od的一些斷點解釋（SomebreakpointeplanationsofOD）

od的一些斷點解釋(SomebreakpointexplanationsofOD)

攔截窗口：

bpcreatewindow創(chuàng)建窗口

createwindowex(bp)創(chuàng)建窗口

bpshowwindow顯示窗口

bpupdatewindow更新窗口

getwindowtext(bp)獲取窗口文本

攔截消息框：

messagebox(bp)創(chuàng)建消息框

bpmessageboxexa創(chuàng)建消息框

messageboxindirect(bp)創(chuàng)建定制消息框

bpisdialogmessagew

攔截警告聲：

bpmessagebeep發(fā)出系統(tǒng)警告聲(如果沒有聲卡就直接驅動系統(tǒng)喇

叭發(fā)聲)

攔截對話框：

bpdialogbox創(chuàng)建模態(tài)對話框

dialogboxparam(bp)創(chuàng)建模態(tài)對話框

bpdialogboxindirect創(chuàng)建模態(tài)對話框

dialogboxindirectparam(bp)創(chuàng)建模態(tài)對話框

bpcreatedialog創(chuàng)建非模態(tài)對話框

createdialogparam(bp)創(chuàng)建非模態(tài)對話框

bpcreatedialogindirect創(chuàng)建非模態(tài)對話框

createdialogindirectparam(bp)創(chuàng)建非模態(tài)對話框

getdlgitemtext(bp)獲取對話框文本

bpgetdlgitemint獲取對話框整數值

攔截剪貼板：

bpgetclipboarddata獲取剪貼板數據

攔截注冊表：

regopenkey(bp)打開子健

bpregopenkeyex打開子健

regqueryvalue(bp)查找子健

bpregqueryvalueex查找子健

regsetvalue(bp)設置子健

regsetvalueex(bp)設置子健

功能限制攔截斷點：

bpenablemenuitem禁止或允許菜單項

bpenablewindow禁止或允許窗口

攔截時間：

bpgetlocaltime獲取本地時間

bpgetsystemtime獲取系統(tǒng)時間

bpgetfiletime獲取文件時間

bpgettickcount獲得自系統(tǒng)成功啟動以來所經歷的毫秒數

bpgetcurrenttime獲取當前時間(16位)

bpsettimer創(chuàng)建定時器

bptimerproc定時器超時回調函數

getdlgitemint得指定輸入框整數值

getdlgitemtext得指定輸入框輸入字符串

getdlgitemtexta得指定輸入框輸入字符串

攔截文件：

bpcreatefilea創(chuàng)建或打開文件（32位）

bpopenfile打開文件（32位）

bpreadfile讀文件（32位）

bpwritefile寫文件（32位）

getmodulefilenamea

getfilesize

setfilepointer

fileopen

findfirstfilea

readfile

攔截驅動器：

bpgetdrivetypea獲取磁盤驅動器類型

bpgetlogicaldrives獲取邏輯驅動器符號

bpgetlogicaldrivestringsa獲取當前所有邏輯驅動器的根驅動器

路徑

★★vb程序專用斷點★★

文件長度：rtcfilelen

bp__vbafreestr對付vb程序重啟驗證

bp___vbastrcmp比較字符串是否相等

bp___vbastrcomp比較字符串是否相等

bp___vbavartstne比較變量是否不相等

bp___vbavartsteq比較變量是否相等

bp___vbastrcopy復制字符串

bp___vbastrmove移動字符串

bpmu11ibytetowidecharansi字符串轉換成unicode字符串

bpwidechartomultibyteunicode字符串轉換成ansi字符串

密碼常用中斷

Hmemcpy（Win9x專用）

getdlgitemtexta

getdlgitemint

VB：

getvolumeinformationa

vbastrcomp(TRW)

創(chuàng)建―vbastrcomp(記得是兩個")

msvbvm60!vbastrcompIsofice

msvbvm50!

vbai4str

按Ctrl+D

創(chuàng)建msvbvm60!—vbastrcomp做“D*(ESP+OC)”(SoftICE)

按幾次F5出冊碼出來了。

創(chuàng)建regqueryvalueexa做“DESP—>8”(TRW)

vbavartsteq判斷是否注冊的函數

(0042932f66898580feffffMOVEBP+fffffE80PTR［字］,斧

改為0042932f66898580feffffMOVEBP+fffffE80PTR［字］，

BX)

時間常用中斷

GetSystemTime

本地時間

函數

VB：

rtcgetpresentdate/取得當前日期

殺窗常用中斷

lockmytask（Win9x專用）

BP是退出進程

窗口銷毀

mouse_event（鼠標中斷）

postquitmessage（開裂足彩XP,很有用'_'）

VB：

_rtcmsgbox

ini文件內容常用中斷

getprivateprofilestringa

getprivateprofileprofileint

關鍵文件：

getprivateprofileint

ReadFile

CreateFileA

注冊表常用中斷

regqueryvaluea

regqueryvalueexa

狗加密中斷

及H278R

及H378R

其它常用函數斷點

CreateFileA（讀狗驅動程序）,

DevicelOControl,

FreeEnvironmentStringsA（對付搭扣非常有效）。

Prestochangoselector（16位搭扣的），“7242”查找字符串（對付

圣天諾具體含義參考下面的范例）。

光盤破解中斷

16：

GetVolumelnformation

GetDriveType

國際2fh（DOS）

32：

這個

getfullpathnamea

getwindowsdirectorya

讀磁盤中斷

返回擴充出錯代碼GetLastError

限制中斷

允許、禁止或變灰指定的菜單條目或允許菜單項

的允許或禁止鼠標和鍵盤控制指定窗口和條目（禁止時菜單變灰）

不知道軟盤中斷是什么了？還有其它特殊中斷，不知道其他朋友可否

說一下了？

如ockmytask和mouseevent,這些就不是api32函數？

與進行破解Win9xWin2K,以上中斷有部分已經不能用了？

不知道在Win2K上，以上常用中斷函數是什么了？

也就是問密碼、時間、窗口、INI、關鍵、注冊表、加密狗、光盤、

軟盤、限制等！

了解常用的中斷，對破解分析可以做到事半功倍！

請大家說一下！還有如何破解了某個軟件時，一重啟就打回原形？

可以分為三種情況不知道下什么中斷了？：

lo比較可能在注冊表中

2o比較在特殊文件（*關鍵*INI*。DAT等）

3。比較在程序中，沒有任何錯誤提示或者反譯也找不到明顯字符（這

個就是我想問的）

還有一個是最難的，就是去掉水?。?/p>

也可以三種情況:

A.水印是位圖文件（BitBlt,creatbitmap等位圖函數）

B.水印是明顯字符（反譯分析）

C.水印不是明顯字符（如：這是一個演示！它只是顯示在另一個制作

文件上，可是**等.htm文件。）

C.才是最難搞,

That'swhatmanypeoplewanttoknow!Includingme.Iwonder

iftheexpertshaveanyhints

Advertisingstrip:

Canbedividedintotwocases:

A.fromthewindowintothehand,youcanuseMoveWindoworother

windowfunctions!

B.frombitmaptohand,alsocanuseBitBltorotherbitmap

function!

Finally,youcantakeadvantageofexistingtoolssuchasapi27,

vwindset,freespy,andsoon

Althoughthegrapetree,growthinseedlingshed.

Attheleft,notthedustalight?

Pellet[CCG]

Thatdependsonwherethemarkismade,usuallyleaving

informationintheregistry!

Insoftice,useBPXregqueryvalueexado"desp->8"tointerrupt

tosee,

InTRW,useBPXregqueryvalueexado"d*(esp+8)“tointerrupt

tosee.

What'smore,leavetheregistrationinformationinthis

directory,commonwith.Dat,.Ini,.Dll,andsoon,

I'musingBPXreadfiletointerrupt,andtheotheristoleave

theregistrationinformationunderthewindowsdirectory.

Youcanusespecialtoolstohelpyoucheck,enterFILEMONand

soon!

Vb:

1,—vbaVarTstNe//twovariablesarenotequal

2,rtcR8ValFromBstr//convertastringoffloatingpoint

3,rtcMsgBoxdisplaysamessagedialogbox

4,rtcBeep//letthespeakerscall

5,rtcGetPresentDate//getthecurrentdate

Stringfor:

vbaStrComp

vbaStrCmp

vbaStrCompVar

vbaStrLike

vbaStrTextComp

vbaStrTextLike

Forvariables:

—vbaVarCompEq

_vbaVarCompLe

_vbaVarCompLt

_vbaVarCompGe

_vbaVarCompGt

_vbaVarCompNe

Commonbreakpoints(2)

PointertoVB:

THROW

VBDLLalsocallssomeofthefunctionsinoleauto32.dll.

01eauto32.dllisagenericproxy/stubDLL,eachofwhichis

definedintheprototypeanddescribedindetailinMSDN.This

alsohelpstounderstandthefunctionoffunctionsinVBDLL.

Giveanexample：

LEA,EAX,[EBP-58]

PUSHEAX

CALL[MSVBVM60!__vbaI4Var]!

HitDDeax+8beforeexecutingcall,andgetthevalueof3;

Aftercallisexecuted,eax=3

Thus,thefunctionof_vbaI4VaristoconvertaVARIANTinto

14(thatis,alonginteger).

—vbaVarTstNeseemstobeusedforselfchecking,withanormal

returnvalueof0.

Knownapplicablesoftwareinclude:threenetworks,three

intelligentrobots,musiccardfactory.Whenthetwosoftware

isaftertheshellwillgowrong,networkthreeintelligent

robotswillproduceillegaloperation,thefactorywilltell

youthemusiccardisillegalcopy,bymodifyingthereturn

valueof_vbaVarTstNecanmaketheirnormaloperation.

So,whenyouencounteraVBsoftware,aftertheshellingcan

notrunproperly,andcannotfindanyotherproblems,youcan

trytointerceptthisfunction,perhapsitwillbeusefuloh.

8-)

APIdoesn'tknowverywell,maybeyoucanreadandwritesectors

onthe98platformviaBIOS,butin2000/NTyoucanwritesectors

throughtheinnerblackATAPIandHAL

Machoman[CCG]

BPXWRITE_PORT_BUFFER_USHORT

NT/2000thisbreakpoint,whenedx=lfOh,youcanseethedata

intheEDIaddressforsectorlocationdata,youmustfirstload

thehal.sysinwinice.dat,seetheATAPImanualindetail

Supplement:

BreakpointonproceduresforVBandtimeconstraints

CrackerABC

FirstgivestheaddressoftheW32DASMthatmodifiestheVB

programthatcancorrectlydecompiletheprogram:

Offsets0xl6B6C-0xl6B6D

Modifythemachinecodefor:98F4

TrackingbreakpointsforVBprograms:

MultiByteToWideChar,

RtcR8ValFromBstr,

WideCharToMultiByte,

—vbaStrCmp

—vbaStrComp

_vbaStrCopy

—vbaStrMove

—vbaVarTstNe

RtcBeep

RtcGetPresentDate(timeAPI)

RtcMsgBox

Timelimitedbreakpoint:

CompareFileTime

GetLocalTime

GetSystemTime

GetTimeZonelnformation

Msvcrt.diffTime()

Msvcrt.Time()

Generaltreatment

BPXhmemcpy

BPXMessageBox

BPXMessageBoxExA

BPXMessageBeep

BPXSendMessage

BPXGetDlgltemText

BPXGetDlgltemlnt

BPXGetWindowText

BPXGetWindowWord

BPXGetWindowInt

BPXDialogBoxParamA

BPXCreateWindow

BPXCreateWindowEx

BPXShowWindow

BPXUpdateWindow

BmsgXXXXwm_move

BmsgXXXXwm_gettext

BmsgXXXXwmcommand

BmsgXXXXwm_activate

Timecorrelation

Bpint21,if,ah==2A(DOS)

BPXGetLocalTime

BPXGetFileTime

BPXGetSystemtime

CD-ROMordiskcorrelation

Bpint13,if,ah==2(DOS)

Bpint13,if,ah==3(DOS)

Bpint13,if,ah==4(DOS)

BPXGetFileAttributesA

BPXGetFileSize

BPXGetDriveType

BPXGetLastError

BPXReadFile

BPIO-h(Your,CD-ROM,Port,Address)R

Softwaredogrelated

BPIO-h278R

BPIO-h378R

Keyboardinputcorrelation

Bpint16,if,ah==0(DOS)

Bpint21,if,ah==0xA(DOS)

Fileaccessrelated

Bpint21,if,ah==3dh(DOS)

Bpint31,if,ah==3fh(DOS)

Bpint21,if,ah==3dh(DOS)

BPXReadFile

BPXWriteFile

BPXCreateFile

BPXSetFilePointer

BPXGetSystemDirectory

INIinitializationfilecorrelation

BPXGetPrivateProfileString

BPXGetPrivateProfilelnt

BPXWritePrivateProfileString

BPXWritePrivateProfilelnt

Registryrelated

BPXRegCreateKey

BPXRegDeleteKey

BPXRegQueryvalue

BPXRegCloseKey

BPXRegOpenKey

Registrationflagrelated

BPXcs:eipifEAX==0

Memorystandarddependent

Bpmb,cs:eip,RW,if,0x30:0x45AA==0

Displaycorrelation

BPX0x30:0x45AAdo〃d0x30:0x44BB〃"

“BPXCS:0x66CCdo"?EAX?”

Findwindow

FindWindowA

BPSetFilePointer

BPXhmemcpy;crackuniversalbreakpoints,interceptmemory

copyactions(Note:Win9xdedicatedbreakpoints)

BPXLockmytask:whenyouareinvalidwithotherbreakpoints,

youcantrythebreakpointinterceptbuttonaction(Win9xonly)

Youcan'tfindabreakpoint,youcantrythefollowingmethod:

Bmsghandlewm_gettext;blockedregistrationcode(handleis

thehandleofthecorrespondingwindow)

Bmsghandlewm_command;blocktheOKbutton(handleisthe

handletothecorrespondingwindow)

Interceptwindow:

BPXCreateWindow;createwindows

BPXCreateWindowEx(A/W);

createawindow

BPXShowWindow;displaywindow

BPXUpdateWindow;updatewindow

BPXGetWindowText(A/W);getsthewindowtext

Interceptmessagebox:

BPXMessageBox(A/W);createsamessagebox

BPXMessageBoxExA(W);createsamessagebox

BPXMessageBoxIndirect(A/W);createcustommessageboxes

Interceptwarningsounds:

BPXMessageBeep;sendoutasystemwarningsound(ifyoudon't

haveasoundcard,drivethesystemspeakersdirectly)

Interceptdialogbox:

BPXDialogBox;createmodaldialogbox

BPXDialogBoxParam(A/W);createmodaldialogbox

BPXDialogBoxIndirect;createmodaldialogbox

BPXDialogBoxlndirectParam(A/W);createmodaldialogbox

BPXCreateDialog;createmodelessdialogs

BPXCreateDialogParam(A/W);createmodelessdialogbox

BPXCreateDialoglndirect;createmodelessdialogs

BPXCreateDialoglndirectParam(A/W);createmodelessdialog

box

BPXGetDlgltemText(A/W);getsthedialogboxtext

BPXGetDlgltemlnt;getsthefullvalueofthedialogbox

Blockclipboard:

BPXGetClipboardData;getclipboarddata

Blockregistry:

BPXRegOpenKey(A/W);ZiJianopen(example:BPXRegOpenKey(A)

if*(esp->8)=='****')

BPXRegOpenKeyExA(W);ZiJianopen(example:BPXRegOpenKeyEx

if*(esp->8)=='****')

BPXRegQueryValue(A/W);ZiJiansearch(example:BPX(A)if

*RegQueryValue(esp->8)=='****')

BPXRegQueryValueEx(A/W);ZiJiansearch(example:BPXif*

RegQueryValueEx(esp->8)=='****')

BPXRegSetValue(A/W);ZiJian(example:BPXRegSetValue(A)

if*(esp->8)=='****')

BPXRegSetValueEx(A/W);ZiJian(example:BPXRegSetValueEx

(A)if*(esp->8)=='****')

Note:forthespecified*****'subkeysbefore4characters,such

assubkeyis'Regcode',then，Regc''****'=

Functionlimitinterceptbreakpoint:

BPXEnableMenuItem;prohibitorallowmenuitems

BPXEnab1eWindow;prohibitorallowwindows

BmsghMenuwm_command;interceptmenukeyevents,wherehMenu

isthemenuhandle

BPXK32Thkl632Prolog;withbmsghMenuwm_command,youcanenter

themenuhandlerthroughthisbreakpoint

Applicationexample:

CALL[KERNEL32!K32Thkl632Prolog]!

CALLTowhichtrackintothemenuhandler

CALL[KERNEL32!K32Thkl632Epilog]!

Intercepttime:

BPXGetLocalTime;getlocaltime

BPXGetSystemTime;getsystemtime

BPXGetFileTime;getthefiletime

BPXGetTickCount;getsthenumberofmillisecondssincethe

systemsuccessfullystarted

BPXGetCurrentTime;getsthecurrenttime(16bits)

BPXSetTimer;createsthetimer

BPXTimerProc;timertimeoutcallbackfunction

Interceptorfile:

BPXCreateFileA(W);createsoropensafile(32bits)

BPXOpenFile;openthefile(32bits)

BPXReadFile;readthefile(32bits)

BPXWriteFile;writefiles(32bits)

BPX_lcreat;createsoropensfiles(16bits)

BPX_lopen;openthefile(16bits)

BPXIread;readthefile(16bits)

BPX_lwrite;writefiles(16bits)

BPX_hread;readthefile(16bits)

BPX_hwrite;

Writefile(16bits)

Interceptordrive:

BPXGetDrivetype(A/W);getthediskdrivetype

BPXGetLogicalDrives;getthelogicaldrivesymbols

BPXGetLogicalDriveStringsA(W);getstherootdrivepathfor

allcurrentlogicaldrives

Doginterceptor:

BPIO-h378(or278,3BC)R;378,278,and3BCareparallelprint

ports

BPIO,-h,3F8(or2F8,3E8