hideinpILainsight

By naweiss

hideinpILainsight

We got the file wabbalubbadubdub.exe from the challenge, in the challenges description it says it's .NET code therefore we used ILSpy:

 

There are two small obstacles for us to overcome:

  1. The code checks if we are using a debugger, if we are it just prints Sometimes science is a lot more art than science. A lot of people don't get that.
  2. Otherwise it generates a random number between 0 to 312 non inclusive and checks if it is larger than or equals to 312 i.e. if (false)

We'll ignore these obstacles for now and come back to them later.

The code creates a dll during runtime with a module that has a function called gimmedeflag, interesting.

The function gets two byte[] parameters and returns a byte[] parameter.

After that all the types of the functions local variables are defined. And the content of the array il is set to be the IL (byte-code) of the function.

Next the function gimmedeflag is called with two parameter:

We'll take the relevant code and put it in a new C# project and we'll debug it skipping over the two obstacles described earlier.

We don't really know what is going on inside the function gimmedeflag but we have its IL code, we'll try to learn from that.

The easiest way was to just save the entire dll that was created during runtime to a new file, and then we could decompile that. We did this and got gimmedeflag's C# code.

A few little changes in the code and we get the dll:

 

We'll use ILSpy again and get:

 

We noticed that the code throws null no matter what input we give.

To summarize what we saw, the code created a dll which we saved to a new file, we read the function gimmedeflag and noticed it throws an error.

We'll create a new project and put gimmedeflag's code without throw null.

As we mentioned earlier, the function get two parameters: A set array and the Main functions's code from the exe.

The last thing we are missing is the code from the main, we'll extract it with the following code:

 

That's all, we'll run the code with the described parameters, and get the flag: BSidesTLV{Look, Rick, I know IL!}

Success