other serial input methods to break on?
haxran
February 6th, 2006, 10:03
I'm trying to reverse an executable's serial routine, but I cannot break on execution as it reads my bogus serial. The old reliables GetDlgItemTextA and GetWindowTextA do not get hit. It's just a Win32 exe file (not a VB app); what other methods could it be using to get the input from the window?
-ran
Kayaker
February 6th, 2006, 11:11
Hi
Just a quick reply: it's not uncommon (or shouldn't be) for a tricky app to read the characters as you type them in. Look for variations on handling the WM_CHAR notification and such.
Kayaker
naides
February 6th, 2006, 11:52
Just to complement what Kayaker suggested:
It is really easy to interact with the human operator via keyboard and mouse without invoking any typical API. In fact, Macromedia and Flash do it all the time:
they read the text that you input using their own routines; the USER32 API never gets called.
On the other hand, the Windows messages are much harder to bypass and/or emulate.
You need to know the handle of the window (textbox?) you are dealing with, which you can get from one of many spy programs. Then learn the use of BMSG in SoftICE. Note that BMSG is very touchy about context, so make sure you are in the right context or you won't be able to place the breakpoint.
Then you can 'catch' the app reading the text you type, character by character, put a memory read BP on the buffer where your characters are being stored and figure out the serial validation in the usual fashion.
If you are using Olly, there is no BMSG that I know of; you need to learn the functioning of the "message pump" and use message-related APIs to break into the message notification system.
There are several tutorials around on this technique, I think in Krobar's collection.
JimmyClif
February 6th, 2006, 12:04
SendMessage with WM_GETTEXT (0Dh)
bpx SendMessageA if *(esp->8) == 13
I think - well, what do I know :shrug:
SiGiNT
February 6th, 2006, 13:14
When all else fails, I set a BP on GetDlgItem and enable it just before I hit the OK button.
SiGiNT
Tola
February 6th, 2006, 15:26
Or try searching for your fake number in memory (it should be long enough to be unique) and put a memory breakpoint on that location...
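The memory search Tola describes, as an added example that is not part of the thread: a Win32 target may hold the typed serial as ANSI (the GetDlgItemTextA path), as UTF-16LE (a Unicode edit control or the W API), or with separators stripped before the compare, so the scan below looks for all of those and reports every hit as an address you can put a memory breakpoint on. The memory image, base address and the serial "ABCD-1234-EFGH" are constructed for the example; the unrelated "1234" planted at the end shows why a short or non-unique fake serial gives you ambiguous hits.

```python
"""Find a bogus serial in a memory image in the encodings a Win32 app might
keep it in, so a memory read breakpoint can be set on the right buffer.
Added example for this thread; the image below is constructed, not a dump."""
import re

# Constructed sample: a 4 KiB page at an assumed image base.
BASE = 0x00400000


def build_image():
    img = bytearray(0x1000)
    s = "ABCD-1234-EFGH"
    img[0x200:0x200 + len(s)] = s.encode("latin-1")          # edit buffer (ANSI)
    w = s.encode("utf-16-le")
    img[0x400:0x400 + len(w)] = w                            # Unicode copy
    t = s.replace("-", "").encode("latin-1")
    img[0x600:0x600 + len(t)] = t                            # normalised copy
    img[0x800:0x804] = b"1234"   # unrelated data that happens to hold the digits
    return bytes(img)


IMAGE = build_image()


def serial_candidates(serial):
    """Byte patterns worth searching for: the string as typed and with the
    separators stripped (many checks normalise first), each as ANSI and as
    UTF-16LE. Returns {(text, encoding): needle}."""
    variants = {serial, serial.replace("-", "")}
    cands = {}
    for v in variants:
        cands[(v, "ansi")] = v.encode("latin-1")
        cands[(v, "utf16le")] = v.encode("utf-16-le")
    return cands


def find_serial(image, base, serial):
    """Return [(address, text, encoding)] for every occurrence, sorted by
    address. Addresses are base + offset so they can be typed straight into
    the debugger's memory breakpoint dialog."""
    hits = []
    for (text, enc), needle in serial_candidates(serial).items():
        for m in re.finditer(re.escape(needle), image):
            hits.append((base + m.start(), text, enc))
    return sorted(hits)


if __name__ == "__main__":
    for addr, text, enc in find_serial(IMAGE, BASE, "ABCD-1234-EFGH"):
        print("%08X  %-8s %s" % (addr, enc, text))
    # A short fake serial is not unique: the digits alone also match the
    # unrelated data at 0x400800 and the inside of every longer copy.
    print(len(find_serial(IMAGE, BASE, "1234")), "hits for '1234'")
```

Each hit is a separate buffer the app may read (the control's own storage, the program's copy, a normalised copy), and the one the validation routine actually touches is found by putting the memory breakpoint on each in turn; a serial that is long and distinctive keeps that list short.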
Ricardo Narvaja
February 6th, 2006, 18:18
Go to W and look for the button in the windows list, right-click MESSAGE BREAKPOINT (BMSG) and select the right message; the usual is WM_LBUTTONDOWN. Or put a conditional BP on TranslateMessage with MSG==202 in the condition window, and Olly breaks when you push a button; or change the WM to the more appropriate WM_KEYDOWN etc.
Ricardo narvaja
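To make the two conditions above concrete (JimmyClif's `bpx SendMessageA if *(esp->8) == 13` and Ricardo's `MSG==202` on TranslateMessage), here is an added example, not from the thread, that lays out the stack the way a 32-bit stdcall API sees it at its first instruction and evaluates both conditions against constructed messages. The assumptions (not stated in the thread) are: x86 stdcall, so `[esp]` is the return address, `[esp+4]` the first argument and `[esp+8]` the second; and the Win32 MSG structure is seven little-endian DWORDs `{hwnd, message, wParam, lParam, time, pt.x, pt.y}`. The keystroke sequence and addresses are made up for the example; the WM_CHAR stream also shows the point Kayaker and naides make, that the typed text is recoverable from messages alone without any GetDlgItemText call.

```python
"""Evaluate the SendMessageA / TranslateMessage breakpoint conditions from the
thread against a constructed x86 stack frame and Win32 MSG records.
Added example; layouts assumed: 32-bit stdcall, MSG = 7 little-endian DWORDs."""
import struct

WM_KEYDOWN     = 0x0100
WM_CHAR        = 0x0102
WM_LBUTTONDOWN = 0x0201
WM_LBUTTONUP   = 0x0202   # Olly condition MSG==202
WM_SETTEXT     = 0x000C
WM_GETTEXT     = 0x000D   # SoftICE condition *(esp->8) == 13


class Memory:
    """Flat little-endian byte image addressed by virtual address."""
    def __init__(self, base, size):
        self.base, self.data = base, bytearray(size)

    def dword(self, addr):
        return struct.unpack_from("<I", self.data, addr - self.base)[0]

    def write(self, addr, data):
        off = addr - self.base
        self.data[off:off + len(data)] = data


def build_frame(mem, esp, *args):
    """stdcall entry frame: [esp]=return address, then the arguments in order."""
    mem.write(esp, struct.pack("<%dI" % (len(args) + 1), 0xDEADBEEF, *args))


def build_msg(mem, addr, hwnd, message, wparam, lparam=0):
    """Write a MSG {hwnd, message, wParam, lParam, time, pt.x, pt.y} at addr."""
    mem.write(addr, struct.pack("<7I", hwnd, message, wparam, lparam, 0, 0, 0))


def sendmessage_condition(mem, esp):
    """SendMessageA(hWnd, Msg, wParam, lParam): Msg is the 2nd arg, [esp+8]."""
    return mem.dword(esp + 8) == WM_GETTEXT


def translatemessage_condition(mem, esp, wanted=WM_LBUTTONUP):
    """TranslateMessage(lpMsg): lpMsg is [esp+4]; MSG.message sits at lpMsg+4."""
    lpmsg = mem.dword(esp + 4)
    return mem.dword(lpmsg + 4) == wanted


def pump_breaks(messages, wanted):
    """Run constructed (message, wParam) pairs through a TranslateMessage
    breakpoint conditioned on MSG==wanted. Returns (indices that break,
    text recovered from the WM_CHAR stream alone)."""
    mem = Memory(0x00100000, 0x1000)
    esp, lpmsg, hwnd = 0x00100800, 0x00100100, 0x000A0B0C
    hits, typed = [], ""
    for i, (message, wparam) in enumerate(messages):
        build_msg(mem, lpmsg, hwnd, message, wparam)
        build_frame(mem, esp, lpmsg)
        if translatemessage_condition(mem, esp, wanted):
            hits.append(i)
        if message == WM_CHAR:          # what a WM_CHAR-reading app sees
            typed += chr(wparam)
    return hits, typed


def sendmessage_breaks(message, buf_len=64):
    """Would the SoftICE condition fire for SendMessageA(hEdit, message, n, buf)?"""
    mem = Memory(0x00100000, 0x1000)
    esp, hedit, buf = 0x00100800, 0x000A0B0C, 0x00100400
    build_frame(mem, esp, hedit, message, buf_len, buf)
    return sendmessage_condition(mem, esp)


# Constructed keystrokes: the user types "AB" then clicks OK.
SERIAL_KEYSTROKES = [
    (WM_KEYDOWN, 0x41), (WM_CHAR, ord("A")),
    (WM_KEYDOWN, 0x42), (WM_CHAR, ord("B")),
    (WM_LBUTTONDOWN, 1), (WM_LBUTTONUP, 0),
]

if __name__ == "__main__":
    print(pump_breaks(SERIAL_KEYSTROKES, WM_LBUTTONUP))   # ([5], 'AB')
    print(pump_breaks(SERIAL_KEYSTROKES, WM_CHAR))        # ([1, 3], 'AB')
    print(sendmessage_breaks(WM_GETTEXT), sendmessage_breaks(WM_SETTEXT))
```

Breaking on WM_LBUTTONUP lands you in the pump just before the OK handler runs, which is where a step-over into DispatchMessage finds the validation; breaking on WM_CHAR catches an app that assembles the serial itself, one character at a time, and never asks the edit control for its text.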
fighter_81
February 7th, 2006, 02:25
There is another method I use too, just like our old and good hmemcpy. It is:
bpx EditWndProc+566, and you break in our old hmemcpy.
Regards,
Fighter_81
HaRdLoCk
February 14th, 2006, 06:48
There's an OllyDbg plugin for hmemcpy under WinNT kernels called Puntos Magicos, made by Ricardo Narvaja.
If the target is Delphi, there's another nice approach: use the GODUP plugin and apply the full Delphi 6/7 signatures found here in the forum. Search for the GetText procedure and put a breakpoint on every reference. This will lead you very fast to the place where you want to be :-)
oep
February 16th, 2006, 08:45
Quote:
[Originally Posted by fighter_81] There is another method I use too, just like our old and good hmemcpy. It is:
bpx EditWndProc+566, and you break in our old hmemcpy.
Regards,
Fighter_81
Very nice Fighter_81, I have tried it, and it's perfectly wonderful.
In my OllyDbg, the words are 'bp EditWndProc+566'.
fighter_81
February 16th, 2006, 10:05
I'm glad to have helped you out. I write bpx because I use SoftICE, and sorry for my bad English, but I am an Italian guy.
regards, Fighter_81