TickTock
Medium
Malware Reverse Engineering
Overview
A mysterious .enc file and a compiled C# executable await your analysis. The key file is missing, so you must reverse the program's logic to see how the AES key and IV were generated by a seemingly innocent call to MoreLinq's RandomSubset. Time is of the essence, literally: the program seeds its random number generator from a time-based value (Environment.TickCount, the milliseconds since boot). Understand how randomness works in C#, analyze the execution flow, and retrace the ticking clock to reclaim the flag.
flag format:
flag{******_**_**_********_****_***_******}
Lab Details
Prerequisites & Requirements
- C# & .NET Reverse Engineering:
  - Familiarity with reading decompiled C# code (using tools like dnSpy).
  - Understanding how external libraries (NuGet packages like MoreLinq) are linked and used within an application.
  - Awareness of .NET version differences (e.g., on .NET Framework 4.7.2 the parameterless new Random() is seeded from Environment.TickCount, whereas .NET 6+ gives it a different algorithm seeded from the OS cryptographic RNG; only the seeded constructor new Random(seed) keeps the legacy behavior).
- Cryptographic Primitives:
  - Understanding AES encryption (CBC mode) and the necessity of a valid key and initialization vector (IV).
  - Knowledge of PRNGs (pseudo-random number generators) and the concept of seeding.
- Algorithmic Logic:
  - Understanding that if you know the seed, you can predict the entire sequence of random numbers generated by System.Random.
  - Ability to write multi-threaded code (C# Parallel.For) to optimize brute-force attempts over a large search space.
What will you learn?
- Exploiting Insecure Randomness:
  - Identifying time-based seeding vulnerabilities (Environment.TickCount).
  - Learning why system uptime (milliseconds since boot) is a weak entropy source for cryptographic key generation: it is a 32-bit counter bounded by how long the machine has been running, so an attacker only has to try one candidate per millisecond of that window.
- Dependency Analysis:
  - Digging into third-party library source code (MoreLinq) to understand how wrapper functions like RandomSubset use the underlying random number generator (GlobalRandom.Instance).
- State Reconstruction & Brute-Forcing:
  - Creating a "solver" that replicates the exact environment of the target executable.
  - Using the exact same library calls to recreate the random number sequence and brute-forcing the seed range (0 to ~1 hour of system uptime) to recover the AES key.
Tools
- dnSpy:
  - Used for static analysis and decompilation. It allows you to view the C# source code, identify the usage of MoreLinq, and find the logic where RandomSubset generates the key and IV.
- Visual Studio / .NET CLI (C#):
  - Used to write and compile the solver application.
  - Unlike Python, using C# is critical here to ensure the System.Random implementation matches the target binary exactly. You also need to reference the MoreLinq library in your solver to replicate the RandomSubset behavior. The solver can be built with a modern SDK as long as it only uses the seeded constructor new Random(seed), which keeps the legacy algorithm on .NET 6+; the parameterless constructor does not.
- Detect It Easy (DiE):
  - Used for initial triage to identify whether the binary is a 32-bit or 64-bit .NET executable and which runtime it targets.
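A skeleton solver of the kind the Tools and "What will you learn?" sections describe, added here as an example; it is not the lab's code or MoreLinq's code. It assumes, hypothetically, that the target derives the key from Alphabet.RandomSubset(32) and then the IV from Alphabet.RandomSubset(16), in that order, from the single shared GlobalRandom stream, that the result is used as ASCII bytes for AES-CBC with PKCS7 padding, that the ciphertext is in flag.enc, and that the plaintext begins with "flag{". The Alphabet string is invented. Adjust those details to whatever dnSpy shows in the target; the brute-force itself does not depend on exactly how GlobalRandom turns Environment.TickCount into a seed, because every value in the uptime window is tried.

```csharp
// Added example solver (not the lab's own code). Assumptions are marked below.
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using MoreLinq;   // NuGet: MoreLinq, for the RandomSubset extension method

static class TickTockSolver
{
    // ASSUMPTION: hypothetical alphabet; replace with the one decompiled from the target.
    const string Alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    // ASSUMPTION: key and IV lengths as drawn by the target (AES-256, 16-byte block).
    const int KeyLen = 32, IvLen = 16;
    // Environment.TickCount is milliseconds since boot; the lab bounds uptime at about one hour.
    const int MaxSeed = 60 * 60 * 1000;

    static int s_found = -1;

    // Replays the target's key derivation for one candidate seed. Using one Random for both
    // RandomSubset calls mirrors the single GlobalRandom stream the target draws from; the
    // seeded constructor keeps the legacy algorithm on every .NET version, so the sequence
    // matches a .NET Framework target. System.Random is not thread-safe, hence one per call.
    static (byte[] key, byte[] iv) DeriveKeyIv(int seed)
    {
        var rng = new Random(seed);
        var key = Encoding.ASCII.GetBytes(new string(Alphabet.RandomSubset(KeyLen, rng).ToArray()));
        var iv  = Encoding.ASCII.GetBytes(new string(Alphabet.RandomSubset(IvLen, rng).ToArray()));
        return (key, iv);
    }

    // Returns the plaintext, or null when PKCS7 padding fails (the case for ~255/256 of wrong keys).
    static byte[] TryDecrypt(byte[] ciphertext, byte[] key, byte[] iv)
    {
        using var aes = Aes.Create();
        aes.Mode = CipherMode.CBC;
        aes.Padding = PaddingMode.PKCS7;
        aes.Key = key;
        aes.IV = iv;
        try
        {
            using var dec = aes.CreateDecryptor();
            return dec.TransformFinalBlock(ciphertext, 0, ciphertext.Length);
        }
        catch (CryptographicException)
        {
            return null;
        }
    }

    static void Main(string[] args)
    {
        var ciphertext = File.ReadAllBytes(args.Length > 0 ? args[0] : "flag.enc");
        if (ciphertext.Length == 0 || ciphertext.Length % 16 != 0)
        {
            Console.WriteLine("Ciphertext length is not a multiple of the AES block size; check the file.");
            return;
        }
        // ASSUMPTION: known plaintext prefix, used to reject the rare wrong key that pads correctly.
        var magic = Encoding.ASCII.GetBytes("flag{");

        Parallel.For(0, MaxSeed + 1, (seed, state) =>
        {
            var (key, iv) = DeriveKeyIv(seed);
            var pt = TryDecrypt(ciphertext, key, iv);
            if (pt != null && pt.Length >= magic.Length && pt.Take(magic.Length).SequenceEqual(magic))
            {
                Interlocked.CompareExchange(ref s_found, seed, -1);
                state.Stop();
            }
        });

        if (s_found < 0)
        {
            Console.WriteLine("No seed in range matched; re-check the alphabet, sizes and call order in dnSpy.");
            return;
        }
        var (k, v) = DeriveKeyIv(s_found);
        Console.WriteLine($"seed = {s_found} ms of uptime, key = {Encoding.ASCII.GetString(k)}, iv = {Encoding.ASCII.GetString(v)}");
        Console.WriteLine(Encoding.UTF8.GetString(TryDecrypt(ciphertext, k, v)));
    }
}
```

Build it in a console project that references the MoreLinq package and run it with the .enc file as the argument. The order of the RandomSubset calls matters as much as the seed: swapping key and IV derivation, or adding any other draw from the shared generator, shifts the sequence and the search will find nothing.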
Job Positions
Malware Analysts
Tags
Static Analysis, Malware Analysis, Decompiler, Cryptor, Brute Force, PRNG Weakness, Dotnet, AES