Hi,

I decided to make a small tutorial about WinDbg. It is not really useful in itself, because we will be finding the password of an unprotected crackme, but it should improve your WinDbg skills or show you something new!

Note: our target is an unprotected crackme, but the method also works on protected targets. As long as the strings are not protected in memory, it should work 🙂 (for example, it works on DnGuard, ConfuserEx, …)

Let’s start! Target: http://ge.tt/2Nyggro2

The aim is to break at the moment the input string is compared with the correct one. It also works if the correct string is generated by a method!

So open WinDbg, type sxe ld:clrjit (break when clrjit.dll is loaded, so the CLR is up before we load SOS), then press g.

Then load the SOS extension: .loadby SOS clr

Now it becomes a bit harder. Most of the time, crackmes are written like this:

if(textBox1.Text == "password") or like this: if(textBox1.Text.Equals("password"))

These are two different cases. The first uses the op_Equality function (mscorlib) and the second uses the Equals function (mscorlib). Our target uses the Equals method, so we will put a breakpoint on that one, but if you don’t know which method is used, try both 🙂

So type: !name2ee mscorlib.dll System.String.Equals

You should have something like this :

[Screenshot 1: output of !name2ee]

This is because there are 5 Equals overloads in mscorlib, and !name2ee lists all of them.

The interesting one is the second, because it compares a string with another string. So copy its JITTED Code Address!

Put a breakpoint by typing bp followed by the jitted code address (here 6ea10140; it will differ on your machine).

Now we have to run the exe. To do that, type g. Enter a random password and the breakpoint should hit!

[Screenshot 2: the breakpoint on String.Equals hitting]

Now we’ll inspect the managed stack to find the Equals call. Type !clrstack -p

and go to the top of the stack. You should find the Equals method with its 2 parameters. The interesting one is "value":

[Screenshot 3: !clrstack -p output showing the Equals frame and its parameters]

To see its value, type !do followed by the object address of "value" (here 0x04fa9df0).

And that’s all, you can see the correct password:

[Screenshot 4: !do output showing the String object and its contents]
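The whole session above as one commented WinDbg command sequence (an added example, not part of the original post). The two addresses are the ones from the post and must be replaced with the values printed on your own machine; the !bpmd line is an assumption about an alternative SOS command, not something the post used:

```windbg
$$ Break when clrjit.dll is loaded, so the CLR is initialised before SOS is loaded
sxe ld:clrjit
g

$$ Load SOS from the directory of the loaded runtime (clr.dll)
.loadby sos clr

$$ List the System.String.Equals overloads; copy the JITTED Code Address of the
$$ Equals(System.String) instance overload (the second one in the post's output)
!name2ee mscorlib.dll System.String.Equals

$$ Breakpoint on that address (6ea10140 in the post; differs per machine/run).
$$ The attached command dumps the managed stack with parameter values on every hit.
bp 6ea10140 "!clrstack -p"

$$ Alternative (assumption): let SOS place the breakpoint itself, which also covers
$$ the case where the method has not been JIT-compiled yet
$$ !bpmd mscorlib.dll System.String.Equals

$$ Run the target, type any password, and wait for the breakpoint
g

$$ Print the String object behind the "value" parameter shown by !clrstack -p
$$ (0x04fa9df0 in the post; take the address from your own output)
!do 0x04fa9df0
```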

As said before, this is not the most useful tutorial, but I really wanted to share it with you, especially for beginners 😀

So I hope you enjoyed this tutorial!

If you have any questions, you can contact me on Skype (MindSystemm) or by mail: mindlockreverser@gmail.com
