PAN LabyREnth CTF – Windows #2

Sample: 351ff406e49f28518315e99a87e5020ec031883c69c291f86b6abe99b2d7c4ef (PW: infected)

file BabbySay.exe
BabbySay.exe: PE32 executable for MS Windows (GUI) Intel 80386 Mono/.Net assembly

BabbySay.exe - ExeInfo

The second sample was a really funny one. Starting the file shows a keyboard, and after hard thinking I came to the conclusion that I would most probably need to push the right buttons to reveal the flag ;-).

BabbySay - Keyboard

 

Since we have a C# sample here, we can decompile the code to see what’s going on.
I used .NET Reflector to decompile it. After digging around you will spot the function which is responsible for the actions taken on each button click.

BabbySay - clickHandler

Read through the chain of if statements to work out which buttons must be pressed and in which order. Once you have pressed them in that order, the flag will show up.

flag_reveal
