2 min to read

TeasingButton challenge

write-up

Featured image

Level: Medium Points:100 Description: Do you really need the Hash?

Given an executable, after check it’s type I found that it is PE32 .Net GUI for windows and as we can see in the following image it seems to be packed or something: after running the executable we will see 2 buttons, Yes and No . When I click yes button it will just swap the two buttons and nothing happen: Checking the code with dnSpy: as we can see it is too hard to understand the code because it is confused, so I tried to unpack it with de4dot tool..

checking the unpacked one with dnSpy again and now I can read it as we can see: going to btnYes_MouseHover and btnYes_MouseUp functions to check what is going on.. As we can see in the image, there is MessageBox contains method_0 and method_2 which takes “68” as an argument so lets check method_2 : The function will return a value which is the hash, as we can see here: return str + string_0 + str2 + str3 + this.method_0(string) + this.method_1(list); So lets get the values of them: str = "79" as this image: string_0 is the argument that method_2 function takes before, so it is equal to 68 : str2 = "017" from the first image contain str value str3 = "eeb" as we see in this image: method_0(string_) will takes string_ values which is equal to “2708”,”d77”,83f” and convert them to one string so it will equal to "2708d7783f" : method_1(list) will takes the values of list as one string also, but we need to know how switch work: if you have a problem in reading the code you can write a code to follow the values of num2 so you can know which Case will happen next

This is example: as we can see the code will start with Case number 5 ,then go to 7, after that it will go to 4,3,2,1 : So our order will start from case 3 then 2 then 1, So the values of list will be: "f0bdf","5d1a","33b" Then method_1(list) will equal to "f0bdf5d1a33b"

now we have all values of the return: str = "79" string_0 = "68" str2 = "017" str3 = "eeb" method_0(string_) = "2708d7783f" method_1(list) = "f0bdf5d1a33b"

then hash will be 7968017eeb2708d7783ff0bdf5d1a33b and this is the flag :)