Archive for the ‘Chal10. CSHOP Challenge’ Category


Use any PE detector to quickly scan the target:


Figure 1

Okay, it’s a .NET exe file. Run the file to get more information:


Figure 2

Huh, it displays a blank form :(. Let’s open the target in dnSpy:


Figure 3

Right-click CSHOP and select “Go to Entry Point”:


Figure 4

Click FrmMain, which takes us here:


Figure 5

Following the InitializeComponent() function, we see two event handlers, _Click and Form1_Load:


Figure 6


Figure 7

Look at Form1_Load: this routine sets all labels to empty:


Figure 8

Look at _Click: this routine sets each label to one default character:


Figure 9

With the information above, we have the string W54RE6MIPSP6S. Trying to authenticate with this string at reversing.kr fails. Go back to the top of InitializeComponent() to dig deeper:

this.\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD = new Button();
this.\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD.Location = new Point(165, 62); // Set location of new button
this.\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD.Name = "btnStart"; // Set button’s name
this.\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD.Size = new Size(0, 0); // Set button’s size
this.\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD.TabIndex = 0;
this.\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD.UseVisualStyleBackColor = true;
this.\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD.Click += new EventHandler(this.\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD_Click);

The notable point in the code above is that it sets the size of the button to zero, so the button exists and has a Click handler but can never be seen or clicked. Let’s use dnSpy to change these values to (40, 40), as in the picture below:


Figure 10

After the change, save to a new file (e.g. CSHOP_Patched.exe). Execute the patched file and the button is now visible; click it to get the key:


Figure 11
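The zero-size button was spotted by eye above; the same check can be scripted over decompiled designer code saved from dnSpy. The script below is an added example, not part of the original write-up: it flags controls that have an event handler wired up but are zero-sized, and, going one step beyond this challenge, controls with Visible set to false. The function name, the `btnOk` control and the sample text are constructed for illustration.

```python
import re

# Designer assignments, e.g.  this.<field>.Size = new Size(0, 0);
PROP = re.compile(r'this\.(?P<field>[^\s.=]+)\.(?P<prop>Size|Name|Visible)\s*=\s*(?P<val>[^;]+);')
# Event wiring, e.g.  this.<field>.Click += new EventHandler(this.<handler>);
HOOK = re.compile(r'this\.(?P<field>[^\s.=]+)\.(?P<event>\w+)\s*\+=\s*new\s+\w+\(this\.(?P<handler>[^\s)]+)\)')
SIZE = re.compile(r'new\s+Size\(\s*(\d+)\s*,\s*(\d+)\s*\)')

def find_hidden_controls(source):
    """Return controls that have event handlers but are zero-sized or invisible."""
    controls = {}  # keyed by field name as the decompiler prints it
    for line in source.splitlines():
        prop = PROP.search(line)
        hook = HOOK.search(line)
        if prop:
            c = controls.setdefault(prop['field'], {'events': []})
            c[prop['prop'].lower()] = prop['val'].strip()
        elif hook:
            c = controls.setdefault(hook['field'], {'events': []})
            c['events'].append((hook['event'], hook['handler']))
    findings = []
    for field, c in controls.items():
        size = SIZE.fullmatch(c.get('size', ''))
        zero = bool(size) and 0 in (int(size[1]), int(size[2]))
        invisible = c.get('visible') == 'false'
        if (zero or invisible) and c['events']:
            findings.append({'field': field, 'name': c.get('name', '').strip('"'),
                             'size': c.get('size'), 'events': c['events']})
    return findings

OBF = r'\uFFFD' * 8  # the obfuscated field name exactly as shown in the listing
# Constructed sample: the OBF lines are the button lines quoted in this post;
# "btnOk" is an invented, normally sized control added for contrast.
SAMPLE = r'''
this.OBF = new Button();
this.OBF.Location = new Point(165, 62);
this.OBF.Name = "btnStart";
this.OBF.Size = new Size(0, 0);
this.OBF.Click += new EventHandler(this.OBF_Click);
this.btnOk.Name = "btnOk";
this.btnOk.Size = new Size(75, 23);
this.btnOk.Click += new EventHandler(this.btnOk_Click);
'''.replace('OBF', OBF)

if __name__ == '__main__':
    for finding in find_hidden_controls(SAMPLE):
        print(finding)
```

Controls are grouped by the field name the decompiler prints, so if several obfuscated fields render with the same escaped name their properties will be merged and the result needs a manual check.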

End.