Points: Solves: Category: Reverse Engineering Description:

It’s simple: Analyze the sample, find the key. Each key is an email address.


Let’s first find out a little about the file. Opening the file with PEID does not show the compiler and language. Luckily for us, Exeinfo shows “Microsoft Visual C# / Basic.NET” not packed.


Running the executable, we see it’s presenting us with a Window Box, title - “Let’s start with something easy!” and a button saying “Decode!”.


Pressing the decode button, the picture changes and the title gets scrambled.


Since this is compiled used .NET Framework, we can decompile the object and look around. In the “XXXXXXXXXXXXXX” object we can find the Decode_Click function.


Here we can see that there are two resources being used. The image resource “bob_roge” and “dat_secret”. We can also see the encoding function. Before we take advantage of that let’s see the content of “dat_secret” resource.


Converting the encoding function in Python and using it on a file with the content of the dat_secret resource, we get the key for this level.

#!/usr/bin/env python

import sys

infile = bytearray(open(sys.argv[1], 'r').read())

output = []

for num2 in infile:
	str = ((num2 >> 4) | ((num2 << 4) & 240)) ^ 0x29

print ''.join(output)
# python decrypt.py dat_secret