jjdg申请加入破文 2

jjdg · 发表于 2006-8-28 10:42:22

【文章标题】: 爆破MoluCAD Demo
【文章作者】: JJDG
【软件名称】: MoluCAD Demo
【软件大小】: 5414k
【下载地址】: 自己搜索下载
【使用工具】: OD
【软件介绍】: MoluCAD Demo是一个可以制作分子3D结构模型的软件！
【作者声明】: 我就爆破凑合，算法不行!
--------------------------------------------------------------------------------
【详细过程】
  下载安装后，一启动程序就弹出提示：Thank you for trying thr MoluCAD demo.Would you like to purchase MoluCAD and enjoy the full functionality?
  点是就会打开网页去注册，那还破什么啊？所以点否！进入程序后，在标题栏显示[Demo]字样，我随便点了一下Br-，显示This file is only available for registered users.You may open BOLD files.关闭程序会再次弹出提示：Thank you for trying thr MoluCAD demo.Would you like to purchase MoluCAD  and enjoy the full functionality?在这个软件里面，我找不到可以注册的地方，所以就只有爆破了！

  OD载入，查找字符串，按上面得到的信息查找！
  双击thank you for trying the molucad demo.\nwould you like to purchase molucad and\nenjoy the full functionality?
  来到下面：
  0042AE20  /$  6A 00       PUSH 0                                  |注意了此处的信息有：本地调用来自 0042A7EE, 0042C09A, 0043175D
  0042AE22  |.  E8 A9FFFFFF CALL MoluCAD.0042ADD0                   |看来，只要在这里作一下手脚就可以一劳永逸了！
  0042AE27    84C0       TEST AL,AL                            |把test改为xor即可
  0042AE29  |.  74 2B       JE SHORT MoluCAD.0042AE56             ;  当然，将je改为jmp也可以
  0042AE2B  |.  6A 00       PUSH 0                                  ; /Arg3 = 00000000
  0042AE2D  |.  6A 04       PUSH 4                                  ; |Arg2 = 00000004
  0042AE2F  |.  68 D8A14A00 PUSH MoluCAD.004AA1D8                   ; |thank you for trying the molucad demo.\nwould you like to purchase
                                                                     |molucad and\nenjoy the full functionality?  来到这里！！！
  0042AE34  |.  E8 9E580500 CALL MoluCAD.004806D7                   ; \MoluCAD.004806D7
  0042AE39  |.  83F8 06    CMP EAX,6
  0042AE3C  |.  75 18       JNZ SHORT MoluCAD.0042AE56
  0042AE3E  |.  6A 05       PUSH 5                                  ; /IsShown = 5
  0042AE40  |.  6A 00       PUSH 0                                  ; |DefDir = NULL
  0042AE42  |.  6A 00       PUSH 0                                  ; |Parameters = NULL
  0042AE44  |.  68 5CA14A00 PUSH MoluCAD.004AA15C                   ; |http://www.kinematics.com/molucad/order.htm
  0042AE49  |.  68 6C764A00 PUSH MoluCAD.004A766C                   ; |open
  0042AE4E  |.  6A 00       PUSH 0                                  ; |hWnd = NULL
  0042AE50  |.  FF15 CC154A00 CALL DWORD PTR DS:[<&SHELL32.ShellExecut>; \ShellExecuteA
  0042AE56  \>  C3          RETN

  在刚才的字符串上面还有个字符串，not allowed in the demo version.\nare you interested in purchasing molucad?，双击，来到：
  0042ADD0  /$  8A81 A4000000 MOV AL,BYTE PTR DS:[ECX+A4]
  0042ADD6  |.  84C0       TEST AL,AL
  0042ADD8    75 38       JNZ SHORT MoluCAD.0042AE12             改jnz为jmp即可！
  0042ADDA  |.  8A4424 04    MOV AL,BYTE PTR SS:[ESP+4]
  0042ADDE  |.  84C0       TEST AL,AL
  0042ADE0  |.  74 2B       JE SHORT MoluCAD.0042AE0D
  0042ADE2  |.  6A 00       PUSH 0                                  ; /Arg3 = 00000000
  0042ADE4  |.  6A 04       PUSH 4                                  ; |Arg2 = 00000004
  0042ADE6  |.  68 88A14A00 PUSH MoluCAD.004AA188                   ; |not allowed in the demo version.\nare you interested in purchasing molucad?
  0042ADEB  |.  E8 E7580500 CALL MoluCAD.004806D7                   ; \MoluCAD.004806D7
  0042ADF0  |.  83F8 06    CMP EAX,6
  0042ADF3  |.  75 18       JNZ SHORT MoluCAD.0042AE0D
  0042ADF5  |.  6A 05       PUSH 5                                  ; /IsShown = 5
  0042ADF7  |.  6A 00       PUSH 0                                  ; |DefDir = NULL
  0042ADF9  |.  6A 00       PUSH 0                                  ; |Parameters = NULL
  0042ADFB  |.  68 5CA14A00 PUSH MoluCAD.004AA15C                   ; |http://www.kinematics.com/molucad/order.htm
  0042AE00  |.  68 6C764A00 PUSH MoluCAD.004A766C                   ; |open
  0042AE05  |.  6A 00       PUSH 0                                  ; |hWnd = NULL
  0042AE07  |.  FF15 CC154A00 CALL DWORD PTR DS:[<&SHELL32.ShellExecut>; \ShellExecuteA
  0042AE0D  |>  B0 01       MOV AL,1
  0042AE0F  |.  C2 0400    RETN 4
  0042AE12  |>  32C0       XOR AL,AL
  0042AE14  \.  C2 0400    RETN 4
  用鼠标点0042ADD0，可以看见下面的信息：
  本地调用来自 00417B37, 0042A7E0, 0042AC9A, 0042AE22, 0042BA95, 0042BACA, 0042BC85, 0042E6A0, 00432A72, 00432D1A, 00432EDA, 00432EF6, 00436DCA,
  0043A28A, 0043C69D, 0043C6B9, 0043C760, 0043C7F6, 0043CF57, 0043CF73, 0043D10F, 0043D135, 0043F74A, M)
  可见这又是个和前面类似的结构！

  在this file is only available for registered users.  you may open bold files.上面双击，来到：
  0043C9EE . /0F85 A7000000 JNZ MoluCAD.0043CA9B                   改jnz为jmp即可！
  0043C9F4 . |50          PUSH EAX                               ; /Arg3
  0043C9F5 . |50          PUSH EAX                               ; |Arg2
  0043C9F6 . |68 10BB4A00 PUSH MoluCAD.004ABB10                   ; |this file is only available for registered users.  you may open bold files.
  0043C9FB . |E8 D73C0400 CALL MoluCAD.004806D7                   ; \MoluCAD.004806D7
  0043CA00 . |8B4424 18    MOV EAX,DWORD PTR SS:[ESP+18]

  再搜索一下demo，结果发现，仅下面2个demo可以改！
  0042E6A7    /74 22       JE SHORT MoluCAD.0042E6CB             ;  je改为jmp
  0042E6A9  |. |B8 0CA74A00 MOV EAX,MoluCAD.004AA70C                ; demo
  0042E6AE  |. |8D50 01    LEA EDX,DWORD PTR DS:[EAX+1]
  0042E6B1  |> |8A08       /MOV CL,BYTE PTR DS:[EAX]
  0042E6B3  |. |40          |INC EAX
  0042E6B4  |. |3ACB       |CMP CL,BL
  0042E6B6  |.^|75 F9       \JNZ SHORT MoluCAD.0042E6B1
  0042E6B8  |. |2BC2       SUB EAX,EDX
  0042E6BA  |. |50          PUSH EAX
  0042E6BB  |. |68 0CA74A00 PUSH MoluCAD.004AA70C                   ; demo
  0042E6C0  |. |8D8E FC010000 LEA ECX,DWORD PTR DS:[ESI+1FC]
  0042E6C6  |. |E8 65A2FDFF CALL MoluCAD.00408930
  0042E6CB  |> \B8 00A74A00 MOV EAX,MoluCAD.004AA700                ;  < unknown >

  ok！修改完毕，全部复制到可执行文件，运行一下试试！
  爆破成功！

		自动登录	找回密码
密码			加入我们