As part of a reverse-engineering challenge on Hackthebox.eu I've tried to decompile a .NET executable file. The entire program decompiled successfully but it has two errors. I will post the whole method below.

private unsafe void kapa(object sender, EventArgs e)
{
  int num1 = 0;
  this.z = "";
  this.o = "";
  this.m = "";
  int num2;
  IntPtr num3 = (IntPtr) &num2;
  int num4;
  int* numPtr1 = &num4;
  int num5;
  int* numPtr2 = &num5;
  int num6;
  int* numPtr3 = &num6;
  int num7;
  int* numPtr4 = &num7;
  int num8;
  int* numPtr5 = &num8;
  int num9;
  int* numPtr6 = &num9;
  int* numPtr7 = &num1;
  int num10 = 79;
  *(int*) num3 = num10;
  *numPtr1 = 128;
  *numPtr2 = 128;
  *numPtr3 = 105;
  *numPtr4 = 112;
  *numPtr5 = 112;
  *numPtr6 = 129;
  *numPtr7 = 130;
  this.pp = num2;
  this.linear(this.pp);
}

There is an error on this line:

"'IntPtr' is a type, which is not valid in the given context"

IntPtr num3 = (IntPtr) &num2;

and then an error for an undefined variable num2.

Is this an error in DotPeek?

  • "there is an error" -> what error? What's the error message? The code looks fine on first view, `num2` is declared one line before. – Karsten Koop Apr 13 '18 at 07:59
  • 'IntPtr' is a type, which is not valid in the given context – Tamatea-geordie Schofield Apr 13 '18 at 08:05
  • That is because that expression is (attempted) compiled as `(IntPtr) & num2`, so it tries to use it as the bitwise or logical `&` operator, not "take the address of num2". Be aware that if the code was made using IL it may not decompile to C# at all. There are things representable by IL that aren't possible in C#. – Lasse V. Karlsen Apr 13 '18 at 08:07
  • Why not raise it with [JetBrains](https://dotnettools-support.jetbrains.com/hc/en-us/?dotpeek) – phuzi Apr 13 '18 at 08:07
  • The code is also 32-bit only, which DotPeek may not pick up on, again probably because this looks like something that wasn't built using C#. – Lasse V. Karlsen Apr 13 '18 at 08:08
  • There is probably something lost in translation here. This code follows this pattern: Declare local variable, declare another variable pointing to the first one, assign a value to the first variable *through* this second pointer. However, the local variables aren't used beyond this, so the code, as written, if it compiled, does nothing, well, other than the things being assigned to fields through `this.`. So my bet is that DotPeek lost a lot while decompiling. – Lasse V. Karlsen Apr 13 '18 at 08:12
  • Compiler error can be "fixed" by doing `IntPtr num3 = (IntPtr) (&num2);`. Of course this won't make this code make more sense, but it will compile. Maybe this code should not even make sense, not sure what exactly that decompile challenge goal is. – Evk Apr 13 '18 at 08:14
  • @LasseVågsætherKarlsen variable `num2` is used in the call to `this.linear`. And since it's a decompile challenge, the code is probably just specially obfuscated, so not everything should make sense there. – Evk Apr 13 '18 at 08:25
  • Yes, num2 is used, but not num3, num4, etc. – Lasse V. Karlsen Apr 13 '18 at 09:39

1 Answer

I just did this challenge today. There's nothing wrong with dotPeek, but there are some subtle changes you need to make to the code.

  1. num2 being used without being assigned: Just assign it to 0 right above the (IntPtr) line
  2. IntPtr is a type not valid in the given context: You just need to modify the code to be (IntPtr)(&num2). This is so the compiler knows you're casting the address of num2 to an IntPtr.

In C++ (unmanaged code), pointers are basically variables that point to a memory address. In this particular code it's saying num3 is a pointer to the address of the variable num2. Hope that helps clear things up.

Daniel Caban
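
The two changes from the answer, applied to a one-local reduction of the method. This is an added example, not the challenge's or the answerer's code, and `CastFixDemo`, `WriteThroughPointer` and `BinaryAnd` are hypothetical names. It also shows why the compiler picks the binary `&` reading described in the comments: the same token shape is a legitimate bitwise AND when the parenthesized name is a variable.

```csharp
// Build with unsafe code enabled:
//   csc /unsafe CastFixDemo.cs
//   or <AllowUnsafeBlocks>true</AllowUnsafeBlocks> in the project file.
using System;

static class CastFixDemo
{
    // Reduced form of the decompiled pattern: one local, one pointer to it,
    // one store through that pointer.
    static unsafe int WriteThroughPointer()
    {
        int num2 = 0;                   // change 1: give num2 an initial value

        // dotPeek emitted:  IntPtr num3 = (IntPtr) &num2;
        // "(Name) & x" is parsed as a binary '&' expression, so the compiler
        // sees the type name IntPtr used as the left operand and rejects it.
        IntPtr num3 = (IntPtr)(&num2);  // change 2: take the address, then cast

        int num10 = 79;
        *(int*)num3 = num10;            // writes 79 into num2 through the pointer
        return num2;
    }

    // Same token shape as the rejected line, but 'mask' is a variable, so the
    // binary reading is valid here: this is a bitwise AND, not a cast.
    static int BinaryAnd(int mask, int value)
    {
        return (mask) & value;
    }

    static void Main()
    {
        Console.WriteLine(WriteThroughPointer());    // value stored via num3
        Console.WriteLine(BinaryAnd(0x0F, 0x7F));    // 0x0F & 0x7F
    }
}
```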