I used to reverse stuff… catching up for Flare-On
As I mentioned in my last post, I've set up a machine to get back on track with some reversing/malware analysis tasks. On this journey I decided to dust off some reversing tools and catch up with a few new trends.
After setting up a brand new Windows 10 VM and installing most of the tools I once used, I started with the first challenge of the 2014 Flare-On. I won't lie: my memory still keeps some good knowledge from my days at ESET, including some of the tools for analysing .NET malware.
The binary that needs to be analysed is pretty straightforward: it's a Form with a single button, "DECODE", and after you click it you get something like this:
The binary's behaviour does not change between executions, so at this stage we know that we need to find the routine that produces this output and figure out what it does.
Once we have identified the type of binary we are dealing with and what it does, choosing the right tool for the job is easy. dnSpy is one of my favourite tools for analysing .NET samples: it is simple and useful, as it both decompiles and debugs binaries.
Once you start dnSpy and load the binary you'll be able to see its decompiled code and look for the method that does the trick. As we previously checked, we have a single Form with only one button, so after browsing the code we find the routine that we were looking for:
The btnDecode_Click routine pulls two elements out of the binary's resources. The first one is the image we'd see after we click the button. The second one is a byte array, dat_secret, holding the data that is apparently transformed into the flag we need.
As can be read in the code, there are three for loops that transform the content of dat_secret and store the result in the variables text, text2 and text3. The one we're interested in is the first one:
string text = "";
for (int i = 0; i < dat_secret.Length; i++)
{
    byte b = dat_secret[i];
    // swap the two nibbles of the byte, then XOR the result with 41 (0x29)
    text += (char)((b >> 4 | ((int)b << 4 & 240)) ^ 41);
    text += "\0";
}
The expression swaps the two nibbles of each byte (b >> 4 moves the high nibble down, (b << 4) & 240 moves the low nibble up) and XORs the result with 41 (0x29); the extra "\0" appended after every character is why the decoded string shows up null-separated in the debugger. Now that we have the variable we're interested in and the decoding loop, there are two paths we can follow. The long path is to dump the value of dat_secret to a file and then use the language of choice to write our own decoding function. The short path is to set a breakpoint at the end of the method and inspect the contents of the three variables at once.
With dnSpy this is quite straightforward, and we can then check the contents:
The flag that we were looking for is "email@example.com\0", and that is where this first challenge ends.
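For the long path, here is the decoding loop re-implemented in Python as an added example (this is my own rewrite, not code from the challenge binary). Since the nibble swap and the XOR are both their own inverse, the same two operations applied in the opposite order give an encoder, which is used here to build a constructed dat_secret from a made-up flag; the real challenge bytes are not reproduced.

```python
# Added example: the btnDecode_Click transform, re-implemented outside .NET.
# Not the challenge's own code. SAMPLE_FLAG / SAMPLE_DAT_SECRET below are
# constructed test data, not the bytes from the challenge resource.

XOR_KEY = 41  # 0x29, the constant from the decompiled loop


def swap_nibbles(b: int) -> int:
    """Exchange the high and low 4-bit halves of a byte: 0xA5 -> 0x5A."""
    return ((b >> 4) | ((b << 4) & 0xF0)) & 0xFF


def decode_byte(b: int) -> int:
    """One iteration of the first for-loop: nibble swap, then XOR with 41."""
    return swap_nibbles(b) ^ XOR_KEY


def decode(dat_secret: bytes, keep_nulls: bool = False) -> str:
    """Replay the whole loop over dat_secret.

    The C# code appends "\\0" after every character, so the string dnSpy
    shows is null-separated. keep_nulls=True reproduces exactly that;
    the default strips the separators so the flag is readable.
    """
    out = []
    for b in dat_secret:
        out.append(chr(decode_byte(b)))  # (char) cast: 0..255 -> Latin-1 code point
        if keep_nulls:
            out.append("\0")
    return "".join(out)


def encode(plaintext: str) -> bytes:
    """Inverse transform: XOR with 41 first, then swap nibbles.

    Both steps are involutions, so running them in reverse order undoes
    decode_byte(). Used only to fabricate test input for the decoder.
    """
    return bytes(swap_nibbles(ord(c) ^ XOR_KEY) for c in plaintext)


# Constructed sample: a made-up flag encoded with the inverse transform.
SAMPLE_FLAG = "not.the.real.flag@flare-on.com"
SAMPLE_DAT_SECRET = encode(SAMPLE_FLAG)

if __name__ == "__main__":
    print("dat_secret (hex):", SAMPLE_DAT_SECRET.hex())
    print("as dnSpy shows it:", repr(decode(SAMPLE_DAT_SECRET, keep_nulls=True)))
    print("flag:", decode(SAMPLE_DAT_SECRET))
```

To use it on the real sample, dump dat_secret from dnSpy to a file, read it with `open(path, "rb").read()` and pass the bytes to `decode()`; the same two helpers can be adapted for the text2 and text3 loops once their constants are read off the decompiled code.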