Getting started with ollydbg-cracking common breakpoint settings

4-getting started with ollydbg-cracking common breakpoints (conversion)

Software Localization
16:25:23 read 76
Comment 0 font size:LargeMediumSmallSubscription

BPX hmemcpy
Cracking the omnipotent breakpoint and blocking the memory copy action
BPX lockmytask when other breakpoints are ineffective, you can try this breakpoint to intercept the button action.
Bmsg handle wm_gettext intercepts the registration code (handle is the handle of the corresponding window)
Bmsg handle wm_command blocks the OK button (handle is the handle of the corresponding window)

Interception window:
BPX createwindow creation window
BPX createmediawex (a) creation window
BPX showwindow display window
BPX updatewindow update window
BPX getwindowtext (a) get window text

Intercept message box:

BPX MessageBox (a) create a message box
BPX messageboxexa create message box
BPX messageboxindirect (a) create a custom message box

Interception warning:
BPX messagebeep sends a system warning sound (if there is no sound card, the system speaker is directly driven)

Interception dialog box:
BPX dialogbox create mode dialog box
BPX dialogboxparam (a) create mode dialog box
BPX dialogboxindirect create mode dialog box
BPX dialogboxindirectparam (a) create mode dialog box
Create non-modal dialog box of BPX createdialog
BPX createdialogparam (a) create non-Modal Dialog Box
BPX createdialogindirect create non-Modal Dialog Box
BPX createdialogindirectparam (a) create a non-Modal Dialog Box
BPX getdlgitemtext (a) to obtain the text of the dialog box
BPX getdlgitemint get the integer of the dialog box

Intercept clipboard:
BPX getclipboarddata get Clipboard data

Interception registry:
BPX regopenkey (a) open the child key (for example, BPX regopenkey (A) if * (esp + 8) = '****')
BPX regopenkeyex open the child key (for example, BPX regopenkeyex if * (esp + 8) = '****')
BPX regqueryvalue (a) Search for child keys (for example, BPX regqueryvalue (A) if * (esp + 8) = '****')
BPX regqueryvalueex search child key (for example, BPX regqueryvalueex if * (esp + 8) = '****')
BPX regsetvalue (a) sets the child key (for example, BPX regsetvalue (A) if * (esp + 8) = '****')
BPX regsetvalueex (a) sets the child key (for example, BPX regsetvalueex (A) if * (esp + 8) = '****')
"*****" Refers to the first four characters of the subkey name. If the subkey is "regcode", "*****" = "regc"

Function restrictions:
BPX enablemenuitem disable or allow menu items
BPX enablewindow disable or allow window
Bmsg hmenu wm_command intercepts menu button events, where hmenu is the menu handle
BPX k32thk1632prolog works with bmsg hmenu wm_command. You can use this breakpoint to access the menu handler.

Application Example:
Call [Kernel32! K32thk1632prolog]
Call [......] <-- this trail enters the menu Handler
Call [Kernel32! K32thk1632epilog]

Interception time:
BPX getlocaltime get local time
BPX getsystemtime get system time
BPX getfiletime get file time
BPX gettickcount: the number of milliseconds that have elapsed since the system was successfully started.
BPX getcurrenttime get current time (16 bits)
BPX settimer create Timer
BPX timerproc timer timeout callback function

Interception file:
BPX createfilea create or open a file (32-bit)
BPX openfile open file (32-bit)
BPX readfile Read File (32-bit)
BPX writefile Write File (32-bit)
BPX _ lcreat create or open a file (16 bits)
BPX _ lopen open the file (16 bits)
BPX _ lread Read File (16 bits)
BPX _ lwrite Write File (16 bits)
BPX _ hread Read File (16 bits)
BPX _ hwrite Write File (16 bits)

Interception drive:
BPX getdrivetype (a) obtain the disk drive type
BPX getlogicaldrives
BPX getlogicaldrivestringsa obtains the root drive path of all current logical drives

Dog interception:
Bpio-H 378 (or 278, 3BC) r 378, 278, and 3BC are parallel printing ports.
Bpio-H 3f8 (or 2f8, 3e8, 2e8) r 3f8, 2f8, 3e8, 2e8 are serial ports

Special breakpoint for vbprogram:
BPX msvbvm50! _ Comparison of vbastrcmp strings
BPX msvbvm50! _ Comparison of vbastrcomp strings
BPX msvbvm50! _ Vbavartstne: whether the variables are not equal
BPX msvbvm50! _ Vbavartsteq: Check whether the variables are equal.
BPX msvbvm50! _ Vbastrcopy: copy a string
BPX msvbvm50! _ Vbastrmove move string
BPX multibytetowidechar ANSI string to Unicode string
BPX widechartomultibyte Unicode string to ANSI string
The above breakpoint corresponds to the vb5 program. If it is a VB6 program, change msvbvm50 to msvbvm60.

Vbprogram cracking
Remember some common functions of VB:
Multibytetowidechar converts an ANSI string to a Unicode Character
Widechattomultibyte converts Unicode characters to ANSI characters
Rtct8valfrombstr converts a character to a floating point number
Vbastrcmp comparison string (common breakpoint)
Comparison of vbastrcomp strings (Common breakpoints)
Vbastrcopy copy string
Strconv conversion string
Vbastrmove move string
_ Vbavarcat connection string
Rtcmidcharvar can be a character or string in a string!
_ Vbalenbstr: String Length
Vbavartstne variable comparison
Vbavartsteq variable comparison
Rtcmsgbox dialog box
Varbstrcmp comparison string
Varcycmp comparison string
　　
After the program is loaded with OD, enter BPX hmemcpy in the command line and press Enter. All the functions called by the program running will pop up and the breakpoint will be set on each function!

Note: I like to use this breakpoint setting method to break the vbprogram. Through step-by-step tracking, I can basically grasp the idea of program protection, so I basically use this breakpoint to break the vbprogram. Of course, you can use other breakpoints, any breakpoint makes sense as long as the key is found.

There are two methods to register VB Programs without prompt:
First (error prompt): Use getvbres to replace the prompt string, which is generally replaced by '123456', '123456', Or something like.
Because: VB, the words used to store the prompts are added with some stuff. The tools we use are generally byte analysis. Replace it with a byte like '200'. You can use static analysis to get your string. Getvbres)

Second (no prompt): Use the vbde tool (I don't know if Dede is used or not) to track the location of the cracked button window.

First, the address of w32dasm that can correctly decompile the vbprogram is given:
======================================
Offsets 0x16b6c-0x16b6d

Modify the machine code to: 98 F4
======================================

Tracking breakpoint of vbprogram: 

Multibytetowidechar,
Rtcr8valfrombstr,
Widechartomultibyte,
_ Vbastrcmp
_ Vbastrcomp
_ Vbastrcopy
_ Vbastrmove
_ Vbavartstne
Rtcbeep
Rtcgetpresentdate (Time API)
Rtcmsgbox
==========

Time limit breakpoint:

Comparefiletime
Getlocaltime
Getsystemtime
Gettimezoneinformation
Msvcrt. difftime ()
Msvcrt. Time ()
======================

VB breakpoint Search Method

1. written in VB6.0, the OD load program calls up the registration window, ALT + e call up the executable module window find X: \ windows \ system32 \ msvbvm60.dll double-click, find in the CTRL + N call up window, name xxxxxxe section = engine export _ vbavarmove double-click the following address (you can directly go to the command line BP _ vbavarmove ), return to the Application Registration window and register the address that has been blocked. Press Ctrl + F9 and press F8.

2. OD loading program, breakpoint under the command line: BP rtcmsgbox
Stack friendly prompt
Click OK. Next, find out the first sentence of the Code executed by the click sign-up button, OK? Of course, according to our knowledge, the code that programmers write to an event is similar to that of other languages.
3. OD loader, breakpoint under the command line: BP rtcmsgbox
Enter the pseudo registration code 9999999999999999999 randomly, and the service will be interrupted after confirmation.
Stack friendly prompt
Click OK.
W32dasm disassembly program, shiht + F12
4. messageBox in VB is a message box, And breakpoint under rtcmsgbox is used in assembly. load the program with olldbg, ALT + e, find msvbvm60.dll In the executable file module, double-click it, right-click the code window, right-click the rtcmsgbox function in the name of the current module, and double-click it, in 6a362f29 55 push EBP, double-click the breakpoint and close the extra window. Only the main CPU debugging window is left, And the F9 runs the program. Click? After entering 987654321, press enter and immediately interrupt. Then ctrt + F9 runs to the return address, because this is msvbvm60's airspace and we will return to the program's airspace. in secret notepad, a message error message is displayed. Click OK to go up and press F8 to return.
5. For Microsoft Visual Basic 6.0, use smartcheck to find the program and compare the registration code points.
6. use VB to compare breakpoints
Vbastrcmp
Vbastrcomp
Vbavartsteq
Set a breakpoint in od to find the registration code
7. Load the program with OD, run it, and fill in the above registration code and serial number. In OD, place the breakpoint, ALT + e, double-click msvbvm60, right-click the running database, right-click the name in the current module, find vbastrcmp, and double-click the breakpoint.