Tuts 4 You

Edit History

Washi

Since the challenge description allows it, I'm going for the quick serial fish for now :)

Spoiler

Secret Key: AWX610881RFFJSDJSZV
URL: http://localhost:52735/
Vendor: Fadi Sami Khalid
Address: Jordan - Amman - Khalda

Approach:

Spoiler

Obfuscation does not really matter if your methods are just simple string comparisons. The x86 generated by the JIT compiler still reveals everything ;)

  • Run app, enter random stuff in textboxes, press Validate to trigger the JIT compiler to compile the validation method. Notice text of the label changes to Not Correct.
  • Attach WinDbg, set breakpoint on Control.set_Text (use !name2ee System.Windows.Forms.dll System.Windows.Control.set_Text to get the address to breakpoint). Continue execution and press Validate again.
  • Type !clrstack to notice the click handler is in Form1._01.01. Copy the address of the handler and dump the x86 code using !U <address>. (dump here https://pastebin.com/br3s09Gv)
  • Notice in x86 code it's just a bunch of string.Equals calls. Set a breakpoint on all string.Equals(string, string) calls in the method. Continue execution and press Validate one more time again.
  • Use !dumpstackobjects to read out the correct values for every one of these calls.

 

Washi

Since the challenge description allows it, I'm going for the quick serial fish for now :)

Spoiler

Secret Key: AWX610881RFFJSDJSZV
URL: http://localhost:52735/
Vendor: Fadi Sami Khalid
Address: Jordan - Amman - Khalda

Approach:

Spoiler

Obfuscation does not really matter if your methods are just simple string comparisons. The x86 generated by the JIT compiler still reveals everything ;)

  • Run app, enter random stuff in textboxes, press Validate to trigger the JIT compiler to compile the validation method. Notice text of the label changes to Not Correct.
  • Attach WinDbg, set breakpoint on Control.set_Text (use !name2ee System.Windows.Forms.dll System.Windows.Control.set_Text to get the address to breakpoint). Continue execution and press Validate again.
  • Type !clrstack to notice the click handler is in Form1._01.01. Copy the address of the handler and dump the x86 code using !U <address>.
  • Notice in x86 code it's just a bunch of string.Equals calls. Set a breakpoint on all string.Equals(string, string) calls in the method. Continue execution and press Validate one more time again.
  • Use !dumpstackobjects to read out the correct values for every one of these calls.

 

Washi

Going for the quick serial fish for now :)

Spoiler

Secret Key: AWX610881RFFJSDJSZV
URL: http://localhost:52735/
Vendor: Fadi Sami Khalid
Address: Jordan - Amman - Khalda

Approach:

Spoiler

Obfuscation does not really matter if your methods are just simple string comparisons. The x86 generated by the JIT compiler still reveals everything ;)

  • Run app, enter random stuff in textboxes, press Validate to trigger the JIT compiler to compile the validation method. Notice text of the label changes to Not Correct.
  • Attach WinDbg, set breakpoint on Control.set_Text (use !name2ee System.Windows.Forms.dll System.Windows.Control.set_Text to get the address to breakpoint). Continue execution and press Validate again.
  • Type !clrstack to notice the click handler is in Form1._01.01. Copy the address of the handler and dump the x86 code using !U <address>.
  • Notice in x86 code it's just a bunch of string.Equals calls. Set a breakpoint on all string.Equals(string, string) calls in the method. Continue execution and press Validate one more time again.
  • Use !dumpstackobjects to read out the correct values for every one of these calls.
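
Added example, not part of Washi's post or of the challenge binary: the plain string.Equals pattern the post describes next to a check that embeds only a salted PBKDF2 verifier, so the expected value is never an argument a debugger can read. The class, method names and DemoKey are hypothetical, and the code assumes .NET 6 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class LicenseCheck
{
    // Constructed sample value for this example; not the key from the post.
    const string DemoKey = "DEMO-0000-KEY";

    // Pattern the post describes: the expected string is handed to
    // string.Equals, so it lives in a managed object at comparison time.
    public static bool ValidatePlain(string input) =>
        string.Equals(input, DemoKey);

    // Run once by the vendor, outside the shipped binary: derive the
    // verifier (random salt + PBKDF2 output) that gets embedded instead.
    public static (byte[] Salt, byte[] Hash) Provision(string key)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        return (salt, Derive(key, salt));
    }

    // Shipped check: only salt and hash are present. The correct key exists
    // in the process only if the user already typed it.
    public static bool ValidateHashed(string input, byte[] salt, byte[] hash) =>
        CryptographicOperations.FixedTimeEquals(Derive(input, salt), hash);

    static byte[] Derive(string value, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(Encoding.UTF8.GetBytes(value), salt,
                                  100_000, HashAlgorithmName.SHA256, 32);

    static void Main()
    {
        // In a real build the salt and hash would be embedded constants;
        // they are derived here so the example runs stand-alone.
        var (salt, hash) = Provision(DemoKey);

        Console.WriteLine(ValidatePlain("guess"));
        Console.WriteLine(ValidateHashed("guess", salt, hash));
        Console.WriteLine(ValidateHashed(DemoKey, salt, hash));
    }
}
```

Hashing only removes the readable constant from memory: a check that runs entirely on the client can still be patched at the branch, and low-entropy fields can be guessed against the stored hash.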

 
