bullet187
August 9th, 2004, 01:37
Hello!
I have SoftIce 4.5 on XP. Is there a breakpoint like hmemcpy on Win98 for when GetWindowTextA or GetDlgItemTextA doesn't work?
gryzon
August 9th, 2004, 01:48
Just take a look at hxxp://www.team-x.ru/xforum/topic876.html

bullet187
August 9th, 2004, 01:50
Very funny!
Are you from Poland?
JMI
August 9th, 2004, 02:07
Actually, the article is in Russian, not Polish.
Emulating hmemcpy in WinXP
The purpose of this article is to show, with the help of OllyDbg and SoftICE, where to set a breakpoint in WinXP to get an effect similar to the hmemcpy API function in Win9x. This SOMETHING is not an API function. This SOMETHING is simply an address in the USER32 module, which has been given the name Point-H.
!!! Point-H is not a universal constant. It is unique to each system!!!
Point-H via OllyDbg (the idea belongs to Ricardo Narvaja)
1. Load CRACKME.EXE in Olly.
2. Set a conditional breakpoint on the API TranslateMessage. To do this:
a) open the list of imports [Ctrl+N]
b) find the API TranslateMessage.
c) right-click on the line "USER32.TranslateMessage".
d) in the menu that appears, select "Conditional log breakpoint on import".
3. Now we define the conditions for triggering the breakpoint.
In the field "Condition" write MSG == 201
In the field "Expression" write MSG
Decode value of expression as: Assume by expression.
For "Pause program" set the value "On condition".
NOTE: On some systems the condition MSG == 201 may not fire. In that case use MSG == 202.
4. Start the application [F9], enter any registration data (Name: PowerUser, Serial: 162534) and press "OK".
5. The debugger stops execution of the process in the USER32 module:
77D43DD3 56 PUSH ESI
77D43DD4 8B7424 08 MOV ESI,DWORD PTR SS:[ESP+8]
77D43DD8 66:817E 08 E500 CMP WORD PTR DS:[ESI+8],0E5
77D43DDE 0F84 16870300 JE USER32.77D7C4FA
77D43DE4 6A 00 PUSH 0
77D43DE6 56 PUSH ESI
77D43DE7 E8 9EFFFFFF CALL USER32.TranslateMessageEx
77D43DEC 5E POP ESI
77D43DED C2 0400 RETN 4
6. Open the memory map [Alt+M]. Then [Ctrl+B] to search for a string.
7. In the search window enter the serial number that was used during registration in CRACKME.EXE:
0014A698 31 36 32 35 33 34 00 00 00 00 00 00 00 00 00 00 162534..........
0014A6A8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0014A6B8 AB AB AB AB AB AB AB AB 00 00 00 00 3C 00 95 00 ............<...
8. Set a breakpoint on access to the memory where the entered s/n is stored. To do this, select the serial in the dump window and right-click. In the menu that appears: Breakpoint -> Memory, on access
9. Start the application [F9]. Olly stops right at Point-H:
77D6067C F3:A5 REP MOVS DWORD PTR ES:[EDI], DWORD PTR DS:[ESI]
Point-H via SoftICE
Here it is even simpler.
Load CRACKME.EXE, enter any name (PowerUser) and serial (615243) into the appropriate input fields, then set a conditional breakpoint on TranslateMessage in SoftICE:
bpx TranslateMessage if @(esi+4)==201 [Enter]
or, if WM_LBUTTONDOWN (201h) does not work,
bpx TranslateMessage if @(esi+4)==202 [Enter]
(at address [esi+4], on entry to the API, the message code is stored)
In the registration window of CRACKME.EXE press "OK". When the debugger window pops up, find where in memory the entered s/n is stored:
S 00000000 L ffffffff '615243'
It will appear in the data window. Now all that remains is to set a breakpoint on the memory where it is stored:
bpm xxxxxxxx R
where xxxxxxxx is the address at which the s/n you entered begins.
SoftICE stops right after Point-H:
:77D6067C F3A5 REPZ MOVSD <------ Point-H
:77D6067E 8BC8 MOV ECX, EAX <---- this is where SoftICE lands
:77D60680 83E103 AND ECX, 03
:77D60683 F3A4 REPZ MOVSB
So, on my system Point-H is 77D6067C. Now it is possible to set breakpoints on it (bpx 77D6067C), just as we did bpx hmemcpy in the old, moss-covered Win98.
That's all for today.
Keep on reversing...
That will get you most of it, and the crackme. A few words are garbled.
Regards,
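As an added example (not part of the original post or of the article it quotes), the following Python script parses OllyDbg dump lines like the three quoted above, finds the address at which the typed serial begins, and builds the two SoftICE commands from the article (the conditional bpx on TranslateMessage and the bpm on the serial's buffer). The dump lines are copied from the thread; the function names, the small WM_ table and the MSG-struct helper are my own assumptions for illustration.

```python
"""Locate the typed serial in an OllyDbg-style hex dump and emit the SoftICE
breakpoint commands described in the thread.  Added example, not the article's
own code; helper names and the WM_ table are assumptions."""
import re
import struct

# Constructed input: the three dump lines quoted in the thread
# (OllyDbg layout: 8-digit address, 16 hex bytes, ASCII column).
DUMP = """\
0014A698 31 36 32 35 33 34 00 00 00 00 00 00 00 00 00 00 162534..........
0014A6A8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0014A6B8 AB AB AB AB AB AB AB AB 00 00 00 00 3C 00 95 00 ............<...
"""

# Address, then at most 16 hex byte pairs; the ASCII column is ignored.
_LINE = re.compile(r"^([0-9A-Fa-f]{8})((?:\s+[0-9A-Fa-f]{2}){1,16})")


def parse_dump(text):
    """Return (base_address, bytes) for one contiguous OllyDbg dump block."""
    base = expected = None
    data = bytearray()
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        addr = int(m.group(1), 16)
        chunk = bytes.fromhex(m.group(2).replace(" ", ""))
        if base is None:
            base = addr
        elif addr != expected:
            raise ValueError(f"dump not contiguous at {addr:08X}")
        data += chunk
        expected = addr + len(chunk)
    if base is None:
        raise ValueError("no dump lines found")
    return base, bytes(data)


def find_serial(text, serial):
    """Address where the serial (ASCII, NUL-terminated) starts, or None."""
    base, data = parse_dump(text)
    off = data.find(serial.encode("ascii") + b"\0")
    return None if off < 0 else base + off


# Message codes used in the thread.  SoftICE and OllyDbg read numbers as hex,
# so "201" on the command line already means WM_LBUTTONDOWN (0x201).
WM = {"WM_LBUTTONDOWN": 0x201, "WM_LBUTTONUP": 0x202}


def softice_commands(text, serial, message="WM_LBUTTONDOWN"):
    """The two SoftICE commands from the article, for this dump and serial."""
    addr = find_serial(text, serial)
    if addr is None:
        raise LookupError("serial not present in dump")
    # On entry to TranslateMessage ESI points at the MSG struct (per the
    # article); its 'message' field sits at offset 4, hence @(esi+4).
    bpx = f"bpx TranslateMessage if @(esi+4)=={WM[message]:X}"
    bpm = f"bpm {addr:08X} R"
    return bpx, bpm


def message_from_msg_struct(hwnd, message, wparam, lparam):
    """Pack the first four DWORDs of a Win32 MSG (hwnd, message, wParam,
    lParam) and read back offset 4, the word the bpx condition tests."""
    blob = struct.pack("<IIII", hwnd, message, wparam, lparam)
    return struct.unpack_from("<I", blob, 4)[0]


if __name__ == "__main__":
    for cmd in softice_commands(DUMP, "162534"):
        print(cmd)
```

Running it on the quoted dump prints `bpx TranslateMessage if @(esi+4)==201` and `bpm 0014A698 R`; the search is for the serial plus its terminating NUL so that a longer number containing the same digits does not match.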
bullet187
August 9th, 2004, 02:24
Hello!
I know that this txt is in Russian, but the nick of that guy 'gryzon' is Polish. I'm from Poland too.
Thanks for help!
I'll try it.