Finding Password of a Crackme using Windbg

Hi,

I decided to make a Small tutorial about Windbg. This is not really useful because we’ll try to find the password of a Unprotected crackme. This tutorial is made to improve your skills in Windbg or just to discover something new !

Note : Our target is an unprotected Crackme but it can works on protected target. As soon as strings are not protected in Memory, it may works 🙂 (for example, it works on DnGuard, confuserex, … )

Let’s start ! Target : http://ge.tt/2Nyggro2

The aim is to put a breakpoint when the input strings will be compared to the good string. It also works if it’s a method which generate a string !

So let’s open Windbg and put : sxe ld:clrjit and then press g.

Then load SOS extension : .loadby SOS clr

Now it becomes a bit harder. Most of the time, crackme are make like this :

if(textBox1.Text == « password ») or like this : if(textBox1.Text.Equals(« password »)

This is 2 different cases. The first use op_Equality function (mscorlib) and the second is using Equals function (mscorlib). On our target, it’s the method Equals which is used. So we’ll put a crackme on this one but if you don’t know which method is used, try both 🙂

So put : !name2ee mscorlib.dll System.String.Equals

You should have something like this :

It’s because there are 5 equals methods on mscorlib :

The interesing one is the second because it compares a string with another string. So copy Jitted Code Address !

Put a breakpoint by typing bp + jitted code address (here 6ea10140)

Now we have to run exe. To do that, type g . Put a random password and the breakpoint should hit !

Now, we’ll inspect the stack to find the equals method. Type !clrstack -p

And go to the top of the stack. You should find the equals methods with its 2 parameters. The interesting one is « value » :

To see its value, type !do + token (here 0x04fa9df0)

And that’s all, you see the correct password :

As it’s said before, this is not the most useful tutorial but I really wanted to share it with you, specially for beginners 😀

So I hope you enjoyed this tutorial !

If you have any question, you can contact me on Skype (MindSystemm) or by mail : mindlockreverser@gmail.com

4 commentaires sur « Finding Password of a Crackme using Windbg »

Ajouter un commentaire

GhostFish dit :

21 mars 2018 à 5 h 59 min

Thanks ,that’s what I need.

J’aimeJ’aime

Réponse
1. mindlocksite dit :
  
  29 mars 2018 à 21 h 07 min
  
  Happy to have helped you !
  
  J’aimeJ’aime
  
  Réponse
Darth Blue dit :

8 juin 2020 à 11 h 52 min

Comment after two years:
Dude, unfortunately i cannot download the file. can you upload somewhere else please =) Thank you

J’aimeJ’aime

Réponse
1. mindlocksite dit :
  
  8 juin 2020 à 11 h 58 min
  
  Hi, unfortunately I don’t have it anymore but just protect a crackme with an obfuscator like confuserex or dnguard and you can use this tutorial to find the password
  
  J’aimeJ’aime
  
  Réponse

MindLock Blog

Because it's always better when it's manual

Finding Password of a Crackme using Windbg

4 commentaires sur « Finding Password of a Crackme using Windbg »

Laisser un commentaire Annuler la réponse.

Partager :

Articles similaires

4 commentaires sur « Finding Password of a Crackme using Windbg »

Laisser un commentaire Annuler la réponse.