Tuts 4 You

DumpMe / DebugMe



BlackHat


Hi, This Unpackme is Protected by Poe with an Anti-Dump / Anti-Debug Method.

Your Job is to find the Password either by Dumping or Debugging It.

Bronze - Find the Password either by Debugging or Dumping
Silver - Completely Unpack the File.
Gold - A Full Description + Silver

Download from Attachment or from File Section.

Hybrid Analysis - https://www.hybrid-analysis.com/sample/2bc04a9242f385308d2425ba10966bc41b12646676fccd121144170abe01f0bf/60c16b6ab0565951c6619493
Virustotal - https://www.virustotal.com/gui/file/2bc04a9242f385308d2425ba10966bc41b12646676fccd121144170abe01f0bf/detection
 

Wannabe1337_DumpMe.exe


 


Spoiler

Password: Microsoft::ILDasm->PopCode(0x1337);

(screenshot)

Approach

Spoiler
  • Open program
  • Suspend using process explorer
  • Attach WinDbg, load SOS extension (.loadby sos clr) (takes a while to attach because of being suspended)
  • Dump main module (First use !dumpdomain to find module address, then !savemodule <module_address> <path>)
  • Manually fix up dump by looking in hex editor and observing artifacts of original sections and metadata directory, and then change the section headers and data directory rvas accordingly.
  • Open in dnSpy after, observe hardcoded ciphertext and simple xor decryption routine.
  • (screenshot of the decryption routine in dnSpy)
  • Simple python script that does the exact same thing will give the answer.

Btw it's quite annoying that it deletes itself after detecting a debugger. Not sure what value it adds to the challenge.

EDIT: Dumped program: dump.fixed.exe

 

 

Edited by Washi
Added dumped file
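An added example, not code from Washi's post or from the challenge: a Python script that automates the section-header part of the manual fix-up step described above. It assumes the dump was written in image layout (each section's bytes sit at its RVA, as a module saved from memory is), handles PE32 and PE32+, and leaves the CLR metadata directory, which the post fixes by hand, untouched; the sample image it patches is constructed for the demonstration.

```python
import struct
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes

def _headers(buf):
    """Return (optional header offset, NumberOfSections, section table offset)."""
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if bytes(buf[e_lfanew:e_lfanew + 4]) != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", buf, e_lfanew + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", buf, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    return e_lfanew + 24, nsec, e_lfanew + 24 + opt_size

def sections(image):
    """[(name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)] per section."""
    _, nsec, tab = _headers(image)
    rows = []
    for i in range(nsec):
        name, vsize, va, rawsz, rawptr = SECTION_HDR.unpack_from(image, tab + i * 40)[:5]
        rows.append((name.rstrip(b"\0").decode(), va, vsize, rawptr, rawsz))
    return rows

def alignments(image):
    """(SectionAlignment, FileAlignment); same offsets in PE32 and PE32+."""
    return struct.unpack_from("<II", image, _headers(image)[0] + 32)

def fix_memory_dump(image):
    """Memory dumps keep the image layout: each section's bytes sit at its RVA, so
    point raw offset/size at RVA/VirtualSize and set FileAlignment = SectionAlignment."""
    buf = bytearray(image)
    opt, nsec, tab = _headers(buf)
    struct.pack_into("<I", buf, opt + 36, struct.unpack_from("<I", buf, opt + 32)[0])
    for i in range(nsec):
        off = tab + i * 40
        name, vsize, va, rawsz, rawptr, *rest = SECTION_HDR.unpack_from(buf, off)
        SECTION_HDR.pack_into(buf, off, name, vsize, va, vsize or rawsz, va, *rest)
    return bytes(buf)

def build_sample_image():
    """Constructed PE32 image (not the challenge binary): sections still carry on-disk
    raw pointers, which is what a dump straight from memory looks like."""
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)   # i386, 2 sections
    opt = bytearray(0xE0); struct.pack_into("<H", opt, 0, 0x10B)    # PE32 magic
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                  # SectionAlignment, FileAlignment
    secs = SECTION_HDR.pack(b".text\0\0\0", 0x800, 0x2000, 0x800, 0x200, 0, 0, 0, 0, 0x60000020)
    secs += SECTION_HDR.pack(b".rsrc\0\0\0", 0x300, 0x4000, 0x400, 0xA00, 0, 0, 0, 0, 0x40000040)
    img = bytearray(0x5000); hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs
    img[:len(hdr)] = hdr; img[0x2000:0x2004] = b"\x00\x02\x28\x2A"  # IL bytes at the RVA
    return bytes(img)
```

Run `fix_memory_dump` over the bytes of a real dump and write the result out; dnSpy then finds each section where the header says it is, and only the metadata directory remains to be checked by hand as in the post.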
BlackHat

My Approach - A Complete Noob Ready Tutorial 😃

Spoiler
  • Our Target detects the Assembly Name running in your System and automatically hits the Error if it finds any RCE Tools. (Rename the Extreme Dumper to Something else to Dump the Target.)
  • Open Resource Hacker and Rename the Extreme Dumper Details to something else.
  • Open the Extreme Dumper in dnSpy and Change the Extreme Dumper to something else.

(screenshot)

 

  • Now Execute the Target & Run Extreme Dumper. (It will work fine without hitting any Error.)
  • Open Extreme Dumper & Set the Dumper Type to Anti-AntiDump
  • Select the Target & Click on View Module
  • Dump the Wannabe1337.exe

(screenshot)

  • Open the Dumped File in dnSpy and Go to Module.cctor
  • Put a nop
  • Now Save the Assembly and It's ready to use.

(screenshot)


Here's the Solution -

Spoiler

(screenshot of the solution)

 

Here's the File - Wannabe1337_BlackHat.exe

Edited by BlackHat