PMA 132: Reversing a .NET Executable (40 pts extra)

What you need

Purpose

To understand how .NET files are constructed and practice reversing them. We'll use a file from the first FLARE-ON challenge in 2014.

Download the Samples

Download this file:

PMA132.zip

Unzip it to get two files: Challenge1.exe and PMA132.exe.

Installing x64dbg, CFF Explorer, ILSpy, and Immunity

If you are using the "Windows 10 w Tools" VM, all these tools are already installed. If you are using some other machine, install them as shown below.

Running the Challenge1 Program

Double-click the Challenge1.exe file.

If a window appears asking you to install DOT NET, do that.

If you are using my "Windows 10 with tools" image, the installation will probably fail. Download and run the offline installer from this page:

https://sourceforge.net/projects/framework-3-offline

It's a Bob Ross photo with a DECODE! button. Click that button to see the picture change, as shown below.

The text changed to unreadable characters. We want to analyze that decoding process.

Close the Challenge program.

Using CFF Explorer

Right-click Challenge1.exe and click "Open with CFF Explorer".

The File Type is "Portable Executable 32 .NET Assembly", as shown below.

Close CFF Explorer.

Using ILSpy

.NET files are not compiled to native machine code. Instead they contain a bytecode called "Microsoft Intermediate Language" (MSIL), which the .NET runtime compiles to machine code when the program runs.

To decompile them, we'll use ILSpy.

Launch ILSpy. In ILSpy, open Challenge1.exe.

In the left pane, navigate to the btnDecode.Click method and click it.

Decompiled C# code appears in the right pane.

The first decoding step uses the line of C# code outlined in red in the image below.

Now we need to find the input data to decode, which is in the Resource dat_secret.

In the left pane, navigate to dat_secret.encode and click it.

In the right pane, click the Save button.

Save the file in the same folder as Challenge1.exe with the name dat_secret.

PMA 132.1: Decoding with Python (10 pts)

In Notepad, create a solution.py script, as shown below, and run it to find the flag, which is covered by a green rectangle in the image below.
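The script below is an added example, not the author's solution.py from the screenshot. It assumes that the first decoding step shown in btnDecode.Click swaps the two 4-bit halves (nibbles) of every byte of the saved dat_secret resource; the sample data embedded in it is constructed from a placeholder string, not the real challenge resource.

```python
"""Decode a nibble-swapped resource such as the dat_secret file saved from ILSpy.

Assumption: the first decoding step in btnDecode.Click turns each byte 0xAB
into 0xBA and treats the result as a character. Run with the path to the
saved resource as the only argument; without an argument the constructed
sample below is decoded instead.
"""
import sys
from pathlib import Path


def swap_nibbles(data: bytes) -> bytes:
    """Swap the high and low nibble of every byte (0x12 -> 0x21).

    The operation is its own inverse, so the same function encodes and decodes.
    """
    return bytes(((b >> 4) | ((b & 0x0F) << 4)) for b in data)


def decode_secret(data: bytes) -> str:
    """Apply the nibble swap and render the bytes as text."""
    return swap_nibbles(data).decode("latin-1")


def looks_like_flag(text: str) -> bool:
    """FLARE-On flags are e-mail addresses; reject output that is not printable."""
    return text.isprintable() and "@" in text


# Constructed sample: the placeholder text "flag{placeholder}@example.test"
# stored the way the challenge stores its resource (nibble-swapped).
PLACEHOLDER = "flag{placeholder}@example.test"
SAMPLE_SECRET = swap_nibbles(PLACEHOLDER.encode("latin-1"))


def main() -> None:
    if len(sys.argv) > 1:
        data = Path(sys.argv[1]).read_bytes()
    else:
        data = SAMPLE_SECRET
    decoded = decode_secret(data)
    print(decoded)
    if not looks_like_flag(decoded):
        # Either the resource was saved incorrectly or this decoding
        # step does not match the one shown in ILSpy.
        print("warning: output does not look like a flag", file=sys.stderr)


if __name__ == "__main__":
    main()
```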

PMA 132.2: Second File (10 pts)

Repeat the process to find the flag in the PMA132.exe file.

Hint: Look carefully at the left pane of ILSpy. It retains old files there unless you manually remove them.

It's easy to keep looking at the old file when you are trying to analyze a new one.

PMA 132.3: MemeCat (20 pts)

Download this file:

MemeCatBattlestation.exe

The game asks for two "weapon arming codes". To find them, examine the two methods shown below.

After entering both correct arming codes and shooting the enemies, you win, revealing the flag, which is covered by a green box in the image below.

Sources

The FLARE On Challenge Solutions: Part 1 of 2
CyberDefenders Blue Team CTF Challenges

Posted 4-6-2021
References to FLARE-VM removed and software installation instructions added 11-9-21
Minor updates to links 11-1-22
.NET offline installer link added 6-21-23