Teasing Button


CTF Platform: CyberTalents
Challenge Name: Teasing Button
Category: Malware Reverse Engineering
Level: Medium
Points: 100
Description:
Do you really need the Hash?

Basic Static Analysis

Given an executable, I checked its type and found that it is a PE32 .NET GUI application for Windows. As we can see in the following image, it seems to be packed or something similar:



Basic Dynamic Analysis

After running the executable, we see two buttons, Yes and No. When I click the Yes button, it just swaps the two buttons and nothing else happens:


Advanced Static Analysis

Checking the code with dnSpy:


As we can see, the code is too hard to understand because it is obfuscated, so I tried to unpack it with the de4dot tool.

Checking the unpacked one with dnSpy again, I can now read it, as we can see:


Going to the btnYes_MouseHover and btnYes_MouseUp functions to check what is going on:


As we can see in the image, there is a MessageBox call that contains method_0 and method_2, which takes "68" as an argument, so let's check method_2:



The function returns a value, which is the hash, as we can see here:

return str + string_0 + str2 + str3 + this.method_0(string_) + this.method_1(list);

So let's get their values:

str = "79", as shown in this image:


string_0 is the argument that was passed to method_2 earlier, so it is equal to "68":


str2 = "017", from the first image, which also contains the str value

str3 = "eeb", as we see in this image:


method_0(string_) takes the values of string_, which are "2708", "d77", "83f", and joins them into one string, so it equals "2708d7783f":



method_1(list) also joins the values of list into one string, but we need to know how the switch works:


If you have trouble reading the code, you can write some code to follow the values of num2 so you know which case will run next.

This is an example:


As we can see, the code starts with case 5, then goes to 7, and after that it goes to 4, 3, 2, 1:


So our order starts from case 3, then 2, then 1, so the values of list will be: "f0bdf", "5d1a", "33b".
Then method_1(list) will equal "f0bdf5d1a33b".

Now we have all the values in the return statement:

str = "79"
string_0 = "68"
str2 = "017"
str3 = "eeb"
method_0(string_) = "2708d7783f"
method_1(list) = "f0bdf5d1a33b"

Then the hash will be "7968017eeb2708d7783ff0bdf5d1a33b", and this is the flag :)
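
The num2-following step for method_1's switch, as an added Python example that is not code from the challenge binary or from the original write-up. The CASES table is a constructed stand-in that only mirrors the case order reported above (5, 7, 4, 3, 2, 1); the real next-state arithmetic is in the decompiled code, and treating cases 5, 7 and 4 as appending nothing is an assumption.

```python
import re

# Constructed stand-in for the flattened switch in method_1: each case maps to
# (string appended to `list`, or None, and the next value of num2).
# The real next-state arithmetic is in the decompiled code and is not reproduced;
# this table only mirrors the case order the write-up reports (5, 7, 4, 3, 2, 1).
CASES = {
    5: (None, 7),
    7: (None, 4),
    4: (None, 3),
    3: ("f0bdf", 2),
    2: ("5d1a", 1),
    1: ("33b", None),   # None = leave the dispatcher loop
}

def trace_switch(cases, start, max_steps=64):
    """Follow num2 through the dispatcher; return (case order, appended strings)."""
    order, appended, num2 = [], [], start
    while num2 is not None:
        if num2 not in cases:
            raise KeyError(f"num2={num2} has no case (default branch not modelled)")
        if len(order) >= max_steps:
            raise RuntimeError("dispatcher did not terminate; check the transitions")
        order.append(num2)
        value, num2 = cases[num2]
        if value is not None:
            appended.append(value)
    return order, appended

def build_hash():
    """Concatenate the parts in the order of method_2's return statement."""
    _, list_values = trace_switch(CASES, start=5)
    parts = ["79", "68", "017", "eeb",          # str, string_0, str2, str3
             "".join(["2708", "d77", "83f"]),   # method_0(string_)
             "".join(list_values)]              # method_1(list)
    candidate = "".join(parts)
    if not re.fullmatch(r"[0-9a-f]{32}", candidate):
        raise ValueError("result is not 32 hex characters; a part is wrong")
    return candidate

if __name__ == "__main__":
    order, values = trace_switch(CASES, start=5)
    print("case order:", order)
    print("list:", values)
    print("hash:", build_hash())
```

The step limit in trace_switch catches a mistyped transition that would otherwise loop forever, and the 32-hex-character check catches a part copied in the wrong order or with a missing character.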