Jump to content
Tuts 4 You

.NET CrackMe (First Attempt)

Kris

By Kris
in CrackMe

 Share
Go to solution Solved by Washi,

Recommended Posts

Kris

Kris

Posted
Posted (edited)

Language : C#
Platform : Windows x32/x64
OS Version : Windows 10
Packer / Protector : Modded ConfuserEx + a packer.

Description :

Basically, just find the key to decode the string.

All I will be (probably) using this for is for is to garbage-up some .INI files for my apps to read/write to, so that way there's no plain text.

This isn't for hiding some sensitive information lol. 

Also, if you could, rate the difficulty from 1/10. Thanks!

Screenshot :

tfbcvnL.png

 

CrackMe.rar

Edited by Kris
Updated the CrackMe.rar
Link to comment
Share on other sites
Kris

Kris

Posted
  • Author
Posted

Bump.
I edited the CrackMe.rar with a slight change I'll be using for now on when I use this in my apps for .INI files. I cleaned up my code a little too instead of trying to try-hard for this challenge.
I feel it was okay for me to edit this since a reply hasn't been posted yet. If it was wrong please let me know. Thanks!
 

Link to comment
Share on other sites
  • 1 month later...
  • 2 weeks later...
SirKebab

SirKebab

Posted
Posted
Spoiler

Key is AnotherSuperSecretMessage

After unpacking, passed byte array of the new encoded string to the decode function.

Link to comment
Share on other sites
  • 1 month later...
  • Solution
Washi

Washi

Posted
  • Solution
Posted
Spoiler

Decoded: AnotherSuperSecretMessage

Approach

Spoiler

Open in x64dbg, set breakpoint on mscoree.dll _CorExeMain, then dump .NET binary (dump1).

Open dump1, notice in entrypoint it decompresses and loads a new module. Run until decompression finishes, dump module (dump2).

Open dump2, notice all but <Module>::.cctor are unreadable/encrypted. In a typical ConfuserEx fashion, the method bodies are decrypted by the first call in <Module>::.cctor. Let the program execute this, and then dump executable again (dump3)

Open dump3, notice how references to external methods in corlib are extracted to stub methods. Below all renamed symbols:

Screenshot_20200503_142129.png.cb6dd57d2f6be7044fd0a8591310d577.png

Switch to ILSpy because it has a far superior decompiler engine. We then don't need to deobfuscate anything else. Copy/paste the encode method in a new C# project, test on sample "SuperSecretMessageLOL", and notice the output is equal to the encoded message. Decompiled code is therefore correct.

Notice method is XOR with key "MjU1", so encrypt/decrypt is the same:

Key:

Screenshot_20200503_142607.png.bfb4db8718602ed0a38b1e51d1143744.png

Encryption:

Screenshot_20200503_142720.png.c860814dc069522a2e8e9809be8b5bc9.png

Plug in the second encoded message as input for this method. Observe flag "AnotherSuperSecretMessage"

 

  • Like 5
  • Thanks 3
Link to comment
Share on other sites
  • 4 weeks later...
ruaden21

ruaden21

Posted
Posted
On 5/3/2020 at 7:29 PM, Washi said:
  Hide contents

 

  Hide contents

Open in x64dbg, set breakpoint on mscoree.dll _CorExeMain, then dump .NET binary (dump1).

 

I'm a noob. I searched but I do not know how to dump the .NET binary. Could you send me any source about this. Thank you!

Link to comment
Share on other sites
Washi

Washi

Posted
Posted (edited)
2 hours ago, ruaden21 said:

I'm a noob. I searched but I do not know how to dump the .NET binary. Could you send me any source about this. Thank you!

Personally, I like to use the Scylla plugin of x64dbg, doing it manually by going to the memory map of x64dbg and dump the relevant memory ranges from there, or using WinDbg .writemem or the !savemodule sos extension command, depending on which debugger I am using at the moment. Also, once you're able to open the app in dnSpy, dnSpy can also reconstruct .NET modules from memory, by going to Debug > Windows > Modules and then right clicking the module you want to dump.

There are probably also other tools out there that can do the same.

Edited by Washi
  • Like 2
  • Thanks 1
Link to comment
Share on other sites
MindSystem

MindSystem

Posted
Posted
On 5/3/2020 at 2:29 PM, Washi said:
  Hide contents

Decoded: AnotherSuperSecretMessage

Approach

  Hide contents

Open in x64dbg, set breakpoint on mscoree.dll _CorExeMain, then dump .NET binary (dump1).

Open dump1, notice in entrypoint it decompresses and loads a new module. Run until decompression finishes, dump module (dump2).

Open dump2, notice all but <Module>::.cctor are unreadable/encrypted. In a typical ConfuserEx fashion, the method bodies are decrypted by the first call in <Module>::.cctor. Let the program execute this, and then dump executable again (dump3)

Open dump3, notice how references to external methods in corlib are extracted to stub methods. Below all renamed symbols:

Screenshot_20200503_142129.png.cb6dd57d2f6be7044fd0a8591310d577.png

Switch to ILSpy because it has a far superior decompiler engine. We then don't need to deobfuscate anything else. Copy/paste the encode method in a new C# project, test on sample "SuperSecretMessageLOL", and notice the output is equal to the encoded message. Decompiled code is therefore correct.

Notice method is XOR with key "MjU1", so encrypt/decrypt is the same:

Key:

Screenshot_20200503_142607.png.bfb4db8718602ed0a38b1e51d1143744.png

Encryption:

Screenshot_20200503_142720.png.c860814dc069522a2e8e9809be8b5bc9.png

Plug in the second encoded message as input for this method. Observe flag "AnotherSuperSecretMessage"

 

I really like how you give your approach not as a full tutorial but with explanation instead of only saying "unpacked + file". Thanks you for your explanation ! 

  • Like 1
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...