BlackHat Posted June 22, 2021 Share Posted June 22, 2021 View File DumpMe / DebugMe Hi, This Unpackme is Protected by Poe with an Anti-Dump / Anti-Debug Method. Your Job is to find the Password either by Dumping or Debugging It. Bronze - Find the Password either by Debugging or Dumping Silver - Complete Unpack the File. Gold - A Full Description + Silver Download from Attachment or from File Section. Hybrid Analysis - https://www.hybrid-analysis.com/sample/2bc04a9242f385308d2425ba10966bc41b12646676fccd121144170abe01f0bf/60c16b6ab0565951c6619493 Virustotal - https://www.virustotal.com/gui/file/2bc04a9242f385308d2425ba10966bc41b12646676fccd121144170abe01f0bf/detection Wannabe1337_DumpMe.exe Submitter BlackHat Submitted 06/22/2021 Category UnPackMe (.NET) 1 Link to comment Share on other sites More sharing options...
Washi Posted June 22, 2021 Share Posted June 22, 2021 (edited) Spoiler Password: Microsoft::ILDasm->PopCode(0x1337); Approach Spoiler Open program Suspend using process explorer Attach WinDbg, load SOS extension (.loadby sos clr) (takes a while to attach because of being suspended) Dump main module (First use !dumpdomain to find module address, then !savemodule <module_address> <path>) Manually fix up dump by looking in hex editor and observing artifacts of original sections and metadata directory, and then change the section headers and data directory rvas accordingly. Open in dnSpy after, observe hardcoded ciphertext and simple xor decryption routine. Simple python script that does the exact same thing will give the answer. Btw it's quite annoying that it deletes itself after detecting a debugger. Not sure what value it adds to the challenge. EDIT: Dumped program dump.fixed.exe Edited June 22, 2021 by Washi Added dumped file 4 2 Link to comment Share on other sites More sharing options...
Solution BlackHat Posted June 23, 2021 Author Solution Share Posted June 23, 2021 (edited) My Approach - A Complete Noob Ready Tutorial 😃 Spoiler Our Target detects the Assembly Name running in your System and automatically hit the Error If it find any RCE Tools. (Rename the Extreme Dumper with Something else to Dump the Target.) Open Resource Hacker and Rename the Extreme Dumper Details to something else. Open the Extreme Dumper in dnSpy and Change the Extreme Dumper to something else. Now Execute the Target & Run Extreme Dumper. (It will work fine without hitting any Error.) Open Extreme Dumper & Select Dumper Type to Anti-AntiDump Select the Target & Click on View Module Dump the Wannabe1337.exe Open the Dumped File into dnSpy and Go to Module.cctor Put a nop Now Save the Assembly and It's ready to use. Here's the Solution - Spoiler Here's the File - Wannabe1337_BlackHat.exe Edited July 9, 2021 by BlackHat 1 Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now