Thread: other serial input methods to break on?

  1. #1
    haxran


    I'm trying to reverse an executable's serial routine, but I cannot break on execution as it reads my bogus serial. The old reliables GetDlgItemTextA and GetWindowTextA do not get hit... It's just a Win32 exe file (not a VB app); what other methods could it be using to get the input from the window?

    -ran

  2. #2
    Kayaker
    Hi

    Just a quick reply, it's not uncommon (or shouldn't be) for a tricky app to read the characters as you type them in. Look for variations on handling WM_CHAR notification and such.

    Kayaker

  3. #3
    Naides
    Just to complement what Kayaker suggested,

    It is really easy to interact with the human operator via keyboard and mouse without invoking any typical API. In fact, Macromedia and Flash do it all the time:

    They read text that you input using their own routines; USER32 APIs never get called.

    On the other hand, the Windows messages are much harder to bypass and/or emulate.

    You need to know the handle of the window (textbox?) you are dealing with, which you can get from one of many spy programs. Then learn the use of BMSG in SoftICE. Note that BMSG is very touchy about context, so make sure you are in the right context or you won't be able to place the breakpoint.

    Then you can 'catch' the app reading the text you type, character by character, put a memory read BP in the buffer where your characters are being stored, and figure out the serial validation in the usual fashion.
    If you are using Olly, there is no BMSG that I know of; you need to learn the functioning of the "message pump" and use message-related APIs to break into the message notification system.

    There are several tutorials around this technique, I think in Krobar's collection.

  4. #4
    SendMessage with WM_GETTEXT (0Dh)

    bpx SendMessageA if *(esp->8) == 13

    I think - well, what do I know :shrug:

  5. #5
    SiGiNT
    When all else fails - I set a BP on GetDlgItem - and enable it just before I hit the OK button.

    SiGiNT
    Unemployed old fart Geek - Self Employed Annoyance
    Team: Noobisco Crackers
    If someone can't do it for you, you'll never learn!

  6. #6
    Tola
    or try searching for your fake number in memory (should be long enough to be unique) and put a memory breakpoint on that location...

  7. #7

    In Olly there are BMSGs.

    Go to W and look for the button in the windows list, right click, MESSAGE BREAKPOINT (BMSG), and select the right message; the usual are WM_LBUTTONDOWN. Or put a conditional BP in TranslateMessage with MSG==202 in the condition window, and Olly breaks when you push a button; or change the WM to the more appropriate WM_KEYDOWN etc.

    Ricardo Narvaja
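
To show why the API-level breakpoints in the first post never fire while the message-level breaks suggested by Kayaker, Naides and Ricardo do, here is an added C simulation (not code from this thread or from SoftICE/Olly): a window procedure that reads the serial one WM_CHAR at a time into its own buffer, and a pump with a BMSG-style filter keyed on message id. The Msg struct, the message stream and the buffer are constructed; the message numbers are the Windows SDK values, and the WM_GETTEXT message stands in for what GetWindowText sends to the control.

```c
#include <stdio.h>
#include <string.h>
/* Message ids as defined in the Windows SDK header winuser.h. */
#define WM_GETTEXT   0x000D
#define WM_KEYDOWN   0x0100
#define WM_CHAR      0x0102
#define WM_LBUTTONUP 0x0202
typedef struct { unsigned msg; unsigned wparam; } Msg; /* constructed stand-in for MSG */

static char own_buf[32]; /* the app's private buffer, filled one WM_CHAR at a time */
static int  api_hits;    /* times the WM_GETTEXT path (what GetWindowText sends) ran */

/* Simulated window procedure of the serial edit control. */
static void wndproc(const Msg *m) {
    size_t n = strlen(own_buf);
    if (m->msg == WM_CHAR && n + 1 < sizeof own_buf) {
        own_buf[n] = (char)m->wparam;   /* character taken straight from the message */
        own_buf[n + 1] = '\0';
    } else if (m->msg == WM_GETTEXT) {
        api_hits++;                     /* only reached if the app asks for the text */
    }
}

/* Replay a constructed input stream: the user types "AB12" and releases the OK
 * button; if app_uses_api is set the app then fetches the text via WM_GETTEXT.
 * Returns how often a message-level breakpoint on `watched` would fire. */
int scenario(int app_uses_api, unsigned watched) {
    Msg q[8] = { {WM_KEYDOWN, 'A'}, {WM_CHAR, 'A'}, {WM_KEYDOWN, 'B'}, {WM_CHAR, 'B'},
                 {WM_CHAR, '1'}, {WM_CHAR, '2'}, {WM_LBUTTONUP, 0}, {WM_GETTEXT, 0} };
    size_t count = app_uses_api ? 8 : 7;
    int hits = 0;
    own_buf[0] = '\0';
    api_hits = 0;
    for (size_t i = 0; i < count; i++) {
        if (q[i].msg == watched) hits++;   /* BMSG-style break keyed on message id */
        wndproc(&q[i]);
    }
    return hits;
}

const char *typed(void)         { return own_buf; }
int         api_path_hits(void) { return api_hits; }

int main(void) {
    int a = scenario(0, WM_GETTEXT);  /* API-level watch: never fires for this app */
    int b = scenario(0, WM_CHAR);     /* message-level watch: fires per character */
    printf("WM_GETTEXT breaks: %d, WM_CHAR breaks: %d, buffer \"%s\"\n", a, b, typed());
    return 0;
}
```

Post #4's condition `*(esp->8) == 13` is the same idea at the API boundary: 13 decimal is 0x0D, the WM_GETTEXT id, which is the message argument of SendMessageA on the x86 stack at entry.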

  8. #8
    There is another method I used to, just like our old and good Hmemcpy, it is:

    bpx editwndproc+566 and you break in our old hmemcpy.
    Regards,

    Fighter_81
    QUANDO TUTTO SEMBRA PERSO LA VITA CAMBIA VERSO

  9. #9
    There's an OllyDbg plugin for hmemcpy under WinNT kernels called Puntos Magicos, made by Ricardo Narvaja.

    If the target is Delphi, there's another nice approach. Use the godup plugin and apply the full Delphi 6/7 signatures found here in the forum. Search for the gettext procedure and set a breakpoint on every reference. This will lead you very fast to the place where you want to be :-)

  10. #10


    Quote Originally Posted by fighter_81:
        There is another method I used to, just like our old and good Hmemcpy, it is:

        bpx editwndproc+566 and you break in our old hmemcpy.
        Regards,

        Fighter_81

    Very nice Fighter_81, I have tried it, and it's perfectly wonderful.

    In my OllyDbg, the wording is 'bp EditWndProc+566'.

  11. #11
    I'll be glad to have helped you out. I write bpx because I use SoftICE, and sorry for my bad English, but I am an Italian guy.

    regards, Fighter_81
    QUANDO TUTTO SEMBRA PERSO LA VITA CAMBIA VERSO
