OD message Breakpoint

Source: Internet
Author: User

Article author: Icefisher
Author email: [email protected]
Software download:
Software name: Echap518.exe (a crackme, for learning only)
Packing: the archive already contains an unpacked .exe, so unpacking is not covered here; this article talks about two message breakpoint methods
Protection method:
Tool used: Ollyice
Article date: 20080813

-----------------------------------------------------------------------
This is my first original post, and I hope everyone will support it. Like many newcomers, I have read the OllyDbg tutorials on the forum, and the part about message breakpoints is really hard to understand; it was quite painful. So today I will talk about my own experience, in the hope that we can all encourage each other.

First of all, we need to understand what a message is, and when we talk about messages we cannot avoid talking about the structure of a Windows program (relax, it is not hard). I will only cover it roughly, since it is not the point.
Below is a typical Windows program structure, with many details omitted:

/*-----------------------------------------------------------------------
   HELLOWIN.C -- Displays "Hello, Windows 98!" in client area
                 (c) Charles Petzold, 1998
  -----------------------------------------------------------------------*/

#include <windows.h>

LRESULT CALLBACK WndProc (HWND, UINT, WPARAM, LPARAM) ;

int WINAPI WinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance,
                    PSTR szCmdLine, int iCmdShow)
{
     static TCHAR szAppName[] = TEXT ("HelloWin") ;
     HWND         hwnd ;
     MSG          msg ;
     WNDCLASS     wndclass ;
     // The lines above are just variable definitions; not our concern.

     wndclass.style         = CS_HREDRAW | CS_VREDRAW ;
     wndclass.lpfnWndProc   = WndProc ;   // KEY LINE: tells the system where the message handler is
     wndclass.cbClsExtra    = 0 ;
     wndclass.cbWndExtra    = 0 ;
     wndclass.hInstance     = hInstance ;
     wndclass.hIcon         = LoadIcon (NULL, IDI_APPLICATION) ;
     wndclass.hCursor       = LoadCursor (NULL, IDC_ARROW) ;
     wndclass.hbrBackground = (HBRUSH) GetStockObject (WHITE_BRUSH) ;
     wndclass.lpszMenuName  = NULL ;
     wndclass.lpszClassName = szAppName ;
     // This series of WNDCLASS fields defines the properties of a class of windows;
     // figuratively speaking it defines a mould, and the mould can then be used to
     // build many windows. What we must pay attention to is the marked line
     // wndclass.lpfnWndProc = WndProc; which says which function handles the
     // messages of this mould. In other words, everything that happens in this
     // window (a click, a double click, moving the mouse, pressing a key) produces
     // a message, and the system automatically calls WndProc to deal with it.

     if (!RegisterClass (&wndclass))
     {
          MessageBox (NULL, TEXT ("This program requires Windows NT!"),
                      szAppName, MB_ICONERROR) ;
          return 0 ;
     }
     // Above is the simple registration of the mould: first you define wndclass,
     // then you have to let the system know about it, which is what this function
     // does. It does not need much attention.

     hwnd = CreateWindow (szAppName,                  // window class name
                          TEXT ("The Hello Program"), // window caption
                          WS_OVERLAPPEDWINDOW,        // window style
                          CW_USEDEFAULT,              // initial x position
                          CW_USEDEFAULT,              // initial y position
                          CW_USEDEFAULT,              // initial x size
                          CW_USEDEFAULT,              // initial y size
                          NULL,                       // parent window handle
                          NULL,                       // window menu handle
                          hInstance,                  // program instance handle
                          NULL) ;                     // creation parameters
     // Above, the mould is used, together with some unique settings, to build a
     // window. We do not need to pay attention to it.

     ShowWindow (hwnd, iCmdShow) ;
     UpdateWindow (hwnd) ;

     while (GetMessage (&msg, NULL, 0, 0))
     {
          TranslateMessage (&msg) ;
          DispatchMessage (&msg) ;
     }
     // This loop needs attention: as said before, when the window generates a
     // message, WndProc has to be called to handle it, and this while loop is what
     // does the first stage of that processing. For now we do not need to
     // understand it in depth.
     return msg.wParam ;
}

LRESULT CALLBACK WndProc (HWND hwnd, UINT message, WPARAM wParam, LPARAM lParam)
{
     HDC         hdc ;
     PAINTSTRUCT ps ;
     RECT        rect ;
     // Focus here. Once we reach the WndProc message handler, a natural question
     // is: with so many kinds of messages, how does the system tell them apart?
     // That is the job of the UINT message parameter; wParam and lParam carry the
     // message-specific parameters. Because the messages differ, the system uses a
     // switch to select the matching handler. Note the case labels such as
     // WM_CREATE: every WM_ name is a message, and in essence just a number; a
     // header file defines these equivalent names.

     switch (message)
     {
     case WM_CREATE:
          PlaySound (TEXT ("hellowin.wav"), NULL, SND_FILENAME | SND_ASYNC) ;
          return 0 ;

     case WM_PAINT:
          hdc = BeginPaint (hwnd, &ps) ;
          GetClientRect (hwnd, &rect) ;
          DrawText (hdc, TEXT ("Hello, Windows 98!"), -1, &rect,
                    DT_SINGLELINE | DT_CENTER | DT_VCENTER) ;
          EndPaint (hwnd, &ps) ;
          return 0 ;

     case WM_DESTROY:
          PostQuitMessage (0) ;
          return 0 ;
     }
     return DefWindowProc (hwnd, message, wParam, lParam) ;
}

OK, do not find this too abstract; just follow my comments and you will roughly understand what each part does. In fact, to understand messages you only need to pay attention to the line I marked: wndclass.lpfnWndProc = WndProc; This is our focus. It tells the system which function handles the messages of windows of this class. Then the point is the callback, which dispatches to different handling code depending on the message.


Crackmes widely use dialog boxes, which are more convenient than implementing a window. The call looks like this:

DialogBox (hInstance,
           TEXT ("AboutBox"),
           hwnd,
           AboutDlgProc) ;

where the last parameter is the message handler, equivalent to the WndProc described above.

===========================================================================

Now that we understand the message handler, let us look at the example. First load Unpacked.exe in Ollyice and step with F8.

At this point press F7 to step into; after entering, continue with F8.

Here press F7 again; after entering, a few more F8 steps will show it:

Recall the DialogBox call I mentioned above:
DialogBox (
    hInstance,
    TEXT ("AboutBox"),
    hwnd,
    AboutDlgProc
)

DialogBoxParamA simply has one more parameter than DialogBox; this does not affect our understanding.
(Of course, we can also use Ctrl+N to find the function DialogBoxParamA and locate this call directly.)



We see DLGPROC=004015A1, so we know that 4015A1 is the message handler. Use Ctrl+G to go there and have a look.

We will see comparisons such as CMP eax,110 and CMP eax,111.

Recall from the earlier section that this is equivalent to
switch (message)
{
case WM_CREATE:
    ...
case WM_PAINT:
    ...
case WM_DESTROY:
    ...
}

What we need to know is: WM_COMMAND = 111 (hex; the message used to locate the button)
WM_LBUTTONUP = 202 (hex; left mouse button released)
And we have to pay attention to something I mentioned before:
WndProc (HWND hwnd, UINT message, WPARAM wParam, LPARAM lParam)
Whenever a message is generated, this function has to be called. So, by the Windows function calling convention, it is not hard to see that if we set a breakpoint at the start of the message handler, the stack must look like this:
{
return address
hwnd
Message
WParam
LParam
}

The foundation is done, so let us look at the program. (Because of the push ebp at the start, the message is later read from [ebp+c]; we should be able to understand that by now.) First run the program with F9; in the View -> Windows window we can clearly see that the Check button has ID 1.

Now let us take a closer look at this message handler. It first takes message from [ebp+c], stores it in eax, and then starts the switch: it keeps comparing eax to determine which message this is.
We know that pressing the button produces a WM_COMMAND (111) message, so when we see CMP eax,111 followed by a JE we are close to the target. Following the JE to its destination we will be surprised: there is another comparison. This is because there are many buttons, and pressing any of them produces a WM_COMMAND (111), so we still need to decide which button it was.


It uses the low 16 bits (the low word) of WPARAM, which hold the button's ID, hence movzx eax, word ptr [ebp+10]. We already know that Check has ID 1, so we see
CMP eax,1
JE xxxxxxxx
Set a breakpoint there and the Check breakpoint is done: every Check must come through here, and following on from here everything becomes clear.








Method Two
When we face a very complicated program, how do we find the key message handler? Among the vast amount of code, how do we find
the CMP eax,111 and CMP eax,1?
Back to the previous question: wherever the message handler is, when it is called, the contents of the stack must be
{
return address
hwnd
Message
WParam
LParam
}
As long as we can catch that, I think we can catch everything.

First, when we cannot find the message handler (maybe there is too much code and we missed it, or maybe some trick hides it), we can run the program with F9 first, then in the View -> Windows window select the common parent window and click Follow ClassProc.

This takes us into system code. At the first instruction there, set a conditional breakpoint:
[esp+8]==WM_COMMAND && [esp+c]==1

Then enter data in the dialog box and click Check; we break in the system code. Look at the stack:


Now we understand. Then in View -> Memory set a memory access breakpoint on the program's code section; F9 runs straight to the message handler.

From here we just quietly follow with F8.

Personal summary: remember [esp+8]==WM_COMMAND && [esp+c]==button ID
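As an added example (not code from the original post or from the crackme), here is a small C model of the stack frame described above and of the Method Two condition: the five dwords the caller leaves at [esp] when the handler is entered, the [ebp+c]/[ebp+10] reads after the push ebp prologue, and the [esp+8]==WM_COMMAND && [esp+c]==1 check. The names entry_frame, call_handler, dword_at, cond_full_dword and cond_low_word and the sample hwnd/return values are constructed for this example; WM_COMMAND, WM_LBUTTONUP, BN_CLICKED and BN_SETFOCUS are the real Windows constants.

```c
/* Constructed model of the x86 frame Windows builds when it calls a window or
 * dialog procedure: hwnd, message, wParam, lParam pushed right-to-left, then the
 * return address. Offsets are bytes, exactly as in OllyDbg's [esp+8] / [ebp+c]. */
#include <stdint.h>
#include <string.h>

#define WM_COMMAND   0x0111   /* the "CMP eax,111" in the disassembly */
#define WM_LBUTTONUP 0x0202
#define BN_CLICKED   0        /* notification code lives in HIWORD(wParam) */
#define BN_SETFOCUS  6

/* dword[0] is [esp] at the handler's first instruction, before push ebp. */
typedef struct { uint32_t dword[5]; } entry_frame;

entry_frame call_handler(uint32_t ret, uint32_t hwnd, uint32_t msg,
                         uint32_t wparam, uint32_t lparam) {
    entry_frame f = {{ ret, hwnd, msg, wparam, lparam }}; /* [esp+0],[esp+4],[esp+8],[esp+c],[esp+10] */
    return f;
}

/* Read the dword at [esp+off] with a byte offset, like the debugger expression. */
uint32_t dword_at(const entry_frame *f, int esp_byte_off) {
    uint32_t v;
    memcpy(&v, (const uint8_t *)f->dword + esp_byte_off, sizeof v);
    return v;
}

/* Method Two's condition as written: [esp+8]==WM_COMMAND && [esp+c]==id.
 * It compares the whole wParam dword, so it matches only when HIWORD(wParam),
 * the notification code, is 0 (BN_CLICKED). */
int cond_full_dword(const entry_frame *f, uint32_t id) {
    return dword_at(f, 0x8) == WM_COMMAND && dword_at(f, 0xc) == id;
}

/* What the handler itself does after "push ebp; mov ebp,esp": ebp is the entry
 * esp minus 4, so [ebp+c] is [esp+8] and [ebp+10] is [esp+c]; then
 * "movzx eax, word ptr [ebp+10]" keeps only the low word (the control ID). */
int cond_low_word(const entry_frame *f, uint32_t id) {
    int ebp_off = -4;                            /* push ebp lowered esp by 4 */
    uint32_t msg = dword_at(f, ebp_off + 0xc);   /* [ebp+c]  == [esp+8]  */
    uint32_t wp  = dword_at(f, ebp_off + 0x10);  /* [ebp+10] == [esp+c]  */
    return msg == WM_COMMAND && (wp & 0xffff) == id;
}
```

The BN_SETFOCUS case shows the caveat: the handler only looks at the low word of wParam, so the full-dword condition from Method Two fires only for notifications whose code is 0, which is BN_CLICKED.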
