From 9c73ebae99952c7fff6f561643a301461d062a9c Mon Sep 17 00:00:00 2001
From: haskal <haskal@awoo.systems>
Date: Tue, 14 Jul 2020 03:04:55 -0400
Subject: [PATCH] 2020: rgbctf: oop

---
 2020/rgbctf/oop/README.md | 116 ++++++++++++++++++++++++++++++++++++++
 2020/rgbctf/oop/decode.py |  46 +++++++++++++++
 2020/rgbctf/oop/src.zip   | Bin 0 -> 7011 bytes
 3 files changed, 162 insertions(+)
 create mode 100644 2020/rgbctf/oop/README.md
 create mode 100644 2020/rgbctf/oop/decode.py
 create mode 100644 2020/rgbctf/oop/src.zip

diff --git a/2020/rgbctf/oop/README.md b/2020/rgbctf/oop/README.md
new file mode 100644
index 0000000..7d33bbe
--- /dev/null
+++ b/2020/rgbctf/oop/README.md
@@ -0,0 +1,116 @@
+# Object Oriented Programming
+
+writeup by [haskal](https://awoo.systems) for [BLÅHAJ](https://blahaj.awoo.systems)
+
+**Pwn/Rev**
+**413 points**
+**88 solves**
+
+>There's this small up and coming language called java I want to tell you about
+
+provided file: <src.zip>
+
+## writeup
+
+we are given a zip file with java source. there's a Main.java and a bunch of 2-character source
+files, with classes that contain a bunch of 2-character methods that return 2-character strings.
+examining Main, we see it uses reflection to call into these classes and methods to map the input
+string to the output.
+
+```java
+		String userInput = getUserInputMethodFromScannerAndInvokeAndReturnOutput(scanner);
+		if (userInput.length() != SIXTEEN)
+			System.exit(0);
+		
+		if (executeCodeThatDoesSomethingThatYouProbablyNeedToFigureOut(userInput).equals(scanner.getClass().getPackageName().replace(".", ""))) {
+			invokePrintLineMethodForOutputPrintStream(outputPrintStream, printLineMethod, "Nice. Flag: rgbCTF{" + userInput + "}");
+		} else {
+			invokePrintLineMethodForOutputPrintStream(outputPrintStream, printLineMethod, "Try again.");
+		}
+```
+
+this code shows us the user input must be 16 chars exactly, and then a transformation function is
+called (with the parameter `javautil`, the package of Scanner without periods).
+
+```java
+	public static String executeCodeThatDoesSomethingThatYouProbablyNeedToFigureOut(String stringToExecuteAforementionedCodeOn) throws Exception {
+		String encryptedString = reallyBasicQuoteUnquoteEncryptionFunctionThatWillOnlyTakeTimeToFigureOutIfYouKeepReadingTheseRidiculouslyLongMethodNames(stringToExecuteAforementionedCodeOn);
+		String returnValueOfThisFunction = new String();
+		String[] chunksOfEncryptedStringOfLengthFour = splitStringIntoChunksOfLength(encryptedString, FOUR);
+		for (String chunkOfEncryptedStringOfLengthFour : chunksOfEncryptedStringOfLengthFour) {
+			String[] chunksOfChunkOfEncryptedStringOfLengthFourOfLengthTwo = splitStringIntoChunksOfLength(chunkOfEncryptedStringOfLengthFour, TWO);
+			String firstChunkOfChunkOfEncryptedStringOfLengthFourOfLengthTwo = chunksOfChunkOfEncryptedStringOfLengthFourOfLengthTwo[0];
+			String secondChunkOfChunkOfEncryptedStringOfLengthFourOfLengthTwo = chunksOfChunkOfEncryptedStringOfLengthFourOfLengthTwo[1];
+			Class<?> classAndExtraCharactersSoItsNotAKeyword = Class.forName(firstChunkOfChunkOfEncryptedStringOfLengthFourOfLengthTwo);
+			Object object = classAndExtraCharactersSoItsNotAKeyword.getConstructors()[ZERO].newInstance();
+			for (int loopArbitraryCounterIterator = 0; loopArbitraryCounterIterator < THREE; loopArbitraryCounterIterator++) {
+				Method method = classAndExtraCharactersSoItsNotAKeyword.getMethod(secondChunkOfChunkOfEncryptedStringOfLengthFourOfLengthTwo);
+				secondChunkOfChunkOfEncryptedStringOfLengthFourOfLengthTwo = (String)method.invoke(object);
+			}
+			returnValueOfThisFunction = new String(returnValueOfThisFunction + secondChunkOfChunkOfEncryptedStringOfLengthFourOfLengthTwo);
+		}
+		return returnValueOfThisFunction;
+	}
+```
+
+looking at the transformation function, we find it calls a method that XORs all the characters in
+the input with a key, which turns out to be `2` (found by modifying the code to print it out). then,
+it splits the input into chunks of 4, uses the first 2 chars as a class name, and iterates 3 times
+to transform the second 2 chars by calling the method in the class. the result is concatenated
+together. this can be solved with a simple script to parse the java files to map the
+transformations, then reversing the transformation by doing the opposite of this operation.
+
+first, parse the java. it's very regular so this isn't too hard
+
+```python
+mapping = {}
+
+for file in pathlib.Path("src").iterdir():
+    if "Main" in file.name:
+        continue
+    name = file.name.replace(".java", "")
+    with file.open("r") as f:
+        data = f.read()
+    thisfile = {}
+    mname = None
+    for line in data.split("\n"):
+        if mname is None:
+            if "public String" in line:
+                mname = line.strip().split(" ")[2].replace("()", "")
+        else:
+            val = line.strip().split(" ")[1].replace('"', "").replace(";", "")
+            thisfile[mname] = val
+            mname = None
+    mapping[name] = thisfile
+
+```
+
+next, go through backwards to find which class has 3 methods that can be chained to produce the
+required output. (implemented this with horrible CTF spaghetti code, please don't tell my fundies
+professor :)
+
+```python
+start = "javautil"
+
+def rfind(what):
+    for file,data in mapping.items():
+        for k,v in data.items():
+            if v == what and k in data.values():
+                for k2, v2 in data.items():
+                    if v2 == k and k2 in data.values():
+                        for k3, v3 in data.items():
+                            if v3 == k2:
+                                return file + k3
+
+data = rfind("ja") + rfind("va") + rfind("ut") + rfind("il")
+```
+
+finally compute XOR for the flag
+
+```python
+data = bytearray(data.encode())
+for i in range(len(data)):
+    data[i] ^= 2
+
+print(data)
+```
diff --git a/2020/rgbctf/oop/decode.py b/2020/rgbctf/oop/decode.py
new file mode 100644
index 0000000..596ae38
--- /dev/null
+++ b/2020/rgbctf/oop/decode.py
@@ -0,0 +1,46 @@
+#!/usr/bin/env python3
+
+import pathlib
+
+mapping = {}
+
+for file in pathlib.Path("src").iterdir():
+    if "Main" in file.name:
+        continue
+    name = file.name.replace(".java", "")
+    with file.open("r") as f:
+        data = f.read()
+    thisfile = {}
+    mname = None
+    for line in data.split("\n"):
+        if mname is None:
+            if "public String" in line:
+                mname = line.strip().split(" ")[2].replace("()", "")
+        else:
+            val = line.strip().split(" ")[1].replace('"', "").replace(";", "")
+            thisfile[mname] = val
+            mname = None
+    mapping[name] = thisfile
+
+import pprint
+pprint.pprint(mapping)
+
+start = "javautil"
+
+def rfind(what):
+    for file,data in mapping.items():
+        for k,v in data.items():
+            if v == what and k in data.values():
+                for k2, v2 in data.items():
+                    if v2 == k and k2 in data.values():
+                        for k3, v3 in data.items():
+                            if v3 == k2:
+                                return file + k3
+
+data = rfind("ja") + rfind("va") + rfind("ut") + rfind("il")
+
+data = bytearray(data.encode())
+for i in range(len(data)):
+    data[i] ^= 2
+
+print(data)
diff --git a/2020/rgbctf/oop/src.zip b/2020/rgbctf/oop/src.zip
new file mode 100644
index 0000000000000000000000000000000000000000..38e54a2e07fe8cc93b58183d48620157627c4a4b
GIT binary patch
literal 7011
zcma)AcRbYpALq`NJu;)Akafr&k&%6f4$*N&b~qy;GRq~|GWu4=*Ej3zNZETGkv$?`
zBs)9(?z+-l<@fmBJq~|(Js<Dq=k>bx>-l_wwSYtv1en)-@DTXhAK!lv5zrENxWj~v
zAjb%V-)vY+=WkeiCS)W4qbnE*$k1<oef$c_?-gD*gd8lrEHQ<ug&P($=ntmQ86`^{
zEJ91vGoB66=do)6xdRrVq(dxs^l9HOF~Vc*uj-xe)LxM3P}62{jQ?~#++bdz+AR4w
z!!(zkw2DTusjz;SJ%`1D%B)}^4`@JC#E#X27~+nYr*NW1BvT7mH>m+T*qRjBAlVvs
z*wqI4%vQ~8oOaHK<b&OEbxoXVtYEo|HEWvL%^8goi?7f`NXfQD*M_3egv|j2IK()P
zAm;6hM{K*`JF%YMh!qN2HFB+}2hw?GU;YPG@*+DKCFH!O8@UPNEAo_%Hx0=4?iA{Z
zS)As}=4~x2<FJ`)UNJac^qJCW0TB;OT1V^<b%4u=1^N-0tb>|;9n{*gj|YN6(~yBq
z&+YRG_j<OBwTt6e{ag|75wcvAb0dsTCz1`a<67l{p>=CJx;yGOS}wnI_(#9&obYHB
zd~dWfN{c?28{IGY>?HU2)RWCE<V57k5%jb=mbbi*FUeG=`CfRVYozYl(D0hkP2VfC
z*T`3BNKbcT%PY}5&bsQYoW{TATVT?nHQ)d}%$b;(0yY3lA#EyZa*>CvPq@S*#ep8K
zO<@$dek^93g`J|C6gAA3yhm>GR=<Unqr}QgpeB8cYT7{ug5uD6U*t3qhFXxrX`7h;
zOwHEr2x>~y!Q6}(YTIu8=}(*I$a(3A=$JAx*_OvctLB~VSlF(KY5A+VHmI22hnx#H
zX!rDW89H~)t8(lEEzipd2i@M#xAJfAbx1>FVYxg|9x!tu+`2;o8f@9|Cdi*JWhK-^
zY=9jK5-T%<-plG_OL~a#Kj>wHSrXd{z#>V@sNsgGuTkQPK=zM~U0fJqjby_6zmFpI
z5u@nribrhZ$0(wER`<PUZJOPaAUQ%6@dg47GTsb#@8d(In4ZZ$kxps-+^Z+Uvx;uo
zY%zSo__)QI-?jXr$e4bYTU5O}y<=}zn*oK-SSgtx4-lOskP(*iuFzIc0tpmmlRK5=
zYt<oGlWUo)292~6xD!Y$lj2n)`pK4E)VDnB>84hdjUO`==L#iH>f$ybhFV0X)#?A<
zGdmwVYCp#j^DScmPNI9(`1V`R0>duS^PHqHy*OHZN!G+7Pp`;2TVmTL4z-mTvD1=s
zWmmQPaU!%KYs6evKgQEp`tm!gE%5Q8QQ-Nw&$5M{FsJh^XPY)z2SI%XR89dP+i2--
z2waNHhS-~(AJ#{hYudEWp7bG;o!V;7ge1ue5z3@Ug(xKx_^MSPjN$cU)aUBM|2&Is
zN6lgtRlUeDq8<xF+WZ(+QMI$txez*QzTKe}(sB9Fs`}CfV3hi7V@E)o+d!U%n>&B}
zGOFt8lhm1QpEf?tg>2yqt&?k*+v7%{U>b4^D0>RlN@(WYv_O-jgBSuPWk2NseiXkl
ztyI=DI1s2>4_WdlzXy8Abe8QOV4(r4nV<v}BJ_Th|NL<Zk>at%T_A?qv3tXM|Gj1Q
zw~lC;5_LWIF`^pTf<kwPi5|NRVxmWJ5vFfLRL-<b+`ggrqWamR)qE{>4+{FC0waUO
zzL#saee)CG3Hjw!sqY)!4{O^bZB9)IS)&3w(?KJF@t3px0|n!DNVLzx1PMO24VC~$
z=wZH-E=`aV$np+ItunnZk#~C<v*<JvGuu-FvE3ZY-mS>94{D;mmVBhd5c9YGi{$sO
zS&<3;Dx><o%5*I4T@I=3zTU9lLT^IMGHYZVaeuG2IdpKJVe_Pcc7soBoAHBB8bd_<
zPPQGno!Va0YsME0fSi#onN>F0Iy(~{yQgTC>jq=n<C-CP9&fgu_OaF==#y*Sw8{rf
z!=Myd%4eJ}=NuR)<@3(5qQafh$#bTz5=ACOyp|b~N@kFMk^bRvW`A+qiv5}SGnvRH
z@3g3NPyngbUF~Qw{S}&~X>mQ?RQ@#X=R+wHh<jEbjXs{9+x&^q8lZS<>eOBp!afl?
zdXoD3dI7F%fiNi^&05(yDL)yxId~E(B!jXD-gc6Z-jVsa1AzYiWQ?*vMQ@0sP0j~i
z;$h-h>-$8@8jlS<eJ1Bmb6C}fxWxdb*#hRxsiuwz4Z>?Kq#3Z9Ag0dvFsYHPpyY^8
zE>w{qokTTYSxJ+fCE<zHzP-)t87bt50GH@bPxk1ySO0m(T`ze%W{yVjTEF48mmbBt
z>W9_szVu&*6B{PqJhxzYG`-A!<sbMGv6cu23r&8hwV$sCrHZam#G~_#%1X;8vy#=W
z)}5P!TX#tVUY69g=!&f5Furscf!Fz5>+q9GVN7DaLUx@&Mox-lMc`e_L#vXMIc*W6
zc00QyAZ5jPfY{C2jtFK^vgdsL7cTmD08S=8SkB|rKJb%neuXrk=$VNE5MHRyi1K*w
z;gW&2z6^u?T~lyN1K>Hk;jpz_hLgZO>npYI{vu+F7G6b67oXY^-vO{*YYy>H(LY!}
zwy$B$Fhut5LMxxgX%{ezl+p@X&3{YH=Gs>dwHqM2w4?!4k<4`WZMeIo?ITCO>k4jR
zT*lqyov(?DEI0DXyJnXEP9G8t{nr%*IoLTy`{B#1<@FZlQ)X+X{~#tJWp_{Qdl@B2
zl#pCv7`)5wswT+A@8hH6nJ&#<sSVOmF{PBHQeb>&0pOb*pZb?W-ZG>?F+UnHqgz%J
z9%cvw)ZVv>Gf?O+<_;0=x=%zyH#g~<Bc7(d5o9k=H=cbWMFEVsHq1oMX(@WZ{dXm^
zhXVtOV_$D(Ig=&Ut@2d^vlzX<L?@4`$pE50;vgaR3ez(q<rVpR%PnyhG1A5ii#{fr
zBBQ4IlvM91>U+eq6h}`d4)&g!%eLNSn}LsVepW1<{M-8A^bL6#J$Zl*vh*vf0iy6y
zEFZHb7vsb5*=$o?{~LZ`=jDiP6xE*n%bNx>%k*f|A<Vq@RCdPmf-h%UT(f(!{p0O_
z#V&T<9IOyAY`)|Ebe{AeWoJ(MqRR5L4^-hnh+?rg=NeqPu2Ra%!<61lL}~TTGx4ft
zXOI;7ss)g`_i~NK(Lxgx3Z7nKL3fcQ;X>yeTQhYYJ<Jb&a5Ip9#`H5WkU0)qXx~_z
zI*~J#QJ%ATb8W!Z;QCA!;DvzAaCNONU*(C`S|X;{Qs+D6P90!FpC<R=&biMD@3*ao
zdjHxx^X2_AN?9(audlbPlh>wHfJ4O6z+Sk?BlFfHX2}AV_I;+toC`Zz#8O^>K?CpI
zFYJ<zu$N2nH#926tj;>}gYJ=<np5~6FqjL4h*!5iQ(@sQ<9$5{?;@;UE$|5?m{RE4
zWO^>D1x3CF74Lm&0#8Z}UY3Bt_*J}wnvapU+gzQIl4>J7kd!|m{YGYp%57ox-!ZVd
zx<X6jfTFO>ff%F5-?i<*b$kIUCi)*@72y;r`Q=1idQk_@cS`N%9Y|z%5tG8hF^SJ!
zMx`_6X<6;4SDjPcx{sn$BgkF<m>-xgMR;fAnq`UQS>{4UY2BVwh6q%U_iR^N<NLj)
zvh8xuzcdZ=EXRAa9T8LJFWt)Ixm{n4vqVXbSLAM#OE>{uFvEp-OrjcyKRs)`;f{p!
z#}$pX>rXEAIA72i&-XRaCnS-3N|RY4X)~QM+c_^Zk~jAbny*<SCSEo4%-wN!l$ua`
zGW{czQh5K4x%i&AiQRoB4OP?a{f%ywY8y?`?r1qg+?!<;j~HUYwFId-A1>Cn-e=lx
z(AT|l<rXmre;|^1Th?N^q;NFYDDTxv|1WG`xbmA;*2SqhI9$|MFMoj96;4)ECoUIm
z9234h)f$Clp7z)()Ym9>1df(zQ8YImFDVqyKGpf<{%j{nf9YVF&hW@dmxsdZJ3i0f
z<N>RfzVIzJ=RK<9Uu2K3vab;cuY|q!vWcy@?yTAG^7aKFLSX{lu`Wwib?$NgZul5j
z!dT6bjtk=XnU3wF?NGu<zc;aQ+oEz2+an5>1Y4xpg*4YHslE9|u}yMEugdt_ZizQ*
zJ4N43ApGTvM&vs@2e}$&{^H`LK3KVv>G;t%Ti;27&3Ch1f<6Aj)l1%jiwof|cGH5N
zd^Jr~7-YY7UZAO<cQ+%;cBpgqKr1jU5-IU^IbW?VXCh2<zUro&PVC<zt|F?yss4<Y
zf~XU@3sloaLmu;GeL^E`aif*QW0Q~<zHMfqbYlVHqb4w~eBO4?EPH)&*~Fw$hxm_r
zVh%7Whq#Pu;cWx?*E0sfyJZsF##cw``d{ymZe@ad?Zj2<p9h-`Fc5b4!TlfH8nxLu
zSGHy|BDp*}b+6MuIEIIGvCaivOC8jv%X^0jwZT+p=)zkt{^TZby3@i(Zl4pg&HvVh
z8w8UQ5Oi>0{TtTGR{pZh$<f>V`gI+pOL~ToLqCi0v_JgppUW^J;IItW3gebyt?;k<
zf#ugyq3cIV2^f?KW(T!`uIOkRuh1ArfCB;1EWmTL?1XNdw87i#ED?aHlP8tHXD>Gc
zxS1~+)<w`JYIb$^YYFhSX!N&h2ng{B>gs4{2xu5llacW4mo95@M7&-%1yid4znNU(
zamsV%Xqj4w{`_?B`$xDzpPPq*2jkwW4xPnsCfA8OjAbRUphA{-?8b0^tgZORNUv(T
z>4iA!b$9*`Px>UA19mlHEnKBlHJm)|#a?-uqp+ZiHt+Hx#xym<9Z9v|7p%n>3Z3n=
zk3&g6Z9WNl8HxlEL?#q54MJHc2c6AWJtzy6y+_=}J#BMaYy6rai-GpLyKn;by>N3$
zO#6G(8<!sacL8pR$L!Ep^t?n1a7G|nfcsTw+P1JHUkuM{k+3#Vr)C|OS2dt>Qao|l
zFUxiS+L&L-I8@4^nK?0U;Spi6@Ab0nq~;pLEJ{?szaobr*(4~lDM_ow&oUR5LxZrP
z%sp$$7C1x$8;7#_D=7w6A8&dFWL9r-BAJztSw`4LErkV3neGk;B_|_u04eG4Xlkdg
z*=g4?%=pG{+WpR~_K2QYdEqhB_|dZ-S^8j%wHVLt0b>&vc0{dI)HKZ*kx_Z#v97Ym
zlD!UwVwOvpG?k2?7ieaV8@aclbl>|`wV%{1$`e$dSDrtypptOCg#+e7ngE1Vk<4Cg
zQecMciP~}&f<U$_p{-&AD{~Sev*!dtTt=9oRki~85HcIHIw#7!assggBw?{mJd&$u
z)gQS|gJBkx9?ktbvm>(!H#}yCJ?s6=G=)ICPR-f*PqK`UsTy$R^PE^ByPL!M#uRDc
zno=Qv4wEE(2Z~6}<&7@6N5riClSh<nkc6g|B_>k9IwD&Xic|phB_nwVM)+Y<K&PJG
z3c$w_aT@4eB2pjZY`e%A)L55<su}Krh$Y$1k8u=rB{lX=&Aa$WZhehj2Vj_;w>=~G
z-<jQX|1-00CHlLVY4q1y4UbQ+h56hCWHOuOzEQmxR#gQ(UflUg<LoUL*jz?r8DlGd
z6=(;sWK=(6gG_v}Xr*GF<{4wF+1bg_vc>@MMC_0js+e#DhQ=dzl?M!F0|igR=9lkg
zIswZ*Bb<pLiXvr*8U=U>iJvL2A@pNn)ca7CkzL6$)us}_`dDk!w_L)P*c<iWx9`~E
z5t9hB#$%OwIEh-Az$J7_`bCA?+x(~Pa}+aEv8Mp0k#5VJQnJ#9Yai108+7(i5v$H!
zR=KH~jeGOvy)3@1yQ^`Aac8cUF=h;Dt)o3I2tdgRGp7_NKn#&XJ|lQI%mJ|C`j7<B
z7~vkuz;JcAZqOl6M;<17wn0;!6zXM_>kADFSY9Q}vagdQOyPt9qY|cV-+g1Y#7cYW
z_kML9!ORDL60LtQLw%b>Rn$-W9@0=4Q1&^9l?8Kq$iGUE`U_s`Tv6h)+FEwDvfaL8
zlU@F{d7FUr*pmDGN4pEpnUk-jo|sk6Vumasb^uO9O^bw!;HDUWVK<~X<Q8}~Fg_j>
zPVQ!xn_F|&W>GBAXt#V63AbH*K(5JETG46zn6|J4#JobWdS@5waY<kIKmO@)2?0#N
zqaxm8=*E6~UHqhk`HkIjWQTz-SPN7AGw#LBODPF{R%Zl>ey=_Zf5{HRUtADOw2GTf
z;)75UVvlebv|>RpK`Sl@=CZ)e0r5fJe+M~?HL)O=tK(M?+{_Ihq#7LvV;;s~fcR$+
zOgx91ZsCI@0I?v4VI39(6W0BD65J>WAH<Ca3vw8X{rM!AXM!8r;DcxoV?hoxsG~t}
z0}_0YGbC7$!?fqmAQ&x#tIMeH=H$zF5F9x~M(`t9!9JBgt1)sMm@i80)C51ZnGpm#
zu^3(U{~&Nr@<j<ig9Cv(_&;HOiaT5l#e#E^j3D`6Veq8huiUVR8103tUGSgt3K|h}
zo<k*uea;vq_UqW-$^?9nHrnqU{~>z*+$@Zuz}?9BAQ^O6kVAce1;OZxUr&O&{O~~n
z=&>MnKQ7Qep9C|&xVr`)1j2v?Ioz6m2EnW)+-n^lM2Ha!a=4_hAebeEO9!(7aIa8&
k5Hcn#$l*S~f?)OmSc@1v-2?=T=(iL48#jgiR|10n0sV%fi~s-t

literal 0
HcmV?d00001