hi there,

I got a software hacking questions which I guess the files were written in C# ..Each of the files will pop out a dialog box which will ask us to enter a string or something..if the string we entered is correct, then the status will be changed into Corecct!..But i really have no idea on how to get the right one..

So, could u guys help me?giving me a hint or something or the way how i could solve this?
U could download all the files from here : ryzalyusoff.coml/Reverse Engineering.zip

thank you in advanced :)

www.ryzalyusoff.coml/Reverse Engineering.zip

Edited 4 Years Ago by samsons17

You could get something like dot net Reflector and disassemble the executable.
You could then (probably) see the strings you're looking for.

okay, sofar i have tried the unextractor and also the dot net reflector.. but unfortunately,
the files that have been extracted bring ni meanings to me, which no clue or whatsoever..any other ideas?

You're just looking for the strings, right?
You could open the executable or associated DLLs in (even) TextPad in binary mode and just search through things that look like words. You can page up or down and just look at the contents until you see something that looks good.

yes..
binary mode? anyways i got many random wierd text with some code like this :

<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
</requestedPrivileges>
</security>
</trustInfo>

when i open up the exe file with my notepad..I couldnt find any of the reasonable word there to be as an answer, thats what confusing me right now..

when i run it with Textpad, it display me just the same info, but this time it provided me together with the hex value..

Right.
Now you can scroll down through the exe (in Textpad) and look for things (strings) that might be the answers you are seeking.
Something will appear clear to you when you are looking through all of that data.
If the original creator is purposely trying to hide the values from you, it will be difficult.

If the charset is not UTF8 or something similar, this technique will not help you at all.

If you are actually doing this as homework, you might want to stick with reflector or something like that and just step through the code wthe debugger and make it jump over the part that checks for wrong answers..

Edited 4 Years Ago by thines01: clarity

I got there and found a zip file with four executables in it.
...wouldn't DARE run them or suggest that for anyone else either.
Since the date/time on the files is within 24 hours, it made me really suspicious since the OP infers no knowing what language was used to make them.

Edited 4 Years Ago by thines01: clarity

no..dont worry about the files, nothing suspicious there..The reason those files are within the 24 hours is because i got
those file from the hacking competition that i just joined before..I couldnt finish or solve it in that competition, so
that I am thinking of finding the answer when I got home, just as my lesson and reference for the future..
I just hope that somebody could teach me this..Thank you :)

C# emits compiled programs in MSIL (Microsoft Intermediate Language) format. This format keeps a lot of information about the application such as class, field, method, property and parameter names etc.

The .NET Framework SDK has a disassembler utility called ILDASM. This util will allow you to decompile .NET Framework assemblies into IL Assembly Language statements. Open a Visual Studio command prompt and execute the util as follows: ILDASM.exe myBinary.exe

You can take this a step further by decompiling the assembly using a freeware util such as Anakrino to get the actual source code.

Unfortunately, I cannot access your binaries. So, I haven't actually tested the above. But in theory, it should work.

hye BobS0327 , thank you for your prompt reply..I have uploaded the files on mediafire, so perhaps you could download and try it now, this is the link : http://www.mediafire.com/?cruaoh9lzr9np9z

Now, i will try to do like what you said first..but i hope you will help me also in finding the answer ya :D

thank you so much..

hye, somehow my friend have gotten the actual source code from the first executable there by using somesoftware available :

__size32 global10 = 0;// 4 bytes
__size32 LoadStringA = 0x2198;// 4 bytes
__size32 SendMessageA = 0x217c;// 4 bytes
__size32 LoadIconA = 0x218c;// 4 bytes
__size32 GetModuleHandleA = 0x20c8;// 4 bytes
int global33 = 0xbb40e64e;
unsigned int global11 = 0;
__size32 global2 = 0;// 4 bytes
__size32 global0 = 0;// 4 bytes

__size32 proc2(__size32 *param1, __size32 param2);
__size32 proc3(__size32 param1);
__size32 proc4(__size32 param1);
void _start(unsigned short param1);
INT_PTR proc5(HWND hwndDlg, UINT ??, WPARAM ??, LPARAM lParam);
void proc6();
void proc7(int *param1, unsigned char param2, unsigned int param3);
__size32 proc8(int param1, int param2);

// address: 0x401256
void proc1() {
__size32 eax; // r24

global0 = 32;
eax = proc8(32, 4);
global2 = eax;
return;

}

// address: 0x40123c
__size32 proc2(__size32 *param1, __size32 param2) {
__size32 eax; // r24
__size32 *esi; // r30
void *esp; // r28
__size32 *esp_1; // r28{32}
__size32 *esp_2; // r28{2}
__size32 *esp_3; // r28{25}
__size32 *esp_4; // r28{12}
__size32 local0; // m[esp - 4]
__size32 *local1; // m[esp + 4]
__size32 *local10; // esp_1{32}
__size32 local11; // local5{39}
__size32 *local12; // local2{41}
__size32 *local2; // m[esp + 4]{41}
__size32 *local3; // m[esp + 4]{40}
__size32 local4; // m[esp - 4]{1}
__size32 local5; // m[esp - 4]{39}
__size32 local6; // m[esp - 4]{38}
__size32 *local7; // esp_3{25}
__size32 local8; // local6{38}
__size32 *local9; // local3{40}

local4 = param2;
esp_2 = esp - 4;
esi = param1;
local10 = esp_2;
local11 = local4;
local12 = param1;
esp_1 = local10;
local5 = local11;
local2 = local12;
local7 = esp_1;
local8 = local5;
local9 = local2;
while (esi < *(esp_1 + 12)) {
    eax = *esi;
    if (eax != 0) {
        (*eax)(local5, local2, eax, esi, LOGICALFLAGS32(eax), LOGICALFLAGS32(eax), LOGICALFLAGS32(eax));
        local7 = esp_4;
        local8 = local0;
        local9 = local1;
    }
    esp_3 = local7;
    local6 = local8;
    local3 = local9;
    esi++;
    local10 = esp_3;
    local11 = local6;
    local12 = local3;
    esp_1 = local10;
    local5 = local11;
    local2 = local12;
    local7 = esp_1;
    local8 = local5;
    local9 = local2;
}
esi = *esp_1;
return esi;

}

// address: 0x401000
__size32 proc3(__size32 param1) {
__size32 eax; // r24
__size32 ecx; // r25
__size32 edi; // r31
__size32 edx; // r26
__size32 esi; // r30
int esp; // r28
void *esp_1; // r28{18}
unsigned int local0; // m[esp - 28]
__size32 local1; // m[esp - 24]
int local2; // m[esp - 20]
int local3; // m[esp - 16]
int local4; // m[esp - 12]
__size32 local5; // m[esp - 8]
__size32 local6; // m[esp - 4]
__size32 local7; // m[esp + 4]

(*LoadStringA)(pc, param1, 103, 0x403038, 100, edi, esi, param1, param1, LoadStringA);
*(__size32*)(esp_1 - 4) = 100;
*(__size32*)(esp_1 - 8) = 0x4030a0;
*(__size32*)(esp_1 - 12) = 109;
*(__size32*)(esp_1 - 16) = esi;
(*edi)(local0, local1, local2, local3, local4, local5, local6, local7, eax, ecx, edx, esi, edi, <all>);
local6 = 0;
local5 = 0x401050;
local4 = 0;
local3 = 129;
local2 = esi;
global10 = esi;
DialogBoxParamA(*(esp - 20), *(esp - 16), *(esp - 12), *(esp - 8), *(esp - 4));
return 1;

}

// address: 0x40126e
__size32 proc4(__size32 param1) {
__size32 *eax; // r24

if (global11 != 0) {
    eax = *0x403028;
    param1 = proc2(eax, param1);
}
return param1;

}

// address: 0x4011ab
void _start(unsigned short param1) {
unsigned int al; // r8
__size32 eax; // r24
int eax_1; // r24
unsigned int *esi; // r30
unsigned int *esi_1; // r30{130}
unsigned int *esi_2; // r30{122}
int esp; // r28
__size32 *esp_1; // r28{76}

GetCommandLineA();
esi = eax;
al = *eax;
eax_1 = eax >> 8 & 0xffffff | (al);
if (al != 34) {
    if ((int)al > 32) {
        do {
            esi_2 = esi;
            esi = esi_2 + 1;
        } while (*(esi_2 + 1) > 32);
        goto L11;
    }
    goto L11;
}
do {
    esi_1 = esi;
    esi = esi_1 + 1;
    al = *(esi_1 + 1);
    eax_1 = eax_1 >> 8 & 0xffffff | (al);
    if (al == 0) {
        if (al == 34) {
            goto L12;
        }

L11:
al = esi;
eax_1 = eax_1 >> 8 &amp; 0xffffff | (al);
if (al == 0) {
break;
}
goto L10;
}
} while (al == 34);
do {
L12:
esi++;
L10:
} while ((int)al > 32);
GetStartupInfoA();
proc1();
esi = proc2(0x403000, esi); /
Warning: also results in esp_1 */
*(__size32*)(esp_1 + 4) = 10;
eax = *(esp_1 + 4);
*(unsigned int*)(esp_1 + 4) = eax;
*(__size32*)esp_1 = esi;
*(__size32*)(esp_1 - 4) = 0;
*(__size32*)(esp_1 - 8) = 0;
GetModuleHandleA();
*(__size32*)(esp_1 - 12) = eax;
eax = proc3(*(esp_1 - 12)); /* Warning: also results in esp */
esi = proc4(eax); /* Warning: also results in esp */
*(__size32*)(esp - 4) = esi;
ExitProcess(*(esp - 4));
return;
}

// address: 0x401050
INT_PTR proc5(HWND hwndDlg, UINT ??, WPARAM ??, LPARAM lParam) {
unsigned int al; // r8
__size8 al_1; // r8
__size16 ax; // r0
unsigned int cl; // r9
__size8 cl_1; // r9
union { int x45; unsigned int * x46; } eax; // r24
union { int x45; unsigned int * x46; } eax_1; // r24
union { int x45; char * x46; } eax_2; // r24
union { unsigned int x45; unsigned int * x46; } eax_3; // r24
union { unsigned int x47; unsigned int * x48; } eax_4; // r24
union { unsigned int x47; unsigned char * x48; } eax_5; // r24
__size32 eax_6; // r24
union { unsigned int x45; char * x46; } eax_7; // r24
union { unsigned int x45; char * x46; } eax_8; // r24{182}
HWND ebp; // r29
__size32 ebx; // r27
__size32 ecx; // r25
int edi; // r31
unsigned int edx; // r26
void *edx_1; // r26
void *edx_2; // r26{304}
__size32 esi; // r30
int esp; // r28
union { int x45; unsigned int * x46; } esp_1; // r28
union { int x55; HWND * x56; } esp_2; // r28
int esp_3; // r28
HWND *esp_4; // r28
union { unsigned int x45; char * x46; } local0; // m[esp + 8]
union { unsigned int x45; char * x46; } local1; // m[esp + 12]
HWND local10; // m[esp + 4]
union { unsigned int x45; char * x46; } local11; // m[esp + 8]
union { unsigned int x45; char * x46; } local12; // m[esp + 12]
int local13; // m[esp + 16]
int local14; // m[esp - 4]
__size8 local15; // m[esp - 104]
__size32 local16; // m[esp - 112]
__size32 local17; // m[esp - 116]
int local18; // m[esp - 132]
unsigned int local19; // m[esp - 136]
int local2; // m[esp - 103]
unsigned int local20; // m[esp - 148]
int local21; // m[esp + 4]{250}
int local22; // m[esp + 8]{250}
int local23; // m[esp + 12]{250}
int local24; // m[esp + 16]{250}
int local25; // m[esp - 4]{250}
int local26; // m[esp - 20]{250}
int local27; // m[esp - 103]{250}
int local28; // m[esp - 104]{250}
int local29; // m[esp - 112]{250}
int local3; // m[esp - 20]
int local30; // m[esp - 116]{250}
int local31; // m[esp - 120]{250}
int local32; // m[esp - 124]{250}
int local33; // m[esp - 128]{250}
int local34; // m[esp - 132]{250}
int local35; // m[esp - 136]{250}
int local36; // m[esp - 140]{250}
int local37; // m[esp - 144]{250}
int local38; // m[esp - 148]{250}
int local39; // %flags{250}
INT_PTR local4; // m[esp - 120]
int local40; // %flags{250}
int local41; // %flags{250}
int local42; // %flags{250}
int local43; // %flags{244}
int local44; // %flags{236}
int local45; // %flags{223}
int local46; // %flags{216}
int local47; // %ZF{250}
int local48; // %ZF{250}
int local49; // %ZF{250}
HWND local5; // m[esp - 124]
int local50; // %ZF{250}
int local51; // %ZF{244}
int local52; // %ZF{236}
int local53; // %ZF{223}
int local54; // %ZF{216}
int local55; // %CF{250}
int local56; // %CF{250}
int local57; // %CF{250}
int local58; // %CF{250}
int local59; // %CF{244}
int *local6; // m[esp - 128]
int local60; // %CF{236}
int local61; // %CF{223}
int local62; // %CF{216}
int local63; // m[esp - 108]
union { int x45; unsigned int * x46; } local64; // eax_1{292}
union { unsigned int x47; unsigned int * x48; } local65; // eax_4{314}
union { int x55; HWND * x56; } local66; // esp_2{340}
LPCSTR local7; // m[esp - 136]
int local8; // m[esp - 140]
HWND local9; // m[esp - 144]

esp_1 = esp - 116;
local66 = esp_1;
local66 = esp_1;
if (local0 == 272) {
    (*GetModuleHandleA)((unsigned short) *(esp + 8) - 272, (unsigned char) *(esp + 8) - 272, cl, *(esp + 8) - 272, ecx, edx, ebx, *(esp + 4), GetModuleHandleA, edi, *(esp + 4), *(esp + 8), *(esp + 12), *(esp + 16), global33 ^ (esp - 108), *(esp - 20), *(esp - 103), *(esp - 104), ebp, esi, ebx, edi, 107, 0, pc, *(esp - 140), *(esp - 144), *(esp - 148), SUBFLAGS32(*(esp + 8), 272, *(esp + 8) - 272), *(esp + 8) - 272 == 0, *(esp + 8) < 272);
    *(__size32*)(esp_4 - 4) = eax_6;
    (*LoadIconA)(ax, al_1, cl_1, eax_6, ecx, edx, ebx, ebp, esi, LoadIconA, *(esp + 4), *(esp + 8), *(esp + 12), *(esp + 16), *(esp - 4), *(esp - 20), *(esp - 103), *(esp - 104), *(esp - 112), *(esp - 116), *(esp - 120), *(esp - 124), *(esp - 128), *(esp - 132), *(esp - 136), *(esp - 140), *(esp - 144), *(esp - 148), <all>, local46, local54, local62);
    *(__size32*)(esp_4 - 4) = eax_6;
    *(__size32*)(esp_4 - 8) = 0;
    *(__size32*)(esp_4 - 12) = 128;
    *(__size32*)(esp_4 - 16) = ebp;
    (*SendMessageA)(ax, al_1, cl_1, eax_6, ecx, edx, SendMessageA, ebp, esi, edi, *(esp + 4), *(esp + 8), *(esp + 12), *(esp + 16), *(esp - 4), *(esp - 20), *(esp - 103), *(esp - 104), *(esp - 112), *(esp - 116), *(esp - 120), *(esp - 124), *(esp - 128), *(esp - 132), *(esp - 136), *(esp - 140), *(esp - 144), *(esp - 148), <all>, local45, local53, local61);
    *(__size32*)(esp_4 - 4) = 107;
    *(__size32*)(esp_4 - 8) = 0;
    (*esi)(ax, al_1, cl_1, eax_6, ecx, edx, ebx, ebp, esi, edi, *(esp + 4), *(esp + 8), *(esp + 12), *(esp + 16), *(esp - 4), *(esp - 20), *(esp - 103), *(esp - 104), *(esp - 112), *(esp - 116), *(esp - 120), *(esp - 124), *(esp - 128), *(esp - 132), *(esp - 136), *(esp - 140), *(esp - 144), *(esp - 148), <all>, local44, local52, local60);
    *(__size32*)(esp_4 - 4) = eax_6;
    (*edi)(ax, al_1, cl_1, eax_6, ecx, edx, ebx, ebp, esi, edi, *(esp + 4), *(esp + 8), *(esp + 12), *(esp + 16), *(esp - 4), *(esp - 20), *(esp - 103), *(esp - 104), *(esp - 112), *(esp - 116), *(esp - 120), *(esp - 124), *(esp - 128), *(esp - 132), *(esp - 136), *(esp - 140), *(esp - 144), *(esp - 148), <all>, local43, local51, local59);
    *(__size32*)(esp_4 - 4) = eax_6;
    *(__size32*)(esp_4 - 8) = 1;
    *(__size32*)(esp_4 - 12) = 128;
    *(__size32*)(esp_4 - 16) = ebp;
    (*ebx)(ax, al_1, cl_1, eax_6, ecx, edx, ebx, ebp, esi, edi, *(esp + 4), *(esp + 8), *(esp + 12), *(esp + 16), *(esp - 4), *(esp - 20), *(esp - 103), *(esp - 104), *(esp - 112), *(esp - 116), *(esp - 120), *(esp - 124), *(esp - 128), *(esp - 132), *(esp - 136), *(esp - 140), *(esp - 144), *(esp - 148), <all>, local39, local47, local55);
    esp_4 += 8;

L2:
eax_6 = 1;
proc6();
} else {
if (local0 - 272 != 1) {
L11:
esp_2 = local66;
eax_6 = 0;
proc6();
} else {
if ((unsigned short) local1 != 2) {
if ((unsigned short) local1 != 1) {
goto L11;
} else {
proc7(99, 0, &local2);
GetDlgItemTextA();
eax = esp - 120;
edx = 0;
local64 = eax;
do {
eax_1 = local64;
cl = *eax_1;
ecx = ecx >> 8 & 0xffffff | (cl);
eax_2 = eax_1 + 1;
local64 = eax_2;
} while (cl != 0);
if (eax_1 + 1 == (esp - 119)) {
L12:
SetDlgItemTextA("Wrong!!", 1001, hwndDlg);
local66 = esp;
goto L11;
} else {
do {
edx_2 = edx;
al = *(esp + edx_2 - 120);
if ((al ^ 101) != *(edx_2 + 0x40300c)) {
goto L12;
}
eax_3 = esp - 120;
edx = edx_2 + 1;
local65 = eax_3;
do {
eax_4 = local65;
cl = *eax_4;
ecx = ecx >> 8 & 0xffffff | (cl);
eax_5 = eax_4 + 1;
local65 = eax_5;
} while (cl != 0);
} while (edx_2 + 1 < eax_4 - esp + 120);
if (edx_2 + 1 != 20) {
goto L12;
} else {
SetDlgItemTextA("Correct!!", 1001, hwndDlg);
eax_6 = 0;
proc6();
}
}
}
} else {
EndDialog(2, hwndDlg);
goto L2;
}
}
}
return eax_6;
}

// address: 0x4011aa
void proc6() {
return;
}

// address: 0x4012a4
void proc7(int *param1, unsigned char param2, unsigned int param3) {
int al; // r8
unsigned int ecx; // r25
int *edi; // r31

if (param3 != 0) {
    al = (unsigned char) (param2) * 0x1010101;
    edi = param1;
    ecx = param3 / 4;
    while (ecx != 0) {
        *(int*)edi = (param2) * 0x1010101;
        edi +=  (DF == 0) ? 4 : -4;
        ecx = ecx - 1;
    }
    ecx = param3 & 0x3;
    while (ecx != 0) {
        *(int*)edi = al;
        edi +=  (DF == 0) ? 1 : -1;
        ecx = ecx - 1;
    }
}
return;

}

// address: 0x40128a
__size32 proc8(int param1, int param2) {
__size32 eax; // r24
HANDLE eax_1; // r24

eax = param2 * param1;
GetProcessHeap();
HeapAlloc(eax_1, 8, eax);
return eax;

}

but up until now, we have no idea where the answer is =.='

You might make more progress if you posted the disassembled code listed above in the Assembly forum.

This article has been dead for over six months. Start a new discussion instead.