Tuts 4 You

.NET CrackMe (First Attempt)


Kris


Language : C#
Platform : Windows x32/x64
OS Version : Windows 10
Packer / Protector : Modded ConfuserEx + a packer.

Description :

Basically, just find the key to decode the string.

All I will (probably) be using this for is to garbage-up some .INI files for my apps to read/write to, so that way there's no plain text.

This isn't for hiding some sensitive information lol. 

Also, if you could, rate the difficulty from 1/10. Thanks!

Screenshot :

[screenshot]

 

CrackMe.rar

Edited by Kris
Updated the CrackMe.rar

Bump.
I edited the CrackMe.rar with a slight change I'll be using for now on when I use this in my apps for .INI files. I cleaned up my code a little too instead of trying to try-hard for this challenge.
I feel it was okay for me to edit this since a reply hasn't been posted yet. If it was wrong please let me know. Thanks!
 

SirKebab

Key is AnotherSuperSecretMessage

After unpacking, passed byte array of the new encoded string to the decode function.

Solution
Washi

Decoded: AnotherSuperSecretMessage

Approach


Open in x64dbg, set breakpoint on mscoree.dll _CorExeMain, then dump .NET binary (dump1).

Open dump1, notice in entrypoint it decompresses and loads a new module. Run until decompression finishes, dump module (dump2).

Open dump2, notice all but <Module>::.cctor are unreadable/encrypted. In a typical ConfuserEx fashion, the method bodies are decrypted by the first call in <Module>::.cctor. Let the program execute this, and then dump the executable again (dump3).

Open dump3, notice how references to external methods in corlib are extracted to stub methods. Below all renamed symbols:

[screenshot: renamed symbols]

Switch to ILSpy because it has a far superior decompiler engine. We then don't need to deobfuscate anything else. Copy/paste the encode method in a new C# project, test on sample "SuperSecretMessageLOL", and notice the output is equal to the encoded message. Decompiled code is therefore correct.

Notice method is XOR with key "MjU1", so encrypt/decrypt is the same:

Key:

[screenshot: key]

Encryption:

[screenshot: encryption method]

Plug in the second encoded message as input for this method. Observe flag "AnotherSuperSecretMessage".

 

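The XOR step described in Washi's approach, as an added example (this is not Washi's decompiled code and not Kris's implementation): it assumes the key "MjU1" is applied as its four ASCII bytes, repeating over the message, which the screenshots alone do not confirm. It shows why one function both encodes and decodes, and the check a practitioner would want on the "garbage-up some .INI files" plan: XORing a ciphertext with a single known plaintext line hands back the key stream, so repeating-key XOR hides text from a casual look and nothing more.

```python
# Added example: repeating-key XOR as described in the write-up.
# Assumption: the key "MjU1" is used as its ASCII bytes, cycled over the input.
KEY = b"MjU1"


def xor_with_key(data: bytes, key: bytes = KEY) -> bytes:
    """Repeating-key XOR. XOR is its own inverse, so this both encodes and decodes."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def round_trip(message: str, key: bytes = KEY) -> bool:
    """Encode then decode and confirm the original text comes back unchanged."""
    encoded = xor_with_key(message.encode("utf-8"), key)
    return xor_with_key(encoded, key).decode("utf-8") == message


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """ciphertext XOR plaintext yields the key stream; its first key_len bytes are the key.
    This is why a short repeating XOR key offers no confidentiality: one known line
    of an .INI file (a section header, a setting name) is enough to recover it."""
    if len(known_plaintext) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext and ciphertext")
    stream = bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))
    return stream[:key_len]


if __name__ == "__main__":
    sample = "SuperSecretMessageLOL"          # test string named in the write-up
    encoded = xor_with_key(sample.encode())
    print("encoded bytes:", encoded.hex())
    print("round trip ok:", round_trip(sample))
    # Constructed known-plaintext check: the first four characters of the sample are
    # treated as the attacker-known fragment; the recovered key must equal KEY.
    print("recovered key:", recover_key(encoded, b"Supe", len(KEY)))
```

The symmetry is the whole reason Washi could reuse the decompiled encode method as a decoder, and the key recovery is the reason this should be filed under obfuscation rather than encryption.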
ruaden21
On 5/3/2020 at 7:29 PM, Washi said:

Open in x64dbg, set breakpoint on mscoree.dll _CorExeMain, then dump .NET binary (dump1).

I'm a noob. I searched but I do not know how to dump the .NET binary. Could you send me any source about this. Thank you!

Washi
2 hours ago, ruaden21 said:

I'm a noob. I searched but I do not know how to dump the .NET binary. Could you send me any source about this. Thank you!

Personally, I like to use the Scylla plugin of x64dbg, doing it manually by going to the memory map of x64dbg and dumping the relevant memory ranges from there, or using WinDbg .writemem or the !savemodule sos extension command, depending on which debugger I am using at the moment. Also, once you're able to open the app in dnSpy, dnSpy can also reconstruct .NET modules from memory, by going to Debug > Windows > Modules and then right clicking the module you want to dump.

There are probably also other tools out there that can do the same.

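Whichever of the tools Washi lists produced the dump, the first thing to check is whether the blob is actually a managed module and not a native stub or a truncated region. The following added example (not Washi's or any of those tools' code) parses the PE headers of a dumped image and reports the CLR runtime header data directory, which is what marks a module as .NET. The sample input is a constructed minimal header block, not a real binary.

```python
# Added example: check whether a dumped PE image carries a CLR runtime header.
import struct

# Data-directory slot that points at IMAGE_COR20_HEADER in a .NET PE.
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14


def clr_header_info(image: bytes):
    """Return (rva, size) of the CLR runtime header, or None if the blob is not a
    PE file or has no CLR header. Only the headers are read, so a raw memory dump
    with unfixed section pointers is checked just as well as a fixed-up file."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER, 20 bytes
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic == 0x10B:                        # PE32
        count_off, dirs_off = 92, 96
    elif magic == 0x20B:                      # PE32+
        count_off, dirs_off = 108, 112
    else:
        return None
    (num_dirs,) = struct.unpack_from("<I", image, opt + count_off)
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        return None
    entry = opt + dirs_off + IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR * 8
    rva, size = struct.unpack_from("<II", image, entry)
    if rva == 0 or size == 0:
        return None
    return rva, size


def build_sample_headers(clr_rva: int, clr_size: int) -> bytes:
    """Constructed sample input: a minimal PE32 header block (no sections, no code)
    with the CLR data-directory entry set as given. Hypothetical, not a real module."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew: PE header follows DOS header
    # Machine=i386, 0 sections, no symbols, 224-byte optional header, EXECUTABLE|32BIT
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR * 8, clr_rva, clr_size)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    managed = build_sample_headers(0x2008, 0x48)   # 0x48 is sizeof(IMAGE_COR20_HEADER)
    native = build_sample_headers(0, 0)            # same headers, CLR directory empty
    print("managed dump:", clr_header_info(managed))
    print("native dump: ", clr_header_info(native))
```

Point the function at each dump from the staged unpacking above (dump1, dump2, dump3): a result of None on a region you expected to be the decompressed module means the dump boundaries or the module were wrong, before any time is spent in dnSpy or ILSpy. Note that a module dumped straight from memory still has its sections at virtual rather than file offsets, which is what Scylla's dump fixing takes care of.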
MindSystem
I really like how you give your approach not as a full tutorial but with explanation instead of only saying "unpacked + file". Thank you for your explanation!
