30 Sep 2012

CSAW 2012 – Reversing 300

We’re given a Windows .NET executable (CSAWQualification.exe).

Let’s run it:
Do you really just run random binaries given to you in challenges?

(Yes I do – in a VM)

The output doesn’t seem all that useful, so whip out your favorite .NET decompiler (ILSpy or .NET Reflector) and decompile the executable:

// The using directives and the enclosing class are added here so the listing
// compiles as a whole; the member bodies are the decompiler's output.
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

internal class Program
{
    private static byte[] data;    // 96 bytes of AES ciphertext (six 16-byte blocks)
    private static byte[] marker;  // MD5 digest that the directory name must hash to
    private static string target;  // directory the program enumerates

    static Program()
    {
        data = new byte[] { 
            15, 0x53, 0xde, 0xcc, 130, 0xa9, 0xfd, 0x37, 0xa5, 0xe5, 0xdb, 240, 0xce, 0x4e, 0x66, 0x83, 
            0xf3, 100, 0x73, 0x66, 0xe7, 0x4c, 0xeb, 0xaf, 2, 0xc1, 0xf9, 0xac, 0xae, 0xac, 0xe3, 120, 
            0x43, 0x76, 0x57, 0xdd, 0x7c, 0x61, 0xca, 0x7c, 0xbf, 0xd1, 0xa4, 8, 0x3d, 0xe0, 0xc1, 0x53, 
            13, 0x89, 0x72, 140, 0x2a, 0x41, 0xf7, 0xed, 0xca, 0x47, 0x42, 0x26, 0x3a, 0xcd, 0x9e, 0xc7, 
            0xf6, 0xcd, 0xb2, 0xf8, 0x15, 0x37, 0x52, 0xef, 0x24, 0x6b, 0x68, 230, 0xc1, 0x3f, 0x9d, 0xb2, 
            0xe0, 0x30, 0xc6, 4, 0x42, 0xdd, 12, 0xd3, 0xd7, 0x67, 0xd1, 14, 0x75, 0x8b, 0x6f, 0xa2
        };
        marker = new byte[] { 0xff, 0x97, 0xa9, 0xfd, 0xed, 0xe0, 0x9e, 0xaf, 110, 0x1c, 0x8e, 0xc9, 0xf6, 0xa6, 0x1d, 0xd5 };
        target = @"C:\Program Files\";
    }

    private static void Main(string[] args)
    {
        Console.WriteLine("Do you really just run random binaries given to you in challenges?");
        Console.ReadLine();
        Environment.Exit(0); // everything below is unreachable until this call is removed
        MD5CryptoServiceProvider provider = new MD5CryptoServiceProvider();
        AesCryptoServiceProvider provider2 = new AesCryptoServiceProvider(); // defaults: CBC mode, PKCS7 padding
        foreach (string str in Directory.EnumerateDirectories(target))
        {
            // compare MD5(subdirectory name, with the target prefix stripped) against the marker
            if (provider.ComputeHash(Encoding.UTF8.GetBytes(str.Replace(target, ""))).SequenceEqual<byte>(marker))
            {
                // key = MD5("sneakyprefix" + name); the IV is the fixed bytes 0..15
                byte[] rgbKey = provider.ComputeHash(Encoding.UTF8.GetBytes("sneakyprefix" + str.Replace(target, "")));
                byte[] bytes = provider2.CreateDecryptor(rgbKey, new byte[] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 }).TransformFinalBlock(data, 0, data.Length);
                Console.Write(Encoding.UTF7.GetString(bytes));
            }
        }
        Console.ReadLine();
    }
}

First, we notice that most of the code is never executed, as the third line of Main calls Environment.Exit(). We can easily fix this using a .NET IL editor – Reflexil is a great IL editing plugin, but unfortunately it’s only compatible with Reflector, a commercial .NET decompiler. The trial version suffices, though.

Navigate to CSAWQualification.Program.Main and fire up Reflexil; at offsets 04 and 05 you should find:

ldc.i4.0
call System.Void System.Environment::Exit(System.Int32)

Simply delete these two IL instructions – problem solved.

Looking at the rest of the code, we observe that the program traverses C:\Program Files\ looking for a subdirectory whose name (with the C:\Program Files\ prefix stripped) has the MD5 hash ff97a9fdede09eaf6e1c8ec9f6a61dd5. Google tells us the plaintext for this hash is “Intel”.

For simplicity’s sake, just create the C:\Program Files\Intel directory, then run the program again. The remainder of the application logic will AES decrypt some embedded data, using MD5(“sneakyprefix” + “Intel”) as the key along with a static IV ([0..15]).

Do you really just run random binaries given to you in challenges?

That was pretty easy, wasn't it? \key{6a6c4d43668404041e67f0a6dc0fe243}
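The same result can be reached without patching the binary or touching C:\Program Files\ at all: once the key derivation is known, the decryption routine is small enough to re-implement and run against the embedded bytes. The script below is an added example, not code from the challenge or from this post's author. It carries the data array, marker, prefix and IV straight from the decompiled listing, includes a small pure-Python AES-128 inverse cipher so that nothing beyond the standard library is needed, and assumes the AesCryptoServiceProvider defaults of CBC mode with PKCS7 padding. The candidate directory list is constructed here in place of enumerating a real Program Files folder.

```python
import hashlib

# Constants from the decompiled static constructor (the page's byte values, written as hex).
DATA = bytes.fromhex(
    "0f53decc82a9fd37a5e5dbf0ce4e6683" "f3647366e74cebaf02c1f9acaeace378"
    "437657dd7c61ca7cbfd1a4083de0c153" "0d89728c2a41f7edca4742263acd9ec7"
    "f6cdb2f8153752ef246b68e6c13f9db2" "e030c60442dd0cd3d767d10e758b6fa2")
MARKER = bytes.fromhex("ff97a9fdede09eaf6e1c8ec9f6a61dd5")
IV = bytes(range(16))            # the static IV [0..15]
PREFIX = "sneakyprefix"

# --- minimal AES-128 inverse cipher (FIPS-197), pure Python so it runs offline ---
def _xtime(a):
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1

def _gmul(a, b):                 # multiplication in GF(2^8)
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r

def _build_sbox():               # S-box: affine transform of the GF(2^8) inverse
    box = []
    for x in range(256):
        inv = 1 if x else 0
        for _ in range(254 if x else 0):   # x^254 is the inverse of x
            inv = _gmul(inv, x)
        s = inv
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        box.append(s ^ 0x63)
    return box

SBOX = _build_sbox()
INV_SBOX = [0] * 256
for _i, _v in enumerate(SBOX):
    INV_SBOX[_v] = _i

def _expand_key(key):            # 11 round keys of 16 bytes in column-major order
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def _inv_shift_rows(s):          # row r is rotated right by r positions
    return [s[(i - 4 * (i % 4)) % 16] for i in range(16)]

def _inv_mix_columns(s):
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        for r in range(4):
            out.append(_gmul(a[r], 14) ^ _gmul(a[(r + 1) % 4], 11)
                       ^ _gmul(a[(r + 2) % 4], 13) ^ _gmul(a[(r + 3) % 4], 9))
    return out

def aes128_decrypt_block(key, block):
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[10])]
    for rnd in range(9, 0, -1):
        s = [INV_SBOX[b] for b in _inv_shift_rows(s)]
        s = _inv_mix_columns([b ^ k for b, k in zip(s, rk[rnd])])
    s = [INV_SBOX[b] for b in _inv_shift_rows(s)]
    return bytes(b ^ k for b, k in zip(s, rk[0]))

def aes128_cbc_decrypt(key, iv, ct):
    """CBC mode with PKCS#7 unpadding (the AesCryptoServiceProvider defaults)."""
    prev, out = iv, bytearray()
    for i in range(0, len(ct), 16):
        blk = ct[i:i + 16]
        out += bytes(p ^ q for p, q in zip(aes128_decrypt_block(key, blk), prev))
        prev = blk
    pad = out[-1]
    if not 1 <= pad <= 16 or out[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS#7 padding: wrong key or corrupted data")
    return bytes(out[:-pad])

# --- the program's own logic, re-expressed ---
def md5(text):
    return hashlib.md5(text.encode("utf-8")).digest()

def find_marker_dir(names):
    """First name whose MD5 equals MARKER (the check done per enumerated directory)."""
    return next((n for n in names if md5(n) == MARKER), None)

def derive_key(name):
    return md5(PREFIX + name)    # 16-byte digest, hence AES-128

def recover_plaintext(name):
    return aes128_cbc_decrypt(derive_key(name), IV, DATA).decode("utf-7")

if __name__ == "__main__":
    candidates = ["Common Files", "Intel", "Windows NT"]   # constructed stand-in listing
    hit = find_marker_dir(candidates)
    print("matching directory:", hit)
    if hit:
        print(recover_plaintext(hit))
```

The padding check is what tells you a guessed directory name was wrong: a wrong key yields garbage whose last bytes almost never form valid PKCS#7 padding, so `recover_plaintext` raises instead of printing noise. Because the only "secret" is the hash of a directory name, the same search can be run against any wordlist of common Program Files entries offline, with no need to run or patch the sample.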

2 Responses to “CSAW 2012 – Reversing 300”

  1. Hi guys,
    there’s also a free, up-to-date .NET decompiler from Telerik which has a Reflexil plugin.

    http://www.telerik.com/products/decompiler.aspx
    http://www.telerik.com/products/decompiler/extensions.aspx
