Still a glitch, is it the target?

July 2nd, 2007, 23:19
Must admit, after reading so many JMI-STYLE replies, as christened by LLXX, I was not sure whether I am allowed to post this question, so I once more reread the FAQ, well most of it, and still was in a dilemma whether to ask or not.

Well fingers crossed and ready for worst and hoping for best, here we go.

Ummmm, finally I made this keygen for a lvl 4 keygen me from crackmes.de and I am sure if you read my solution you will find that I did quite a research on finding how the target was generating the serial. The target, when executed, gives you a special character, saying "you will need @ to solve" where @ is that special character.
This character changes randomly; the problem is that my keygen is not working for just one special character, for the rest I hope it works fine.
Well, here is the link to download my solution along with the target.


July 2nd, 2007, 23:50

Don't let JMI or others put the phear in you, they're actually harmless. No one is trying to scare anyone away who demonstrates they have put a modicum of effort into their problem, no matter how "newbie" the question is.

You've posted a solution to a keygen, a tutorial, source and the target. This is exactly the kind of contribution we want and that others can learn from. You've given your knowledge back to the community, there is no greater gift.

When you get an answer to your question and a fully working solution, feel free to attach the updated files to this thread so others can benefit.


July 3rd, 2007, 08:56
For some stupid reasons I can't download from rapidshare (99% of the time).
Probably you are allowed to upload here coz it's just a crackme solution

Just ignore JMI he is a time trial nag LOL

July 3rd, 2007, 10:03
He he, cheers both of you and maybe these will do:

July 3rd, 2007, 17:14
And I should point out that "JMI's time trial" has lasted longer than most of the other "youngins" who frequent these Forums.

I believe I am the "oldest" member here. But the Deity could always "revoke" my membership on planet earth whenever he/she/it feels the need to do so.

And _InSaNe_ I would not have felt either the urge or the need to give a "JMI_Style" response to your first post. As Kayaker stated, you did all the right things and shared your efforts with our readers.


July 4th, 2007, 08:57
Thanks for the link

July 6th, 2007, 16:47
I've only had a quick look but it seems like the problem is with the 'magic' table.
It contains a non-ASCII character (0xB7), which you've copied (from Olly I presume) as being 0x2E, in your keygen.
I wouldn't worry too much about it though, 'buggy' crackmes (no offense intended) are not a rarity
and you've certainly demonstrated that you understand what the crackme does.

July 7th, 2007, 06:01
Sounds like I should move on to a harder crackme along with Iczelion's 17th tut

July 8th, 2007, 02:24
To answer the original question: There is really a bug in noukey's keygenme.
This is a copy of messages I posted in the crackmes.de discussion board.

Here are a few serials that the keygenme wanted as serial:

for the name: ABxDEFGH
with random char: %
needs the serial: rH%(null)B%E%(null)%

with random char: +
needs the serial: &H+%B(null)E+++

with random char: ]
needs the serial: aG](0x01)B]D(0x00)]]

Here it is in detail:

.bss:00462624 RandomChar db 3Dh

.text:0045B4C7 mov edx, ds:RealSerial

.bss:0046262C RealSerial dd 0A7C7D8h

debug028:00A7C7D8 db 22h ; "
debug028:00A7C7D9 db 48h ; H
debug028:00A7C7DA db 3Dh ; =
debug028:00A7C7DB db 0
debug028:00A7C7DC db 42h ; B
debug028:00A7C7DD db 3Dh ; =
debug028:00A7C7DE db 1
debug028:00A7C7DF db 3Dh ; =
debug028:00A7C7E0 db 3Dh ; =
debug028:00A7C7E1 db 3Dh ; =

For random character = and name ABxDEFGH this is the serial I have to enter.

A few minutes later I found where the problem was coming from:

.text:0045B6AF mov eax, 31
.text:0045B6B4 call @System@Random$qqrxi
.text:0045B6B9 add eax, 5
.text:0045B6BC mov dword ptr ds:Random31, eax

Random value up to 30 + 5 => Max Value 35

.text:0045B46F mov ecx, dword ptr ds:Random31
.text:0045B475 movzx edx, byte ptr [edx+ecx+2]
.text:0045B47A mov [eax+3], dl

Character is read from the string but [edx+ecx+2] has a maximum value of 37. What is the 37th char of the string? 00

.text:0045B497 mov edx, ds:NoukeysString
.text:0045B49D mov ecx, dword ptr ds:Random31
.text:0045B4A3 movzx edx, byte ptr [edx+ecx+3]

Same thing again, 35 + 3 => Max Value of 38. What is the 38th char in the string? 01

The program is trying to reach outside the string.
Even without the bugs, this crackme should have been ranked 1 or 2.
I hope this sets your mind at ease.
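
The out-of-range read diagnosed in the post above, as an added example that is not part of the original thread or the crackme's code: it works out which random values push the index past the string and shows a bounds-checked read. Random(31) + 5 and the displacements 2 and 3 come from the listing; the 37-character table length is an assumption inferred from the post's report that offset 37 holds 00, and the table contents and function names are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumption: the table holds 37 characters, so offset 37 is its terminating
 * 00 byte (the value the post reports there) and offset 38 is foreign memory. */
#define TABLE_LEN 37
/* From the listing: Random(31) yields 0..30, then 5 is added. */
#define RANDOM_RANGE 31
#define RANDOM_BIAS 5

/* Constructed sample table contents; the real table is not reproduced here. */
void fill_sample_table(unsigned char *table, size_t len)
{
    for (size_t i = 0; i < len; i++)
        table[i] = (unsigned char)('A' + i % 26);
}

/* Largest offset that base + Random31 + disp can reach. */
int max_offset(int disp)
{
    return (RANDOM_RANGE - 1) + RANDOM_BIAS + disp;
}

/* Number of possible Random31 values whose offset falls outside the string. */
int count_out_of_range(size_t len, int disp)
{
    int bad = 0;
    for (int r = 0; r < RANDOM_RANGE; r++)
        if ((size_t)(r + RANDOM_BIAS + disp) >= len)
            bad++;
    return bad;
}

/* Bounds-checked form of `movzx edx, byte ptr [edx+ecx+disp]`:
 * returns the byte, or -1 instead of reading past the string. */
int checked_read(const unsigned char *table, size_t len, int random31, int disp)
{
    if (random31 < 0 || disp < 0 || (size_t)random31 + (size_t)disp >= len)
        return -1;
    return table[random31 + disp];
}

int main(void)
{
    unsigned char table[TABLE_LEN];
    fill_sample_table(table, TABLE_LEN);
    for (int disp = 2; disp <= 3; disp++)
        printf("disp %d: max offset %d, %d of %d values out of range, read at 35 -> %d\n",
               disp, max_offset(disp), count_out_of_range(TABLE_LEN, disp),
               RANDOM_RANGE, checked_read(table, TABLE_LEN, 35, disp));
    return 0;
}
```
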


July 8th, 2007, 04:01
Yes indeed, I get the point, it's really looking outside the string for the serial, and yeah, even within the string there is this B7h which is not an ASCII character; looks like it's a buggy crackme.
Well, thanks all for your help and time.


July 9th, 2007, 07:32
This crackme was actually more fun to find bugs in than to solve.