PMA 132: Reversing a .NET Executable (20 pts + 20 extra)

What you need

Purpose

To understand how .NET files are constructed and practice reversing them. We'll use a file from the first FLARE-ON challenge in 2014.

Download the Samples

Download this file:

PMA132.zip

Unzip it to get two files: Challenge1.exe and PMA132.exe.

Running the File in x64dbg

From your desktop, open the FLARE folder. In the Debuggers folder, launch x64dbg.

In x64dbg, open Challenge1.exe. Click Debug, Run to run it.

Bring the running program to the front. It's a Bob Ross photo with a DECODE! button. Click that button to see the picture change, as shown below.

The text changed to unreadable characters. We want to analyze that decoding process.

Close x64dbg.

Using CFF Explorer

Right-click Challenge1.exe and click "Open with CFF Explorer".

The File Type is "Portable Executable 32 .NET Assembly", as shown below.

Close CFF Explorer.

Using ILSpy

.NET files are not compiled to native machine code. Instead they contain a platform-independent bytecode called "Microsoft Intermediate Language" (MSIL), which the .NET runtime compiles to native code just before it runs. Because MSIL keeps method names, types and metadata, it decompiles back to readable C# far more cleanly than native code does.

To decompile them, we'll use ILSpy, which is included in the FLARE-VM.

Launch ILSpy. In ILSpy, open Challenge1.exe.

In the left pane, navigate to the btnDecode.Click method and click it.

Decompiled C# code appears in the right pane.

The first decoding step uses the line of C# code outlined in red in the image below.

Now we need to find the input data to decode, which is in the Resource dat_secret.

In the left pane, navigate to dat_secret.encode and click it.

In the right pane, click the Save button.

Save the file in the same folder as Challenge1.exe with the name dat_secret.

PMA 132.1: Decoding with Python (10 pts)

In Notepad, create a solution.py script, as shown below, and run it to find the flag, which is covered by a green rectangle in the image below.
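The script below is an added illustration of what such a solution.py looks like; it is not the script from the original page, which is only shown in a screenshot that is not reproduced here. It assumes the btnDecode_Click routine has the structure nibble swap, XOR 0x29, append a NUL, swap adjacent character pairs, XOR 0x66; check every step and constant against the C# that ILSpy shows you, and replace them if they differ. The sample bytes are constructed for this example, not the real dat_secret resource.

```python
import sys


def decode_dat_secret(data: bytes) -> str:
    """Python re-implementation of the assumed btnDecode_Click transform.

    Assumed steps (verify each against the decompiled C# in ILSpy):
      1. swap the two nibbles of every byte, then XOR the result with 0x29
      2. append a NUL byte (the C# appends "\\0" before pairing characters)
      3. swap every pair of adjacent characters
      4. XOR every character with 0x66
    """
    # Step 1: nibble swap followed by XOR 0x29, one byte at a time
    stage1 = bytearray(((b >> 4) | ((b & 0x0F) << 4)) ^ 0x29 for b in data)
    # Step 2: the decompiled loop appends a NUL so the pair swap sees an even count
    stage1.append(0)
    if len(stage1) % 2:
        # The C# indexes text[i + 1] and would throw on an even-length input;
        # pad with a second NUL here instead of crashing
        stage1.append(0)
    # Step 3: swap each pair of adjacent characters
    stage2 = bytearray()
    for i in range(0, len(stage1), 2):
        stage2 += bytes((stage1[i + 1], stage1[i]))
    # Step 4: final XOR with 0x66; latin-1 keeps any non-ASCII bytes visible
    return bytes(c ^ 0x66 for c in stage2).decode("latin-1")


# Constructed sample (NOT the real dat_secret resource): decodes to "PMA!f."
# The "f" second from the end is the appended NUL after the final XOR 0x66.
SAMPLE = bytes([0x20, 0xF1, 0xE6, 0xE0, 0x16])

if __name__ == "__main__":
    # Usage: python solution.py [path_to_dat_secret]; defaults to the sample
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = SAMPLE
    print(decode_dat_secret(blob))
```

Run it as `python solution.py dat_secret` from the folder where you saved the resource; if the output is still unreadable, one of the assumed constants or step orders does not match the C# and should be corrected first.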

PMA 132.2: Second File (10 pts)

Repeat the process to find the flag in the PMA132.exe file.

Hint: Look carefully at the left pane of ILSpy. It retains old files there unless you manually remove them.

It's easy to keep looking at the old file when you are trying to analyze a new one.

PMA 132.3: MemeCat (20 pts)

Download this file:

MemeCatBattlestation.exe

The game asks for two "weapon arming codes". To find them, examine the two methods shown below.

After entering both the correct arming codes and shooting the enemies, you win, revealing the flag, covered by a green box in the image below.

Sources

The FLARE On Challenge Solutions: Part 1 of 2
CyberDefenders Blue Team CTF Challenges

Posted 4-6-2021