Language : C#
Platform : Windows x32/x64
OS Version : Windows 10
Packer / Protector : Modded ConfuserEx + a packer.

Description :

Basically, just find the key to decode the string.

All I will be (probably) using this for is for is to garbage-up some .INI files for my apps to read/write to, so that way there's no plain text.

This isn't for hiding some sensitive information lol. 

Also, if you could, rate the difficulty from 1/10. Thanks!

Screenshot :

 

CrackMe.rar

Edited January 11, 20205 yr by Kris
Updated the CrackMe.rar

I just unpacked and cleaned it up. I don't want to deal with decode

koi-fixed.exe

Bump.
I edited the CrackMe.rar with a slight change I'll be using for now on when I use this in my apps for .INI files. I cleaned up my code a little too instead of trying to try-hard for this challenge.
I feel it was okay for me to edit this since a reply hasn't been posted yet. If it was wrong please let me know. Thanks!
 

used your decode func to decode
Decoded: AnotherSuperSecretMessage

Spoiler

Key is AnotherSuperSecretMessage

After unpacking, passed byte array of the new encoded string to the decode function.

Spoiler

Decoded: AnotherSuperSecretMessage

Approach

Spoiler

Open in x64dbg, set breakpoint on mscoree.dll _CorExeMain, then dump .NET binary (dump1).

Open dump1, notice in entrypoint it decompresses and loads a new module. Run until decompression finishes, dump module (dump2).

Open dump2, notice all but <Module>::.cctor are unreadable/encrypted. In a typical ConfuserEx fashion, the method bodies are decrypted by the first call in <Module>::.cctor. Let the program execute this, and then dump executable again (dump3)

Open dump3, notice how references to external methods in corlib are extracted to stub methods. Below all renamed symbols:

Switch to ILSpy because it has a far superior decompiler engine. We then don't need to deobfuscate anything else. Copy/paste the encode method in a new C# project, test on sample "SuperSecretMessageLOL", and notice the output is equal to the encoded message. Decompiled code is therefore correct.

Notice method is XOR with key "MjU1", so encrypt/decrypt is the same:

Key:

Encryption:

Plug in the second encoded message as input for this method. Observe flag "AnotherSuperSecretMessage"

 

On 5/3/2020 at 7:29 PM, Washi said:

  Hide contents

 

  Hide contents

Open in x64dbg, set breakpoint on mscoree.dll _CorExeMain, then dump .NET binary (dump1).

 

I'm a noob. I searched but I do not know how to dump the .NET binary. Could you send me any source about this. Thank you!

2 hours ago, ruaden21 said:

I'm a noob. I searched but I do not know how to dump the .NET binary. Could you send me any source about this. Thank you!

Personally, I like to use the Scylla plugin of x64dbg, doing it manually by going to the memory map of x64dbg and dump the relevant memory ranges from there, or using WinDbg .writemem or the !savemodule sos extension command, depending on which debugger I am using at the moment. Also, once you're able to open the app in dnSpy, dnSpy can also reconstruct .NET modules from memory, by going to Debug > Windows > Modules and then right clicking the module you want to dump.

There are probably also other tools out there that can do the same.

Edited May 29, 20205 yr by Washi

On 5/3/2020 at 2:29 PM, Washi said:

  Hide contents

Decoded: AnotherSuperSecretMessage

Approach

  Hide contents

Open in x64dbg, set breakpoint on mscoree.dll _CorExeMain, then dump .NET binary (dump1).

Open dump1, notice in entrypoint it decompresses and loads a new module. Run until decompression finishes, dump module (dump2).

Open dump2, notice all but <Module>::.cctor are unreadable/encrypted. In a typical ConfuserEx fashion, the method bodies are decrypted by the first call in <Module>::.cctor. Let the program execute this, and then dump executable again (dump3)

Open dump3, notice how references to external methods in corlib are extracted to stub methods. Below all renamed symbols:

Switch to ILSpy because it has a far superior decompiler engine. We then don't need to deobfuscate anything else. Copy/paste the encode method in a new C# project, test on sample "SuperSecretMessageLOL", and notice the output is equal to the encoded message. Decompiled code is therefore correct.

Notice method is XOR with key "MjU1", so encrypt/decrypt is the same:

Key:

Encryption:

Plug in the second encoded message as input for this method. Observe flag "AnotherSuperSecretMessage"

 

I really like how you give your approach not as a full tutorial but with explanation instead of only saying "unpacked + file". Thanks you for your explanation ! 

Nice  Challenge send me source for this app