Sunday, 7 December 2014

IRISSCON CRACKME

Cracking the Irisscon-Crackme

Tools required

1) Any debugger (I will use Immunity Debugger; you can download it here)

2) Irisscon-crackme (you can get it here)

3) Windows machine

After downloading the Irisscon-crackme, double-click on it. It will throw an error asking you to insert the irisscon-2012 CD-ROM. So our objective is to bypass that error.

Start your debugger and open Irisscon-crackme with it. Step into (using F7) until you reach an instruction that calls irisscon.00401020.

Then right-click, choose Search for > All referenced text strings and select "please insert the disk". Double-click on it and you will see the string at 0040136E; you can observe that the function that produces the error starts at 00401358.

Let's find the address from which the function is called so that we can bypass it. Select the 00401358 address, then right-click and choose Find references to selected command. It will show two addresses, one being 00401358 and the other 00401503. Double-click on 00401503 to view that address.

Just above the call instruction you can see a JE instruction. JE takes the jump only if the Z flag is set to 1. So what's basically happening is that when we run the program the flag is 0, the jump is not taken, and the error is shown. So let's set a hardware breakpoint on the JE instruction and run the program. As we have set a breakpoint on the JE instruction, the debugger will pause execution at that point.

In the left-middle window we can see that the jump is not taken because the Z flag is 0. Double-click on the 0 value of the Z flag (top-right window) to change its value to 1. As the value is now 1, the jump will be taken; continue running the program and it will open a window showing the key :)