od的一些断点解释（SomebreakpointeplanationsofOD）

od的一些断点解释(SomebreakpointexplanationsofOD)

拦截窗口：

bpcreatewindow创建窗口

createwindowex(bp)创建窗口

bpshowwindow显示窗口

bpupdatewindow更新窗口

getwindowtext(bp)获取窗口文本

拦截消息框：

messagebox(bp)创建消息框

bpmessageboxexa创建消息框

messageboxindirect(bp)创建定制消息框

bpisdialogmessagew

拦截警告声：

bpmessagebeep发出系统警告声(如果没有声卡就直接驱动系统喇

叭发声)

拦截对话框：

bpdialogbox创建模态对话框

dialogboxparam(bp)创建模态对话框

bpdialogboxindirect创建模态对话框

dialogboxindirectparam(bp)创建模态对话框

bpcreatedialog创建非模态对话框

createdialogparam(bp)创建非模态对话框

bpcreatedialogindirect创建非模态对话框

createdialogindirectparam(bp)创建非模态对话框

getdlgitemtext(bp)获取对话框文本

bpgetdlgitemint获取对话框整数值

拦截剪贴板：

bpgetclipboarddata获取剪贴板数据

拦截注册表：

regopenkey(bp)打开子健

bpregopenkeyex打开子健

regqueryvalue(bp)查找子健

bpregqueryvalueex查找子健

regsetvalue(bp)设置子健

regsetvalueex(bp)设置子健

功能限制拦截断点：

bpenablemenuitem禁止或允许菜单项

bpenablewindow禁止或允许窗口

拦截时间：

bpgetlocaltime获取本地时间

bpgetsystemtime获取系统时间

bpgetfiletime获取文件时间

bpgettickcount获得自系统成功启动以来所经历的毫秒数

bpgetcurrenttime获取当前时间(16位)

bpsettimer创建定时器

bptimerproc定时器超时回调函数

getdlgitemint得指定输入框整数值

getdlgitemtext得指定输入框输入字符串

getdlgitemtexta得指定输入框输入字符串

拦截文件：

bpcreatefilea创建或打开文件（32位）

bpopenfile打开文件（32位）

bpreadfile读文件（32位）

bpwritefile写文件（32位）

getmodulefilenamea

getfilesize

setfilepointer

fileopen

findfirstfilea

readfile

拦截驱动器：

bpgetdrivetypea获取磁盘驱动器类型

bpgetlogicaldrives获取逻辑驱动器符号

bpgetlogicaldrivestringsa获取当前所有逻辑驱动器的根驱动器

路径

★★vb程序专用断点★★

文件长度：rtcfilelen

bp__vbafreestr对付vb程序重启验证

bp___vbastrcmp比较字符串是否相等

bp___vbastrcomp比较字符串是否相等

bp___vbavartstne比较变量是否不相等

bp___vbavartsteq比较变量是否相等

bp___vbastrcopy复制字符串

bp___vbastrmove移动字符串

bpmu11ibytetowidecharansi字符串转换成unicode字符串

bpwidechartomultibyteunicode字符串转换成ansi字符串

密码常用中断

Hmemcpy（Win9x专用）

getdlgitemtexta

getdlgitemint

VB：

getvolumeinformationa

vbastrcomp(TRW)

创建―vbastrcomp(记得是两个")

msvbvm60!vbastrcompIsofice

msvbvm50!

vbai4str

按Ctrl+D

创建msvbvm60!—vbastrcomp做“D*(ESP+OC)”(SoftICE)

按几次F5出册码出来了。

创建regqueryvalueexa做“DESP—>8”(TRW)

vbavartsteq判断是否注册的函数

(0042932f66898580feffffMOVEBP+fffffE80PTR［字］,斧

改为0042932f66898580feffffMOVEBP+fffffE80PTR［字］，

BX)

时间常用中断

GetSystemTime

本地时间

函数

VB：

rtcgetpresentdate/取得当前日期

杀窗常用中断

lockmytask（Win9x专用）

BP是退出进程

窗口销毁

mouse_event（鼠标中断）

postquitmessage（开裂足彩XP,很有用'_'）

VB：

_rtcmsgbox

ini文件内容常用中断

getprivateprofilestringa

getprivateprofileprofileint

关键文件：

getprivateprofileint

ReadFile

CreateFileA

注册表常用中断

regqueryvaluea

regqueryvalueexa

狗加密中断

及H278R

及H378R

其它常用函数断点

CreateFileA（读狗驱动程序）,

DevicelOControl,

FreeEnvironmentStringsA（对付搭扣非常有效）。

Prestochangoselector（16位搭扣的），“7242”查找字符串（对付

圣天诺具体含义参考下面的范例）。

光盘破解中断

16：

GetVolumelnformation

GetDriveType

国际2fh（DOS）

32：

这个

getfullpathnamea

getwindowsdirectorya

读磁盘中断

返回扩充出错代码GetLastError

限制中断

允许、禁止或变灰指定的菜单条目或允许菜单项

的允许或禁止鼠标和键盘控制指定窗口和条目（禁止时菜单变灰）

不知道软盘中断是什么了？还有其它特殊中断，不知道其他朋友可否

说一下了？

如ockmytask和mouseevent,这些就不是api32函数？

与进行破解Win9xWin2K,以上中断有部分已经不能用了？

不知道在Win2K上，以上常用中断函数是什么了？

也就是问密码、时间、窗口、INI、关键、注册表、加密狗、光盘、

软盘、限制等！

了解常用的中断，对破解分析可以做到事半功倍！

请大家说一下！还有如何破解了某个软件时，一重启就打回原形？

可以分为三种情况不知道下什么中断了？：

lo比较可能在注册表中

2o比较在特殊文件（*关键*INI*。DAT等）

3。比较在程序中，没有任何错误提示或者反译也找不到明显字符（这

个就是我想问的）

还有一个是最难的，就是去掉水印！

也可以三种情况:

A.水印是位图文件（BitBlt,creatbitmap等位图函数）

B.水印是明显字符（反译分析）

C.水印不是明显字符（如：这是一个演示！它只是显示在另一个制作

文件上，可是**等.htm文件。）

C.才是最难搞,

That'swhatmanypeoplewanttoknow!Includingme.Iwonder

iftheexpertshaveanyhints

Advertisingstrip:

Canbedividedintotwocases:

A.fromthewindowintothehand,youcanuseMoveWindoworother

windowfunctions!

B.frombitmaptohand,alsocanuseBitBltorotherbitmap

function!

Finally,youcantakeadvantageofexistingtoolssuchasapi27,

vwindset,freespy,andsoon

Althoughthegrapetree,growthinseedlingshed.

Attheleft,notthedustalight?

Pellet[CCG]

Thatdependsonwherethemarkismade,usuallyleaving

informationintheregistry!

Insoftice,useBPXregqueryvalueexado"desp->8"tointerrupt

tosee,

InTRW,useBPXregqueryvalueexado"d*(esp+8)“tointerrupt

tosee.

What'smore,leavetheregistrationinformationinthis

directory,commonwith.Dat,.Ini,.Dll,andsoon,

I'musingBPXreadfiletointerrupt,andtheotheristoleave

theregistrationinformationunderthewindowsdirectory.

Youcanusespecialtoolstohelpyoucheck,enterFILEMONand

soon!

Vb:

1,—vbaVarTstNe//twovariablesarenotequal

2,rtcR8ValFromBstr//convertastringoffloatingpoint

3,rtcMsgBoxdisplaysamessagedialogbox

4,rtcBeep//letthespeakerscall

5,rtcGetPresentDate//getthecurrentdate

Stringfor:

vbaStrComp

vbaStrCmp

vbaStrCompVar

vbaStrLike

vbaStrTextComp

vbaStrTextLike

Forvariables:

—vbaVarCompEq

_vbaVarCompLe

_vbaVarCompLt

_vbaVarCompGe

_vbaVarCompGt

_vbaVarCompNe

Commonbreakpoints(2)

PointertoVB:

THROW

VBDLLalsocallssomeofthefunctionsinoleauto32.dll.

01eauto32.dllisagenericproxy/stubDLL,eachofwhichis

definedintheprototypeanddescribedindetailinMSDN.This

alsohelpstounderstandthefunctionoffunctionsinVBDLL.

Giveanexample：

LEA,EAX,[EBP-58]

PUSHEAX

CALL[MSVBVM60!__vbaI4Var]!

HitDDeax+8beforeexecutingcall,andgetthevalueof3;

Aftercallisexecuted,eax=3

Thus,thefunctionof_vbaI4VaristoconvertaVARIANTinto

14(thatis,alonginteger).

—vbaVarTstNeseemstobeusedforselfchecking,withanormal

returnvalueof0.

Knownapplicablesoftwareinclude:threenetworks,three

intelligentrobots,musiccardfactory.Whenthetwosoftware

isaftertheshellwillgowrong,networkthreeintelligent

robotswillproduceillegaloperation,thefactorywilltell

youthemusiccardisillegalcopy,bymodifyingthereturn

valueof_vbaVarTstNecanmaketheirnormaloperation.

So,whenyouencounteraVBsoftware,aftertheshellingcan

notrunproperly,andcannotfindanyotherproblems,youcan

trytointerceptthisfunction,perhapsitwillbeusefuloh.

8-)

APIdoesn'tknowverywell,maybeyoucanreadandwritesectors

onthe98platformviaBIOS,butin2000/NTyoucanwritesectors

throughtheinnerblackATAPIandHAL

Machoman[CCG]

BPXWRITE_PORT_BUFFER_USHORT

NT/2000thisbreakpoint,whenedx=lfOh,youcanseethedata

intheEDIaddressforsectorlocationdata,youmustfirstload

thehal.sysinwinice.dat,seetheATAPImanualindetail

Supplement:

BreakpointonproceduresforVBandtimeconstraints

CrackerABC

FirstgivestheaddressoftheW32DASMthatmodifiestheVB

programthatcancorrectlydecompiletheprogram:

Offsets0xl6B6C-0xl6B6D

Modifythemachinecodefor:98F4

TrackingbreakpointsforVBprograms:

MultiByteToWideChar,

RtcR8ValFromBstr,

WideCharToMultiByte,

—vbaStrCmp

—vbaStrComp

_vbaStrCopy

—vbaStrMove

—vbaVarTstNe

RtcBeep

RtcGetPresentDate(timeAPI)

RtcMsgBox

Timelimitedbreakpoint:

CompareFileTime

GetLocalTime

GetSystemTime

GetTimeZonelnformation

Msvcrt.diffTime()

Msvcrt.Time()

Generaltreatment

BPXhmemcpy

BPXMessageBox

BPXMessageBoxExA

BPXMessageBeep

BPXSendMessage

BPXGetDlgltemText

BPXGetDlgltemlnt

BPXGetWindowText

BPXGetWindowWord

BPXGetWindowInt

BPXDialogBoxParamA

BPXCreateWindow

BPXCreateWindowEx

BPXShowWindow

BPXUpdateWindow

BmsgXXXXwm_move

BmsgXXXXwm_gettext

BmsgXXXXwmcommand

BmsgXXXXwm_activate

Timecorrelation

Bpint21,if,ah==2A(DOS)

BPXGetLocalTime

BPXGetFileTime

BPXGetSystemtime

CD-ROMordiskcorrelation

Bpint13,if,ah==2(DOS)

Bpint13,if,ah==3(DOS)

Bpint13,if,ah==4(DOS)

BPXGetFileAttributesA

BPXGetFileSize

BPXGetDriveType

BPXGetLastError

BPXReadFile

BPIO-h(Your,CD-ROM,Port,Address)R

Softwaredogrelated

BPIO-h278R

BPIO-h378R

Keyboardinputcorrelation

Bpint16,if,ah==0(DOS)

Bpint21,if,ah==0xA(DOS)

Fileaccessrelated

Bpint21,if,ah==3dh(DOS)

Bpint31,if,ah==3fh(DOS)

Bpint21,if,ah==3dh(DOS)

BPXReadFile

BPXWriteFile

BPXCreateFile

BPXSetFilePointer

BPXGetSystemDirectory

INIinitializationfilecorrelation

BPXGetPrivateProfileString

BPXGetPrivateProfilelnt

BPXWritePrivateProfileString

BPXWritePrivateProfilelnt

Registryrelated

BPXRegCreateKey

BPXRegDeleteKey

BPXRegQueryvalue

BPXRegCloseKey

BPXRegOpenKey

Registrationflagrelated

BPXcs:eipifEAX==0

Memorystandarddependent

Bpmb,cs:eip,RW,if,0x30:0x45AA==0

Displaycorrelation

BPX0x30:0x45AAdo〃d0x30:0x44BB〃"

“BPXCS:0x66CCdo"?EAX?”

Findwindow

FindWindowA

BPSetFilePointer

BPXhmemcpy;crackuniversalbreakpoints,interceptmemory

copyactions(Note:Win9xdedicatedbreakpoints)

BPXLockmytask:whenyouareinvalidwithotherbreakpoints,

youcantrythebreakpointinterceptbuttonaction(Win9xonly)

Youcan'tfindabreakpoint,youcantrythefollowingmethod:

Bmsghandlewm_gettext;blockedregistrationcode(handleis

thehandleofthecorrespondingwindow)

Bmsghandlewm_command;blocktheOKbutton(handleisthe

handletothecorrespondingwindow)

Interceptwindow:

BPXCreateWindow;createwindows

BPXCreateWindowEx(A/W);

createawindow

BPXShowWindow;displaywindow

BPXUpdateWindow;updatewindow

BPXGetWindowText(A/W);getsthewindowtext

Interceptmessagebox:

BPXMessageBox(A/W);createsamessagebox

BPXMessageBoxExA(W);createsamessagebox

BPXMessageBoxIndirect(A/W);createcustommessageboxes

Interceptwarningsounds:

BPXMessageBeep;sendoutasystemwarningsound(ifyoudon't

haveasoundcard,drivethesystemspeakersdirectly)

Interceptdialogbox:

BPXDialogBox;createmodaldialogbox

BPXDialogBoxParam(A/W);createmodaldialogbox

BPXDialogBoxIndirect;createmodaldialogbox

BPXDialogBoxlndirectParam(A/W);createmodaldialogbox

BPXCreateDialog;createmodelessdialogs

BPXCreateDialogParam(A/W);createmodelessdialogbox

BPXCreateDialoglndirect;createmodelessdialogs

BPXCreateDialoglndirectParam(A/W);createmodelessdialog

box

BPXGetDlgltemText(A/W);getsthedialogboxtext

BPXGetDlgltemlnt;getsthefullvalueofthedialogbox

Blockclipboard:

BPXGetClipboardData;getclipboarddata

Blockregistry:

BPXRegOpenKey(A/W);ZiJianopen(example:BPXRegOpenKey(A)

if*(esp->8)=='****')

BPXRegOpenKeyExA(W);ZiJianopen(example:BPXRegOpenKeyEx

if*(esp->8)=='****')

BPXRegQueryValue(A/W);ZiJiansearch(example:BPX(A)if

*RegQueryValue(esp->8)=='****')

BPXRegQueryValueEx(A/W);ZiJiansearch(example:BPXif*

RegQueryValueEx(esp->8)=='****')

BPXRegSetValue(A/W);ZiJian(example:BPXRegSetValue(A)

if*(esp->8)=='****')

BPXRegSetValueEx(A/W);ZiJian(example:BPXRegSetValueEx

(A)if*(esp->8)=='****')

Note:forthespecified*****'subkeysbefore4characters,such

assubkeyis'Regcode',then，Regc''****'=

Functionlimitinterceptbreakpoint:

BPXEnableMenuItem;prohibitorallowmenuitems

BPXEnab1eWindow;prohibitorallowwindows

BmsghMenuwm_command;interceptmenukeyevents,wherehMenu

isthemenuhandle

BPXK32Thkl632Prolog;withbmsghMenuwm_command,youcanenter

themenuhandlerthroughthisbreakpoint

Applicationexample:

CALL[KERNEL32!K32Thkl632Prolog]!

CALLTowhichtrackintothemenuhandler

CALL[KERNEL32!K32Thkl632Epilog]!

Intercepttime:

BPXGetLocalTime;getlocaltime

BPXGetSystemTime;getsystemtime

BPXGetFileTime;getthefiletime

BPXGetTickCount;getsthenumberofmillisecondssincethe

systemsuccessfullystarted

BPXGetCurrentTime;getsthecurrenttime(16bits)

BPXSetTimer;createsthetimer

BPXTimerProc;timertimeoutcallbackfunction

Interceptorfile:

BPXCreateFileA(W);createsoropensafile(32bits)

BPXOpenFile;openthefile(32bits)

BPXReadFile;readthefile(32bits)

BPXWriteFile;writefiles(32bits)

BPX_lcreat;createsoropensfiles(16bits)

BPX_lopen;openthefile(16bits)

BPXIread;readthefile(16bits)

BPX_lwrite;writefiles(16bits)

BPX_hread;readthefile(16bits)

BPX_hwrite;

Writefile(16bits)

Interceptordrive:

BPXGetDrivetype(A/W);getthediskdrivetype

BPXGetLogicalDrives;getthelogicaldrivesymbols

BPXGetLogicalDriveStringsA(W);getstherootdrivepathfor

allcurrentlogicaldrives

Doginterceptor:

BPIO-h378(or278,3BC)R;378,278,and3BCareparallelprint

ports

BPIO,-h,3F8(or2F8,3E8