Archive for the ‘Chal10. CSHOP Challenge’ Category


Use any PE Detector to quickly scan target:

Krchal101

Figure 1

Okay, it’s a .NET exe file. Run file to get information:

Krchal102

Figure 2

Huh, it displays a bank form :(. Let’s open target in dnSpy:

Krchal103

Figure 3

Right click to CSHOP and select “Go to Entry Point”:

Krchal104

Figure 4

Click FrmMain, we go here:

Krchal105

Figure 5

Follow InitializeComponent() function we’ll see two EventHandlers are _Click and Form1_Load:

Krchal106

Figure 6

Krchal107

Figure 7

Look at Form1_Load, this routine sets all labels to empty:

Krchal108

Figure 8

Look at _Click, this routine sets each labels with one default character:

Krchal109

Figure 9

With the information above, we have string: W54RE6MIPSP6S. Try to use this string to authenticate at reversing.kr, we will get fail. Back to the top of InitializeComponent() to dig deeper:

this.\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD = new Button();
this.\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD.Location = new Point(165, 62); <- Set location of new button
this.\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD.Name = "btnStart"; <- Set button’s name
this.\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD.Size = new Size(0, 0); <- Set button’s size
this.\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD.TabIndex = 0;
this.\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD.UseVisualStyleBackColor = true;
this.\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD.Click += new EventHandler(this.\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD\uFFFD_Click);

A notable point in above code that sets the size of button to zero. Let’s use dnSpy to changes these values to (40, 40) like the picture bellow:

Krchal1010

Figure 10

After change, save to new file (ex: CSHOP_Patched.exe). Execute the patched file, we’ll see the button, click it to get the key:

Krchal1011

Figure 11

End.

Advertisements