Category: Reverse Engineering
Here are the files if you want to try it for yourself: reme-1.zip
Reading the description we can find that we need a Windows environment with the .NET Core Runtime 2.2 installed.
After getting that up and running I executed the file:
So we need a password, let's see if we can find one!
My tool of choice for .NET apps is dnSpy.
It does what it should, and it can edit and recompile the code.
Just what we need.
After installing dnSpy, just open it and drag the ReMe.dll in.
Then on the sidebar browse to the main method like this:
Follow the points I marked red, and you'll find yourself in the main method.
The first thing it executes is InitialCheck, let's check that out!
Here we can see that it compares the first argument with the result of that String.Decrypt() function.
But we can't see the flag (blue).
So we need to find out how we decrypt that password.
Shouldn't be too hard.
I've gone back into main and right-clicked.
There you can click Edit Method (C#)...
Then you get the code.
And how do we get the decrypted password now?
By printing it!
Just add a Console.WriteLine() and let it print the decrypted string!
After you put that in, just click Compile and it's in!
After that you want to save the edited dll.
Before that I advise you to make a backup of the file (or redownload it after getting the first flag).
In the upper-right corner, click
The name MUST be ReMe.dll, otherwise it won't start.
So overwrite your copy of ReMe and download it again later, or put the modified file into another dir and copy the JSON junk with it.
Click OK to save the file. After that you can close dnSpy.
Then open another shell (cmd/PowerShell, your choice) and run the file.
CanIHazFlag? is printed on the screen!
Now get the original ReMe.dll back, and use the password aaand.....
There's the flag!
The "nope" after that is because you only specified one parameter, but it needs two; that's part of ReMe2, though!
As I say in every RE challenge, obfuscation won't help. Sure, it'll postpone the search for a bit, but at some point someone's gonna get it.
That's why I recommend using hashes like SHA-512 for obvious reasons.
Good hashes can't be reversed (at this point in time), so they are just the most secure way out.
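As an added example (not the challenge's code), here is the reversible check pattern the writeup defeats next to the hashed check recommended above, in C# for .NET Core; the XOR key, the sample password "secret" and the enroll/check modes are constructed for the illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not the ReMe challenge code: the reversible check the
// writeup defeats, next to the hashed check the author recommends.
static class PasswordCheck
{
    // WEAK: the expected password is only XOR-"encrypted". Anyone who can
    // run or patch Decrypt() (as done above with dnSpy) gets the plaintext.
    // Constructed sample: "secret" XORed with 0x2A.
    static readonly byte[] Obfuscated = { 0x59, 0x4F, 0x49, 0x58, 0x4F, 0x5E };
    static string Decrypt(byte[] data)
    {
        var plain = new byte[data.Length];
        for (int i = 0; i < data.Length; i++) plain[i] = (byte)(data[i] ^ 0x2A);
        return Encoding.ASCII.GetString(plain);
    }
    public static bool WeakCheck(string input) => input == Decrypt(Obfuscated);

    // STRONG: the binary only carries the SHA-512 digest (produced once with
    // "enroll" and pasted in as a constant). Printing it, as the writeup does
    // with the decrypted string, yields nothing that can be typed back in.
    static byte[] Sha512(string s)
    {
        using (var sha = SHA512.Create()) return sha.ComputeHash(Encoding.UTF8.GetBytes(s));
    }
    static byte[] FromHex(string hex)
    {
        var bytes = new byte[hex.Length / 2];
        for (int i = 0; i < bytes.Length; i++) bytes[i] = Convert.ToByte(hex.Substring(2 * i, 2), 16);
        return bytes;
    }
    // Constant-time comparison: no early exit that leaks how many bytes matched.
    public static bool StrongCheck(string input, byte[] storedDigest) =>
        CryptographicOperations.FixedTimeEquals(Sha512(input), storedDigest);

    static int Main(string[] args)
    {
        if (args.Length == 2 && args[0] == "enroll")      // developer, once, at build time
            Console.WriteLine(BitConverter.ToString(Sha512(args[1])).Replace("-", ""));
        else if (args.Length == 3 && args[0] == "check")  // user, at run time
            Console.WriteLine(StrongCheck(args[2], FromHex(args[1])) ? "ok" : "nope");
        else if (args.Length == 1)                        // the weak variant, for contrast
            Console.WriteLine(WeakCheck(args[0]) ? "ok" : "nope");
        else { Console.WriteLine("usage: enroll <pw> | check <hexdigest> <pw> | <pw>"); return 2; }
        return 0;
    }
}
```

SHA-512 is fast and unsalted, so a short or guessable password can still be recovered by offline guessing even when only its digest is stored; for a password rather than a high-entropy key, a salted slow KDF such as PBKDF2 (Rfc2898DeriveBytes in .NET) is the better stored form.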
~sw1tchbl4d3, 07/03/2020 (dd/mm/yyyy)