Jump to content
Tuts 4 You
Sign in to follow this  
Kris

.NET CrackMe (First Attempt)

Recommended Posts

Kris

Language : C#
Platform : Windows x32/x64
OS Version : Windows 10
Packer / Protector : Modded ConfuserEx + a packer.

Description :

Basically, just find the key to decode the string.

All I will be (probably) using this for is for is to garbage-up some .INI files for my apps to read/write to, so that way there's no plain text.

This isn't for hiding some sensitive information lol. 

Also, if you could, rate the difficulty from 1/10. Thanks!

Screenshot :

tfbcvnL.png

 

CrackMe.rar

Edited by Kris
Updated the CrackMe.rar (see edit history)

Share this post


Link to post
Rhotav

I just unpacked and cleaned it up. I don't want to deal with decode

koi-fixed.exe

Share this post


Link to post
Kris

Bump.
I edited the CrackMe.rar with a slight change I'll be using for now on when I use this in my apps for .INI files. I cleaned up my code a little too instead of trying to try-hard for this challenge.
I feel it was okay for me to edit this since a reply hasn't been posted yet. If it was wrong please let me know. Thanks!
 

Share this post


Link to post
aslan4747

used your decode func to decode
Decoded: AnotherSuperSecretMessage

Share this post


Link to post
SirKebab
Spoiler

Key is AnotherSuperSecretMessage

After unpacking, passed byte array of the new encoded string to the decode function.

Share this post


Link to post
Washi
Spoiler

Decoded: AnotherSuperSecretMessage

Approach

Spoiler

Open in x64dbg, set breakpoint on mscoree.dll _CorExeMain, then dump .NET binary (dump1).

Open dump1, notice in entrypoint it decompresses and loads a new module. Run until decompression finishes, dump module (dump2).

Open dump2, notice all but <Module>::.cctor are unreadable/encrypted. In a typical ConfuserEx fashion, the method bodies are decrypted by the first call in <Module>::.cctor. Let the program execute this, and then dump executable again (dump3)

Open dump3, notice how references to external methods in corlib are extracted to stub methods. Below all renamed symbols:

Screenshot_20200503_142129.png.cb6dd57d2f6be7044fd0a8591310d577.png

Switch to ILSpy because it has a far superior decompiler engine. We then don't need to deobfuscate anything else. Copy/paste the encode method in a new C# project, test on sample "SuperSecretMessageLOL", and notice the output is equal to the encoded message. Decompiled code is therefore correct.

Notice method is XOR with key "MjU1", so encrypt/decrypt is the same:

Key:

Screenshot_20200503_142607.png.bfb4db8718602ed0a38b1e51d1143744.png

Encryption:

Screenshot_20200503_142720.png.c860814dc069522a2e8e9809be8b5bc9.png

Plug in the second encoded message as input for this method. Observe flag "AnotherSuperSecretMessage"

 

  • Like 2
  • Thanks 3

Share this post


Link to post
ruaden21
On 5/3/2020 at 7:29 PM, Washi said:
  Hide contents

 

  Hide contents

Open in x64dbg, set breakpoint on mscoree.dll _CorExeMain, then dump .NET binary (dump1).

 

I'm a noob. I searched but I do not know how to dump the .NET binary. Could you send me any source about this. Thank you!

Share this post


Link to post
Washi
Posted (edited)
2 hours ago, ruaden21 said:

I'm a noob. I searched but I do not know how to dump the .NET binary. Could you send me any source about this. Thank you!

Personally, I like to use the Scylla plugin of x64dbg, doing it manually by going to the memory map of x64dbg and dump the relevant memory ranges from there, or using WinDbg .writemem or the !savemodule sos extension command, depending on which debugger I am using at the moment. Also, once you're able to open the app in dnSpy, dnSpy can also reconstruct .NET modules from memory, by going to Debug > Windows > Modules and then right clicking the module you want to dump.

There are probably also other tools out there that can do the same.

Edited by Washi (see edit history)
  • Like 2
  • Thanks 1

Share this post


Link to post
MindSystem
On 5/3/2020 at 2:29 PM, Washi said:
  Hide contents

Decoded: AnotherSuperSecretMessage

Approach

  Hide contents

Open in x64dbg, set breakpoint on mscoree.dll _CorExeMain, then dump .NET binary (dump1).

Open dump1, notice in entrypoint it decompresses and loads a new module. Run until decompression finishes, dump module (dump2).

Open dump2, notice all but <Module>::.cctor are unreadable/encrypted. In a typical ConfuserEx fashion, the method bodies are decrypted by the first call in <Module>::.cctor. Let the program execute this, and then dump executable again (dump3)

Open dump3, notice how references to external methods in corlib are extracted to stub methods. Below all renamed symbols:

Screenshot_20200503_142129.png.cb6dd57d2f6be7044fd0a8591310d577.png

Switch to ILSpy because it has a far superior decompiler engine. We then don't need to deobfuscate anything else. Copy/paste the encode method in a new C# project, test on sample "SuperSecretMessageLOL", and notice the output is equal to the encoded message. Decompiled code is therefore correct.

Notice method is XOR with key "MjU1", so encrypt/decrypt is the same:

Key:

Screenshot_20200503_142607.png.bfb4db8718602ed0a38b1e51d1143744.png

Encryption:

Screenshot_20200503_142720.png.c860814dc069522a2e8e9809be8b5bc9.png

Plug in the second encoded message as input for this method. Observe flag "AnotherSuperSecretMessage"

 

I really like how you give your approach not as a full tutorial but with explanation instead of only saying "unpacked + file". Thanks you for your explanation ! 

  • Like 1

Share this post


Link to post
Uacoder

Nice  Challenge send me source for this app 

Share this post


Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  
×
×
  • Create New...