r0da's blog

Hi people Starting a blogpost by reversing a .Net PE sound weird to me, but I need to start somewhere :p This a Write Up about a Korean CTF challenge, the one is named CSHARP It's not really hard (because of .net) but I found it interresting MD5 : E8B0B5173B14D118FFD687D37F1A6F06 What I used :    -  DIE (Detect It Easy)     -  DNSpy Part 1 : Post analyse The first thing to do is identify what is this PE   It’s look like a .Net assembly (like in the title) Before reverse anything, I like to see what the tool look like   The typical .Net assembly icon confirm us that it is .Net Ok so a classic check, a textbox and a message box of answer So, let's get started It’s .Net so I will use dnSpy to decompile it Nothing special, the Module entrypoint is empty, the Main entrypoint is normal and just launch the Form1 class So let’s jump in the Form1 class In imports, we can see something i