LSO Crackme 0×03 Solution
Learnsecurityonline.com released Crackme 0×03 at the beginning of the month and I ended up knocking it out in about 20-30 minutes after it was posted and posting a screen shot on the blog. This is the write up following that screen shot with the method of how I approached the crackme.
All we had was a binary, and we did not know much about it. Our goal was to solve the Crackme via the given binary. The instructions were vague, the functionality was vague. We are forced to execute the program to determine both it’s functionality and our objective. When we start the binary we are shown a small window with three buttons and the instructions “Find a way to play the above tones to pass”.
Pressing the button play tone delivers us a MessageBox that tells us the tones don’t match. Listening to the tones from the three buttons, and having pressed the “play this tone” button you can tell that the tones are by no way the same. This means it’s impossible to generate the stored tone with the buttons provided.
At this point I wanted to open up the binary and take a look at how it was doing its magic. Checking it for a Packer revealed nothing with the standard PE identifiers. I ran it through my standard three, none of which came up with anything. PEID did however, mention that it was built in Visual Studio using .net. Instead of loading it up with Ida Pro or Ollydbg I decided to open it with .Net Reflector[1]. I then chose to Disassemble the Binary. As I was walking through the disassembled code I noticed class references to NetZ. Curious as to what the hell it was I googled Netz and found out that the binary was after all Compressed with this Open Source .Net Packer called Netz and that the disassembly code I was looking at was the code for the Packer. Ok, back to google I ended up searching real quick for an Unpacker for Netz. Nothing turned up. SHIT!
Tebo mentioned that the RSS feed for Woodmann’s collaborative RCE tools had popped up a Generic .Net Unpacker[2]. My only other option was to Manually unpack the binary… Well screw that I will give this Generic .Net Unpacker a shot. It ended up working great, and I was able to load up one of the output binaries into .Net Reflector and disassemble it to about 90% of the original source. That’s truly the beauty of .Net code and .Net Reflector, you don’t have to muck around in too much assembly because you can disassemble straight to source, minus the variable names some times. Going through the code for Form 1, we find the Play_Click function and take a peak at the functionality.
If you take notice, there is a single if statement that checks the values of the NumArray2[] to be set too 300,600,900. But if you pay attention the values set to numArray2[] are 250,500, and 0×3e8. No where in the code is there a place to change the tone values on that Array (which in case you weren’t paying attention correspond to Button 1, 2 and 3.)
At this point I knew I needed to change the values in that array. But I am lazy.. Real lazy so I didn’t feel like walking through it with Ollydbg, and manually changing the value. I found something called Reflexil[3] which is an assembly editor that runs as a plugin for .Net reflector. This tool allowed me to go in and modify the values in that array to what we needed, then save the program with the modifications.
Turning around and saving the file, we can then run the program and just press play. Pushing buttons 1,2, and 3 doesn’t really matter because the logic in the program doesn’t even check to see if you pushed any buttons.
And we get our Win!
[1] .Net Reflector – http://www.aisto.com/roeder/dotnet/
[2] Generic .Net Unpacker – http://www.woodmann.net/collaborative/tools/index.php/.NET_Generic_Unpacker
[3] Reflexil – http://sebastien.lebreton.free.fr/reflexil/
