Common OD breakpoints

Source: Internet
Author: User
I have collected common OD breakpoints here, including the all-purpose VB breakpoints dedicated to VB programs.

Common breakpoints (in OD)

Intercepting windows:
BP CreateWindow            create window
BP CreateWindowEx(A)       create window
BP ShowWindow              show window
BP UpdateWindow            update window
BP GetWindowText(A)        get window text

Intercepting message boxes:
BP MessageBox(A)           create message box
BP MessageBoxExA           create message box
BP MessageBoxIndirect(A)   create custom message box
BP IsDialogMessageW

Intercepting alerts:
BP MessageBeep             play a system alert sound (if there is no sound card, the PC speaker is driven directly)

Intercepting dialog boxes:
BP DialogBox                     create modal dialog box
BP DialogBoxParam(A)             create modal dialog box
BP DialogBoxIndirect             create modal dialog box
BP DialogBoxIndirectParam(A)     create modal dialog box
BP CreateDialog                  create modeless dialog box
BP CreateDialogParam(A)          create modeless dialog box
BP CreateDialogIndirect          create modeless dialog box
BP CreateDialogIndirectParam(A)  create modeless dialog box
BP GetDlgItemText(A)             get the text of a dialog box control
BP GetDlgItemInt                 get the integer of a dialog box control

Intercepting the clipboard:
BP GetClipboardData        get clipboard data

Intercepting the registry:
BP RegOpenKey
BP RegOpenKeyEx
BP RegQueryValue(A)        query a subkey's value
BP RegQueryValueEx
BP RegSetValue(A)          set a subkey's value
BP RegSetValueEx

Functional restrictions:
BP EnableMenuItem          disable or enable a menu item
BP EnableWindow            disable or enable a window

Intercepting time:
BP GetLocalTime            get local time
BP GetSystemTime           get system time
BP GetFileTime
BP GetTickCount            number of milliseconds elapsed since the system started
BP GetCurrentTime          get current time (16-bit)
BP SetTimer                create a timer
BP TimerProc               timer timeout callback function
GetDlgItemInt              get the integer from the specified input box
GetDlgItemText             get the string from the specified input box
GetDlgItemTextA            get the string from the specified input box

Intercepting files:
BP CreateFileA             create or open a file (32-bit)
BP OpenFile                open a file (32-bit)
BP ReadFile                read a file (32-bit)
BP WriteFile               write a file (32-bit)
GetModuleFileNameA
GetFileSize
SetFilePointer
FileOpen
FindFirstFileA
ReadFile

Intercepting drives:
BP GetDriveTypeA           get the disk drive type
BP GetLogicalDrives
BP GetLogicalDriveStringsA get the root paths of all current logical drives

★★ VB program-specific breakpoints ★★

File length: rtcFileLen
BP __vbaFreeStr            used for restart verification in VB programs
BP __vbaStrCmp             whether strings are equal
BP __vbaStrComp            whether strings are equal
BP __vbaVarTstNe           compare variables for inequality
BP __vbaVarTstEq           whether variables are equal
BP __vbaStrCopy            copy string
BP __vbaStrMove            move string
BP MultiByteToWideChar     ANSI string to Unicode string
BP WideCharToMultiByte     Unicode string to ANSI string

====================================

Password breakpoints
hmemcpy (for Win9x)
GetDlgItemTextA
GetDlgItemInt
VB:
GetVolumeInformationA

__vbaStrComp (TRW)
BPX __vbaStrComp (remember the two '_')
msvbvm60!__vbaStrComp | SoftICE
msvbvm50! |

V3164str

CTRL+D
BPX msvbvm60!__vbaStrComp do "d *(esp+0c)" (SoftICE)
Press F5 several times to bring up the registration code.
BPX RegQueryValueExA do "d esp->8" (TRW)

__vbaVarTstEq
(0042932F 66898580FEFFFF  mov word ptr [ebp+fffffe80], ax
change to 0042932F 66898580FEFFFF  mov word ptr [ebp+fffffe80], bx)

Common time breakpoints
GetSystemTime
GetLocalTime
GetTickCount
VB:
rtcGetPresentDate // get the current date

Common "kill window" breakpoints
LockMyTask (Win9x only)
BP ExitProcess             exit the process
DestroyWindow
mouse_event (mouse breakpoint)
PostQuitMessage (useful for cracking Full Color XP ^_^)
VB:
_rtcMsgBox

Common INI-file breakpoints
GetPrivateProfileStringA
GetPrivateProfileInt

Key files:
GetPrivateProfileInt
ReadFile
CreateFileA

Common registry breakpoints
RegQueryValueA
RegQueryValueExA

Dongle breakpoints
BPIO -h 278 R
BPIO -h 378 R

Breakpoints on other common functions
CreateFileA (reading the dongle driver),
DeviceIoControl,
FreeEnvironmentStringsA (effective against HASP).
PrestoChangoSelector (16-bit HASP); search for the string '20160301' (for San tiannuo dongles). For more information, see the example below.

CD-check breakpoints
16-bit:
GetVolumeInformation
GetDriveType
INT 2Fh (DOS)
32-bit:
GetDriveTypeA
GetFullPathNameA
GetWindowsDirectoryA

Disk-read breakpoints
GetLastError            returns the extended error code

Restriction breakpoints
EnableMenuItem
EnableWindow            enables or disables mouse and keyboard input to the specified window and its items (menu greyed out when disabled)

I don't know what the floppy-disk breakpoints are. Are there other special breakpoints? Could other friends talk about them?
For example LockMyTask and mouse_event: aren't these API32 functions?
When cracking on Win9x versus Win2k, are some of the breakpoints above unavailable?
I don't know which of the commonly used breakpoint functions above work on Win2k.
That is to say, ask about password, time, window, INI, key file, registry, dongle, CD, floppy disk, restrictions, and so on!
Get familiar with the common breakpoints and get twice the result with half the effort!
Let's talk about it! In addition, how can we recover a piece of software after a restart?
I don't know which breakpoint to use? There are three scenarios:
1. It may be in the registry.
2. Comparison in special files (*.key, *.ini, *.dat, etc.)
3. Comparison inside the program, with no error prompt or clear strings to find when disassembling (this is what I want to ask about)

The most difficult one is removing the watermark!
There are three possible cases:
A. The watermark is a bitmap file (BitBlt, CreateBitmap, and other bitmap functions)
B. The watermark is a distinctive string (disassembly analysis)
C. The watermark is not an obvious string (for example, "this is a demo!" is only displayed in another output file, such as *.htm, *.exe, etc.)
C is the most difficult thing to do. It is what many people want to know, including me. I don't know what the experts say?

AD:
There are two possible cases:
A. Start from the creation of the window and use MoveWindow or other window functions!
B. Use BitBlt or other bitmap functions!
Finally, you can use some existing tools (such as API27, VWindSet, and FreeSpy).

Although there is no tree in the grape, the vine produces seedlings in the shed.
In the dust of people, do not provoke dust?

Ball [CCG]
It depends on the mark, which usually leaves information in the registry!
In SoftICE, use BPX RegQueryValueExA do "d esp->8" to break on the query;
in TRW, use BPX RegQueryValueExA do "d *(esp+8)" to break on the query.
Some also leave registration information in the program directory, commonly in .dat, .ini, .dll files, etc.;
I used BPX ReadFile to break there, and some leave registration information in the Windows directory.
You can use dedicated tools such as Filemon to view and locate it!

VB:

1. __vbaVarTstNe     // compare whether two variables are not equal
2. rtcR8ValFromBstr  // convert a string to a floating-point number
3. rtcMsgBox         // dialog box that displays information
4. rtcBeep           // call the speaker
5. rtcGetPresentDate // get the current date

For strings:
__vbaStrComp
__vbaStrCmp
__vbaStrCompVar
__vbaStrLike
__vbaStrTextComp
__vbaStrTextLike
For variables:
__vbaVarCompEq
__vbaVarCompLe
__vbaVarCompLt
__vbaVarCompGe
__vbaVarCompGt
__vbaVarCompNe

VB pointer:
Throw

The VB runtime DLL also calls some functions in oleaut32.dll. oleaut32.dll is a common proxy/stub DLL; the prototype of each function is defined in <oleauto.h> and described in detail in MSDN. This also helps in understanding the role of the functions in the VB runtime DLL.

Example:

lea eax, [ebp-58]
push eax
call [msvbvm60!__vbaI4Var]

Run "dd eax+8" before the call: the value is 3.
After the call returns, eax = 3.
It can be seen that __vbaI4Var converts a Variant to I4 (that is, a long integer).

__vbaVarTstNe seems to be used for self-verification; normally its return value is 0.
Software where this applies: Three Kingdoms Network Smart Robot and Music Greeting Card Maker. When these two programs are unpacked, an error occurs: Three Kingdoms Network Smart Robot raises an illegal operation, and Music Greeting Card Maker tells you that it is an illegal copy. You can modify the return value of __vbaVarTstNe to make them run normally.
So when you encounter VB software that cannot run normally after unpacking and you cannot find any other problem, you can try breaking on this function; maybe it will be useful. 8-)

I don't know about the API. Maybe sectors can be read and written through the BIOS on the 98 platform, but on 2000/NT sectors can be written through the kernel's atapi and HAL.
Machoman [CCG]
BPX WRITE_PORT_BUFFER_USHORT
At this breakpoint on NT/2000, when edx = 1f0h, you can see that the data at the edi address is the data at the sector position. hal.dll must first be added to winice.dat; for details, refer to the atapi.sys documentation.

Supplement:
Breakpoints for VB programs and time-limited programs
Crackerabc
First, here is the patch address that lets W32Dasm correctly disassemble VB programs:
======================================
Offsets 0x16b6c-0x16b6d

Modify the machine code to: 98 F4
======================================

Tracing breakpoints for VB programs:

================
MultiByteToWideChar,
rtcR8ValFromBstr,
WideCharToMultiByte,
__vbaStrCmp
__vbaStrComp
__vbaStrCopy
__vbaStrMove
__vbaVarTstNe
rtcBeep
rtcGetPresentDate (time API)
rtcMsgBox
==========

Time-limit breakpoints:

======================
CompareFileTime
GetLocalTime
GetSystemTime
GetTimeZoneInformation
msvcrt!difftime()
msvcrt!time()
======================

General processing

BPX hmemcpy
BPX MessageBox
BPX MessageBoxExA
BPX MessageBeep
BPX SendMessage

BPX GetDlgItemText
BPX GetDlgItemInt
BPX GetWindowText
BPX GetWindowWord
BPX GetWindowInt
BPX DialogBoxParamA
BPX CreateWindow
BPX CreateWindowEx
BPX ShowWindow
BPX UpdateWindow

BMSG xxxx WM_MOVE
BMSG xxxx WM_GETTEXT
BMSG xxxx WM_COMMAND
BMSG xxxx WM_ACTIVATE

Time-related
BPINT 21 IF AH=2A (DOS)
BPX GetLocalTime
BPX GetFileTime
BPX GetSystemTime

CD-ROM or disk related
BPINT 13 IF AH=2 (DOS)
BPINT 13 IF AH=3 (DOS)
BPINT 13 IF AH=4 (DOS)
BPX GetFileAttributesA
BPX GetFileSize
BPX GetDriveType
BPX GetLastError
BPX ReadFile
BPIO -h (your CD-ROM port address) R

Dongle problems
BPIO -h 278 R
BPIO -h 378 R

Keyboard input
BPINT 16 IF AH=0 (DOS)
BPINT 21 IF AH=0A (DOS)

File access problems
BPINT 21 IF AH=3D (DOS)
BPINT 31 IF AH=3F (DOS)
BPINT 21 IF AH=3D (DOS)
BPX ReadFile
BPX WriteFile
BPX CreateFile
BPX SetFilePointer
BPX GetSystemDirectory

INI initialization files
BPX GetPrivateProfileString
BPX GetPrivateProfileInt
BPX WritePrivateProfileString
BPX WritePrivateProfileInt

Registry related
BPX RegCreateKey
BPX RegDeleteKey
BPX RegQueryValue
BPX RegCloseKey
BPX RegOpenKey

Registration flag
BPX CS:EIP IF EAX=0

Memory flag
BPMB CS:EIP RW IF 0x30:0x45aa=0

Display related
BPX 0x30:0x45aa do "d 0x30:0x44bb"
BPX CS:0x66cc do "? eax"

Window search
FindWindowA

BP SetFilePointer

BPX hmemcpy        ; the all-purpose cracking breakpoint, intercepts memory copy operations (note: Win9x-specific breakpoint)
BPX LockMyTask     ; when other breakpoints are ineffective, try this one to intercept button actions (Win9x only)

If you cannot find a breakpoint, try the following method:

BMSG handle WM_GETTEXT   ; intercept the registration code (handle is the handle of the corresponding window)
BMSG handle WM_COMMAND   ; intercept the OK button (handle is the handle of the corresponding window)

Intercepting windows:

BPX CreateWindow           ; create window
BPX CreateWindowEx(A/W)    ; create window
BPX ShowWindow             ; show window
BPX UpdateWindow           ; update window
BPX GetWindowText(A/W)     ; get window text

Intercepting message boxes:

BPX MessageBox(A/W)        ; create message box
BPX MessageBoxEx(A/W)      ; create message box
BPX MessageBoxIndirect(A/W); create custom message box

Intercepting alerts:

BPX MessageBeep            ; play a system alert sound (if there is no sound card, the PC speaker is driven directly)

Intercepting dialog boxes:

BPX DialogBox                    ; create modal dialog box
BPX DialogBoxParam(A/W)          ; create modal dialog box
BPX DialogBoxIndirect            ; create modal dialog box
BPX DialogBoxIndirectParam(A/W)  ; create modal dialog box
BPX CreateDialog                 ; create modeless dialog box
BPX CreateDialogParam(A/W)       ; create modeless dialog box
BPX CreateDialogIndirect         ; create modeless dialog box
BPX CreateDialogIndirectParam(A/W); create modeless dialog box
BPX GetDlgItemText(A/W)          ; get the text of a dialog box control
BPX GetDlgItemInt                ; get the integer of a dialog box control

Intercepting the clipboard:

BPX GetClipboardData       ; get clipboard data

Intercepting the registry:

BPX RegOpenKey(A/W)        ; open a subkey (for example: BPX RegOpenKeyA if *(esp->8)='****')
BPX RegOpenKeyEx(A/W)      ; open a subkey (for example: BPX RegOpenKeyEx if *(esp->8)='****')
BPX RegQueryValue(A/W)     ; query a subkey's value (for example: BPX RegQueryValueA if *(esp->8)='****')
BPX RegQueryValueEx(A/W)   ; query a subkey's value (for example: BPX RegQueryValueEx if *(esp->8)='****')
BPX RegSetValue(A/W)       ; set a subkey's value (for example: BPX RegSetValueA if *(esp->8)='****')
BPX RegSetValueEx(A/W)     ; set a subkey's value (for example: BPX RegSetValueExA if *(esp->8)='****')

Note: '****' stands for the first four characters of the subkey name. If the subkey is 'regcode', then '****' = 'regc'.

Functional restrictions:

BPX EnableMenuItem         ; disable or enable a menu item
BPX EnableWindow           ; disable or enable a window
BMSG hmenu WM_COMMAND      ; intercept menu button events, where hmenu is the menu handle
BPX K32Thk1632Prolog       ; used together with BMSG hmenu WM_COMMAND; this breakpoint lets you reach the menu handler
Application example:
call [Kernel32!K32Thk1632Prolog]
call [......]              <-- tracing into this call enters the menu handler
call [Kernel32!K32Thk1632Epilog]

Intercepting time:

BPX GetLocalTime           ; get local time
BPX GetSystemTime          ; get system time
BPX GetFileTime            ; get file time
BPX GetTickCount           ; number of milliseconds elapsed since the system started
BPX GetCurrentTime         ; get the current time (16-bit)
BPX SetTimer               ; create a timer
BPX TimerProc              ; timer timeout callback function

Intercepting files:

BPX CreateFile(A/W)        ; create or open a file (32-bit)
BPX OpenFile               ; open a file (32-bit)
BPX ReadFile               ; read a file (32-bit)
BPX WriteFile              ; write a file (32-bit)
BPX _lcreat                ; create or open a file (16-bit)
BPX _lopen                 ; open a file (16-bit)
BPX _lread                 ; read a file (16-bit)
BPX _lwrite                ; write a file (16-bit)
BPX _hread                 ; read a file (16-bit)
BPX _hwrite                ; write a file (16-bit)

Intercepting drives:

BPX GetDriveType(A/W)      ; get the disk drive type
BPX GetLogicalDrives       ; get the logical drive letters
BPX GetLogicalDriveStrings(A/W); get the root paths of all current logical drives

Dongle interception:

BPIO -h 378 (or 278, 3BC) R ; 378, 278 and 3BC are parallel printer ports
BPIO -h 3F8 (or 2F8, 3E8, 2E8) R ; 3F8, 2F8, 3E8 and 2E8 are serial ports

Special breakpoints for VB programs:

BPX msvbvm60!rtcMsgBox
BPX msvbvm60!__vbaStrCmp
BPX msvbvm60!__vbaStrComp
BPX msvbvm60!__vbaStrCompVar
BPX msvbvm60!__vbaStrTextCmp
BPX msvbvm60!__vbaFileOpen
BPX msvbvm60!__vbaInputFile
BPX msvbvm60!__vbaFileSeek
BPX msvbvm60!__vbaWriteFile
BPX msvbvm60!__vbaFileClose
BPX msvbvm60!rtcFileAttributes
BPX msvbvm60!rtcFileDateTime
BPX msvbvm60!rtcFileLen
BPX msvbvm60!rtcFileLength
BPX msvbvm60!__vbaVarInt
BPX msvbvm60!__vbaVarCmpGe
BPX msvbvm60!__vbaVarCmpGt
BPX msvbvm60!__vbaVarCmpLe
BPX msvbvm60!__vbaVarCmpLt
BPX msvbvm60!__vbaVarCmpNe
BPX msvbvm60!__vbaVarTextCmpEq
BPX msvbvm60!__vbaVarTextCmpGe
BPX msvbvm60!__vbaVarTextCmpGt
BPX msvbvm60!__vbaVarTextCmpLe
BPX msvbvm60!__vbaVarTextCmpLt
BPX msvbvm60!__vbaVarTextCmpNe
BPX msvbvm60!__vbaVarTextTstEq
BPX msvbvm60!__vbaVarTextTstGe
BPX msvbvm60!__vbaVarTextTstGt
BPX msvbvm60!__vbaVarTextTstLe
BPX msvbvm60!__vbaVarTextTstLt
BPX msvbvm60!__vbaVarTextTstNe
BPX msvbvm60!__vbaVarTstEq
BPX msvbvm60!__vbaVarTstGe
BPX msvbvm60!__vbaVarTstGt
BPX msvbvm60!__vbaVarTstLe
BPX msvbvm60!__vbaVarTstLt
BPX msvbvm60!__vbaVarTstNe

Note: VB programs can still be caught with the common API functions, as long as the runtime function "eventually" calls that API.
The breakpoints above correspond to VB6 programs. For a VB5 program, change msvbvm60 to msvbvm50.
