0x90 SecuritySuite - CrackMe Tutorial

September 4, 2015 - Reading time: 4 minutes

Target: 0x90 SecuritySuite - CrackMe

URLhttps://forum.tuts4you.com/topic/37464-net-0x90-securitysuite-crackme/

Protection: Serial

Description: Crackme with a serial protection

ToolsMegaDumper, Telerik JustDecompile, de4dot and Visual Studio.

From the forum thread:

Used:

1. RPX - 4 Passes
2. DeepSea Obfuscator - 3 Passes
3. ConfuserEx 0.5.0-Custom by Me - 1 Pass

----

Objectives:

Successfully DeObfuscate the application then Find the Password.

If you feel willingly, please write a tutolrial.

So we are dealing with a packed exe. Let's dump the process with MegaDumper. This creates a lot of files in the Dumps folder. So lets try to find the correct file to analyze. Just decompile the files and look for the file containing the namespaces SecuritySuite, SecuritySuite.My and SecuritySuite.My.Resources.

Open Form1 in SecuritySuite and find the Button1_Click method:

    private void Button1_Click(object sender, EventArgs e)
    {
      if (Operators.CompareString(this.TextBox2.Text, Cryptage.RC2_Decrypt("iedX+tawwyCG2Zu/ZIlU1A==", "蝑蝞哱哸娗娞弳弰諃齈龘墻蒠蓔蜳雥齆犪藱藚葮腠熿熼燛鸃鼞欘珆玸髽鮛皾籈譧肵苂苃齫儽戃跾趍跠跬鷖鼳鼲輘瞗穇碡碙鋡烢烒珛瀷瀹藶"), false) != 0)
      {
        this.Label1.Visible = true;
        this.Label1.Text = Cryptage.RC2_Decrypt("PdgNYQY+M06nkvm7N9qP8A5c3YOvgQysB8j0r9zDInw=", "蝑蝞哱哸娗娞弳弰諃齈龘墻蒠蓔蜳雥齆犪藱藚葮腠熿熼燛鸃鼞欘珆玸髽鮛皾籈譧肵苂苃齫儽戃跾趍跠跬鷖鼳鼲輘瞗穇碡碙鋡烢烒珛瀷瀹藶");
      }
      else
        this.Label1.Text = Cryptage.RC2_Decrypt("SDtjsDdna14pMoKlrxSfUxh/+hxaf1Z6", "蝑蝞哱哸娗娞弳弰諃齈龘墻蒠蓔蜳雥齆犪藱藚葮腠熿熼燛鸃鼞欘珆玸髽鮛皾籈譧肵苂苃齫儽戃跾趍跠跬鷖鼳鼲輘瞗穇碡碙鋡烢烒珛瀷瀹藶");
    }

So the crackme compares the value entered in the second text box to the result of the RC2_Decrypt method. Lets take a look at that method in the Cryptage class.

    public static string RC2_Decrypt(string input, string pass)
    {
      RC2CryptoServiceProvider cryptoServiceProvider1 = new RC2CryptoServiceProvider();
      MD5CryptoServiceProvider cryptoServiceProvider2 = new MD5CryptoServiceProvider();
      string @string;
      try
      {
        byte[] hash = cryptoServiceProvider2.ComputeHash(Encoding.ASCII.GetBytes(pass));
        cryptoServiceProvider1.Key = hash;
        cryptoServiceProvider1.Mode = CipherMode.ECB;
        ICryptoTransform decryptor = cryptoServiceProvider1.CreateDecryptor();
        byte[] inputBuffer = Convert.FromBase64String(input);
        @string = Encoding.ASCII.GetString(decryptor.TransformFinalBlock(inputBuffer, 0, inputBuffer.Length));
      }
      catch (Exception ex)
      {
        ProjectData.SetProjectError(ex);
        ProjectData.ClearProjectError();
      }
      return @string;
    }

Now all we have to do is write a program to show the decrypted password using the RC2_Decrypt method and the arguments in the call from the Button1_Click method.

using System;
using System.Security.Cryptography;
using System.Text;

namespace PassDecrypter
{
    class PassDecrypter
    {
        static void Main()
        {
            Console.WriteLine("Password: " + GetPass());
            Console.ReadKey();
        }

        private static string GetPass()
        {
            return RC2_Decrypt("iedX+tawwyCG2Zu/ZIlU1A==",
                "蝑蝞哱哸娗娞弳弰諃齈龘墻蒠蓔蜳雥齆犪藱藚葮腠熿熼燛鸃鼞欘珆玸髽鮛皾籈譧肵苂苃齫儽戃跾趍跠跬鷖鼳鼲輘瞗穇碡碙鋡烢烒珛瀷瀹藶");
        }

        public static string RC2_Decrypt(string input, string pass)
        {
            var cryptoServiceProvider1 = new RC2CryptoServiceProvider();
            var cryptoServiceProvider2 = new MD5CryptoServiceProvider();
            var hash = cryptoServiceProvider2.ComputeHash(Encoding.ASCII.GetBytes(pass));
            cryptoServiceProvider1.Key = hash;
            cryptoServiceProvider1.Mode = CipherMode.ECB;
            var decryptor = cryptoServiceProvider1.CreateDecryptor();
            var inputBuffer = Convert.FromBase64String(input);
            var @string = Encoding.ASCII.GetString(decryptor.TransformFinalBlock(inputBuffer, 0, inputBuffer.Length));
            return @string;
        }
    }
}

Running this program will generate the following output:

Password: Markus 16:15

And when we enter this in the second text box and press the button we get the "Congratulations!"-message.

To deobfuscate the exe run it through de4dot, open up the output file in JustDecompile (with the Assembly editor plugin) and use Reflexil to delete the four unused classes, then save the exe.