Hi,
I decided to make a small tutorial about WinDbg. It is not really useful in itself, because we'll be finding the password of an unprotected crackme; it is meant to improve your WinDbg skills or just to show you something new!
Note: our target is an unprotected crackme, but the technique also works on protected targets. As long as the strings are not protected in memory, it should work 🙂 (for example, it works on DnGuard, ConfuserEx, …).
Let's start! Target: http://ge.tt/2Nyggro2
The aim is to set a breakpoint at the point where the input string is compared to the correct one. This also works if the correct string is generated by a method rather than stored as a literal!
So open WinDbg, type sxe ld:clrjit (break when the CLR JIT module is loaded) and then press g to continue.
Then load the SOS extension: .loadby SOS clr
Now it becomes a bit harder. Most of the time, crackmes are written like this:
if(textBox1.Text == "password")
or like this:
if(textBox1.Text.Equals("password"))
These are two different cases. The first uses the op_Equality function (mscorlib) and the second uses the Equals function (mscorlib). On our target it's the Equals method that is used, so we'll put a breakpoint on that one, but if you don't know which method is used, try both 🙂
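To make the two cases concrete, here is an added example (not code from the original post or from the crackme) of what a check compiled to op_Equality and a check compiled to the instance Equals look like in C#, next to the variant hinted at by the note above: when the program only stores a digest of the expected password and compares digests, the plaintext never sits in a managed string, so inspecting the parameters of String.Equals or op_Equality shows the user's input and a hash rather than the password. The literal "password", the expected digest (the SHA-256 of the constructed secret "abc") and the class names are constructed for this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// The two patterns described in the tutorial. Both end up calling a
// System.String comparison with the secret literal as one argument,
// which is why a breakpoint on String.Equals / op_Equality reveals it.
static class PlainCheck
{
    // Constructed sample secret; this literal lives in the string heap.
    const string Secret = "password";

    // Compiles to a call to System.String.op_Equality(string, string).
    public static bool CheckWithOperator(string input) => input == Secret;

    // Compiles to a call to the instance method System.String.Equals(string).
    public static bool CheckWithEquals(string input) => input.Equals(Secret);
}

// Variant where the plaintext secret is never held in a managed string:
// only a SHA-256 digest is stored, and the comparison is done on byte
// arrays in constant time. A breakpoint on String.Equals never sees the
// expected value, only the user's input, and !do on the arguments shows
// a byte[] rather than the password.
static class HashedCheck
{
    // Constructed sample: hex of SHA-256("abc"). The plaintext "abc"
    // does not appear anywhere in the program.
    static readonly byte[] ExpectedDigest = Convert.FromHexString(
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad");

    public static bool Check(string input)
    {
        byte[] actual = SHA256.HashData(Encoding.UTF8.GetBytes(input));
        // FixedTimeEquals avoids an early exit on the first mismatching byte.
        return CryptographicOperations.FixedTimeEquals(actual, ExpectedDigest);
    }
}

static class Program
{
    static void Main()
    {
        Console.WriteLine(PlainCheck.CheckWithOperator("password"));
        Console.WriteLine(PlainCheck.CheckWithEquals("wrong"));
        Console.WriteLine(HashedCheck.Check("abc"));
        Console.WriteLine(HashedCheck.Check("abd"));
    }
}
```

Build it as a .NET 5 or later console project (Convert.FromHexString and SHA256.HashData are .NET 5 APIs). Running the first two checks under WinDbg with the breakpoints from this tutorial will show the secret as the "value" parameter; the hashed check does not go through String.Equals at all, so a real-world check would also add a salt and a slow hash, but the point here is only which data ends up in memory at the comparison.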
So type: !name2ee mscorlib.dll System.String.Equals
You should get something like this:
That's because there are five Equals methods in mscorlib:
The interesting one is the second, because it compares a string with another string. So copy its Jitted Code Address!
Set a breakpoint by typing bp followed by the jitted code address (here 6ea10140).
Now we have to run the exe. To do that, type g. Enter a random password and the breakpoint should hit!
Now we'll inspect the stack to find the Equals method. Type !clrstack -p
and go to the top of the stack. You should find the Equals method with its two parameters. The interesting one is "value":
To see its contents, type !do followed by the object address shown for that parameter (here 0x04fa9df0).
And that's all, you can see the correct password:
As I said before, this is not the most useful tutorial, but I really wanted to share it with you, especially for beginners 😀
So I hope you enjoyed this tutorial!
If you have any questions, you can contact me on Skype (MindSystemm) or by mail: mindlockreverser@gmail.com
Thanks, that's what I need.
Happy to have helped you!
Comment after two years:
Dude, unfortunately I cannot download the file. Can you upload it somewhere else please =) Thank you
Hi, unfortunately I don't have it anymore, but just protect a crackme with an obfuscator like ConfuserEx or DnGuard and you can use this tutorial to find the password.