Fresh Java

Published: July 20, 2023

Description

The compiled KeygenMe.class contains the flag in reverse order. Decompile (or strings/grep) and reverse the characters to reveal it.

Use jd-gui (or another Java decompiler) to view KeygenMe.class and export it as KeygenMe.java.

Grep for `str.charAt` to extract the characters, then reverse the string.

cat KeygenMe.java | grep "str.char" | cut -d "'" -f2 | tr -d '\n' | rev

Solution

  1. Step 1: Decompile or strings
    jd-gui quickly shows the obfuscated code: the flag is built via repeated `str.charAt` calls, but in reverse order.

    Java .class files contain bytecode - a platform-independent intermediate representation that the JVM executes. Unlike native binaries, bytecode retains rich structural information: class names, method names, field names, and string literals survive compilation largely intact. This makes Java bytecode much easier to reverse engineer than compiled C or C++ code.

    jd-gui is a popular graphical Java decompiler that reconstructs near-perfect Java source from bytecode. Other tools include Procyon, CFR, and Fernflower (the engine inside IntelliJ IDEA). For CTF purposes, even `strings KeygenMe.class` often reveals string literals embedded in the bytecode without needing full decompilation.

    The `str.charAt(n)` pattern is a simple character-by-character string construction technique sometimes used to obfuscate string literals, since the full string never appears as a single contiguous literal in the bytecode. However, the characters are still all present - just scattered across multiple calls - making grep-based extraction straightforward.

  2. Step 2: Reverse the characters
    Extract the characters (via grep/cut) and pipe them through `rev` to recover picoCTF{...}.

    The flag is stored character by character in reverse order, so after extracting all the individual characters from the `charAt` calls and concatenating them, the resulting string is the flag backwards. The `rev` utility reverses lines of text character by character - piping the concatenated string through it gives the correct flag immediately.

    Storing data reversed (or with characters interleaved, scrambled, or split) is a trivial obfuscation technique that appears often in CTFs and in real malware. Tools like `rev`, Python's slice notation `s[::-1]`, and string manipulation in any scripting language make it trivial to undo once identified.

    The pipeline `grep | cut | tr -d | rev` is a good example of Unix philosophy in action: each tool does one thing well, and they compose cleanly through pipes to accomplish a task that would require significantly more code in a self-contained program.
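As an added example that is not part of the writeup: the extraction pipeline run against a constructed stand-in for the decompiled KeygenMe.java (with a placeholder flag, not the real one), plus an index-sorting variant that does not depend on the checks appearing in strict reverse order.

```shell
#!/bin/sh
# Added example, not from the writeup. sample_java() emits a CONSTRUCTED
# stand-in for jd-gui's output on KeygenMe.class: the checks appear last
# character first, and the flag value is a placeholder, not the real one.
sample_java() {
    cat <<'EOF'
public class KeygenMe {
  public static void main(String[] args) {
    String str = args[0];
    if (str.charAt(11) != '}') { System.exit(1); }
    if (str.charAt(10) != '4') { System.exit(1); }
    if (str.charAt(9) != 'x') { System.exit(1); }
    if (str.charAt(8) != '3') { System.exit(1); }
    if (str.charAt(7) != '{') { System.exit(1); }
    if (str.charAt(6) != 'F') { System.exit(1); }
    if (str.charAt(5) != 'T') { System.exit(1); }
    if (str.charAt(4) != 'C') { System.exit(1); }
    if (str.charAt(3) != 'o') { System.exit(1); }
    if (str.charAt(2) != 'c') { System.exit(1); }
    if (str.charAt(1) != 'i') { System.exit(1); }
    if (str.charAt(0) != 'p') { System.exit(1); }
    System.out.println("Valid key");
  }
}
EOF
}

# The writeup's pipeline: keep the charAt lines, take the text between the
# first pair of single quotes, join the characters, then reverse the order.
recover_flag() {
    grep "str.char" | cut -d "'" -f2 | tr -d '\n' | rev
}

# Generalisation: place each character by its charAt index instead of
# assuming the decompiler emitted the checks in strict reverse order.
# Splitting on the single quote keeps a ' ' literal intact as well.
recover_flag_by_index() {
    awk -F"'" '/str\.charAt\(/ {
        idx = $0; sub(/.*charAt\(/, "", idx); sub(/\).*/, "", idx)
        c[idx + 0] = $2; if (idx + 0 > max) max = idx + 0
    } END { for (i = 0; i <= max; i++) printf "%s", c[i]; print "" }'
}

printf '%s\n' "$(sample_java | recover_flag)"   # prints picoCTF{3x4}
sample_java | recover_flag_by_index             # same result
```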

Flag

picoCTF{700l1ng_r3qu1r3d_2bf...}

The challenge name is a hint: you need fresh Java tooling to read the class file.

Want more picoCTF 2022 writeups?
