This reverse challenge was a lot of fun and quite straightforward, excellent for learning how to use .NET debuggers to find flaws within applications. 😊

First I downloaded and viewed the zip.

It has an .exe extension; my guess is that it's a portable exe for Windows systems. Let's fire up FlareVM and load Bypass.exe into pestudio 8.99.

It looks like a 32-bit .NET executable, which is great! 😃 We can use dnSpy-x86 to debug and view the source code of Bypass.exe to see how the program works. Let's load Bypass.exe into dnSpy now.

Quite cryptic at the moment. Let's set a breakpoint on the public static bool 1() method, as it is called first and it also uses some Console.Write() calls, which output text to a command prompt.

It looks like text is the username variable and text2 is the password variable and then the method returns false.

Let's rename the method and variables so it's easy to read. 😂

Here is my pseudocode of the Bypass.exe program flow so far.

bool flag = false    // value returned by the first method
bool flag2 = flag

if (flag2 == true)
  // Username correct, call next method.
else
  // Username or password incorrect.
  Console.Write("Incorrect, username and password.");

So my plan of attack now is to change the flag2 variable to true so we can execute the global::0.2(); method. Let's step through this method and see what it does; from a glance it looks like it checks to see if the correct flag is submitted and then displays the flag? 🤔🤔

Looks like string <> = 5.3; fetches the key ThisIsAReallyReallySecureKeyButYouCanReadItFromSourceSoItSucks; this looks useful! 👌

Looks like we need to enter a “Secure key”; let's use the one we found assigned to that empty variable? 😉 It looks like bool flag; has been set to true; let's see what the command prompt prints out after executing this if statement? 👀

Looks like we got the flag! HTB{SuP3rC00lFL4g}
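The two weaknesses this walkthrough relies on, a key stored as a readable literal and a boolean gate in front of the secret, shown next to a design that removes both. This is an added example, not code from Bypass.exe or the original write-up; the class, method names and sample values are constructed, and it assumes .NET 8.

```csharp
// Added example, not the challenge's code; names and values are constructed. Assumes .NET 8.
using System;
using System.Security.Cryptography;
using System.Text;

static class GateDemo
{
    // Weak: the literal ships in the assembly and a bool guards the secret,
    // so a decompiler reads the key and a debugger can flip the branch.
    const string EmbeddedKey = "constructed-demo-key";
    const string EmbeddedSecret = "constructed-demo-secret";
    static string? WeakUnlock(string input) => input == EmbeddedKey ? EmbeddedSecret : null;

    // Hardened: ship only salt, nonce, ciphertext and tag. The AES key is derived
    // from what the user types, so no literal exists and no branch leaks the secret.
    static byte[] Derive(string passphrase, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(passphrase, salt, 200_000, HashAlgorithmName.SHA256, 32);

    static (byte[] Salt, byte[] Nonce, byte[] Ct, byte[] Tag) Seal(string passphrase, string secret)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        byte[] nonce = RandomNumberGenerator.GetBytes(12);
        byte[] pt = Encoding.UTF8.GetBytes(secret);
        byte[] ct = new byte[pt.Length], tag = new byte[16];
        using var aes = new AesGcm(Derive(passphrase, salt), 16);
        aes.Encrypt(nonce, pt, ct, tag);
        return (salt, nonce, ct, tag);
    }

    static string? StrongUnlock(string input, (byte[] Salt, byte[] Nonce, byte[] Ct, byte[] Tag) blob)
    {
        byte[] pt = new byte[blob.Ct.Length];
        try
        {
            using var aes = new AesGcm(Derive(input, blob.Salt), 16);
            aes.Decrypt(blob.Nonce, blob.Ct, blob.Tag, pt);
            return Encoding.UTF8.GetString(pt);
        }
        catch (CryptographicException) { return null; } // wrong input fails the tag check
    }

    static void Main()
    {
        // Build-time step, run inline here only so the demo is self-contained.
        var blob = Seal("constructed-demo-key", "constructed-demo-secret");
        Console.WriteLine(WeakUnlock("guess") ?? "(locked)");
        Console.WriteLine(StrongUnlock("guess", blob) ?? "(locked)");
        Console.WriteLine(StrongUnlock("constructed-demo-key", blob));
    }
}
```

A correct passphrase still unlocks the secret by design, so a value that must never reach the client belongs behind a server-side check instead.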

Thanks for reading! If you want to know, I used FlareVM for my reverse engineering environment.
