![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqsMUuc8rruttOKKCxG-pU6X1M7A6MYxRFakTEJZXFZ_D5W6Qr1MKyuK1QmrZQksc10AuBYGneOcroB1g_MKezunU6_k4_WbuF_UgbS2WCqPkqrlyb9NcjQGIuTKEKgEN21p0J6vtgckw/s640/crackme2.jpg)
When I downloaded the challenge file,
the challenge provided two files (a binary exe and a library dll), both written in C#.
I took a quick look with CFF Explorer.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiR1CaCbHd-RFZCyR6TpdRTcLIhvUUweUJDeq0E9HiWqhZWHAHgBlVOjQI8jlVgw25HTqLWOMdJ3pSvptk1iY3Psb25S7aSRkZuwglANw20h4cDonZ-D5oDTqV65B-pzburWo5hcERPHig/s640/Screenshot+from+2018-01-28+23-10-49.png)
So we need to debug/decompile.
I used dnSpy, which is a great tool for debugging C# programs.
When I opened the binary exe with dnSpy, I clicked the main entry point.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgC0utecoTXutCKxwPBlR3ebM4ZAcqZ9oknthFi3wkTBK5Xllca8OHTqxTLRtInxEHVLuGjBsFxRBDyoE-FbpHLMFjPTKDOYCHsDPpM-VPzjCr_PfpfZNh2_6BJA5jXhraH_RD7vETR2n8/s640/Screenshot+from+2018-01-28+23-23-00.png)
The main binary loads another dll file ( System.Data.Win32.dll ) with ( Systems.Load.
And I clicked on "new D34783ADEFF89289127037FED9()", and the debugger loaded the other dll file ( System.Data.Win32.dll ), cool!
When the dll file is loaded, the program will start "InitializeComponent()".
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4Gwa36251R0ZlXwLJZJCBt6djMxc1kGVx8UMggd8Pp5aAVF87dEwL98zfTP1HU5GFga0F_kiVzH4_lhU-o6uCG5ZXSa2DEH5twdc3D8fo_t71jaPEpxfrDqJJjM0b54cTESbTuLT7SZE/s640/Screenshot+from+2018-01-28+23-28-13.png)
Wait!
At line 55: this.label1.Text = Window.Forms("Sqfpp#Bmz#Hfz#wl#dvfpp##FBPWFQ#FDD-", 3);
That should be plain text!
So there must be a decrypt function in the dll file.
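The string on line 55 can also be checked statically, without a debugger. This is an added example, not code from the challenge or from the original post: it assumes the routine XORs each character with the integer passed as the second argument, and `xor_decode`, `readability` and `recover_key` are hypothetical names.

```python
import string

# Obfuscated label text and integer argument, copied from line 55 of the
# decompiled InitializeComponent() quoted in the write-up.
OBFUSCATED = "Sqfpp#Bmz#Hfz#wl#dvfpp##FBPWFQ#FDD-"
KEY_ARG = 3

READABLE = set(string.ascii_letters + " ")


def xor_decode(text: str, key: int) -> str:
    """Assumed scheme: XOR every character code with one small integer key."""
    return "".join(chr(ord(ch) ^ key) for ch in text)


def readability(text: str) -> int:
    """Number of characters that are ASCII letters or spaces."""
    return sum(ch in READABLE for ch in text)


def recover_key(text: str) -> int:
    """Try every single-byte key and keep the one with the most readable output.

    Lets an analyst confirm the key without trusting the call-site argument.
    """
    return max(range(1, 256), key=lambda k: readability(xor_decode(text, k)))


if __name__ == "__main__":
    print("call-site key :", KEY_ARG, "->", repr(xor_decode(OBFUSCATED, KEY_ARG)))
    best = recover_key(OBFUSCATED)
    print("recovered key :", best, "->", repr(xor_decode(OBFUSCATED, best)))
```

Because XOR is its own inverse, the same function re-encodes the text, which is why a single small key offers no protection once the call site is visible in a decompiler.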
But there are also interesting key event handlers:
1 > base.KeyDown += new KeyEventHandler(this.D34783ADEFF89289127037FED9_2);
2 > base.KeyPress += new KeyPressEventHandler(this.D34783ADEFF89289127037FED9_1);
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNWf514COd9jnJpYC3I7STqRm3lHxX4OEiLqiOkJ9gOxEI9H2LZQOYdI6adyLfXtG2LRTxhQ5RA42Fw3JmdogFmJUVXZFayvQKKJ5Q_Zuwq8S46YuqE7jtRV8PjjOlXgCDa3u4YGiZAaI/s640/Screenshot+from+2018-01-28+23-35-31.png)
Hmm!
When we press Control+Alt+Shift+Keys.D0 (0),
the Applications.Exit() function will execute,
OR
when we press any key,
the Applications.Resume() function will execute.
Note: "Don't confuse this with Application.Exit(); that one is just Application, with no 's'."
Let's check what these are!
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJUxQYxpxjI1nZzziETRrI49IZ4thKPeQbf2o4vlCUbGpOwvTcwxwDYoztv3zPKSHYhnd7MSzECgRBfHL7wr9-6Bon21_Jc4RkHeoUBlpuhxtOHLjUAyz89d5dUhqDNa7RBf5ayLBYqGU/s640/Screenshot+from+2018-01-28+23-40-21.png)
And I set a breakpoint on both functions.
I debugged the program and pressed any key on my keyboard, because I wanted to debug the Applications.Resume() function first.
The debugger broke at the Resume() breakpoint.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEM-3vNnTr8jcG4woL4d70655RV0q4ZuotD4Q79hyphenhyphenIi9RWKPbpL4bRRT2jiyV1IgP-5_Cd5X4Dwz2k8a5ae-5fiu3nGe_AMs6P8sjpn8Vyvf5IWqjtBs7P7i2YVLiJFi9gTmeXOoOqzto/s640/Screenshot+from+2018-01-28+23-48-10.png)
Press F11 in the debugger (that will step into the call).
And I saw the decrypt function.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLNtof0UN3RsbN4ixmaxTn4WTd-ZtsQkyR5lY8j4Vh5mLgeyd4Qh9vt4YMEScSQXlJOcRoZNdYs_zsn0P4M_fhsZFQNoiTpwgC7fQz5ycBwA1WZJbuKeFTmtUxk6RefTVFTxmRipysGXI/s640/Screenshot+from+2018-01-28+23-50-19.png)
After setting a breakpoint on the line that returns the stringBuilder2 variable, I pressed F5 and the stringBuilder2 variable became "wrong key".
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrtnu-fQiuVAmbzA4vDMkeeeIaPXnIgKXxJNKJcmYhrXZ-Kq3XK5YMmfqQ80JbvKV3sHx_-XS27ffN2oKvvuQ13OX3AkNqTmz3TbTgNKmWbjsBbqEq9PN4eIvGG8K7aitlrWLxE_s0eAg/s640/Screenshot+from+2018-01-28+23-52-53.png)
OK, just press F5 to continue the program.
Let's debug the Applications.Exit() function, so I pressed Ctrl+Alt+Shift+0.
The debugger broke at the Applications.Exit() function.
Press F5 to continue; the debugger breaks at return stringBuilder2.ToString()
and I saw the flag in the stringBuilder2 variable.
Yay!
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhM1Y3xfgsLapD1mCL0dOo-Jh3Ezb4jx664M_F33vJKAapardxXZaG8xLiPecCqkPBuiiL2ldq5cWP4A9fSPaVwJNaQvJ8M6iknFBxc88v5h7J9XMsz-uS74175NRYtnqkQw9H7sGhdaPo/s640/Screenshot+from+2018-01-29+00-00-18.png)
flag : Myanmar_Cyber_Security_Challenge
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYgI-vvgMrUWevYwMsheLDU1M_1Vp8tUC0-o8lguWlbXY8WXNv2K3EJGl3zgySvXtyp3D_zvNAuWfkE3sqOmgGRLn4LMtdfNHZv0xtmuLsSVkZXw2wVLMsLXe7qp2kobymZHlX46OwqVc/s640/crackme02-so.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhW5UvNQEtswsbDnjdSuahmrVyuM5YHJP9yV9iq5KFnTRcRJLRyb8zztwpH9gejOjmU_vcnK9Ba9E9bXGgk3DWectED3lqRzIFQIRDLZ8LU63NY7L9266jz3BnvL5orwFxJmVX3nhYeazc/s640/Screenshot+from+2018-01-29+00-17-55.png)
Thanks for reading.
This is the third challenge that I solved in MCSC2018.
We were the first team to solve this challenge, so we got another bonus (1 point).
I want to say thank you to Ko Myo Myint Htike, who created this challenge.