Jump to content
Tuts 4 You

DNGuard HVM v3.953

Mohd

By Mohd,
in UnPackMe (.NET)

Followers 1

Recommended Posts

  • Teddy Rogers changed the title to DNGuard HVM v3.953
Washi

Washi 81

Posted
Posted (edited)

Since the challenge description allows it, I'm going for the quick serial fish for now :)

Spoiler

Secret Key: AWX610881RFFJSDJSZV
URL: http://localhost:52735/
Vendor: Fadi Sami Khalid
Address: Jordan - Amman - Khalda

Approach:

Spoiler

Obfuscation does not really matter if your methods are just simple string comparisons. The x86 generated by the JIT compiler still reveals everything ;)

  • Run app, enter random stuff in textboxes, press Validate to trigger the JIT compiler to compile the validation method. Notice text of the label changes to Not Correct.
  • Attach WinDbg, set breakpoint on Control.set_Text (use !name2ee System.Windows.Forms.dll System.Windows.Control.set_Text to get the address to breakpoint). Continue execution and press Validate again.
  • Type !clrstack to notice the click handler is in Form1._01.01.  Copy the address of the handler and dump the x86 code using !U <address>. (dump here https://pastebin.com/br3s09Gv)
  • Notice in x86 code its just a bunch of string.Equals calls. Set a breakpoint on all string.Equals(string, string) calls in the method. Continue execution and press Validate one more time again.
  • Use !dumpstackobjects to read out the correct values for every one of these calls.

 

Edited by Washi (see edit history)
  • Like 1
Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Followers 1
Go to topic listing
×
×
  • Create New...