Find the flag inside the binary


Let’s check the file information.

It is a 32-bit .NET executable file. Let’s try to decompile it.

The binary is heavily obfuscated with ConfuserEx v1.0.0. We need to unpack and deobfuscate this file. Luckily, there are lots of tools created for this purpose. I have used UnConfuserEx by SHADOW. After unpacking the file, I used, as suggested by SHADOW, following tools developed by CodeCracker:

  • ConfuserEx Call Fixer
  • ConfuserEx Pop Patcher
  • ConfuserEx String Decryptor
  • ConfuserEx Switch Killer

Finally, I have used de4dot-cex which is a de4dot fork that supports ConfuserEx.

Let’s decompile it.

It creates a PowerShell instance and sends the first argument of the program as $flag variable to that instance. Then, it calls Class0.smethod_1 function with 3 byte arrays which are retrieved by base64 decoding the 3 strings from Class1 whcih are Class1.String_0, Class1.String_1, and Class1.String_2. Next, it adds the result of this function call to the PowerShell instance. Finally, it executes this PowerShell by calling Invoke().

Let’s take a look at the Class0.smethod_1 function.

It is AES decryption function and the three parameters are encrypted data, key, and iv respectively. Let’s look at the base64 strings from Class1.

All of them are retrieved from the resource of the file. Since the encrypted_data is too large, I won’t paste it here.

Let’s decrypt that data to get the actual PowerShell script.

After executing our script we get the following script which is also obfuscated.

We need to deobfuscate this.

This part gets the string “iex”, which is the standard alias for Invoke-Expression command, by joining the letters from the variable MaximumDriveCount. Thus, it calls Invoke-Expression with a huge parameter. Let’s execute that parameter to get its decoded form.

Here is the decoded version:

It creates a string parameter by joining lots of characters, then pipes the result to the iex command again. Let’s run the join operation to get the string parameter which is executed by Invoke-Expression.

Here, the command after the last pipe gets the string ‘Iex’ by a different trick that uses an environment variable and executes it. Everything that is at the left side of the final pipe is the parameter of the Invoke-Expression. Let’s decode it as well.

Now, we have finally completely deobfusated the script. It simply checks each character of the flag one by one.