## Introduction

Cyber Talents - Cloak and Dagger, a reverse engineering challenge from the Ahram Canadian competition.

## Description

A .NET binary is given as an executable file called Cloak and Dagger, with the description “Open the right file to get the flag”. Reverse it to get the flag.

## File

To download the executable file, visit Cloak And Dagger.exe.

## Solution

The file is a .NET binary (you can use Detect It Easy to determine the type of a binary). On running it, it just lets you select a file and shows a message box with `You have the wrong file!`.

So let’s load it into dnSpy. In the decompiled class `Form1` there are two methods:

```csharp
public static string HexStr(byte[] p)
{
    char[] array = new char[p.Length * 2 + 2];
    array[0] = '0';
    array[1] = 'x';
    int i = 0;
    int num = 2;
    while (i < p.Length)
    {
        byte b = (byte)(p[i] >> 4);
        array[num] = (char)((b > 9) ? (b + 55) : (b + 48));
        b = (byte)(p[i] & 15);
        array[++num] = (char)((b > 9) ? (b + 55) : (b + 48));
        i++;
        num++;
    }
    return new string(array);
}
```

This just converts a byte array into a hex string, e.g. ‘a’ -> ‘0x61’ (you can use https://dotnetfiddle.net/ or the interactive C# plugin in dnSpy to test C# code snippets).

We also have:

```csharp
private void button1_Click(object sender, EventArgs e)
{
    if (this.openFileDialog1.ShowDialog() == DialogResult.OK)
    {
        string fileName = this.openFileDialog1.FileName;
        try
        {
            string b = "FF0003060C1204121212000100C40307";
            BinaryReader binaryReader = new BinaryReader(new FileStream(fileName, FileMode.Open, FileAccess.Read, FileShare.None));
            binaryReader.BaseStream.Position = 0L;
            byte[] p = binaryReader.ReadBytes(256);
            binaryReader.Close();
            string a = string.Concat(new string[]
            {
                Form1.HexStr(p).Substring(2, 2),
                Form1.HexStr(p).Substring(34, 2),
                Form1.HexStr(p).Substring(66, 2),
                Form1.HexStr(p).Substring(98, 2),
                Form1.HexStr(p).Substring(130, 2),
                Form1.HexStr(p).Substring(162, 2),
                Form1.HexStr(p).Substring(194, 2),
                Form1.HexStr(p).Substring(226, 2),
                Form1.HexStr(p).Substring(258, 2),
                Form1.HexStr(p).Substring(290, 2),
                Form1.HexStr(p).Substring(322, 2),
                Form1.HexStr(p).Substring(354, 2),
                Form1.HexStr(p).Substring(386, 2),
                Form1.HexStr(p).Substring(418, 2),
                Form1.HexStr(p).Substring(450, 2),
                Form1.HexStr(p).Substring(482, 2)
            });
            string str = string.Concat(new string[]
            {
                Form1.HexStr(p).Substring(4, 2),
                Form1.HexStr(p).Substring(36, 2),
                Form1.HexStr(p).Substring(68, 2),
                Form1.HexStr(p).Substring(100, 2),
                Form1.HexStr(p).Substring(132, 2),
                Form1.HexStr(p).Substring(164, 2),
                Form1.HexStr(p).Substring(196, 2),
                Form1.HexStr(p).Substring(228, 2),
                Form1.HexStr(p).Substring(260, 2),
                Form1.HexStr(p).Substring(292, 2),
                Form1.HexStr(p).Substring(324, 2),
                Form1.HexStr(p).Substring(356, 2),
                Form1.HexStr(p).Substring(388, 2),
                Form1.HexStr(p).Substring(420, 2),
                Form1.HexStr(p).Substring(452, 2),
                Form1.HexStr(p).Substring(484, 2)
            });
            if (a == b)
            {
                MessageBox.Show("Flag is: " + str);
            }
            else
            {
                MessageBox.Show("You have the wrong file!");
            }
        }
        catch (IOException)
        {
        }
    }
}
```

Which does this:

1. Opens a new file with the OpenFileDialog component and reads it into the byte array `p`
2. Defines a string `b` with the value `FF0003060C1204121212000100C40307`
3. Defines a string `a` as the concatenation of the hex values of the bytes at offsets {0,16,32,48,64,80,96,112,128,144,160,176,192,208,224,240} (remember that `HexStr` returns `0x` at the start of the hex string and every byte has a corresponding 2-character hex string)
4. Also defines another string `str`, like `a` but at different offsets
5. Checks whether string `a` equals string `b` and, if true, prints the flag, which is the string `str`

We can deduce some things here. First, it will crash if we open a file with size < 242 bytes (484 / 2). Second, our target here is to open the right file, nothing else.

Once I understood that, I knew that the right file is somehow embedded in the binary. I used binwalk to extract any embedded or appended files with this command:

```bash
binwalk --dd=".*" "Cloak and Dagger.exe"
```

The extracted files are so many that we cannot just open them one by one to find the right file. Instead, I will loop through all the files, read them, and check whether the bytes at the previous offsets equal the hex array `FF0003060C1204121212000100C40307`.

I used this simple script to achieve it:

```python
>>> from os import listdir
>>> from os.path import isfile, join
>>> onlyfiles = [f for f in listdir(".") if isfile(join(".", f))]
>>> for file in onlyfiles:
...     data = open(file, 'rb').read()
...     # One-byte slices compare correctly on Python 2 and 3 and do not raise on short files
...     if (data[0:1] == b'\xFF' and data[16:17] == b'\x00' and data[32:33] == b'\x03' and
...             data[48:49] == b'\x06' and data[64:65] == b'\x0C' and data[80:81] == b'\x12' and
...             data[96:97] == b'\x04' and data[112:113] == b'\x12' and data[128:129] == b'\x12' and
...             data[144:145] == b'\x12' and data[160:161] == b'\x00' and data[176:177] == b'\x01' and
...             data[192:193] == b'\x00' and data[208:209] == b'\xC4' and data[224:225] == b'\x03' and
...             data[240:241] == b'\x07'):
...         print(file)
...
7F4428
```

So we have the right file, 7F4428. Open it with our program to get the flag.

 Flag is Captured  » D80103060B120712121211FF00000512
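
As an added example (not part of the original write-up or the challenge binary), here is a Python 3 re-implementation of the `button1_Click` check that scans a directory of extracted files and reads the `str` bytes directly, so the GUI is not needed. It goes slightly beyond the script above by rejecting files shorter than 242 bytes; the function names and the sample files written by `demo()` are constructed for illustration.

```python
import os
import tempfile

EXPECTED = bytes.fromhex("FF0003060C1204121212000100C40307")  # string b on the page
STRIDE = 16  # HexStr offsets 2, 34, 66, ... are file offsets 0, 16, 32, ...

def check_and_extract(data):
    """Mirror button1_Click: return the flag hex string, or None on mismatch."""
    head = data[:256]                  # ReadBytes(256)
    if len(head) < 242:                # Substring(484, 2) needs byte index 241
        return None
    if head[0::STRIDE][:16] != EXPECTED:       # string a vs. string b
        return None
    return head[1::STRIDE][:16].hex().upper()  # string str

def scan_directory(path):
    """Return {filename: flag} for every regular file that passes the check."""
    hits = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, "rb") as fh:
                flag = check_and_extract(fh.read(256))
            if flag is not None:
                hits[name] = flag
    return hits

def build_sample(key_hex, value_hex):
    """Constructed 256-byte input: key bytes at 16k, value bytes at 16k + 1."""
    buf = bytearray(256)
    buf[0::STRIDE] = bytes.fromhex(key_hex)
    buf[1::STRIDE] = bytes.fromhex(value_hex)
    return bytes(buf)

def demo():
    """Scan a temp directory holding a matching, a wrong and a short file."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "match.bin": build_sample(EXPECTED.hex(), "00112233445566778899AABBCCDDEEFF"),
            "wrong.bin": build_sample("00" * 16, "11" * 16),
            "short.bin": b"\xff" * 100,
        }
        for name, blob in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(blob)
        return scan_directory(tmp)

if __name__ == "__main__":
    print(demo())
```

Pointing `scan_directory` at the binwalk output directory lists each candidate file together with the value the program would show in its message box.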