So far I’ve used the command strings and learned how to open Cutter for Radare2.
- Windows 10 box
- Cutter Installed
I’m going to omit all of the steps I took that were wasted / dead ends, and just write up how I was actually able to do it.
WELL didn’t I get kicked in the teeth for having the nerve of being excited about finally learning how to open Cutter. I wasted so much time on this challenge trying to navigate working with the app on Cutter, which still just looks like calligraphy to me, only to learn through forums that I was basically wasting my time.
A quick run of Bypass.exe shows a simple command prompt asking for a username, and then a password.
Taking a look at Bypass.exe with strings or a hex editor will quickly show signs that it’s some kind of .NET application. While working on this program I saw others using a Sysinternals tool called sigcheck, but I suppose to each their own on this one.
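Added example, not part of the original write-up: a managed (.NET) executable has a non-empty CLR runtime header entry (data directory index 14) in its PE optional header, so the "is this .NET?" triage step can be done by reading that one field. The function names are my own, and `build_sample_header` only fabricates header bytes so the check can be exercised offline.

```python
import struct
import sys

CLR_DIR_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: the CLR runtime header

def clr_directory(data: bytes):
    """Return (rva, size) of the CLR header data directory, or None if absent."""
    try:
        if data[:2] != b"MZ":
            return None
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)     # e_lfanew
        if data[pe_off:pe_off + 4] != b"PE\x00\x00":
            return None
        opt = pe_off + 4 + 20                                # skip signature + COFF header
        (magic,) = struct.unpack_from("<H", data, opt)
        if magic not in (0x10B, 0x20B):                      # PE32 / PE32+
            return None
        dirs = opt + (96 if magic == 0x10B else 112)         # start of data directories
        (count,) = struct.unpack_from("<I", data, dirs - 4)  # NumberOfRvaAndSizes
        if count <= CLR_DIR_INDEX:
            return None
        rva, size = struct.unpack_from("<II", data, dirs + CLR_DIR_INDEX * 8)
    except struct.error:                                     # truncated file
        return None
    return (rva, size) if rva and size else None

def is_dotnet(data: bytes) -> bool:
    return clr_directory(data) is not None

def build_sample_header(magic: int, clr=(0, 0)) -> bytes:
    """Constructed, header-only test input (not a runnable executable)."""
    dir_off = 96 if magic == 0x10B else 112
    opt = bytearray(dir_off + 16 * 8)                        # 16 data directories
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, dir_off - 4, 16)
    struct.pack_into("<II", opt, dir_off + CLR_DIR_INDEX * 8, *clr)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), 0)
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt)

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            verdict = "managed (.NET)" if is_dotnet(fh.read()) else "no CLR header"
        print(f"{path}: {verdict}")
```

Run it with one or more file paths as arguments to get a verdict per file before deciding which disassembler to reach for.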
After much failure with Cutter I checked out the forums and saw the hint that the challenge was made for “something like DnSpy”, so I checked it out.
.NET applications can be disassembled and debugged using DnSpy.
I opened up the application in DnSpy and for the first time I was actually able to see remotely coherent looking functions.
The code above represents the program asking for my username & password, and then doing something with them - except, not really. As you can see in the 1() function, it will always return as false, which means that figuring out the right username and password is not gonna happen.
After looking at other DnSpy tutorials and articles online, I was fixated on taking advantage of its code editing & recompiling features. I thought:
Well, if I can edit the code, I’ll just have it call the function that shows me the flag and be done with it!
…except I couldn’t get it to compile. I literally spent an hour on it, and the answers I was discovering suggested that the code was obfuscated in such a way that maneuvering it to recompile would be feasible but a HUGE waste of time. Once I ditched my aspiration to edit the code, it dawned on me how dumb I was being, because I entirely forgot about the existence of breakpoints.
I’m not super familiar with the concept, but I think breakpoints are points you can establish in the execution flow that will pause the execution. That gives you, the debugger/RE, time to check out what’s going on in memory - or change some values in memory.
Don’t be me and forget about breakpoints. They provide a vector to pause execution flow, inspect what’s going on, and modify data.
And thus, the answer to the challenge was made apparent; I just need to set breakpoints at every statement that basically says “if not true, then quit” and change whatever values to true (or false, depending).
And it worked like a charm. I still know 0.0001% of all there is to know about reverse engineering, but I have relearned the use of breakpoints, and the usefulness of DnSpy.