xtFusion's K1


Ok this is my first crackme it is a very easy one so

Difficulty: 1 - Very easy, for newbies
Platform: Windows
Language: C/C++

Published: 07. Oct, 2006
Downloads: 1109


Votes: 7
Crackme is boring.



Solution by redoC, published 22. jun, 2010; download (25 kb), password: or browse.

redoC has rated this crackme as boring.


Discussion and comments

09. Oct 2006
Nice crackme!!!
But a small bug coz of lazy code: when the name or serial is too short, good message will come after the error message ;)
Good idea, anyhow.
09. Oct 2006
I'll check it out when I get home =)

09. Oct 2006
red477, sorry for that bug! I was so sleepy when I did this for fun. I hope you could work around it!
15. Oct 2006
How do I make this program stay on the screen? I type a name, hit ENTER, type a serial, hit ENTER - and it disappears. When the name or serial I enter has no letters, I don't get to see the error message or the good message. The window disappears.
I can see in Olly that the program behaves like red477 says, but shouldn't there have been a "getch()" or something in the end of the code?
15. Oct 2006
Just open the Crackme from the windows-prompt.
16. Oct 2006
Yes, of course! That was stupid! Thanks!
16. Oct 2006
A variable has not been initialized in the code.
Check offset 40132F. Bug?
18. Oct 2006
It seems to me that jB is right. At that point there are 3 dwords which affect the serial calculation, ebp-14, ebp-18 and ebp-1c.
The two last are always the same, but ebp-14 changes all the time. I have traced it to the value of edi when the program starts, and this value is often 0, sometimes 1, sometimes 2, and sometimes something completely different.
So it doesn't seem possible to find a serial that will work all the time. Please prove me wrong, xtFusion...:)
14. Nov 2006
This should be the correct combination:
Tanatos / 9153f4eb but the "Corect , no" msg isn't guess that's a bug xtFusion...
14. Nov 2006
I don't think there IS a correct combination. I found several combinations that work sometimes, like

Zaphod / b21dbb7d or Zaphod / b21dbbb8 or others...

But they only work sometimes in Olly, never outside Olly.
Unfortunately xtFusion doesn't seem interested in participating in this debate...
31. Mar 2007
that was a toughy, but i got there in the end, enjoy the first solution :)
31. Mar 2007
oh and Zaphod, to prove it works (hopefully) try
Zaphod / b18d1b1f
31. Mar 2007
@jB_ yes mate, ebp-14 is sure changing always ...

and in olly u see the good message but not outside olly... seems he forgot to put a lil pause after the "correct".
31. Mar 2007
whoops, do i feel an idiot, umm, when my solution is up, ignore the fact i said ESP instead of EBP, i know what i meant :D
01. Apr 2007
refraction, I tried "Zaphod/b18d1b1f", but that doesn't work either, it is the same as the other combinations...
02. Apr 2007
you are right, it's machine independent, I made it under xp64, works perfect, go into xp32, doesn't work :/ what makes it more annoying, I got the value from xp32 which works and tried it on another xp32 machine, it doesn't work
very grrish
20. Aug 2007
Nope refraction, the serial is not machine dependent.
jB and Zaphod are right.
The value in the uninitialized variable ends up changing the serial number.

Hence, it is not possible to write a Keygen for this one unless we use ReadProcessMemory() and some really smart code to find and read the value of the uninitialized variable.
02. Nov 2007
I've written a loader/keygen for this crackme ).
Some trick with uninitialized variables found. Good for newbies. Thanks!.)
17. Dec 2007
So what is the result of the EBP-14 problem? Has anyone figured out the answer? Was EBP-14 designed to have different values depending on some variable or was it an accidentally uninitialized variable due to "lazy coding?"
19. Jun 2010
Guys, this crackme rejects all keys on my PC.
I tried a one-symbol user name 'a', and the serial for this one-word name is 573edbcb

just look:

004013F1: CMP DWORD PTR SS:[EBP-10], 1
The boolean variable at this address SS:[EBP-10] determines if our serial is wrong (or right if the variable is not equal to one).
Let's see where this variable is changed.
004013E3: MOV DWORD PTR SS:[EBP-10], 1
But this instruction is never executed!
Then let's set a write breakpoint on this memory region and find where it is set to 1.
Our debugger breaks on instruction:
004011DF: mov dword ptr [esp], eax ;eax == 1
This is something like startup application code.
And there are no breaks after this instruction.
So this VARIABLE WASN'T INITIALIZED TO ZERO before comparing two serials.
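
An added illustration of the two defects discussed in the comments above (not code from the crackme or from any poster): a serial accumulator and a result flag that are used without being initialised. The serial formula, function names and leftover values are hypothetical; only the name "Zaphod" and the roles of [EBP-14] and [EBP-10] come from the thread.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical serial routine, NOT the crackme's real algorithm. `stale`
 * models the leftover contents of an accumulator slot the code never
 * initialises (the role [EBP-14] plays in the thread). Reading a really
 * uninitialised local is undefined behaviour in C, so the leftover is
 * passed in explicitly to keep the demonstration deterministic. */
static uint32_t serial_with_stale_slot(const char *name, uint32_t stale)
{
    uint32_t acc = stale;                 /* bug being modelled */
    for (size_t i = 0; name[i] != '\0'; i++)
        acc = (acc * 31u) ^ (uint8_t)name[i];
    return acc;
}

/* Corrected form: the accumulator starts from a defined value. */
static uint32_t serial_fixed(const char *name)
{
    return serial_with_stale_slot(name, 0u);
}

/* Result flag in the role of [EBP-10]: 1 means "wrong serial". The modelled
 * bug is that it is never cleared before the comparison, so a leftover 1
 * rejects even a matching serial. Returns 1 when the serial is accepted. */
static int check_with_stale_flag(uint32_t expected, uint32_t entered,
                                 uint32_t stale_flag)
{
    uint32_t bad = stale_flag;            /* bug being modelled */
    if (expected != entered)
        bad = 1;
    return bad != 1;
}

static int check_fixed(uint32_t expected, uint32_t entered)
{
    return check_with_stale_flag(expected, entered, 0u);
}

int main(void)
{
    const char *name = "Zaphod";          /* name taken from the thread */
    for (uint32_t stale = 0; stale < 3; stale++)   /* constructed leftovers */
        printf("stale=%u -> %08x\n", (unsigned)stale,
               (unsigned)serial_with_stale_slot(name, stale));
    uint32_t s = serial_fixed(name);
    printf("stale flag 1: accepted=%d, cleared flag: accepted=%d\n",
           check_with_stale_flag(s, s, 1u), check_fixed(s, s));
    return 0;
}
```

Building real code with `-Wall -Wextra` (GCC/Clang) or running it under MemorySanitizer flags this class of bug before it ships.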
