block59 : {
block58 : {
var1_1 = var0.length;
var2_2 = BiteCode.a;
if (var1_1 - 1 != 0) {
(System)null;
java.lang.System.out.println("Nah");
return;
}
var3_3 = var0[0].toCharArray();
var4_4 = var3_3.length;
if ((var4_4 ^ 927739485 ^ 927739457) != 0) {
(System)null;
java.lang.System.out.println("Nah");
return;
lbl15: // 1 sources:
do {
switch (var2_2) {
default:
}
java.lang.System.out.println("Yeah");
return;
break;
} while (true);
}
v0 = var3_3;
if ((v0[0] ^ 189074585) - 189074673 != 0) lbl-1000: // 3 sources:
{
do {
if (var2_2 == 0) {
(System)null;
java.lang.System.out.println("Nah");
return;
}
break block54;
break;
} while (true);
}
if ((v0[1] ^ -227215135) - -227215214 != 0) lbl-1000: // 2 sources:
{
do {
if (var2_2 == 0) {
(System)null;
java.lang.System.out.println("Nah");
return;
}
break block55;
break;
} while (true);
}
if ((v0[2] ^ 19240864) - 19240899 == 0) break block58;
if (var2_2 != 0) ** GOTO lbl-1000
(System)null;
java.lang.System.out.println("Nah");
return;
}
if ((v0[3] ^ 245881291) - 245881279 == 0) break block59;
if (var2_2 == 0) {
(System)null;
java.lang.System.out.println("Nah");
return;
}
break block60;
}
if ((v0[4] ^ 233391094) - 233390992 == 0) break block61;
}
lbl54: // 2 sources:
while (var2_2 == 0) {
(System)null;
java.lang.System.out.println("Nah");
return;
}
break block62;
}
if ((v0[5] ^ 56978353) - 56978378 == 0) break block63;
lbl62: // 2 sources:
while (var2_2 == 0) {
(System)null;
java.lang.System.out.println("Nah");
return;
}
break block64;
}
if ((v0[6] ^ -213838484) - -213838565 != 0) lbl-1000: // 4 sources:
{
do {
if (var2_2 == 0) {
(System)null;
java.lang.System.out.println("Nah");
return;
}
break block56;
break;
} while (true);
}
if ((v0[7] ^ -231671677) - -231671605 == 0) break block65;
lbl78: // 3 sources:
do {
if (var2_2 != 0) ** GOTO lbl-1000
(System)null;
java.lang.System.out.println("Nah");
return;
break;
} while (true);
}
if ((v0[8] ^ -132473862) - -132473910 == 0) break block66;
if (var2_2 == 0) {
(System)null;
java.lang.System.out.println("Nah");
return;
}
break block67;
}
if ((v0[9] ^ 143449065) - 143449053 == 0) break block68;
lbl94: // 2 sources:
while (var2_2 == 0) {
(System)null;
java.lang.System.out.println("Nah");
return;
}
break block56;
}
if ((v0[10] ^ 108102484) - 108102411 == 0) break block69;
do {
if (var2_2 != 0) ** GOTO lbl-1000
(System)null;
java.lang.System.out.println("Nah");
return;
break;
} while (true);
}
if ((v0[11] ^ 71123188) - 71123073 == 0) break block70;
if (var2_2 != 0) ** GOTO lbl62
(System)null;
java.lang.System.out.println("Nah");
return;
}
if ((v0[12] ^ 146096006) - 146096089 == 0) break block71;
}
if (var2_2 != 0) ** GOTO lbl94
(System)null;
java.lang.System.out.println("Nah");
return;
}
if ((v0[13] ^ -173487738) - -173487628 == 0) break block72;
}
if (var2_2 != 0) ** GOTO lbl54
(System)null;
java.lang.System.out.println("Nah");
return;
}
if ((v0[14] ^ -116507045) - -116507132 == 0) break block73;
}
if (var2_2 == 0) {
(System)null;
java.lang.System.out.println("Nah");
return;
}
break block74;
}
if ((v0[15] ^ -68013365) - -68013319 == 0) break block75;
}
lbl143: // 2 sources:
do {
if (var2_2 == 0) {
(System)null;
java.lang.System.out.println("Nah");
return;
}
break block57;
break;
} while (true);
}
if ((v0[16] ^ 171414622) - 171414529 != 0) {
do {
if (var2_2 != 0) ** continue;
(System)null;
java.lang.System.out.println("Nah");
return;
break;
} while (true);
}
if ((v0[17] ^ 94412444) - 94412524 == 0) break block76;
lbl159: // 2 sources:
while (var2_2 == 0) {
(System)null;
java.lang.System.out.println("Nah");
return;
}
break block77;
}
if ((v0[18] ^ 197453081) - 197453163 == 0) break block78;
}
** while (var2_2 != 0)
lbl169: // 1 sources:
(System)null;
java.lang.System.out.println("Nah");
return;
}
if ((v0[19] ^ -50622153) - -50622201 == 0) break block79;
}
if (var2_2 != 0) ** GOTO lbl159
(System)null;
java.lang.System.out.println("Nah");
return;
}
if ((v0[20] ^ 190140381) - 190140290 == 0) break block80;
if (var2_2 != 0) ** GOTO lbl78
(System)null;
java.lang.System.out.println("Nah");
return;
}
if ((v0[21] ^ 77383944) - 77383996 == 0) break block81;
}
** while (var2_2 != 0)
lbl192: // 1 sources:
(System)null;
java.lang.System.out.println("Nah");
return;
}
if ((v0[22] ^ -41590082) - -41590047 == 0) break block82;
}
** while (var2_2 != 0)
lbl200: // 1 sources:
(System)null;
java.lang.System.out.println("Nah");
return;
}
if ((v0[23] ^ 61204303) - 61204283 != 0) lbl-1000: // 2 sources:
{
do {
if (var2_2 != 0) ** continue;
(System)null;
java.lang.System.out.println("Nah");
return;
break;
} while (true);
}
if ((v0[24] ^ -24637751) - -24637791 != 0) {
if (var2_2 != 0) ** continue;
(System)null;
java.lang.System.out.println("Nah");
return;
}
if ((v0[25] ^ 61697107) - 61697122 != 0) {
if (var2_2 != 0) ** continue;
(System)null;
java.lang.System.out.println("Nah");
return;
}
if ((v0[26] ^ 267894989) - 267895017 == 0) break block83;
}
while (var2_2 != 0) {
}
(System)null;
java.lang.System.out.println("Nah");
return;
}
** while ((v0[27] ^ -13480562) - -13480461 == 0)
lbl234: // 1 sources:
** while (var2_2 != 0)
lbl235: // 1 sources:
(System)null;
java.lang.System.out.println("Nah");
}
}Analyzing overall source code with peek, the java program get a single main function argument input called 'var0'
We can simply guess, printing "Nah" means invalid input.
The number of argument (var1_1) should be 1,
The length of first argument (var4_4) should be 927739485 ^ 927739456 => 28
With similar pattern, the first character of argument (v0[0]) shoudl be 189074585 ^ 189074673
The second character of argument (v0[1]) should be -227215135 ^ -227215214
Proceeding this work, we can easily find not only the header of flag "hsctf{", but also the rest part of the flag.
You can do it manualy one by one, or write a python script to extract the source code line contains the pattern like "v0[index] ^ A - B != 0" and evaluate the each letter on flag.
But I did with hand one by one.
'해킹 & 보안 > CTF Write-ups' 카테고리의 다른 글
| [NeverLAN CTF 2020] Web - SQL Breaker 1 / SQL Breaker 2 / DasPrime (0) | 2020.02.15 |
|---|---|
| [Insomni'hack teaser 2020] web - Low Deep write-up (0) | 2020.01.20 |
| [X-mas CTF 2019] Emulator - Emu 2.0 Write-up (0) | 2019.12.26 |
| [X-mas CTF 2019] MISC - SNT DCR SHP Write-up (0) | 2019.12.22 |
| [Newbie CTF 2019] Web - Normal Host. write-ups (4) | 2019.11.04 |