CrackMe Challenge [Part 2] - Hardcoded Password (C#)

(The C# Dude) #1

Hey Mates,
in this post I’m going to tell you about RE C# programs(This is my favourite language for reversing :D). I prepared a very simple password program in C# which we’ll use to cover the fundamental concepts of C# reversing. This program is not obfuscated, so that it is again an easy to crack program for beginners, but in the next parts I’ll probably always give an obfuscated and a normal program, so you can chose what you want to use :slight_smile:.
What is obfuscation do you ask? For now I only say that they make it a bit harder (But not that hard) for use to reverse the programs, but I’ll explain it more detailed in the next part.

Description of the todays RE Challenge

This challenge is a bit harder than the little python challenge we had before, but as soon as you installed the required tools it will be easier to crack the password “mechanism” (I think this time it can’t really be called a mechanism…) than in the python challenge.
The program can be just started without arguments.Then It will ask you for a password and says if it’s right or not. Very simple code, very simple cracking ;).

You can get the compiled program here:!XlYSQAJA!hI2bdYtPXxE3GdxDOQTwO39lrnukCkLMg6fA49RcQkk
If you are scared of any malware embedded, don’t run the program and read my explanation of reversing C# applications. This time you can look on yourself if it’s infected or not ;P. I don’t upload the source, because the process of reversing would be useless then…

How to RE C# Applications

Today I won’t give my way of accomplishing the task, but a full tutorial on how to use decompilers for RE C# apps. If you know how to use them properly this won’t be new for you and you can just wait for the next parts, because this one won’t be of any interest for you :slight_smile:.

C# doesn’t compile into machine code, but in MSIL (MicroSoft Intermediate Language), so we can’t disassemble it properly. Maybe some of you think that’s bad, but here comes the great thing of MIL: We can just decompile the application to get normal sourcecode (If it’s not obfuscated ;))! I am not that experinced at RE that I can provide you a good explanation how this works, so I recommend you to just google it if you’re interested in the technique. For now it is only important that it works (And it’s scary how similar the decompiled source is…).

How do we use decompilers?

In this series I’ll only cover JetBrains dotPeek, which is the one I like the most. First download and install it from here: The install manager maybe confuses someone, but see it as the first challenge of decompiling C# applications to install the required tools. I won’t cover it here, because RE is already an advanced topic which I try to make as simple as possible here, but it should be possible for you to install it on your own :stuck_out_tongue_winking_eye:.
After you have installed it just start it and have a look at the interface. Although I think it’s easy to understand, I’ll cover here some fundamentals.

To select the file you want to reverse just use File->Open. Now you should see a new item on the left list which can be explored via the file manager.

Find the source with opening the manager like I did on the left side of dotPeek. After a double-click on the Main function you should see the source code of the program. Note: I am always scared of how precise this works. Not only the mechanisms are reconstructed, but also the names of the variables and functions… In this case the decompiled source matches exactly the real source code! This will change when obfuscators come into play, but I’ll cover that next time ;).
Also for people who don’t know C# it should be no problem to find the password now ;P.


Reversing C# seems to be an easy challenge for us. Now we know how to use decompilers to get a real source, which is a great advantage over looking at the ASM code! In the next part I’ll show you how to RE, although the program is obfuscated. After that last part of introduction we’ll come to the real challenges where you can show how good you are at RE.


(pico) #2

Nice post!

Just to let you know. The program works great on GNU/Linux using mono. For a case like this, were the password has not been obfuscated at all, you can just try:

string -e l file.exe

(The C# Dude) #3

Thank you!

I wanted to cover this and other more extensive cracking ways when we come to C++ (Ok, it sounds a bit weird to say more extensive when speaking about 1 command, but I hope you know what I mean ;)).

(Jakub) #4

On linux I used MonoDevelop for decompile. In monodevelop it’s named ‘Assembly Browser’ and works very similar to dotPeak (at least the same part like in post)

(The C# Dude) #5

I hope this will work after obfuscation. Would be very nice if this works on Linux too…
And thank you for the response, mabe it helps others :slight_smile:.

(Command-Line Ninja) #6

I missed this when it first came out! Awesome guide. I didn’t know decompiling C# was that simple :stuck_out_tongue:


Great job! Just like @pry0cc seems I got to the party late!


I think that you refered to the command strings right ? ^^

(pico) #9

;)… You are right. Good catch

(User X) #10

For Linux users that would like to solve this challenge, MonoDevelop has an AsmBrowser tool that decompiles C# applications… =-D

Nice writeup dude! =-D

CrackMe Challenge [Part 5] - License Key (C#)
(m0rph) #11

Sorry for necroposting, just thought I would add how I did it.

First, I entered the letter “a” to see how the program would react. Then, I found an address that made an API call to ZwReadFile, and set a breakpoint on it. Entered another “a” to see how many times it took for the function to cycle in memory for its comparison(for me it took 9 executes until RETN). Entered another “a” and executed until RETN 8 times, and stepped through each instruction. Saw a CMP opcode that looked promising, and found the password in the ECX register.