DumpMe / DebugMe

Hi, this UnpackMe is protected by Poe with an anti-dump / anti-debug method.

Your job is to find the password either by dumping or debugging it.

Bronze - Find the password either by debugging or dumping.
Silver - Completely unpack the file.
Gold - A full description + Silver.

Download from Attachment or from File Section.

Hybrid Analysis - https://www.hybrid-analysis.com/sample/2bc04a9242f385308d2425ba10966bc41b12646676fccd121144170abe01f0bf/60c16b6ab0565951c6619493
Virustotal - https://www.virustotal.com/gui/file/2bc04a9242f385308d2425ba10966bc41b12646676fccd121144170abe01f0bf/detection
Wannabe1337_DumpMe.exe

File Information

Submitter BlackHat

Submitted 06/22/2021

Category UnPackMe (.NET)


Solved by BlackHat

Spoiler

Password: Microsoft::ILDasm->PopCode(0x1337);

[Screenshot: Screenshot_20210622_142104.png]

Approach

Spoiler
  • Open the program.
  • Suspend it using Process Explorer.
  • Attach WinDbg, load the SOS extension (.loadby sos clr) (takes a while to attach because the process is suspended).
  • Dump the main module (first use !dumpdomain to find the module address, then !savemodule <module_address> <path>).
  • Manually fix up the dump by looking at it in a hex editor, observing artifacts of the original sections and metadata directory, and then changing the section headers and data directory RVAs accordingly.
  • Open it in dnSpy afterwards and observe the hardcoded ciphertext and the simple XOR decryption routine.
  • [Screenshot: Screenshot_20210622_142123.png]
  • A simple Python script that does the exact same thing will give the answer.

    Btw it's quite annoying that it deletes itself after detecting a debugger. Not sure what value it adds to the challenge.

  • EDIT: Dumped program dump.fixed.exe
Edited by Washi
Added dumped file
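The section-header fix-up described in the approach above, as an added example (not Washi's script and not part of the challenge files): it parses a PE section table, detects the memory-dump layout in which the stored raw pointers no longer match the RVAs where the bytes actually sit, and rewrites the headers so file offsets equal RVAs. The image it works on is constructed inline; the real dump's layout and any repair of the metadata directory are not reproduced.

```python
import struct

# IMAGE_SECTION_HEADER (40 bytes); the fields rewritten below are SizeOfRawData (+16) and PointerToRawData (+20)
SECTION_FMT = "<8sIIIIIIHHI"
SECTION_SIZE = struct.calcsize(SECTION_FMT)

def read_sections(pe: bytes) -> list:
    """Parse the section table of a PE image; works on a file or on a raw memory dump."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    count, opt_size = struct.unpack_from("<H", pe, coff + 2)[0], struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for off in range(table, table + count * SECTION_SIZE, SECTION_SIZE):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        sections.append({"name": name.rstrip(b"\0").decode(), "VirtualSize": vsize, "VirtualAddress": va,
                         "SizeOfRawData": rawsize, "PointerToRawData": rawptr, "header_offset": off})
    return sections

def looks_like_memory_dump(pe: bytes) -> bool:
    """In a dumped module each section's bytes sit at its RVA, so the stored raw pointers no longer match."""
    return any(s["PointerToRawData"] != s["VirtualAddress"] for s in read_sections(pe))

def fix_memory_dump(pe: bytes) -> bytes:
    """Automate the hex-editor fix-up: file offset = RVA (PointerToRawData=VirtualAddress, SizeOfRawData=VirtualSize)."""
    buf = bytearray(pe)
    for s in read_sections(pe):
        struct.pack_into("<II", buf, s["header_offset"] + 16, s["VirtualSize"], s["VirtualAddress"])
    return bytes(buf)

def section_bytes(pe: bytes, name: str) -> bytes:
    """Read a section the way a file parser would: through the header's raw pointer."""
    s = next(x for x in read_sections(pe) if x["name"] == name)
    return pe[s["PointerToRawData"]:s["PointerToRawData"] + s["SizeOfRawData"]]

def build_dumped_sample() -> bytes:
    """Constructed stand-in for the dump: headers still carry file-layout raw pointers (0x200, 0x400)
    while the section contents sit at their RVAs (0x1000, 0x2000), as they do in a memory image."""
    img = bytearray(0x3000)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                                    # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # COFF: i386, 2 sections, PE32 opt hdr
    struct.pack_into("<H", img, 0x98, 0x10B)                                   # optional header magic (PE32)
    for i, (name, va, vsize, rawptr) in enumerate([(b".text", 0x1000, 0x100, 0x200), (b".sdata", 0x2000, 0x80, 0x400)]):
        struct.pack_into(SECTION_FMT, img, 0x178 + i * SECTION_SIZE, name, vsize, va, vsize, rawptr, 0, 0, 0, 0, 0x60000020)
    img[0x1000:0x1004] = b"TEXT"   # the real code bytes live at the RVA, not at raw pointer 0x200
    return bytes(img)
```

Before the fix, reading `.text` through its header returns the zeros at 0x200; after it, the same call returns the bytes at RVA 0x1000, which is what lets dnSpy open the dump.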


My Approach - A Complete Noob Ready Tutorial 😃

Spoiler
  • Our target detects the assembly names running on your system and automatically hits the error if it finds any RCE tools. (Rename Extreme Dumper to something else to dump the target.)
  • Open Resource Hacker and rename the Extreme Dumper details to something else.
  • Open Extreme Dumper in dnSpy and change the Extreme Dumper name to something else.

[Screenshot: 1.png]

  • Now execute the target and run Extreme Dumper. (It will work fine without hitting any error.)
  • Open Extreme Dumper and set Dumper Type to Anti-AntiDump.
  • Select the target and click on View Module.
  • Dump Wannabe1337.exe.

[Screenshot: 2.png]

  • Open the dumped file in dnSpy and go to Module.cctor.
  • Put a nop there.
  • Now save the assembly and it's ready to use.

[Screenshot: 3.png]


Here's the Solution -

Spoiler

[Screenshot: 4.png]

Here's the File - Wannabe1337_BlackHat.exe

Edited by BlackHat
