Cracking 0ya3um1's dotqw .NET CrackMe | Step-by-Step Tutorial
Introduction
In this tutorial, we’ll analyze and crack a .NET crackme created by 0ya3um1. This is a great exercise for learning .NET reverse engineering basics.
CrackMe Details
- Author: 0ya3um1
- Language: .NET
- Platform: Windows
- Architecture: x86-64
- Difficulty: 1.0/5.0
- Quality: 2.8/5.0
- Upload Date: August 16, 2024
Prerequisites
Before we begin, ensure you have the following tools installed:
- .NET Runtime
- PowerShell
- AvaloniaILSpy
Step 1: Initial Analysis
First, let’s examine the file to confirm it’s a .NET assembly:
    $ file "dotqw's first crackme.exe"
    dotqw's first crackme.exe: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
When we run the application, we see a simple GUI window asking for a key.
Step 2: Decompiling with AvaloniaILSpy
Let’s use AvaloniaILSpy to decompile and analyze the code. We’ll start with the main entry point:
    using System;
    using System.Windows.Forms;
    namespace dotqw_s_first_crackme
    {
        // Token: 0x02000003 RID: 3
        internal static class Program
        {
            // Token: 0x06000006 RID: 6 RVA: 0x00002335 File Offset: 0x00000535
            [STAThread]
            private static void Main()
            {
                Application.EnableVisualStyles();
                Application.SetCompatibleTextRenderingDefault(false);
                Application.Run(new Form1());
            }
        }
    }
The main function initializes the Windows Forms application and launches Form1.
Step 3: Analyzing the Form
The form initialization code sets up the UI components:
    private void InitializeComponent()
    {
        this.label1 = new Label();
        this.keyfield = new TextBox();
        this.checkbutton = new Button();
        base.SuspendLayout();
        this.label1.AutoSize = true;
        this.label1.Font = new Font("Microsoft Sans Serif", 14.25f, FontStyle.Regular, GraphicsUnit.Point, 204);
        this.label1.Location = new Point(12, 0);
        this.label1.Name = "label1";
        this.label1.Size = new Size(267, 24);
        this.label1.TabIndex = 0;
        this.label1.Text = "type your key in the field below";
        this.keyfield.Location = new Point(16, 27);
        this.keyfield.Name = "keyfield";
        this.keyfield.Size = new Size(262, 20);
        this.keyfield.TabIndex = 1;
        this.checkbutton.Location = new Point(16, 51);
        this.checkbutton.Name = "checkbutton";
        this.checkbutton.Size = new Size(262, 23);
        this.checkbutton.TabIndex = 2;
        this.checkbutton.Text = "check";
        this.checkbutton.UseVisualStyleBackColor = true;
        this.checkbutton.Click += this.button1_Click;
        base.AutoScaleDimensions = new SizeF(6f, 13f);
        base.AutoScaleMode = AutoScaleMode.Font;
        base.ClientSize = new Size(290, 86);
        base.Controls.Add(this.checkbutton);
        base.Controls.Add(this.keyfield);
        base.Controls.Add(this.label1);
        base.FormBorderStyle = FormBorderStyle.FixedDialog;
        base.Name = "Form1";
        base.ShowIcon = false;
        base.StartPosition = FormStartPosition.CenterScreen;
        this.Text = "dotqw's first crackme ";
        base.Load += this.Form1_Load;
        base.ResumeLayout(false);
        base.PerformLayout();
    }
Step 4: Finding the Key Check Logic
The key verification happens in the button click handler:
    private void button1_Click(object sender, EventArgs e)
    {
        string text = this.keyfield.Text;
        bool flag = text == "XOQIBwcLudyp6NG";
        if (flag)
        {
            MessageBox.Show("nice, you did it");
            Application.Exit();
        }
        else
        {
            MessageBox.Show("nope, thats not it");
        }
    }
Step 5: Solution
The key is stored in plain text in the application: XOQIBwcLudyp6NG
When we enter this key, we get the success message “nice, you did it”.
Conclusion
This crackme demonstrates basic .NET reverse engineering concepts:
- Using AvaloniaILSpy for decompilation
- Analyzing Windows Forms applications
- Finding hardcoded strings
- Understanding basic program flow
While this crackme was intentionally made easy, it serves as a good introduction to .NET reverse engineering. In real-world applications, keys and sensitive data should never be stored in plain text.
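Why a hardcoded literal like this is visible to anyone auditing the build, shown as an added example (not part of the original tutorial or the crackme): C# string literals are stored in the assembly's #US metadata heap as length-prefixed UTF-16LE, and `ldstr` refers to them by the token 0x70000000 | heap offset. The Python below parses a constructed sample heap (not bytes taken from the real file) and flags secret-looking entries; the function names and the heuristic are assumptions made for illustration.

```python
import re

def read_compressed_uint(buf, pos):
    """Decode an ECMA-335 compressed unsigned int; return (value, next_pos)."""
    b0 = buf[pos]
    if b0 & 0x80 == 0:
        return b0, pos + 1
    if b0 & 0xC0 == 0x80:
        return ((b0 & 0x3F) << 8) | buf[pos + 1], pos + 2
    if b0 & 0xE0 == 0xC0:
        rest = int.from_bytes(buf[pos + 1:pos + 4], "big")
        return ((b0 & 0x1F) << 24) | rest, pos + 4
    raise ValueError("invalid compressed length")

def user_strings(heap):
    """Return [(ldstr_token, text)] for every non-empty entry of a raw #US heap."""
    found, pos = [], 0
    while pos < len(heap):
        start = pos
        try:
            size, pos = read_compressed_uint(heap, pos)
        except (IndexError, ValueError):
            break  # truncated or corrupt heap: stop instead of guessing
        if pos + size > len(heap):
            break
        if size:  # size counts the UTF-16LE bytes plus one trailing flag byte
            text = heap[pos:pos + size - 1].decode("utf-16-le", errors="replace")
            found.append((0x70000000 | start, text))
        pos += size
    return found

def secret_candidates(heap):
    """Audit heuristic (assumption): 12+ chars, no whitespace, mixed case and a digit."""
    pattern = re.compile(r"(?=.*[a-z])(?=.*[A-Z])(?=.*\d)\S{12,}")
    return [(tok, s) for tok, s in user_strings(heap) if pattern.fullmatch(s)]

def us_entry(text):
    """Build one #US entry for the constructed sample (short strings only)."""
    raw = text.encode("utf-16-le") + b"\x00"
    return bytes([len(raw)]) + raw

# Constructed sample heap holding the three literals from button1_Click.
SAMPLE_HEAP = (b"\x00" + us_entry("nice, you did it") + us_entry("XOQIBwcLudyp6NG")
               + us_entry("nope, thats not it") + b"\x00\x00")

if __name__ == "__main__":
    for token, text in secret_candidates(SAMPLE_HEAP):
        print(f"ldstr token 0x{token:08X}: {text!r}")
```

On a real assembly the heap bytes would come from the #US stream located through the CLI metadata root, which this example does not parse.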