OllyDbg entry-level series (6): message breakpoint and run trace supplement

Source: Internet
Author: User

After reading OllyDbg entry-level series (5), message breakpoint and run trace, how did you feel? Did you run into the following questions:
1. Do you feel you don't know where the breakpoint should be set?
2. Why does it break where it does?
3. After it breaks, how do I find the right location?

Well, let's analyze these issues.

First, review the Windows message mechanism. Key point: messages the program wants to handle are handled by the program's own message handling function, and messages it does not handle are passed back to Windows. The Windows message handling function has the following format:
LRESULT CALLBACK WindowProc(
    HWND hwnd,      // handle of window
    UINT uMsg,      // message identifier
    WPARAM wParam,  // first message parameter
    LPARAM lParam   // second message parameter
);
uMsg is the key: it indicates the type of the message, such as WM_COMMAND or WM_GETTEXT. Remember this.

Next, we will explain it with examples.

This crackme is a dialog-box program (how do we know?).
1. Load it in OllyDbg, press Ctrl+N, find the function user32.DialogBoxParamA, right-click it and choose "Set breakpoint on every reference".
2. Press F9 to run. Look, it breaks:

3. The DlgProc argument is what we need to find: this address is the entry point of the message handling function. Now let me explain why a message breakpoint in the window procedure works.

To break on a message, OllyDbg must first find a function with the format of a Windows message handling function, and then judge the message from the data on the stack. If the message matches the one you asked to break on, OllyDbg breaks. (Do you still feel you don't know where the message breakpoint is set? Do you now see how it breaks?) Obviously this message breakpoint function is limited. For example, what about breaking on menu messages in the main window? So the message breakpoint function is still limited. How to extend it? We'll talk about that later.

4. Press Ctrl+G and go to cycle.00401029; we are now at the message handling function. However, OllyDbg has not recognized this function as a message handling function, so at cycle.00401029 right-click and choose "Analysis" > "Assume arguments".

In the dialog box that appears, select "WinProc(hWnd, MSG, wParam, lParam)".

Click "Apply".

5. Right-click cycle.00401029 and choose "Breakpoint" > "Message breakpoint on WinProc" (have you ever seen this menu before? Haha).

5. In the "Message" list box, select the message you want to break on (press Alt+B first and delete the earlier breakpoint so that it does not get in the way).

6. Press F9 to run the program. Nothing happens at first. When you click into a text box (click it to give it focus so that you can type), it breaks. You cannot enter the registration code in the text box, let alone click the button. What's going on? Take a closer look at the stack window! The break was triggered by the EN_SETFOCUS notification from the text box, and from then on the breakpoint keeps firing between EN_SETFOCUS and EN_KILLFOCUS.
7. Now we can extend the message breakpoint (isn't it just a special case of a conditional breakpoint?), that is, use a conditional breakpoint (as hinted earlier, haha).

Whether you use a plain conditional breakpoint or a conditional log breakpoint makes no difference here, because we do not need to log anything.
8. Press Shift+F2 and enter MSG==WM_COMMAND && [ESP+C]==66 (where does this 66 come from? It is the ID of the "Check" button; the condition means "break when WM_COMMAND is received and the control ID is 0x66"). Click OK, press F9, run.
9. Now enter a name and a serial and click "Check".
10. The break location does not seem to have changed. But if you understand the message handling mechanism, you should know how this break differs from the earlier one. (Execution will now flow to the registration algorithm.)
00401029  enter 0, 0                  ; analysed as <WinProc>
0040102d  push EBX
0040102e  push EDI
0040102f  push ESI
00401030  cmp [arg.2], 110
00401037  je short cycle.0040105e
00401039  cmp [arg.2], 111            ; 111 = WM_COMMAND
00401040  je short cycle.00401082     ; must jump here (why?)
00401042  cmp [arg.2], 10
00401046  je short cycle.00401057
00401048  cmp [arg.2], 2
0040104c  je short cycle.00401057
0040104e  xor EAX, EAX

11. Go to cycle.00401082:
00401082  cmp [arg.3], 67
00401086  jnz short cycle.0040108d    ; will certainly jump here
00401088  call cycle.00401151
0040108d  cmp [arg.3], 66
00401091  jnz short cycle.00401098    ; must not jump here (why?)
00401093  call cycle.0040109c         ; the key call
00401098  xor EAX, EAX

12. The part that ccdebuger's article already analyzed is not repeated here; the key instructions are marked with comments.
0040109c  mov dword ptr ds:[402182], fedcba98
004010a6  push 11                              ; /Count = 11 (17.)
004010a8  push cycle.00402171                  ; |Buffer = cycle.00402171
004010ad  push 3e9                             ; |ControlID = 3e9 (1001.)
004010b2  push [arg.1]                         ; |hWnd
004010b5  call <jmp.&user32.GetDlgItemTextA>   ; \GetDlgItemTextA (serial)
004010ba  or EAX, EAX
004010bc  je short cycle.0040111f
004010be  push 11                              ; /Count = 11 (17.)
004010c0  push cycle.00402160                  ; |Buffer = cycle.00402160
004010c5  push 3e8                             ; |ControlID = 3e8 (1000.)
004010ca  push [arg.1]                         ; |hWnd
004010cd  call <jmp.&user32.GetDlgItemTextA>   ; \GetDlgItemTextA (name)
004010d2  or EAX, EAX
004010d4  je short cycle.0040111f
004010d6  mov ECX, 10
004010db  sub ECX, EAX
004010dd  mov ESI, cycle.00402160
004010e2  mov EDI, ESI
004010e4  add EDI, EAX
004010e6  cld
004010e7  rep movs byte ptr es:[EDI], byte ptr ds:[ESI]
004010e9  xor ECX, ECX
004010eb  mov ESI, cycle.00402171
004010f0  inc ECX
004010f1  lods byte ptr ds:[ESI]
004010f2  or AL, AL
004010f4  je short cycle.00401100
004010f6  cmp AL, 7E
004010f8  jg short cycle.00401100
004010fa  cmp AL, 30
004010fc  jb short cycle.00401100
004010fe  jmp short cycle.004010f0
00401100  cmp ECX, 11
00401103  jnz short cycle.0040111f    ; checks that the length is 16 valid characters, i.e. 16 bytes; if not, jumps away
00401105  call cycle.004011f1         ; algorithm
0040110a  mov ECX, 0ff01
0040110f  push ECX
00401110  call cycle.00401190         ; algorithm
00401115  cmp ECX, 1
00401118  je short cycle.00401120     ; jumps
0040111a  call cycle.00401166
0040111f  retn
00401120  mov EAX, dword ptr ds:[402168]
00401125  mov EBX, dword ptr ds:[40216c]
0040112b  xor EAX, EBX
0040112d  xor EAX, dword ptr ds:[402182]
00401133  or EAX, 40404040
00401138  and EAX, 77777777
0040113d  xor EAX, dword ptr ds:[402179]
00401143  xor EAX, dword ptr ds:[40217d]
00401149  jnz short cycle.0040111a    ; must not jump
0040114b  call cycle.0040117b         ; shows the "registration successful" message!
00401150  retn
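To make the two preprocessing steps in the listing concrete, here is an added C re-implementation (not the crackme's own code) of the name extension at 004010d6..004010e7 and the serial character and length check at 004010e9..00401103, run on constructed inputs; the buffer size follows the Count argument 0x11, and the NUL terminator written at the end of extend_name is an addition for printing.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 0x11   /* GetDlgItemTextA Count in the listing: 16 characters + NUL */

/* 004010d6-004010e7: ECX = 0x10 - len, ESI = name, EDI = name + len, REP MOVSB.
   The copy is byte by byte and the two regions overlap, so a short name is
   repeated until 16 bytes are filled: "ccdebuger" becomes "ccdebugerccdebug". */
void extend_name(char name[BUF_LEN], uint32_t len) {
    uint32_t ecx = 0x10 - len;          /* bytes still missing up to 16 */
    char *esi = name, *edi = name + len;
    while (ecx--) *edi++ = *esi++;      /* REP MOVSB semantics; memcpy would not do */
    name[0x10] = '\0';                  /* added only so the result prints; not in the listing */
}

/* 004010e9-00401103: count bytes until a NUL or a byte outside 0x30..0x7E,
   then require ECX == 0x11, i.e. exactly 16 accepted characters before the NUL.
   CMP AL,7E / JG is a signed compare and CMP AL,30 / JB an unsigned one;
   both are reproduced as-is. */
int serial_length_ok(const char *serial) {
    const uint8_t *esi = (const uint8_t *)serial;
    uint32_t ecx = 0;
    for (;;) {
        uint8_t al;
        ecx++;                          /* INC ECX */
        al = *esi++;                    /* LODSB */
        if (al == 0) break;             /* OR AL,AL / JE */
        if ((int8_t)al > 0x7E) break;   /* CMP AL,7E / JG (signed) */
        if (al < 0x30) break;           /* CMP AL,30 / JB (unsigned) */
    }
    return ecx == 0x11;                 /* CMP ECX,11 */
}

int main(void) {
    char name[BUF_LEN] = "ccdebuger";   /* constructed input */
    const char *serials[] = { "0123456789ABCDEF", "TOO-SHORT", "0123456789ABCDE!" };
    extend_name(name, (uint32_t)strlen(name));
    printf("extended name: %s\n", name);
    for (int i = 0; i < 3; i++)
        printf("serial %-18s length check %s\n", serials[i],
               serial_length_ok(serials[i]) ? "passes" : "fails");
    return 0;
}
```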

I've finally finished writing. Now let's review the questions from the beginning:
1. Do you feel you don't know where the breakpoint should be set?
A: The message breakpoint is placed at the entry of the Windows message handling function.
2. Why does it break where it does?
A: OllyDbg matches the data on the stack against the function prototype, so the matching condition generally takes the form [ESP+XX]==XXXXX.
3. After it breaks, how do I find the right location?
A: This comes from programming experience and from the Windows message handling mechanism; it is a combination of theory and practice.

Finally, to sum up: because Windows is message-driven, most things are done through messages, and so a large part of them can be reached through message breakpoints. But how do you break on a message? In general it goes like this: 1. Find the function that handles the message loop. 2. Set a breakpoint at the entry of that function.

That's all for this part. I have praised ccdebuger a lot; but while praising him, I wonder whether people have carefully digested his results? Actually, I hadn't, because I didn't know much about it, so I still followed my own ideas. The purpose of this article is to help a friend: he wanted to break on a message but didn't know how to proceed, so I gave him ccdebuger's message breakpoint article. However, it still did not solve his problem. Later I tried it myself. Indeed, for the WM_COMMAND message OD keeps breaking again and again, so a simple message breakpoint won't do; combining it with run trace solves the problem, which is presumably how ccdebuger's article came about (a guess, haha).
Finally, a correction to the following passage:
Quote:
When I got to tracing the algorithm, I found that this crackme is actually quite complicated. I didn't have much time to trace it in detail, so I haven't written out the specific algorithm. If you are interested you can check it: the registration code is 17 bits, and the user name is extended to 16 bits by copying; for example, if I enter "ccdebuger", it is extended to "ccdebugerccdebug". Roughly, the first 8 digits of the extended user name and the first 8 digits of the registration code are taken first, and the first four and last four digits of the user name are calculated with the first four and last four digits of the registration code respectively; after that, the last 8 digits of the extended user name and the last 8 digits of the registration code are split into two parts and XORed with the values calculated from the first 8 digits of the user name and registration code, and the final result must be 0. I have not found where the 17th bit of the registration code is used. For beginners this crackme may be a little difficult. It doesn't matter; we are mainly learning how to use OllyDbg.

Regarding the concept of "bit": a bit is a binary digit; one byte is eight bits, and one character is one byte. So "the registration code is 17 bits" should be "the registration code is 17 bytes". And if you have traced and analyzed it, you will find that even this is wrong: it should be "the registration code is 16 bytes".
At CMP ECX, 11 the 11 is hexadecimal, that is, decimal 17, and the code shows that this count must be reduced by 1 to get the true length of the string. So it should be changed to "the registration code is 16 bytes", and the "bit" that follows should be "byte". I did not notice this the first time I read it.
