i assume you have installed the 32-bit version of windbg ( http://msdn.microsoft.com/en-us/windows/...e/gg463009 , http://www.microsoft.com/download/en/det...en&id=8279 ) and set up symbols etc ( http://msdn.microsoft.com/en-us/windows/...e/gg462988 ). the 32-bit debugger is the one you want here because the crackme runs as a 32-bit process (note the 32-bit addresses later on), and the sos extension must match the bitness of the process you are debugging.

first few basic windbg commands:
  • g - go (run until the next breakpoint or exception)
  • p - step over one instruction
  • a <address> - assemble mode, type new asm instructions that overwrite the code at address (an empty line exits)
  • r @eax/@ebx... - dump register content
  • r @eax/@ebx... = value - set register content
  • bp <address or symbol> - set a breakpoint, bl - list breakpoints


ok, lets start cracking. i'm using polarx crackme ( https://hackforums.net/showthread.php?tid=2176139 ) as an example. credits to him.

start up windbg and go to file -> open executable... and open crackme exe from there.
something like this should pop up:


thats the initial breakpoint the debugger takes right after the process is created. the windows loader has run, but none of the crackme's own code has executed yet. now you must type either


code:
sxe ld:mscorwks
code:

or


code:
sxe ld:clr
code:

depending on the .net version. clr is for .net 4, mscorwks for older runtimes (.net 2.0/3.5). if you aren't sure you can type both. sxe ld:<module> tells windbg to break when that module (clr.dll or mscorwks.dll) gets loaded. we need that break because sos can only be loaded once the runtime dll is actually in the process. after you have typed either one or both, type g to continue running.

this pops up

it means that clr.dll (or mscorwks.dll) is being loaded. now you can type


code:
.loadby sos clr/mscorwks (depending on which module got loaded, clr or mscorwks)
code:

this loads the sos extension from the same directory as clr/mscorwks, so the sos version always matches the runtime that actually got loaded. now windbg is set up for debugging .net applications.

now the cracking phase. you can see the crackme shows a message box when you enter an incorrect password, so we are going to breakpoint the messagebox api call (MessageBox.Show in .net ends up in user32!MessageBoxW). type


code:
bp messageboxw
code:

to set the breakpoint. if you get errors about symbols, they aren't fatal and in most cases you can continue (if user32 hasn't been loaded yet, a deferred breakpoint with bu instead of bp gets resolved when it loads). you can confirm that the breakpoint was set by typing


code:
bl
code:

to list all breakpoints.
here you can see breakpoint added


now that messageboxw is breakpointed, type g to run the program. the window pops up, enter something random as the password and click the button. you won't see the incorrect password window yet. instead, in the windbg window you will see something like


that means the message box was just about to be called by the crackme code.
type


code:
!clrstack
code:

to see the .net (managed) call stack

its long output but you can see only one line with an obfuscated-looking name with weird characters. thats the crackme function. since the message box is called from inside it, this method has already been jit compiled by now, which is what the later steps need.


code:
0040e8dc 00244b86 ..(system.object, system.eventargs)
code:

00244b86 is the instruction address (the eip column of !clrstack) inside that function.
type


code:
!ip2md <instruction addr> ( in my case 00244b86 but it changes on each run )
code:

and you will get something similar to

here the methoddesc is the thing we are interested in.
if you type


code:
!dumpil <methoddesc> ( in my case 001d802c but again its not same always)
code:

you get the function code as msil:


it may look confusing but after a bit of visual analysis you can see
that on

it jumps to il_25 after calling comparestring. this must be the password comparison. on il_25 you can see something usually used for a check, brfalse/brtrue

this must be the check location.

to modify it, type


code:
!u <methoddesc> ( same as used on !dumpil )
code:

what you see is the jit compiled native code of the crackme method (!u only shows this once the method has been jitted, which is why we let the crackme run up to the message box first). this can be modified to bypass things.
after a bit of scrolling through the code you can see that the only conditional jump (a jump that depends on the result of the comparison) is at

pretty much the beginning. there is a jne (jump if not equal).
in order to crack this crackme, we have to swap the opcode to je (jump if equal), which inverts the outcome of the password check.

you see on line


code:
00244b3e 751b            jne     00244b5b
code:

the leading 00244b3e is the address of that instruction, and 751b are its bytes: 75 is the short jne opcode and 1b is the displacement that takes it to 00244b5b.
so you have to type:


code:
a <instruction addr> ( 00244b3e for me )
code:

and then you can input the new instruction, which replaces the original at address 00244b3e (00244b5b is the jump target, not the place you are patching).
type


code:
je 0x<jump location>
code:

the jump location is taken from the original instruction, but add the 0x hexadecimal prefix so the assembler reads it as a hex address.
after you have typed that, press enter on an empty line to exit assembly mode.
type g to run the application, enter something into the password box and click the button. you will probably hit the messagebox breakpoint again (the success message goes through messageboxw too); if you do, just type g to continue.
the message box will show you that the password was valid :p
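to show what the je/jne swap actually does at the byte level, here is an added example in python (my own code, not part of the crackme or of the original post). it decodes a conditional jump, computes its target the way the cpu does, flips the condition and prints the windbg eb command that would apply the same one-byte patch. the address and bytes are the hypothetical ones from the listing above (00244b3e 75 1b); on your run they will differ because the jit places the code somewhere else each time. it also handles the 6-byte near form (0f 8x rel32), which the post doesn't show but which the jit emits for longer jumps.

```python
"""
Added example (not from the original post): invert an x86 conditional
jump at the byte level, which is what typing `je ...` under WinDbg's `a`
command does for you. Shows why jne (75 rel8) becomes je (74 rel8) and
how the jump target is encoded relative to the end of the instruction.

Assumed input (hypothetical, from the post's listing): the instruction
at 00244b3e with bytes 75 1b. Real addresses change on every run.
"""
import struct

# Mnemonics for the 16 Jcc condition codes: low nibble of the short
# opcode 7X, or of the second byte 8X in the near form 0F 8X.
JCC_NAMES = ["jo", "jno", "jb", "jae", "je", "jne", "jbe", "ja",
             "js", "jns", "jp", "jnp", "jl", "jge", "jle", "jg"]


def decode_jcc(addr, code):
    """Decode the conditional jump at `addr` whose bytes start `code`.

    Returns (mnemonic, target, length). Raises ValueError if the bytes are
    not a Jcc, so a wrong address is never patched silently.
    """
    op = code[0]
    if 0x70 <= op <= 0x7F:                          # short form: 7X rel8
        rel = struct.unpack_from("<b", code, 1)[0]
        length, cc = 2, op & 0x0F
    elif op == 0x0F and 0x80 <= code[1] <= 0x8F:    # near form: 0F 8X rel32
        rel = struct.unpack_from("<i", code, 2)[0]
        length, cc = 6, code[1] & 0x0F
    else:
        raise ValueError("not a conditional jump: %s" % code[:2].hex())
    # The displacement is relative to the address of the *next* instruction.
    target = (addr + length + rel) & 0xFFFFFFFF
    return JCC_NAMES[cc], target, length


def invert_jcc(code):
    """Return the same jump with its condition inverted.

    Complementary conditions differ only in bit 0 of the condition code
    (je/jne, jb/jae, jl/jge, ...), so flipping that bit inverts the test
    while leaving the displacement, and therefore the target, untouched.
    """
    op = code[0]
    if 0x70 <= op <= 0x7F:
        return bytes([op ^ 1]) + code[1:2]
    if op == 0x0F and 0x80 <= code[1] <= 0x8F:
        return b"\x0f" + bytes([code[1] ^ 1]) + code[2:6]
    raise ValueError("not a conditional jump: %s" % code[:2].hex())


def windbg_patch_command(addr, code):
    """Build the WinDbg `eb` (enter bytes) command for the inverted jump.

    `eb addr b0 b1 ...` writes those bytes at addr. It is equivalent to the
    `a addr` / `je 0x...` sequence in the post, but it is scriptable and
    writes exactly the bytes you asked for, so the instruction length and
    the code after it cannot change.
    """
    patched = invert_jcc(code)
    return "eb %08x %s" % (addr, " ".join("%02x" % b for b in patched))


if __name__ == "__main__":
    # Constructed input: the instruction from the post's !u listing.
    addr, code = 0x00244B3E, bytes.fromhex("751b")
    mnem, target, _ = decode_jcc(addr, code)
    print("%08x %s %-4s %08x" % (addr, code.hex(), mnem, target))
    new = invert_jcc(code)
    print("%08x %s %-4s %08x" % (addr, new.hex(), decode_jcc(addr, new)[0], target))
    print(windbg_patch_command(addr, code))
```

one check worth doing either way: before patching, u 00244b3e L1 should show the jne, and afterwards the same command should show je 00244b5b as a 2-byte instruction with the instruction after it unchanged. if you'd rather not go through the assembler at all, the printed eb 00244b3e 74 1b (or just eb 00244b3e 74) writes the patch directly.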


the main advantage of using windbg imo is that you don't have to deobfuscate the application and it's usually pretty easy to find the check location. the bad thing is that everything happens at runtime; afaik you can't modify the il code and dump that to a file, and if you did, you would still have to deal with anti-tamper.