PAN LabyREnth CTF – Windows #2

Sample: 351ff406e49f28518315e99a87e5020ec031883c69c291f86b6abe99b2d7c4ef (PW: infected)

file BabbySay.exe
BabbySay.exe: PE32 executable for MS Windows (GUI) Intel 80386 Mono/.Net assembly

BabbySay.exe - ExeInfo

The second sample was a really funny one. Starting the file shows a keyboard, and after hard thinking I came to the conclusion that I would most probably need to push the right buttons to reveal the flag ;-).

BabbySay - Keyboard


Since we have a C# sample here, we can decompile the code to see what’s going on.
I used .NET Reflector to decompile it. After digging around you will spot the function which is responsible for the actions taken on each button click.

BabbySay - clickHandler

Just read the bunch of if statements to understand which buttons must be pressed in which order, and after you’ve done that, the flag will show up.

