Monday, January 29, 2018

[MCSC] CrackMe02-100pts - Writeup [/REVERSING]

At that time, I decided to solve that challenge!







When I downloaded the challenge file,
the challenge provided with two files( binary exe and library dll ) all are written with c#.
I quick lookup with CFF Explorer.



So we need to debug/decompiler.
And I used dnspy, that is a great tool for debug for c# program.

When I open binary exe with dnspy, I click the main entry point,



the main binary load another dll file ( System.Data.Win32.dll ) with ( Systems.Load.
And I clicked on "new D34783ADEFF89289127037FED9()", that debugger load another dll file ( System.Data.Win32.dll ), cool!
When dll file loaded, the program will start "InitializeComponent()"

 

wait!

In Line num 55 : this.label1.Text = Window.Forms("Sqfpp#Bmz#Hfz#wl#dvfpp##FBPWFQ#FDD-", 3);
That should be a plain text!
So there must decrypt function in dll file.

but there is another interesting key event hander
1 >           base.KeyDown += new KeyEventHandler(this.D34783ADEFF89289127037FED9_2);
2 >            base.KeyPress += new KeyPressEventHandler(this.D34783ADEFF89289127037FED9_1);

 

hum!
when we press Control+Alt+Shit+Keys.0D(0)

Applications.Exit() function will execute

OR
when press any key
Applications.Resume() function will execute

Note : " don't confuse with Application.Exit(), this just Application no char s"
let check what are these!



And I set the break point on both function.

And I debug the program, I press any key on my keyboard because I want to debug the Applications.Resume() function first.

The debugger break in Resume() breakpoint.



Press F11 on debugger ( that will debug to step into)
And I saw the decrypt function.



After set breakpoint in return line the stringbuilder2 variable, and I Press F5 stringbuilder2 variable become "wrong key"



ok just press F5 to continue the program.
let debug the Applications.Exit() function, So I press Ctrl+Alt+Shit+0,
The debugger break at Applications.Exit() function.
press F5 to continue,the debugger break at return stringBuilder2.ToString()
and I saw the flag in stringBuilder2 variable.
Yay!



flag : Myanmar_Cyber_Security_Challenge






Thank For Reading.

This is third challenge that I solved in MCSC2018.
And the first solver team of that challenge, so we got another bonus (1 point ).

I want to say thank you to Ko Myo Myint Htike who created this challenge.

No comments:

Post a Comment