HTB Hack The Boo 2023: Rev Spellbrewery

#htb #ctf #reverse-engineering #dotnet #binary-analysis

Challenge Information

AttributeDetails
EventHack The Boo 2023
CategoryReverse Engineering
ChallengeRev Spellbrewery

Summary

A .NET compiled binary that requires reverse engineering to understand its functionality. The challenge involves analyzing a compiled executable (SpellBrewery.exe and associated DLL files) to extract information or understand the program’s logic.

Analysis

Challenge Files:

The challenge provides a .NET application with the following components:

  • SpellBrewery (executable file)
  • SpellBrewery.dll (compiled .NET assembly)
  • SpellBrewery.deps.json (dependency information)
  • SpellBrewery.runtimeconfig.json (runtime configuration)

Tools for Analysis:

For .NET binaries, common analysis tools include:

  1. dnSpy: Open-source .NET debugger and assembly editor
  2. ILSpy: Decompiler for .NET assemblies
  3. dotPeek: JetBrains .NET decompiler
  4. Ghidra: Open-source reverse engineering framework
  5. dnDbg: .NET debugger

Solution

Step 1: Decompile the .NET Assembly

Use dnSpy or ILSpy to decompile the SpellBrewery.dll:

Terminal window
# Using ILSpy from command line
ilspycmd SpellBrewery.dll -o ./decompiled


# Using dnSpy (GUI)
# Open dnSpy -> File -> Open -> Select SpellBrewery.dll

Step 2: Analyze the Decompiled Code

Once decompiled, you’ll see the C# source code. Look for:

  • Main entry point
  • Key classes and methods
  • String literals and constants
  • Cryptographic operations
  • File I/O operations

Step 3: Dynamic Analysis with Debugger

Terminal window
# Using dnSpy debugger
# 1. Open the executable in dnSpy
# 2. Set breakpoints at interesting functions
# 3. Run with F5
# 4. Step through execution to understand behavior
# 5. Inspect variable values and memory

Step 4: Extract Flag/Information

Common targets in reverse engineering:

  • Look for base64 or hex-encoded strings
  • Check for hardcoded credentials or flags
  • Analyze validation routines
  • Check for anti-debugging tricks

Step 5: Patch or Modify (if needed)

// Example: If you find a check that prevents execution
if (username == "correct_username" && password == "correct_password") {
    // Display flag
}


// You might patch this to always return true
if (true) {  // Modified condition
    // Display flag
}

Using Python to Interact (if it’s a server)

import subprocess
import sys


# Run the .NET application
proc = subprocess.Popen([
    sys.executable,
    "SpellBrewery"
], stdout=subprocess.PIPE, stdin=subprocess.PIPE, stderr=subprocess.PIPE)


# Send input
output, error = proc.communicate(input=b"test_input\n")
print(output.decode())

Key Takeaways

  • .NET binaries are significantly easier to reverse engineer than native code because they retain most source-level information
  • dnSpy is a powerful tool for .NET analysis with both decompilation and debugging capabilities
  • Look for:
    • Hardcoded strings and constants
    • Validation logic and checks
    • Cryptographic operations
    • File paths and resource references
  • .NET anti-tampering measures:
    • Obfuscation tools (ConfuserEx, dotfuscator)
    • Anti-debugging checks
    • Runtime integrity checks
  • Common patterns to look for:
    • String decryption routines
    • License validation
    • Check for “magic” values or keys
  • Defense strategies (for developers):
    • Use obfuscators to obscure logic
    • Implement anti-debugging checks
    • Use code virtualization
    • Consider native compilation or ahead-of-time (AOT) compilation