			------------------------------
			CrackMe [id:17] coded by tC...
			Tutorial by Lucifer48, 25 June
			------------------------------

I apologize for my lame English...
I enter a dummy combination, I put a bpx hmemcpy, click on the "<-check->" button, nothing
happens :( I also try a bpx IsDlgButtonChecked, it doesn't work.
How do I get into the code AND at the right place/offset?
This time W32Dasm will help me ;) I look at "String Data References", I hope I will find
something. I find the string "Registered", click on it and, *cool*, I am in the right place :)
I see the same tests a few times (with jz/jnz 004403EB). I write down the address of the beginning
of the routine (004402EC), and put a bpx on it. We are here:


XXXX:004402EC  PUSH EBX                 ;soft-ice has stopped here
XXXX:004402ED  MOV  EBX,EAX
XXXX:004402EF  MOV  EAX,[EBX+00000308]  ;a specific button
XXXX:004402F5  MOV  EDX,[EAX]
XXXX:004402F7  CALL [EDX+000000B8]      ;CMP BYTE PTR [EAX+000001F2],01 / SETZ AL
XXXX:004402FD  TEST AL,AL
XXXX:004402FF  JNZ  004403EB            ;not checked = (no jump)
...
From here, the following routine appears 11 times; 'yyy' is:
310, 31C, 320, 324, 328, 330, 304, 30C, 314, 318, 32C.
(unfortunately these numbers aren't the handles of the buttons)

XXXX:004403xx  MOV  EAX,[EBX+00000yyy]
XXXX:004403xx  MOV  EDX,[EAX]
XXXX:004403xx  CALL [EDX+000000B8]      ;CMP BYTE PTR [EAX+000001F2],01 / SETZ AL
XXXX:004403xx  TEST AL,AL
XXXX:004403xx  JZ/JNZ 004403EB

In fact, each button is tested; the crackme only checks whether the matrix (on the right) is valid.
To obtain the matrix (on the right), we must check (or not) buttons in the left matrix. And there
are many possibilities to get the same result.

The routine ends like this:

XXXX:004403D9  JZ   004403EB
XXXX:004403DB  MOV  EDX,004403F8
XXXX:004403E0  MOV  EAX,[EBX+000002D0]
XXXX:004403E6  CALL 004210B0
XXXX:004403EB  POP  EBX
XXXX:004403EC  RET

Assume the matrix (on the right) is:

A   B   C   D
E   F   G   H
I   J   K   L

These are the comparisons done (in order):

* B (308): not checked	* A (304): checked
* D (310): not checked	* C (30C): checked
* G (31C): not checked	* E (314): checked
* H (320): not checked	* F (318): checked
* I (324): not checked	* K (32C): checked
* J (328): not checked
* L (330): not checked
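
The check routine above, rebuilt in C as an added example (not code from the crackme or from the
original tutorial). The field offsets, the +1F2 flag and the test order come from the listing;
the '1'/'0' input string, check_pattern() and the buffer size are assumptions made for the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The virtual call at [vtable+0xB8] boils down to
   CMP BYTE PTR [EAX+1F2],01 / SETZ AL, so a control is modelled as a byte
   buffer just large enough to hold that flag (real object size unknown). */
enum { CHECKED_OFF = 0x1F2, CTRL_SIZE = CHECKED_OFF + 1, CELLS = 12 };

/* Form-field offsets in the order the routine tests them, with the state
   each test requires (1 = checked), as listed in the tutorial. */
static const struct { uint16_t field; uint8_t want; } TESTS[CELLS] = {
    {0x308, 0}, {0x310, 0}, {0x31C, 0}, {0x320, 0}, {0x324, 0}, {0x328, 0},
    {0x330, 0}, {0x304, 1}, {0x30C, 1}, {0x314, 1}, {0x318, 1}, {0x32C, 1},
};

/* Offsets 0x304..0x330 step by 4, so they index cells A..L in row order. */
static int slot(uint16_t field) { return (field - 0x304) / 4; }

static int is_checked(const uint8_t *ctrl) { return ctrl[CHECKED_OFF] == 1; }

/* Returns 0 if all 12 tests pass (fall through to 004403DB), otherwise the
   letter of the first failing cell (the early jump to 004403EB). */
int check_right_matrix(uint8_t ctrls[CELLS][CTRL_SIZE])
{
    for (int i = 0; i < CELLS; i++) {
        int s = slot(TESTS[i].field);
        if (is_checked(ctrls[s]) != TESTS[i].want)
            return 'A' + s;
    }
    return 0;
}

/* Hypothetical helper: build the 12 controls from a row-major string of
   '1' (checked) / '0' (unchecked) for cells A..L and run the check. */
int check_pattern(const char *cells)
{
    uint8_t ctrls[CELLS][CTRL_SIZE];
    if (strlen(cells) != CELLS) return -1;
    memset(ctrls, 0, sizeof ctrls);
    for (int i = 0; i < CELLS; i++)
        ctrls[i][CHECKED_OFF] = (cells[i] == '1');
    return check_right_matrix(ctrls);
}

int main(void)
{
    int r = check_pattern("101011000010");   /* constructed input */
    printf("%s\n", r == 0 ? "accepted" : "rejected");
    return 0;
}
```

The model makes one thing visible that the listing hides: the offsets 304..330 are in row order,
so the seven "not checked" tests run first and a wrong cell in that group is always reported first.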

These are the solutions I have found (left matrix!):

O  X  O  O
O  O  O  X
O  O  O  X

O  O  O  O
O  O  X  X
O  O  O  X

O  O  X  O
O  O  X  X
O  O  O  X

O  O  X  O
O  O  X  X
X  O  O  X

O  X  O  O
O  O  X  X
O  O  O  X

O  X  X  O
O  O  X  X
O  O  O  X

O  X  X  O
O  O  X  X
X  O  O  X

X  X  X  O
O  O  X  X
O  O  O  X

X  X  X  O
O  O  X  X
X  O  O  X

I don't know how many matrices I have forgotten, but I think it's enough!

Greetings: ID group, Eternal Bliss (wonderful site), tC... (for his *big* crackme in Delphi),
           ACiD BuRN, and other personal friends...

Lucifer48
