Sasageyo

Easy
Malware Reverse Engineering

Overview

Dive into the internals of a .NET Native AOT application and uncover how it handles encryption. Analyze the executable’s logic to reveal the data it hides and understand how native compilation changes the reversing process. The key to the flag lies in the way the application transforms your input.

Flag format: flag{***_*******_**_*****_****_*****}

Lab Details

Prerequisites & Requirements

  • AOT Compilation Internals: Understanding the architectural differences between JIT-compiled Managed IL and Native AOT binaries.
  • Static Triage: Familiarity with PE header analysis and identifying compiled frameworks via entry-point signatures.
  • Symmetric Cryptography: Conceptual knowledge of AES (Advanced Encryption Standard) operation modes, specifically Key and IV usage.
  • Symbolic Debugging: Basic experience using PDB (Program Database) files to resolve function names in native binaries.

What will you learn?

  • Native Symbol Mapping: Utilizing PDB files within a disassembler to bridge the gap between stripped native code and source-level function names.
  • Advanced Ghidra Scripting: Implementing specialized plugins to solve framework-specific obfuscation, such as Dehydrated String Rehydration.
  • Cryptographic Parameter Extraction: Tracing native function arguments to recover hardcoded AES-256 keys and Initialization Vectors (IV).
  • Binary Forensics: Analyzing the CryptoStream and StreamWriter implementations in a native context to determine the final data transformation pipeline.

Tools

  • Disassembler: Ghidra (with the .NET Native AOT Analyzer plugin).
  • Triage: Detect-It-Easy (DIE).

Job Positions

Malware Analyst

Tags

  • Ghidra
  • Dotnet
  • Static Analysis
  • Dynamic Analysis
  • Aes