Attacking Common Applications - Attacking Thick Client Applications

Hello, can anyone who finished this exercise give me some help?

This has been the most frustrating exercise yet, I don’t even understand the concept or what I am doing.

I did all the steps.

After dumping the file from x64dbg.exe and running strings64.exe on it, this is my output:

Screenshot from 2023-05-19 12-46-53

Running de4dot.exe:
Screenshot from 2023-05-19 12-47-49

Pretty sure I did every step correctly. If not, I suppose I would not find the map with a size of 0000000000003000 with a type of MAP and protection set to -RW--. I think! Like I said, I have no idea what I am doing in this exercise.

Thanks!

3 Likes

SOLVED IT!

My error was I forgot to restart the x64dbg.exe application after changing the preferences.

Your dumped file must have this name: restart-service_00000000001F0000.bin

How were you able to get the memory dump to be slow enough? It is updating every second for me, so I can't click on it when it zooms by.

After making changes in x64dbg Preferences, restart the application.

1 Like

I’m running into an issue with this section. I go through the steps and it doesn’t ever create a .bat file as specified. Also, I agree with @JahBless, this section is very convoluted and doesn’t explain very well what we’re even doing. Following along to get the flag feels like a lot of information is missing in the explanation of why this works the way it does.

3 Likes

I have been struggling for 2 hrs on this basic lesson. I have no clue what they are trying to say.
And the VM is really really slow…

2 Likes

I don't find this restart-service_00000000001F0000.bin?! Can you share more info please?

Hi, can any kind soul give some other hints? It is not the same as what the guide was showing, right? I got the MAP with RW memory but the strings output is nothing related.

I am working on the "Attacking Thick Client Applications" assignment.
I am logging in and there is supposed to be a user called Matt, at least according to the writeup.
There is no user Matt. I attached the list of users on the machine.
[image: list of users on the machine]
Then I run the Oracle application, and according to the description there is supposed to be a directory named App under user cybervaca, as shown in the attached figure.


But when I run the Oracle application, the app does not create the App folder. The attached figure shows what I am getting.

I must be missing something.
Can somebody help?
Thanks

Hi bro, you are in the same situation as me. You need to follow the instructions from "Retrieving Hardcoded Credentials from Thick-Client Applications".

Can anyone help me find the address?

Anyone figure this out? I’ve dumped every MAP type and nothing is coming back as an executable

Finally got this. The box has a few issues with running PowerShell. Basically, run PowerShell as admin and make the executions from there. The modification to the folder where the bat file gets written to needs to be changed for administrators as well. x64dbg takes a lot of time to open, but it finally does (just need to be patient).

I got to the point in the steps “Follow in Memory Map” but could never find the 3000 size. Finally found it today, just needed to scroll to the top of the window. Then start checking RWs for the same size. Clicking on them should reveal which one is the file, by the MZ magic byte.

Thank you everyone for your input. I followed the section for this exactly without skipping any steps and was able to find it very easily after a million failed attempts. My hint for anyone trying to take the easy way through this is that they give you the script for all the power you need in the world. Once executed, it's pretty straightforward from there.

1 Like

This one took me a while to get right; hopefully this saves some folks some heartache. Follow the module to get this to work. It does if you tweak a few things:

  1. You won’t be using the user “Matt” like in the example, sub that for “cybervaca” in whatever you’re seeing with Matt.
  2. When it comes to modifying the batch file, I ONLY got it to work if I copied the bottom part from the module and pasted it in to replace the stuff at the bottom that was already there. Remember to get rid of the bits at the top like in the example too.
  3. When you change preferences on the Debugger, RESTART the program immediately after and re-open it or the changes won’t take effect!
  4. When it comes to using PowerShell in this module, RUN AS ADMIN!
  5. When you import the file to the Debugger, if you don’t see the red arrow at the top left as you import the file in the CPU section, you’re onto a loser, it NEEDS to be there for it to work.
  6. You’ll have to sift for that MAP file with RW privs, but it is there.
  7. The VM is slow as a year in jail, opening the debugger took minutes so you have to give it a while.
  8. If you use strings and get TONNES of data, your dumped file isn’t the correct one, try another.
  9. On DNSpy, don’t panic if you don’t see your file straight away, drag it in and go down the file chain like in the example.

Whoever is reading this, it’s doable, a tough one but you got it.

1 Like

Guys, how did you manage to click on the correct line in x64dbg?? Everything keeps changing so fast I do not have time to double click and then choose the option before it changes??? Why are these exercises like this???

2 Likes

I really need help with this section. I am in the same boat here. Honestly, I can't find the MAP section which is Read/Write.

Here is what I have already done:

  1. Restarted x64dbg with only the Entry breakpoint
  2. Tried importing Ghidra and analyzing the exe (no strings found apparently)
  3. I have tried searching in x64dbg for the ASCII (4D5A - MZ) and it's apparently only in two places as a file header (the restart service block with its .text, .data, .bss sections) and (the DLL section, which is irrelevant).

Dumping these gives me the error "file isn't a .NET PE", which is frustrating.
Any help would be appreciated.
Discord - elus1nist#0

I don’t see the red arrow. What am I doing wrong? Please help!!!

1 Like

Life saver lol.
So if you sort the memory map by address it does not jump up and down, so you can handle it.
So I dumped all MAP + RW regions and one of them worked.

BTW - don't forget to use the new Oracle restart service and not the original one.

This was very hard.
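Several posts above describe the same triage by hand: dump every MAP region with RW protection, then tell the right one apart by the MZ magic bytes, by a strings run that is not a wall of unrelated text, or by dnSpy/de4dot refusing a file that "isn't a .NET PE". The script below is an added example, not code from this thread or from the HTB module: it parses the DOS and PE headers of each dumped region and reports whether it is not a PE at all, a native PE, or a PE carrying a CLR (.NET) runtime header, which is the only kind worth opening in dnSpy. The region names and bytes in SAMPLE_DUMPS are constructed here (the helper build_pe fabricates minimal headers for the demo); in practice you would read the .bin files x64dbg wrote to disk.

```python
import struct

MZ = b"MZ"
PE_SIG = b"PE\0\0"
CLR_DIR_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR in the data directory table


def classify_region(data: bytes) -> str:
    """Return 'not-pe', 'pe-native' or 'pe-dotnet' for one dumped memory region."""
    if len(data) < 0x40 or data[:2] != MZ:
        return "not-pe"
    # e_lfanew at DOS header offset 0x3C points at the 'PE\0\0' signature.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != PE_SIG:
        return "not-pe"
    coff = e_lfanew + 4
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]  # SizeOfOptionalHeader
    opt = coff + 20
    if size_opt < 2 or opt + size_opt > len(data):
        return "not-pe"
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: data directories start 96 bytes into the optional header
        dirs = opt + 96
    elif magic == 0x20B:      # PE32+: data directories start 112 bytes in
        dirs = opt + 112
    else:
        return "not-pe"
    clr_entry = dirs + CLR_DIR_INDEX * 8
    if clr_entry + 8 > opt + size_opt:
        return "pe-native"    # optional header too short to even hold directory 14
    rva, size = struct.unpack_from("<II", data, clr_entry)
    return "pe-dotnet" if rva and size else "pe-native"


def triage_dumps(dumps: dict) -> dict:
    """Map each dump name to its classification."""
    return {name: classify_region(blob) for name, blob in dumps.items()}


def pick_dotnet(dumps: dict) -> list:
    """Names of the dumps that are .NET PEs, i.e. the ones to load in dnSpy."""
    return sorted(n for n, kind in triage_dumps(dumps).items() if kind == "pe-dotnet")


def build_pe(dotnet: bool, pe32plus: bool = True) -> bytes:
    """Fabricate a minimal PE image for the demo (constructed, not a real binary)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = MZ
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    size_opt = 240 if pe32plus else 224
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, size_opt, 0x22)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    if dotnet:
        dirs = 112 if pe32plus else 96
        struct.pack_into("<II", opt, dirs + CLR_DIR_INDEX * 8, 0x2008, 0x48)  # CLR header RVA/size
    return bytes(dos) + PE_SIG + coff + bytes(opt) + b"\0" * 0x100


# Constructed stand-ins for the 0x3000-byte MAP/RW regions a reader might dump.
SAMPLE_DUMPS = {
    "region_A.bin": b"\0" * 0x200 + b"C:\\Users\\cybervaca\\App\\" + b"\0" * 0x2dd0,  # heap-ish data
    "region_B.bin": build_pe(dotnet=False),          # native image: MZ present, no CLR header
    "region_C.bin": build_pe(dotnet=True),           # .NET assembly: the one to open in dnSpy
    "region_D.bin": MZ + b"\0" * 8,                  # truncated: MZ but nothing usable behind it
}

if __name__ == "__main__":
    for name, kind in triage_dumps(SAMPLE_DUMPS).items():
        print(f"{name}: {kind}")
    print("load in dnSpy:", pick_dotnet(SAMPLE_DUMPS))
```

The check is deliberately header-only: a region whose first bytes are not MZ, or whose e_lfanew does not land on PE\0\0, is skipped before any further parsing, which is the same judgement the "file isn't a .NET PE" error makes on the wrong dump, just made up front across all candidates at once.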

Hello.
Please can someone help? PowerShell is not working on my box. I restarted the box many times with the same result. That makes the restart-service.exe file not show up in the directory.