Monday, September 23, 2013

CSAW CTF 2013 :: Reversing: DotNet (100 points)

For this challenge, a .NET executable file is given. I have uploaded the file to MediaFire and it's downloadable from here. The image below shows what it looks like when it is executed; it's a console application.




The objective of this challenge is to reverse the executable file to obtain the passcode to unlock the flag.

For this challenge, I used the Red Gate .NET Reflector to open the executable and view the source code.




The program validates the passcode by performing a bitwise XOR of it with a preset value (num2) and checking that the result equals another preset value (num3). To get the passcode, I just perform a bitwise XOR of num2 and num3.

0xc5ec4d790L ^ 0xf423abdb7L = 0xf1cfe6a27L

Converted to decimal, the value is 13371337255.
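The inversion described above, as an added example that is not part of the original post or the challenge binary: it parses the two literals as the decompiler shows them, does the XOR bit by bit on equal-length binary strings, and confirms the result against a model of the check. The shape of the check, (passcode XOR num2) == num3, is taken from the description above, and all function names are hypothetical.

```python
# Added example: constants are the ones quoted in the write-up;
# function names are hypothetical, not taken from the challenge binary.
NUM2 = "0xc5ec4d790L"   # preset value XORed with the input
NUM3 = "0xf423abdb7L"   # value the XOR result must equal


def parse_long_literal(text):
    """Turn a decompiler-style literal such as '0xc5ec4d790L' into an int."""
    body = text.strip()
    if body[-1:] in ("L", "l"):          # drop the C# 'long' suffix
        body = body[:-1]
    if body[:2].lower() != "0x":
        raise ValueError("expected a hexadecimal literal: %r" % text)
    return int(body[2:], 16)


def xor_bits(a, b):
    """XOR two non-negative ints bit by bit, the way it is done by hand."""
    width = max(a.bit_length(), b.bit_length(), 1)
    bits_a = format(a, "0%db" % width)   # pad both to equal length
    bits_b = format(b, "0%db" % width)
    out = "".join("1" if x != y else "0" for x, y in zip(bits_a, bits_b))
    return int(out, 2)


def check(passcode, num2, num3):
    """Assumed shape of the program's test: (passcode XOR num2) == num3."""
    return xor_bits(passcode, num2) == num3


def recover_passcode(num2_literal, num3_literal):
    """Invert the check: passcode = num2 XOR num3."""
    num2 = parse_long_literal(num2_literal)
    num3 = parse_long_literal(num3_literal)
    passcode = xor_bits(num2, num3)
    if not check(passcode, num2, num3):  # confirm against the modelled check
        raise AssertionError("recovered value does not satisfy the check")
    return passcode


if __name__ == "__main__":
    print(recover_passcode(NUM2, NUM3))  # decimal passcode to type in
```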

Enter the passcode and ...




 flag{I'll create a GUI interface using visual basic...see if I can track an IP address.}

Enter the flag and it is captured. 100 points.


Once upon a time ^-^,
whit3sn0w





5 comments:

  1. I don't understand, how do you do a bitwise XOR?
    Great writeups btw.

  2. This comment has been removed by the author.

  3. Hi jimmy,

    Bitwise XOR is done by performing the XOR operation on corresponding bits of two equal-length bit patterns.

    Let's take a look at 0xc5ec4d790L,

    0x means that the number is a hexadecimal and the suffix L means it is a long type.

    You can either convert the hexadecimal to binary and do the XOR on every corresponding bit manually, or you can use the calculator from Windows and set it to Programmer mode (View > Programmer). Set it to Hex, punch in the number without the 0x and the suffix L, do the XOR operation, and you will get the answer in Hex. Select the Dec check box and you will get the decimal value, which is the flag.

    The reason I did an XOR to get the flag is because of the nature of XOR operation.

    A XOR B = C
    C XOR B = A
    A XOR C = B

    Hope that this helps =)

    whit3sn0w

  4. Correction: The decimal value is the passcode, not the flag.

  5. Yeah, that's fantastic! Thanks for your help.
