Tatakae
Difficulty: Medium
Category: Malware Reverse Engineering
Overview
A mysterious .NET Native binary encrypts your input into a separate file, using a shuffled PRNG-based routine. Can you reverse-engineer its obfuscated logic, recover the encryption scheme, and decrypt the hidden message? Dive into native AOT internals and uncover how it transforms your data.
flag format:
flag{******_*********_**_**********}
Lab Details
Prerequisites & Requirements
- AOT Compilation Internals: Understanding the difference between JIT-compiled managed IL and Native AOT (Ahead-of-Time) compilation, where the IL is compiled to machine code at build time and no IL or runtime JIT is present in the binary.
- Native Code Analysis: Intermediate proficiency in x64 assembly and in reading C-style data structures as a decompiler presents them.
- Binary Diffing: Familiarity with heuristic function matching and version tracking between binaries.
- Metadata Recovery: Knowledge of the ReadyToRun (R2R) header and section directory that Native AOT binaries carry, and of how .NET stores native method descriptors.
What will you learn?
- Binary Version Tracking: Using Ghidra's Version Tracking to correlate stripped functions with a reference Native AOT sample whose function names are known, so that runtime and library code can be separated from the author's logic.
- Custom Crypto Reversal: Deconstructing a multi-stage encryption routine involving an additive cipher, positional offsets, and PRNG-based shuffling.
- PRNG State Recovery: Identifying the Fisher-Yates shuffle and undoing it by recovering the deterministic seed (the sum of the key bytes) and replaying the same permutation.
- Plugin Integration: Using specialized Ghidra plugins to resolve dynamically loaded strings and internal .NET Native AOT structures.
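The lab's encryption scheme combines an additive cipher, positional offsets and a Fisher-Yates shuffle whose PRNG is seeded with the sum of the key bytes. The following script is an added illustration of how that kind of scheme is inverted once it has been reversed; it is not the lab binary's code and its stage shapes (repeating-key addition plus the byte index, then a shuffle of positions) are assumptions chosen only to exercise the technique. Python's `random.Random` stands in for the binary's PRNG; against the real sample you would reimplement the generator you find in the disassembly (for a .NET binary, typically `System.Random`) bit-exactly so the permutation replays identically. The `recover_key` function also shows why a seed derived from the sum of the key bytes is a weakness: the seed can only take `255 * key_len + 1` values, so it can be brute-forced directly, and a short known-plaintext prefix such as the `flag{` format marker then yields the key bytes. The sample key and message are constructed for this example.

```python
import random
from typing import List, Tuple


def derive_seed(key: bytes) -> int:
    """Seed derivation as the lab describes it: the plain sum of the key bytes."""
    return sum(key)


def shuffle_order(n: int, seed: int) -> List[int]:
    """Fisher-Yates over the index list 0..n-1, driven by a seeded PRNG.

    random.Random is an assumed stand-in for the binary's generator; the
    real reversal must replay the exact PRNG found in the disassembly.
    """
    rng = random.Random(seed)
    order = list(range(n))
    for i in range(n - 1, 0, -1):
        j = rng.randrange(i + 1)
        order[i], order[j] = order[j], order[i]
    return order


def additive_stage(data: bytes, key: bytes, sign: int) -> bytes:
    """Byte-wise additive cipher with a repeating key and a positional offset.

    sign=+1 applies the stage (encrypt), sign=-1 undoes it (decrypt).
    The exact stage shape is a hypothetical one for this example.
    """
    klen = len(key)
    return bytes((b + sign * (key[i % klen] + i)) & 0xFF for i, b in enumerate(data))


def encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Stage 1: additive cipher; stage 2: shuffle positions with the seeded PRNG."""
    stage1 = additive_stage(plaintext, key, +1)
    order = shuffle_order(len(stage1), derive_seed(key))
    return bytes(stage1[src] for src in order)


def unshuffle(ciphertext: bytes, seed: int) -> bytes:
    """Replay the same permutation and move each byte back to its source index."""
    order = shuffle_order(len(ciphertext), seed)
    stage1 = bytearray(len(ciphertext))
    for dst, src in enumerate(order):
        stage1[src] = ciphertext[dst]
    return bytes(stage1)


def decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """Full inverse: undo the shuffle, then subtract key byte and position."""
    return additive_stage(unshuffle(ciphertext, derive_seed(key)), key, -1)


def recover_key(ciphertext: bytes, key_len: int, known_prefix: bytes) -> List[Tuple[int, bytes]]:
    """Exploit the weak seed without knowing the key.

    A seed that is the sum of key_len bytes lies in 0..255*key_len, so every
    value can be tried. For each seed the shuffle is undone, the key bytes
    implied by the known plaintext prefix are read off, and a candidate is
    kept only if those bytes sum back to the seed, repeat consistently across
    the prefix, and decrypt the whole message to printable ASCII.
    """
    assert len(known_prefix) >= key_len, "prefix must cover one full key period"
    hits: List[Tuple[int, bytes]] = []
    for seed in range(255 * key_len + 1):
        stage1 = unshuffle(ciphertext, seed)
        implied = [(stage1[i] - known_prefix[i] - i) & 0xFF for i in range(len(known_prefix))]
        key = bytes(implied[:key_len])
        if any(implied[i] != key[i % key_len] for i in range(key_len, len(known_prefix))):
            continue
        if sum(key) != seed:
            continue
        plaintext = decrypt(ciphertext, key)
        if all(32 <= b < 127 for b in plaintext):
            hits.append((seed, key))
    return hits


if __name__ == "__main__":
    KEY = bytes([0x13, 0x37, 0xBE, 0xEF])       # constructed sample key (seed = 503)
    MSG = b"flag{constructed_sample_text}"     # constructed sample, not the lab flag
    ct = encrypt(MSG, KEY)
    print("ciphertext:", ct.hex())
    print("decrypted :", decrypt(ct, KEY))
    print("recovered :", recover_key(ct, len(KEY), b"flag{"))
```

The brute-force loop is the practical payoff of the PRNG weakness tag: even though the key is four unknown bytes (2^32 possibilities), the shuffle only depends on their sum, so at most 1021 seeds need to be tried, and the known `flag{` prefix fixes the additive stage once the shuffle is undone.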
Tools
- Reverse Engineering: Ghidra (specifically the Version Tracking tool and .NET Native AOT Analyzer plugin).
- Triage: Detect-It-Easy (for identifying AOT vs. Managed .NET).
Job Positions
Malware Analyst
Tags
Ghidra, Dotnet, Static Analysis, Malware Analysis, Disassembler, PRNG Weakness