Double-click it to run it. It's a simple password-guessing game, as shown below.
Open this page:
Fill in the form and click the "Download Trial" button.
Install the software with the default options.
In the "Welcome to .NET Reflector" box, click Close.
In the "Start 'Dafault' Assembly List" box, click OK.
In the ".NET Reflector 10.1 Trial" window, from the menu bar, click File, "Open Assembly...".
Navigate to the ED331-1.exe file and double-click it.
In the left pane of .NET Reflector, expand the "WindowsFormsApp5 (184.108.40.206)" container and the containers inside it and click the "button1_Click(Object, EventArgs) : Void" item.
The decompiled C# source code containing the password appears, as shown below.
This is the actual code in a .NET app. It's in "Microsoft Intermediate Language" or MSIL, which is executed in a runtime environment named Common Language Runtime (CLR), and converted to x86 or x86-64 native instructions by a Just In Time (JIT) compiler.
Notice the outlined instructions in the image above:
Here are the hexadecimal codes for those MSIL instructions, with ?? indicating an unknown byte:
L_0016: stloc.0 L_0017: ldloc.0 L_0018: brfalse.s L_0027 L_001a: ldstr "WIN!"
If we change "brfalse.s" to "brtrue.s", the program will accept any password except the correct one.
stloc.0 0A ldloc.0 06 brfalse.s 2C ?? ldstr "WIN!" 72 ?? ?? ?? ??
The hexadecimal code for "brtrue.s" is 2D, as you can verify on this list of MSIL hex codes:
Open the ED331-1.exe file.
Press Ctrl+F. On the Hex-Values tab, search for these hex values:
Click OK. The hex values are found, as shown below. Notice that the 72 byte appears in the correct place. There are two other places in the code with this three-byte pattern, but they don't have the 72 in the correct place.
0A 06 2C
As shown above, brfalse.s is 2C. brtrue.s is 2D.
In HxD, click on the 2C byte and change it to 2D. That byte turns red, as shown below.
In HxD, from the menu bar, click File, "Save As...". Save the file on your desktop as WindowsFormsApp5mod.exe.
Enter any password, such as aa. You see "WIN!", as shown below.
The flag is covered by a green rectangle in the image below.
Unzip it and analyze the ED331-2.exe app. Find the flag.
Typo fixed 10-30-19
Filename fixed to open in HxD 11-6-19