How to find what happens to the input I put in a window?


Apprentice
April 22nd, 2011, 04:54
Hello everyone.
I am new on this website and I am happy to be part of this group.
I have been trying for two weeks to decrypt an encrypted file used by a lookup program.
I searched Google, the Olly site, tuts4you and this site for relevant info. I didn't find anything that I could apply in my case.
My program is quite large, so it is unthinkable to step every instruction.
When I run it freely and pause after the input window is displayed, a return instruction gets highlighted.
When I stepped without going through everything I got to a db section and Olly asked me if I wanted to place a breakpoint and said that it was dangerous (Suspicious breakpoint). I was only stepping and didn't double-click any opcodes. When I said no, the input window was displayed.
What I now want to do is follow my input and see what happens to it. So how do I find the input I entered in a program back in Olly? The program shows the no. of elements found and displays those elements when I input the name of that element. My program has 1 main executable and 2 DLLs: one does the searching and calls the other, crypt.dll. It also has a database file and a CSS file for the layout of the main executable. Hope you guys can point out my mistake and help me go further.

Happy reversing

aqrit
April 24th, 2011, 10:02
Quote:
Originally Posted by Apprentice: how do I find the input I entered in a program back in Olly?


Search process memory for your input (with Cheat Engine), then drop a hardware breakpoint on it.

Or make some educated guesses about which API calls would involve your input and place a bp on them (GetWindowText, WM_COMMAND, etc.).

Here is some old intro stuff:
http://www.woodmann.com/crackz/Archives/Crknotes.zip

Aimless
April 25th, 2011, 01:19
Why not try using IDA debugger, instead of Olly, assuming the file indeed is encrypted?

Have Phun

disavowed
April 25th, 2011, 23:13
To answer your question directly, GetWindowTextW and GetDlgItemTextW are the most common APIs for getting your input.
However, you may also want to break on CreateFileW and/or ReadFile if your goal is to see how your file is getting decrypted.

Apprentice
April 27th, 2011, 09:11
Thanks for the reply guys.

Progress so far:
Cheat Engine added to my tool-kit.

Decrypt function found in crypt.dll, but unable to decrypt how it actually decrypts (so far).
It changes the encrypted code in RAM pointed to by edi into readable words, but not into definitions.

New discovery: my dictionary app deinitializes one dictionary database and initializes the other when I open the app or change databases. Deinit and init are functions in a search DLL that in turn calls crypt.dll.
Why would it have to (de)initialize a database prior to using it?
I breakpointed every function in the local DLLs and this is what happens: my input goes through search -> decrypt -> search results.

Working with the suggested APIs currently. The calls are nested, so I'm having trouble following them all at a time.

My intention was to figure out how that app works in order to convert the dictionary database into plaintext, so that I could use it in a more generic app that fits my needs and works with lots of other dictionaries.

Q: What can IDA do that Olly can't? And why should I consider using it?

Regards

Aimless
April 27th, 2011, 14:37
Quote:
Originally Posted by Apprentice:
Q: What can IDA do that Olly can't? And why should I consider using it?


Beyond-compare disassembler, not that Olly's is bad, but combining that with the ability to use its own debugger, well, it's just ... better.

Have Phun