Patching MODDE 8.0
【Title】: Patching MODDE 8.0 【Author】: JJDG
【Software】: MODDE 8.0
【Size】: 9653k
【Download】: search for it yourself; URL http://www.umetrics.com/download/demos/modde8.exe
【Packer】: none
【Language】: VC++
【Author's note】: Purely out of interest, no other purpose. Corrections from the experts are welcome!
--------------------------------------------------------------------------------
【Walkthrough】
Honestly, I'm not sure what this software does; I cracked it for a classmate. Something to do with experimental design, I think!
Download and install it. During installation the program asks for a product id; just pick the license option below it and the install completes.
Run it and the splash screen tells you when the software expires (the keyword is expire; we'll use it later).
Click Help > Register: in the middle of the registration window there is a grey area, blank when unregistered; after a successful registration it shows this message:
A license file already exists in the program directory! If you continue to import/activate this file will be replaced.
PEiD shows no packer.
Load it in OD, search for strings, look for expire, double-click "this beta version has expired." and you land at:
004A0B0C .6A 00 PUSH 0
004A0B0E .6A 10 PUSH 10
004A0B10 .83FE 03 CMP ESI,3
004A0B13 .75 3A JNZ SHORT modde80.004A0B4F ; skips the error message!
004A0B15 .68 5CE24F00 PUSH modde80.004FE25C ;this beta version has expired. <-- we land here!
004A0B1A .E8 E39A0100 CALL <JMP.&MFC71.#1123_?AfxMessageBox@@Y>
004A0B1F >6A 00 PUSH 0
004A0B21 .6A 40 PUSH 40
004A0B23 .68 00E34F00 PUSH modde80.004FE300 ;please contact umetrics for further information.\nusa, canada and south america: [email protected]\nuk: [email protected]\nsweden and all other countries: [email protected]
004A0B28 .E8 D59A0100 CALL <JMP.&MFC71.#1123_?AfxMessageBox@@Y>
004A0B2D .C645 FC 17 MOV BYTE PTR SS:,17
004A0B31 .8D8D 9CFCFFFF LEA ECX,DWORD PTR SS:
004A0B37 .8B35 34FB4C00 MOV ESI,DWORD PTR DS:[<&MODDEutlwin.??1L>;MODDEu_1.??1Licence@@UAE@XZ
004A0B3D .FFD6 CALL ESI ;<&MODDEutlwin.??1Licence@@UAE@XZ>
004A0B3F .885D FC MOV BYTE PTR SS:,BL
004A0B42 .8D8D 0CFFFFFF LEA ECX,DWORD PTR SS:
004A0B48 .FFD6 CALL ESI
004A0B4A .E9 1E120000 JMP modde80.004A1D6D
004A0B4F >83FE 05 CMP ESI,5
004A0B52 .75 0C JNZ SHORT modde80.004A0B60
004A0B54 .68 7CE24F00 PUSH modde80.004FE27C ;this version has expired.
004A0B59 .E8 A49A0100 CALL <JMP.&MFC71.#1123_?AfxMessageBox@@Y>
004A0B5E .EB 0F JMP SHORT modde80.004A0B6F
004A0B60 >68 98E24F00 PUSH modde80.004FE298 ;your loan has expired.
004A0B65 .E8 989A0100 CALL <JMP.&MFC71.#1123_?AfxMessageBox@@Y>
004A0B6A .83FE 04 CMP ESI,4
004A0B6D .^ 75 B0 JNZ SHORT modde80.004A0B1F
Since the registration mode is decided by the choice you made at install time, the license file is the only angle left!
Search for license again. Among the strings containing license many are duplicates, and one stands out: umetricslicense. Noticed? Umetrics is the company's name!
OK, double-click it and we land at:
004A0316 > \68 94DC4F00 PUSH modde80.004FDC94 ;umetricslicense <-- the check of the license file probably starts here and runs downward! Set a breakpoint first!
You'll notice:
004FDC94=modde80.004FDC94 (ASCII "UmetricsLicense")
Jump from 004A02BB
Look upwards first and we come to this line:
004A01C9 .53 PUSH EBX ; /Arg4
Break here! (Because the lines below it carry comments such as modde license file!)
F9 to run; it breaks at 004A01C9. F8 until 004A0341 and in the registers you see:
EAX 0012FEEC
ECX 01B56800 ASCII "UmetricsLicense.$MODDE"
EDX 01B56800 ASCII "UmetricsLicense.$MODDE"
OK, so the file with the .$MODDE extension must be the license file! Open Notepad, type anything you like, and save it as UmetricsLicense.$MODDE.
Reload in OD,
F9 to run, and we arrive at:
004A0316 > \68 94DC4F00 PUSH modde80.004FDC94 ;umetricslicense
F8 onwards, and we arrive at:
004A0440 .84C0 TEST AL,AL
004A0442 .75 3F JNZ SHORT modde80.004A0483 ; below is an error message! Jump past it: change jnz to jmp
004A0444 .68 A8DC4F00 PUSH modde80.004FDCA8 ;the license file in modde's installation directory is incorrect.\nplease contact umetrics to get a new license file.
Further down:
004A048F .84C0 TEST AL,AL
004A0491 .0F85 89000000 JNZ modde80.004A0520 ; another error message below; better to jump: change jnz to jmp
004A0497 .8D8D 6CFFFFFF LEA ECX,DWORD PTR SS:
004A049D .51 PUSH ECX
004A049E .FF15 5CF84C00 CALL DWORD PTR DS:[<&MODDEutl.?GetApplic>;MODDEutl.?GetApplicationVersion@UmSystemInfo@@YA?AV?$CStringT@DV?$StrTraitMFC_DLL@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@XZ
004A04A4 .8BF0 MOV ESI,EAX
004A04A6 .C645 FC 0D MOV BYTE PTR SS:,0D
004A04AA .8D95 44FFFFFF LEA EDX,DWORD PTR SS:
004A04B0 .52 PUSH EDX
004A04B1 .FF15 58F84C00 CALL DWORD PTR DS:[<&MODDEutl.?GetApplic>;MODDEutl.?GetApplicationName@UmSystemInfo@@YA?AV?$CStringT@DV?$StrTraitMFC_DLL@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@XZ
004A04B7 .C645 FC 0E MOV BYTE PTR SS:,0E
004A04BB .8B0E MOV ECX,DWORD PTR DS:
004A04BD .51 PUSH ECX
004A04BE .8B10 MOV EDX,DWORD PTR DS:
004A04C0 .52 PUSH EDX
004A04C1 .68 20DD4F00 PUSH modde80.004FDD20 ;the license file in modde's installation directory is not valid.
004A04C6 .8D85 74FFFFFF LEA EAX,DWORD PTR SS:
It jumps to here:
004A0520 > \8B8E F4000000 MOV ECX,DWORD PTR DS:
004A0526 .8B41 28 MOV EAX,DWORD PTR DS:
004A0529 .85C0 TEST EAX,EAX
004A052B .0F84 97000000 JE modde80.004A05C8 ; no need to change this one, the program jumps by itself!
004A0531 .FF15 5CFB4C00 CALL DWORD PTR DS:[<&MODDEutlwin.?CheckL>;MODDEu_1.?CheckLockedToHardwareKey@LicenseFile@@QAE_NXZ
004A0537 .84C0 TEST AL,AL
004A0539 .0F85 89000000 JNZ modde80.004A05C8
004A053F .8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:
004A0545 .51 PUSH ECX
004A0546 .FF15 5CF84C00 CALL DWORD PTR DS:[<&MODDEutl.?GetApplic>;MODDEutl.?GetApplicationVersion@UmSystemInfo@@YA?AV?$CStringT@DV?$StrTraitMFC_DLL@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@XZ
004A054C .8BF0 MOV ESI,EAX
004A054E .C645 FC 10 MOV BYTE PTR SS:,10
004A0552 .8D95 64FFFFFF LEA EDX,DWORD PTR SS:
004A0558 .52 PUSH EDX
004A0559 .FF15 58F84C00 CALL DWORD PTR DS:[<&MODDEutl.?GetApplic>;MODDEutl.?GetApplicationName@UmSystemInfo@@YA?AV?$CStringT@DV?$StrTraitMFC_DLL@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@XZ
004A055F .C645 FC 11 MOV BYTE PTR SS:,11
004A0563 .8B0E MOV ECX,DWORD PTR DS:
004A0565 .51 PUSH ECX
004A0566 .8B10 MOV EDX,DWORD PTR DS:
004A0568 .52 PUSH EDX
004A0569 .68 68DD4F00 PUSH modde80.004FDD68 ;the activation key in the license file does not match this computer id.
004A056E .8D85 00FFFFFF LEA EAX,DWORD PTR SS:
Arriving at:
004A05C8 > \8B8E F4000000 MOV ECX,DWORD PTR DS:
004A05CE .8A41 69 MOV AL,BYTE PTR DS:
004A05D1 .84C0 TEST AL,AL
004A05D3 .0F84 6A010000 JE modde80.004A0743 ; no need to change this one, the program jumps by itself!
004A05D9 .C745 CC 04000>MOV DWORD PTR SS:,4
004A05E0 .8D55 D4 LEA EDX,DWORD PTR SS:
004A05E3 .52 PUSH EDX
004A05E4 .FF15 58FB4C00 CALL DWORD PTR DS:[<&MODDEutlwin.?GetNum>;MODDEu_1.?GetNumberOfRegistrationDaysLeft@LicenseFile@@QAE_NAAH@Z
004A05EA .84C0 TEST AL,AL
004A05EC .0F84 7B170000 JE modde80.004A1D6D
004A05F2 .837D D4 01 CMP DWORD PTR SS:,1
004A05F6 .0F8D 87000000 JGE modde80.004A0683
004A05FC .6A 00 PUSH 0
004A05FE .8B8E F4000000 MOV ECX,DWORD PTR DS:
004A0604 .FF15 6CFB4C00 CALL DWORD PTR DS:[<&MODDEutlwin.?ShowRe>;MODDEu_1.?ShowRegistrationDialog@LicenseFile@@QAE_N_N@Z
004A060A .84C0 TEST AL,AL
Arriving at:
004A073C > \C747 10 04000>MOV DWORD PTR DS:,4
004A0743 >8B86 F4000000 MOV EAX,DWORD PTR DS:
004A0749 .8B48 64 MOV ECX,DWORD PTR DS:
004A074C .85C9 TEST ECX,ECX
004A074E .0F85 7A040000 JNZ modde80.004A0BCE ; this time it has to jump! jnz --> jmp, because if execution falls through, another error message appears below!
004A0754 .68 00100000 PUSH 1000 ; /Index = 4096.
004A0759 .FF15 98024D00 CALL DWORD PTR DS:[<&USER32.GetSystemMet>; \GetSystemMetrics
004A075F .85C0 TEST EAX,EAX
004A0761 .0F84 67040000 JE modde80.004A0BCE
004A0767 .6A 00 PUSH 0
004A0769 .6A 40 PUSH 40
004A076B .68 00DE4F00 PUSH modde80.004FDE00 ;the license file does not allow to run under windows terminal services. please contact umetrics for further information.\nusa, canada and south america: [email protected]\nuk: [email protected]\nsweden and all other countries: [email protected]
Further down:
004A0BCE > \8B7D CC MOV EDI,DWORD PTR SS:
004A0BD1 .83FF 01 CMP EDI,1
004A0BD4 .0F85 A5000000 JNZ modde80.004A0C7F ; no need to change this one, the program jumps by itself! Look at RegGetInstallationPath below and you can tell it should jump!
004A0BDA .C645 FC 1F MOV BYTE PTR SS:,1F
004A0BDE .8D85 4CFFFFFF LEA EAX,DWORD PTR SS:
004A0BE4 .50 PUSH EAX
004A0BE5 .FF15 14FB4C00 CALL DWORD PTR DS:[<&MODDEutlwin.?RegGet>;MODDEu_1.?RegGetInstallationPath@@YA?AV?$CStringT@DV?$StrTraitMFC_DLL@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@XZ
004A0BEB .83C4 04 ADD ESP,4
It jumps down to here (after all that jumping you must be tired; relax, this is the finish line!):
004A0C7F > \895D FC MOV DWORD PTR SS:,EBX
004A0C82 .6A 04 PUSH 4
004A0C84 .E8 4B970100 CALL <JMP.&MFC71.#762_??2@YAPAXI@Z>
004A0C89 .83C4 04 ADD ESP,4
004A0C8C .8945 A8 MOV DWORD PTR SS:,EAX
004A0C8F .C700 01000000 MOV DWORD PTR DS:,1
004A0C95 .C745 AC 00000>MOV DWORD PTR SS:,0
004A0C9C .C645 FC 23 MOV BYTE PTR SS:,23
004A0CA0 .83FF 01 CMP EDI,1
004A0CA3 .0F84 91000000 JE modde80.004A0D3A ; to jump or not to jump? Of course... not! Don't you see the Statue of Liberty below? :)
004A0CA9 .8B85 E0FCFFFF MOV EAX,DWORD PTR SS: ; but don't worry, once you're here the program can't bear to let you go!
004A0CAF .85C0 TEST EAX,EAX
004A0CB1 .0F84 83000000 JE modde80.004A0D3A
004A0CB7 .C785 B8FEFFFF>MOV DWORD PTR SS:,136
004A0CC1 .C785 BCFEFFFF>MOV DWORD PTR SS:,43
004A0CCB .6A 0C PUSH 0C
004A0CCD .E8 02970100 CALL <JMP.&MFC71.#762_??2@YAPAXI@Z>
004A0CD2 .83C4 04 ADD ESP,4
004A0CD5 .8BF8 MOV EDI,EAX
004A0CD7 .89BD A4FEFFFF MOV DWORD PTR SS:,EDI
004A0CDD .C645 FC 24 MOV BYTE PTR SS:,24
004A0CE1 .85FF TEST EDI,EDI
004A0CE3 .74 46 JE SHORT modde80.004A0D2B
004A0CE5 .6A 00 PUSH 0
004A0CE7 .8D85 B8FEFFFF LEA EAX,DWORD PTR SS:
004A0CED .50 PUSH EAX
004A0CEE .68 431F0000 PUSH 1F43
004A0CF3 .8B4E 44 MOV ECX,DWORD PTR DS:
004A0CF6 .51 PUSH ECX
004A0CF7 .8BCF MOV ECX,EDI ; look, isn't the UmStartWindow below the sign of success?
004A0CF9 .FF15 10FB4C00 CALL DWORD PTR DS:[<&MODDEutlwin.??0UmSt>;MODDEu_1.??0UmStartWindow@@QAE@PAUHINSTANCE__@@PBDPBVCPoint@@K@Z
004A0CFF .C707 D4EF4F00 MOV DWORD PTR DS:,modde80.004FEFD4;00j
Basically, by the time you F8 to 004A0CF9 the splash screen appears, and the expired prompt is gone too!
Done!
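Why these edits work is visible in every listing above: the licence file is reduced to one boolean (TEST AL,AL) followed by one conditional jump, and a Notepad file full of anything passes once that jump is forced. The C below is an added example, not code from this post or from MODDE: it puts that fragile pattern next to a design in which the licence bytes are the key for data the program needs, so the same forced branch leaves the program with junk. Every name and value in it (GOOD_LICENCE, TITLE_ENC, the jump_forced flag that stands in for the JNZ to JMP edit) is constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LIC_LEN   16
#define TITLE_LEN 16

/* Constructed "issued" licence; a real product would generate one per customer. */
static const uint8_t GOOD_LICENCE[LIC_LEN] = "demo-license-key";

/* Fragile build: the real title sits in the data section, licence or not. */
static const char PLAIN_TITLE[TITLE_LEN] = "Licensed build";

/* Hardened build: the same title XORed with GOOD_LICENCE at build time.
 * Only this ciphertext is embedded; the plaintext never appears in the image. */
static const uint8_t TITLE_ENC[TITLE_LEN] = {
    0x28, 0x0C, 0x0E, 0x0A, 0x43, 0x1F, 0x0C, 0x07,
    0x45, 0x0C, 0x06, 0x0C, 0x41, 0x0F, 0x65, 0x79
};

/* Fragile design: compare, set a flag, branch once on the flag.
 * jump_forced models the write-up's patch: the error path is skipped no
 * matter what the comparison said. Returns the title, or NULL on refusal. */
const char *fragile_start(const uint8_t lic[LIC_LEN], int jump_forced)
{
    int ok = memcmp(lic, GOOD_LICENCE, LIC_LEN) == 0;   /* TEST AL,AL            */
    if (!ok && !jump_forced)                            /* JNZ over the error box */
        return NULL;
    return PLAIN_TITLE;                                 /* licence never used again */
}

/* Does a decrypted buffer look like a NUL-terminated printable title? */
static int looks_like_text(const uint8_t buf[TITLE_LEN])
{
    if (buf[TITLE_LEN - 1] != 0)
        return 0;
    for (size_t i = 0; i < TITLE_LEN && buf[i] != 0; i++)
        if (buf[i] < 0x20 || buf[i] > 0x7E)
            return 0;
    return 1;
}

/* Hardened design: the licence bytes decrypt data the program needs.
 * The sanity check and its branch are still here, but forcing the branch
 * only hands the caller whatever the wrong key produced. out is always
 * NUL-terminated so the result is safe to print. */
const char *hardened_start(const uint8_t lic[LIC_LEN], int jump_forced, char out[TITLE_LEN])
{
    uint8_t tmp[TITLE_LEN];
    for (size_t i = 0; i < TITLE_LEN; i++)
        tmp[i] = TITLE_ENC[i] ^ lic[i];
    int ok = looks_like_text(tmp);                      /* TEST AL,AL            */
    memcpy(out, tmp, TITLE_LEN);
    out[TITLE_LEN - 1] = '\0';
    if (!ok && !jump_forced)                            /* JNZ over the error box */
        return NULL;
    return out;
}

int main(void)
{
    const uint8_t junk[LIC_LEN] = "just some bytes!";  /* the "Notepad" licence */
    char buf[TITLE_LEN];
    printf("fragile,  junk licence, branch forced : %s\n", fragile_start(junk, 1));
    printf("hardened, junk licence, branch forced : %s\n", hardened_start(junk, 1, buf));
    printf("hardened, good licence                : %s\n", hardened_start(GOOD_LICENCE, 0, buf));
    return 0;
}
```

hardened_start still carries a check and a branch; the difference is that the working title exists only as ciphertext under the licence key, so skipping the refusal gains nothing. A real product would couple more than one piece of data this way and keep the per-customer key out of the binary; the toy keeps everything in one file so that it compiles and runs on its own.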
Right-click the CPU window, Copy to executable -> All modifications, save, ok!
Restart the program and look at the result!
Well? Click Help > Register: "A license file already exists in the program directory! If you continue to import/activate this file will be replaced." now appears!
Congratulations, you've patched your way through!
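The last step writes the flipped jumps back into the executable on disk, which is exactly what an integrity check of the shipped image has to catch. As an added example (not from this post, not Umetrics code), the C below compares a suspect copy of a code region with the pristine copy and classifies each change as a JNZ rel8 to JMP rel8 rewrite, a JNZ rel32 to JMP rel32 plus NOP rewrite, or something else, and also checks whether the rewritten jump still reaches the original target. The sample buffers are constructed around the jump bytes the listing shows at 004A0442 (75 3F) and 004A0491 (0F85 89000000); their patched forms assume OllyDbg's default NOP fill when a 6-byte JNZ is reassembled as a 5-byte JMP, and the trailing 0xFF to 0x00 edit is an invented unrelated change.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum change_kind { CHG_JNZ_SHORT_TO_JMP, CHG_JNZ_NEAR_TO_JMP, CHG_OTHER };

struct change {
    size_t offset;          /* where in the image the change starts                  */
    size_t len;             /* bytes covered by the change                           */
    enum change_kind kind;
    int same_target;        /* 1 if the rewritten jump still lands where the JNZ did */
};

static int32_t rd32(const uint8_t *p)   /* little-endian rel32 */
{
    return (int32_t)((uint32_t)p[0] | (uint32_t)p[1] << 8 |
                     (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24);
}

/* Try to read the difference at off as a whole-instruction rewrite. Returns the
 * instruction length consumed, or 0 if the bytes match neither shape. */
static size_t recognise(const uint8_t *orig, const uint8_t *sus, size_t off, size_t n,
                        struct change *c)
{
    /* 75 rel8 -> EB rel8: same length, only the opcode byte changes */
    if (off + 2 <= n && orig[off] == 0x75 && sus[off] == 0xEB) {
        c->kind = CHG_JNZ_SHORT_TO_JMP;
        c->same_target = orig[off + 1] == sus[off + 1];
        return 2;
    }
    /* 0F 85 rel32 -> E9 rel32 90: JMP rel32 is one byte shorter than JNZ rel32,
     * so reaching the same target needs rel32 + 1, and a NOP pads the 6th byte */
    if (off + 6 <= n && orig[off] == 0x0F && orig[off + 1] == 0x85 &&
        sus[off] == 0xE9 && sus[off + 5] == 0x90) {
        c->kind = CHG_JNZ_NEAR_TO_JMP;
        c->same_target = rd32(sus + off + 1) == rd32(orig + off + 2) + 1;
        return 6;
    }
    return 0;
}

/* Walks both images, records each change (up to max entries) and returns the
 * number of changes found. Unrecognised edits are reported as raw byte runs. */
size_t diff_image(const uint8_t *orig, const uint8_t *sus, size_t n,
                  struct change *out, size_t max)
{
    size_t count = 0, i = 0;
    while (i < n) {
        if (orig[i] == sus[i]) { i++; continue; }
        struct change c = { i, 0, CHG_OTHER, 0 };
        c.len = recognise(orig, sus, i, n, &c);
        if (c.len == 0) {                       /* plain run of differing bytes */
            size_t j = i;
            while (j < n && orig[j] != sus[j]) j++;
            c.len = j - i;
        }
        if (count < max) out[count] = c;
        count++;
        i += c.len;
    }
    return count;
}

/* Constructed sample: TEST AL,AL / JNZ SHORT / PUSH from 004A0440, then
 * TEST AL,AL / JNZ near / LEA from 004A048F, joined end to end. */
static const uint8_t SAMPLE_ORIG[] = {
    0x84,0xC0, 0x75,0x3F, 0x68,0xA8,0xDC,0x4F,0x00,
    0x84,0xC0, 0x0F,0x85,0x89,0x00,0x00,0x00, 0x8D,0x8D,0x6C,0xFF,0xFF,0xFF };
static const uint8_t SAMPLE_SUS[] = {
    0x84,0xC0, 0xEB,0x3F, 0x68,0xA8,0xDC,0x4F,0x00,
    0x84,0xC0, 0xE9,0x8A,0x00,0x00,0x00,0x90, 0x8D,0x8D,0x6C,0xFF,0xFF,0x00 };

/* Fills out with the sample's changes and returns how many there are. */
size_t sample_changes(struct change *out, size_t max)
{
    return diff_image(SAMPLE_ORIG, SAMPLE_SUS, sizeof SAMPLE_ORIG, out, max);
}

int main(void)
{
    static const char *names[] = { "JNZ rel8 -> JMP rel8", "JNZ rel32 -> JMP rel32 + NOP", "other" };
    struct change ch[8];
    size_t n = sample_changes(ch, 8);
    for (size_t i = 0; i < n; i++)
        printf("+0x%02zx len %zu: %s%s\n", ch[i].offset, ch[i].len, names[ch[i].kind],
               ch[i].kind != CHG_OTHER && ch[i].same_target ? " (same target)" : "");
    return 0;
}
```

In a deployment the whole-file hash is compared first and this classification only runs on a mismatch, to tell a licence-branch rewrite from an unrelated change such as a relocation fix-up. The comparison has to run outside the program being checked: a self-check inside the binary is subject to the same edit it is meant to detect.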
2006-07-18 23:32:43 Showing support~~