# Toast clicker 3 (96p, 21 solved) The last part of the challenge comes from: ```java public void loadClass() { String methodToInvoke = "printThirdFlag"; try { Class loadedClass = new DexClassLoader(Uri.fromFile(new File(getExternalFilesDir(null), "bacon-final.dex")).toString(), null, null, ClassLoader.getSystemClassLoader().getParent()).loadClass("bacon.ToastDynamicFlag"); Object obj = loadedClass.newInstance(); String str = (String) loadedClass.getMethod(methodToInvoke, new Class[]{String.class, String.class}).invoke(obj, new Object[]{"ijiijiiijjjjjijijijiiijjijjjji", "jjjiiiiijjjijijijjijiijji"}); } catch (ClassNotFoundException e) { e.printStackTrace(); } catch (InstantiationException e2) { e2.printStackTrace(); } catch (IllegalAccessException e3) { e3.printStackTrace(); } catch (NoSuchMethodException e4) { e4.printStackTrace(); } catch (IllegalArgumentException e5) { e5.printStackTrace(); } catch (InvocationTargetException e6) { e6.printStackTrace(); } } ``` It looks weird, but in reality this is simply loading a new class `bacon.ToastDynamicFlag` at runtime from `bacon-final.dex` and calls method `printThirdFlag` on object of this class with arguments `"ijiijiiijjjjjijijijiiijjijjjji", "jjjiiiiijjjijijijjijiijji"`. This dex file comes from: ```java public void downloadFile() { File file = new File(getExternalFilesDir(null), "bacon-final.dex"); DownloadManager downloadmanager = (DownloadManager) getSystemService("download"); Request request = new Request(Uri.parse("https://storage.googleapis.com/bsides-sf-ctf-2020-attachments/bacon-final.dex")); request.setTitle("Dex File"); request.setDescription("Downloading update"); request.setNotificationVisibility(1); request.setVisibleInDownloadsUi(false); request.setDestinationUri(Uri.fromFile(file)); request.setAllowedOverRoaming(false); request.setAllowedOverMetered(false); Log.d("File path", Uri.fromFile(file).toString()); this.downloadID = downloadmanager.enqueue(request); } ``` We can just grab the [dex](https://raw.githubusercontent.com/TFNS/writeups/master/2020-02-23-BSidesSF/toast/bacon- final.dex) from the URL and decompile it just as we did with the apk. There is only [one class](https://raw.githubusercontent.com/TFNS/writeups/master/2020-02-23-BSidesSF/toast/ToastDynamicFlag.java) there. As mentioned, we only need to call the function there to get the flag, so we do just that, add a main method with: ```java public static void main(String[] args) { ToastDynamicFlag toastDynamicFlag = new ToastDynamicFlag(); System.out.println(toastDynamicFlag.printThirdFlag("ijiijiiijjjjjijijijiiijjijjjji", "jjjiiiiijjjijijijjijiijji")); } ``` And run this to get `CTF{makingbaconpancakes}` Original writeup (https://github.com/TFNS/writeups/blob/master/2020-02-23-BSidesSF/toast/README.md).# Toast clicker 3 (96p, 21 solved) The last part of the challenge comes from: ```java public void loadClass() { String methodToInvoke = "printThirdFlag"; try { Class loadedClass = new DexClassLoader(Uri.fromFile(new File(getExternalFilesDir(null), "bacon-final.dex")).toString(), null, null, ClassLoader.getSystemClassLoader().getParent()).loadClass("bacon.ToastDynamicFlag"); Object obj = loadedClass.newInstance(); String str = (String) loadedClass.getMethod(methodToInvoke, new Class[]{String.class, String.class}).invoke(obj, new Object[]{"ijiijiiijjjjjijijijiiijjijjjji", "jjjiiiiijjjijijijjijiijji"}); } catch (ClassNotFoundException e) { e.printStackTrace(); } catch (InstantiationException e2) { e2.printStackTrace(); } catch (IllegalAccessException e3) { e3.printStackTrace(); } catch (NoSuchMethodException e4) { e4.printStackTrace(); } catch (IllegalArgumentException e5) { e5.printStackTrace(); } catch (InvocationTargetException e6) { e6.printStackTrace(); } } ``` It looks weird, but in reality this is simply loading a new class `bacon.ToastDynamicFlag` at runtime from `bacon-final.dex` and calls method `printThirdFlag` on object of this class with arguments `"ijiijiiijjjjjijijijiiijjijjjji", "jjjiiiiijjjijijijjijiijji"`. This dex file comes from: ```java public void downloadFile() { File file = new File(getExternalFilesDir(null), "bacon-final.dex"); DownloadManager downloadmanager = (DownloadManager) getSystemService("download"); Request request = new Request(Uri.parse("https://storage.googleapis.com/bsides-sf- ctf-2020-attachments/bacon-final.dex")); request.setTitle("Dex File"); request.setDescription("Downloading update"); request.setNotificationVisibility(1); request.setVisibleInDownloadsUi(false); request.setDestinationUri(Uri.fromFile(file)); request.setAllowedOverRoaming(false); request.setAllowedOverMetered(false); Log.d("File path", Uri.fromFile(file).toString()); this.downloadID = downloadmanager.enqueue(request); } ``` We can just grab the [dex](https://raw.githubusercontent.com/TFNS/writeups/master/2020-02-23-BSidesSF/toast/bacon- final.dex) from the URL and decompile it just as we did with the apk. There is only [one class](https://raw.githubusercontent.com/TFNS/writeups/master/2020-02-23-BSidesSF/toast/ToastDynamicFlag.java) there. As mentioned, we only need to call the function there to get the flag, so we do just that, add a main method with: ```java public static void main(String[] args) { ToastDynamicFlag toastDynamicFlag = new ToastDynamicFlag(); System.out.println(toastDynamicFlag.printThirdFlag("ijiijiiijjjjjijijijiiijjijjjji", "jjjiiiiijjjijijijjijiijji")); } ``` And run this to get `CTF{makingbaconpancakes}` Original writeup (https://github.com/TFNS/writeups/blob/master/2020-02-23-BSidesSF/toast/README.md).