
Easy Reversing With dotPeek

Jun 3, 2019 | 3 minutes read

Tags: reversing, writeup

Recently I joined Cyber Talents and among their introductory reverse engineering tasks there are two crackme challenges called “Eye of Sauron” and “I love this guy”. Upon further inspection I noticed these were .NET assemblies instead of regular C/C++ compiled code. I then realized it would be the perfect opportunity for me to try JetBrains dotPeek, a free .NET decompiler available at https://www.jetbrains.com/decompiler. In this post I go through my first impressions and show you how dotPeek helped me to solve both challenges.

Enter dotPeek

Downloading and installing dotPeek was a breeze, although it takes far more disk space than I expected: a whopping 503 MB! After deleting some “unused” files I managed to get the installation down to 245 MB without causing things to break. The main interface is quite sleek and the menus offer a plethora of options that I won’t discuss in this short writeup.

dotPeek main interface

“Eye Of Sauron”

The first challenge only says “Can you find the key to pass?” and gives you a link to the exe file. After running it you’re presented with a simple screen asking for a key. If the wrong key is given you get the classic Lord of the Rings “you shall not pass” rebuke.

shall I pass?

OK, show me the code! Fortunately dotPeek does a nice job of decompiling the .NET assembly so that we can quickly find a suspicious-looking ShallHePass() method. This method indeed validates the user-provided key as follows:

private bool ShallHePass()
{
        return this.txtPass.Text == this.reverse(this.label2.Text + this.label3.Text + this.label4.Text + this.label5.Text);
}

The reverse() method was also nicely decompiled by dotPeek:

private string reverse(string original)
{
        char[] charArray = original.ToCharArray();
        Array.Reverse((Array) charArray);
        return new string(charArray);
}

So it seems that the validation is quite simple: glue together a bunch of hardcoded strings (the this.labelX.Text variables), reverse the result, and compare it with the user input. If they’re equal, ShallHePass() returns true and we should be granted access to Mordor. I then wrote a short Python script using the hardcoded values found in the source code:

>>> key = 'd0248b4e' + '47996655' + '83f05689' + 'c154b6ea'
>>> key[::-1] # cool shortcut to reverse a string
'ae6b451c98650f3855669974e4b8420d'

The result is indeed the key we’re looking for:

yes, you shall pass!
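
The hardcoded fragments are recoverable even without a decompiler, because .NET string literals are stored as UTF-16LE in the assembly's #US heap. The following is an added example (not code from the original post or the challenge) that scans a byte blob for such strings; SAMPLE is a constructed stand-in for the real file, and all function names are hypothetical.

```python
import re

# A run of 6+ printable ASCII characters, each followed by a 0x00 byte:
# the UTF-16LE form in which .NET keeps string literals loaded with ldstr.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
# Heuristic for key-like material: nothing but hex digits, 8 or more.
HEXLIKE = re.compile(r"^[0-9a-fA-F]{8,}$")


def utf16_strings(blob: bytes) -> list[str]:
    """Return every printable UTF-16LE string found in blob."""
    return [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]


def secret_candidates(blob: bytes) -> list[str]:
    """Keep only the strings that look like embedded key material."""
    return [s for s in utf16_strings(blob) if HEXLIKE.match(s)]


def us_entry(text: str) -> bytes:
    """Encode text like a #US heap entry: length byte, UTF-16LE data, flag byte."""
    data = text.encode("utf-16-le")
    return bytes([len(data) + 1]) + data + b"\x00"


# Constructed sample (NOT the challenge binary): UI text plus the four
# fragments quoted in the post, laid out in label order as an assumption.
SAMPLE = b"\x00" + b"".join(
    us_entry(s)
    for s in ["Enter the key", "d0248b4e", "47996655", "83f05689", "c154b6ea", "OK"]
)


def audit(blob: bytes) -> dict:
    """Report key-like fragments and the reversed concatenation the check expects."""
    found = secret_candidates(blob)
    return {"fragments": found, "reversed_join": "".join(found)[::-1]}


if __name__ == "__main__":
    print(audit(SAMPLE))
```

Running the same scan over your own release build is a quick way to confirm whether a secret compared on the client side is sitting in the binary in plain form.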

“I Love This Guy”

I guess this challenge was supposed to be harder than the previous one since it’s worth 100 points (medium difficulty) instead of 50 (easy); however, dotPeek’s great decompiling engine gives us an unfair advantage.

The challenge description says “Can you find the password to obtain the flag?” and gives us a link to the exe file. Again I tried different key combinations just to see how the program behaves:

trying my luck

Obviously it didn’t work, so I fired up dotPeek to see how well this .NET assembly decompiles. Sure enough I got some pretty clean C# code from it:

decompiled C# code

From there it was easier than before to understand how the validation mechanism works (spoiler: it checks if the user input matches a sequence of letters from a list). The following two lines of Python then give the flag:

>>> letters = "ABCDEFGHIJKLMNOPQRSTUVWXYZ{}_"
>>> letters[5] + letters[14] + letters[13] + letters[25] + letters[24]
'FONZY'

Challenge solved! A piece of cake :)

Final Thoughts

I was positively surprised by dotPeek’s sleek interface and very readable decompiled source code listings. I will keep playing with it as I’m sure it will come in handy next time I have some .NET malware to disassemble.
