Posted January 10, 2020
Language : C#
Platform : Windows x32/x64
OS Version : Windows 10
Packer / Protector : Modded ConfuserEx + a packer.
Description : Basically, just find the key to decode the string. All I will (probably) be using this for is to garbage-up some .INI files for my apps to read/write to, so that way there's no plain text. This isn't for hiding some sensitive information lol. Also, if you could, rate the difficulty from 1/10. Thanks!
Screenshot : [image]
Attachment : CrackMe.rar
Edited January 11, 2020 by Kris: Updated the CrackMe.rar
January 11, 2020
I just unpacked and cleaned it up. I don't want to deal with decode. koi-fixed.exe
January 11, 2020 (Author)
Bump. I edited the CrackMe.rar with a slight change I'll be using from now on when I use this in my apps for .INI files. I cleaned up my code a little too instead of trying to try-hard for this challenge. I feel it was okay for me to edit this since a reply hasn't been posted yet. If it was wrong please let me know. Thanks!
March 19, 2020
Spoiler: Key is AnotherSuperSecretMessage. After unpacking, passed byte array of the new encoded string to the decode function.
May 3, 2020
Solution (spoiler): Decoded: AnotherSuperSecretMessage
Approach (spoiler):
1. Open in x64dbg, set breakpoint on mscoree.dll _CorExeMain, then dump .NET binary (dump1).
2. Open dump1, notice in entrypoint it decompresses and loads a new module. Run until decompression finishes, dump module (dump2).
3. Open dump2, notice all but <Module>::.cctor are unreadable/encrypted. In a typical ConfuserEx fashion, the method bodies are decrypted by the first call in <Module>::.cctor. Let the program execute this, and then dump executable again (dump3).
4. Open dump3, notice how references to external methods in corlib are extracted to stub methods. Below all renamed symbols: [screenshot]
5. Switch to ILSpy because it has a far superior decompiler engine. We then don't need to deobfuscate anything else.
6. Copy/paste the encode method in a new C# project, test on sample "SuperSecretMessageLOL", and notice the output is equal to the encoded message. Decompiled code is therefore correct.
7. Notice method is XOR with key "MjU1", so encrypt/decrypt is the same. Key: [screenshot] Encryption: [screenshot]
8. Plug in the second encoded message as input for this method. Observe flag "AnotherSuperSecretMessage".
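Step 7 above rests on a property of repeating-key XOR: applying the same key a second time undoes the first application, so one routine serves as both encoder and decoder. The following Python script is an added example, not the crackme's code and not Washi's C# test project. It assumes the key "MjU1" named in the write-up, UTF-8 text and a hex string for the encoded output; the actual byte layout of the original method is not reproduced in this thread, so that part is an assumption. It also shows, for the original poster's "garbage-up .INI files" use case, why this is obfuscation rather than encryption: a few bytes of known plaintext recover the whole key.

```python
"""Repeating-key XOR as described in the write-up (added example, assumptions noted)."""
from itertools import cycle

# Key named in the write-up. That the method cycles the key over raw UTF-8 bytes
# and emits hex is an assumption; the decompiled C# is not shown in the thread.
KEY = b"MjU1"


def xor_with_key(data: bytes, key: bytes = KEY) -> bytes:
    """XOR every byte of data with the key, repeating the key as needed.

    XOR is its own inverse: xor_with_key(xor_with_key(x)) == x.
    """
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def encode(text: str, key: bytes = KEY) -> str:
    """Text -> hex string of XORed bytes (output format is an assumption)."""
    return xor_with_key(text.encode("utf-8"), key).hex()


def decode(hex_text: str, key: bytes = KEY) -> str:
    """Hex string -> text; identical XOR step, only the framing differs."""
    return xor_with_key(bytes.fromhex(hex_text), key).decode("utf-8")


def round_trip_ok(text: str) -> bool:
    """Demonstrates the involution property the write-up relies on."""
    return decode(encode(text)) == text


def recover_key(known_plaintext: bytes, ciphertext: bytes, key_len: int) -> bytes:
    """Why this is not confidentiality: key_len bytes of known plaintext
    (e.g. a predictable INI section header) XORed with the matching
    ciphertext bytes give the key directly."""
    if len(known_plaintext) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of both inputs")
    return bytes(p ^ c for p, c in zip(known_plaintext[:key_len], ciphertext[:key_len]))


if __name__ == "__main__":
    sample = "SuperSecretMessageLOL"  # sample string used in the write-up
    enc = encode(sample)
    print(f"{sample!r} -> {enc}")
    print(f"{enc} -> {decode(enc)!r}")
    # Constructed INI-style line: the fixed header alone leaks the key.
    ini_line = b"[Settings]\r\nVolume=80"
    print("recovered key:", recover_key(ini_line, xor_with_key(ini_line), len(KEY)))
```

Run it directly to see the round trip; the key-recovery call at the end is the reason a fixed-key XOR layer should be treated as a deterrent against casual editing, nothing more.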
May 29, 2020
On 5/3/2020 at 7:29 PM, Washi said: "Open in x64dbg, set breakpoint on mscoree.dll _CorExeMain, then dump .NET binary (dump1)."
I'm a noob. I searched but I do not know how to dump the .NET binary. Could you send me any source about this. Thank you!
May 29, 2020
2 hours ago, ruaden21 said: "I'm a noob. I searched but I do not know how to dump the .NET binary. Could you send me any source about this. Thank you!"
Personally, I like to use the Scylla plugin of x64dbg, do it manually by going to the memory map of x64dbg and dumping the relevant memory ranges from there, or use WinDbg .writemem or the !savemodule sos extension command, depending on which debugger I am using at the moment. Also, once you're able to open the app in dnSpy, dnSpy can also reconstruct .NET modules from memory, by going to Debug > Windows > Modules and then right clicking the module you want to dump. There are probably also other tools out there that can do the same.
Edited May 29, 2020 by Washi
May 29, 2020
On 5/3/2020 at 2:29 PM, Washi said: "Decoded: AnotherSuperSecretMessage [...]" (full solution and approach quoted from the post above)
I really like how you give your approach not as a full tutorial but with explanation instead of only saying "unpacked + file". Thank you for your explanation!