Common OD (OllyDbg) breakpoints

Source: Internet
Author: User

Password-check breakpoints
hmemcpy (Win9x only)
GetDlgItemTextA
GetDlgItemInt
VB:
GetVolumeInformationA

__vbaStrComp (TRW)
bpx __vbaStrComp (note the two leading underscores)
MSVBVM60!__vbaStrComp | SoftICE
MSVBVM50!__vbaStrComp |

V3164str

Ctrl+D
bpx msvbvm60!__vbaStrComp do "d *(esp+0c)" (SoftICE; dumps the string whose pointer sits in the third argument slot above the return address)
Press F5 several times and the register code is generated in the dump.
bpx RegQueryValueExA do "d esp->8" (TRW; esp->8 is the second argument, lpValueName, so the dump shows which registry value is being queried)

__vbaVarTstEq
(0042932F 66898580FEFFFF  mov word ptr [ebp-180], ax
 changed to 0042932F 66898580FEFFFF  mov word ptr [ebp-180], bx)

Common time-check breakpoints
GetSystemTime
GetLocalTime
GetTickCount
VB:
rtcGetPresentDate // gets the current date

Common window-closing breakpoints
LockMyTask (Win9x only)
DestroyWindow
mouse_event (mouse breakpoint)
PostQuitMessage (useful for cracking "full-colour XP" ^_^)
VB:
_rtcMsgBox

Common INI-file breakpoints
GetPrivateProfileStringA
GetPrivateProfileInt

Key file:
GetPrivateProfileInt
ReadFile
CreateFileA

Common registry breakpoints
RegQueryValueA
RegQueryValueExA

Dongle (hardware key) breakpoints
bpio -h 278 r
bpio -h 378 r

Breakpoints on other common functions
CreateFileA (reads the dongle driver),
bp DeviceIoControl,
FreeEnvironmentStringsA (effective against HASP).
PrestoChangoSelector (16-bit HASPs); 7242 search for strings (for Sentinel dongles). See the example below.

CD-check breakpoints
16-bit:
GetVolumeInformation
GetDriveType
int 2Fh (DOS)
32-bit:
GetDriveTypeA
GetFullPathNameA
GetWindowsDirectoryA

Disk-read breakpoints
GetLastError returns the extended error code

Restriction breakpoints
EnableMenuItem
EnableWindow enables or disables mouse and keyboard input to the specified window and its items (a menu item appears greyed out when disabled)

What breakpoints are used for floppy-disk checks? Are there other special breakpoints? Can other friends talk about them?
For example, are LockMyTask and mouse_event not Win32 API functions?
When cracking on Win9x versus Win2k, are some of the breakpoints above unavailable?
What are the commonly used breakpoint functions above on Win2k?
That is, I am asking about password, time, window, INI, key-file, registry, dongle, CD, floppy-disk, restriction and similar breakpoints!
Get familiar with the common breakpoints and get twice the result with half the effort!
Let's talk about it! Also, how can a piece of software be restored after a restart?
Don't know which breakpoint to use? There are three scenarios:
1. The check may be in the registry.
2. The comparison is in a special file (*.key, *.ini, *.dat, etc.)
3. The comparison is inside the program, with no error prompt and no clear strings to find in the disassembly (this is what I want to ask about)

The hardest one is removing the watermark!
There are three possible cases:
A. The watermark is a bitmap (BitBlt, CreateBitmap and other bitmap functions)
B. The watermark is a distinctive string (find it by disassembly analysis)
C. The watermark is not an obvious string (for example "This a demo!" that is only displayed in the produced output file, such as *.htm, *.exe, etc.)
C is the most difficult and is what many people want to know, me included. What do the experts say?

AD:
There are two possible cases:
A. Start from the window creation and use MoveWindow or other window functions!
B. Use BitBlt or other bitmap functions!
Finally, you can use some existing tools (such as api27, vwindset and freespy)

Although there is no tree in the grape, the vine produces seedlings in the shed.
In the dust of people, do not provoke dust?

Ball [CCG]
It depends on the marker, which usually leaves information in the registry!
In SoftICE, use bpx RegQueryValueExA do "d esp->8" to break on the query;
in TRW, use bpx RegQueryValueExA do "d *(esp+8)" to break on the query.
Some also leave registration information in the program directory, commonly in .dat, .ini, .dll files, etc.;
I use bpx ReadFile to break on those, and some leave registration information in the Windows directory.
You can use a dedicated tool such as FileMon to view them!

VB:

1. __vbaVarTstNe // compares whether two variables are not equal
2. rtcR8ValFromBstr // converts a string to a floating-point number
3. rtcMsgBox // displays a message box
4. rtcBeep // sounds the speaker
5. rtcGetPresentDate // gets the current date

For strings:
__vbaStrComp
__vbaStrCmp
__vbaStrCompVar
__vbaStrLike
__vbaStrTextComp
__vbaStrTextLike
For variables:
__vbaVarCompEq
__vbaVarCompLe
__vbaVarCompLt
__vbaVarCompGe
__vbaVarCompGt
__vbaVarCompNe

VB pointer:
THROW

Common breakpoints (in OD)
Window interception:
bp CreateWindow                  creates a window
bp CreateWindowEx(A)             creates a window
bp ShowWindow                    shows a window
bp UpdateWindow                  updates a window
bp GetWindowText(A)              gets the window text
Message-box interception:
bp MessageBox(A)                 creates a message box
bp MessageBoxExA                 creates a message box
bp MessageBoxIndirect(A)         creates a custom message box
Warning interception:
bp MessageBeep                   plays a system warning sound (without a sound card, the PC speaker is driven directly)
Dialog-box interception:
bp DialogBox                     creates a modal dialog box
bp DialogBoxParam(A)             creates a modal dialog box
bp DialogBoxIndirect             creates a modal dialog box
bp DialogBoxIndirectParam(A)     creates a modal dialog box
bp CreateDialog                  creates a modeless dialog box
bp CreateDialogParam(A)          creates a modeless dialog box
bp CreateDialogIndirect          creates a modeless dialog box
bp CreateDialogIndirectParam(A)  creates a modeless dialog box
bp GetDlgItemText(A)             gets the text of a dialog-box control
bp GetDlgItemInt                 gets the integer value of a dialog-box control
Clipboard interception:
bp GetClipboardData              gets the clipboard data
Registry interception:
bp RegOpenKey
bp RegOpenKeyEx
bp RegQueryValue(A)              queries a value
bp RegQueryValueEx
bp RegSetValue(A)                sets a value
bp RegSetValueEx
Function restrictions:
bp EnableMenuItem                disables or enables a menu item
bp EnableWindow                  disables or enables a window
Time interception:
bp GetLocalTime                  gets the local time
bp GetSystemTime                 gets the system time
bp GetFileTime
bp GetTickCount                  number of milliseconds elapsed since the system started
bp GetCurrentTime                gets the current time (16-bit)
bp SetTimer                      creates a timer
bp TimerProc                     timer timeout callback function
File interception:
bp CreateFileA                   creates or opens a file (32-bit)
bp OpenFile                      opens a file (32-bit)
bp ReadFile                      reads a file (32-bit)
bp WriteFile                     writes a file (32-bit)
Drive interception:
bp GetDriveTypeA                 gets the disk drive type
bp GetLogicalDrives
bp GetLogicalDriveStringsA       gets the root paths of all current logical drives


★★VB-program-specific breakpoints★★
bp __vbaStrCmp                   whether two strings are equal
bp __vbaStrComp                  whether two strings are equal
bp __vbaVarTstNe                 whether two variables are not equal
bp __vbaVarTstEq                 whether two variables are equal
bp __vbaStrCopy                  copies a string
bp __vbaStrMove                  moves a string
bp MultiByteToWideChar           converts an ANSI string to a Unicode string
bp WideCharToMultiByte           converts a Unicode string to an ANSI string
Dongle interception:
bpio -h 378 (or 278, 3BC) r      378, 278 and 3BC are the parallel printer ports.


The VB runtime DLL also calls functions in oleaut32.dll, the standard OLE Automation proxy/stub DLL. The prototype of each of its functions is declared in <oleauto.h> and documented in detail in MSDN, which also helps in understanding what the functions in the VB runtime DLL do.

Example:

lea eax, [ebp-58]
push eax
call [MSVBVM60!_v1_4var]

Before the call, dd eax+8 shows the value 3;
after the call returns, eax = 3.
So _v1_4var converts a VARIANT to I4 (that is, a 32-bit long integer).
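The reason the value shows up at eax+8 is the VARIANT layout: a 16-bit type tag followed by three reserved words, so the 8-byte payload union starts at offset 8. The following C program is an added example, not code from the original post or from the VB runtime; the struct, the VT_* subset and the variant_to_i4 helper are a re-creation written for illustration (the real declarations live in the Win32 SDK header oaidl.h). It shows the payload offset and what a VARIANT-to-I4 conversion does, including the failure path for an unknown type tag; the double case is simplified to truncation, whereas the real runtime rounds.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Subset of the VARIANT type tags (values as in the Win32 SDK). */
enum {
    VT_I2  = 2,   /* 16-bit signed integer  */
    VT_I4  = 3,   /* 32-bit signed integer  */
    VT_R8  = 5,   /* 64-bit floating point  */
    VT_UI1 = 17   /* 8-bit unsigned integer */
};

/* Re-creation of the Win32 VARIANT layout written for this example (not the
 * SDK declaration): a 16-bit tag, three reserved 16-bit words, then an
 * 8-byte payload union.  The payload therefore starts at offset 8, which is
 * why "dd eax+8" shows the integer value before the call. */
typedef struct {
    uint16_t vt;
    uint16_t wReserved1;
    uint16_t wReserved2;
    uint16_t wReserved3;
    union {
        int16_t iVal;
        int32_t lVal;
        double  dblVal;
        uint8_t bVal;
    } u;
} variant_t;

/* Offset of the payload inside the structure (expected: 8). */
size_t variant_payload_offset(void) {
    return offsetof(variant_t, u);
}

/* Convert a variant to a 32-bit integer, the job the page attributes to the
 * runtime helper.  Returns 0 and writes *out on success, -1 for an
 * unsupported type tag.  Doubles are truncated here as a simplification;
 * the real VB runtime rounds. */
int variant_to_i4(const variant_t *v, int32_t *out) {
    switch (v->vt) {
    case VT_I4:  *out = v->u.lVal;            return 0;
    case VT_I2:  *out = v->u.iVal;            return 0;
    case VT_UI1: *out = v->u.bVal;            return 0;
    case VT_R8:  *out = (int32_t)v->u.dblVal; return 0;
    default:     return -1;
    }
}

/* Build a VT_I4 variant holding `value` and convert it; mirrors the page's
 * trace (payload 3 before the call, 3 in eax afterwards). */
int32_t convert_i4_variant(int32_t value) {
    variant_t v;
    int32_t out = -1;
    memset(&v, 0, sizeof v);
    v.vt = VT_I4;
    v.u.lVal = value;
    variant_to_i4(&v, &out);
    return out;
}

/* Same for a VT_R8 variant, showing that the helper dispatches on the tag. */
int32_t convert_r8_variant(double value) {
    variant_t v;
    int32_t out = -1;
    memset(&v, 0, sizeof v);
    v.vt = VT_R8;
    v.u.dblVal = value;
    variant_to_i4(&v, &out);
    return out;
}

/* Return code for a tag the converter does not handle (expected: -1). */
int convert_unknown_variant(void) {
    variant_t v;
    int32_t out = 0;
    memset(&v, 0, sizeof v);
    v.vt = 0xFFFF;   /* constructed value: not a valid VT_* tag */
    return variant_to_i4(&v, &out);
}

int main(void) {
    printf("payload offset = %zu\n", variant_payload_offset());
    printf("VT_I4 3 -> %d\n", convert_i4_variant(3));
    printf("VT_R8 2.0 -> %d\n", convert_r8_variant(2.0));
    printf("unknown tag -> %d\n", convert_unknown_variant());
    return 0;
}
```

Inspecting the word at offset 0 (the vt tag) alongside the dword at offset 8 tells you both the declared type and the payload of the VARIANT a runtime helper is about to consume.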

__vbaVarTstNe also appears to be used for self-verification; normally its return value is 0.
Example software: the "Three Kingdoms Network" smart robot and the music greeting-card maker. After the two programs are unpacked, an error occurs: the Three Kingdoms Network smart robot raises an illegal operation, and the music greeting-card maker tells you it is an illegal copy. Modifying the return value of __vbaVarTstNe makes them run normally.
So when you meet a VB program that does not run normally after unpacking and you cannot find any other problem, try breaking on this function; it may help. 8-)

I don't know the API. On the 98 platform sectors can probably be read and written through the BIOS, but on 2000/NT sectors are written through the kernel-mode ATAPI driver and the HAL.
Machoman [CCG]
bpx WRITE_PORT_BUFFER_USHORT
At this breakpoint on NT/2000, when edx = 1F0h, the data at the address in EDI is the data of the sector being written; this requires first adding hal.dll to winice.dat (for details of the .sys driver, refer to the ATAPI manual).

Supplement:
Breakpoints for VB programs and time-limited programs
CrackerABC
First, the address in W32DASM that makes it disassemble VB programs correctly:
======================================
Offsets 0x16B6C-0x16B6D

Change the machine code to: 98 F4
======================================

Tracing breakpoints for VB programs:

================
MultiByteToWideChar,
rtcR8ValFromBstr,
WideCharToMultiByte,
__vbaStrCmp
