ED 331: Dot Net Reflector (45 pts extra)

What You Need

Purpose

To practice reverse-engineering Dot NET apps using Reflector.

Downloading the Sample App

Download this file:

ED331-1.exe

Double-click it to run it. It's a simple password-guessing game, as shown below.

If Windows Defender blocks the file, right-click it and click Properties. Click Unblock. Click OK.

Downloading and Installing Reflector

In your Windows server, open a Web browser.

Open this page:

https://www.red-gate.com/dynamic/products/dotnet-development/reflector/download

Download and install the software with the default options.

It will say it can't install the Visual Studio extension, that's OK.

Loading the App in Reflector

Click Start. Open "Red Gate" and click ".NET REFLECTOR", as shown below.

In the "Welcome to .NET Reflector" box, click Close.

In the "Start 'Default' Assembly List" box, click OK.

In the ".NET Reflector 10.1 Trial" window, from the menu bar, click File, "Open Assembly...".

Navigate to the ED331-1.exe file and double-click it.

In the left pane of .NET Reflector, expand the "WindowsFormsApp5 (1.0.0.0)" container and the containers inside it and click the "button1_Click(Object, EventArgs) : Void" item.

The decompiled C# source code containing the password appears, as shown below.

Viewing IL Code

In the top center of .NET Reflector, in the first drop-down list box, change from C# to IL, as shown below.

This is the actual code in a .NET app. It's in "Microsoft Intermediate Language" or MSIL, which is executed in a runtime environment named Common Language Runtime (CLR), and converted to x86 or x86-64 native instructions by a Just In Time (JIT) compiler.

Notice the outlined instructions in the image above: 

    L_0016: stloc.0 
    L_0017: ldloc.0 
    L_0018: brfalse.s L_0027
    L_001a: ldstr "WIN!"
Here are the hexadecimal codes for those MSIL instructions, with ?? indicating an unknown byte: 
stloc.0        0A
ldloc.0        06
brfalse.s      2C ??
ldstr "WIN!"   72 ?? ?? ?? ??
If we change "brfalse.s" to "brtrue.s", the program will accept any password except the correct one.

The hexadecimal code for "brtrue.s" is 2D, as you can verify on this list of MSIL hex codes:

https://en.wikipedia.org/wiki/List_of_CIL_instructions

Using a Hex Editor

Launch HxD. If you don't have it, get it here:

https://mh-nexus.de/en/downloads.php?product=HxD20

Open the ED331-1.exe file.

Press Ctrl+F. On the Hex-Values tab, search for these hex values: 

0A 06 2C
Click OK. The hex values are found, as shown below. Notice that the 72 byte appears in the correct place. There are two other places in the code with this three-byte pattern, but they don't have the 72 in the correct place.

As shown above, brfalse.s is 2C. brtrue.s is 2D.

In HxD, click on the 2C byte and change it to 2D. That byte turns red, as shown below.

In HxD, from the menu bar, click File, "Save As...". Save the file on your desktop as WindowsFormsApp5mod.exe.

Running the Modified File

On your desktop, double-click WindowsFormsApp5mod.exe.

Enter any password, such as aa. You see "WIN!", as shown below.

Flag ED 331.1: CRC32 (10 pts extra)

Calculate the CRC32 hash of the modified file you just made, using Hashcalc, from

https://www.slavasoft.com/hashcalc/

The flag is covered by a green rectangle in the image below.

Flag ED 331.2 (10 pts extra)

Download this file:

ED331-2-4.zip

Unzip it and analyze the ED331-2.exe app. Find the flag.

Flag ED 331.3 (5 pts extra)

From the archive you downoaded in ED 331.2, analyze the ED331-3.exe app. Find the flag.

Flag ED 331.4 (20 pts extra)

From the archive you downoaded in ED 331.2, analyze the ED331-4.exe app. Find the flag.

References

Demystifying Dot NET Reverse Engineering, Part 1: Big Introduction
Demystifying dot NET reverse engineering - PART 2: Introducing Byte Patching
Demystifying dot NET reverse engineering - PART 3: Advanced Byte Patching

Posted 10-16-19
Typo fixed 10-30-19
Filename fixed to open in HxD 11-6-19
Tested with FLARE-VM 4-26-2021
Tested with Win 10 4-26-22
Tested with Win 11 ARM64 (failed) 4-4-23
Video added 4-5-23