RE Series #8: CrackThis!

An interesting challenge with a tricky obfuscator. Honestly, once the code has been de-obfuscated, it’s quite straightforward!

Static Analysis

Running it through Exeinfo, we see that the binary has been packed with ConfuserEx. The hardest part, actually, is finding the deobfuscator.

Opening the binary with DNSpy, this is what the obfuscated version looks like:

After digging the web for a de-obfuscator, we clean up the binary to get its original form.

Much cleaner!

With this, we can continue with our dynamic analysis of the code.

Dynamic Analysis

The code is pretty complex, and does contain switch cases which involve XOR-ing values together. Luckily, we can just step through those and look at the important pieces of code.

Following the flow, we see that to trigger the true case, we need to pass in 5 arguments to the binary.

Passing in 5 random CLI arguments

When 5 arguments are passed in, we get a prompt to enter the password.

For now, we enter any random password just to see what the password checking flow is.

The code checks if the text we entered is equal to the return value of Class7.smethod_1().

When we look into Class7.smethod_1(), we see that there is an anti-debug trick that changes the value of the string.

In case 6U, “Class7.smethod_7 – num <= 500” checks if the time elapsed is more than 500ms, or half a second. If it is, it returns this string: “Thisea$__Sup4H4k@!”

However, if we don’t step through the function, and step over it (hence making the check < 500ms), we get another string instead: “systemadmin”
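To make the argument-count check and the timing-based string swap concrete, here is an added C# sketch of the checking flow as the write-up describes it. This is not code from the challenge binary: the class and method names in the real binary are the obfuscated ones shown above (Class7.smethod_1, Class7.smethod_7), and the names below are assumptions. Only the two strings and the 500 ms threshold come from the write-up.

```csharp
using System;
using System.Diagnostics;

// Hypothetical reconstruction of the password check (not the binary's own code).
static class CrackMeShape
{
    // Strings reported in the write-up: the decoy returned when the timing
    // check trips, and the real password returned when it does not.
    const string DecoyString  = "Thisea$__Sup4H4k@!";
    const string RealPassword = "systemadmin";

    // Stands in for Class7.smethod_1(). The elapsed-time test plays the role of
    // "Class7.smethod_7 - num <= 500": single-stepping through the body in a
    // debugger lets wall-clock time pass, so the decoy is returned instead.
    public static string ExpectedPassword()
    {
        var sw = Stopwatch.StartNew();

        // The obfuscated switch / XOR work would sit here; the result it
        // builds is the real password.
        string result = RealPassword;

        sw.Stop();
        return sw.ElapsedMilliseconds > 500 ? DecoyString : result;
    }

    static int Main(string[] args)
    {
        // The "true case" is only reached with exactly five CLI arguments.
        if (args.Length != 5)
        {
            Console.WriteLine("Usage: requires 5 arguments");
            return 1;
        }

        Console.Write("Enter password: ");
        string text = Console.ReadLine();

        // Same comparison as in the write-up: user input vs. the computed string.
        if (text == ExpectedPassword())
        {
            Console.WriteLine("Correct! (flag would be printed here)");
            return 0;
        }

        Console.WriteLine("Wrong password");
        return 1;
    }
}
```

This is why stepping over the call in dnSpy and stepping into it give different results: stepping over completes the method in well under 500 ms and yields "systemadmin", while stepping through it line by line makes the elapsed time exceed the threshold and yields the decoy. When analysing a sample with this pattern, checking the value after a step-over (or patching the comparison) avoids being misled by the decoy.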

We change the value of text to “systemadmin”, and we get the flag!
